Best Of

Join our conversation and ask a question. To get us started, here is our starter question - 

What are 3 specific recommendations to have a successful incident response or flaw remediation program?

Answers will be posted on Wednesday, March 20, 2019 by Shane himself. 

There are many ways to identify your vendors:

• Project information
• Legal Contracts
• Company Announcements
• Status Reports
• Accounts Payable / Purchasing
• Remote Access Systems
• System Accounts
• Facility Access Records
• Application Access
• Firewall Rules
• Network Circuits
• Data Transfer Records
• Asset Management Records
• Data Leakage Protection / Internet Usage Records
• Equipment Location Information
• Operational Monitoring
• Incident / Outage Reports
• Etc

Find the teams that own those processes, partner with them to get legacy and proactive visibility to the information.  

For categorization, identify criteria which absolutely require an assessment, situations that never require an assessment, and what falls in between.  You need to consider the resources you have available, number of vendors, and purpose of your program in order to identify appropriate criteria.  For example:

• If the vendor is hosting information in their systems, how critical does it have to be before it warrants an assessment?
  
• If the vendor is providing services using their their systems or networks, how critical does it have to be before it warrants an assessment?
• Where can you leverage your existing solutions to avoid performing an assessment.  That is, if the vendor is doing everything using your equipment, they are taking your training, and subjected to your background checks, would they have anything in scope for the assessment?
• etc.

Recognize that individual teams may be using the same vendor in completely different ways.

With a bit of work, you should be able to establish criteria you can justify.

Chris

See my comment to another question: "How does your organization identify and categorize third parties?"

Partner with the teams that run those programs to ensure you are notified proactively.  Trying to capture it after the fact is a challenge.

Remember that your vendor's bills are being paid, their people report to managers, change and access requests are being authorized, etc.  Leverage that information to determine the appropriate contact.

Chris

I completely agree with Elbahoug.  It is one thing to understand what tools and controls are implemented in an environment, but it is just as important to ensure a company has the right team with the right training and processes to use those tools.  In particular, in the dynamic cyber risk environment, where the threat landscape is changing hourly, the adaptability and insight of a mature team can often be more important than the inventory of controls.

As Pattie mentions above, CyberGRX breaks out maturity in addition to effectiveness to provide practitioners with the information necessary to make the appropriate business case decisions.

Recohight, For your questions:
1. One of the unique elements of the CyberGRX assessment is its ability to expand or contract to the level of maturity of the cyber program of the company being assessed.  The "gating questions" at the control and sub-control level reduce the question set for less mature or smaller programs while expanding out for the most mature, thus allowing the same framework to flex across sizes.  For ma/pa type companies, typically our Tier 3 assessment is most applicable.  If they are literally answering "no" to each of the questions at that level, then you might want to consider how you are interacting with them and what data you share.

2.  If I understand correctly, the CyberGRX assessment is broader than most of the recognized regulatory standards or other certifications and thus to provide comparability across your portfolio, companies already adhering to those standards should still also complete a CyberGRX assessment (and many have).  The portfolio residual risk tools that will be coming in the platform in roughly a month will also highlight this.  We will be bringing out at a later time a feature where assessed companies can indicate whether they have any of the above certifications, as an additional data point for you as the consumer of their assessment.

3. The majority of assessments on the CyberGRX exchange are at the enterprise level.  In some cases, where larger companies have responded at the service level, it is usually indicated on the profile page for that company.  In these cases, we are working with companies to provide individual assessments corresponding to separate service lines.