Best Of
Ask the Expert - Shane Hasert, CISSP, CISA, CRISC, CTPRP, CTPRA, Sr Risk Analyst CyberGRX
What are 3 specific recommendations to have a successful incident response or flaw remediation program?
Answers will be posted on Wednesday, March 20, 2019 by Shane himself.

Re: How does your organization identify and categorize third parties?
There are many ways to identify your vendors:
- Project information
- Legal Contracts
- Company Announcements
- Status Reports
- Accounts Payable / Purchasing
- Remote Access Systems
- System Accounts
- Facility Access Records
- Application Access
- Firewall Rules
- Network Circuits
- Data Transfer Records
- Asset Management Records
- Data Leakage Protection / Internet Usage Records
- Equipment Location Information
- Operational Monitoring
- Incident / Outage Reports
- etc.
For categorization, identify criteria which absolutely require an assessment, situations that never require an assessment, and what falls in between. You need to consider the resources you have available, number of vendors, and purpose of your program in order to identify appropriate criteria. For example:
- If the vendor is hosting information in their systems, how critical does it have to be before it warrants an assessment?
- If the vendor is providing services using their systems or networks, how critical does it have to be before it warrants an assessment?
- Where can you leverage your existing solutions to avoid performing an assessment? That is, if the vendor is doing everything using your equipment, they are taking your training, and subjected to your background checks, would they have anything in scope for the assessment?
- etc.
With a bit of work, you should be able to establish criteria you can justify.
Chris
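One way to put the identification list above into practice, as an added example that is not part of Chris's answer: pull vendor names out of several of the record sources he lists (accounts payable, contracts, firewall rule comments, service accounts), normalize them to a common key, and flag vendors that show up only in technical artifacts and have no business record behind them. The record formats, vendor names, the `vendor:` tag convention in the firewall rules, the `svc_` account prefix and the prefix-merge heuristic are all assumptions made for this example.

```python
"""Build a vendor inventory by cross-referencing several record sources.

Added example, not from the original post. All records below are
constructed; the vendor names are not real companies.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample records, one list per source, in the rough shape each
# source usually has (free-text names, a comment tag on a firewall rule,
# service-account names with an assumed "svc_" prefix).
SOURCES: Dict[str, List[str]] = {
    "accounts_payable": ["Acme Backup Ltd.", "Northwind Staffing, Inc", "Contoso Cloud"],
    "contracts": ["ACME BACKUP LTD", "Contoso Cloud Inc."],
    "firewall_rules": [
        "permit tcp 10.0.5.0/24 203.0.113.10 eq 22 ; vendor: Contoso Cloud support",
        "permit tcp any 198.51.100.7 eq 443 ; vendor: Fabrikam Monitoring",
    ],
    "system_accounts": ["svc_acmebackup", "svc_fabrikam_mon", "svc_tailspin"],
}

# Sources that imply someone in the business owns the relationship.
BUSINESS_SOURCES: Set[str] = {"accounts_payable", "contracts"}

LEGAL_SUFFIX = re.compile(r"\b(ltd|inc|llc|corp|plc)\b\.?", re.I)
FW_VENDOR_TAG = re.compile(r"vendor:\s*(.+?)\s*$")  # assumed rule-comment convention


def normalize(name: str) -> str:
    """Canonical key: drop legal suffixes, lowercase, keep only [a-z0-9]."""
    name = LEGAL_SUFFIX.sub("", name)
    return re.sub(r"[^a-z0-9]", "", name.lower())


def extract_key(source: str, record: str) -> Optional[str]:
    """Pull a vendor name out of one raw record, depending on the source."""
    if source == "firewall_rules":
        m = FW_VENDOR_TAG.search(record)
        return normalize(m.group(1)) if m else None
    if source == "system_accounts":
        return normalize(re.sub(r"^svc_", "", record))  # assumed prefix
    return normalize(record)


def build_inventory(sources: Dict[str, List[str]] = SOURCES,
                    min_prefix: int = 6) -> Dict[str, Set[str]]:
    """Map canonical vendor key -> set of sources it appears in.

    Heuristic merge: a longer key is folded into an existing shorter key
    that is its prefix (e.g. 'contosocloudsupport' -> 'contosocloud'),
    as long as the shorter key has at least min_prefix characters.
    """
    pairs = []
    for source, records in sources.items():
        for rec in records:
            key = extract_key(source, rec)
            if key:
                pairs.append((key, source))
    pairs.sort(key=lambda p: len(p[0]))  # shorter keys become the canonical ones

    inventory: Dict[str, Set[str]] = {}
    for key, source in pairs:
        canon = next((c for c in inventory
                      if len(c) >= min_prefix and key.startswith(c)), key)
        inventory.setdefault(canon, set()).add(source)
    return inventory


def shadow_vendors(inventory: Dict[str, Set[str]],
                   business_sources: Set[str] = BUSINESS_SOURCES) -> List[str]:
    """Vendors with a technical footprint but no business record at all."""
    return sorted(k for k, srcs in inventory.items() if not srcs & business_sources)


if __name__ == "__main__":
    inv = build_inventory()
    for key, srcs in sorted(inv.items()):
        print(f"{key:20s} {sorted(srcs)}")
    print("no business record:", shadow_vendors(inv))
```

The prefix merge is deliberately loose so that a rule comment like "Contoso Cloud support" lands on the same vendor as the contract; treat the merged inventory as a worklist for the people who own those records, not as ground truth.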
Re: Identifying Vendor Contacts
Partner with the teams that run those programs to ensure you are notified proactively. Trying to capture it after the fact is a challenge.
Remember that your vendor's bills are being paid, their people report to managers, change and access requests are being authorized, etc. Leverage that information to determine the appropriate contact.
Chris
Re: Is there a template to assess the vendor risk management for a company in terms of maturity.
As Pattie mentions above, CyberGRX breaks out maturity in addition to effectiveness to provide practitioners with the information necessary to make the appropriate business case decisions.

Re: How will CyberGRX properly assess the following classes/scenarios?
1. One of the unique elements of the CyberGRX assessment is its ability to expand or contract to the level of maturity of the cyber program of the company being assessed. The "gating questions" at the control and sub-control level reduce the question set for less mature or smaller programs while expanding out for the most mature, thus allowing the same framework to flex across sizes. For ma/pa type companies, typically our Tier 3 assessment is most applicable. If they are literally answering "no" to each of the questions at that level, then you might want to consider how you are interacting with them and what data you share.
2. If I understand correctly, the CyberGRX assessment is broader than most of the recognized regulatory standards or other certifications and thus to provide comparability across your portfolio, companies already adhering to those standards should still also complete a CyberGRX assessment (and many have). The portfolio residual risk tools that will be coming in the platform in roughly a month will also highlight this. We will be bringing out at a later time a feature where assessed companies can indicate whether they have any of the above certifications, as an additional data point for you as the consumer of their assessment.
3. The majority of assessments on the CyberGRX exchange are at the enterprise level. In some cases, where larger companies have responded at the service level, it is usually indicated on the profile page for that company. In these cases, we are working with companies to provide individual assessments corresponding to separate service lines.


Re: Analyze Risk or Rely on Critical Controls?
The cloud brings a host of new issues within the VRM space. One aspect is the need to change the framework for assessing SaaS vendors, as the standard industry control areas might not be applicable in many cases; instead the focus needs to be on the proper configuration of these solutions as well as 4th party management.
Another aspect that complicates things is access management for these types of vendors. Remote access for your vendors, whether for a true contractor engagement or support / troubleshooting work, is a challenge on its own. To further complicate things, you also have to create a process for access management for SaaS solutions where admins of the product can provision access completely independent of your standard IAM process. This access poses a great amount of risk even if the access is not to your internal network or systems. File upload to these hosted solutions becomes the highlighted risk, and having both visibility and control over this becomes crucial.
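A concrete check for the SaaS provisioning problem described above, as an added example that is not part of the original answer: take the user export from a SaaS admin console and reconcile it against the set of users your IdP says are assigned to that application. Accounts that use a local password rather than SSO, are missing from the IdP, or sit on an external domain were provisioned outside your IAM process; if they also hold an admin role they can in turn provision others. The CSV column names, the IdP assignment list, the corporate domain and all user records are constructed assumptions for this example.

```python
"""Reconcile a SaaS user export against IdP app assignments.

Added example, not from the original post. The export format, IdP data
and domain below are constructed for illustration.
"""
import csv
import io
from typing import Dict, List, Set

CORP_DOMAIN = "example.com"  # assumed corporate mail domain

# Constructed sample: users the IdP reports as assigned to this SaaS app.
IDP_ASSIGNED: Set[str] = {
    "alice@example.com", "bob@example.com", "carol@example.com", "erin@example.com",
}

# Constructed sample: user export from the SaaS admin console. The column
# names are an assumption; real products differ.
SAAS_EXPORT = """\
email,role,auth_method,last_login
alice@example.com,admin,sso,2019-03-18
bob@example.com,user,sso,2019-03-15
dave@example.com,admin,password,2019-03-19
carol@example.com,user,password,2019-02-01
support@contoso-vendor.example,admin,password,2019-03-10
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per user row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(saas_rows: List[Dict[str, str]], idp_assigned: Set[str],
              corp_domain: str = CORP_DOMAIN) -> List[Dict[str, object]]:
    """Return one finding per SaaS account that bypasses the IAM process.

    Reasons: local-credential (not SSO-backed), not-in-idp (no IdP
    assignment), external-domain (not a corporate address). Admin role
    raises severity because such an account can provision further access.
    """
    findings = []
    for row in saas_rows:
        email = row["email"].strip().lower()
        reasons = []
        if row["auth_method"].strip().lower() != "sso":
            reasons.append("local-credential")
        if email not in idp_assigned:
            reasons.append("not-in-idp")
        if not email.endswith("@" + corp_domain):
            reasons.append("external-domain")
        if reasons:
            is_admin = row["role"].strip().lower() == "admin"
            findings.append({
                "email": email,
                "role": row["role"],
                "severity": "high" if is_admin else "medium",
                "reasons": reasons,
            })
    return findings


def idp_only(saas_rows: List[Dict[str, str]], idp_assigned: Set[str]) -> List[str]:
    """Assigned in the IdP but absent from the SaaS side: stale assignments."""
    exported = {r["email"].strip().lower() for r in saas_rows}
    return sorted(idp_assigned - exported)


if __name__ == "__main__":
    rows = parse_export(SAAS_EXPORT)
    for f in reconcile(rows, IDP_ASSIGNED):
        print(f"{f['severity']:6s} {f['email']:35s} {f['role']:6s} {', '.join(f['reasons'])}")
    print("stale IdP assignments:", idp_only(rows, IDP_ASSIGNED))
```

Run this on a schedule against each SaaS product's export and route the high-severity findings to whoever owns the vendor relationship; the local-credential admins are the ones who can keep adding users no matter what the IdP says.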