How will CyberGRX properly assess the following classes/scenarios?

1. Assessing Individual or Ma/Pa Size vendors that have no security/privacy practice in place?
2. Qualifying Orgs which has widely accepted standards (HITRUST, ISO or similar third party audits)?  In an effort to permit your customers to accept this will there an override approval option so we can still track the unique exceptions in the CyberGRX system?
3. Is there an ability to clearly see the scope of the Vendor Assessment giving the Vendor and Customer the clarity on if these answers are Enterprise Focus or Service Specific?  Can this be front page so we're all aware of the scope?


  • Recohight, For your questions:
    1. One of the unique elements of the CyberGRX assessment is its ability to expand or contract to the level of maturity of the cyber program of the company being assessed.  The "gating questions" at the control and sub-control level reduce the question set for less mature or smaller programs while expanding out for the most mature, thus allowing the same framework to flex across sizes.  For ma/pa type companies, typically our Tier 3 assessment is most applicable.  If they are literally answering "no" to each of the questions at that level, then you might want to consider how you are interacting with them and what data you share.

    2.  If I understand correctly, the CyberGRX assessment is broader than most of the recognized regulatory standards or other certifications and thus to provide comparability across your portfolio, companies already adhering to those standards should still also complete a CyberGRX assessment (and many have).  The portfolio residual risk tools that will be coming in the platform in roughly a month will also highlight this.  We will be bringing out at a later time a feature where assessed companies can indicate whether they have any of the above certifications, as an additional data point for you as the consumer of their assessment.

    3. The majority of assessments on the CyberGRX exchange are at the enterprise level.  In some cases, where larger companies have responded at the service level, it is usually indicated on the profile page for that company.  In these cases, we are working with companies to provide individual assessments corresponding to separate service lines.
Sign In or Register to comment.