This document provides a comprehensive description of the validation process for ProcessUnity Exchange Prospects, Customers, and Third Parties. If you have any questions about the information in this document, please get in touch with ProcessUnity.
Overview
Validation aims to evaluate the accuracy of assessment answers provided by Third Parties. Validation provides ProcessUnity Customers with confidence in the results of completed assessments. In addition, validation may satisfy specific regulatory requirements and give customers additional data points from which to analyze assessments.
It is important to note that validation is not a re-assessment of the implementation or effectiveness of security controls. For example, an Exchange Assessor will not require direct access to Third Party systems, networks, or assets during the validation process. ProcessUnity does not perform vulnerability scans or penetration tests as part of the validation process. The focus of validation efforts is on measuring the accuracy of Third Party assessment answers.
Process Summary
Validation can be an assessment requirement when a customer requests validated data in addition to a Third Party self-assessment. Once validation is completed, the validation data remains accessible to approved customers for a minimum of 12 months after the completion date. As a result, if another customer requests validation less than 12 months after you last completed validation, you will not be required to undergo validation again.
All Validation requests are completed by the ProcessUnity Validation Team according to ProcessUnity Exchange standards. The following is a high-level summary of the typical steps in the assessment and validation process:
1. A Customer organization places a Validation Request on a Third Party.
2. The Third Party is provisioned on the platform and completes a self-assessment for the 60 Critical Controls. Completing the self-assessment includes the Third Party uploading evidence documents via the platform and linking documents to controls.
3. The Third Party can view controls selected for validation within the "Validation Request" on the Questionnaire Dashboard. A downloadable Evidence Help Sheet (EHS) is also available.
4. The ProcessUnity Assessor evaluates this evidence to determine whether or not it adequately verifies the Third Party's questionnaire answers.
5. If additional evidence is needed, the Third Party is notified that a follow-up EHS is available (see Step 3 above), and a final round of evidence evaluation is performed. Only two (2) rounds of evaluation are performed per assessment.
6. The ProcessUnity Assessor finalizes the results of validation and releases final assessment results.
7. The Third Party can review their assessment results and approve any Customers with pending validation requests.
Control Selection
ProcessUnity has identified sixty (60) critical controls that describe safeguards to prevent today’s most pervasive and dangerous cyber-attacks. ProcessUnity security professionals review and update this list annually. Customers' recommendations are welcome, although there is no assurance or guarantee that they will make the final list for that year.
The Third Party is required to answer all 60 standard controls as part of the validation process. Third Parties will not be asked to provide evidence for controls which they indicated they have not implemented or which are not applicable (i.e., the control is answered "No" or "NA").
Acceptable Formats for Evidence Delivery
The validation process requires Third Parties to share cyber-relevant information with ProcessUnity Assessors. For this reason, we offer several formats for sharing of evidence artifacts. We have found that the most efficient formats for validation are:
- Document Sharing: The Third Party uploads evidence artifacts either to the Exchange platform or to a cloud-hosted document sharing platform of their choice, such as Box.com.
- Web Conference: The Third Party’s internal security policies may prevent them from uploading evidence artifacts. ProcessUnity Assessors are happy to schedule a web conference to observe evidence artifacts online without taking possession of the artifacts directly.
Standards for Acceptable Evidence
ProcessUnity has developed a strict set of standards for what constitutes acceptable evidence. The following sections of this document describe how those standards are applied to the validation process.
Evidence Types
In general, evidence is categorized into three types:
- Verbal Evidence: Verbal evidence is any evidence that is self-attested. Examples include discussions, written notes or explanations, previously completed self-assessments, etc.
- Written Evidence: Written evidence is any evidence in a narrative documentation format. Examples include policies, procedures, emails, etc.
- Demonstrated Evidence: Demonstrated evidence is any primary, technical evidence. Examples include actual live demonstrations, screenshots, exports, etc.
The following bullets summarize when each type of evidence may be used to validate a Third Party’s assessment answers:
- Verbal evidence is never acceptable for validation. However, verbal evidence may provide context beneficial in the overall validation process.
- Written evidence is acceptable in limited situations where narrative documentation is the focus of the evaluated security control. For example, a copy of an Access Control Policy likely provides adequate evidence for a control requiring the development of an Access Control Policy.
- Demonstrated evidence is the predominant type of evidence that is requested and used for validation. For example, a screenshot showing the configuration settings of an AWS S3 bucket may provide acceptable evidence for a control requiring encryption of data at rest.
Evidence Evaluation
ProcessUnity Assessors are tasked with measuring the accuracy of a Third Party’s assessment responses based on the evaluation of evidence artifacts. The following general practices are employed to ensure that the review is fair, correct, consistent, and efficient:
- Evidence must directly illustrate the implementation or effectiveness of the evaluated control in order to validate a third party's answers.
- Assessors may not infer or make assumptions about information not clearly illustrated in the provided evidence.
- All evidence must be attributable to the Third Party being assessed.
- Evidence must be attributable to the type of asset that is the focus of the Third Party's chosen assessment answer.
- ProcessUnity will accept certain secondary assessment artifacts as evidence (e.g., SOC, ISO, and PCI-DSS reports and certifications) as long as the provided artifacts meet the following criteria:
  - The assessment was conducted by an organization that is wholly independent of the Third Party.
  - The evaluation was undertaken within the previous 12 months (or an official bridge letter extends the "expiration" to within 12 months).
  - The scope of the assessment and its relation to the Third Party is explicitly defined.
  - The requirements and objectives of all tested controls can be directly correlated to the Third Party's ProcessUnity assessment controls and answers.
  - The results of the independent assessment tests are documented.
  - The independent assessment resulted in no exceptions from the stated control.
Independence
Assessors must maintain appropriate independence from Third Parties involved in the validation process. To maintain this independence, Assessors:
- Will not provide explicit direction to Third Parties regarding specific evidence. For example, an Assessor will not coach a Third Party on how to navigate to Active Directory and locate a particular GPO that satisfies a control being validated.
- Will not provide explicit remediation recommendations to Third Parties or Customers. Assessors are often called upon to provide expert opinions on various cybersecurity topics. If asked, an Assessor can provide high-level remediation recommendations (e.g., "A properly implemented SIEM tool would improve your ability to collect and analyze log data.") but may not make explicit recommendations (e.g., "You should purchase Splunk. That will lower your risk.").
- Will not direct Third Parties on answer options. Assessors are often asked to sit in on calls or meetings with Third Parties who need clarification during the ProcessUnity assessment. Assessors can clarify what a particular control, question, or answer option means but cannot tell the Third Party which answer to choose.
Evidence Artifact Security
ProcessUnity Assessors prioritize protecting evidence artifacts. Third Party evidence artifacts are considered highly sensitive, and in many cases their sensitivity exceeds that of the answers in the assessment itself. Documents uploaded during the assessment process are securely stored on the ProcessUnity Global Risk Exchange Platform.
Validation Team
The ProcessUnity Validation Team collectively has over 75 years of cyber security and privacy auditing and assessment experience. ProcessUnity Assessors have worked in various fields and industries in the public and private sectors, including healthcare, energy, telecommunications, retail, finance, information technology, and computing.
The Validation Team members have developed information security curriculums at the university level and contributed to developing and implementing the Federal Risk and Authorization Management Program (FedRAMP) for the United States government.
Training
Validation Team members are graduates from universities and cyber security programs worldwide. They hold degrees in industry-relevant fields such as Information Systems Security, Computer Science, Business, and Cyber Law. In addition, team members hold or are currently pursuing recognized certifications such as Security+, CISSP, CISA, CRISC, CSIM, CEH, CTPRP, CTPRA, CIPP/US, ISO27001LI/LA, and ITILv3.
All ProcessUnity Assessors undergo extensive training before being assigned to any validation activities. Training includes basic auditing and assessment best practices, internal ProcessUnity procedures, application utilization, and advanced data security measures. Assessors will both shadow and be reverse-shadowed on initial validation assignments to ensure they act according to ProcessUnity policies and standards. Refresher training is required periodically for all Assessors.
Partners
ProcessUnity has engaged specific partners to validate our third-party assessments. These partners provide global scalability for our solution. Partner Validation Assessors are trained according to ProcessUnity standards and conduct validation following ProcessUnity standard procedures. Assessors drawn from partner organizations must meet or exceed the capabilities and experience described above.