Evidence Validation
ProcessUnity Exchange validated assessments features two phases: the self-assessment phase (questionnaire) and the validation phase. Customers request validated assessments in order to evaluate the accuracy of their Third Party’s self-assessment answers. This evaluation is referred to as the assessment validation phase. This guide will cover the following:
Evidence Preparation & Guidance
Assessment Validation Phase
During the self-assessment (questionnaire), the Third Party answers a set of standard 60 controls, referred to as 60 Critical Controls. Only those 60 Critical Controls that were answered "Yes" will be validated. The standard method for conducting validation is for the Third Party to upload evidence through the Exchange platform or another secure file sharing platform that the Third Party chooses. ProcessUnity will also accept viewing of evidence via teleconference, if this is preferred.
The validation phase consists of two rounds. Each round has a stage of collection and review. In the initial round, the Third Party is asked to collect evidence for all 60 Critical Controls answered "Yes". The GRX assessors will review the evidence submitted by the Third Party to determine the degree to which it supports the Third Party’s assessment answers. If any controls could not be validated by the evidence that was initially provided, a follow-up round is available. The Third Party is then asked to provide additional evidence for these remaining controls within 30 days. If no addtional evidence is provided in that timeframe, the validation will be closed and results will remain "Not Validated" for those controls.
PLEASE NOTE: In order to maintain the efficiency of the assessment process, we must limit evidence collection and review to the two rounds described above. Assessments are only re-validated on an annual basis, if requested by a customer to do so.
Please see the "Validation Process" article for more detailed instructions on how to provide evidence in the ProcessUnity Exchange.
Evidence Help Sheet
Following completion of the initial validation round, the Assessor will update the existing Evidence Help Sheet to reflect the remaining controls that could not be validated. This updated Evidence Help Sheet will also include an additional column with comments from the assessor to help guide the Third Party for the final round of evidence upload and review without being prescriptive.
To access this file, from within an individual 60 Critical Control question, select 'Download Evidence Help Sheet'.
Evidence Preparation & Guidance for Third Parties
Identifying the appropriate evidence artifacts can be difficult, so we’ve developed this guidance to provide some helpful recommendations, tips, and tricks.
- Be sure that the evidence you provide clearly supports the answers chosen in your assessment.
- Example: If you answered that you encrypt data at rest, a screenshot of a valid SSL certificate is not appropriate evidence, even though it addresses the use of encryption. Instead, consider providing a screenshot from a whole disk encryption solution.
- Consider adding a notation or comment for the GRX Assessor if an explanation is needed to clarify the evidence provided. This can significantly reduce the amount of time it takes to complete the validation process.
- Label provided evidence with the number of the corresponding control(s). This too can significantly reduce the amount of time it will take an Assessor to evaluate the evidence and complete the validation process.
- Remember that verbal evidence alone, without the support of documentation or other evidence artifacts, is not sufficient to validate assessment answers. Verbal evidence includes conversations or interviews with GRX Assessors as well as written explanations submitted as evidence.
- Example: Providing a note that says, “We de-activate accounts after 5 unsuccessful login attempts.” would not be sufficient evidence to validate control Account Lockout. Instead, consider sending a screenshot from a group policy that shows the setting for the account lockout threshold.
- Written policies can provide excellent evidence for assessment answers that focus on the existence, development, update, or execution of policy. Policies generally do not provide clear evidence of the actual implementation or effectiveness of technical security controls (e.g. Server Hardening).
- Whenever possible, ensure that the evidence you provide can be attributed to your organization. An isolated snippet from one paragraph of an SOP may support an assessment answer but will likely result in a follow-up request from the GRX Assessor. Instead, consider sending the entire SOP or SOP section that includes your organization’s branding.
- Ensure that provided evidence is clearly associated with the type of asset (e.g. workstations, servers, mobile devices, etc.) that is the focus of your chosen assessment answer.
- Example: If you indicated that you’ve implemented anti-malware tools on desktops and laptops, an isolated screenshot of an anti-malware agent typically will not provide sufficient evidence. This is because there is no way for the Assessor to confirm the type of device on which the anti-malware software has been installed. However, combining the screenshot with a runbook for imaging laptops, for example, can clarify the asset type on which the anti-malware solution has been implemented.
- Previously completed assessment reports or audit reports can be used as evidence, but they must meet the following criteria:
- The assessment must have been conducted by a trusted independent organization
- The assessment must have been conducted within the previous 12 months (or be within its expiry period)
- The scope of the assessment and its relation to the Third Party must be explicitly defined
- The method and results of each tested activity must be clearly documented
- When in doubt, reach out to your ProcessUnity GRX Assessment Coordinator. We are here to facilitate the timely and accurate completion of your assessment and are happy to answer your questions or provide clarification as needed.
Examples of Good Evidence
- It can be attributed to your company
- The name of the policy is visible
- The currency of the policy can be confirmed
- The file is saved as the corresponding control number
- The relevant section of the policy is provided. Table of Contents (ToC) are not sufficient for validation.
Evidence Validation FAQ
The following questions and answers have been curated from actual ProcessUnity Global Risk Exchange Customer interactions.
Q: What if I want more details on the validation process for a specific assessment?
A: This document provides details on many aspects of the evidence validation process. Contact Exchange Support if you require additional information.
Q: How are the controls selected for validation?
A: ProcessUnity has identified sixty (60) critical controls that describe safeguards to prevent today’s most pervasive and dangerous cyber-attacks. This list of critical controls is reviewed and updated annually by ProcessUnity security professionals. Recommendations from Customers are welcome, although there is no assurance or guaranty that recommendations will make the final list for that year.
This list of standard 60 controls are required be answered by the Third Party as a part of the validation process. Third Parties will not be asked to provide evidence for controls which they indicated that they have not implemented or are not applicable (i.e. control is answered "No" or "NA").
Q: Do I (a Third Party) have to provide evidence for validation?
A: Yes and No. Evidence is required in order to validate Third Party assessment answers; however, the assessor does not have to have evidence 'in-hand' if a web conference is the selected method for review. The type of evidence is dependent on the control, assessment questions, and the Third Party's chosen answers.
Q: Is evidence validation conducted remotely or onsite?
A: The most efficient validation occurs when Third Parties upload evidence documents directly to the platform.
Q: What happens if I (the Third Party) don’t want to upload documents to the Exchange?
A: Third Parties may use alternative document sharing methods such as Box.com, Google Drive, MS OneDrive, etc. They may also request live, remote validation sessions via teleconference. These sessions allow the Third Party to display evidence for ProcessUnity Exchange Assessors to review without having to disseminate any documentation. Sessions will not be recorded and screenshots of evidence will not be taken or stored.
Q: How much evidence will I (the Third Party) have to provide?
A: There is no pre-defined list of evidence that is required for each assessment. The number of evidence artifacts will depend on the Third Party’s willingness to share evidence, the controls selected for validation, the number and disparity of answers chosen by the Third Party for each sub-control, and the type of evidence provided (e.g. a screenshot vs a broad compliance report).
The ProcessUnity Validation team is made up of security and audit professionals. When they review evidence, every assessor approaches the evidence with two questions:
1) Based on what I am looking at (in reference to the control) do I reasonably believe they have the control covered or in place?
2) If another security professional were looking at the same thing I am, would they come to the same conclusion?
If they can say, ‘yes’ to both of these, we validate the control.
Q: How does evidence validation impact assessment results?
A: After completing validation, the results are located for review on the 'Risk Profile' tab within the Risk Navigator feature of your own company profile page. Validation results do not impact the assessment scoring results. Control scores are derived using the self-assessment answers. Instead validation outcomes are presented as a separate data point that is used to inform the validity of the control score. Within the Risk Navigator feature is a 'Validation Status' and 'Evidence Type' column which will reflect the final validation state per control and a high-level description of what type of evidence you provided in order to validate the given control.
Q: What if I (the Third Party) disagree with the validation scores in my assessment report?
A: At the end of every assessment an out-brief meeting is offered to the Third Party. Third Parties are encouraged to raise concerns and questions during this meeting or by simply contacting Exchange Support at any time during the assessment and validation phases. Third Parties can also provide comments for a given control that will be viewed by any customers with approved access to that control.
Q: How much time does evidence validation take?
A: An article on this can be found here.
Q: Can ProcessUnity GRX validate evidence if it is submitted in a language other than English?
A: English is the preferred language for validation, but through our global validation partners, we DO have the ability to validate evidence submitted in several other languages (see below list). Please note that non-English validation does not follow our normal SLAs for evidence review (12 days to review initial evidence and 7 days to review follow-up evidence). Moreover, there are rare cases where we cannot in fact support non-English validation due to partner limitations such as conflicts of interest.
- Mandarin
- Spanish
- German
- Russian
- Japanese
- French
- Portuguese
- The Third Party can translate evidence to English and re-submit.
- The Third Party can deny Validation Requests for any customers and provide explanation to the customer as to why they could not complete validation.