The application of frameworks can be observed throughout various features of the GRX platform. This provides users with the ability throughout the assessment lifecycle to evaluate a company's risk through a lens that is most meaningful to their business and its needs.
Frameworks Overview
A security framework is a structured set of guidelines, standards, and best practices designed to help organizations manage and mitigate security risks. It provides a comprehensive approach to identify, protect, detect, respond to, and recover from security incidents. Security frameworks typically cover areas such as governance, risk management, compliance, security controls, and incident response.
Some well-known security frameworks include:
• NIST Cybersecurity Framework (CSF): A voluntary framework by the National Institute of Standards and Technology (NIST) that provides a policy framework for computer security guidance.
• ISO/IEC 27001: An international standard for information security management systems (ISMS) that outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS.
Why Frameworks are Valuable
• Consistency: Frameworks provide standardized methods and processes, ensuring consistency across projects and organizations.
• Efficiency: By following established guidelines and best practices, organizations can streamline their processes and reduce the time and effort required to achieve their objectives.
• Quality: Frameworks help maintain high standards and ensure that outcomes meet predefined criteria for quality and performance.
• Risk Management: Frameworks often include risk management strategies, helping organizations identify, assess, and mitigate potential risks.
• Compliance: Many frameworks are designed to help organizations comply with industry regulations and standards, reducing the risk of legal and financial penalties.
• Continuous Improvement: Frameworks promote ongoing evaluation and refinement of processes, enabling organizations to adapt and improve over time.
In essence, frameworks are invaluable tools that provide structure, guidance, and assurance, helping organizations achieve their goals more effectively and efficiently.
At ProcessUnity, we use a variety of frameworks for different requirements and scenarios, including:
• Industry specific – such as HIPAA (for healthcare) and NY-DFS (for financial services)
• Region/Country specific – such as DORA (EU) and CPS234 (AUS)
• Generally accepted standards – such as CSF (NIST) and ISO27001 (licensed content)
• Specific threats – such as Volt Typhoon (PRC) and Clop ransomware (RUS)
Features that Utilize Frameworks
The following features use frameworks as an integral part of their functionality. Depending on the feature, the selected framework may differ, since each feature serves different use cases.
Requests
When placing a request on a third party for assessment data and/or validation data, you must select a framework from the list of available options in the request form drop-down.
Factors that may influence the selection of the requested framework:
- The framework through which your company prefers to evaluate third-party risk will likely influence what is requested. This ensures that only those controls significant to your organization, and to how it evaluates risk, are requested from the third party. If your company has a custom framework or access to a licensed framework, these are also available to request.
- The drop-down list shows, for each framework, how many of its total controls the respective company has already attested and has readily available (following approval). This data can help determine which framework to request for the quickest delivery of attested results. For example, if a company has all 60 of the 60 controls included in the 'ProcessUnity Critical Cyber Risk Questionnaire' attested, requesting that framework would be relatively quick for the third party to deliver, since the data is already available and only needs to be approved for access.
- Validation requests are limited to ProcessUnity frameworks. If validation data is required in addition to an assessment request, the request for both assessment and validation results must be placed on either the 'ProcessUnity Critical Cyber Risk Questionnaire' or the 'ProcessUnity Cyber Risk Questionnaire'.
Shares
When sharing your assessment results and/or validation data with a company, you must select a framework from the list of available options in the request form drop-down.
Factors that may influence the selection of the shared framework:
- The company you are sharing with may have previously communicated that it evaluates risk through a given framework (e.g. NIST). Alternatively, given that company's location or industry, it may be highly likely to use a given industry framework (e.g. HIPAA) or regional standard (e.g. EU DORA, various Australian security frameworks). These considerations help you share the most applicable framework with a company, so that only the most relevant control data is shared.
- The drop-down list shows, for each framework, how many of its total controls have already been attested and are readily available for sharing. This data can help determine which framework is best to share without any additional controls needing to be answered for a complete, attested dataset to be provided.
- Validation shares are limited to ProcessUnity frameworks. If validation data is required in addition to sharing assessment data, the share for both assessment and validation results must be placed on either the 'ProcessUnity Critical Cyber Risk Questionnaire' or the 'ProcessUnity Cyber Risk Questionnaire'.
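The two selection rules above (prefer the framework with the fewest controls still to be attested, and restrict to the two ProcessUnity questionnaires when validation data is required) apply to both requests and shares. The following Python is an added illustration, not code from the GRX platform or this page: it encodes those rules over a constructed drop-down listing. The counts, the non-ProcessUnity framework names and all function names are assumptions.

```python
from dataclasses import dataclass

# The page states that validation requests and shares are limited to these two
# ProcessUnity questionnaires; every other name and count below is constructed.
PROCESSUNITY_VALIDATION_FRAMEWORKS = {
    "ProcessUnity Critical Cyber Risk Questionnaire",
    "ProcessUnity Cyber Risk Questionnaire",
}


@dataclass(frozen=True)
class FrameworkOption:
    """One row of the request/share drop-down: 'attested / total' controls."""
    name: str
    attested: int  # controls already attested and available (after approval)
    total: int     # total controls included in the framework

    @property
    def coverage(self) -> float:
        return self.attested / self.total if self.total else 0.0

    @property
    def outstanding(self) -> int:
        # Controls the third party would still have to answer and attest.
        return self.total - self.attested


def eligible(options, need_validation):
    """Hard constraint: validation data only exists for the ProcessUnity questionnaires."""
    if not need_validation:
        return list(options)
    return [o for o in options if o.name in PROCESSUNITY_VALIDATION_FRAMEWORKS]


def rank_by_delivery_speed(options, need_validation=False):
    """Order candidates by fewest outstanding controls, then highest coverage, then name."""
    candidates = eligible(options, need_validation)
    return sorted(candidates, key=lambda o: (o.outstanding, -o.coverage, o.name))


# Constructed drop-down contents (hypothetical counts).
SAMPLE_DROPDOWN = [
    FrameworkOption("ProcessUnity Critical Cyber Risk Questionnaire", 60, 60),
    FrameworkOption("ProcessUnity Cyber Risk Questionnaire", 180, 240),
    FrameworkOption("NIST CSF", 95, 108),
    FrameworkOption("HIPAA", 40, 75),
]

if __name__ == "__main__":
    for o in rank_by_delivery_speed(SAMPLE_DROPDOWN, need_validation=True):
        print(f"{o.name}: {o.attested}/{o.total} attested, {o.outstanding} outstanding")
```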
Questionnaire Completion
Following a customer's assessment and/or validation request, these requests will appear in the Request and Shares table found on the Questionnaire Dashboard. Any shares initiated by a third party to a company will also appear here.
Requests and shares found here are differentiated by the requested framework, and grouped when multiple requests/shares for the same framework are present. This allows users to prioritize one request over another, based on a high-priority customer, the total number of requesting customers, and/or the total number of questions included in a framework request. For example, users can choose to complete smaller requests first so that delivery of those results is expedited.
Risk Navigator
Risk Navigator provides the granular and summary level predictive and attested assessment results for a given company, in addition to mapping this data to industry-accepted frameworks, threat profiles, and MITRE ATT&CK scenarios. It supports your organization in evaluating a company's risk through a "lens" that is meaningful to your business and its needs.
By default, Risk Navigator maps to the 'ProcessUnity Cyber Risk Questionnaire' framework. To map to a different framework, use the framework drop-down. The three frameworks most frequently mapped to by your company's users are listed at the top for quick access.
Given the flexibility of this feature, you can map to as many frameworks as you like in order to generate different datasets for risk analysis. You can also map to our legacy questionnaire, which includes our prior group structure and sub-control data.
Portfolio Risk Findings
Portfolio Risk Findings provides summary level predictive and attested assessment results for all companies in your portfolio, in addition to mapping this data to industry-accepted frameworks, threat profiles, and MITRE ATT&CK scenarios. It supports your organization in evaluating portfolio level risk through a "lens" that is meaningful to your business and its needs.
By default, Portfolio Risk Findings maps to the 'ProcessUnity Cyber Risk Questionnaire' framework. To map to a different framework, use the framework drop-down. The three frameworks most frequently mapped to by your company's users are listed at the top for quick access.
Given the flexibility of this feature, you can map to as many frameworks as you like in order to generate different datasets for risk analysis. You can also map to our legacy questionnaire, which includes our prior group structure and sub-control data.
Frameworks List
A complete list of all available Frameworks can be found here