Physical Validation: Process Outline Flashcards

1
Q

Process Outline:
Step One

A
  1. Meet with the Business and then with the Third Party to document the “Rules of Engagement” for the onsite visit.

Meet with the vendor and the business to discuss how the vendor operates and to plan the onsite visit; you are there for three days.

2
Q

Process Outline:
Step Two

A
  1. Plan for the visit by creating an evidence list to be provide a head of time to your third party, as well as a list of the process walk throughs you want to accomplish.

Tell them which domains you are going to cover, and ask to see program documentation and evidence that they are actually doing what the program describes.

3
Q

Process Outline:
Step Three

A
  1. Provide a draft agenda to the third party and request they not only confirm topics, but also provide names and emails of those that can discuss each topic.

-Also have them schedule times when the individuals will be available to discuss the topics.
-Allow some flexibility to move these around based on when the SMEs are available.

4
Q

Process Outline:
Step Four

A
  1. Arrive at the site visit on time and perform introductions (you are there as a partner)

-You are there as a partner to uplevel their security and make yours better.

5
Q

Process Outline:
Step Five

A
  1. Follow your agenda, perform your interviews, and review evidence provided for each process.

-Evidence that a process is in place could be a screenshot of AD showing what password limits are configured, or watching someone attempt to log into their system with the wrong credentials and seeing it rejected.

6
Q

Process Outline:
Step Six

A
  1. Discuss any initial findings discovered before you leave to validate if information was missed or if you accurately captured processes.

-Discuss the findings and give them time to review.
-This is a conversation, not a check list.
-Conversation leads to trust.

7
Q

Process Outline:
Step Seven

A
  1. Thank your hosts for a productive site visit and discuss next steps (issue finalization, reporting, and issue remediation follow up)
8
Q

Physical Validation vs Compliance Checklist

A

-Conversation
-Trust
-Discovery

Hire people that are good at being interactive and talking for this role, not just cyber security people.
-The conversation builds up the trust

9
Q

Physical Validation:
Soft Targets for Validation

A

-Vendors with CSPs
-Vendors with no or low data count (but still High Risk)
-Vendors with geographic challenges
-Vendors with scheduling challenges

-If you have a vendor with connectivity but not a lot of data the validation can be done virtually

-Vendors that keep pushing out onsites: try to do it virtually instead. I’d rather have half a sandwich than nothing; some physical validation is better than none.

-Vendors with geographic challenges (e.g. the other side of the country): do a virtual validation with a collaboration tool.

10
Q

Physical Validation Process Steps

A
  1. Meet with the Business and then with the Third Party to document the “Rules of Engagement” for the onsite visit.
  2. Plan for the visit by creating an evidence list to be provided ahead of time to your third party, as well as a list of the process walkthroughs you want to accomplish.
  3. Provide a draft agenda to the third party and request they not only confirm topics, but also provide names and emails of those that can discuss each topic.
  4. Arrive at the site visit on time and perform introductions (you are there as a partner)
  5. Follow your agenda, perform your interviews, and review evidence provided for each process.
  6. Discuss any initial findings discovered before you leave to validate if information was missed or if you accurately captured processes.
  7. Thank your hosts for a productive site visit and discuss next steps (issue finalization, reporting, and issue remediation follow up)