Physical Validation: Program Design & Scope Flashcards
Program Design & Scope
-Framework
-The framework your cybersecurity and third-party
risk management utilize can drive the domains
covered in your physical validation exercises. For the
purpose of this lesson, we’ll use NIST to describe the
domains covered
-Process Outline
Greg is heavy CSF user.
Your cybersecurity framework and how you design your questions out of that.
Look at how your framework is and security standards are built.
What are we checking when we go to a vendor?
Should be what we already have inside our current program
Physical Validation Overview 1
Physical Validation is when a cyber assessor will require the third party to demonstrate that they not only have sufficient standards and process in place, but also can evidence they are operating as intended. For example, if a third party’s access management policy says privileged accounts must be reviewed quarterly, the cyber assessor will want to validate that process is occurring by requesting evidence of the last review (usually a screenshot with date/time stamps)
Physical Validation Overview 2
This step provides much more clarity of the security risk of a third party, if done correctly.
If it is done as a checklist, it is only succeeding at compliance. This class teaches the method of interviewing a third party on their cybersecurity program, while also substantive testing policies, and procedures that looks to ensure security is done end-to end. While this may seem time consuming, most programs that utilize this method can perform a physical validation in two or three days. This process also does not take many resources (only one or two skilled assessors). In the end, physical validation will provide your organization with a more robust TPRM program that can better evidence security controls are in place at a third party location and operating as intended.
