Correlation Evidence Questionnaire


A Correlation Evidence Questionnaire, in the context of cybersecurity and often third-party risk management, is a focused set of questions designed to achieve two primary objectives: first, to gather self-reported information about security controls and practices, and second, to specifically request and organize evidence that supports and validates those claims.

This type of questionnaire moves beyond the simple "yes/no" or self-assessment format by deliberately requiring proof, or "correlation evidence," to substantiate the claimed security posture. The term "Correlation" implies that the answers provided by an individual or vendor must align and be verifiable against the required supporting documentation or observed technical data.

Purpose and Function

The primary function of a Correlation Evidence Questionnaire is to close the gap between an organization's stated security posture and its actual, operational state.

  1. Demand for Verifiable Proof: Unlike a general security questionnaire, which might accept a simple assertion such as "Data is encrypted," an Evidence Questionnaire will require supporting documentation, such as a screenshot of the encryption configuration, a policy document detailing encryption standards, or an audit log showing a data protection review.

  2. Facilitating Cross-Functional Cooperation: Providing evidence requires input from various departments within the organization, including IT operations, legal, human resources, and compliance teams. Gathering and organizing that evidence therefore forces cross-functional cooperation and establishes a single source of truth.

  3. Risk Assessment and Prioritization: By correlating claims with evidence, the recipient organization (typically the client or third-party risk management team) can conduct a more accurate, objective risk assessment. Discrepancies between the answer and the evidence expose a security gap or a failed control, which can then be prioritized for remediation.

  4. Due Diligence and Legal Defense: The collected evidence serves as due diligence documentation. In the event of a security incident or breach involving the assessed entity, the accumulated evidence provides a legal record of the security controls that were claimed and verified at that time, which can be critical for liability and insurance claims.

Structure and Content

The questions within this type of questionnaire typically cover a wide range of risk domains, including:

  • Access Control: Requiring evidence of multi-factor authentication policies and role-based access logs.

  • Incident Response Planning: Requiring documented incident response plans, communication procedures, and evidence of periodic testing.

  • Data Protection: Requiring evidence of encryption practices for data at rest and in transit.

  • Compliance: Requiring certification documents or audit reports for frameworks like ISO 27001 or SOC 2.

The overall goal is to establish transparency and trust by ensuring that all security claims are backed by solid, tangible proof.

ThreatNG provides direct, powerful support for the Correlation Evidence Questionnaire concept by providing a foundation of objective, verifiable external evidence that can be used to validate or invalidate self-reported security claims. The platform dynamically generates these questionnaires based on its findings, making them relevant and focused on actual external risk.

External Discovery and Continuous Monitoring

ThreatNG eliminates blind spots by continuously discovering assets that should be under security control, providing the necessary scope for the questionnaire.

  • External Discovery: ThreatNG performs purely external unauthenticated discovery to map an organization's whole attack surface. This baseline information on discovered subdomains, mobile apps, and technologies forms the factual context against which questionnaire responses are correlated.

  • Continuous Monitoring: The platform continuously monitors the external attack surface. This ensures that if a control fails after a questionnaire is completed (e.g., a security header is removed), the questionnaire's answer is immediately invalidated by new evidence, proving that the claimed control has decayed.

External Assessment (The Correlation Evidence)

ThreatNG’s assessments generate the specific, objective data points needed to correlate against an organization’s stated policies.

  • Subdomain Takeover Susceptibility: A questionnaire might ask, "Do you have a rigorous subdomain decommissioning process?" ThreatNG’s assessment provides evidence of correlation by checking for Subdomain Takeover Susceptibility. A positive finding—an inactive or unclaimed CNAME record pointing to an external service such as Heroku or Vercel—is irrefutable evidence that the claimed process failed and requires corrective action.

  • Web Application Hijack Susceptibility: A question might be, "Are your web applications protected against common browser attacks?" ThreatNG's Web Application Hijack Susceptibility Security Rating acts as evidence by confirming the presence or absence of key security headers such as Content-Security-Policy and HTTP Strict-Transport-Security (HSTS). A missing header provides the correlation evidence that the defensive control is absent or misconfigured.

  • Data Leak Susceptibility: If a questionnaire asks, "Are all cloud storage buckets privately configured?" ThreatNG's assessment provides evidence of correlation by uncovering Cloud Exposure (specifically, exposed open cloud buckets). The verifiable discovery of an exposed Microsoft Azure or AWS bucket instantly contradicts a "yes" answer.

Investigation Modules

ThreatNG’s investigation modules are the source of the dynamic questions and the high-certainty proof used to demand evidence.

  • Dynamically Generated Questionnaires: The platform’s unique value is its ability to create dynamically generated Correlation Evidence Questionnaires where questions are based on the discovery and assessment results.

    • Example: If the Sensitive Code Exposure module discovers a leaked AWS Access Key ID in a public GitHub repository, the system dynamically inserts a high-priority question: "Provide evidence of log-in attempts using the exposed AWS Access Key ID and confirm its status (revoked/active)".

  • Contextual Risk Intelligence (Context Engine™): The Context Engine™ ensures the evidence is irrefutable by delivering Legal-Grade Attribution. This ensures that the evidence attached to a question is not just a vague indicator but highly correlated technical proof, accelerating cross-functional cooperation to address the issue.
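The correlation step described under External Assessment, and the dynamically inserted follow-up question described just above, as an added example (not ThreatNG's code): self-reported "yes" answers are checked against constructed external findings (a captured HTTP response missing CSP and HSTS, a dangling CNAME), and each contradiction yields an evidence request. Hostnames, records and the claim keys are made up for illustration.

```python
# Added example, not ThreatNG code: correlate self-reported questionnaire answers
# with constructed external findings (hostnames and records below are made up).
REQUIRED_HEADERS = {"content-security-policy", "strict-transport-security"}

# Constructed raw HTTP response as a scanner might capture it; note no CSP/HSTS.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n\r\n"
)

def parse_headers(raw):
    # Return {lower-case header name: value}, ignoring the status line and body.
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def missing_security_headers(raw):
    return sorted(REQUIRED_HEADERS - set(parse_headers(raw)))

# Constructed self-reported answers (True means "yes") and external findings.
CLAIMS = {"web_apps_protected": True, "subdomain_decommissioning": True, "buckets_private": True}
FINDINGS = {
    "http_responses": {"www.example.com": SAMPLE_RESPONSE},
    "dangling_cnames": ["old.example.com -> retired-app.herokuapp.com"],
    "open_buckets": [],
}

def correlate(claims, findings):
    # Return (claim, contradicting evidence, follow-up evidence request) per contradicted claim.
    out = []
    if claims.get("web_apps_protected"):
        for host, raw in findings["http_responses"].items():
            missing = missing_security_headers(raw)
            if missing:
                out.append(("web_apps_protected", f"{host} lacks {', '.join(missing)}",
                            f"Provide the deployed response-header configuration for {host}."))
    if claims.get("subdomain_decommissioning"):
        for rec in findings["dangling_cnames"]:
            out.append(("subdomain_decommissioning", f"dangling CNAME {rec}",
                        "Provide the decommissioning ticket and the corrected DNS zone record."))
    if claims.get("buckets_private"):
        for bucket in findings["open_buckets"]:
            out.append(("buckets_private", f"open bucket {bucket}",
                        "Provide the bucket policy and an access-log review for the bucket."))
    return out
```

Each tuple returned by `correlate` is one questionnaire item: the claim that was contradicted, the external evidence that contradicts it, and the proof the respondent now has to supply.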

Intelligence Repositories

The intelligence repositories provide the external risk context that elevates the importance of the evidence requested in the questionnaire.

  • Vulnerabilities (DarCache Vulnerability): If a component found on an external subdomain has a vulnerability, the repository checks KEV (known exploited vulnerabilities) and EPSS (exploitation likelihood). This context is attached to the corresponding questionnaire item, informing the recipient that the requested evidence relates to a risk that is actively being exploited in the wild, thereby raising the response priority.

  • Compromised Credentials (DarCache Rupture): The discovery of relevant Compromised Credentials from a dark web repository provides objective evidence that external identity controls have failed, forcing the questionnaire recipient to provide immediate evidence of a password reset and MFA enforcement for the affected account.

Reporting

ThreatNG's reporting helps formalize the correlation process and communicate discrepancies to GRC stakeholders.

  • External GRC Assessment Mappings: The findings that drive the questionnaire questions are mapped to frameworks such as HIPAA, GDPR, and NIST CSF. This allows the report to show exactly which regulatory controls are not supported by the external evidence, compelling a governance response.

  • Prioritized Reporting: The platform uses its ratings and contextual intelligence to prioritize the findings and their associated questions, ensuring the organization dedicates resources to gathering evidence for the most critical risks (High) first.

Complementary Solutions

ThreatNG's ability to serve as an external evidence provider can drastically streamline internal security governance workflows.

  • Working with GRC Platforms: ThreatNG’s dynamically generated questions and External GRC Assessment findings can be integrated with a GRC Platform. This allows the platform to automatically flag discrepancies when a self-reported answer (e.g., "MFA is enforced") contradicts ThreatNG’s external correlation evidence (e.g., a login portal found during discovery lacks MFA), ensuring the internal audit accurately reflects the operational security posture.

  • Working with IT Service Management (ITSM) Tools: When the correlation evidence gathered by the questionnaire confirms a technical fix is needed (e.g., "Yes, we fixed the dangling DNS record"), ThreatNG’s initial discovery and subsequent validation can be used by an ITSM tool to automatically close the associated high-priority remediation ticket, completing the control lifecycle and documenting the evidence for the fix.
