Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. Currently, Isora GRC supports three different types of assessments that target different types of entities. They are organizational, app, and vendor.

Organizational Assessments

An organizational assessment can be thought of as a bunch of questions along with a list of organizational entities that the assessment is targeting. For each organizational unit that is affected by the assessment, at least one survey will be created. Responsible users within the organizational unit then fill out the surveys. When all surveys of an assessment have been completed and signed off appropriately, the entire assessment is complete.

Organizational assessments are not created from the Assessment page. They are created on the Settings page. Only Isora GRC superusers have the ability to create organizational assessments and publish them to users.

The following flowcharts illustrate many of the aspects of organizational assessments and how they come together to produce surveys for the users.

...

Figure 1: Org Unit Assessment Object Relationships

In the latest version of Isora GRC, the host categorization part of organizational assessments is optional. In earlier versions, it was required, even if included org units had no hosts.

App Assessments

For app assessments, you can only choose one app to assess for a given assessment. So there is also only one survey produced, which simply consists of the questions in the question list you use when you create the assessment, and an overall classification of the app based on the data it has access to.

...

Figure 8-3 App Assessment Object Relationships

Assessment Types

App assessments can be created from the Settings page by a superuser, or from the Assessments page by an Assessment Manager.

...

Figure 2: App Assessment Question Object Relationships

Vendor Assessments

Vendor assessments are targeted toward third-party products. Unlike other types of assessments, any Isora GRC user with any role in an organizational unit can create or edit a vendor assessment. By default, vendor assessments are visible to only other members of the same org unit that created the assessment, but you can make them visible to everyone.

A vendor assessment includes a target, which is a specific vendor product, and a question list. There is just one survey, and it’s usually filled out by means of an external link provided to the vendor representative. The vendor rep does not need to log into Isora GRC to access the link. Alternatively, a local Isora GRC user could fill out the survey.

...

Assessment Series

Assessment series are used to track the same assessment when you run it multiple times in a series. The series are driven by the needs of your organization, and are often tied to governmental regulatory requirements. Each time you are going to start a new series of related assessments, you should start by creating a new assessment series.

Click “manage assessment types” to see a list of existing types, edit or remove them, or add a new one. You can also upload a simple CSV where each line has the name of an assessment type.

...

Assessment types have different target types, depending on what they assess. For example, if you're assessing the security of an application, the target would be "app". The "org unit" target refers to an assessment which includes OU-level questions and classification of all hosts on sheets that belong to the OU. You can rename an existing assessment type, but you can't change its target type. If you want to do a one-off assessment, you still need to create at least one assessment series with the appropriate target type because Isora GRC doesn’t directly support the concept of one-off assessments. Typically, all vendor assessments are considered part of the same series.

Only superusers can create or edit assessment series.

Info

Expect future updates to allow Isora GRC to support additional target types.


See also: Setting Up Assessments

...


Questions- the Building Blocks of an Assessment

Working With Questions

Working With Answer Response Groups