You are viewing an old version of this page (Version 14).

What is ISORA?

ISORA is an information security risk assessment and inventory control application. It can be used to conduct targeted risk assessments to assess compliance with specific laws and regulations such as: GLBA 314.4(b), FERPA, HIPAA, SOX, DFARS and GDPR. It can also be used to conduct organization-wide risk assessments against cyber-security frameworks such as: NIST 800-53, NIST 800-171, NIST CSF, ISO/IEC, ITIL and COBIT.

Who should read this document?

Anyone responsible for administering the ISORA product.

Who should not read this document?

End-users of ISORA who are simply required to fill out surveys for assessments (and/or may need to add inventory into ISORA); they should read the ISORA User Guide instead.

How to use this Guide

If you are just getting started with ISORA, start with the overview to get a big-picture view of how the tool is used. Then go through each section step-by-step, in order. The next section of this guide, 2. Initial Setup, contains a list of steps that only need to be performed once, when you first configure the product. The remaining sections consist of explanations of how to use each application of the ISORA product. Over time, as you add more assessments, you can revisit this information to remind yourself how to do individual tasks with ISORA.

Overview of ISORA

The purpose of ISORA is to conduct assessments against organizational units and inventory. Before assessments can be performed, you need to put data about your organization and your inventory into ISORA. Then you create lists of questions about the organizational units and lists of inventory items to be classified. You can pull from existing lists of questions and/or create your own custom questions. When you create a new assessment, these questions will be compiled into surveys which are targeted to specific organizational units.

When the assessment is pushed out to the organization, specific people within each organizational unit will be responsible for answering the questions and marking the survey as complete. The person who is ultimately responsible for signing off on the survey is called the organizational unit head. Once all surveys have been marked complete, the entire assessment is considered to be complete.

Over time, you will likely run the same basic assessment on a regular, scheduled basis. ISORA’s Report feature allows you to generate C-level-friendly charts showing trends across multiple instances of an assessment.



Figure 1‑1 General Workflow with ISORA

The order of all steps in the workflow is not set in stone; however, before surveys are filled out and OU heads sign off on the surveys, all of the previous steps must be completed: data (both organizational and inventory) must be in ISORA, and the assessment must be created and published.

In some cases, administrators are not directly responsible for host-level inventory information. This is particularly likely in large-scale environments. It may be the case that ISORA administrators are directly responsible only for those hosts that are directly used by their organizational unit, and others within the larger organization are responsible for the majority of hosts. In that case, an alternative workflow may be used.



Figure 1‑2 Alternative Workflow with ISORA

Users may add inventory data to ISORA before or after the ISORA administrator creates an assessment.
