Once you have all of the questions and question lists you need in Isora GRC, you can start to create assessments. An assessment can be thought of as a bunch of questions along with a list of organizational entities that the assessment is targeting. SCISORA-1504 - Getting issue details... STATUS For each organizational unit which is affected by the assessment, at least one survey will be created. Then responsible users within the organizational unit fill out the surveys. When all surveys of an assessment have been completed and signed off appropriately, then the assessment is complete.
Assessments aren't created from the assessment module. They are created using the admin module. Only Isora GRC superusers have the ability to create assessments and publish them to users.
The following flowchart illustrates many of the aspects of assessments and how they come together to produce surveys for the users. In the chart, an "org unit" type (previously referred to as "classification" type) of assessment is shown.
PLEASE NOTE: The flowchart illustrates answer choices and answer response groups, which are a new and upcoming feature. Not all instances of Isora GRC support these features yet.
Figure 8-2 Assessment Object Relationships
Assessment Types
Assessment types are used to track the same assessment when you run it multiple times. The types are driven by the needs of your organization, and often tied to governmental regulatory requirements. Click “manage assessment types” to see a list of existing types, edit or remove them, or add a new one. You can also upload a simple CSV where each line has the name of an assessment type.
Assessment types have different target types, depending on what they assess. For example, if you're assessing the security of an application, the target would be "app". If you're assessing an individual person or host, you would choose "person" or "host" as the target. The "classification" target refers to an assessment which includes OU-level questions and classification of all hosts within the OU. (Note: Legacy assessments (which contain unit-level questions and selected host classifications) also have the "classification" target, for compatibility.) You can rename an existing assessment type, but you can't change its target.
PLEASE NOTE: Not all instances of Isora GRC support different target types yet. For legacy Isora GRC, "classification" (org unit) is the only target type and it is implicit.
Creating or Editing Assessments
To work with assessments, click the “manage assessments” link. In the table, you can see a list of existing assessments. A value of published=”yes” means that the assessment has been published to Isora GRC, and surveys are available to users. It does not indicate whether any individual surveys of the assessment have been launched.
All assessments that have ever been created will be listed here. This allows you to see both current and historical data. You can remove assessments by clicking the X next to them. You can also edit an existing assessment, or click the + button to create a new one.
The page you see when you edit an existing assessment is just like what you see when you create a new one, except it’s already filled in with existing data.
Historically, assessments would be targeted to one or more organizational units. In current versions of Isora GRC, you can create assessments that target various types of entities. Depending on the target type of an assessment, different options will be presented when you create a new assessment.
To create a new one, click the + button. This starts a 2-step process. In the first step, you assign a name, due date and assessment type. Depending on the type you choose, the following drop-down will be populated with question lists that are appropriate for the target type of the assessment. If this is a draft and you don't want anyone to actually start the assessment yet, leave the "publish on create" box unchecked.
Click next to process to the second step of the process. Depending on what type of assessment you are creating, the next step will offer different options. For example, if the target of the assessment type is "app," you type the name of the app you want to assess into the search box.
If the type of assessment you are doing includes unit-level questions, then you'll be presented with a list of organizational units, so you can choose whichever ones you want to include. Each OU chosen will result in a survey being published once the assessment is launched, and whoever has the authority within that OU will be able to answer the questions.
Continue clicking the checkboxes next to the OU names and filling out the forms for each OU, until all of the OUs that you want have been included. If you omit something, until it’s published, you can edit the assessment later to add it. Once published, you won’t be able to edit the assessment.
Click the “create” button to save the new assessment.
If you save an assessment without publishing it (by setting published to “yes”), you will see a published value of “no” in the assessments table. You can edit the assessment to make whatever changes you still need, then publish it later.
Once an assessment has been published, the assessment managers and other Isora GRC users can view it on the assessment module when they log in.
Related content: