1. Getting Started with Isora GRC

What is Isora GRC?

Isora GRC is an information security risk assessment and inventory control application. It can be used to conduct targeted risk assessments to assess compliance with specific laws and regulations such as: GLBA 314.4(b), FERPA, HIPAA, SOX, DFARS and GDPR. It can also be used to conduct organization-wide risk assessments against cyber-security frameworks such as: NIST 800-53, NIST 800-171, NIST CSF, ISO/IEC, ITIL and COBIT.

Who should read this document?

Anyone responsible for administering the Isora GRC product.

Who should not read this document?

End-users of Isora GRC who are only required to fill out surveys for assessments (and who may also need to add inventory to Isora GRC); they should read the Isora GRC User Guide instead.

How to use this Guide

If you are just getting started with Isora GRC, start with the overview to get a big-picture view of how the tool is used. Then go through each section step-by-step, in order. The next section of this guide, 2. Initial Setup, contains a list of steps that only need to be performed once, when you first configure the product. The remaining sections consist of explanations of how to use each module of the Isora GRC product. Over time, as you add more assessments, you can revisit this information to remind yourself how to do individual tasks with Isora GRC.

Overview of Isora GRC

The purpose of Isora GRC is to conduct assessments against organizational units and inventory. Before assessments can be performed, you need to put data about your organization and your inventory into Isora GRC. Then you create lists of questions about the organizational units and lists of inventory items to be classified. You can pull from existing lists of questions and/or create your own custom questions. When you create a new assessment, these questions will be compiled into surveys which are targeted to specific organizational units.

When the assessment is pushed out to the organization, specific people within each organizational unit will be responsible for answering the questions and marking the survey as complete. The person who is ultimately responsible for signing off on the survey is called the organizational unit (OU) head. Once all surveys have been marked complete, the entire assessment is considered to be complete.

Over time, you will likely run the same basic assessment on a regular, scheduled basis. Isora GRC’s reports feature allows you to generate simple charts showing trends across multiple instances of an assessment.

Figure 1‑1 General Workflow with Isora GRC

The order of all steps in the workflow is not fixed; however, before surveys can be filled out and OU heads can sign off on them, all of the preceding steps must be complete: organizational and inventory data must be in Isora GRC, and the assessment must be created and published.

In some cases, administrators are not directly responsible for host-level inventory information. This is particularly likely in large environments, where Isora GRC administrators may be directly responsible only for the hosts used by their own organizational unit, while others within the larger organization are responsible for the majority of hosts. In that case, an alternative workflow may be used.

Figure 1‑2 Alternative Workflow with Isora GRC

Users may add inventory data to Isora GRC before or after the Isora GRC administrator creates an assessment.
If you can't find what you are looking for and need support, email support@saltycloud.