2. Unit questions

Owned by Shane Pierce
Last updated: Aug 03, 2020 by Laura McWilliams
3 min read

Each organizational unit has a set of questions to answer which are specific to that unit.  

Layout

Unit questions are listed under question category headings. Each line is roughly broken into the following five, unlabeled columns:

  1. The Info column, with an icon indicating the saved state of the question.
  2. The Question column, which displays the question itself.
  3. The Answercolumn, which will be described later.
  4. The Commentscolumn, where detailed information on the answer is entered.
  5. The Lockcolumn, which contains a button that saves and locks a question once it has been answered.


Sections

Questions are broken into sections by question category. Each category/section represents a major grouping of questions from a specific area of risk, such as Disaster Recovery/Business Continuity Planning, Mobile Device Security, and Security Awareness.

Child Questions

Some questions have child questions, which go deeper into a specific aspect of the parent. A child question may not be visible until the parent is answered.

Delegation

Questions can be delegated to other persons by section, but not by individual question. Delegation is useful when different groups or individuals handle different portions of the business of the unit.

Answering Questions

Answer the question as Yes (100%), No (0%), partially complete, or not applicable. All required questions must be locked in order to acknowledge this step.

Partial (0-33%, 34-66%, 66-99%)

A partial completion answer is useful when a unit has some, but not all, of the controls mentioned in the question in place. For example, if the question pertains to encrypting all unit laptops and only approximately 75% of those laptops have been encrypted, then the partial answer of 67-99% should be used. If a question is answered partially, then a best-guess timeline for implementation should be included in the comments.

When to use “not applicable”

“Not applicable” should be used when a question does not apply at all to a given unit. For instance, if the question is about unit-issued portable devices and the unit does not issue portable devices, that question can be answered “not applicable.”

Comments

Some questions may require comments in order to lock. The requirement for a comment varies by question; some questions might never require a comment; some might always require a comment; and some might require a comment if given a particular answer. Generally, a comment must be provided for “partial” answers.

Saving and Locking Answers

To save and confirm an answer, click the “lock” button in the Lock column. Once locked, the “lock” button will change to an “unlock” button, which can be used to allow editing of an answer. 


Acknowledgement

Step 2 of Isora GRC is not complete until all required questions have been locked. When all questions are locked, an assessment manager for the unit must acknowledge that the information provided is accurate by clicking on the Acknowledge button at the top of the assessment.

Pre-Final Acknowledgement

Once the host categorization and unit questions have been completed and acknowledged by an assessment manager, the assessment is ready for pre-final acknowledgement. An assessment manager must acknowledge the assessment as a whole. Doing so will send email notifications to the unit head for final acknowledgement. This extra step gives assessment managers extra time to prepare before engaging with the unit head.

Final Acknowledgement

Once the assessment has been pre-final acknowledged, a unit head for the assessment must finally acknowledge the assessment. Doing so affirms that all host categorization and unit answers are accurate. This action completes the assessment.




If you can't find what you are a looking for and need support, email support@saltycloud.