Setting Up Assessments
To work with assessments, click the “Assessments” link in the Setup area of the Settings page. There you can work with Series and Assessments.
See also: What is an assessment series?
Working with Series
The “Series” page allows you to view and edit existing series or create new ones.
Each series has a name and a target type. Make sure you choose the correct target type, because later when you create an instance of the assessment within the series, your options will be limited based on the target type.
Possible Target Types
Target Type | Description |
|---|---|
Org Unit | Allows you to create organizational assessments, choosing any number of targeted organizational units. Surveys will include unit questions targeted to each OU and, by default, host categorization for any sheets belonging to targeted OUs. Only superusers can create Organizational Assessments. |
App | Allows you to create an app assessment for a given app in inventory, including an overall classification and app questions. Only superusers and assessment managers can create and complete app assessments. |
Vendor | Allows you to assess a vendor product. Anyone with a role in an OU can create and complete vendor assessments. |
Managing Assessment Series
You should not need to create a large number of assessment series. If this is happening, then you may need to reconsider the way you are structuring your series. Maybe you could reuse a single series for multiple assessments that are essentially one-off, but are related in some way. For example, you could use a single series for all vendor assessments.
You can’t delete an existing series if there are any outstanding assessments the belong to it. However, if all of the included assessments are completed, you can delete the series without losing any data. The existing reports from completed assessments will remain on the Complete tab, even though the series itself has been removed.
Working with Assessments
On the “Assessment” page, you can work with existing assessments or create new ones. Before creating an assessment, the series must already exist. This is true even if you are going to do a one-off assessment. With the exception of vendor products, whatever objects are going to be targeted by the assessment must also exist in Isora GRC before you create the assessment. For example, if you want to assess an app called TimeSheets, the TimeSheets app must already be in inventory before you create the assessment. If you are assessing the MATH organizational unit, the MATH OU must already exist in Isora GRC.
Vendor assessments are handled a little differently from other types of assessments. There is a button on the Assessment page where any authorized user can create a vendor or app assessment. When you create a new vendor assessment, in the process you can add a new product into Isora GRC’s database. You don’t need to do a separate step to add the vendor product into inventory.
When you create a new assessment, you’ll need to first choose the series and then the other options available to you will change depending on your choice. You can also choose whether or not to publish the assessment. Until it has been published, superusers can edit assessments to make changes like choosing a different question list, or a different set of organizational units to include.
Once an assessment has been published, the assessment managers and other Isora GRC users can view and work with it on the Assessment page when they log in. Assessments don’t show up on the Assessment page until they have been published.
Options for Organizational Assessments
Organizational assessments are more complicated than other types of assessments, and they can only be created by a superuser from the Settings page. There are two steps in the dialog for creating these assessments.
On the first step, you assign a name and due date, choose an existing Series and Question List, and decide whether to immediately publish the assessment or not.
On the second step, you choose the org units to include in the assessment. A survey will be created for each targeted org unit.
The second dialog step has two checkboxes that relate to host categorization.
The first one, labeled “Enable host categorization” allows you to skip the host categorization step altogether in this assessment. By default, all organizational surveys have 2 steps- unit questions and host categorization. Even if an org unit has no hosts, it would still have an “empty” host categorization. For use cases where you are not interested in categorizing hosts based on their data, you should uncheck this checkbox.
In older versions of Isora GRC, ALL organizational assessments have to include host categorization. If this is the case for you, and you would like be able to skip the host categorization step, please email support@saltycloud.com to request an update so this checkbox will appear on your system.
The second checkbox, labeled “Skip org units without sheets,” is useful if you are particularly focuses on host categorization. If checked, then any org units without inventory sheets will be excluded, even if you check them in the list- in other words, they will not get a survey created for them and they are effectively not part of this assessment.
See also: FAQ: What is Host Categorization?