Criteria, Asset Categories & Risk Types
When an Account Administrator first signs in to their account, a default set of criteria for use in assessments appears in their Criteria Library. It comprises asset criticality, threat [x3 options], hazard, risk control effectiveness and risk matrix criteria.
The Account Administrator is free to edit or rename this set, but cannot delete it until at least one other set has been created. Deleting it earlier would leave the account with no criteria, because new sets cannot be created from scratch: you copy, rename and modify existing sets.
The default criteria are also visible to Organisational Administrators for the organisations they have been assigned to. They cannot edit the default set of criteria (or any other set owned by the Account Administrator), but they can customise and then save a copy of each set under a new name (to the libraries of the organisations they are assigned to).
When an Account or Organisational Administrator saves a new set of criteria in this way, it appears only in the Criteria Library of the selected organisation(s) and their subordinate Business Units. This means that a Business Unit Administrator can see and use the criteria that Account and Organisational Administrators have saved to each organisation. It is also useful in situations where users in one organisation should not see the criteria of another.
Organisational Administrators can assign saved sets to all, some or just one of the organisations they have been assigned to. Only the Account Administrator can save criteria so that they are accessible to all organisations in the account. The same rules apply to Asset Categories, Risk Types, Assets, Hazards, Threat Actors and Control Categories.
Asset Categories and Risk Types
Account and Organisational Administrators can edit or delete the Asset Categories and Risk Types that they ‘own’. To do so, click the three dots on the relevant row in the library.