Default Records and Text
There is presently a range of default data that you will see in the system, including the following:
- Asset Categories: These are relevant to the Asset Criticality Assessment within each assessment and enable Assessors to group assets under common categories (e.g. employees, contractors and visitors are all categorised as ‘People’). These enable Assessors to describe assets are higher level categories within their reports, rather than to list every individual asset. Default Asset Categories can only be edited by the Account Administrator – Organisational and Business Units Administrators can edit those applicable to their entities only.
- Risk Types: These are relevant to the Security Risk Register and allow Assessors to associate individual risks with risk categories for reporting purposes. Default Risk, Types can only be edited by the Account Administrator – Organisational and Business Units Administrators can edit those applicable to their entities only.
- Criteria: Default Asset Criticality, Threat, Risk Control Effectiveness and Risk Criteria exist within the system and can be used as is, or adjusted and saved under a different name for future use. This enables quick orientation for users, in terms of how criteria is intended to be constructed, and in many cases it can be used as is.
- Threat Actors and Acts: A default list of Threat Actors and Acts appears within the Threat Assessment stage of an assessment, enabling users to quickly delete what they don’t need and populate the remainder.
- Control Categories and Controls: Similarly, the Risk Control Effectiveness (RCE) Assessments contains a quantity of default content to guide users – this can be deleted if not needed, or repurposed (if users have permissions to do so) to speed the assessment process along.