Setting up and Completing an Assessment
Account, Organisation and Business Unit Administrators are the only users who can set up new assessments. They can then complete the assessments themselves, or allocate an Assessor role to a user to do so (by finding the user’s record in SECTARA and adding an Assessor role). The significant benefits of setting up assessments for an Assessor to complete are that Administrators can:
- Control which criteria are used for each assessment.
- Define Threat and Risk Tolerance settings.
- Pre-populate assessments with External, Internal and Security Risk Context headings that they wish Assessors to focus on.
- Define specific assets, Threat Actors and Acts, Control categories and Controls that they wish to be included within each assessment.
- Create large productivity gains for Assessors: they only have to focus on the risk assessment itself, not the peripherals.
To set up an assessment:
- From the Landing Page, or from within an Organisation or Business Unit, create a new assessment, give it a name and save it.
- Once the assessment has been created, open it.
- At top right, under the “View Analytics” button, is a button marked with a “+”. Click this to open the criteria section for the assessment, which reveals the assessment criteria (Asset Criticality, Threat, Risk Control Ratings and Risk Matrices). It is suggested that you click on the Asset Criticality criteria first and select the set of criteria you intend to use (you may also adjust it from here and save it).
- Open and select the desired Threat, Risk Control and Risk criteria, adjusting and saving them if necessary. You have now set the criteria for the assessment and will see them appear during subsequent steps.
Note: if you change criteria later you will need to go back and review every item you previously assessed against the new criteria. In the case of Threat criteria, especially when changing from a 3×3 to a 4×4 or 5×5 matrix (or vice versa), most or all entries will be removed from the Risk Register, because the existing threat ratings and the Threat Tolerance will no longer line up with the new scale. Select and customise your criteria early, and make only minor adjustments (if any) to descriptions and ratings thereafter.
If you’re setting the assessment up for an Assessor to complete:
- Consider populating headings within the Scope, Context and Criteria section. Note that, as it is a free-text field, it can be changed at any time (including by the Assessor).
- Consider also defining the Assets, Threat Actors and Acts, and Control categories and Controls that you wish to see included in the assessment.
- The final step is completing the Risk Register. Depending upon the Threat Tolerance chosen during criteria setup (which you can change at any time), you may not see any entries within the Risk Register.
- This may be intended; if not, consider lowering the Threat Tolerance, or otherwise review the ratings given to individual Threat Acts. At the lowest Threat Tolerance setting, a risk will have been created in the Risk Register for every Threat Act.
- You will also see content pre-populated from entries made in the earlier stages; this is deliberate, to assure methodological rigour. Add the controls relevant to each risk from the list (populated from your earlier entries), write the risk description, then set the Current Risk rating.
- Identify treatments that will reduce the Current Risk rating to or below the predefined tolerance level (viewable within the Risk criteria), then reassess the Residual Risk rating.
- The Risk Details button allows you to designate Risk Owners and associated meta-details for each risk. Populating this is optional.
- Complete this for all entries in the Risk Register and the assessment will have been completed.
- View the assessment in Analytics, export it, or create a Viewer user to allow your stakeholders to review it. Better still, debrief them and update it at the same time.
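The following is an added illustrative model of the flow above (threat ratings filtered by Threat Tolerance into a Risk Register, the effect of switching rating scales, and the completion check against Risk Tolerance). It is not SECTARA’s code and does not reproduce its rating formulas; the class and function names, the single-number threat rating, and the sample Threat Acts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of an assessment's criteria and Risk Register.
# Not SECTARA's implementation: names, fields and the one-number
# threat rating are simplifying assumptions for illustration only.


@dataclass
class Criteria:
    scale: int             # rating scale size: 3 (3x3), 4 (4x4) or 5 (5x5)
    threat_tolerance: int  # lowest threat rating that creates a register entry
    risk_tolerance: int    # highest residual risk rating that is accepted


@dataclass
class ThreatAct:
    name: str
    rating: int            # threat rating on the criteria scale (1 = lowest)


@dataclass
class RiskEntry:
    threat_act: str
    controls: list = field(default_factory=list)
    description: str = ""
    current_risk: Optional[int] = None
    treatments: list = field(default_factory=list)
    residual_risk: Optional[int] = None


def build_register(acts, criteria):
    """Return (entries, dropped).

    entries: one RiskEntry per Threat Act rated at or above the Threat
             Tolerance (so the lowest tolerance admits every act).
    dropped: acts whose rating does not fit the current scale, e.g. a rating
             of 5 left over after switching from 5x5 to 3x3 criteria. This is
             the mechanism by which changing criteria late empties the register.
    """
    entries, dropped = [], []
    for act in acts:
        if not 1 <= act.rating <= criteria.scale:
            dropped.append(act.name)
        elif act.rating >= criteria.threat_tolerance:
            entries.append(RiskEntry(threat_act=act.name))
    return entries, dropped


def outstanding(register, criteria):
    """Entries that still block completion, as (threat_act, reason) pairs."""
    problems = []
    for e in register:
        if not e.controls or not e.description or e.current_risk is None:
            problems.append((e.threat_act, "controls, description or current risk missing"))
        elif e.residual_risk is None or e.residual_risk > criteria.risk_tolerance:
            problems.append((e.threat_act, "residual risk above tolerance"))
    return problems


# Constructed sample data (assumed, not from any real assessment).
SAMPLE_ACTS = [
    ThreatAct("Insider data theft", 4),
    ThreatAct("Vandalism", 2),
    ThreatAct("Armed intrusion", 5),
]


def demo():
    """Walk the flow once and return the states a reader would want to inspect."""
    five_by_five = Criteria(scale=5, threat_tolerance=3, risk_tolerance=2)
    entries, dropped = build_register(SAMPLE_ACTS, five_by_five)

    # Treat the first entry fully; leave the second untreated.
    entries[0].controls = ["Access control", "Logging"]
    entries[0].description = "Trusted insider exfiltrates client records"
    entries[0].current_risk = 4
    entries[0].treatments = ["Data loss prevention"]
    entries[0].residual_risk = 2

    # Switching to 3x3 afterwards invalidates the 4 and 5 ratings.
    three_by_three = Criteria(scale=3, threat_tolerance=1, risk_tolerance=1)
    _, dropped_after_switch = build_register(SAMPLE_ACTS, three_by_three)

    return {
        "register": [e.threat_act for e in entries],
        "dropped": dropped,
        "outstanding": outstanding(entries, five_by_five),
        "dropped_after_switch": dropped_after_switch,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows two register entries at a 5×5 threat tolerance of 3, one of them still outstanding because it has no controls or residual rating, and both entries dropped once the scale is cut to 3×3 while their ratings of 4 and 5 remain.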