Setting up and Completing an Assessment
It is highly recommended that you invest time in viewing the seven assessment-related tutorial videos, which are accessible by clicking the orange icon at the bottom right of screen once logged in. These take you through each of the logical stages of setting up, completing and exporting your assessments.
A basic summary of the steps is given below:
Account, Organisation and Business Unit Administrators are the only users who can set up new assessments. They can then either complete the assessments themselves or allocate an Assessor to do so (by finding the user’s record in SECTARA and adding an Assessor role). The significant benefits of setting up assessments for an Assessor to complete are that Administrators can:
- Control which criteria are used for each assessment.
- Define Threat and Risk Tolerance settings.
- Pre-populate assessments with External, Internal and Security Risk Context headings that they wish Assessors to focus on.
- Define specific assets, Threat Actors and Acts, Control categories and Controls that they wish to be included within each assessment.
- Create enormous productivity gains for assessors in doing so – they only have to focus on pure risk assessment efforts, not the peripherals.
- From the Landing Page, or from within an Organisation or Business Unit, create a new assessment, give it a name and save it.
- Once the assessment has been created, open it.
- At top right, under the “View Analytics” button, is a button marked with a “+” – click this to open the criteria section for the assessment. This will reveal the assessment criteria (Asset Criticality, Threat, Risk Control Ratings and Risk Matrices); it is suggested that you click on the Asset Criticality criteria first and select the set of criteria that you intend to use (you may also adjust it from here and save it).
- Open and select the desired Threat, Risk Control and Risk criteria, adjusting and saving them if necessary once you do. You have now set the criteria for the assessment and will see it appear during subsequent steps.
Important note: if you change criteria later you will need to go back and review all items that you previously assessed against the new criteria. In the case of Threat criteria, especially when changing from a 3×3 to a 4×4 or 5×5 matrix (or vice versa), this will often cause most or all entries to be deleted from the Risk Register, because the threat tolerance and the existing ratings will no longer line up in a logical manner. Select and customise your criteria early, and thereafter make only minor adjustments (if any) to descriptions and ratings, from within the assessment.
If you’re setting the assessment up for an Assessor to complete:
- Consider populating headings within the Scope, Context and Criteria section. Note that, as a free-text field, it can be changed at any time (including by the Assessor).
- Consider also defining Assets, Threat Actors and Acts, and Control categories and controls that you wish to see included in the assessment.
- The final step involves completing the Risk Register. Depending upon the Threat Tolerance chosen during the criteria setup process, which you can change at any time, you may not see any entries within the Risk Register.
- This may be intended, but if not consider reducing the level at which you have set the Threat Tolerance criteria, or otherwise review ratings given to individual Threat Acts. If you set the Threat Tolerance Rating to its lowest setting you will see that risks will have been created for all Threat Acts, within the Risk Register.
- You will also see hard-coded, pre-populated content based on entries made within the earlier stages – this is deliberate, to assure methodological rigour. Add risk descriptions and the controls relevant to each risk from the list (based on your earlier entries), then set the Current Risk rating.
- Identify treatments that will reduce the Current Risk rating down to or below the predefined tolerance level (which can be viewed within the Risk criteria), then reassess the Residual Risk rating. If the Current Risk is already tolerable, you may consider inserting a treatment such as “Risk is tolerable – monitor and review”, for completeness and for the benefit of other readers.
- The Risk Details button allows you to designate Risk Owners and associated meta-details for each risk. Populating this is optional, but Risk Owner details are included within Treatment Plans when they are exported from the system.
- Complete this for all entries in the Risk Register and the assessment will have been completed.
- View it in Analytics, export it or a treatment plan, or create a Viewer user to allow your stakeholders to review it – better still debrief them and update it at the same time!
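The Threat Tolerance gate and the matrix-size caveat above can be seen in a small model. This is added illustrative code, not SECTARA’s implementation; the field names, the “rating meets or exceeds tolerance” rule and the sample Threat Acts are assumptions constructed for the example.

```python
# Illustrative model of the Threat Tolerance gate described in the guide.
# Added example, not SECTARA's code; the "rating >= tolerance" rule and the
# field names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatCriteria:
    size: int        # matrix size: 3 for 3x3, 4 for 4x4, 5 for 5x5
    tolerance: int   # lowest threat rating carried into the Risk Register


@dataclass(frozen=True)
class ThreatAct:
    name: str
    rating: int      # threat rating the Assessor gave this act
    scale: int       # matrix size the rating was given against


def build_risk_register(acts, criteria):
    """Return the names of Threat Acts that become Risk Register entries.

    An act is carried across only if its rating was given on the current
    matrix size and meets the tolerance. Ratings from a different matrix
    size are dropped, mirroring the guide's warning that switching from
    3x3 to 5x5 (or back) empties the register until acts are re-rated.
    """
    return [
        act.name
        for act in acts
        if act.scale == criteria.size and act.rating >= criteria.tolerance
    ]


def residual_within_tolerance(current_risk, residual_risk, risk_tolerance):
    """True when treatments bring the risk to or below the tolerance level
    (and never above the untreated Current Risk rating)."""
    return residual_risk <= current_risk and residual_risk <= risk_tolerance


# Constructed sample: three Threat Acts rated on a 3x3 matrix.
SAMPLE_ACTS = [
    ThreatAct("Unauthorised access", rating=3, scale=3),
    ThreatAct("Theft of equipment", rating=2, scale=3),
    ThreatAct("Vandalism", rating=1, scale=3),
]

if __name__ == "__main__":
    print(build_risk_register(SAMPLE_ACTS, ThreatCriteria(3, 2)))  # two acts
    print(build_risk_register(SAMPLE_ACTS, ThreatCriteria(3, 1)))  # all acts
    print(build_risk_register(SAMPLE_ACTS, ThreatCriteria(5, 2)))  # empty
```

Lowering the tolerance to its minimum admits every act, and changing the matrix size with the old ratings in place yields an empty register, which is exactly why the guide advises fixing criteria early.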
Once again, it is highly recommended that you view the seven assessment-related tutorial videos, which are accessible by clicking the orange icon at the bottom right of the screen once logged in. They present an empty assessment and compare it to one that has been completed.