Setting up and Completing an Assessment
It is highly recommended that you invest time in viewing the assessment-related tutorial videos, which are accessible by clicking the orange icon at the bottom right of the screen once logged in. These take you through each of the logical stages of setting up, completing and exporting your assessments. A basic summary of the steps is given below.
Administrators are the only users who can set up new assessments. They can then complete the assessments themselves, or allocate a user as an Assessor to do so (by finding the user’s record in SECTARA and adding an Assessor role). The significant benefits of setting up assessments for an Assessor to complete are that Administrators can:
- Control which criteria are used for each assessment.
- Define Threat and Risk Tolerance settings.
- Pre-populate assessments with External, Internal and Security Risk Context headings that they wish Assessors to focus on.
- Define specific assets, Threat Actors and Acts, Hazards and Events, Control categories and Controls that they wish to be included within each assessment.
- Create enormous productivity gains for Assessors in doing so – they only have to focus on populating risk assessment details, not the peripherals.
The basic steps are:
- From the Landing Page, or from within an Organisation or Business Unit, create a new assessment, give it a name and save it.
- Once the assessment has been created, open it.
- The default criteria (Asset Criticality, Threat, Hazard, Risk Control Effectiveness and Risk) are applied to all new assessments, and when opening the assessment users will see a warning message to that effect (unless they have previously opted to permanently dismiss this message). Click “Change Criteria” at top right to display the assessment criteria, where they can be changed if desired.
Strong Note: in most cases, if you change or adjust criteria after populating and rating entries, you will need to go back and review all items that you previously assessed against the new criteria. In the case of Threat criteria, especially when changing from a 3×3 to a 4×4 or 5×5 scale (or vice versa), this will often cause most or all entries to be deleted from the Risk Register. We strongly recommend selecting and customising your criteria early and, if you must change them thereafter, making only minor adjustments to descriptions and ratings. The general rule is that structural changes to criteria will cause a loss of data.
If you’re setting the assessment up for an Assessor to complete:
- Consider populating headings within the Scope, Context & Criteria section. Note that, as a free-text field, it can be changed at any time (including by the Assessor); also note the comments at the top of the field about auto-saving content.
- Consider also defining Assets, Threat Actors and Acts, Hazards and Events, and Control categories and controls.
- The final step involves completing the Risk Register. Depending upon the Threat/Hazard Tolerance chosen during the criteria setup process (which you can change at any time), you may not see any entries within the Risk Register.
- This may be intended, but if not, consider lowering the level at which you have set the Threat/Hazard Tolerance criteria, or otherwise review the ratings given to individual Threat Acts and Hazard Events. If you set the Tolerance Ratings to their lowest settings, risks will be created within the Risk Register for all Threat Acts and Hazard Events.
- You will also see hard-coded, pre-populated content based on entries made within the earlier stages – this is deliberate to assure methodological rigour. Add risk descriptions, controls relevant to each risk from the list (based on your earlier entries), then set the Current Risk rating.
- Identify treatments that will reduce the Current Risk rating down to or below the predefined tolerance level (which can be viewed within the Risk criteria), then reassess the Residual Risk rating. If the Current Risk is already tolerable, you may consider inserting a treatment such as “Risk is tolerable – monitor and review”, for completeness and for other readers’ benefit.
- The Risk Details button allows you to designate Risk Owners and associated meta-details for each risk. Populating this is optional, but Risk Owner details are included within Treatment Plans when they are exported from the system.
- Complete this for all entries in the Risk Register to complete the assessment.
- You may then view it in Analytics, export it or a Treatment Plan, or create a Viewer user to allow your stakeholders to review it – better still, debrief them and update it at the same time!