We are beginning a facelift for the Online Assessment module:
Phase One Changes (completed)
New UI for the Portal
The portal needs a new look and feel; it has already been designed and will look more or less along the following lines.
NOTE: the portal does not yet show the score (Current vs Max) for the case where scoring is enabled.
Questionnaires must support Multiple Choice as answers
Questionnaires must now support multiple choice answers, so the “Predefined” answers option must have an alternative, “PredefinedMultipleChoice”, which lets the user select more than one answer.
This option should disable the possibility of having:
- Scoring (column K, L)
- Warnings (column J)
- Conditional Answers being Displayed (columns M, N)
On the index this type of answer will be displayed as a typical cell with multiple objects:
And the filter should let people choose one or more items.
Questionnaires must support Dates as answers
Questionnaires must have an option to add “Date”; the date provided by the recipient of the OA can be any time (present, past or future). When Date is selected as a possible answer, the following columns are not applicable: I, J, K, L.
In the old implementation, users had the option to provide both answer types — open and select. Now, we are introducing two new answer types: multiselect and date. Will it still be possible to combine different types of answers (e.g., multiselect and open answer)? How would this be defined in the CSV — multiselect|open|date?
>> good question, today we have the following options (column G): PredefinedAnswers, OpenAnswer, Both.
>> the new option is “PredefinedMultipleChoice”; it makes sense to give users the option to use this in combination with open answers, so we need PredefinedMultipleChoiceAndOpen to allow both options.
>> to be consistent, we need to change “Both” to “PredefinedAnswersAndOpen”
>> date for the time being will be left alone, without the option to combine them with open answers.
Will we sum the answers from a multiselect, or will this not be possible with multiselect?
>> it is very complicated; we leave it as explained in section 2a of this post.
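A small validator for the column G rules laid out above (the new answer types, “Both” renamed to PredefinedAnswersAndOpen, and the columns that become not applicable). This is an added example, not eramba's importer: the header row, the constructed sample rows and using column G to carry “Date” are assumptions.

```python
# Validator for the questionnaire CSV rules from this post (added example, not eramba code).
# Column letters G and I-N follow the post; the header row and sample layout are assumptions.
import csv
import io

# Column G answer types: the three existing ones ("Both" renamed), two new ones, and Date.
ANSWER_TYPES = {
    "PredefinedAnswers", "OpenAnswer", "PredefinedAnswersAndOpen",
    "PredefinedMultipleChoice", "PredefinedMultipleChoiceAndOpen", "Date",
}
# Columns that must stay empty per answer type: multiple choice drops scoring (K, L),
# warnings (J) and conditionals (M, N); Date drops I, J, K, L.
NOT_APPLICABLE = {
    "PredefinedMultipleChoice": "JKLMN",
    "PredefinedMultipleChoiceAndOpen": "JKLMN",
    "Date": "IJKL",
}

def col(letter):
    """0-based index of a spreadsheet column letter (A=0 ... N=13)."""
    return ord(letter.upper()) - ord("A")

def validate_row(row, line_no):
    """Return the problems found in one data row (a list of cell strings)."""
    def cell(letter):
        return row[col(letter)].strip() if len(row) > col(letter) else ""
    answer_type = cell("G")
    if answer_type == "Both":
        return [f"line {line_no}: 'Both' was renamed to PredefinedAnswersAndOpen"]
    if answer_type not in ANSWER_TYPES:
        return [f"line {line_no}: unknown answer type {answer_type!r} in column G"]
    return [f"line {line_no}: column {c} is not applicable for {answer_type}"
            for c in NOT_APPLICABLE.get(answer_type, "") if cell(c)]

def validate_csv(text):
    """Validate every data row; the first row is assumed to be a header."""
    rows = list(csv.reader(io.StringIO(text)))
    return [p for n, row in enumerate(rows[1:], start=2) for p in validate_row(row, n)]

# Constructed sample with 14 columns A..N (only G and I..N matter here).
SAMPLE = "\n".join([
    ",".join("ABCDEFGHIJKLMN"),
    "q1,,,,,,PredefinedAnswers,,,,10,100,,",         # scoring allowed
    "q2,,,,,,PredefinedMultipleChoice,,,,10,100,,",  # scoring not applicable
    "q3,,,,,,Date,,,warn,,,,",                       # warning not applicable
    "q4,,,,,,Both,,,,,,,",                           # old name for the combined option
])
```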
CSV import language is really bad
The CSV import file is a disaster; the language is terrible and it needs to be rewritten completely.
Manage Questionnaires from Web UI not just CSV
We lack a way to edit questionnaires using the UI. This requires a proper UI implementation so that whatever can be done in CSVs can also be done on the web interface, in particular the conditionals (if the answer is this, then show or hide that question).
What if we implement it in the same way as compliance analysis? That is, you upload a questionnaire, and in the questions index, views are automatically created with questionnaires (similar to compliance packages and compliance analysis). Would it also be possible to filter and sort in the question index (currently this is not possible)?
As discussed, we need to simplify the UX as much as possible because one must assume the user might upload an outrageous number of questions. This suggestion works well; every row must of course be editable and the form we load must be “very friendly” in order to support the logic of field types, etc.
Phase Two Updates
Third Party / OA Access
Today we allow OA submissions using two different mechanisms; both require one or more eramba user accounts:
- Magic Link (no timeout; works or not depending on whether the OA is started or stopped)
- Eramba Authentication (Settings/Authentication/*)
In both scenarios we require a user account, mostly because of notifications: the account holds the email we need to reach. We need to simplify the creation of accounts for the OA portal so that anyone with the right permissions can manage them (CRUD). This is crucial for this to work.
Related post: Feature - Access Management Updates
Third Party Validation Portal
We need to let the administrator (optionally) validate the third party details using a public portal. The key features for this portal are:
General Concept:
- A public portal is used for the Third Party to validate its details (we leverage the OA portal)
- The portal loads fields from the Third Party form (user defines which ones) and when saved, the Third Party item gets updated
- Access to the portal is via a magic link that has a timeout (a setting) and can be revoked at any time
Process:
- Optional - adjust (create, edit, re-arrange, etc) fields on the Third Party module using custom fields
- Create a Third Party, define one or more “Third Party Contacts” with eramba accounts that include the email
- Enable the OA portal, define the following settings under Third Party / settings:
- enable the portal for third parties (disabled by default); note: the OA portal can be enabled, but that does not mean it will work for third parties
- if enabled, the magic link timeout in days; this counter starts from the moment the link is created and sent
- we need pre-defined warning notifications: send magic link, supplier submission of portal, revoked magic link, expired magic link
- Third Party items will have the magic link button enabled if the OA portal is enabled for third parties; initially there is one option:
- Send Link (Email Triggers, Activity Log Entry too)
- The admin clicks on the button “Send Link” and emails go out; we log this on the Activity Log. The button now offers two actions:
- Re-Send Link (Email Triggers, Activity Log Entry too)
- Revoke Access (Email Triggers, Activity Log Entry too)
- At this stage if the admin tries editing the Third Party:
- ONLY the following fields are editable: GRC Contact, Third Party Contact, Type, Potential Liabilities, Business Units, Processes
- all others (including custom fields) are not editable, as they are supposed to be completed by the supplier. Note: in the future which fields are shown on the portal could be a setting as well.
- The supplier goes to the portal using the link provided
- The portal displays the form as it is defined by the administrator (Check developer options)
- Supplier submits (Email Sent + Activity Log)
Status (they all must trigger a record on the activity log):
- New Item (this is actually when the item is created by admin)
- Invite Sent (the admin clicks on send token; this only happens if the settings are defined)
- Revoked (admin triggered)
- Submitted (supplier responded)
- Expired (automatically based on settings)
Status and fields:
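The link lifecycle and statuses above, modelled as an added example (this is not eramba's code): the class and method names, storing only a hash of the token, treating a link as single-use, and refusing a re-send after submission are assumptions; the statuses, button actions, timeout-in-days setting and activity-log entries follow the lists above. Timestamps are plain Unix seconds.

```python
# Magic-link lifecycle for the Third Party validation portal sketched above (added example,
# not eramba code): names are assumptions; statuses, actions and log entries follow the post.
import hashlib
import hmac
import secrets

class ThirdPartyLink:
    def __init__(self, timeout_days):
        self.timeout_days = timeout_days   # setting: counter starts when the link is sent
        self.status = "New Item"           # set when the admin creates the item
        self.token_hash = None             # only a hash is stored; the raw token goes in the email
        self.sent_at = None                # Unix seconds
        self.log = ["New Item"]            # every status change is an activity-log entry

    def send_link(self, now):
        """Send Link / Re-Send Link: mints a fresh token and restarts the timeout."""
        if self.status == "Submitted":
            raise ValueError("supplier already submitted")   # assumption: no re-send after submit
        raw = secrets.token_urlsafe(32)
        self.token_hash = hashlib.sha256(raw.encode()).hexdigest()
        self.sent_at = now
        self.log.append("Re-Send Link" if self.status == "Invite Sent" else "Send Link")
        self.status = "Invite Sent"
        return raw                          # emailed to the Third Party Contacts

    def revoke(self):
        """Revoke Access: the old link stops working immediately."""
        self.token_hash = None
        self.status = "Revoked"
        self.log.append("Revoke Access")

    def expire_if_due(self, now):
        """Expired: automatic, once timeout_days have passed since the link was sent."""
        if self.status == "Invite Sent" and now - self.sent_at > self.timeout_days * 86400:
            self.status = "Expired"
            self.log.append("Expired")

    def submit(self, raw_token, now):
        """Supplier submits through the portal; True only for a live, matching token."""
        self.expire_if_due(now)
        if self.status != "Invite Sent":
            return False
        presented = hashlib.sha256(raw_token.encode()).hexdigest()
        if not hmac.compare_digest(presented, self.token_hash):
            return False
        self.status = "Submitted"
        self.token_hash = None              # single use
        self.log.append("Submitted")
        return True
```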
Phase Three Updates (not defined)
Third Party Risk Matrix
General Concept:
- Administrators can risk-assess a third party they created in eramba
- The risk assessment follows the settings defined in Risks Mgt / Third Party Risks
- If these have not been defined, the feature cannot be used
- While this classification can be done at any time, we need to track each time it was done so we can show an over-time line report
- There should be a review concept
User Story:
- The user goes to Risk/Third Party Risk/Settings/ and configures: Classification (isn't this inherited from other risk modules?), Calculation and Threshold
- Note:
- New installs no longer show the Magerit calculation in the asset module (less than 1 in 100 customers use it)
- New installs no longer show the European calculation in the asset module (less than 5 in 100 customers use it)
- New installs no longer show the option “Numeric” under Risk Residual in any of the three Risk modules. Note: you can have a Risk Matrix defined and use Numeric.
- The user goes to Org/Third Party/Settings/Risk Calculations
- On/Off (Default: Off). If there are no Risk Classifications, Calculations and Thresholds defined, ON does not work and shows a message (TBD)
- If On:
- Risk Classification is Mandatory|Optional (Default: Optional)
- Risk Reviews: No|Yes → THIS IS NOT YET NEEDED UNTIL WE COMPLETE REVIEWS
- Yes: define a fixed or custom frequency
- If Off: Nothing
- If Risk Classifications are ON:
- When the Third Party is edited, we have a new tab “Risk Classification” and the user must pick the risk classification. We also show the calculation.
- Filters must reflect these Risk settings as we have on the Risk module
- We will need to update reports
Third Party Risk Reviews (TBD)
In a world where reviews work as a timer that triggers events, the following options come to mind:
- the third party is moved to “draft” (this is only possible if workflows are enabled)
- the third party risk classification is set to unknown, this instead triggers a dynamic status
- the review triggers a dynamic status “risk expired” and that triggers a notification
Third Party Assessments (OA)
If Risk Classifications are ON, when a “Review” is completed on the OA module we need to show the Risk Classification UX on top of the notes (the same as shown on the Third Party module), and the user must or must not complete it, depending on the setting on the Third Party module.
Pull Supplier Incidents from Public DBs - Automation
The idea is to create an automation script that pulls known incidents affecting public companies into eramba automatically on a recurring schedule. The main sources, free and paid, are the following; we found them through a Google search and don't know any of them:
Paid:
- Bitsight
- UpGuard
- securityscorecard
- Panorays
- SOCRadar
Free:
- Dark web data collection
- NVD
- OSV
Create Risk out of Feedback - Automation
TBD