A day or so ago someone in the community asked me about how VAs worked; they went through the documentation and were able to sort it out (well, so far). Then I got this question:
“How do people use eramba to do an Enterprise Risk Assessment/ Questionnaire (see the attached basic sample from online)? I’m sure I can create risks for each of these, but that means someone is going in there 1-by-1 to answer them. That is tedious.”
In all fairness, we got this question several times. If I understand, the output of the VA (the responses based on the questions) should or could become risk items on the risk module. If that understanding of mine is right, eramba does not have this.
Can someone describe what you would like to have here? Is it that for every question on the VA, depending on the response, you get a risk automatically created? Or a finding (VA has findings) automatically created?
If yes - risks have many mandatory fields (controls, classification of risk, assets input, third parties, etc.)… we would still need to know the answer to those fields to automatically create them.
Perhaps the approach is not to have them “automatically” created, but manually: the user clicks on the VA question and a risk window opens, as completed as possible?
When I built eramba I used it to record the output of my risk assessment, not to guide me through the analysis and the recording of these risks. My analysis was (and still is) done with interviews, many notes, etc., and I only needed a place to record that output.
Do I understand that the need points at linking the analysis of VAs to the recording of risks?