Today we’ll be showing you through our Assessments module. Our Assessments Module is best suited for security consultancies, offering frameworkbased governance, risk and compliance assessments, as well as technical testers using Scoping questionnaires. Some of our most commonly used assessment frameworks include CMMC, NIST, Sys, ISO, FFIC and NYDFS. Let’s move into the Assessments module. Here you will see two tabs in progress, Completed and Manage Questionnaires. The questionnaire is one half of the assessment process. It is a framework based list of reusable questions that can be used to begin an assessment.
You can import questionnaires using a JSON format here, as well as create a new questionnaire from scratch by clicking this button, giving it a title, and choosing the Reference framework which will build the bare bones of a questionnaire that allows you to add questions and edit those details. These questionnaires allow you to pre populate commonly seen deficiencies recommendations and authoritative references into your framework based risk assessments. Once you have your questionnaire in the system, you will begin and execute an assessment. You can do this here on the Manage Questionnaires tab by choosing the assessment questionnaire you would like to use and clicking Begin Assessment in line with that questionnaire, then choosing the Client or project. Or you can click on the In Progress Completed tab and start a new assessment at the top. This allows you to choose the client and the questionnaire you would like to use to begin all of the data from that questionnaire that you had uploaded pre populated into the assessment. So while you are doing the assessment, there’s no need to copy and paste the questions or any of the other assessment information, and it allows you to complete this easier and quicker.
If you have a question that someone needs to answer and they aren’t sitting next to you, you can actually copy the URL at the top of the browser and email that to them. As long as they have an account within your PlexTrac instance, they’ll be able to view that question and give you the answers that you need. This assessment module also tells you the progress of your questionnaire. Currently we are at 1% with this questionnaire and this little bar as we complete more questions will continue to fill until we get a fully completed questionnaire. We can also search our questions by keyword and filter them by status. Over to the left of each question. Running down this left hand modal, you will notice a circle.
This circle means that this question is not completed and is also required if you have questions about what the different icons mean on this left hand side next to the question. This key up here next to the question Navigator, gives you what they all mean. You can see incomplete and required Once we move to completed, you’ll see a check mark. As you complete each question, you have the option to answer the different parts of the assessment question. Enter in Observations, anything else that is related to that question. Enter In Notes and also add attachments such as policy documents, screenshots, code samples, and videos. When you click the Add Attachments button, it will bring up a modal where you can drag and drop, paste or browse your computer files to add them to this question.
If you hover over the question mark, you will see the different supported file types for this upload box. Once you have added everything you need, you can mark the question as complete and move on to the next question, either by clicking on the question here, entering the question number here, or if you know you need to move to the 7th category, you can just enter the seven up here and it filters your results by that number. So I now know I need to get into the Resources section. All of these features within the Navigator allow you to perform your assessment directly in your reporting platform in PlexTrac, in an easy to navigate environment built for your workflow, you can collect evidence directly and securely in the platform, and this eliminates the need to email sensitive documentation as you’re completing assessments. Once your assessments complete, you can add a reviewer by clicking on the Ad Reviewers link, and then you can click in that box and either narrow down your list or choose from the Dropdown. Once you add a reviewer, you’re putting this assessment into Draft format. This assessment cannot be completed or submitted while it’s with a reviewer.
This allows you to present your findings effectively and efficiently, eliminate the hassle and concern of emailing sensitive documentation, and it provides your clients access to a web based portal to consume the results. Now you’ll see the status has been changed to In Review. I put myself as the reviewer, so if I click on In Review, I can see that my name is listed here. Pending approval, we can add additional names as needed, and if I have completed my review and I say it’s good to go, I click on Approve and Save. And if I’m the only reviewer now, I can submit the assessment, or I can continue to work through the assessment questions. When you finish your assessment and you go through to submit it, Flex Check will automatically create a report from that assessment and bring you directly to the Readout view. This report, since it’s published and all of the findings within it are published, any of your stakeholders or analyst users are able to immediately view this information within PlexTrac, which is great for getting the information out as quickly as needed.
You can see here we have this Readout view. We can see what things are in process and what’s open on the findings, which are all of the ones that we just answered those questions. We can see the different levels of severity, and over here we can see each of those questions as they were listed on the assessment. If you click into a question, you can actually see the description from the questions in the assessment, and then you can also see the score we gave them and the box we click next to it and then any notes that we did, as well as the Nest documentation for that question since that was built into the assessment. If any edits need to be made to this report, you can do that within the details, such as all of these automatically give you the Cyber Pasture Review assessment name as the report name. So if you wanted to adjust that, you can. You can also export this as a Word document based on your Ginger template.
It will export a beautiful document for your stakeholders. The other way your stakeholders can access this information is if you use PlexTrac as an electronic delivery system. I’ve signed in here as one of my analyst users. She’s a stakeholder for this client and she can both go into reports and see the report that I just published and see all of the same information that I had in mind, and as well as she can go into analytics and see any analytics from her findings that she has access to. So if I wanted to add in all of the different findings severities, because I had that narrowed down, she can then view all of those findings and click on each one. It brings her that same information. Stakeholders really enjoy the analytics section because they can view exactly what they need to see.
So maybe this user only needs to see findings with the severity level of critical and there are none. So they know that they can just walk away from this part of their day because everything has been taken care of. Or maybe they only need to see critical findings that are open. Again, there’s no findings at that level for this specific person, but that helps them narrow it down and figure out what they need to work on and move on with their day.