Online Assessments

Upload questionnaires and send them to your stakeholders for feedback.

  • Episodes: 13
  • Duration: 33m 4s
  • Languages: EN
Episode 5

OA Strategy

Defining your OA Strategy

Introduction

You need to define your OA strategy. This is typically composed of four steps, as shown in the diagram below:

These steps will help you define most of the settings and content you will need to use the OA module; the next chapters describe how each stage contributes to the strategy. The typical outcome of your strategy is a table with the following information:

For example:

Audience | Questionnaire | Evaluation | Tracking | Authentication
All Suppliers | General Supplier Evaluation | Maturity: High/Low/Medium | Third Parties Module | Non-Authenticated
Companies we outsource IT management to | Outsourcing Development Services Security | Maturity: High/Low/Medium | Third Parties Module | Non-Authenticated
All our SaaS suppliers that do not have ISO 27001 certificates | SaaS Supplier | Scoring: 0-10/11-200/201+ | Third Parties Module | Authenticated
All our departments | Privacy Practices inside the Company | Scoring: 0-10/11-200/201+ | Business Unit Module / Risk Module | Non-Authenticated
All our departments | Risk Assessment inside the Company | Scoring: 0-10/11-200/201+ | Business Unit Module / Risk Module | Non-Authenticated
All our departments | Understanding of our Policies | Absolute: Pass/Failed | Business Unit Module / Risk Module | Non-Authenticated

Audience

You need to identify the audiences of your OAs: who is going to provide you with the information. This is important because the kind of questions you can ask depends on who is answering them.

It is not a bad idea to classify these audiences as "Internal" (people inside your organisation) and "External" (people outside the organisation).

Examples:

  • All Suppliers (External)
  • Application teams (Internal)
  • Consulting Suppliers (External)
  • SaaS Providers (External)
  • All departments (Internal)

Questionnaire

The next step is to list the questionnaires you want to use for each audience. The idea is to customise the questions based on who is supposed to answer them: you do not need to ask all your suppliers about SaaS technical security, since some of them do not offer SaaS services to your organisation.

  • Questions can be open (free text) or closed (drop-downs)
  • Closed questions have the following advantages:
    • You can attach scores to the answers, which lets you evaluate the feedback more quickly (at least initially)
    • You can use conditionals (show this question only if they gave a given answer to another one), making questionnaires much shorter, both for you to analyse and for them to respond

Evaluation

Once the questions are defined you need to decide how you will evaluate the feedback. There are many ways, but typically they all fit a "drop-down" style of result:

  • Fail or Pass
  • High Maturity, Medium Maturity, Low Maturity
  • Etc

The screenshot below shows a set of custom fields created on the OA module to record results, both subjective and scored:

The examples above are subjective: a human evaluates the feedback and determines the overall result of the exercise. If you want a more systematic approach you can use scoring as part of your evaluation. In this approach you assign points to every question and answer (the answers are fixed options) and derive a score from the responses.

You can also combine both methods: the score gives an initial indication that is then refined by a subjective analysis. Whichever you choose, you will need to customise your OAs (for example with custom fields) so that the result of your evaluation is recorded.

Scoring

Scoring has long been the standard way to evaluate people or entities: the idea is to arrive at an initial result systematically and quickly. We advise using scoring whenever possible. To score a questionnaire, every question is answered from a fixed set of options, which makes it look a bit like a multiple-choice exam.

For example, a question worth 10 points with two possible answers (Yes and No) scores either 0 or 10 points if you set the "Answer Weight" for Yes to 0 and for No to 1: the question's score is multiplied by the weight of the chosen answer. The screenshot below shows question 4.1, which contributes either 0 or -10 points depending on whether the user answers "Yes" or "No".

We recommend structuring your questionnaire so that desired outcomes (answers) earn points and undesired outcomes reduce the score, or the other way around; what matters is that the direction is consistent across the whole questionnaire.

For example, if you are assessing suppliers, all the undesired answers (they handle sensitive data, they share it with third parties, etc.) earn them points, but if they hold multiple certifications (PCI, ISO, etc.) you deduct points.

As shown in the example below, we typically plan our questionnaires per chapter and define the scoring outcome (the score ranges and what they mean) before we even start setting up questions.

The idea behind this method is that suppliers scoring 0 are fine, while those scoring 10 to 40 range from not great to potentially very bad. Score ranges can drive dynamic statuses, which in turn can trigger automation such as an automated email notification to the supplier.
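The scoring mechanics described in this section and the conditional questions mentioned under Questionnaire, worked through in code. This is an added illustration, not eramba's implementation: the questions, weights, score bands ("Low risk" up to 10, "Medium risk" up to 200, "High risk" above) and the supplier answer sets are all constructed assumptions that mirror the supplier example above. Each shown question contributes its score multiplied by the weight of the chosen answer, hidden (conditional) questions are skipped, negative scores act as deductions, and the total is mapped to a status that automation could key on.

```python
# Added example (not eramba's code): closed-question scoring with answer
# weights, conditional questions and score bands that map to a status.
# Every name, question, weight and band below is a constructed assumption
# chosen to mirror the supplier example in the text.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Question:
    qid: str
    text: str
    score: int                        # points the question is worth; negative = deduction
    weights: dict                     # fixed answer -> weight, e.g. {"Yes": 1, "No": 0}
    show_if: Optional[tuple] = None   # (qid, answer): only shown after that answer


@dataclass
class Chapter:
    name: str
    questions: list


def is_shown(q: Question, answers: dict) -> bool:
    """A conditional question is part of the assessment only when its
    trigger question was answered with the trigger value."""
    if q.show_if is None:
        return True
    dep_qid, dep_answer = q.show_if
    return answers.get(dep_qid) == dep_answer


def score_questionnaire(chapters, answers):
    """Return (total, per-chapter totals). Each shown question contributes
    score * weight[answer]; hidden questions are skipped even if an
    answer was supplied for them."""
    per_chapter = {}
    total = 0
    for ch in chapters:
        ch_total = 0
        for q in ch.questions:
            if not is_shown(q, answers):
                continue
            answer = answers.get(q.qid)
            if answer not in q.weights:   # missing or free-text answer: cannot be scored
                raise ValueError(f"{q.qid}: {answer!r} is not one of {sorted(q.weights)}")
            ch_total += q.score * q.weights[answer]
        per_chapter[ch.name] = ch_total
        total += ch_total
    return total, per_chapter


# Upper bounds of the bands (assumed). A negative total means the supplier
# earned more deductions than points and lands in the lowest band.
BANDS = [(10, "Low risk"), (200, "Medium risk"), (None, "High risk")]


def band_for(total: int) -> str:
    for upper, status in BANDS:
        if upper is None or total <= upper:
            return status
    return BANDS[-1][1]


def evaluate(chapters, answers) -> dict:
    """Score the questionnaire and derive the dynamic status; the status is
    what automation (for example a notification) would key on."""
    total, per_chapter = score_questionnaire(chapters, answers)
    return {"total": total, "per_chapter": per_chapter, "status": band_for(total)}


# Constructed sample questionnaire: undesired answers earn points, certifications deduct.
SAMPLE_CHAPTERS = [
    Chapter("Data handling", [
        Question("1.1", "Do you process our sensitive data?", 10, {"Yes": 1, "No": 0}),
        Question("1.2", "Do you share it with third parties?", 20, {"Yes": 1, "No": 0},
                 show_if=("1.1", "Yes")),
    ]),
    Chapter("Certifications", [
        Question("2.1", "ISO 27001 certified?", -10, {"Yes": 1, "No": 0}),
        Question("2.2", "PCI DSS certified?", -10, {"Yes": 1, "No": 0}),
    ]),
]

# Constructed answer sets for two suppliers.
ANSWERS_A = {"1.1": "Yes", "1.2": "Yes", "2.1": "No", "2.2": "No"}   # 10 + 20 = 30
ANSWERS_B = {"1.1": "No", "1.2": "Yes", "2.1": "Yes", "2.2": "No"}   # 1.2 hidden; -10

if __name__ == "__main__":
    for name, answers in (("Supplier A", ANSWERS_A), ("Supplier B", ANSWERS_B)):
        print(name, evaluate(SAMPLE_CHAPTERS, answers))
```

Supplier B answered question 1.2 even though it was hidden; the scorer ignores that answer because its trigger (1.1 = Yes) was not met, which is the behaviour you want when a respondent edits a form after changing an earlier answer. Open-text questions have no weights and therefore cannot be scored; the `ValueError` makes that explicit instead of silently contributing 0.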

Tracking

Targets are the entities you relate to your OAs, in eramba these can be:

  • Third Parties (typically used for supplier and vendor risk assessments, etc.)
  • Risks and business units (typically used to perform risk identification exercises)
  • Data Flows (typically used to perform privacy risk assessments, etc.)

Every OA you create is linked to the related entity, so you can later list all OAs for any given item. For example, to see all the OAs you have run against a supplier, link those OAs to that Third Party.

Authentication

When you send an OA to an entity, the person (or group of people) receives a link (most likely in an email sent by eramba); clicking it opens the OA portal.

At this stage, there are two options:

  • The person authenticates with a username and password (you will need to create accounts for them in eramba)
  • The person does not need to authenticate, because the link sent to them is unique to their OA (only those who know that link can access the OA)

Non-authenticated OAs are nowadays the norm because they make things easier for both ends in terms of account management. Keep in mind that in this mode the link itself is the credential: anyone who obtains it (a forwarded email, a shared mailbox) can open and answer the OA, so prefer authenticated OAs when the answers are sensitive and do not reuse or publish the links.
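What makes a "unique link" safe enough to stand in for a login, shown as an added example; this is not eramba's code and makes no claim about how eramba builds its links. The base URL, the 30-day validity and the in-memory store are assumptions. The three properties a practitioner should look for are: the token is long and random (256 bits here), the server stores only a hash of it so a copy of the database does not yield working links, and every link expires and can be revoked.

```python
# Added example (not eramba's code): the properties that let a non-authenticated
# OA link act as a credential. The URL path carries a long random token, the
# server keeps only a hash of it, and every link expires or can be revoked.
# The base URL, TTL and in-memory store are assumptions for the illustration.
import hashlib
import secrets
import time
from typing import Optional

TOKEN_BYTES = 32                    # 256 bits of entropy per link
LINK_TTL_SECONDS = 30 * 24 * 3600   # assumed: a link stays valid for 30 days

_links: dict = {}   # sha256(token) -> {"oa_id": ..., "expires": ...}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(oa_id: str, base_url: str = "https://grc.example.com/oa",
               ttl: int = LINK_TTL_SECONDS, now: Optional[float] = None) -> str:
    """Create a link for one OA. Only the token's hash is stored, so reading
    the store does not hand out usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)   # 43 URL-safe characters
    _links[_digest(token)] = {"oa_id": oa_id, "expires": now + ttl}
    return f"{base_url}/{token}"


def resolve_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the OA id behind a token, or None if it is unknown or expired.
    Hashing before the lookup means the lookup's timing tells a guesser
    nothing about a valid token."""
    now = time.time() if now is None else now
    rec = _links.get(_digest(token))
    if rec is None or now > rec["expires"]:
        return None
    return rec["oa_id"]


def revoke_link(token: str) -> bool:
    """Invalidate a link, for example once the OA has been submitted or when
    the email carrying it reached the wrong party."""
    return _links.pop(_digest(token), None) is not None


if __name__ == "__main__":
    url = issue_link("oa-42")
    print(url)
    print(resolve_link(url.rsplit("/", 1)[1]))
```

Because the link is the only secret, it must travel over HTTPS and should never appear in places that are logged or shared more widely than the intended respondent; the revoke function is what you would call if it does.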