Online Assessment

Upload questionnaires and send them to your stakeholders for feedback

  • Documentation
  • Duration: 19m 27s
  • Languages: EN

Course Introduction

This course is a mix of theoretical concepts, implementation, and operational instructions designed to help you understand how the Online Assessments module is established and managed within eramba.

The course follows a logical progression through three main pillars:

  • Theoretical Concepts: The underlying logic and assessment methodology.

  • Implementation Steps: The technical configuration of the module.

  • Operational Instructions: The day-to-day use of the module once it is implemented (recurrent OAs, reporting, automation).

To successfully navigate this course, you will need to reference two additional types of documentation:

  • Common Features: These are universal functionalities found across almost every eramba module. Examples include Notifications, Reports, Custom Fields, and the API.

  • Related Modules: These are supporting modules that an OA can be linked to so its results are reflected on those records. Depending on your use case you will interact with Organization / Third Parties, Asset Management (Assets and Data Flows), and Risk Management.

LLMs

Statistically, most people don't "read" documentation, and certainly don't fully "understand" it. If you plan to take this course without doing so, be assured you will run into trouble.

You can use LLMs to clarify doubts from what you "read" to make sure you "understand", you simply need to copy the URL and paste it into your preferred LLM (OpenAI, Gemini, etc.) together with the prompt below:

I’m trying to understand how Online Assessments works and how it’s implemented in Eramba. This is their documentation. If you’re able to review it, can you answer any quick questions I may have? This is the URL: (paste url here)

If you are somewhat diligent and careful with your questions, you will get a lot of support from your LLM.

You can then ask questions much as you would ask them on a demo call:

Typical Scenarios

This chapter shows practical ways to use online assessments for:

  • Third-party (supplier) assessments

  • Risk assessments in your organization

  • Gap assessments if you are a consulting company

Supported Versions

Online Assessments runs on both on-premises and cloud deployments and is available in the Enterprise Edition only.

Theory

Module Relationships

The Online Assessment (OA) module can operate independently without any other module, unless you are using it for one of the following purposes, in which case you will rely on one or more "Supporting Modules":

  • Supplier Assessments: Requires association with the Organization / Third Party module.

  • Application/Asset Assessments: Requires association with the Asset Management / Asset module.

  • Risk Assessments: Requires association with the Risk Management module.

  • Data Privacy Assessments: Requires association with the Asset Management / Data Flow module.

Within the OA module, you have multiple sub-modules that are required for the OA module to operate.

  • Questionnaires: Where you maintain the library of questionnaires used in your OAs. Each questionnaire is composed of one or more questions.

  • Feedback: Contains the answers provided in your OAs.

  • Findings: Used to record specific answers that do not meet requirements or require further follow-up.

  • Audit Trails: Records all activity within the OA module for tracking and compliance.

Templates

We are developing an integrated list of templates for Online Assessments. These will primarily focus on standardized questionnaires, including Risk Assessments, SaaS Vendor Assessments, and Financial Assessments.

Please review our Product Roadmap for details and updates.

Online Assessments

Every time you want to send a questionnaire to someone (inside or outside your organization), you will need to create an Online Assessment (OA) under the Security Operations / Online Assessments module.

OAs can be created one by one (using a form) or several at once using CSV import files (see the CSV Imports common functionality documentation). The main attributes when creating an OA are:

  • The GRC Assessor and Recipient define who will send the questionnaire (and review the answers) and who will be on the receiving side. These can be single or multiple accounts or groups created in Eramba; anyone assigned will receive a notification and be granted access to work on the OA.

  • The recipient must access the OA Portal (explained later in this document) using either a magic link (a unique link without authentication that grants access to their assigned OAs only) or standard authentication (built into Eramba). Most users choose the unique link, as it is much more practical. Keep in mind that with a magic link the URL itself is the credential: anyone who obtains it can open that OA, so distribute it as you would a password and prefer authenticated access for sensitive questionnaires.

  • The questionnaire is essential; it is the primary reason for creating an OA. You can select the one you want to use from the library of questionnaires (explained later in this document). Once the OA is saved, this cannot be changed, even if you edit the OA.

  • You can include an option on the portal for the recipient to download a PDF report, which you can generate using the common Reporting functionality. These reports are customizable and can contain any information you define. You can also decide whether the recipient is permitted to submit the assessment without answering all the questions.

  • You must define the start and end dates for your OA; on these dates, the OA will automatically start and stop. You can override this at any time by selecting the OA from the list and clicking Start or Stop. Eramba can also send various notifications based on these dates.

  • You can also configure recurrence settings, which will "clone" the OA at the specific times you define and launch it again to repeat the process. You can choose whether to pre-load previous answers to make the process easier for the recipient.

Once you create an OA, selecting it will reveal a menu bar with multiple options. From there, you can start or stop the assessment, generate a unique URL for accessing the portal, and more.

Questionnaires

Under the Questionnaires tab, you maintain the questionnaires used by your OAs, typically imported into Eramba from CSV files. These can be configured in a multitude of ways, allowing for highly flexible questionnaires.

Questionnaires are most often created using spreadsheets, where every row represents a question. While this can also be done using the web interface, it is a much longer process. The CSV you use follows the same principles as any other CSV import in Eramba (see the CSV Common Feature documentation), so it is best to follow those specific instructions.

The questionnaire can include:

  • Questions are grouped into chapters; both questions and chapters must have an ID, title, and description.

  • Questions can be answered in several ways: Dates (where the recipient must select a specific date), Dropdowns, Multiple Dropdowns, Open Text, or a combination of both Dropdown and Open Text.

  • If you choose Dropdowns (single or multiple), you have several additional options: Scoring (where you can set a value for the question and a multiplier for each possible answer), Conditional Questions (where specific answers trigger additional questions that are otherwise hidden), and Warning Messages that appear depending on the selected option.

Assuming you will be using OAs for Supplier Assessments, it is typically a good idea to group your targets by their characteristics and only then define the questions you need them to answer. The fewer questions you ask, the fewer questions you need to review—a win-win situation. Typically, this grouping is structured as follows:

  • SaaS Vendors (product-related questions)

  • Consulting Vendors (no product-related questions)

  • Compliance-Specific Questionnaires (SOC, SOX, etc.)

It is also very important that you make full use of the questionnaire's potential, in particular dropdowns and scoring. A typical setup includes a "Yes/No" question for a category that only shows the rest of the category's questions if applicable. For example: "Do you handle PII data?", where the remaining questions are only shown if the answer is Yes.

Any LLM (OpenAI, Gemini, etc.) can create a questionnaire for you: simply upload an empty CSV template and prompt something like: "Create a 10-question questionnaire that I can import into the eramba Online Assessment module. Please use the attached CSV template and follow the included instructions. The assessment will be used to evaluate SaaS vendors; ensure you include key security and compliance questions and utilize dropdown menus where possible"

Dropdowns allow you to set scoring; typically, this is used to "Add" or "Deduct" points depending on the expected answer. Scoring all your questions as +1 for a good answer and -1 for a bad answer will typically provide a clear indication of which overall scores are very bad or very good.
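The scoring and conditional-question rules described above are easy to get wrong in a spreadsheet, and you only find out after recipients have answered. The following is an added example (not eramba code) that lints a questionnaire spreadsheet before import and then scores a set of answers the way the text describes: each dropdown question has a value, each option a multiplier, conditional questions are only counted when their trigger answer was selected, and warning options are reported. The column names (chapter_id, question_id, options, show_if, warn_if) and the sample rows are assumptions constructed for this example; eramba's real CSV template defines its own columns.

```python
import csv
import io

# Constructed sample spreadsheet, NOT eramba's real template. Column names are
# assumptions made for this example. Options are "label:multiplier" pairs,
# show_if is "parent_question=answer", warn_if is the answer label that should
# raise a warning on the portal. Q1 is a gating question (value 0).
QUESTIONNAIRE_CSV = """\
chapter_id,chapter_title,question_id,question_title,type,value,options,show_if,warn_if
C1,Data Handling,Q1,Do you handle PII data?,dropdown,0,Yes:0|No:0,,
C1,Data Handling,Q2,Is PII encrypted at rest?,dropdown,2,Yes:1|No:-1,Q1=Yes,No
C1,Data Handling,Q3,Do you have a data retention policy?,dropdown,1,Yes:1|No:-1,Q1=Yes,No
C2,Compliance,Q4,Which certifications do you hold?,text,0,,,
C2,Compliance,Q5,Date of your last external audit,date,0,,,
"""


def parse_questionnaire(text):
    """Return (questions, problems): an ordered dict question_id -> question and
    the row-level problems found (duplicate IDs, missing titles, bad options)."""
    questions, problems = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        qid = row["question_id"].strip()
        if not qid or not row["chapter_id"].strip():
            problems.append(f"row {row}: chapter_id and question_id are required")
            continue
        if qid in questions:
            problems.append(f"{qid}: duplicate question_id")
            continue
        if not row["question_title"].strip() or not row["chapter_title"].strip():
            problems.append(f"{qid}: question and chapter must have a title")
        options = {}
        for item in filter(None, row["options"].split("|")):
            label, _, mult = item.partition(":")
            try:
                options[label.strip()] = int(mult)
            except ValueError:
                problems.append(f"{qid}: option '{item}' needs an integer multiplier")
        show_if = None
        if row["show_if"]:
            parent, _, expected = row["show_if"].partition("=")
            show_if = (parent.strip(), expected.strip())
        questions[qid] = {
            "chapter": row["chapter_id"].strip(),
            "type": row["type"].strip(),
            "value": int(row["value"] or 0),
            "options": options,
            "show_if": show_if,
            "warn_if": row["warn_if"].strip(),
        }
    return questions, problems


def validate(questions):
    """Cross-row checks: dropdowns need options, warnings and conditions must
    refer to real answer labels, and a condition's parent must be an earlier
    dropdown question (so the portal can evaluate it top to bottom)."""
    problems, earlier = [], set()
    for qid, q in questions.items():
        if q["type"] == "dropdown" and not q["options"]:
            problems.append(f"{qid}: dropdown question has no options")
        if q["type"] != "dropdown" and q["options"]:
            problems.append(f"{qid}: scoring only applies to dropdown questions")
        if q["warn_if"] and q["warn_if"] not in q["options"]:
            problems.append(f"{qid}: warn_if '{q['warn_if']}' is not an answer label")
        if q["show_if"]:
            parent, expected = q["show_if"]
            if parent not in earlier:
                problems.append(f"{qid}: show_if refers to '{parent}', which is not an earlier question")
            elif expected not in questions[parent]["options"]:
                problems.append(f"{qid}: '{expected}' is not an answer of {parent}")
        earlier.add(qid)
    return problems


def visible_questions(questions, answers):
    """A conditional question is shown only if its parent is itself visible
    and was answered with the triggering option; chains resolve in row order."""
    visible = set()
    for qid, q in questions.items():
        if q["show_if"] is None:
            visible.add(qid)
        else:
            parent, expected = q["show_if"]
            if parent in visible and answers.get(parent) == expected:
                visible.add(qid)
    return visible


def score_feedback(questions, answers):
    """Score = sum(question value * multiplier of the chosen answer) over the
    visible dropdown questions; hidden questions never count. Also reports the
    best/worst possible score, per-chapter totals, warnings and gaps."""
    visible = visible_questions(questions, answers)
    result = {"total": 0, "max": 0, "min": 0, "chapters": {}, "warnings": [], "unanswered": []}
    for qid, q in questions.items():
        if qid not in visible:
            continue
        answer = answers.get(qid)
        if q["type"] != "dropdown":
            if not answer:
                result["unanswered"].append(qid)
            continue
        result["max"] += q["value"] * max(q["options"].values())
        result["min"] += q["value"] * min(q["options"].values())
        mult = q["options"].get(answer)
        if mult is None:  # not answered, or not one of the defined options
            result["unanswered"].append(qid)
            continue
        points = q["value"] * mult
        result["total"] += points
        result["chapters"][q["chapter"]] = result["chapters"].get(q["chapter"], 0) + points
        if q["warn_if"] and answer == q["warn_if"]:
            result["warnings"].append(qid)
    return result
```

Run the linter (parse_questionnaire followed by validate) on every spreadsheet before importing it; an empty problem list is the condition for "delete and import the corrected CSV again". The min/max figures are what let you decide where "very bad" and "very good" thresholds sit for a given questionnaire, since a recipient who answers "No" to the gating question is scored against a smaller set of questions.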

Efficient questionnaires make a huge operational cost difference.

OA Portal

The OA Portal is the website that your OA recipients will access to respond to your questions. Every OA you send out has an associated questionnaire; this is what is shown on the portal.

The portal allows recipients to answer questions (which are saved automatically as they are answered), download a report (optional, depending on the OA settings), and submit once ready (the administrator can configure whether this is only possible after all or some questions are answered). The questions shown are derived from your questionnaire settings and can include a multitude of different question types. The recipient can also add attachments if allowed.

Feedback

Under the Feedback tab, you will see the responses your OA received from the recipient. As the GRC Contact, you can also review the recipient's feedback using the portal; use whichever method you find more practical.

The Feedback tab will include many rows, so it is best to access them from the Online Assessment module by clicking on the Feedback shortcut column. You can then open the feedback in a new tab to work more comfortably.

OA Review

After an OA has been submitted, its status changes to "Pending Review". Once an OA is completed, your task is to review the answers and provide a final comment on the "Result" of the assessment.

To complete the review, you need to load the "Feedback" tab for the OA. You will notice that the "Reviewed" column indicates whether each question has been flagged as reviewed (by default, all will be marked as "Not Reviewed").

After you review an answer, you can flag the question as reviewed by simply editing it (typically, this is also done via bulk edits in one shot).

After all your questions have been reviewed, if you select the OA you have been working on under Online Assessments, you will notice that the "Review" button has become available. Clicking there allows you to log your review notes and save your final assessment.

Each reviewed OA will have its "Notes" and "Review Date" saved; once an OA has been reviewed, the review notes can no longer be updated.

Findings

After you complete the review, you might want to document issues or gaps that were identified; we do that in the form of Findings. These findings are linked to the specific OA and, optionally, to one or more individual questions within that OA.

Findings have a Deadline (which can trigger automated notifications) and a Status that can be set to "Open" or "Closed"; this helps you effectively track and manage these findings. Once a Finding is set to "Closed," the "Closure Date" will be automatically updated to reflect that date.

Statuses

Dynamic Status is a powerful and versatile common functionality that can be used for many different purposes (labelling Pass vs. Failed OAs, High Score vs. Low Score, etc.).

OAs come with a set of pre-defined dynamic statuses that help you visualize which step of the lifecycle the OA is in, for example: Accepting Answers, Submitted, Reviewed, etc.

Vendor Assessments

The OA functionality supports various use cases, as listed in the Typical Scenarios chapter of this document. Depending on the specific use case, you can associate other modules to ensure that OA results are automatically reflected on those items.

These associations (assets, third parties, etc.) are hidden by default and do not appear on the form used to create OAs. You can unhide them using the Customization common feature.

In this chapter, we will explain the concept of associated modules using the Third Party module. Linking OAs with Organization / Third Parties is the primary use case, typically used to assess suppliers from various perspectives (financial, cybersecurity, etc.), but the same principles apply to all other modules (assets, risks, business units, etc.).

The high-level process is described in the diagram below:

When creating an OA, you can link one or more Third Parties, provided they have been previously created in the system.

This allows the Organization / Third Parties module to show, for each Third Party, which OAs are linked to it and what their results are.

In the Third Party module, you can now see that the supplier OpenAI has one associated OA in Pending status. Once the OA is completed, the results will be reflected directly on the Third Party record.

You can use more sophisticated methods by leveraging the Dynamic Status and Custom Fields common features to reflect OA results directly on your Third Party records. For example:

  • OA Results: The final assessment result (e.g., Pass, Failed, etc.) can be stored in a Custom Field. This result can then be inherited by your Third Party records for centralized tracking.

  • Findings Inheritance: Any findings logged during an OA can be inherited by the associated Third Party. This allows you to quickly identify which Third Parties have active findings and monitor their current status (e.g., Open, Closed).

Implementation (tbd)

Use Case Definition

As discussed, OAs can be used for an almost infinite number of scenarios; in this implementation we will focus on Supplier Assessments, which seem to be the most popular one. The implementation steps are shown in the diagram below:

The implementation process requires multiple configurations and an initial "Test" to ensure everything works correctly and that you fully understand the workflow. After a successful test, you can repeat the process as many times as required.

Access Management

During the implementation phase, it is important to understand how the user interface works (views, add, edit, delete, bulk edits, and similar actions). Reviewing this upfront will make the implementation process smoother and more efficient.

It is critical to get this first phase right before implementing the Online Assessment use case, as correcting it later can be complex and time-consuming. The following steps must be completed:

  1. Log in to Eramba for the first time and set the Admin password and email (do not use a personal email address). See our Install Guide (choose the one that applies for you) for details.

  2. Create a group for your GRC department (name it according to your department). Create a second group called "OA Recipient". See our Access Management guide for details.

  3. Create user accounts for the GRC team, assign them to the group created in the previous step, and grant Admin privileges. Ensure that no portals are enabled other than Main and Online Assessments. Do not create user accounts for anyone outside the implementation team. User accounts for the rest of the organization should be created after the implementation is completed. See our Access Management guide for details.

  4. Log out as Admin; from now on, always log in with your personal account.

  5. Optional: Set up SAML, Google OAuth, or LDAP connectors and, if desired, update the Authentication settings to use these connectors in order to authenticate user accounts against a remote directory. See our Access Management guide for details.

Questionnaire

While questionnaires can be created using the web interface, the process is very slow. We recommend creating them using CSV files and importing them into eramba, using the web interface only for small corrections if needed.

  1. Define your OA targets by their unique characteristics.

  2. Create questionnaires for each of them using CSV files. Refer to the CSV Import functionality if you are unsure how to format these files.

  3. Import them into eramba via Online Assessments / Questionnaires / Import.

  4. Optional - Adjust them using the web interface, or delete and import corrected CSV versions again.

Notifications (Optional)

There are many possibilities when it comes to notifications. It is strongly recommended that you fully understand how they work by reviewing the notification common feature before making configuration decisions. We only suggest here default notifications that can help you get started.

There are a few default notifications you will most likely want to enable (as they are disabled by default) in eramba. You must also edit the notification Body and Subject to make sure they reflect exactly what you want to communicate. Please pay attention, as these notifications are configured in different modules within the software:

  • Online Assessment module: Send emails when an OA is "Started," when it has been "Submitted," or as reminders a few days before the expected "Stop" date. When editing these notifications, you must adjust the subject and body of the email to reflect your needs—in particular, the URL the recipient must use to access the Portal (if using public, non-authenticated access).

  • Online Assessment / Feedback: Comment & Attachment notifications are sent to all involved parties when a comment or attachment is included as part of the recipient's feedback. There are two distinct notifications, one for the assessor and another for the recipient, because the access URLs differ: the recipient logs into the OA portal, while the assessor logs into either the Main portal or the OA portal. Please edit the notification and adjust the URLs based on your preferred method.

  • OA / Findings: Notify users when an OA Finding is created, has expired, or is about to expire.

  • Settings / Organization & Access / Users: Notify a user when an OA recipient account has been created (this is optional and only used when you are using authenticated OAs since OAs that use the magic link do not require this notification)

Third Party User Account

We need to create an account to test the notifications created previously and to assign it to the Third Party and future OA recipients. This is a test account you will later delete:

  1. Under Settings / Organization & Access / Users: Create a dummy user account (configure an email you can reach), assign it to the "OA Recipient" group, and assign only the Online Assessment portal.

  2. Remember the password, you will need it later on.

  3. If you configured notifications for User Management, you will receive an email. If you want, you can correct the email subject/body as needed (remember, this notification triggers only for newly created accounts).

While this account will be used to test your setup, all future accounts you create for OA recipients must follow this configuration (portal and group setting in particular). See our Access Management guide for details.

Third Party Creation

It is very common to use the Custom Field common functionality for documenting supplier attributes such as their address, website, contact, risk profile, etc. Please make sure you understand the capabilities of this feature and implement it where appropriate to your needs.

As mentioned before, this step is optional if you are not performing a Vendor Assessment. Since the OA module can be used in many different scenarios, this step could instead involve creating an Asset or Risk that you want to associate with this OA.

  1. Go to Organization / Third Parties and create a Third Party; make sure the contact is the account created in the previous step. See the BU, Assets and Third Party module documentation for more details.

  2. Optional: Adjust the module fields to reflect your supplier details (contact, website, etc.).

  3. Optional: Adjust the module Views to group suppliers by those that have at least one OA assigned, have Open Findings, etc. This will help you better understand where each supplier is in their lifecycle.

If this is the first time you are implementing this module, we recommend you create only one Third Party for testing purposes. Once you feel sufficiently comfortable with the OA module, you can use a CSV import to add multiple third parties at once.

While this Third Party is used for testing purposes, all future Suppliers must be created following this process.

OA Creation (tbd)

It is recommended to first create a test OA to ensure you fully understand how the module works, in particular if you have enabled notifications.

  1. Create an OA, the following fields are particularly important:

    • Assessor Contact: Set this to your GRC group (ensure your account is a member of that group).

    • Recipient: Select the dummy account created previously.

    • Authentication: Choose your preferred option. Remember, if you select Authenticated, you will need the password for your dummy account.

    • Submit Incomplete: It is likely to be useful to enable this feature as you test your OA, so you do not have to answer all questions before being able to "Submit."

    • Questionnaire: Ensure the questionnaire you select is the one you intend to test.

    • Timeline: Set both the Start Date and End Date to tomorrow.

    • Recurrence: Do not enable recurrence just yet; we are creating this initial OA to test your questionnaire and the entire process.

  2. Save

  3. Select the OA and click "Start" on the Action Bar. You need to manually start the OA since the start date is set for tomorrow. A notification will be sent (up to one hour later unless you flush the queue manually) if you have configured it.

  4. Dynamic Status will update to "Accepting Answers" and "Not Submitted." If configured, an email should have been sent as well (this can take up to one hour unless you flush the queue manually). Remember that the default email includes both URLs (authenticated and non-authenticated).

  5. If you enabled notifications, click on the link and log in (or not, if you are using non-authenticated URLs) with your "Dummy" credentials. You should see the Portal. If you did not create notifications, you can access the portal URL by clicking on "Portal URL" on the action bar. You can use these URLs to access the portal (they are the same as the ones in the email).

  6. Regardless of which option you choose, the goal is to simulate exactly what the "Recipient" will see and do on the portal.

  7. Answer a few questions and also include Comments and Attachments in a few of them.

  8. Make sure you can log in to the portal (as the Assessor) and see the questionnaire. Make sure you can also log in as the Vendor (dummy account) using the provided links.

  9. You can now complete the questions and click on "Submit"

It is very common to use the Custom Fields common functionality to extend the OA form with additional attributes such as "Pass/Failed" or "Next Review OA", etc.

OA Feedback

Once you have received answers to your questions, the process of reviewing them begins:

  1. You can see the summary of scores and answers in the main OA section (it is very important that you have added the right columns using the View common functionality; otherwise, you might not see them).

  2. Use the shortcut counter to see all the feedback for a given OA.

  3. Here you can review the answers to your questions. You can also provide Comments & Attachments on these questions in the form of additional feedback or questions/clarifications to the person who provided the answers (the OA must be "Started" for them to log in and respond).

OA Review

As you review answers on the "Feedback" tab, you can already "Close" the ones that have, in your view, been fully answered. We call this process "Reviewing" questions.

  1. Click on the question you want to close, edit, and change the column to "Reviewed". Note that this process can be done quicker using bulk edits.

Findings (tbd)

TBD

Associated Modules (tbd)

TBD

Operations (tbd)

Recurrent OAs (tbd)

tbd

Reporting (Optional) (tbd)

See Reporting documentation

Automation (Optional) (tbd)

See Automation documentation