Creating and Importing Risk Assessment Questionnaires
This guide is designed to help users understand the process of creating custom risk assessment questionnaires. This requires having the SimpleRisk Risk Assessment Extra, Import/Export Extra, and an already functional instance of SimpleRisk in place. While this guide only covers the Import/Export method of creating a new risk assessment questionnaire, please note they can also be created entirely from scratch inside the SimpleRisk UI.
Exporting a Questionnaire
This action is relatively simple and a great starting point for both creating an assessment, as well as gaining an understanding as to how SimpleRisk stores assessments. As a learning exercise, you will find a list of the steps required to export the “Critical Security Controls” questionnaire that’s built into SimpleRisk, which is short and easy to manipulate.
1) At the top, navigate to “Assessments” followed by “Import/Export” on the left.
2) Once the “Questionnaire Import/Export” menu is displayed, select the dropdown in the “Export” section where the default selection is currently set to “Export Questionnaire Template” and change it to “Export Assessment.”
3) A new dropdown will now appear below allowing you to select which assessment will be exported. For our example, we will go ahead and select “Critical Security Controls.”
4) Now click “Export Assessment” and a CSV will be downloaded to your machine containing the assessment.
Configuring the Custom Questionnaire
From here, you may now begin to customize the assessment questionnaire for your purposes. Before getting started, here are a couple of pointers.
You may have more than one sub-question for each answer presented, but you cannot add a sub-question of a sub-question.
You first need to remove all of the data from the spreadsheet, except for the first row.
Once the spreadsheet has been adjusted as described above, you can begin to insert your own custom data.
Below, you will find a list of the columns in the spreadsheet and the details describing their purpose.
Questionnaire Template Name – This is used to group questions together in a template. The questionnaire template name must be the same for each answer/row entered that you would like to be grouped. You may upload multiple questionnaire templates in a single CSV each grouped by a distinct unique Questionnaire Template Name.
Question ID – The Question ID is the key value the system uses to determine whether a question is new and unique or updates an existing question. Each answer belonging to a given question must have the same Question ID. To determine where your import should start, use either the UI or an export of all assessments to find the highest existing Question ID; your first Question ID should be the next number after it.
Question Ordering – Use this column to order the questions. For each question listed, the same ordering number will need to be entered for all possible answers pertaining to that question.
Question – Here, you enter the actual question you would like to be displayed. For each optional response presented, this same Question will need to be repeated.
Answer Type – This refers to the type of answer you will be setting up: “0” is multiple choice and “1” is fill in the blank.
Mapped Controls – This field takes a control ID and maps it to the question. If this question is a maturity question this is where the desired control maturity is populated from.
Has File – In this column, enter a “1” or a “0” to determine whether or not the user responding to this questionnaire will be able to submit supporting documentation (“1”) or unable to upload supporting documentation (“0”).
Question Logic – This option enables a sub-question to be asked based on the answer given. “0” disables and “1” enables sub-questions.
Risk Assessment – Enables a pending risk to be created based on the answer to the question.
Compliance Assessment – Enables tracking of pass/fail status against mapped controls. “0” will disable while “1” will enable compliance.
Maturity Assessment – Enables tracking of the current maturity level against a mapped control’s desired maturity level.
Answer – Here, you will enter an answer choice that will be displayed to the user, so they can respond to a specific question, and you can only enter one answer choice per row. If there are multiple answers required for a single question, you will want to copy the entire row and duplicate it below and only change 1) the risk scoring method, 2) the risk score, 3) whether or not a risk will automatically be submitted based on the answer, 4) a risk subject, but only if a specific response to a question triggers a risk to be submitted/created, 5) the answer.
Answer Ordering – This option is to control the order of questions and answers displayed.
Sub Questions – Here you enter the Question ID for any response-based logic that automatically triggers sub-questions that will be asked, based upon the answer selected. Please note you may have more than one sub-question separated by commas (“,”).
Submit Risk – This defines whether or not the system will create a pending risk when a particular answer is given. Use a “1” if you want a risk to be submitted and created and enter a “0” if you do not want a risk to be automatically submitted and created.
Subject – Assuming a respondent’s answer to a question automatically creates a pending risk, this will be the “Subject” associated with the risk created. Please note there is no need to enter a “Subject” if no risk will be submitted and created based on the answer provided.
Owner – If you would like any pending risk that’s automatically generated to have a risk “Owner” assigned to it, here, you will need to enter their Full Name. The Owner must already have an account defined in SimpleRisk for this to work properly, as the system is not designed to automatically create new accounts or store names that are not in the system at the time of import.
Affected Assets – Use this field to assign any affected assets associated with pending risks automatically generated, triggered by the response to a question. Please note that affected assets do not have to already exist in the system and will be automatically created when a pending risk is submitted into the risk registry. Alternatively, at the top of a questionnaire, an asset can be entered to identify the affected assets of all pending risks submitted. It’s worth mentioning that we have also found this field is commonly used to enter a vendor as an “asset,” which makes risk tracking and reporting much easier. Optionally, this field can be left blank.
Tags – This field is for associating any pending risk generated with this answer with tags for organization.
Mitigation Controls – This field is to select a mitigating control for a generated pending risk associated with this row’s answer.
Fail Control – Set this field to “1” to fail any compliance control that is attached to the question and “0” for a pass.
Control Maturity – This field associates a control maturity with the answer in this row. The available control maturity levels are “Not performed, Performed, Documented, Managed, Reviewed & Optimizing”
Risk Scoring Method – This field will define the scoring method applied to any pending risks automatically submitted based upon a respondent’s answer. The scoring types available for this field are as follows:
o Custom – This will assign a risk score based on the value contained in the “Custom Value” column for this row.
o Classic – This will use the “Classic-Likelihood” and “Classic-Impact” values to calculate a risk score for the pending risk.
o CVSS – This will use the CVSS scoring columns to score the pending risk created.
o DREAD – This selection will use the DREAD method with the DREAD scoring columns.
o OWASP – This will use the OWASP risk scoring methodology with the OWASP scoring columns.
o Contributing Risk – This will use the fields “Contributing Likelihood” and “Contributing Subjects and Impacts” to score the risk. For Likelihood you will need to set the value according to the naming conventions in the system. By default, they are “Remote”, “Unlikely”, “Credible”, “Likely”, “Almost Certain” in ascending order of likelihood.
For “Contributing Risks Subjects” and “Impacts” here are some examples.
You will notice the “Subject” of the Contributing Risks is separated from the score by a “_” and the impact options are “Insignificant”, “Minor”, “Moderate”, “Major”, “Extreme/Catastrophic” in ascending level of impact. These are default classifications and can be changed in the “Configure” menu, followed by “Configure Risk Formula” menu, and on the last tab you will see “Contributing Risk Formula.”
Custom Value – This is the column that will be used as the score for Pending Risks using the Custom risk scoring method.
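As an added illustration that is not part of this guide or of SimpleRisk's own code, the following Python script builds answer rows in the CSV layout described above, checks the consistency rules the guide states (question-level fields repeated on every answer row, a Subject whenever Submit Risk is “1”, sub-questions that exist and are not themselves sub-questions), and writes the result as CSV. The column names, the template name, the sample questions and the starting Question ID of 101 are assumptions, and only a subset of the columns is covered.

```python
import csv
import io
# Column names as the guide lists them (an assumption; confirm against your own export's header row).
COLUMNS = ["Questionnaire Template Name", "Question ID", "Question Ordering", "Question",
           "Answer Type", "Has File", "Question Logic", "Answer", "Answer Ordering",
           "Sub Questions", "Submit Risk", "Subject", "Risk Scoring Method", "Custom Value"]

def question_rows(qid, order, text, answers, template="Vendor Review (constructed)"):
    """One row per answer, repeating the question-level fields on every row as the guide requires."""
    base = {"Questionnaire Template Name": template, "Question ID": str(qid),
            "Question Ordering": str(order), "Question": text, "Answer Type": "0",
            "Has File": "1", "Submit Risk": "0", "Risk Scoring Method": "Custom"}
    # Per-answer fields (Answer, Sub Questions, Submit Risk, Subject, Custom Value) override the defaults.
    return [dict.fromkeys(COLUMNS, "") | base | {"Answer Ordering": str(n),
            "Question Logic": "1" if a.get("Sub Questions") else "0"} | a
            for n, a in enumerate(answers, 1)]

def validate(rows):
    """Return problems that would make the import inconsistent or silently wrong."""
    problems, by_qid, children = [], {}, {}
    for r in rows:
        by_qid.setdefault(r["Question ID"], set()).add((r["Question Ordering"], r["Question"]))
        if r["Submit Risk"] == "1" and not r["Subject"]:
            problems.append(f"Q{r['Question ID']}: Submit Risk=1 but no Subject")
        for sub in filter(None, r["Sub Questions"].split(",")):
            children.setdefault(r["Question ID"], set()).add(sub.strip())
    for qid, keys in by_qid.items():
        if len(keys) > 1:  # every answer row must repeat the same ordering and question text
            problems.append(f"Q{qid}: answer rows disagree on Question Ordering or Question")
    for parent, subs in children.items():
        for sub in subs:
            if sub not in by_qid:
                problems.append(f"Q{parent}: sub-question {sub} is not defined in this CSV")
            elif sub in children:  # the guide forbids a sub-question of a sub-question
                problems.append(f"Q{sub}: sub-question of a sub-question is not allowed")
    return problems

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample; IDs start at 101, assumed to be one above the highest ID already in the system.
SAMPLE = question_rows(101, 1, "Does the vendor encrypt customer data at rest?", [
    {"Answer": "Yes"}, {"Answer": "No", "Submit Risk": "1", "Custom Value": "8",
     "Subject": "Vendor stores customer data unencrypted", "Sub Questions": "102"},
]) + question_rows(102, 2, "Is there a committed date to enable encryption?", [{"Answer": "Yes"}, {"Answer": "No"}])
```

Run `validate(SAMPLE)` before writing `to_csv(SAMPLE)` to a file; an empty list means the rows satisfy the rules above, and each reported string names the offending Question ID.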
Importing a Questionnaire
Now that we have a custom assessment in spreadsheet form (CSV), it can be imported. Providing the directions in the previous sections were followed as prescribed, these steps should be fairly straightforward. Below you will find step-by-step instructions on how to import your custom assessment questionnaire.
1) After logging into SimpleRisk click “Assessments” at the top followed by “Import/Export” on the left.
2) On this page, in the first section labeled “Import,” change the dropdown menu to “Import Assessments.”
3) Click the “Choose File” button and point SimpleRisk to your intended CSV upload from the earlier steps.
4) You will now see the column names from your import displayed down the left side and a column of dropdowns on the right containing the available fields you can map to in SimpleRisk. If you began this process with an exported assessment from SimpleRisk, your column names should all match.
5) Once you have confirmed and double-checked that you have set your mapping to the correct fields and they all match, simply click “Import” at the bottom of the section to import the assessment. Your new custom questionnaire is now available for use.
This guide describes the steps required to export, customize, and import a custom questionnaire into SimpleRisk. If any questions were left unanswered or you discover something that is not working as stated, please contact us via e-mail at firstname.lastname@example.org.