An evaluation campaign lets you obtain a declarative score, take an initial inventory of your compliance, and build your security base.
1. Concepts
Evaluations (declarative conformity assessments) are carried out within the framework of campaigns.
A campaign enables the evaluation to be carried out:
- In relation to a specific questionnaire and/or policy
- According to a specific scale (which greatly influences the type of evaluation)
- On selected perimeters, applications and providers
- With a start date and a possible end date.
2. Set up the evaluation
To create a campaign you can use the wizard by clicking on
The campaign creation wizard appears and guides you to finely configure the campaign.
2.1. Perimeter choice
If you choose to target a group, all child perimeters (direct and indirect) will be included, and new perimeters added in this group will also be automatically added to the campaign if it's active.
⚠️ If you run the campaign on a group that includes providers and applications, you will not be able to build a security base or manage measures, because providers and applications do not have a security base.
2.2. Policy choice
If perimeters are not yet associated with the evaluated policy, Tenacy will alert you and offer three choices:
🔎 If a perimeter is not associated with a policy:
- the perimeter score will be taken into account in the display of campaign results
- the score of the perimeter will not be taken into account in the display of the policy
- the evaluation score will not be considered in the perimeter score.
💡 It is possible to select a questionnaire. It allows you to:
- Collect unstructured/non-evaluable information and calculate accumulators (a form of scoring)
- Condition the application of the requirements of a policy.
If both a questionnaire and a policy have been selected in the campaign, the questionnaire is completed before the evaluation. Once the respondent has completed and submitted the questionnaire, the evaluation phase begins.
Rejecting the evaluation returns it to questionnaire mode so that the answers can be changed accordingly. Respondents can also return to the questionnaire at any time to change their answers.
To learn more about the subject, you can read this article.
2.3. Set up the evaluation scale: a pivotal step in the construction of the campaign
It's at this stage that you will choose to:
- collect compliance actions: the actions will be entered in a default register or in a register that you have created beforehand.
- collect information on the measures already in run: the run measures will be recorded in the security base.
- collect evidence in the form of attachments.
🔎 In the case of a supplier or an application, the configuration is simplified: measures are not offered.
The scale determines, by level:
- Whether or not evidence is to be entered
- Whether users can respond that the control is not applicable
⚠️ The scale is no longer editable after campaign launch.
2.4. Global parameters
This is where you can enter:
- The start date and the end date of the evaluation (the end date being optional)
- The actions register in which actions retrieved during the campaign will be stored. This register may be modified before the launch of the campaign.
- The name of the campaign
- A description
🔎 It is possible to edit the campaign created by the wizard before launching.
2.5. User/group assignment
Once the evaluation has been created, you will need to assign one or more users who can respond to your evaluation:
Evaluations > Click on the icon when hovering over the line > "User/group assignments" tab
Finally, start the campaign ▶️.
3. Answer an evaluation
Case 1: with measures and actions management
To see the impact of the evaluation, we start the evaluation on a new perimeter (here, South Korea). It has an empty security base.
To answer the evaluation, go to the contributions:
Contributions > Evaluations > click on the evaluation concerned.
Carrying out the evaluation:
- On the left of the screen, the policy is displayed control by control.
- In the middle, a short description and a long description of the selected control.
- On the right, the response area with: the compliance scale, the comments area, the area for adding evidence, measures and actions.
We carry out the evaluation: we select a level of conformity and, depending on the settings decided earlier, we provide information on the measures in operation and under construction, the improvement and construction actions, evidence and comments.
After the evaluation, we can see that the construction of the security base has started with the different measures:
And the actions were stored in the register created for this evaluation:
Case 2: without management of measures and actions (providers and applications)
In the case of a supplier evaluation, as already established, measures are not managed.
In this case the response page is simplified: the supplier will only be able to provide evidence and comments, if the settings permit it.