This topic explains how to create a query to view risk indicators for authoritative documents and requirements mapped to controls analyzed in risk projects. These mappings can be displayed by control status and requirement or be consolidated by authoritative document, requirement, or by requirement and control. The results always display the latest status from risk analyses considering the latest closed questionnaires.
1. Access the Organization module.
2. Select List Queries from the Queries section.
3. In the Organizational Queries section, click Create.
4. Select the Risk Metrics for Control/Requirement Mappings option (see figure below).
5. Select the Control Status and Requirement option, or click Consolidated By and select one of the options available.
Note: Each of these options displays the latest risk analysis results for the option selected, as detailed below:
• Control Status and Requirement: This option displays risk indicators for the organizational object selected in the scope. These indicators are displayed for requirements mapped to controls analyzed in risk projects with details on the controls and their relationships with the requirements. Analysis data for each control analyzed in the projects will be displayed. For example, if control 1 was mapped to requirement 1 and this control was analyzed four times in different projects, the query will display the results and information for this control and requirement four times, one for each occurrence.
• Authoritative Document: This option displays risk indicators for the organizational object selected in the scope. These indicators are consolidated for the authoritative document whose requirements were mapped to controls analyzed in risk projects. This consolidation counts the number of times a requirement and any of its child requirements are associated with a control. For example:
Requirement 005.001.001 is mapped to a non-implemented control X whose PSR score is 125
AND
Requirement 005.001 is not associated with any control
AND
Requirement 005 is associated with a non-implemented control Y with a PSR score of 125
THEN
PSR score for the authoritative document will be 250
• Requirement: This option displays risk indicators for the organizational object selected in the scope. These indicators are consolidated for the requirements that were mapped to controls analyzed in risk projects. This consolidation counts the number of times child requirements were associated with controls. If parent requirements have not been associated with any controls, they will display the results for their child requirements. Continuing with the example above, requirement 005.001 would have a PSR score of 125, since it was not directly associated with any controls and thus only displays the results for its child requirement 005.001.001. Requirement 005 would have a PSR score of 250, since it would include its own PSR score of 125 plus the PSR score of its child requirement 005.001.001. By default, this query is grouped by authoritative document and by requirement.
• Requirement and Control: This option displays risk indicators for the organizational object selected in the scope. These indicators are consolidated for the requirements that were mapped to controls analyzed in risk projects. Indicators are again consolidated for requirements. In this case, if control 1 associated with requirement 1 was analyzed four times in risk projects (twice as implemented and twice as not implemented), the four responses to this control will be taken into consideration in the consolidation. The Risk Index in this case would be 50% and the Security Index would be 50%. By default, this query is grouped by requirement and by authoritative document.
The difference between this query and the Requirement query is that this one also displays all the controls the requirements were associated with and the number of times these controls were analyzed, while the Requirement query displays only the requirements, even if their results were obtained from two different controls mapped to them and regardless of the number of times those controls were analyzed.
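The consolidation rules described above, worked through as an added Python example (this is not part of the documentation and not the product's own code). It assumes that dotted requirement identifiers encode the hierarchy (005.001.001 is a child of 005.001, which is a child of 005), that the sample PSR scores and analysis records are constructed data, and that Risk Index and Security Index are the percentage of not-implemented and implemented responses, as the Requirement and Control option describes. It covers all four options: the unconsolidated rows, the per-requirement roll-up, the per-document roll-up, and the per-requirement-and-control indices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ControlAnalysis:
    """One analysis of a control in a risk project (constructed sample record)."""
    control: str
    implemented: bool
    psr: float  # PSR score contributed by this analysis (constructed value)


# requirement id -> analyses of the controls mapped to it (constructed sample data)
Mappings = Dict[str, List[ControlAnalysis]]

# Assumption: dotted identifiers encode the hierarchy, so 005.001.001 is a child of 005.001.
DOC_A: Mappings = {
    "005": [ControlAnalysis("Y", implemented=False, psr=125.0)],
    "005.001": [],  # not associated with any control directly
    "005.001.001": [ControlAnalysis("X", implemented=False, psr=125.0)],
}

# Control 1 mapped to requirement 001 and analysed four times: twice implemented, twice not.
DOC_B: Mappings = {
    "001": [
        ControlAnalysis("1", implemented=True, psr=0.0),
        ControlAnalysis("1", implemented=True, psr=0.0),
        ControlAnalysis("1", implemented=False, psr=80.0),
        ControlAnalysis("1", implemented=False, psr=80.0),
    ],
}


def parent_of(req: str) -> Optional[str]:
    """Parent requirement id, derived from the dotted identifier (assumption)."""
    return req.rsplit(".", 1)[0] if "." in req else None


def descendants(req: str, mappings: Mappings) -> List[str]:
    """All requirements below req in the hierarchy (children, grandchildren, ...)."""
    return [r for r in mappings if r.startswith(req + ".")]


def control_status_rows(mappings: Mappings) -> List[Tuple[str, str, bool, float]]:
    """Control Status and Requirement: one row per analysis, nothing consolidated."""
    return [(req, a.control, a.implemented, a.psr)
            for req, analyses in mappings.items() for a in analyses]


def requirement_psr(req: str, mappings: Mappings) -> float:
    """Requirement: own PSR plus the PSR of every descendant requirement.
    A requirement with no direct control therefore shows its children's results."""
    own = sum(a.psr for a in mappings.get(req, []))
    inherited = sum(a.psr for d in descendants(req, mappings) for a in mappings[d])
    return own + inherited


def document_psr(mappings: Mappings) -> float:
    """Authoritative Document: consolidated PSR of the top-level requirements."""
    roots = [r for r in mappings if parent_of(r) not in mappings]
    return sum(requirement_psr(r, mappings) for r in roots)


def requirement_and_control(mappings: Mappings) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Requirement and Control: per (requirement, control) pair, count the analyses and
    derive Risk Index (share not implemented) and Security Index (share implemented)."""
    groups: Dict[Tuple[str, str], List[ControlAnalysis]] = {}
    for req, analyses in mappings.items():
        for a in analyses:
            groups.setdefault((req, a.control), []).append(a)
    result: Dict[Tuple[str, str], Dict[str, float]] = {}
    for key, analyses in groups.items():
        total = len(analyses)
        not_impl = sum(1 for a in analyses if not a.implemented)
        result[key] = {
            "analyses": total,
            "psr": sum(a.psr for a in analyses),
            "risk_index": 100.0 * not_impl / total,
            "security_index": 100.0 * (total - not_impl) / total,
        }
    return result


if __name__ == "__main__":
    print("Doc A PSR:", document_psr(DOC_A))                    # 250.0
    print("005.001 PSR:", requirement_psr("005.001", DOC_A))   # 125.0
    print("005 PSR:", requirement_psr("005", DOC_A))           # 250.0
    print("Doc B rows:", len(control_status_rows(DOC_B)))      # 4
    print("Doc B indices:", requirement_and_control(DOC_B)[("001", "1")])
```

Running the script reproduces the figures in the text: the document rolls up to 250, requirement 005.001 inherits 125 from its only mapped child, requirement 005 combines its own 125 with that child's 125, and the four analyses of control 1 yield a Risk Index and a Security Index of 50% each. The Authoritative Document roll-up deliberately sums only the root requirements, since each root already includes its descendants; summing every requirement would count 005.001.001 three times.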
The system displays the Scope step in the wizard for creating queries, where the assets and perimeters from which information will be obtained can be selected (see figure below).
6. Click Add to Scope to select the assets and perimeters to be included in the scope.
The system displays a list containing the assets and perimeters registered in the Organization module.
7. Click Expand to view the full organization structure.
8. Select the objects you want to include in the scope by marking the checkboxes next to each and clicking Add to Scope (see figure below). If you want to quit the operation, click Cancel.
9. To remove an item from the scope, mark the checkbox next to it and click Remove from Scope.
10. When finished, click Proceed to continue creating the query. If you want to run the query, click Generate Query. If you want to quit the operation, click Cancel.
When Proceed is clicked, the system displays the Filters step in the wizard for creating the query, where the filters to be used can be selected, which will reduce the information used to display the results (see figure below).
Note: Risk metrics are always consolidated based on the controls, since this is the most granular object that can be analyzed in a project. Requirements inherit risk indicators from the controls to which they are mapped. Selecting a filter means indicating that only the controls, and in turn the mapped requirements, meeting the criteria set in the filters selected will be displayed in the query results. For example, if you filter the query by a certain knowledge base, only the controls related to that knowledge base will be displayed in the results.
The filter options for this type of query include asset component, asset type, control, control grouping, knowledge base, strategic business component, tactical business component, and threat.
11. In the Filters section, select the filter you want to use by clicking one of the filter options displayed on the left (see figure below).
12. Depending on the filter option selected, mark the checkboxes next to the objects to be added to the filter or click Add to Filter to select the objects that will be used to filter the scope of the query (see figure below). Note that the options available vary depending on the type of filter you choose.
13. Select the objects to be added to the filter in the window that appears and click Add Selected (see figure below). If you want to quit the operation, click Cancel.
The system displays the objects selected for the filter.
14. To remove objects added to the filter, mark the checkboxes next to each you want to remove and click Remove from Filter.
15. After selecting the filters, click Proceed to continue creating the query. If you want to generate the query, click Generate Query. If you want to cancel query creation, click Cancel. To return to the previous step at any point during this wizard, click Back.
When Proceed is clicked, the system displays the Columns step, where the columns to be displayed in the query results can be selected (see figure below).
16. Select the columns you want to include in the query by marking the checkboxes next to each. By default, the system will show some pre-selected options that can be removed, while others are required columns. To remove non-required columns from the results of the query, unmark the checkbox next to each column name. To include more columns in the results, select the options that are not pre-selected by default.
17. Click Proceed to continue creating the query. If you want to generate the query, click Generate Query. If you want to cancel query creation, click Cancel. To return to the previous step at any point during this wizard, click Back.
When Proceed is clicked, the system displays the Audience step, where you can select which people and groups will be able to view the query in the Home module and in this module, if they have permission to access it (see figure below).
18. Click Add Audience and select People or Groups to add them.
19. If, for example, you selected People, select the people to be added and click Add People (see figure below). If you want to quit the operation, click Cancel.
The system displays the people selected.
20. To remove people or groups from the audience, mark the checkboxes next to their names and click Remove Audience.
The system requests confirmation to remove the people or groups from the audience (see figure below).
21. Click Remove Audience to confirm. If you want to quit the operation, click Cancel.
The system removes the people selected from the audience.
22. Click Proceed to continue creating the query. If you want to generate the query, click Generate Query. If you want to cancel query creation, click Cancel. To return to the previous step, click Back.
When Proceed is clicked, the system displays the Editors step, where you can select which people and groups will be able to edit the query, receiving the same permissions to it as the author (see figure below).
23. Click Add Editors and select People or Groups to add them to the list of editors.
24. If, for example, you selected People, select the people to be added and click Add People (see figure below).
The system displays the people selected.
25. To remove people or groups from the list of editors, mark the checkboxes next to their names and click Remove Editors.
The system requests confirmation to remove the people or groups from the list of editors (see figure below).
26. Click Remove Editors to confirm. If you want to quit the operation, click Cancel.
The system removes the people selected from the list of editors.
27. Click Proceed or Generate Query to run the query. If you want to cancel query creation, click Cancel. To return to the previous step, click Back.
When Proceed is clicked, the system displays the results of the query according to what was selected in the previous steps (see figure below).
28. Click Save to save the query data. If you do not want to save the query, click Cancel. To return to the previous step, click Back.
When Save is clicked, the system displays a window where a name and description for the query can be entered (see figure below).
29. In the Name field, enter a name to identify the purpose and reach of the query.
30. In the Description field, enter the main characteristics of the query.
31. When finished, click Save Query. If you want to quit the operation, click Cancel.
The system displays a success message.