How to Edit the Scope

This topic explains how to edit the survey, interviewee, analyst, and reviewer for the asset components included in the scope of a risk project. The scope of a risk management project can only be edited when the analysis phase is still open.

 

1.    Access the Risk module.

2.    In the Projects section, click the List Projects option.

3.    In the List of Projects section, click Edit next to the risk management project whose scope you want to edit.

4.    Click Scope.

5.    Mark the checkboxes next to the asset components whose analysis parameters you want to edit and click Edit Selected (see figure below).

 

 

The system displays a screen where the analysis parameters for the asset components selected can be edited (see figure below).

 

 

Note: The fields marked with an asterisk are options that must be specified for a risk management project. If you do not select any options, the system will do so automatically.

 

6.    Mark the checkbox next to the Analyst field and select the new person you want to assign as analyst. By default, the project leader is assigned as the analyst responsible for answering questionnaires. Keep in mind that the person assigned as analyst must be included in the list of restrictions for this role in the Role Restrictions section of the Administration module and in the Risk Module Users access profile in order to gain access to the module.

7.    Mark the checkbox next to the Interviewee field and select the new person you want to assign to the asset component selected. By default, the person responsible for the asset where the asset component is located is assigned as the interviewee. If the list of restrictions for members is enabled, the interviewee must be included in the list of restrictions for interviewees in the Role Restrictions section of the Administration module and in the Risk Module Users access profile in order to gain access to the module. 

8.    Mark the checkbox next to the Reviewer field and select the person you want to assign as reviewer. Note that by selecting a reviewer, you are specifying that you want the interviews for the asset components selected to be reviewed. If the list of restrictions for members is enabled, the reviewer must be included in the list of restrictions for reviewers in the Role Restrictions section of the Administration module and in the Risk Module Users access profile to gain access to the module. 

9.    Mark the checkbox next to the Survey field and select the survey you want to associate with the asset components selected. This field will only show options if there are published versions of risk surveys associated with the version of the knowledge base being used. For further details, see Note 1 at the end of this topic.

10. Mark the checkbox next to the Knowledge Base Version field and select the version of the knowledge base that you want to use. All published versions of the knowledge base associated with the asset component selected will be displayed. For further details, see Note 2 at the end of this topic.

11. When finished, click Save. If you want to quit the operation, click Cancel.

 

The system displays a success message.

 

Note 1: When a risk survey is created, it is associated with a certain version of a published knowledge base. The survey must also be published before it can be used in risk management projects (see figure below).

 

 

Once a survey is published, it may be necessary to edit it to make changes and corrections. In this case, the status of the survey is set to “Being Edited” and, once the changes are made, a new version of the survey needs to be published for use in risk management projects. When a new version of the survey is published, the association that existed between the previous version of the survey and the knowledge base is automatically preserved (see figure below).

 

 

Note that the association is between each published version of a risk survey and a specific version of the knowledge base. In the example in the figure above, versions 1.0 and 1.1 of risk survey A are both associated with version 1.0 of knowledge base X. A slightly more complex scenario to consider is one in which there are various risk surveys, each with various published versions, associated simultaneously with a single version of a knowledge base.

 

 

If an asset component associated with a certain knowledge base that has a one-to-one association with a risk survey is included in the scope of a risk management project, the system will, by default, show the latest version of this survey as one of the analysis parameters, making it easy to use in the project (its use is optional). However, there may be more than one version of a survey or even several versions of different surveys associated with a single version of a knowledge base (see figure above). The system therefore lets the project leader select which version of which risk survey will be used in the project (see figure below).

 

 

Note 2: By default, when a new asset component is added to the scope of a project, the system suggests that the latest version of the knowledge base associated with the asset component be used. This ensures that the questionnaire generated from the knowledge base, which the analyst answers during the analysis phase, is as up to date as possible.

It’s very simple to check that this is the default system behavior. The figure below shows that the latest published version of the “Technology – Application – Application Server” knowledge base on best practices and procedures for application servers is version 3.0.

 

 

Suppose this knowledge base is associated with an environment-type asset component located in a perimeter from the organizational structure, and that this component is included in the scope of a risk management project. In this case, as the latest published version of the knowledge base associated with the asset component is version 3.0, the system will automatically suggest that this version be used in the project (see figure below), as mentioned above.

 

 

Just as you may want to select which version of a risk survey to use in a project, you may also want or need to use a previous version of the knowledge base, which becomes the questionnaire used in the analysis, instead of the latest published version.

For example, it may be that the analyst assigned to analyze an asset component’s risks is already familiar with an earlier version of a published knowledge base associated with this component. In this case, the project leader may opt to use a slightly older version of the knowledge base that may be better known, until the analyst becomes familiar with the latest published version.

Another scenario where you may want to use a previous version of a knowledge base has to do with the status of automated collection, in the case of technology-type asset components. It may be that an earlier version of a knowledge base offers fully automated collection (that is, all of its controls are associated with OVAL scripts and can be answered automatically), while the latest published version includes new controls that are not yet associated with OVAL scripts and would have to be answered manually. The project leader may choose not to use the latest version until the knowledge base can be fully answered automatically.

There are also other situations (technical, methodological, managerial, etc.) that may justify the decision not to use the latest published version of a knowledge base in a project, even if it is the most up-to-date one. To meet these use cases, the system allows the version of the knowledge base to be selected for use in the project. It’s important to note, however, that there are some restrictions. For it to be possible to select earlier versions, the following conditions must be met:

    There must be more than one published version of the knowledge base in question;

    The analysis of the asset component associated with the knowledge base for which you want to choose the knowledge base version cannot have already begun.

In addition, multiple asset components can be selected at once when you edit the analysis parameters in the scope of a project, so that you can assign, for example, the same analyst or interviewee to all of them in a single operation. Because of this, there are two other cases in which editing the knowledge base version will not be possible:

    The asset components selected are associated with different knowledge bases. In this case, selecting a knowledge base version would be ambiguous.

    The asset components selected are at different analysis stages in the project. For one, the analysis may not yet have begun; for another, it may be in progress; and for another, it may already have been completed.