1. Access the Risk module.
2. In the Risk Management Projects section, click the List Projects option.
3. In the Risk Management Projects section, click Edit next to the risk management project containing the non-implemented controls you want to treat.
4. Click the Evaluation tab.
5. Click the List of Controls tab.
6. Mark the checkboxes next to the controls you want to send to treatment and click Treat. Select an event type from the drop-down list and then click Treat (see figure below). Note that you will only be able to view event types for which the association with controls and vulnerabilities was previously enabled in the Object Types section of the Administration module.
The system displays the form used to create events (see figure below).
7. Select Create one event for each control if you want to create a treatment event for each non-implemented control selected. This option will only be enabled if more than one non-implemented control is selected.
8. Select Create one event for all controls if you want to consolidate treatment of multiple controls. This option will only be enabled if more than one non-implemented control is selected.
9. Select Create a parent event for each asset and child events for the associated controls to create a parent event for each asset and child events for each of the non-implemented controls related to the asset. This option will only be enabled if more than one non-implemented control is selected.
10. In the Deadline field, select the deadline for the event. This field is optional and can be edited later, if necessary. This deadline will be applied to all events being created.
11. In the Relevance field, specify the relevance for the event, which will be used to calculate the USR.
12. In the Urgency field, specify the urgency for the event, which will be used to calculate the USR.
13. In the Severity field, specify the severity for the event, which will be used to calculate the USR.
14. In the Title field, enter a name for the event using up to 2,500 characters to help identify it in the list of events in the Workflow module.
• If only one non-implemented control was selected, the default title will be the name of the control. Note that this field can be edited afterwards.
• If more than one non-implemented control was selected but individual events are being created for each, this field will be disabled and the title of each event will be the name of each respective control.
• If more than one non-implemented control was selected and a consolidated event is being created for them, this field will need to be completed.
• If a parent event is being created for each asset and child events for the non-implemented controls, this field will be disabled. The name of the parent event will be the project code together with the name of the asset, while the name of each child event will be the name of each non-implemented control.
15. In the Description field, enter information describing the event using up to 5,500 characters.
• If only one non-implemented control was selected, the default description will be the recommendation for the control. Note that this field can be edited afterwards.
• If more than one non-implemented control was selected and individual events are being created for each, this field will be disabled and the description of each event will be the recommendation of each respective control.
• If more than one non-implemented control was selected and a consolidated event is being created for them, this field will need to be completed.
• If a parent event is being created for each asset and child events for the non-implemented controls, this field will be disabled. The description of the parent event will be the project code together with the name of the asset, along with the number of child events created. The description of each child event will be the recommendation of each respective control.
16. In the Coordinator field, select the person or group of people who will be assigned to carry out the event and update its progress. By default, if the same person was assigned as responsible for all the assets related to the non-implemented controls being sent to treatment, this person will also be assigned coordinator of the treatment events. On the other hand, if different people were assigned as responsible for each asset, the person who sends the controls to treatment is assigned as coordinator of all treatment events being created.
17. In the Responsible field, select the person or group of people assigned to perform activities and update information on the event. By default, if the same person was assigned as responsible for all assets related to the non-implemented controls being sent to treatment, this person will also be responsible for the treatment events. On the other hand, if different people were assigned as responsible for each asset, the person who sends the controls to treatment is assigned as responsible for all treatment events being created.
18. In the Involved field, select the person or group of people who will be formally involved in the event while it takes place. Keep in mind that the people or groups chosen here will be involved in all the events being created.
Note: Event Coordinator, Event Author, Responsible for Event, and Involved in Event are access control roles. Those assigned to these roles will automatically inherit permissions in their respective events. Keep in mind that you can restrict list of members who can be included in these roles through the Roles Restrictions section of the Administration module. If role assignment is restricted for the event type selected, only the people or groups included in the list of members can be assigned to these roles. For details, see Chapter 17: Administration -> Access Control -> Access Control Concepts and Chapter 17: Administration -> Access Control -> Role Restrictions.
19. When finished, click Treat to send the risks to treatment.
The system displays a success message and returns to the list of non-implemented controls. The author of the events will receive a notification in the Home module indicating that events were successfully created in the Workflow module. At this point, the event code for each non-implemented control being treated is listed in the History column and in the Treatment tab (see figure below). Note that events can only be managed from the Workflow module, though their status and progress can be monitored through the Treatment tab.
Note 1: When controls are sent to treatment, the assets related to them are associated with the events and can be viewed through the Associations tab of each. Any business components that were associated with these assets will also be associated with the events.
Note 2: There is an important correlation between the status of a treatment event and the status of the associated risk, indicated in the table below:
Treatment Event Status |
Effect on Associated Risk |
Closed |
The risk that was before considered Being Treated in the Evaluation and Treatment tabs is then considered Treated. |
Cancelled |
The risk that was before considered Being Treated in the Evaluation and Treatment tabs is then considered Not Evaluated in both tabs. Note that cancelled events cannot be reopened, while closed events can. |
Reopened |
If a treatment event is reopened, the risk that was before considered Treated in the Evaluation and Treatment tabs returns to Being Treated. |