Once an assessment has been launched, members of the Security Audit Fieldwork user group can access it and either complete each of its requirements or attach issues and corrective actions. Once the fieldwork has been finalized, the assessment is sent to the Review workflow state to be closed by a member of the Security Assessment Team user group. If it was set to be recurring, it will be reassigned to the same auditor in the Fieldwork phase on the date set in its Expected Start Date field next year. GS: I couldn't find the framework workflow, but is this correct?
All assigned assessments appear on the My Tasks page. GS: The Fieldwork and Review form only appeared when I was a member of the Security Assessment Team user group. Using just the Security Audit Fieldwork user group gave me a read-only form. Is the user expected to belong to both user groups?
While the steps below explain how to close an assessment in one sitting, it is likely that most assessments will take several days to complete.
To complete an assessment:
Log in to a user account that's been added to the Security Audit Fieldwork user group to display the My Tasks page.
Click an assessment in the Fieldwork workflow state to open the Fieldwork and Review page.
Optional: Click Audit Report to view a report summarizing the assessment, including the frameworks being used, requirements with findings, and issues attached to the assessment.
Optional: Click Issues Report to view a report summarizing all the issues attached to the assessment.
Click Fieldwork Details to open the Fieldwork Details form.
Access the Requirement Assessment form for any of the outstanding requirements attached to the assessment using one of the following three methods:
Framework Tree: Use the navigation tree on the left-hand side of the screen to navigate to the desired requirement;
Outstanding Sub Topic Requirements (Grid): Display a data grid showing all currently incomplete requirements by topic and sub-topic. Click on a requirement to access it; or
Outstanding Requirements Report: An exportable report that lists each incomplete requirement attached to the assessment.
On the Requirement Assessment form:
From the Meets Requirement dropdown list, select whether the company meets the requirement or whether there are conditions that must be met.
Drag an image file to the Findings Photo fields, or click them, to add an image file to the requirement.
In the Issues section, an existing contributing issue can be added by clicking Add Existing Issue, typing its name in the search bar, and selecting it. To create a new issue from scratch, click + Create New and fill in the required fields. See the Review an Issue article for more detailed information on filling out this form. GS: I tried adding myself to a variety of user groups (the security assessment team, incident administrator, issue owner, and requirement owner (making sure I was assigned to the specific incident)) and the Issues section would not populate. Is this a problem with the form, the org I'm using, or is there something I'm doing wrong?
The Issues section only appears when the user has selected Yes With Conditions or No from the Meets Requirement dropdown list.
Optional: Add comments, as needed.
Once the company meets the requirements, or an issue has been added, click Complete.
Once all of the assessment's requirements have been marked as complete, return to the Fieldwork Details form and click Finalize Field Work to move the assessment into the Review workflow state. GS: Is this true, or is there a way to move the assessment to review if some of the requirements are not met?