Scope an Assessment in Security Risk Management

Users in the Security Risk Team user group must scope an assessment to define which security compliance frameworks, sections, sub-sections, or requirements should be assessed (e.g., sections from the Anti-Money Laundering framework). Assessments should be scoped at the time of creation, but they can also be scoped afterwards from the Assessments: Plan, Launch & Monitor activity or from the My Tasks page.
An assessment in need of scoping on the My Tasks page.

To scope an assessment:

  1. Log in to a user account from the Security Assessment Team user group.

  2. Create a security risk assessment.

  3. Click Scope.
    The Scope button on an assessment.
  4. Select one or more compliance frameworks as the focus of your assessment by clicking Add.
    A list of available security compliance frameworks.
  5. If needed, refine the frameworks further by using one or more of the following default filters in the left-side Filters pane: 
    • Name: Filters which frameworks display based on their Name. When entering keywords in this field, press Enter on your keyboard to apply the filter.
    • By Assessment Type: Filters results by object type or assessment type. 
    • By Dimension: Gives assessment context (e.g., Business Unit).
    • By Description/Unique ID: Filters objects and instances by their Description and Unique ID properties.
    • By State: Filters objects and instances by workflow state, including states from other assessment workflows.
    • Other: Additional filters based on plain text fields, select lists, and multi-select lists added to the focus object type in the assessment. When entering keywords in a text field filter, press Enter on your keyboard to apply the filter. 
  6. To remove any unneeded filters, click the beside the filter in the Filter Selection field.
    Removing unneeded filters from the Filter Selection field.
  7. To add an instance to the assessment, click the Assessments link below an object, then click Add. For more information about an instance, hover your cursor over the ellipsis beside the record. 
    Clicking the Assessments link below an object will display any instances, which can then be added to the assessment.
    If an object has not been previously assessed, it will not have any instances and the Assessments link will be hidden.
  8. Remove any unneeded objects or instances by clicking Remove From Scope beside that object or instance.
  9. Click the green banner at the bottom of the page to display the Assessment Navigation form.
    The Assessment Navigation form.
  10. Click the  icons in the tree to expand the nodes and display any scoped relationships or references to the sections and sub-sections. 
  11. Click the section and sub-section names in the tree to review them and any applicable requirements in the palette.
  12. Deselect the checkboxes beside objects to remove them from the scope. 
    • By default, all objects and their relationships or references are selected.
    • Deselecting an object in an upper node will automatically deselect the objects in the nodes immediately below it.
      Instances cannot be deselected from the scoping form. To remove instances from the scope, click the green banner at the top of the page, then click Remove From Scope beside the instances in the Assessments sections.
  13. To filter which objects are displayed in the tree, click the  icon, then the Select object type to filter tree with dropdown menu to show the plain text, select list, and property filters available for that object type.
  14. To hide the filters, click the  icon.
    The Filters menu.
  15. Click Confirm Scope, then click Yes to confirm and launch the assessment. 
    • If you created the assessment, then accessed it later from a view, click Yes to display the selected form for that view.
    • Otherwise, the form used to originally create the assessment will be displayed.
      The Please Confirm dialog.