Teamwork makes the dream work - an annoyingly accurate cliche we’ve repeatedly heard over the years from sports fields to corporate offices. It’s a phrase that holds especially true when it comes to compliance. Compliance takes more than a team; it takes a village - a village of analysts, managers, auditors, vendors, executives, and even board members. Each plays an invaluable role in risk management, making it imperative that the tools they use accommodate handoffs and a certain degree of collaboration.
With this in mind, our most recent release focuses on expanding access to features like the risk register, collecting and communicating additional assessment details, and tailoring how information is presented within the platform to make tasks easier for certain roles.
Keep reading below to see which dreams we’ve turned into a reality this April.
Featured Updates:
Security is a team effort, right? We know it’s important to bring your friends and family (okay, maybe just your authorized co-workers) in on the fun, so our cyber security software update brings team access to the Risk Register tab in CyberStrong. Once a team is granted access to a risk register dashboard, all members of that team will have the ability to create, edit, and delete risks within that dashboard.
To grant teams access to an existing risk register dashboard, follow the guidance outlined below:
To grant teams access to a new risk register dashboard, follow the guidance outlined below:
Note: When associating controls with a risk, users will only be able to view and select controls from assessments they have access to. For example, an Administrator within an environment will have more controls to choose from than a manager or collaborator who only has access to select assessments.
Have you ever noticed that for every important activity, there’s typically a form you have to fill out before you can actually do the activity? Doctor visits, car rentals, online purchases, risk assessments - it’s forms galore out there. Or, if you’re used to working with spreadsheets to conduct assessments, you’re familiar with that extra tab at the beginning of the sheet where you have to identify the name, location, criticality, and a hundred other criteria associated with the asset you’re about to assess.
We call this information ‘assessment metadata’ - and until now, there wasn’t an ideal place to house this information within CyberStrong. Now, Administrators can define metadata fields at the framework level and make them available to other Administrators and Managers to populate when an assessment leveraging that framework is created.
To define new metadata fields for a particular framework, follow the guidance outlined below:
Note: At this time, once a metadata field has been created, it cannot be edited or deleted via the interface. If you need to edit/delete a metadata field, please contact your Customer Success Manager.
To create a new assessment, populate the metadata fields, and see how they would appear on an assessment, please follow the guidance outlined below:
Once you have created the assessment, you will be taken to the Assessment Dashboard. The metadata fields for the assessment can be found at the top of the dashboard, below the Project Completion Status Bar.
To edit the metadata fields of an existing assessment, follow the guidance outlined below:
Once you click ‘Update Assessment’, you will be taken back to the Manage Assessments page. To see the results of your changes, click the name of the assessment you just edited to navigate to the Assessment Dashboard.
Note: If you are crosswalking from a framework that has metadata, the metadata will not carry over to the new assessment. If you are crosswalking from a framework that does not have metadata to a framework that does have metadata, you will be prompted to populate the metadata fields on the final step of the crosswalking process.
Struggling with users not knowing where to put their evidence or each user putting it somewhere different? Easter egg hunts are fun (especially when you’ve got a relative that hides $20 bills), but if you’re anything like my family, you also know the pain of searching for that last egg that mom swears is out there, but she can’t remember where she put it and no one can find it.
When it comes to your risk assessments, the stakes are typically a bit higher than a $20 bill, so to make your life easier, we’ve created a map for your hunt! Now, when creating an assessment, Administrators and Managers can designate where they want users to store their evidence. This location will appear as a URL at the top of the evidence tab for each control and will take users directly to the designated evidence repository when clicked. No rotten eggs hidden in trees this year!
To designate a Document Storage Location, follow the guidance outlined below:
Once you have created the assessment, you will be taken to the Assessment Dashboard. To view the Document Storage Location, follow the guidance outlined below:
To log evidence stored within the designated Document Storage Location within CyberStrong, follow the guidance outlined below:
Audits are a lot like divorces. They’re long, painful, and expensive. If you want to keep your house, you can’t really skip steps. But what if you could expedite the steps? Loophole!
Unfortunately, there’s no easy button for divorces (add that to Staples’ to-do list), but there is a fast pass for audits! Cue the Questions List. Say goodbye to obnoxiously high hourly rates from auditors with our latest enhancements to the Questions List. With the addition of evidence to the Questions List, auditors and the like can get in and get out with minimal button clicks and page turns. For each control, users can now see underlying control actions, their current scores and target scores, annotations, and relevant linked evidence all on one page!
To view evidence within the Questions List, follow the guidance outlined below:
Within the evidence tab, you will be able to see the following for each piece of evidence associated with a control:
To review the artifact itself, click the link under the Location field to navigate to where the evidence is locally stored.
If you’re like us, the NIST CSF is your bread and butter. Those who know it, know it like the back of their hands. It’s one of the more versatile standards in the market; however, it’s not the only standard, and depending on your needs, there may be a framework out there that better fits the bill. When this happens, it can still be helpful to view the other framework through the lens of the CSF to better conceptualize the controls you’re working with. For this reason, we’ve made the controls list filterable by the CSF functions, categories, and subcategories.
To filter the controls list by the Cybersecurity Framework, follow the guidance outlined below:
So, you may be thinking, “ok, you made the lives of auditors and reviewers easier… big whoop. What about me - the actual end-user of the platform, the one in the system every day actually doing the work?”
Repeat after me, Dave Buznik. Goosfraba.
Rest assured, we’ve got a banana for that anger monkey.
Within the ‘My Controls’ tab, users can now add evidence and annotations directly to the controls / control actions assigned to them or that they’re collaborating on without having to navigate to another page. This allows users to quickly add responses across controls and assessments without getting bogged down in the other fields within a control’s Score tab - although that option still exists if in-the-weeds is more your style.
To add evidence and responses via the My Controls view, follow the guidance outlined below:
Once saved, your response will also appear on the Score tab of the control.