Controls Details
The form is divided into several sections, in which you can define the following fields:
General Data
Name: Identifies the name of the control that will be shown in the table below.
Control: Identifies the control of the Statement of Applicability (SOA) to which it is associated.
Supervisor: Identifies the person within the organization responsible for verifying the implementation of the control within the defined deadlines. This person can be selected from the set of Employees (see the Management section).
Other Supervisor: Identifies the person within the organization responsible for verifying the implementation of the control within the defined time frames. This person can be entered as free text.
Resources: It identifies the resources or organizational departments which will be involved in the implementation of the control.
Term: It identifies the period within which the control should be implemented in the organization.
Associated cost: You can define the cost of the implementation for the organization.
Comments: You can indicate any additional comment associated with the control.
Observations: You can indicate any additional annotation associated with the control.
General Valuation of the Control
It allows you to assess the dimensions of the control that have been configured to be displayed on the Balanced ScoreCard. View Control Methodology.
Indicators of the Control
It allows you to associate one or several indicators defined in the 'ScoreCard/Indicators' section.
Actions associated with the control
It allows you to define the necessary actions to implement the control by clicking on the 'New' button. This action generates a new entry in the table on which you can define the following parameters:
Name: It allows you to identify the name of the action by clicking twice on the cell.
Supervisor: Identifies the person or department within the organization responsible for verifying the completion of the action within the defined time frame.
Resources: It identifies the resources or departments involved in the implementation of the action.
Term: Identifies the period within which the action must be completed. This period should not exceed the period of final implementation of the control.
To remove an action, select the row or rows and click on the 'Remove' button.
Threats associated with control
Displays the list of threats in the above table to which the control is associated, including the risk level and its type. To disassociate the control, select the row or rows and click on the 'Disassociate' button.
If the control methodology used is of the "By Threat" type, the effectiveness assessment that the control has for each threat can be reviewed and modified. The "By Threat" check is set to Yes when the assessment is specific to that threat; otherwise, the threat appears as one that does not have a specific assessment, and the general assessment of the control is applied to it.
Associated Assets
This section is displayed when the control methodology is defined as the 'By Asset' type. View Control Methodology.
The main table of 'Associated Assets' displays the assets on which the control is applied. To disassociate the control from any of the assets, select the asset in the table and click on the 'Disassociate Asset' button.
You can also assign a supervisor for each asset by selecting it and clicking on 'Associate Supervisor'. In this case, a pop-up window is displayed to select the Employee to be assigned.
Likewise, the maturity or effectiveness of the control for each asset can also be assessed in a specific way.
Finally, when we select an asset, the following tables of 'Associated Indicators' and 'Associated Evidence' are loaded with indicators and control evidence for each asset, which are independent of the indicators and general evidence of the control.
Related Assets
Displays the list of assets that are affected indirectly by the control. Those assets are the assets identified in the previous section (‘Threats associated with control’). The dependencies are defined in the section ‘Analysis/Asset Inventory’.
Expand: Expand all the list of controls.
Collapse: Collapse the list of controls.
Evidences associated with the control
It allows you to associate evidence with the treatment plan (or control) being defined. To do this, click the "Associate Evidence" button to open a pop-up window that contains all the evidence recorded in "Evidence Management" in the "Analysis" menu. From there you can associate one or several items of evidence from the list.
Automatic notifications
It allows enabling the sending of notifications to the person in charge of the control, or to those responsible for the actions of the control, depending on which fields are marked.
Alerts are sent when:
An employee is assigned as responsible for the control or for an action
One week before the deadline
When the deadline is reached
In the successive weeks after the deadline
These alerts will be sent as long as the actions are not in a 100% completed state, from among the states defined in Configuration > Items Methodology (Risk Management Control Levels / Adaptation Plan).
Compliance
In this table, you can check which compliance requirements are related to the control. You can also access the linked Compliance assessment through the link.