Overview

...

When a questionnaire is created to discover risky business practices or immature security policies, you can "weight" responses so that risk is calculated automatically when the response is returned. Potential risks are then placed into three categories - low, medium and high - depending on the "weight" (the number) given to an answer. The higher the number, the higher the calculated risk.

Weighting a Questionnaire

...

We recommend keeping weighting simple, and, because ZenGRC calculates certain numbers for you, it is best to finish weighting every question before calculating thresholds.

IMPORTANT: Questionnaire weighting can be done in any manner your organization chooses. This section documents two ways to weight in order to show how the functionality works.

Turning on Weighted

...

To make a questionnaire weighted, complete the following steps:

  1. Click the Weighted toggle. Green indicates weighting is on.

     TIP: Sometimes the right-hand panel to weight a survey is difficult to display. If a question is highlighted, click away from the questionnaire, such as in the scroll bar, then select a question again.


First Way to Weight a Questionnaire

...

This example rates all questions a 1, with incremental multipliers differentiating the riskiest responses.

...

  1. Enter a 1 in the Weight box for the question itself. This applies to every question in your survey.
  2. For multiple choice questions, enter a number for each option in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
    1. The highest risk answer, which is Non-Existent Capability in the example, receives a multiplier of 6. (Question weight of 1 x multiplier of 6 = risk score of 6). This means great risk is identified.
    2. The lowest risk answer, which is World-class program in the example, receives a multiplier of 1. (Question weight of 1 x multiplier of 1 = risk score of 1). This means low risk is identified.

  3. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.

Second Way to Weight a Questionnaire

...

This example adds weight only to the most important radio button and checkbox questions and leaves all others at a weight of 0, because responses to those other questions need to be evaluated by your organization to decide the risk.

...

  1. Enter a number between 1 and 10 in the Weight box with 1 being the least impact and 10 being the most impact. This is for the question itself and only applies to radio buttons and checkboxes. For the individual answers, review the following:
    1. For each multiple choice option, enter a number in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
      1. The highest risk answer, which is "Non-Existent. No defined information security program" in the example, receives a multiplier of 2. (Question weight of 5 x multiplier of 2 = risk score of 10). This means great risk is identified.
      2. The medium risk answer, which is "Ad-hoc. Some documented processes to capture infosec compliance" in the example, receives a multiplier of 1. (Question weight of 5 x multiplier of 1 = risk score of 5). This means some risk is identified.
      3. The low risk answer, which is "World class. Compliant with numerous infosec frameworks" in the example, receives a multiplier of 0. (Question weight of 5 x multiplier of 0 = risk score of 0). This means no risk is identified.

    2. For each Yes/No or True/False question, enter 0 or 1 in the Multiplier box. Multiplying the weight by 0 applies no weight, meaning the answer indicates no risk to your organization. Multiplying the weight by 1 applies the full weight, meaning the answer indicates risk to your organization.
  2. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.
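As an added example (not ZenGRC code), the weight x multiplier rule from both ways above, scored over a whole questionnaire and bucketed into low/medium/high. The questions, option labels and answers are constructed, and the mid and high thresholds are assumed caller-supplied inputs because this page does not describe how ZenGRC derives them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    text: str
    weight: int        # 1 for every question in the first way; 0-10 in the second, 0 = not auto-scored
    multipliers: dict  # option label -> multiplier; the highest multiplier marks the riskiest answer


def score_answer(question: Question, chosen: str) -> int:
    """Risk score for one answer: question weight x option multiplier."""
    if chosen not in question.multipliers:
        raise ValueError(f"{chosen!r} is not an option of {question.text!r}")
    return question.weight * question.multipliers[chosen]


def score_questionnaire(questions, answers: dict) -> int:
    """Total risk score over every answered question (unanswered questions contribute 0)."""
    return sum(score_answer(q, answers[q.text]) for q in questions if q.text in answers)


def risk_category(total: int, mid_threshold: int, high_threshold: int) -> str:
    """Bucket a total into low/medium/high; thresholds are assumed inputs, not ZenGRC's calculation."""
    if mid_threshold > high_threshold:
        raise ValueError("mid threshold must not exceed high threshold")
    if total >= high_threshold:
        return "high"
    if total >= mid_threshold:
        return "medium"
    return "low"


# First way (constructed): every question weighted 1, multipliers 1..6.
MATURITY = Question("Information security program maturity", 1, {
    "World-class program": 1, "Optimized": 2, "Managed": 3,
    "Defined": 4, "Initial": 5, "Non-Existent Capability": 6})

# Second way (constructed): only the key radio/checkbox questions carry weight.
PROGRAM = Question("Information security program", 5, {"World class": 0, "Ad-hoc": 1, "Non-Existent": 2})
IR_PLAN = Question("Do you have an incident response plan?", 8, {"Yes": 0, "No": 1})
FREE_TEXT = Question("Describe your patching process", 0, {"answered": 1})  # weight 0: reviewed by a person

if __name__ == "__main__":
    answers = {PROGRAM.text: "Ad-hoc", IR_PLAN.text: "No", FREE_TEXT.text: "answered"}
    total = score_questionnaire([PROGRAM, IR_PLAN, FREE_TEXT], answers)
    print(total, risk_category(total, mid_threshold=5, high_threshold=10))  # prints "13 high"
```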

Determining Mid and High Risk Thresholds

...

No matter which way you weight your questionnaire, the calculation for the mid- and high-risk thresholds is the same. To access and rate the thresholds, complete the following steps:

...