Overview

Weighting-specific best practices:


When a questionnaire is created to discover risky business practices or find immature security policies, you can "weight" responses to automatically calculate risk when the response is returned. Potential risks are then placed into three categories (low, medium and high) depending on the "weight", or number, given to an answer. The higher the number, the higher the risk calculation.

Weighting a Questionnaire


We recommend keeping weighting simple. And, since ZenGRC calculates certain numbers for you, it's best to finish weighting all questions prior to calculating low, medium and high thresholds.

IMPORTANT: Questionnaire weighting can be done in any manner your organization chooses. This section documents two ways to weight in order to show how the functionality works.

Turning on Weighted


To make a questionnaire weighted, complete the following steps:

  1. Click the Weighted toggle. Green indicates weighting is on in the questionnaire.
  2. Select the question in the main window to display available configurations in the right-hand panel.

TIP: Sometimes the right-hand panel to weight a survey is difficult to display. If a question is highlighted, click away from the questionnaire, such as in the scroll bar, then select a question again.

First Way to Weight a Questionnaire


This example rates all questions a 1, with incremental multipliers differentiating the riskiest responses.

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter 1 in the Weight box for the question itself. This applies to every question in your survey.
  2. For multiple choice questions, enter a number for each option in the Multiplier box, starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk, as follows:
      1. The highest risk answer, which is Non-Existent Capability in the example, receives a multiplier of 6. (Question weight of 1 x multiplier of 6 = risk score of 6). This means great risk is identified.
      2. The lowest risk answer, which is World-class program in the example, receives a multiplier of 1. (Question weight of 1 x multiplier of 1 = risk score of 1). This means low risk is identified.
  3. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.


Second Way to Weight a Questionnaire

This example only adds weight to the most important radio button and checkbox questions. It leaves all others with a 0 weight. Weighting these questions provides some pre-determinations to discover risky business practices or find immature security policies; responses to the other questions need to be evaluated by your organization to decide risk.

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter a number between 1 and 10 in the Weight box, with 1 being the least impact and 10 being the most impact. This is for the question itself and only applies to radio buttons and checkboxes.
  2. For the individual answers, review the following:
      1. For each multiple choice option, enter a number in the Multiplier box, starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk, as follows:
          1. The highest risk answer, which is "Non-Existent. No defined information security program" in the example, receives a multiplier = 2. (Question weight of 5 x multiplier of 2 = risk score of 10). This means great risk is identified.
          2. The medium risk answer, which is "Ad-hoc. Some documented processes to capture infosec compliance" in the example, receives a multiplier = 1. (Question weight of 5 x multiplier of 1 = risk score of 5). This means some risk is identified.
          3. The low risk answer, which is "World class. Compliant with numerous infosec frameworks" in the example, receives a multiplier = 0. (Question weight of 5 x multiplier of 0 = risk score of 0). This means no risk is identified.
      2. For each Yes/No or True/False question, enter a number of 0 or 1 in the Multiplier box. By multiplying the weight x 0, no weight is applied, meaning this answer indicates no risk to your organization. By multiplying the weight x 1, the weight is applied, meaning this answer indicates risk to your organization.
  3. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.

Determining Mid and High Risk Thresholds

No matter which way you decided to weight your questionnaire, the calculation for the mid- and high-risk thresholds is the same. To access and rate the thresholds, complete the following steps:

  1. Click away from the highlighted question and then click any question again to display the right-hand panel where thresholds are calculated.
  2. Use the auto-calculated Min score and Max score displayed in the panel to establish the thresholds, which need to be decided by your organization.
  3. In the panel, ZenGRC automatically calculates the Min score and Max score numbers by multiplying the weight and multiplier on each question and adding all questions together. Calculations are completed as follows:
      1. Min score = individual question weight x lowest multiplier (1 x 1 = 1). Then the sum of all questions is added = Min score.
      2. Max score = individual question weight x highest multiplier (1 x 6 = 6). Then the sum of all questions is added = Max score.
  4. The Mid Risk Threshold box contains the number where the overall risk rating goes from low to medium risk. It is determined by you; however, it can be calculated as follows: the threshold needs to be greater than the Min score. So, following the example, enter a number of 16 or higher in the Mid Risk Threshold box. When the calculated questionnaire responses reach this number, the questionnaire rating goes from low to medium risk.
  5. The High Risk Threshold box contains the number where the overall risk rating goes from medium to high risk. It is determined by you; however, it can be calculated as follows:
      • Max score - Min score (90 - 15 = 75)
      • Divide that by two (75 / 2 = 37.5)
      • Add the Min score (37.5 + 15 = 52.5)
      • The High Risk Threshold must be greater than 52.5.
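As an added example (this is not ZenGRC's own code, and the questionnaires in it are constructed samples), the following Python models the weighting arithmetic described on this page for both the first and the second way of weighting: it computes the Min score and Max score, derives mid and high thresholds the way the steps above do, and rates a set of responses as low, medium or high. The option labels and weights in the samples are assumptions chosen to reproduce the page's Min score of 15 and Max score of 90.

```python
# Added example (not ZenGRC's own code): the weighting and threshold arithmetic
# described on this page, run over constructed sample questionnaires.
import math
from dataclasses import dataclass

@dataclass
class Question:
    """A question's weight and the multiplier assigned to each answer option."""
    text: str
    weight: int
    multipliers: dict  # answer label -> multiplier

    def score(self, answer):
        return self.weight * self.multipliers[answer]  # weight x multiplier

def min_max_scores(questions):
    """Min/Max score: weight x lowest/highest multiplier per question, summed."""
    lo = sum(q.weight * min(q.multipliers.values()) for q in questions)
    hi = sum(q.weight * max(q.multipliers.values()) for q in questions)
    return lo, hi

def suggested_thresholds(questions):
    """Mid: first whole number above Min score.
    High: first whole number above (Max - Min) / 2 + Min."""
    lo, hi = min_max_scores(questions)
    midpoint = (hi - lo) / 2 + lo
    return lo + 1, math.floor(midpoint) + 1

def rate_responses(questions, answers, mid_threshold, high_threshold):
    """Total the response scores and map the total to low / medium / high."""
    total = sum(q.score(answers[q.text]) for q in questions)
    if total >= high_threshold:
        return total, "high"
    if total >= mid_threshold:
        return total, "medium"
    return total, "low"

# First way (constructed sample): 15 questions weighted 1, six maturity
# options multiplied 1..6, giving Min score 15 and Max score 90 as on the page.
MATURITY = {"World-class program": 1, "Optimized": 2, "Managed": 3,
            "Defined": 4, "Initial": 5, "Non-Existent Capability": 6}
FIRST_WAY = [Question(f"Q{i}", 1, MATURITY) for i in range(1, 16)]

# Second way (constructed sample): weight 1-10 on key radio/checkbox questions,
# multipliers 0/1/2, 0 or 1 for Yes/No, and weight 0 on questions rated by hand.
SECOND_WAY = [
    Question("Infosec program", 5, {"World class": 0, "Ad-hoc": 1, "Non-Existent": 2}),
    Question("Annual pen test?", 8, {"Yes": 0, "No": 1}),
    Question("Describe your DR plan", 0, {"(free text)": 0}),
]
```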