Overview
ZenGRC provides an extended workflow that automatically triggers the creation of tasks on certain risk, threat, and vulnerability actions, such as status transitions and risk thresholds. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:
- To gather feedback and promote awareness between risk stakeholders.
- To describe the work that needs to be done for the appropriate assignees.
- Alternatively, they can simply be canceled without creating the task.
Note: Risk objects follow a different status setup from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.
Workflow
Since tasks provide email notifications for completing an assignment, they can play a powerful role in your risk object management plan. You can use them to request information from multiple users, thereby allowing information gathering and review in between your risk statuses.
The following graphic displays an example of a risk workflow; the green dot between statuses is where tasks are triggered. A larger version of the workflow with all risk statuses is at Risk Management Statuses.
The following outlines when and how tasks are triggered in the risk workflow:
- To trigger the creation of a new task, the risk must be in one of the following statuses:
- Assessed
- Remediate
- In Remediation
- Once the risk is in one of the above statuses, an actionable drop-down displays with the following selections:
- Accept
- Avoid
- Transfer
- Remediate
- A new task displays immediately after a status in the actionable drop-down is selected. All risk owners can transfer statuses through the drop-down, but only administrators receive the task pop-up, since only they can create and delegate tasks. It may be worth reviewing the roles of risk owners should you wish for them to use this part of the workflow.
- Task details are automatically populated from the templates.
- A task can be cancelled without interrupting the workflow.
- If a decision is already made about a risk, you can quickly transfer it to one of the final steps (Accepted, Avoided, Transferred, or Closed) by using the Status drop-down in the top right. However, this does not trigger a task, and it overrides the prescriptive workflow of the actionable drop-down.
How Tasks Are Triggered in Your Threat or Vulnerability Workflow
Tasks for threats and vulnerabilities are used in the same manner as risks. However, there is only one status selection that triggers the automatic creation of a task. Please see documentation under Following the Threat and Vulnerability Workflows.
Customizing Task Templates for Your Workflows
The task templates contain text and variables determined by ZenGRC experts, and they are added to the three default workflow groups. However, the templates can be altered to suit your organization's needs, and once they are triggered, the resulting tasks can be adjusted further if needed.
Workflow Groups
Selecting a workflow group shows all the steps involved in that group. The pre-populated groups include:
- Risk Workflow
- Threat Workflow
- Vulnerability Workflow
However, an unlimited number of workflow groups can exist in your instance. To add a workflow group, click the "Create workflow" button on the left side, below the existing workflow groups.
To rename a group, hover over the group title and click the pen icon next to it.
To delete a group, click the trashcan icon next to the title. Keep in mind that deleting a workflow group will also delete all of the existing steps located in that group.
Workflow Steps
An unlimited number of workflow steps can exist in each group. To add a workflow step, click the "Add step" button on the bottom left side of the page, below the existing workflow steps.
To rename a step, hover over the step title and click the pen icon next to it.
To delete a step, click the trashcan icon next to the toggle switch on the right.
Setting Up a Step
Steps can be added to each workflow group. Each step is composed of the setup fields and the object template fields. The setup fields involve the following:
- Object - Specifies which object activates the step.
- Event - Specifies what triggers the step activation.
- Outcome - Specifies the event's result.
- Action - Specifies the object template that is created.
Modifying the Setup Fields
- Object - The currently available objects (for which custom workflows can be created) are Risks, Threats, Vulnerabilities, Issues, and Controls.
- Event - For all objects, the Status transition option is available, while Risk objects also have a Threshold reached option:
- Status transition - If the object is transferred using the actionable button, the task template is triggered.
- Threshold reached - When a risk score is calculated and the score reaches the value defined in the Outcome field, the task template is triggered.
- Outcome - Depending on the Event setup field, the options are the status transition actions or the risk score thresholds.
- Action - Currently, creating a task is the only available action.
Info: The ZenGRC objects that can be used in the current workflow feature are listed under Object above. The ZenGRC objects that will be available from December 8th include:
Altering the Templates
To review or alter the templates, complete the following steps:
- Click Settings | Workflows. (Prior to July 2020, these existed on the Tasks tab on the Risk Settings page.)
- Select a workflow group in the left column and click the arrow icon next to the step title to display the template's editable fields. Currently, there are templates for risks, threats, and vulnerabilities.
- In the template, variables (highlighted in red in the product screenshot) pull associated risk information into the generated task. See Using Variables in the next section.
- If there are personnel who always review tasks at certain stages, add them to the Assignees, Reviewers, or Verifiers fields. The fields can be altered when the task is generated.
- Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
- Click Save at the bottom of the page. This saves changes to all steps in this group.
Using Variables
The template Title and Description fields can hold variables, which automatically insert information from the risk, threat, or vulnerability objects into the task to reduce mistakes and misinformation.
The four variables include:
- %object_title% - Populates the object's title into the title of the task.
- %object_description% - Populates the object's description into the task.
- %object_url% - Used only in the Description field. It provides a link to the main object to which the task is mapped, making it easier to navigate to the required object.
- %object% - Used only in the Related Object field. It provides a direct link to the risk being transferred to the new status and cannot be deleted or changed.
To add a variable into the Title or Description fields, click the blue plus-circle when editing the field, and then select one of the variables from the dropdown. The selected variable will be automatically added to the previous position of the cursor.
Enabling and Disabling the Workflow Steps
By default, all steps are enabled. They can be easily disabled without deleting content by selecting the Enabled toggle located in the top right of each step.
Rearranging the Steps
The step order can be rearranged by dragging the handle in the middle of the block. The step order has no impact on when the tasks are triggered.
Following the Risk Workflow
ZenGRC provides a suggested workflow using statuses that can be viewed at Risk Management Statuses. This workflow begins with Draft and Identified statuses.
The risk must first be assessed prior to activities such as avoidance or mitigation.
Assessing the Risk
Once a risk is in an Identified status, the following workflow can then be followed:
On the risk, click the Assess button below the risk name. (This changes to the actionable drop-down after the click.)
Remediating the Risk
After a risk is placed in an Assessed status, the following workflow can be used when Remediate is selected in the actionable drop-down:
Click the Start Remediation button below the risk name. (This changes to the actionable drop-down after the click.)
Accepting the Risk
After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Accept is selected in the actionable drop-down:
- A new task displays and is populated with information from the Accept template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
- The risk name populates the task Title field where the variable was placed in the template.
- Alter the task as needed and click Save.
- The risk changes to Accepting (even if the task is cancelled).
- The newly created task displays in the risk's Mapped Objects tab.
- If the task assignee has conditions required before the risk can be accepted, they must be noted in the task prior to acceptance.
- Once all steps are taken, the task assignee or the risk owner clicks Complete Acceptance in the risk.
- The risk and the task can then be closed.
Avoiding the Risk
After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Avoid is selected in the actionable drop-down:
- A new task displays and is populated with information from the Avoid template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
- The risk name populates in the task Title field where the variable was placed in the template.
- Alter the task as needed and click Save.
- The risk status changes to Avoiding.
- The newly created task displays in the risk's Mapped Objects tab.
- The task assignee needs to document how activities leading to the risk will now be avoided.
- Once all steps are taken, the task assignee or the risk owner then clicks Complete Avoidance in the risk.
- The risk and the task can then be closed.
Transferring the Risk
After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Transfer is selected in the actionable drop-down:
- A new task displays and is populated with information from the Transfer template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
- The risk name populates in the task Title field where the variable was placed in the template.
- Alter the task as needed and click Save.
- The risk status changes to Transferring (even if the task is cancelled).
- The newly created task displays in the risk's Mapped Objects tab.
- The task assignee must document confirmation that the risk has been successfully transferred, along with to whom and/or what department.
- Once all steps are taken, the task assignee or the risk owner clicks Complete Transfer in the risk.
- The risk and the task can then be closed.
Following the Threat and Vulnerability Workflows
ZenGRC provides suggested threat and vulnerability workflows. These workflows each have one status where a task is automatically triggered.
Identifying the Threat or Vulnerability
After a threat or vulnerability is placed in a Draft status, the following workflow can be used:
Click Identify.
The object now follows the workflow found at Risk Management Statuses. Note that for threats and vulnerabilities, the only task template triggered is after clicking Identify in the first step.
Warning and Error Indicators
Both groups and steps have a small notification circle next to their titles. The colours are interpreted as follows:
- If the circle is gray - everything is done correctly
- If the circle is yellow - the changes haven't been saved yet
- If the circle is red - there is an error in the group or step, and it needs to be fixed before the changes can be saved
Workflow Limitations
There are certain limitations to workflow groups and steps. These need to be taken into account for the workflows to function correctly.
- All groups and steps need to have a title defined
- Multiple groups can't be named exactly the same
- Two steps can't have the setup fields defined exactly the same (even if the steps are nested in different groups)
Following the Workflow
Status Transition
To trigger one of the steps defined through a status transition, the status change needs to be completed through the actionable button located below the object title.
Threshold Reached
To trigger one of the steps defined through a risk score threshold, the specified risk score needs to be calculated on the risk info page → risk scoring tab. When the specified score is calculated, and the result fits in with the predefined threshold, then the task is created.
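The following is a constructed Python model of the rules this page describes (an added illustration, not ZenGRC's own code or API): a step's Object, Event and Outcome setup fields, the Enabled toggle, the Workflow Limitations reported as errors, and task creation with template variables. It assumes objects are plain dicts with `type`, `title`, `description` and `url` keys and that thresholds are stored as strings; it shows that a status changed through the top-right Status drop-down bypasses the steps, while the actionable button and a reached score threshold create pre-filled tasks.

```python
from dataclasses import dataclass  # constructed illustration of this page's rules, not ZenGRC's code

@dataclass(frozen=True)
class Step:
    title: str
    obj: str          # "Risk", "Threat", "Vulnerability", "Issue" or "Control"
    event: str        # "Status transition" or "Threshold reached"
    outcome: str      # action (e.g. "Accept") or a risk-score threshold
    task_title: str
    task_description: str
    enabled: bool = True   # the Enabled toggle on each step

def validate(groups: list[tuple[str, list[Step]]]) -> list[str]:
    """Report the errors (red circle) that the Workflow Limitations describe."""
    errors, seen = [], set()
    if len({t for t, _ in groups}) != len(groups):
        errors.append("duplicate group title")
    for title, steps in groups:
        if not title:
            errors.append("group without title")
        for s in steps:
            if not s.title:
                errors.append("step without title")
            key = (s.obj, s.event, s.outcome)  # Action is always "create task"
            if key in seen:
                errors.append(f"duplicate setup fields {key}")
            seen.add(key)
    return errors

def render(template: str, obj: dict, allow_url: bool) -> str:
    """Fill template variables; %object_url% is valid only in the description."""
    out = template.replace("%object_title%", obj["title"])
    out = out.replace("%object_description%", obj["description"])
    return out.replace("%object_url%", obj["url"]) if allow_url else out

def fire(groups, obj: dict, event: str, value, via_actionable=True) -> list[dict]:
    """Tasks created by one event; the top-right Status drop-down skips the steps."""
    if event == "Status transition" and not via_actionable:
        return []
    tasks = []
    for s in (s for _, steps in groups for s in steps if s.enabled):
        if s.obj != obj["type"] or s.event != event:
            continue
        hit = s.outcome == value if event == "Status transition" else float(value) >= float(s.outcome)
        if hit:
            tasks.append({"title": render(s.task_title, obj, False),
                          "description": render(s.task_description, obj, True),
                          "related_object": obj["title"]})   # %object%: fixed link
    return tasks
```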