
Overview



ZenGRC provides an extended workflow that automatically triggers the ability to create tasks on certain actions, such as status transitions and risk thresholds. These tasks are pre-filled with information from customized templates maintained by your organization and can be used as follows:

  • To gather feedback and promote awareness between risk stakeholders.
  • To describe the work that needs to be done for the appropriate assignees.
  • Or, they can simply be canceled without creating the task.

IMPORTANT: Risk objects follow a different status setup from other ZenGRC objects. Statuses can be reviewed at Risk Management Statuses.



How Tasks Are Triggered in Your Risk Workflow


Since tasks provide email notifications for completing an assignment, they can play a powerful role in your risk object management plan. You can use them to request information from multiple users, thereby allowing information gathering and review in between your risk statuses.

The following graphic displays an example of a risk workflow; the green dot between statuses is where tasks are triggered. A larger version of the workflow with all risk statuses is at Risk Management Statuses.

The following outlines the functionality of when and how tasks are displayed in the risk workflow:

  • To trigger the creation of a new task, the risk must be in one of the following statuses:
    • Assessed
    • Remediate
    • In Remediation
  • Once the risk is in one of the above statuses, an actionable drop-down displays with the following selections:
    • Accept
    • Avoid
    • Transfer
    • Remediate



  • A new task displays immediately after a status in the actionable drop-down is selected. All risk owners can transfer statuses through the drop-down, but only administrators receive the task pop-up, since only they can create/delegate tasks. It may be worth reviewing the roles of risk owners should you wish for them to utilize this part of the workflow.
  • Task details are automatically populated from the templates.
  • A task can be cancelled without interrupting the workflow.
  • If a decision is already made about a risk, you can quickly transfer it to one of the final steps (Accepted, Avoided, Transferred, or Closed) by using the Status drop-down in the top right. However, this does not trigger a task, and it overrides the prescriptive workflow of the actionable drop-down.

How Tasks Are Triggered in Your Threat or Vulnerability Workflow

Tasks for threats and vulnerabilities are used in the same manner as risks. However, there is only one status selection that triggers the automatic creation of a task. Please see the documentation under Following the Threat and Vulnerability Workflows.


Customizing Task Templates for Your Workflows


The task templates contain text and variables determined by ZenGRC experts, and they are added to the three default workflow groups. However, the templates can be altered to suit your organization's needs, and once they are triggered, they can be adjusted further if needed.

How to Manage Workflow Groups

Selecting a workflow group shows all the steps involved in that group. The pre-populated groups include:

  • Risk Workflow
  • Threat Workflow
  • Vulnerability Workflow

However, an unlimited number of workflow groups can exist in your instance. To add a workflow group click the "Create workflow" button on the left side, below the existing workflow groups.


To rename a group, hover over the group title and click the pen icon next to it.


To delete a group, click the trashcan icon next to the title. Keep in mind that deleting a workflow group will also delete all of the existing steps located in that group.


How to Manage Workflow Steps

An unlimited number of workflow steps can exist in each group. To add a workflow step click the "Add step" button on the bottom left side of the page, below the existing workflow steps.


To rename a step, hover over the step title and click the pen icon next to it.


To delete a step, click the trashcan icon next to the toggle switch on the right.


Setting Up a Step

Steps can be added to each workflow group. Each step is composed of the setup fields and the object template fields. The setup fields involve the following:

  • Object - Specifies which object the step will activate.
  • Event - What triggers the step activation.
  • Outcome - Shows the event’s result.
  • Action - Specifies the object template that is created. In this beta release, these setup fields can't be modified, but that will change in upcoming releases.

Modifying the Setup Fields

  • Object - the currently available objects (for which custom workflows can be created) are Risks, Threats, Vulnerabilities, Issues, and Controls
  • Event - for all objects, the Status transition option is available, while Risk objects also have a Threshold reached option selectable:
    • Status transition - If the object gets transferred using the actionable button, the task template gets triggered
    • Threshold reached - When a risk score is calculated, and the score values reach the value defined in the Outcome field, the task template gets triggered
  • Outcome - based on the event setup field, the options can be the status transition actions or risk score thresholds
  • Action - currently, the option to create a task is the only available action
NOTE

The ZenGRC objects that can be used in the current workflow feature are:

  • Controls
  • Issues
  • Risks
  • Threats
  • Vulnerabilities

The ZenGRC objects that will be available from December 8th include:

  • Clauses
  • Contracts
  • Data Assets
  • Exceptions
  • Facilities
  • Incidents
  • Markets
  • Objectives
  • Org Groups
  • Policies
  • Processes
  • Products
  • Programs
  • Projects
  • Sections
  • Standards
  • Systems
  • Vendors


Altering the Templates

To review or alter the templates, complete the following steps:

  1. Click Settings | Workflows. (Prior to July 2020, these existed on the Tasks tab on the Risk Settings page.)
  2. Select a workflow group in the left column and click the arrow icon next to the step title to display the template's editable fields. Currently, there are templates for risks, threats, and vulnerabilities.
  3. The screenshot below highlights variables in red that pull associated risk information into the generated task. See Using Variables in the next section.
  4. If there are personnel who always review tasks at certain stages, add them to the Assignees, Reviewers, or Verifiers fields. The fields can be altered when the task is generated.
  5. Select Notify Assignee if the user in the Assignee field should be emailed when the task is saved. This only functions if you have instant notifications activated.
  6. Click Save at the bottom of the page. This saves changes to all steps in this group.

Using Variables

The template Title and Description fields can hold variables, which automatically insert information from the risk, threat, or vulnerability objects into the task to reduce mistakes and misinformation.

The four variables include:

  • %object_title% - Populates the object title into the title of the task.
  • %object_description% - Populates the object's description into the task.
  • %object_url% - Used only in the Description field. It provides a link to the main object to which the task is mapped, enabling easier navigation to the required object.
  • %object% - Used only in the Related Object field. It provides a direct link to the risk being transferred to the new status and cannot be deleted or changed.

To add a variable into the Title or Description fields, click the blue plus-circle when editing the field, and then select one of the variables from the dropdown. The selected variable will be automatically added to the previous position of the cursor.


Enabling and Disabling the Workflow Steps

By default, all steps are enabled. They can be easily disabled without deleting content by selecting the Enabled toggle located in the top right of each step.

Rearranging the Steps

The step order can be rearranged by dragging the handle in the middle of the block. The step order has no impact on when the tasks are triggered.


Following the Risk Workflow

ZenGRC provides a suggested workflow using statuses that can be viewed at Risk Management Statuses. This workflow begins with Draft and Identified statuses.

The risk must first be assessed prior to activities such as avoidance or mitigation.

Assessing the Risk

Once a risk is in an Identified status, the following workflow can then be followed:

  1. On the risk, click the Assess button below the risk name. (This changes to the actionable drop-down after click.)
  2. The status changes to Under Assessment and the risk scoring tab opens for scoring the risk.
  3. Select scoring options and click Calculate. During this status, we recommend only scoring inherent risks. If the risk goes to remediation, the residual risks can then be calculated.
  4. After calculating the scoring, click Complete Assessment under the risk name. The button becomes the actionable drop-down with selections to trigger task creation.
  5. The risk, now in an Assessed status, has the following selections in the drop-down:
    • Accept
    • Avoid
    • Transfer
    • Remediate

Remediating the Risk

After a risk is placed in an Assessed status, the following workflow can be used when Remediate is selected in the actionable drop-down:

  1. Click the Start Remediation button below the risk name. (This changes to the actionable drop-down after click.)
  2. The status changes to In Remediation and a new task displays using the Remediate template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  3. The risk name populates the task Title field where the variable was placed in the template.
  4. Alter the task as needed.
  5. Click Save and the risk changes to In Remediation (even if the task is cancelled).
  6. The newly created task displays in the risk's Mapped Objects tab.
  7. If the remediation involves putting new controls in place, the task assignee should map the controls to the risk in order to enable monitoring.
  8. The actionable button now displays Accept, Avoid and Transfer.
  9. Selecting any of these puts the risk into the same workflow as described in the scenarios below.
Accepting the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Accept is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Accept template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  2. The risk name populates the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk changes to Accepting (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. If the task assignee has conditions required before the risk can be accepted, they must be noted in the task prior to acceptance.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Acceptance in the risk.
  8. The risk and the task can then be closed.

Avoiding the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Avoid is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Avoid template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  2. The risk name populates in the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk status changes to Avoiding.
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee needs to document how activities leading to the risk will now be avoided.
  7. Once all steps are taken, the task assignee or the risk owner then clicks Complete Avoidance in the risk.
  8. The risk and the task can then be closed.

Transferring the Risk

After a risk is placed in an Assessed or In Remediation status, the following workflow can be used when Transfer is selected in the actionable drop-down:

  1. A new task displays and is populated with information from the Transfer template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  2. The risk name populates in the task Title field where the variable was placed in the template.
  3. Alter the task as needed and click Save.
  4. The risk status changes to Transferring (even if the task is cancelled).
  5. The newly created task displays in the risk's Mapped Objects tab.
  6. The task assignee must document confirmation that the risk has been successfully transferred, along with to whom and/or what department.
  7. Once all steps are taken, the task assignee or the risk owner clicks Complete Transfer in the risk.
  8. The risk and the task can then be closed.
Following the Threat and Vulnerability Workflows

ZenGRC provides suggested threat and vulnerability workflows. These workflows each have one status where a task is automatically triggered.

Identifying the Threat or Vulnerability

After a threat or vulnerability is placed in a Draft status, the following workflow can be used:

  1. Click Identify.
  2. A new task displays and is populated with information from the Identify template. If the task is unnecessary, you can cancel it at this point without interrupting the workflow.
  3. The threat or vulnerability name populates in the task Title field where the variable was placed in the template.
  4. Alter the task as needed and click Save.
  5. The newly created task displays in the object's Mapped Objects tab.
  6. The task assignee is asked to set an owner, write a detailed description, and map to related objects before changing the threat or vulnerability to the next status.
  7. Once all steps are taken, the task assignee or the object owner then clicks Assess, which moves the object to an Under Assessment status.
  8. The actionable drop-down displays with options for Accept, Avoid, Transfer, or Remediate.

The object now follows the workflow found at Risk Management Statuses. Note that for threats and vulnerabilities, the only task template triggered is after clicking Identify in the first step.

Warning and Error Indicators

Both groups and steps have a small notification circle next to their titles. The colors are interpreted as follows:

  • If the circle is gray - everything is done correctly.
  • If the circle is yellow - the changes haven't been saved yet.
  • If the circle is red - there is an error in the group or step, and it needs to be fixed before the changes can be saved.

Workflow Limitations

There are certain limitations to workflow groups and steps. These need to be taken into account for the workflows to function correctly.

  • All groups and steps need to have a title defined.
  • Multiple groups can't be named exactly the same.
  • Two steps can't have the setup fields defined exactly the same (even if the steps are nested in different groups).

Following the Workflow

Status Transition

To trigger one of the steps defined through a status transition, the status change needs to be completed through the actionable button located below the object title.


Threshold Reached

To trigger one of the steps defined through a risk score threshold, the specified risk score needs to be calculated on the risk info page, in the risk scoring tab. When the specified score is calculated and the result falls within the predefined threshold, the task is created.
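As an added example (not ZenGRC's own code), the following Python models three things this page describes: how a step's Status transition or Threshold reached event is matched against what happened to an object, how the four template variables from Using Variables are filled into a task while enforcing which field each variable may appear in, and the checks listed under Workflow Limitations. The dictionary layout, field names, the sample risk, and the assumption that a threshold step fires once the calculated score is greater than or equal to its Outcome value are mine, not ZenGRC's.

```python
import re
# Constructed sample risk (not real ZenGRC data).
RISK = {"id": "risk-42", "type": "Risk", "title": "Unpatched VPN appliance",
        "description": "Edge VPN runs end-of-life firmware.", "url": "https://example.invalid/risks/42"}
# Fields in which each template variable may appear (see Using Variables).
ALLOWED = {"%object_title%": {"title", "description"},
           "%object_description%": {"title", "description"},
           "%object_url%": {"description"},
           "%object%": {"related_object"}}

def render_template(template, obj):
    """Fill each %variable% from the object; reject a variable used in a field where it is not allowed."""
    values = {"%object_title%": obj["title"], "%object_description%": obj["description"],
              "%object_url%": obj["url"], "%object%": obj["id"]}
    task = {}
    for field, text in template.items():
        for var in set(re.findall(r"%\w+%", text)):
            if var not in ALLOWED:
                raise ValueError(f"unknown variable {var}")
            if field not in ALLOWED[var]:
                raise ValueError(f"{var} is not allowed in the {field} field")
        task[field] = re.sub(r"%\w+%", lambda m: values[m.group(0)], text)
    return task

def step_matches(step, obj, event, outcome):
    """Status transition: outcome is the action picked in the actionable drop-down.
    Threshold reached: outcome is the calculated score (assumed to fire once score >= step value)."""
    if not step["enabled"] or step["object"] != obj["type"] or step["event"] != event:
        return False
    if event == "Status transition":
        return outcome == step["outcome"]
    return event == "Threshold reached" and obj["type"] == "Risk" and outcome >= step["outcome"]

def validate_groups(groups):
    """Workflow Limitations: titles set, unique group names, unique setup fields across all groups."""
    errors, names, setups = [], set(), set()
    for group in groups:
        if not group["title"].strip():
            errors.append("group without a title")
        if group["title"] in names:
            errors.append(f"duplicate group name {group['title']!r}")
        names.add(group["title"])
        for step in group["steps"]:
            if not step["title"].strip():
                errors.append(f"step without a title in {group['title']!r}")
            key = (step["object"], step["event"], step["outcome"], step["action"])
            if key in setups:
                errors.append(f"duplicate setup fields {key}")
            setups.add(key)
    return errors
```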