Questionnaires - ZenGRC Best Practice

Overview


ZenGRC questionnaires are a way to build customized information requests and send them to recipients in any organization. This document provides suggestions for making questionnaire creation easier for you, while reducing survey fatigue for recipients.

NOTE

For detailed information and step-by-step instructions, please see Questionnaires.

Definitions


Questionnaires - A customized, electronic way to request information from any organization, including your own. By creating and sending questionnaires, you can gauge security risks involved in doing business and exchanging information with other organizations.

Conditional questions - These sub-questions only display in response to the recipient's answers on broader questions. It is possible to build more than one conditional per question, as well as nested conditionals. Conditionals are indicated by yellow shading and the word “conditional” in the lower-left corner.

Weighting - Assigning numerical ratings to questionnaire answers so that a returned questionnaire is placed in a low, medium, or high risk category.

DEFINITION: For complete definitions of all objects, please see ZenGRC Definitions.

Preparation


This section offers suggestions to consider prior to building a questionnaire in ZenGRC:

  • Outline your content flow - In the questionnaire builder, new pages can only be added sequentially, so it's best to have at least a loose outline of your questionnaire before you begin building it.

  • Prepare an introduction - At the beginning of the questionnaire, create an instructions page to clearly communicate directions. As already stated, pages can only be added to the end of the questionnaire, so if you're not ready to write the text, remember to include a placeholder page at the beginning.
  • Contact recipients - It's good practice to alert recipients that you'll be requesting their feedback. This shows you appreciate their time and prompts them to look for the questionnaire request. It can be done verbally or by sending a corporately branded email.
  • Customize email - ZenGRC provides customizable email settings that allow you to determine the look of questionnaire emails. This ensures information sent from your company is easily recognizable and that recipients don't mistake it for phishing. Prior to sending your first questionnaire, consider reviewing the following:
    • Click Settings | Email Settings.
    • Alter text and background colors to your corporate name and branding.
    • Consider adding a logo.

      NOTE

      For additional email customization instructions, please see Configuring Email Settings.

  • Decide whether to weight - When asking pointed questions of recipients to determine risk, you have the option of creating a weighted questionnaire. Certain answers carry more risk to your organization than others; weighting, which means placing higher numerical values on those answers, allows returned questionnaires to be automatically placed in a Low, Medium, or High risk rating.

Building the Questionnaire


The following are tips for building a questionnaire within your ZenGRC instance:

  • Create sections - Divide your questionnaire into sections, and start each new section on a new page. Add the “additional text” question type at the top and assign a letter for each section after the instructions. For example:
    • Instructions.
    • A - Application Security.
    • B - Privacy.
  • Use a numbering strategy - We recommend utilizing the section letter preceding the number to aid in organization. For example:
    • Set up questions in the “A - Application Security” section as follows:
      • A.1 - (Insert question).
      • A.2 - (Insert question).
      • A.3 - (Insert question).
    • Set up questions in the “B - Privacy” section as follows:
      • B.1 - (Insert question).
      • B.2 - (Insert question).
      • B.3 - (Insert question).
  • Continue numbering with conditionals - Base numbering on the section and question number. For example:
    • Set up conditionals of A.1 - (Insert question) as follows:
      • A.1.1 - (Insert conditional question).
      • A.1.2 - (Insert conditional question).
    • Set up conditionals of B.4 - (Insert question) as follows:
      • B.4.1 - (Insert conditional question).
      • B.4.2 - (Insert conditional question).
  • Save often!
  • Inactive “Save” button - If you can't save, it means one or more questions have errors. This is often caused by not selecting a question type when adding a new question. Identify these errors as follows:
    • The question box is shaded red.
    • Clicking the shaded question box displays the right-hand panel with the field outlined in red.
  • Utilize the "File upload" question type - This is useful as a conditional to ask that documents/diagrams be attached directly to the questionnaire. For example, if the following question receives a "Yes" answer:
    • C.1 - Is your organization SOC 2 compliant?
    then create a subquestion from the “Yes” answer with the question type “File upload” and the question title:
    • C.1.1 - Please upload most recent report.
  • Remember the “Question is mandatory” checkbox - When this box is checked, recipients can't submit the questionnaire until all mandatory questions are answered; the "Submit" button stays deactivated until they are.
  • Use the Date Picker for questions - This is useful when you want the recipient to respond with the date a document, such as a SOC 2 report, was created.
  • Remember to add weights to automatically calculate risk.
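The following is an added illustration, not ZenGRC's own code, of how the concepts above fit together: weighted answers (from "Decide whether to weight"), conditional sub-questions that only count when their parent's trigger answer is given, and mandatory questions that block submission. The question set, the scoring rule (points scored divided by the maximum possible) and the Low/Medium/High cut-offs are constructed assumptions for this example.

```python
# Added illustration, not ZenGRC's own code: a minimal model of a weighted
# questionnaire with conditional and mandatory questions. The scoring rule and
# the Low/Medium/High cut-offs are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Question:
    number: str                   # section letter + number, e.g. "A.1" or "A.1.1"
    text: str
    weights: Dict[str, int]       # answer -> risk weight (higher = riskier)
    mandatory: bool = False
    parent: Optional[str] = None  # parent question number, for conditionals
    trigger: Optional[str] = None # parent answer that reveals this conditional

def is_visible(q: Question, answers: Dict[str, str]) -> bool:
    """A conditional only displays when its parent received the trigger answer."""
    return q.parent is None or answers.get(q.parent) == q.trigger

def missing_mandatory(questions: List[Question], answers: Dict[str, str]) -> List[str]:
    """Visible mandatory questions left unanswered; any of these blocks Submit."""
    return [q.number for q in questions
            if q.mandatory and is_visible(q, answers) and q.number not in answers]

def score(questions: List[Question], answers: Dict[str, str]) -> Tuple[int, int]:
    """Return (risk points scored, maximum possible) over visible questions only."""
    total = maximum = 0
    for q in questions:
        if not is_visible(q, answers):
            continue              # hidden conditionals never count either way
        maximum += max(q.weights.values())
        if q.number in answers:
            total += q.weights[answers[q.number]]
    return total, maximum

def risk_rating(questions: List[Question], answers: Dict[str, str]) -> str:
    """Refuse unsubmittable answer sets, then bucket the score (assumed cut-offs)."""
    missing = missing_mandatory(questions, answers)
    if missing:
        raise ValueError(f"mandatory questions unanswered: {missing}")
    total, maximum = score(questions, answers)
    ratio = total / maximum if maximum else 0.0
    return "High" if ratio >= 0.6 else "Medium" if ratio >= 0.3 else "Low"

# Constructed sample following the page's numbering convention (A.1, A.1.1, B.1).
QUESTIONS = [
    Question("A.1", "Is your organization SOC 2 compliant?", {"Yes": 0, "No": 5}, mandatory=True),
    Question("A.1.1", "Is a SOC 2 audit planned within 12 months?", {"Yes": 1, "No": 3},
             mandatory=True, parent="A.1", trigger="No"),
    Question("B.1", "Is customer data encrypted at rest?", {"Yes": 0, "No": 4}, mandatory=True),
]
```

With the sample set, answering "No" to A.1 reveals A.1.1 and makes it mandatory, so a response that skips it cannot be rated; answering "Yes" hides A.1.1 and it contributes nothing to the maximum.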

Questionnaire Weighting


NOTE

To understand how to weight a questionnaire, please see Questionnaire Weighting.

Using Import Templates


NOTE

To understand how to build and import a questionnaire using templates, please see Using Questionnaire Import Templates.

Sending a Questionnaire


The following are tips for sending a questionnaire on any ZenGRC item.

  • Customize your message - In addition to branding your email and creating an introduction to the survey itself, you can also change the email message. This is done on Step 2 of sending a questionnaire. Make certain this text correlates with the questionnaire introduction.
  • Internal vs. External - In Step 2, there's a choice between sending an "Internal" or "External" questionnaire. The difference is as follows:
    • "Internal" provides a dropdown of ZenGRC users from which to select. Only users in ZenGRC are displayed.
    • "External" provides a blank text box to enter email addresses. Any email address, including ZenGRC users, may be added.
  • Choose to receive alerts - An easy way to receive updates on a recipient's response is to select the “I would like to be notified when the recipient responds to the survey” checkbox in Step 2. This way you receive immediate updates instead of having to log in.

© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com