Assessments

The Assessments module offers security consultancies and pentesters a streamlined approach to developing and managing framework-based governance risk and compliance assessments and scoping questionnaires. This functionality promotes consistency across assessments and reduces the time and effort required for their creation and management. An additional benefit of managing assessment questionnaires in PlexTrac is the ability to utilize PlexTrac's Reports and Analytics modules to track and report on the status of the assessment findings.

Users access by clicking Assessments in the application's main menu.

Overview

Assessments are crucial for identifying, evaluating, and prioritizing security weaknesses in systems, networks, or applications. They aim to uncover vulnerabilities that malicious actors could exploit. Organizations can strengthen their security defenses and reduce the likelihood of successful attacks and data breaches by systematically reviewing and analyzing areas prone to risks, such as software bugs, misconfigurations, and other security weaknesses.

Various paradigms concentrate on evaluating security in vulnerability assessments. Network vulnerability assessments focus on scrutinizing network infrastructure, devices, and protocols to identify potential weak points that attackers could exploit. Web application vulnerability assessments specialize in detecting and remedying security flaws specific to web-based applications. Host-based vulnerability assessments concentrate on individual systems or hosts, including servers and workstations, to identify potential vulnerabilities and implement necessary safeguards.

Some of the most commonly used assessment frameworks in PlexTrac include CMMC (Cybersecurity Maturity Model Certification), NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), ISO (International Organization for Standardization), FFIEC (Federal Financial Institutions Examination Council), and NYDFS (New York Department of Financial Services).

Assessment questionnaires are valuable for gathering relevant information and evaluating security practices. They serve many purposes, such as identifying vendor risk management, conducting internal and external audits, or obtaining SOC2 certification. By utilizing well-crafted questionnaires, organizations can systematically gather data regarding their security practices, policies, and procedures, which are then used to assess their effectiveness and compliance with established standards. These questionnaires facilitate a structured approach to evaluating security measures, streamlining the process and ensuring consistent evaluation across different projects and organizations.

The Assessments module has two tabs:

• In Progress/Completed: This option shows all assessments the user can view, including completed and in-progress assessments. Client and status can filter assessments.

• Manage Questionnaires: This displays the list of questionnaires available for assessment purposes in the tenancy. It also allows users to create and manage questionnaires and import questions from a JSON file.