The Assessments module offers security consultancies and pentesters a streamlined approach to developing and managing framework-based governance risk and compliance assessments and scoping questionnaires. This functionality promotes consistency across assessments and reduces the time and effort required for their creation and management. An additional benefit of managing assessment questionnaires in PlexTrac is the ability to utilize PlexTrac's Reports and Analytics modules to track and report on the status of the assessment findings.
Users access the module by clicking Assessments in the application's main menu.
Assessments are crucial for identifying, evaluating, and prioritizing security weaknesses in systems, networks, or applications. They aim to uncover vulnerabilities that malicious actors could exploit. Organizations can strengthen their security defenses and reduce the likelihood of successful attacks and data breaches by systematically reviewing and analyzing areas prone to risks, such as software bugs, misconfigurations, and other security weaknesses.
Various paradigms concentrate on evaluating security in vulnerability assessments. Network vulnerability assessments focus on scrutinizing network infrastructure, devices, and protocols to identify potential weak points that attackers could exploit. Web application vulnerability assessments specialize in detecting and remedying security flaws specific to web-based applications. Host-based vulnerability assessments concentrate on individual systems or hosts, including servers and workstations, to identify potential vulnerabilities and implement necessary safeguards.
Some of the most commonly used assessment frameworks in PlexTrac include CMMC (Cybersecurity Maturity Model Certification), NIST (National Institute of Standards and Technology), CIS (Center for Internet Security), ISO (International Organization for Standardization), FFIEC (Federal Financial Institutions Examination Council), and NYDFS (New York Department of Financial Services).
Assessment questionnaires are valuable for gathering relevant information and evaluating security practices. These questionnaires serve many purposes, such as identifying vendor risk management, conducting internal and external audits, or obtaining SOC2 certification. By utilizing well-crafted questionnaires, organizations can systematically gather data regarding their security practices, policies, and procedures, which are then used to assess the effectiveness and compliance with established standards. These questionnaires facilitate a structured approach to evaluating security measures, streamlining the process, and ensuring consistent evaluation across different projects and organizations.
The Assessments module has two tabs:
In Progress/Completed: This shows all assessments the user can view, including assessments that have been completed and are in progress. Assessments can be filtered by client and status.
Manage Questionnaires: This displays the list of questionnaires available in the tenancy for assessment purposes. It also allows users to create and manage questionnaires and import questions from a JSON file.
PlexTrac's assessment module offers a user-friendly interface that enables effective assessment management, progress tracking, data collection, and collaboration. It ultimately facilitates the submission and presentation of comprehensive assessment findings.
Questionnaire progress bar: Visually displays the progress made on the assessment and provides a percentage representation. Users can track their progress as they complete questions, with the bar gradually filling up as the questionnaire is completed.
Question navigator box: This box allows searching the title of any question within the assessment. The key icon explains the different circle expressions next to a question.
Filter by status box: Further filters the results list by question status.
Results count: This displays the number of questions in the assessment and dynamically updates based on filter and search queries.
Questions column: Lists all questions that exist in an assessment. The view will change dynamically based on filter and search queries. Select a question from this list to view or complete.
Questions column navigation: Provides access to questions that appear on different pages, when applicable.
Question details box: Presents the question selected for viewing and completion.
Reviewers button: Used to assign assessment reviewers (this option disappears for completed assessments).
Submit assessment button: Used to submit the assessment and move it to "Completed" status.
The Manage Questionnaires tab is a directory of assessment questionnaires available for a tenant. This tab provides a centralized location where users can perform various actions, such as creating new questionnaires, modifying existing ones, importing questionnaires from external sources, or deleting no longer needed questionnaires.
The primary objectives of assessment questions are twofold. First, they aim to bolster the effectiveness and thoroughness of the assessment process by providing additional context and relevant information. By including well-crafted questions, the assessment becomes more comprehensive and capable of capturing a broader range of data.
Second, the information collected through these assessment questions is crucial in generating meaningful findings when the assessment is completed and submitted as a report. These findings, derived from the accumulated data, serve as valuable insights and recommendations.
Furthermore, the Manage Questionnaires tab also provides the functionality to initiate client assessments. This feature streamlines the assessment workflow by seamlessly integrating the questionnaire creation and initiation steps within the same interface.
Step 1: Click New Questionnaire from the Manage Questionnaires tab of the Assessments module.
Step 2: Enter a unique title and select the reference framework from the pulldown menu.
The reference framework value tags assessments and questions for future categorization and management.
Step 3: Click Create Questionnaire.
The "Edit Questionnaire" page has been launched. This page has multiple sections that are further explained below.
Step 4: Edit this section as needed.
Questionnaire Title (required): This value entered in Step 3 can be edited here. This value will appear in the expanded section of the questionnaire (reference number one in the question example below).
Reference Framework: This value was selected in Step 3 and cannot be edited. The reference framework value tags assessments and questions for future categorization and management.
Require Completion of All Questions: If all questions must be answered before completing the assessment, check the box.
Step 5: Click Save Basic Info.
Title (required): Question title and value that will appear in the expanded section of the questionnaire (see number 1 in the example below).
Description (required): Description of the question that will appear as additional context for the user when answering the question (see number 2 in the example below).
Answer Types (required): Header value for multiple-choice questions (see number 3 in the example below). Additional multiple-choice questions can be added by clicking Add Answer Type, which is helpful for assessments that score off multiple categories, such as Process and Practice maturity in CMMC. Check the box under "Require?" to make answering the question mandatory when completing the assessment. The list of values available for each multiple-choice question can be previewed by hovering over the informational icon to the right of the "Answer Types" label (but only admins can edit answer type labels and answer type values).
Add Input Field: An additional label can be provided and made mandatory if necessary (see number 4 in the example below). The label will be presented to the user with a box for data entry. Enter as many Input Fields as required.
Add Custom Field: Provides additional RTF fields with a label, if needed. Repeat as often as needed.
Default Severity: Pulldown menu list of values to define the default severity of the question. If a question is based on a Framework Control, it may have a predefined severity. This will be the severity of the report finding that this question will become upon submission.
Default Score: Optional method for providing a default score.
Default Score Calculation: If required, enter as a plain text string.
Tags: Additional information to improve search and reporting.
Recommendations: Recommendations relevant to the question, such as a remediation technique or policy suggestion.
References: References to questions to assist with implementing or verifying the assertion, such as website links.
Information from a writeup can be linked to a question. This metadata and content from the writeup will not appear in the assessment. Still, after the assessment is submitted and the question becomes a finding, the writeup information is included on the finding detail page.
Writeup: Pulldown menu list of available writeups to link to the question.
Tags: Additional information to improve search and reporting. This is the same field found under the "Custom" button.
Step 6: Click Create.
The created question now appears in the "All Questions" column on the left.
This section contains a record of all questions in an assessment and provides the sequence in which they will appear.
Step 7: Create more questions to complete the assessment. This can be done in two ways:
Step 8: Click Create after completing the second question. Create as many questions as needed to complete the assessment.
After multiple questions exist, they can be re-sequenced if they were created in an order other than the desired final order.
Questions can be moved by clicking the "All Questions" question box and dragging it to the desired arrangement on the list. The numbering will dynamically change so that they are ordered as shown on the page (i.e., the question on top is always Question #1).
PlexTrac allows questionnaires in JSON file format to be imported.
Step 1: From the Assessments module, click the Manage Questionnaires tab.
Step 2: Click Import.
Step 3: Drag the JSON file to the modal or click to browse the file on the computer. Repeat if necessary. When finished, click Upload.
Importing a questionnaire removes all linked writeups.
If the wrong JSON file is used, an error message will appear. If the import is successful, the new file will appear in the list of questionnaires.
A questionnaire can be exported as a JSON file for backup or imported to another instance. Questionnaires can be exported during editing or directly from the Manage Questionnaires page.
Step 1: From the Assessments module, click the Manage Questionnaires tab.
Step 2: Click the three dots under the "Actions" menu of the questionnaire and then click Export.
Step 3: A confirmation appears. Click Export.
The questionnaire is downloaded locally as a JSON file.
Step 1: From the Assessments module, click the Manage Questionnaires tab.
Step 2: Click Edit under the "Actions" menu of the questionnaire to export.
Step 3: Click Export.
The questionnaire is downloaded locally as a JSON file.
Clicking the row of the questionnaire on the Manage Questionnaire tab displays all question titles, descriptions, and tags. The questions are listed in sequence.
Users have two options for beginning an assessment. First, they can navigate to the Manage Questionnaires tab, choose the preferred assessment questionnaire, and click Begin Assessment. After starting the assessment, they can select the client/project.
Second, users can start a new assessment from the In Progress/Completed tab. This approach permits them to choose the client and questionnaire they want to use as the first step. The assessment automatically populates data from the selected questionnaire, eliminating the need for manual copying and pasting. This simplifies the assessment process, making it more efficient and practical.
PlexTrac also provides a convenient way to involve participants. If there's a question that someone needs to answer, users can copy the URL at the top of the browser and send it via email or IM. If the recipients have an account in the PlexTrac instance, they can access the question and provide the necessary answers. This feature enhances collaboration and ensures that assessments progress smoothly, even with remote participants.
Step 1: Click the Start New Assessment tab from the Assessments default home page.
Step 2: Select the client the assessment applies to from the pulldown menu, then select the questionnaire. Click Next.
Step 3: A new page appears, presenting the assessment for modification.
Step 1: From the Assessments default home page, click the Manage Questionnaires tab.
Step 2: Click Begin Assessment under the "Actions" column for the desired questionnaire.
Step 3: Select the associated client/project value from the pulldown menu and click Begin Assessment.
Step 4: A new page appears, presenting the assessment for modification.
If no action is taken after an assessment is created, or the assessment is not finished, the assessment receives an "In Progress" status and is accessible from the In Progress/Completed tab.
An assessment can be completed by clicking Edit under the "Actions" column.
After finishing an assessment, users can easily choose reviewers from a dropdown menu. This feature simplifies the procedure of sharing findings and removes the necessity of sending confidential documents through email.
When a reviewer is added, the assessment is changed to a draft format with an "In Review" status. This prevents premature submission and ensures that the assessment cannot be completed or submitted until the review is complete.
The number of current reviewers and remaining approvals needed for an assessment is listed on the In Progress/Completed tab.
After the reviewers finish evaluating the assessment and find it suitable, they mark it as approved. If all the reviewers approve the assessment but it is not yet submitted, the assessment will be labeled "Approved," and the overall status will be "In Progress."
In the case of a single reviewer, the user can either submit the assessment or continue working on it. However, if there are other pending reviews, the assessment will be marked as "In Review" and cannot be approved until all reviews have been completed.
If no reviewers are assigned, an assessment can be submitted anytime.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click Add Reviewers at the top right of the page.
Step 3: Select the reviewer(s) from the entries in the pulldown menu of users. Typing text into the box will narrow the list. Repeat as needed. No limit exists on how many reviewers can be added. When finished, click Save.
The person assigned as a reviewer will receive an email notifying them of the task. The assessment is now in review mode.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click the In review button.
A modal appears listing the reviewers and if they have approved the assessment.
The only two options are "Approved" and "Pending Approval."
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click the In review button.
A modal appears listing the reviewers. Current reviewers can be removed by clicking the "X" next to their name, and new ones can be added by placing the cursor in the box and selecting a new reviewer. Click Save when finished.
Removed users will appear in the main list until Save is clicked.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click the In review button.
A modal appears listing the reviewers. A user who is also an approver will see an Approve button.
Step 3: Click Approve.
After a reviewer clicks Approve, the status changes within the modal to "Approved."
Step 4: Click Save.
The modal disappears. If all reviewers have approved, the status of the assessments changes on the button previously clicked in Step 2.
In addition, the status of the assessments changes on the In Progress/Completed tab.
A user can revoke the approval of an assessment that has not been submitted (i.e., a status of "In Progress") by opening the assessment, clicking the Approved button at the top right of the screen, and then clicking Remove approval from the modal.
This will return the assessment approval status to "In Review" and display the reviewer as "Pending Approval."
Once an assessment is submitted in PlexTrac, the platform automatically generates a report and directs the user to the Report module readout view, and all questions are turned into findings. This published report contains all the findings from the assessment, making it readily accessible to stakeholders and analyst users. This feature enables quick dissemination of information to relevant parties.
Step 1: From the Assessments module home page, click the row of the assessment to work on or Edit from the "Actions" menu.
Step 2: Click Submit assessment.
This action cannot be undone. Once submitted, a report will be generated with recorded responses.
Step 3: If all questions have been completed, a message confirming action appears. Click Submit assessment.
A report readout from the Reports tab of the Clients module will be presented, providing assessment details. The answered questions are now findings. Each finding includes the question, description, assigned score, checkbox status, and any accompanying notes and relevant documentation incorporated into the assessment.
If required, users can make edits to the report before exporting it. This feature ensures that the final report accurately reflects any updates or changes made during the assessment process. Users can review and modify the report as necessary, guaranteeing its accuracy and completeness before sharing it with stakeholders.
The assessment is still listed within the Assessment module, now with a "Completed" status.
Once an assessment is submitted, all questions, including custom fields, are transformed into findings. PlexTrac then assigns a status to each finding, using business rules corresponding to the answer type and values of the question.
Below are the guidelines used to determine the value given to a finding status. These rules are followed in sequence until the status is resolved and a value is determined.
To ensure the accuracy of the rules listed in the table, the answer type value must match the value in the table, where applicable. For example, an answer type value of "Not Compliant" will result in a match and a finding status being assigned, while a value of "Non Compliant" will not.
The same logic is applied to custom fields. If, for example, a custom field answer type is "Yes (Pass) / No (Fail)" and the value is "Yes," the finding status assigned is "Closed." If the custom field answer type scenario and value are not found below, the finding status assigned is "In Process."
If multiple answer types exist for a question, only the first answer type assigns a status to a finding.
Assessments can be started immediately after creation or worked on later by opening one to complete from the In Progress/Completed tab. If no action is taken after an assessment is created or the assessment is not finished, the assessment will have an "In Progress" status.
To save progress on an assessment, click the Save button within the question box as questions are answered.
To open and complete an "In Progress" assessment, go to the In Progress/Completed tab, select the desired assessment, and click Edit.
The assessment module provides progress tracking for questionnaires. A visual bar indicates the questionnaire's completion status, gradually filling up as more questions are answered until it reaches 100%.
Users can provide answers, observations, notes, and attachments as questions are completed, such as policy documents, screenshots, code samples, and videos. Attachments are facilitated through a modal where files can be dragged, dropped, pasted, or browsed from the computer.
Questions can be marked as complete, and users can continue to another question by clicking the question in the left column, entering the question number in the provided box, clicking the navigation arrow to reach the previous or next question in sequence, or using search/filtering to find a specific question.
The progress bar will update as data is entered, questions are completed, and the user moves to the next question. Completed questions will have a checkmark in the circle next to the question.
Questions that are optional for the assessment will have a circle with a dotted outline next to the question's title, while questions that are required will have a circle with a solid outline. Questions touched but not marked as completed are identified with a shaded purple within the circle. Questions that have not been touched retain a white background until modified.
When an assessment has all questions completed, all questions will have a checkmark, and the questionnaire progress bar will be full and display a green checkmark.
Questions are answered by selecting the question title in the Questions column, which inserts the question in the main window. The edited question is highlighted with a shaded background in the left column.
A question defaults to the status of "Not Started." When a question receives input in any available field, it updates to "In Progress."
After a question has been answered, click the circle next to "Mark question complete," which will update its status to "Completed" and impact the questionnaire progress bar.
Users can gather evidence directly and securely on the platform, eliminating the need to email sensitive documents while completing assessments.
Step 1: Click Add attachment(s).
Step 2: Drag a file onto the modal or browse it from a local computer.
Step 3: Add any additional notes as needed. Repeat the process if more than one file is loaded. Click Save.
The attachment is listed on the question after the "Notes" box. Hover over the attachment filename for icons to download or delete the file.
Not every field edited for a question will be displayed during the assessment. Still, it will be passed to a finding in the report generated upon submission, as each question in the assessment will become a finding. The screenshot below illustrates this: Every field greyed out and below the yellow line will not appear in the assessment but will be passed on to the finding details page after an assessment is submitted.
Clicking Add Question brings up a new blank list of fields.
Clicking the copy icon of an existing question clones it.
If submission is attempted with questions not completed, a warning message appears.
More information on answer types and values can be found on the and under of the Admin Dashboard.
Step | Rule | Answer type value | Finding status
---- | ---- | ----------------- | --------------
1 | Answer type value is Yes AND Answer type is "Yes (Pass) / No (Fail)" | Yes | Closed
1 | Answer type value is Yes AND Answer type is NOT "Yes (Pass) / No (Fail)" | Yes | Open
2 | Answer type value is No AND Answer type is "Yes (Pass) / No (Fail)" | No | Open
2 | Answer type value is No AND Answer type is NOT "Yes (Pass) / No (Fail)" | No | Closed
3 | Answer type is "CMMC Processes" or "CMMC Practices" | Any value | Open
4 | Answer type value was left blank or not answered | (blank) | Open
5 | Answer type value is checked against a list of values that are mapped (if the answer type is Multiple Choice and more than one box was checked, the value of the topmost option is used) | No (Pass) | Closed
5 | | Not Started | Open
5 | | Strongly Disagree | Open
5 | | Initial | Open
5 | | Yes (Fail) | Open
5 | | Operational | Closed
5 | | Strongly Agree | Closed
5 | | Optimizing | Closed
5 | | Compliant | Closed
5 | | Not Compliant | Open
5 | | Required | Open
5 | | Extremely Effective | Closed
5 | | Not Effective | Open
5 | | In Place | Closed
5 | | Not In Place | Open
5 | | N/A | Closed
5 | | In Place w/CCW | Closed
5 | | Not Tested | Open
6 | Finding still does not have an assigned status | | In Process
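The status rules above are easy to misread, in particular the reversed meaning of "Yes" and "No" outside the "Yes (Pass) / No (Fail)" answer type, the exact-match requirement ("Non Compliant" is not "Not Compliant"), and the fact that only the first answer type of a question counts. The following is an added example, written for this page and not PlexTrac's own code, that applies the six steps in the documented order to constructed sample answers. The answer-type names "Compliance", "Maturity" and "PCI", the question titles, and the list-of-pairs shape used to represent a submitted question are this example's own assumptions; the values in the mapping table are copied from the page.

```python
# Added example, not PlexTrac code: the documented finding-status rules,
# applied in sequence to one submitted question.

PASS_FAIL_TYPE = "Yes (Pass) / No (Fail)"
CMMC_TYPES = {"CMMC Processes", "CMMC Practices"}

# Step 5: mapped answer-type values, copied from the rules table.
# Matching is exact, so "Non Compliant" does not match "Not Compliant".
MAPPED_VALUES = {
    "No (Pass)": "Closed",
    "Not Started": "Open",
    "Strongly Disagree": "Open",
    "Initial": "Open",
    "Yes (Fail)": "Open",
    "Operational": "Closed",
    "Strongly Agree": "Closed",
    "Optimizing": "Closed",
    "Compliant": "Closed",
    "Not Compliant": "Open",
    "Required": "Open",
    "Extremely Effective": "Closed",
    "Not Effective": "Open",
    "In Place": "Closed",
    "Not In Place": "Open",
    "N/A": "Closed",
    "In Place w/CCW": "Closed",
    "Not Tested": "Open",
}


def finding_status(answer_type, value):
    """Return the finding status for one answer type and its selected value.

    Steps are evaluated in the order of the rules table; the first step
    that resolves a status wins.
    """
    is_pass_fail = answer_type == PASS_FAIL_TYPE
    # Step 1: value "Yes" is Closed only for the Pass/Fail answer type.
    if value == "Yes":
        return "Closed" if is_pass_fail else "Open"
    # Step 2: value "No" is Open only for the Pass/Fail answer type.
    if value == "No":
        return "Open" if is_pass_fail else "Closed"
    # Step 3: CMMC answer types are Open regardless of value.
    if answer_type in CMMC_TYPES:
        return "Open"
    # Step 4: blank or unanswered.
    if value is None or value.strip() == "":
        return "Open"
    # Step 5: mapped value list (exact match).
    if value in MAPPED_VALUES:
        return MAPPED_VALUES[value]
    # Step 6: nothing resolved.
    return "In Process"


def question_finding_status(answers):
    """Resolve the status for a submitted question.

    `answers` (shape assumed for this example) is a list of
    (answer_type, selected_values) pairs in the order the answer types
    appear on the question; selected_values is a list in display order,
    top first. Only the first answer type assigns a status, and when a
    multiple-choice answer has several boxes checked the topmost option
    is used.
    """
    if not answers:
        raise ValueError("a question needs at least one answer type")
    answer_type, selected = answers[0]
    value = selected[0] if selected else None
    return finding_status(answer_type, value)


# Constructed sample submission (titles and non-page answer types are made up).
SAMPLE_SUBMISSION = [
    ("Q1 MFA enforced?", [(PASS_FAIL_TYPE, ["Yes"])]),
    ("Q2 Backups restore-tested?", [(PASS_FAIL_TYPE, ["No"])]),
    ("Q3 Access control process", [("CMMC Processes", ["Managed"])]),
    ("Q4 Logging policy", [("Compliance", ["Non Compliant"])]),
    ("Q5 Patching policy", [("Compliance", ["Not Compliant"])]),
    ("Q6 Unanswered", [("Compliance", [])]),
    ("Q7 Two boxes, two types", [("Maturity", ["Optimizing", "Initial"]),
                                 ("PCI", ["Not In Place"])]),
]


def report_statuses(submission):
    """Map each question title to the status its finding will receive."""
    return {title: question_finding_status(answers) for title, answers in submission}


if __name__ == "__main__":
    for title, status in report_statuses(SAMPLE_SUBMISSION).items():
        print(f"{title}: {status}")
```

Q7 shows both "first wins" rules at once: the second answer type ("PCI" / "Not In Place") is ignored entirely, and of the two checked boxes only the topmost ("Optimizing") is consulted, so the finding is Closed even though the second box and the second answer type would each have given Open.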