Online Assessments

Introduction

In this episode, we explain the key attributes of an Online Assessment (OA). Understanding these attributes will guide you in accurately completing the OA creation form, ensuring all essential details are included for a smooth and effective assessment setup.

Roles

When creating an Online Assessment (OA), there are two default roles:

• Assessor: This is typically a group that includes your team members responsible for managing and reviewing the assessment.
• OA Recipient: This refers to the person (or people) you want to respond to your OA. Multiple recipients can be assigned if needed.

These roles are important no matter what authenication settings you have selected for your OAs becasue even for non-authenticated OAs you might still want to send email notifications to the "OA Recipient" role and for that you need accounts (that contain the email where to send email notifications)

Authentication

As discussed your OA recipients can access the portal in two ways:

• Using a unique URL
• Using username/password credentials

If you would like to use credentials you will need to create user accounts for each OA and manage their passwords. 

Questionnaire

This is the questionnaire you plan to use for your Online Assessment (OA). Once the OA is created, the selected questionnaire cannot be modified. If changes are necessary, you will need to create (or clone) a new OA with a different questionnaire. Additionally, questionnaires in use by OAs cannot be deleted.

If modifications to a questionnaire are required, we recommend uploading a second version using CSV imports, as changes made through the user interface are limited to only a few options. This approach ensures proper version control and flexibility.

Portal Settings

When the OA Recipient logs into the portal, you can let them download the questions, and findings you might record (see findings later on the documentation) and also submit the OA even if all questions are not answered.

Schedule

When an OA is created you must tell eramba when it should start (the soonest is the day after today) and when it will end. eramba will automatically start the OA on the start date and if you want, it can also stop it on the end date. You can override both dates anytime.

Recurrence

If you want your questionnaires to repeat themselves over time, for example, because you need to assess Risks in your departments every year, you can enable the recurrence setting. This will automatically clone the OA on the dates you set and start it automatically.

Asociations

You can optionally asociate your OAs to other items in eramba, this is typically useful to somehow asociate the origin of those items (as part of discovery, risk identification, etc).

The following is a list of typical use cases for these asociations:

• Third Party: Use this when assessing suppliers or external vendors. This helps track which suppliers have been evaluated and their compliance status.
• Business Units: Use this when performing Risk Assessments within your organization. Each Business Unit (BU) represents a department in your company, allowing you to assess risks at an organizational level.
• Assets: Use this when assessing applications, IT systems, or other assets regarding key security and operational practices (e.g., user provisioning, deprovisioning, segregation of duties (SOD)).
• Risks (Assets, Third Party): This association is typically made after the OA has been submitted and reviewed. If risks are identified (e.g., a vulnerability in a Third Party or a Business Unit), you can formally document them as Risks in the system for tracking and mitigation.