Product Documentation
Copyright: Crossword Cybersecurity PLC
Strictly Confidential
Purpose & version control
The purpose of this documentation is to describe the functionality of the current live version of Rizikon Assurance on the general shared platform, also known as Version 2.0.
The software should behave generally consistently with this documentation and it is referred to in the standard SAAS contract and in the standard Service Level Agreements.
This documentation is updated in-line with new versions of Rizikon Assurance on the general shared platform. Please make sure you are looking at the correct version of the documentation.
This is not intended as User documentation, although it will help gain an overall understanding of the system.
Document Version | Version 2.0 | Date released | 3/09/19 |
Authors | Ken Fraser, Jake Holloway, Cezary Biernacki, Kasia Jones | Distribution | Sales, Consulting - Internal only |
Table of contents
Rizikon Assurance Functionality
Main System Data Entities and Attributes
Assurance Manager with Customer Admin
User Roles versus System Capabilities
Common Screen Elements and Operations
Main Sections: Assurance Manager and Portal
Organisations [Assurance Manager]
Assessments [Assurance Manager]
Assessment page - Completer view [Portal]
Assessment page - Assessor view [Portal]
Assessment Review page - Assessor view [Portal]
Two-factor Authentication (2FA)
Technology Stack & Infrastructure Regions
Rizikon Assurance Functionality
Overview of Rizikon Assurance
The system is designed to help Customers manage third-party risk by supporting and partially automating the processes of sending secure online Assessments to other Organisations or teams, and scoring & reviewing the submissions returned.
The primary user roles are Assurance Managers, Completers and Assessors.
Main System Data Entities and Attributes
General information
The main system entities are described below.
Organisation
An Organisation is typically a third party to the Customer organisation. E.g. a supplier, or partner. It can also be an internal team, an office or a system in other valid use cases of Rizikon Assurance.
An Organisation has the following attributes:
Attribute name | Validation | Notes |
Name | Mandatory. Text up to 200 characters. | The full name of the organisation, e.g. “Tyrell Corporation”. |
Primary Contact | Optional. Any single existing Contact. | The default Contact for the Organisation, used as the default Completer of Assessments. |
Person Responsible | Optional. Any single existing Contact. | The person in the client’s company responsible for the relationship with the Organisation. |
Tags | Optional. Any existing Tag or Tags (multiple). | See Tags. |
Impact | Optional. 0-5. | Indicates the potential risk impact of the Organisation on the client: 0 - Unclassified, 5 - Very High impact. |
Credit Safe | Optional. | Link to the Creditsafe company database, available when Creditsafe is enabled. |
Notes | Optional free text, up to 2000 characters. | An informational field, stored but not used by Rizikon Assurance. |
Active | True/False. | If true (default), the Organisation is active and appears by default. If false, the Organisation is deactivated and does not appear unless specifically requested. |
Date issued (created) | Date. | The date when an entry for the Organisation was added or uploaded to Rizikon Assurance. It cannot be changed. |
An Organisation can have any number of Contacts (see Contact) and Assessments (see Assessment) associated with it.
An Organisation can be Deactivated, which means that by default it will not be shown.
An Assurance Manager can list, search, view, add and modify Organisations via the Organisations page.
Contact
Contacts are people who may optionally be associated with an Organisation.
A Contact may also be a User, with one or more User Roles.
A Contact has the following attributes:
Attribute name | Validation | Notes |
First Name | Mandatory. Text up to 64 characters. | E.g. “John”. |
Last Name | Mandatory. Text up to 64 characters. | E.g. “Smith”. Rizikon Assurance sometimes displays “First Name” and “Last Name” together as “Full Name”, e.g. “John Smith”. |
Email | Mandatory. Text up to 128 characters. Must contain an “@”. Must be unique. | E.g. “j.smith@example.com”. If the Contact is also a User, the Email functions as the login identifier. Rizikon Assurance can send emails to this address notifying the User of relevant events. |
Account Status | One of: Active, Unconfirmed, Blocked, Deleted. | Determines the current status of the Contact as a User of Rizikon Assurance. Active - can access Rizikon Assurance normally; Unconfirmed - can access Rizikon Assurance but has not yet done so; Blocked - cannot access Rizikon Assurance; Deleted - the Contact is considered deleted, the User will not be able to access Rizikon Assurance, and the Contact will not be listed unless specifically requested. |
Security Status | Automatic: Active or Security Blocked. Not editable; “Active” is the default. | If Rizikon Assurance detects too many failed login attempts it automatically switches “Security Status” to “Security Blocked”. When “Security Blocked”, the User is prevented from logging in to Rizikon Assurance until they reset their password or are unblocked by an Assurance Manager. |
Two Factor Authentication | Automatic: Not Configured or Enabled. | Indicates whether the Contact has configured Two Factor Authentication to add extra protection to their Rizikon Assurance login. |
Employed By | Optional. Any single existing Organisation. | Indicates that the Contact is an employee of the Organisation. |
Capabilities | Optional. | See User Roles. |
Internal Note | Optional. Text up to 2000 characters. | An informational field, stored but not used by Rizikon Assurance. |
Associated Organisations | Optional. | A list of Organisations for which the Contact is Employed By, Primary Contact or Person Responsible. |
Criticality | Automatic. | Criticality of the default scorecard for each organisation. |
Assessment
An Assessment is an online intelligent (programmatically controlled, e.g. IF-THEN branching) questionnaire sent to an Organisation for one or more Completers to complete and submit. It also comprises the scoring method (including any data referenced) and the automatically generated Report.
Assessments have the following attributes:
Attribute name | Validation | Notes |
Name | Mandatory. Text up to 200 characters. | The default is composed from the Organisation’s Name, the Assessment Category, the current year and an increasing number, e.g. “Tyrell Corp/Supplier Onboarding/2019/1”. The default can be overridden by the creator or changed later. |
Organisation | Mandatory. Any single valid Organisation. | The Organisation to which the Assessment is assigned. |
Completed Percentage | Automatic. | Percentage of questions that have been answered by a Completer, not including ones flagged by an Assessor. |
Assessment Category | Mandatory. Selected from the Assessment types present in the client’s configuration. | E.g. “Modern Slavery Risk”. It cannot be changed after creation. |
Score | Automatic / Manual. Can be any value defined as a valid score, e.g. “Pass” or “High Risk”. | Created by the Scoring calculation for the Assessment following Submission by the Completer. It can be changed by an Assessor. |
Status | Automatically created and validated. | See all valid values in Assessment Workflow. |
Primary Completer | Mandatory. Any Contact with the Completer role. | The User who should fill in the Assessment. |
Additional Completers | Optional. Any Contacts with the Completer role. | Additional Users who can contribute to filling in the Assessment. |
Primary Assessor | Mandatory. Any Contact with the Assessor role. | The User responsible for checking the Assessment once it has been filled in by a Completer. The Assessor can override any scores, Approve or Reject the Assessment, or flag any answers and send the Assessment back to the Completer. |
Additional Assessors | Optional. Any additional Contacts with the Assessor role. | Additional Users that can access the Assessment as Assessors. |
Date Issued | Automatic. | Date when the Assessment was created/sent. |
Last Answered Date | Automatic. | Updated when any Completer last answered a question. |
Renewal Date | Optional. Date. | The date from which the Assessment is considered out-of-date and a new Assessment should be issued. |
Submission Target | Optional. Date. | A date by which the Completer(s) should submit the Assessment. Used to determine which Assessments are Late For Submission. See Summary Page. |
Decision Target | Optional. Date. | A date by which the Assessor(s) should Approve or Reject the Assessment. Used to determine which Assessments are Late For Submission. See Summary Page. |
Created By | Automatic. | Set to the Assurance Manager who created the Assessment. It cannot be changed. |
Metadata Updated | Automatic. | Updated every time the metadata of the Assessment is changed. |
Archived | True or False. | If True, the Assessment is not listed unless specifically requested and is not counted in various statistics. |
Internal Note | Optional. Text up to 4000 characters. | Not displayed to the Completer(s). |
External Note | Optional. Text up to 4000 characters. | Displayed to the Completer(s). |
Users assigned as Completers or Assessors can receive notifications about the Assessment depending on the state of the Assessment.
Question types supported
The following types of questions can exist in an Assessment:
Question type | Description | Notes |
Freetext | Mandatory. Text up to 4000 characters. | |
Optional Freetext | Optional. Text up to 4000 characters. | |
Boolean | Mandatory. | Can be displayed as “Yes/No” or a checkbox. |
Mapped | Mandatory. Multiple Choice. | Only one answer can be provided. |
Multiple | Mandatory. Tick all that apply. | Many answers can be provided. |
Combined | n/a | Container for combining multiple questions in a block. |
Table | n/a | A form of Combined Question formatted into a table. |
Date | Mandatory, selected on a calendar. | Calendar Picker. |
Range | Mandatory, 0-2147483647. | Number field entry. |
Attachment (required) | Mandatory Attachment (non-empty file). Maximum attachment size is 5 MB (default, configurable). | Any question can be configured to accept attachments. |
Attachment (optional) | Optional Attachment. | |
Individual Answer Scores
Answers can be given an automated Score. The available Answer Scores and the scoring mechanism depend on the Assessment’s Category.
Example of Scores:
Score value | Description |
High | High risk answer |
Medium | Medium risk answer |
Low | Low risk answer |
Not Evaluated | Not scored |
Fail | Mandatory fail of the whole Assessment |
Info | Answer has been collected for information only |
Overall Assessment Scoring
The individual Answer Scores are combined to give an overall Assessment score. Available Scores and the scoring mechanism are specified for each Assessment type.
User Roles
Assurance Manager
Assurance Managers send Assessments to Completers and assign Assessors to review them.
Assurance Managers can monitor the progress of all Assessments, as well as manage all Contacts, Users, Organisations and Assessments in the system.
Assurance Manager with Customer Admin
As well as Assurance Manager capabilities, Assurance Managers with Customer Admin can inspect the total usage of the platform, viewing statistics and data regarding the use of the system. They can also view the current subscription dates and subscription limits. All of this is done via the Usage & Statistics page.
Completer
Completers work for Organisations being assured using Rizikon Assurance. Rizikon Assurance allows Completers to complete the Assessments that have been assigned to them, upload comments and attachments to support answers, delegate questions to colleagues who are not contacts or users, and receive feedback on answers from Assessors.
Assessor
Assessors work on behalf of or for Customers doing assurance of Organisations. They review Assessments submitted by Completers.
Crossword Admin
Crossword Admins may have a user account on the system to be used if they are required to provide technical support.
User Roles versus System Capabilities
System Capabilities | Assurance Manager | Assurance Manager with Admin | Assessor | Completer |
Create & Send Assessment. Assign Completers and Assessors | Yes | Yes | No | No |
Complete and submit Assessment | No | No | No | Yes |
Review Assessment, flag questions, add comments and return to Completer | No | No | Yes | No |
Assign User Roles to Contacts | Yes | Yes | No | No |
View All Assessments, Organisations and Contacts | Yes | Yes | No | No |
View assigned Assessments | N/A | N/A | Yes | Yes |
Add Organisations and Contacts | Yes | Yes | No | No |
View Usage and licensing | No | Yes | No | No |
Manage Organisation Tags | Yes | Yes | No | No |
Edit Assessment metadata | Yes | Yes | No | No |
Reset own password and configure Two-factor Authentication | Yes | Yes | Yes | Yes |
Reset other users’ passwords and access to the system | Yes | Yes | No | No |
Managing User Roles
User roles are assigned to Contacts by Assurance Managers via the Manage Contacts page.
Screens and Views
Introduction
Rizikon Assurance is a web-based application. It can be accessed via a modern web browser with support for JavaScript and cookies enabled. Rizikon Assurance supports the following browsers in versions no more than one year old:
Google Chrome
Mozilla Firefox
Apple Safari
Microsoft Edge
Other web browsers and older versions of supported browsers should usually work, but this is not guaranteed.
The general web page layout of Rizikon Assurance depends on the size of the user device’s screen or the web browser’s window. Some web page elements might be minimised on smaller screens, but all described functionality is still accessible. Minor visual details might also vary depending on the web browser, computer, operating system and monitor.
Usual web browser functions such as following a web link, the “Go back” button (or similar), opening multiple web pages in separate windows or tabs, and printing web page content are expected to work with Rizikon Assurance, with the following notes:
If there is any partially filled form and the user leaves the current page in any manner (including but not limited to: closing the web browser’s window or tab, following a web link, clicking the browser’s “Go back” button, etc.), the content of the form might be lost without a warning;
If a user opens multiple Rizikon Assurance pages in separate windows or tabs, they share the same login session. This means, for example, that if the user logs out in one window or tab, he or she is logged out in all other windows and tabs too.
Common Screen Elements and Operations
There are some common elements that appear on multiple Rizikon Assurance screens:
Top Menu - allows navigation among the main screens of Rizikon Assurance; it differs between the Assurance Manager Section and the Portal Section, see below.
“Current User” menu in the top right corner - displays the name of the currently logged-in user and offers user-specific operations.
“Return” button - goes to a logically previous screen, which depends on the current screen.
“Cancel” button - abandons filling in the current form and goes to a previous screen, which depends on the current screen.
“Save changes” button - validates whether the data entered on the form is correct (e.g. values for required fields are provided); if it is correct, submits the entered data to be saved and closes the current form, returning to a logically previous screen. If the data is not correct, it presents information about what is wrong or missing and allows the user to enter correct data and try again.
Main Sections: Assurance Manager and Portal
The Rizikon Assurance web application includes two distinct sections:
“Assurance Manager” - available to Users with role “Assurance Manager”.
“Portal” - available to all Users that are allowed to log in to Rizikon Assurance.
Current User menu
The “Current User” menu is located in the top right corner of each page or, on smaller screens, as the last element of the Top Menu.
It displays the name of the current User and offers access to the following operations:
“About Rizikon Assurance” - opens a web page with a description of Rizikon Assurance in a new window or tab.
“Switch to Portal” - goes to the “Summary” page of the Portal Section; available only if the current page is part of the Assurance Manager Section.
“Switch to Assurance Manager” - goes to the “Summary” page of the Assurance Manager Section; available only if the current page is part of the Portal Section and the current User has the “Assurance Manager” role.
“Change Password” - goes to a page that allows the current user to change their password.
“Two-Factor Authentication” - goes to a page that allows the current user to establish personal Two Factor Authentication settings for Rizikon Assurance or disable it.
“Logout” - logs the current User out of Rizikon Assurance.
Top Menu [Assurance Manager]
On every page of the Assurance Manager Section the following Top Menu is displayed. It allows navigation to the following pages:
There is also a “Current User” menu in the right corner.
On small or narrow screens the menu can be displayed in a minimised form, and its content is shown only after clicking on the menu icon.
Summary [Assurance Manager]
This view is accessible to a User with the Assurance Manager role. It displays summary information regarding the status, progress and results of all Assessments.
Assurance Managers with the Customer Admin capability will also see a menu item on the left to navigate to system usage and limits statistics.
There are three main panels:
“Organisation Criticality Distribution” panel displays each Organisation’s criticality score based on the chosen scorecard.
“Status of Assessments” panel displays the total number of Assessments and the number of Assessments per Stage of processing, based on Assessment Status, the current date and the Submission Target or Decision Target dates (see Assessment properties). The panel can be filtered to one of the Assessment Categories.
“Assessment Score Distribution” panel displays a pie chart with the number of Assessments per Assessment Score. The chart can be filtered by Assessment Category and by some of the Assessment Statuses.
Screenshot for illustration - Summary - Criticality Dashboard and Status of Assessments
Organisations [Assurance Manager]
Organisations list
The Organisation listing view displays all Organisations (by default only Active ones) in the system for the Assurance Manager role in a table view. Additionally there is a search & filter function that allows filtering of the Organisations displayed. For any visible Organisation it is possible to go to its Details page.
Organisation attribute | Sortable? | Filterable? |
Name | Yes | Yes |
Primary Contact | Yes | Yes |
Person Responsible | Yes | Yes |
Count of Assessments associated | No | Yes |
Tags | No | Yes |
The function Create Organisation is accessible from this page.
Screenshot for illustration - Organisation Listing
Organisation Details
The view shows details of one Organisation.
Operations available:
Edit Organisation - goes to “Edit Organisation” page where it is possible to change some organisation parameters.
View Assessments - goes to “Assessments List” page filtered to the Organisation.
View Contacts - goes to “Contacts List” page filtered to Contacts associated with Organisation.
Create Assessment - goes to the “Create Assessment” page with the “Organisation” field of the new Assessment prefilled with the current Organisation.
Assign Tags - opens the “Assign Tag” dialog box.
Deactivate Organisation (only if the Organisation is Active) - shows a confirmation dialog and, if approved, marks the Organisation as Inactive (Active property is set to false).
Activate Organisation (only if the Organisation is Inactive) - shows a confirmation dialog and, if approved, marks the Organisation as Active (Active property is set to true).
Create Organisation
This page allows the user to create a new Organisation. See the description of the Organisation data entity for the meaning of the data fields.
Typing a name or email address of a Contact in the Primary Contact or Person Responsible field shows a selection of matching Contacts and allows selecting one of them.
It is possible to create a new Contact by pressing one of the “add new” buttons under the “Primary Contact” or “Person Responsible” fields. This opens the “Create Contact” page and, if a Contact is created, assigns the newly created Contact to the appropriate field.
The Impact section contains the Impact field (0 - 5; Unclassified - Very High), the Default Scorecard (a dropdown of the available scorecards) and the “Link Organisation to Credit-safe listed company” function.
The Organisation is actually created only after clicking on the “Create” button.
If the “Create Another” checkbox is selected, after creating a new Organisation a new empty “Create Organisation” form appears again, allowing the user to create another Organisation. Otherwise the Organisation Details page of the new Organisation is shown.
Edit Organisation
This page allows to change some details of an Organisation. See the description of Organisation data entity for the meaning of data fields. See also above.
Assessments [Assurance Manager]
Assessments list
The Assessments list view shows selected attributes of all Assessments (by default only ones that are not Archived) in the system in a tabular form. The list can be filtered down by:
Assessment Name (this filter also matches a part of the name);
Assessment Category
Organisation
Assessment Status
assigned Primary Completer or Primary Assessor
It is possible to show also Archived assessments (this option appears only if any Archived Assessment matches the current filter).
It is possible to show only Assessments that should be renewed, i.e. which Renewal Date is in the past.
From this view it is possible to create a new Assessment (the Create Assessment function) or go to the details of any shown Assessment.
Assessment Details
The Assessment Details view shows details of one Assessment.
Operations available:
“Go to assessment” - goes to “Assessment View” page in the Portal Section of Rizikon Assurance.
“Edit Assessment” - goes to “Edit Assessment” page.
“Send Assessment” or “Renew Assessment” - available depending on Assessment Status - sends an automatic email notification to the Completer and changes the status of the Assessment to “Send to completion”.
“Resend Assessment” - available depending on Assessment Status - resends an automatic email notification to the Completer;
“Actions”:
“Send reminder emails” - available depending on Assessment Status - sends automatic email notifications to Completers or Assessors (depending on Status) about the Assessment awaiting their attention.
“Cancel Assessments” - changes Assessment Status to “Cancelled”.
“Reinitiate Assessment” - available only if Assessment Status is “Cancelled” - changes Assessment Status to “Draft”.
Create Assessment
This page starts a 2-step process for creating a new Assessment. At the first step an Assessment Category and an Organisation need to be selected.
Typing the name of an Organisation (or a part of the name) shows a list of matching Organisations for selection. Clicking on the “Create new organisation” button opens the “Create Organisation” page, which allows the user to create a new Organisation. The newly created Organisation is automatically assigned to the “Organisation” field.
At the second step, the remaining attributes of the Assessment can be provided.
See the description of the Assessment data entity for information about the meaning of the fields.
Typing a part of a name or an email of a Contact in Completer or Assessor fields shows a list of matching Contacts and allows selecting one of them.
More Completers or Assessors can be added to the Assessment by clicking respectively buttons “Assign more completers” or “Assign more assessors”.
Clicking “Create new completer” or “Create new assessor” opens the “Create Contact” page, which allows the user to create a new Contact. The newly created Contact is assigned to the appropriate field of the Assessment.
Edit Assessment
The Edit Assessment page allows the user to change some metadata of one Assessment.
See the description of Assessment data entity for information about the meaning of the fields. See also above for information about entering metadata for Assessments.
Contacts [Assurance Manager]
Contacts list
The Contacts list view shows all Contacts registered in Rizikon Assurance (by default not including Deleted Contacts) in a tabular form. The list can be filtered by:
Name (or a part of the name)
Email address
Organisation
The function Create Contact is available from this page.
Clicking on any Contact’s Full Name goes to “Contact Details” page for the selected Contact.
Contact Details
The Contact Details view shows details of one Contact.
Available operations:
“Edit Contact” - goes to “Edit Contact” page
“View Assessments” - goes to “Assessments list” page with the filter set to this Contact being a Completer or Assessor.
“Add Capabilities” - a sub-menu that allows the user to add more roles (“capabilities”) to the Contact.
“Actions” - a sub-menu with additional operations:
“Send Invitation Email” - available only if the Contact has not set up a password - sends an automatic invitation email to the Contact with a link allowing them to configure the account for the first time;
“Send Reset Password Email” - available only if the Contact has set up a password - sends an automatic email to the Contact with a link allowing them to reset the current password;
“Unlock login after security block” - available if the Contact’s current Security Status is Security Blocked - removes the Security Block, allowing the Contact to access Rizikon Assurance.
“Change Status” - a sub-menu that allows the user to change the current status of the Contact.
It is also possible to remove associated Roles (“Capabilities”) by clicking the “Remove” button next to the Role intended to be removed from the Contact.
Create Contact
The Create Contact page allows the user to create a new Contact. See the description of the Contact data entity for information about the meaning of the fields.
If the “Completer” checkbox is selected (default), the new Contact gets the “Completer” role (capability) and can be associated with Assessments as the Primary Completer or an Additional Completer.
If the “Assessor” checkbox is selected, the new Contact gets the “Assessor” role (capability) and can be associated with Assessments as the Primary Assessor or an Additional Assessor.
If the “Create Another” checkbox is selected, after creating a new Contact a new empty “Create Contact” form appears again, allowing the user to create another Contact. Otherwise the “Contact Details” view of the new Contact is shown.
If “Send Invitation Email” is selected (default), after creating the new Contact Rizikon Assurance sends an automatic invitation email to the Contact with a link allowing them to set up a password.
Edit Contact
The Edit Contact page allows the user to change some data about the Contact.
Selecting or deselecting “Completer” and/or “Assessor” checkboxes adds or removes respective roles (capabilities) to/from the Contact.
Tools [Assurance Manager]
Data Upload
This screen allows the user to upload data about Assessments, Organisations and Contacts from existing sources. See here for more information.
Organisation Tags
This screen shows the list of existing tags that can be associated with Organisations. It allows the user to create new tags, and to edit or delete them.
In RA 2.0 we have introduced a new group of system tags: Risk and Impact Tags. Both range from Unclassified to Very High and represent the organisation’s security risk and the organisation’s security impact respectively.
Usage and Limits
This page displays useful information on the limits, subscriptions, usage and licensing of the system.
Top Menu [Portal]
On every page of the Portal Section the following Top Menu is displayed. It allows navigation to the following screens:
There is also a “Current User” menu in the right corner.
On small or narrow screens the menu can be displayed in a minimised form, and its content is shown only after clicking on the menu icon.
Summary [Portal]
Assessment page - Completer view [Portal]
Assessment page - Assessor view [Portal]
Assessment Review page - Assessor view [Portal]
Configurable items
This section describes all areas of configuring Rizikon Assurance for the Customer.
Configurable Option | Description | Notes |
Name | Internal id | As appears in the URL |
Description | Display Name | Used in |
Support Email | Email address of the customer support contact | Shown in emails and on the support centre page |
Support Phone | Phone number of Customer support | As displayed on the “Contact Us” tab |
Support Hours | Support contact hours | As displayed on the “Contact Us” tab |
Base URL | Alternative Rizikon URL for a given tenant | E.g. “https://rizikon.example.com”. Requires appropriate IT configuration on the client side (DNS config). |
Extra URL Parameters | Additional parameters added to URLs | E.g. “param1=value1” |
Terms and Conditions URL | Provides a Terms and Conditions URL for the tenant | Found on the login page. |
Privacy Statement URL | Adds a link “Statement regarding Data Privacy from {tenant}” on the Security Centre tab | |
Max Attachment Size | Sets the maximum attachment size when uploading to questions | Default value is 5 MB. |
Max Number of Attachments Per Answer | Number of attachments possible for each question | |
Max Number of Attachments Per Assessment | Number of attachments possible for each Assessment | |
Custom Question Set Visibility | Configuration for the question sets selectable on the tenant | |
Tenant Logo | Logo of the customer displayed on the login screen and on the top left of every page in the system. | Logos will be rescaled to a height of 70px. |
E-mail logo | Logo to be attached to automated emails from the tenant. | |
Custom Assessments
In addition to the Standard Library of Assessments, custom Question Sets can be implemented with specific questions, scoring and reports specified by each Customer. The visibility of the Assessment can be configured as described in Configurable Items.
The assessment itself may be implemented using the previously specified Question Types, Per Question Scoring, and overall mark scheme.
Client logo
It is possible to upload the client’s logo to be visible on all pages of the system after login, as well as on the login page for that tenant. This is configurable, as described in Configurable Items.
Workflows
Assessment Workflow
Assessments can be in the following statuses:
Assessment Status | Description | Notes |
Draft | Assessment not initiated | Not answerable or visible to the listed completer, and no email sent. |
Sent for Completion | Assessment initiated | Answerable and visible to completers, with email notification sent to Primary Completer. |
Opened | Assessment opened within Rizikon Assurance by a completer | |
In Progress | Completer has answered at least 1 question | |
Ready for Submission | Completer has answered all questions that were mandatory and visible | |
Submitted | Completer has submitted the Assessment | Completer can no longer edit anything within the assessment. Automatic report has been generated. Primary Assessor receives email notification, and can now take actions. |
Under Review | Assessor has opened the Submitted Assessment | |
Sent for Clarification | Assessor has used the “send back” action | Assessment becomes editable and notification sent to Primary Completer. Assessor can no longer take actions. |
Approved | Assessor uses the “Approve” action. | Assessment uninitiated and neither Assessor nor completer may make edits or take further actions within the assessment. |
Rejected | Assessor uses the “Reject” action. | Assessment uninitiated and neither Assessor nor completer may make edits or take further actions within the assessment. |
Cancelled | Assessment has been cancelled by an Assurance Manager. | Assessment uninitiated and neither Assessor nor completer may make edits or take further actions within the assessment. |
When an automatic notification email about an assessment action is due to a contact, whether Completer or Assessor, who has not yet been invited to the Rizikon Assurance instance, that contact receives an invitation email instead of the notification email.
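The status table above is, in effect, a state machine in which each transition is tied to a role: Completers edit only while the assessment is open to them, and the Assessor loses all actions once "Send Back" has been used. The following is an added example, not Rizikon Assurance's own code, that encodes those rules as an explicit transition table and refuses anything not listed. The action names, and the assumption that an Assurance Manager is the role that moves an assessment from Draft to Sent for Completion, are this example's own; the statuses are the documented ones.

```python
"""Assessment status workflow as a role-checked state machine.

Added illustration; not Rizikon Assurance's own code. Statuses are the
documented ones. Action names are this example's; which role initiates an
assessment (Draft -> Sent for Completion) is an assumption, taken here to be
the Assurance Manager.
"""
from __future__ import annotations

DRAFT = "Draft"
SENT = "Sent for Completion"
OPENED = "Opened"
IN_PROGRESS = "In Progress"
READY = "Ready for Submission"
SUBMITTED = "Submitted"
UNDER_REVIEW = "Under Review"
CLARIFICATION = "Sent for Clarification"
APPROVED = "Approved"
REJECTED = "Rejected"
CANCELLED = "Cancelled"

# Closed states: nobody may edit or act.
TERMINAL = {APPROVED, REJECTED, CANCELLED}
# States in which the Completer may change answers.
COMPLETER_EDITABLE = {SENT, OPENED, IN_PROGRESS, READY, CLARIFICATION}

# (current status, action, role) -> next status. Anything not listed is denied.
TRANSITIONS: dict[tuple[str, str, str], str] = {
    (DRAFT, "send", "assurance_manager"): SENT,            # assumption: AM initiates
    (SENT, "open", "completer"): OPENED,
    (OPENED, "answer", "completer"): IN_PROGRESS,
    (IN_PROGRESS, "answer", "completer"): IN_PROGRESS,
    (IN_PROGRESS, "complete_mandatory", "completer"): READY,
    (READY, "answer", "completer"): READY,
    (READY, "submit", "completer"): SUBMITTED,
    (CLARIFICATION, "answer", "completer"): CLARIFICATION,
    (CLARIFICATION, "submit", "completer"): SUBMITTED,
}
# The Assessor may act once the assessment is Submitted or Under Review, and only then.
for _reviewable in (SUBMITTED, UNDER_REVIEW):
    TRANSITIONS[(_reviewable, "open_review", "assessor")] = UNDER_REVIEW
    TRANSITIONS[(_reviewable, "send_back", "assessor")] = CLARIFICATION
    TRANSITIONS[(_reviewable, "approve", "assessor")] = APPROVED
    TRANSITIONS[(_reviewable, "reject", "assessor")] = REJECTED


class AssessmentWorkflow:
    def __init__(self, status: str = DRAFT) -> None:
        self.status = status
        self.history: list[tuple[str, str, str, str]] = []

    def next_status(self, action: str, role: str) -> str | None:
        """Resolve the transition, or None when the role may not take the action now."""
        if self.status in TERMINAL:
            return None
        if action == "cancel":                     # Assurance Manager may cancel any open assessment
            return CANCELLED if role == "assurance_manager" else None
        return TRANSITIONS.get((self.status, action, role))

    def allowed(self, action: str, role: str) -> bool:
        return self.next_status(action, role) is not None

    def apply(self, action: str, role: str) -> str:
        nxt = self.next_status(action, role)
        if nxt is None:
            raise PermissionError(f"{role!r} may not {action!r} while {self.status!r}")
        self.history.append((self.status, action, role, nxt))   # audit trail of who did what
        self.status = nxt
        return nxt

    def completer_may_edit(self) -> bool:
        return self.status in COMPLETER_EDITABLE
```

The point of keeping the table explicit is that authorisation is decided by (status, action, role) rather than by role alone: an Assessor who is a valid user still cannot "Approve" an assessment that has been sent back, and a Completer cannot edit a Submitted one, exactly as the Notes column states.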
Outputs and Reports
Reports are generated automatically every time an assessment is submitted. The predefined scoring algorithms for Per Question Scoring and the overall mark scheme are used to create an Executive Summary and a section-by-section breakdown of the assessment.
In some cases, reports may also be updated (regenerated) by the Assessor to reflect any manual scoring they have applied to the assessment. This is done from the action menu, under "Approve", "Reject" and "Send Back", and adds a new report to the list with the identifier "[Reviewed]".
Reports are viewable by Assessors and can be either visible to or hidden from the Completer. If a report is hidden from the Completer, they instead see a submission record showing when the assessment was submitted.
Reports can be printed as PDF and downloaded as a Word document.
Uploads and downloads via CSV
Uploading data
It is possible to upload data in CSV format about Contacts, Organisations and Assessments. Blank templates are provided on the Data Upload page.
The templates can be downloaded by all Assurance Managers from https://assurance.rizikon.io/manager/bulkdataupload, reached via the "Tools" dropdown, "Data Upload".
Standard Assessments
Standard Assessments are provided to customers for use at their own discretion and risk. It is strongly recommended that customers review them before use to determine their fitness for the customer's assurance purposes.
List of Standard Assessments
Standard Assessment | Purpose & description |
Supplier On-boarding | Obtaining basic information from a new supplier. |
GDPR Data Processor Responsibilities | Gathering information on GDPR compliance for Data Processors. |
Security Low Risk | Cyber Essentials based Assessment for checking a foundational level of cyber security. |
Security High Risk | IASME Governance based Assessment for checking a more substantial level of cyber security. |
ISO27001 | ISO 27001 based Assessment. |
Modern Slavery Risk | Obtaining core information on ethical trading and Modern Slavery in the organisation and supply chain. |
Anti-Bribery and Corruption | Obtaining core information on ethical trade in reference to Bribery and Corruption in the organisation and supply chain. |
UK 2018 National Minimum Wage | Checking compliance with Labour Market Regulations on the minimum wage in an organisation. |
Security
Security architecture
...
User access to Rizikon is by log-in with the user's email address and password over HTTPS; the service's TLS certificates are managed through Amazon Web Services (AWS) Certificate Manager.
All information is encrypted in transit and at rest: TLS 1.2, with an RSA-2048 server certificate, protects data between the user's browser and the server, and AES-256 is used for encryption at rest. Stored passwords are hashed with PBKDF2 using a random salt generated separately for each user.
Data from the Rizikon Instance is held in the United Kingdom with redundancy and back-up strategies in place to minimise risk of data loss or outages.
Two-factor Authentication (2FA)
Two-factor authentication is an optional setting available to all users. It is configured under the "Current User" settings dropdown.
A guide is provided on the configuration page, which can be located at https://www.rizikon.io/kb/security/two-factor-authentication
Rizikon Assurance uses the Google Authenticator app, which generates time-based one-time passwords, for two-factor authentication.
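Google Authenticator implements the TOTP scheme of RFC 6238, so what the server has to hold is a per-user shared secret and a verifier with a small clock-skew window. The following is an added example, not Rizikon Assurance's own code, showing the three parts of an enrolment: generating the secret in the base32 form the app expects, building the otpauth:// URI that is normally shown as a QR code, and verifying a submitted code with replay protection. Issuer and account names are placeholders.

```python
"""Time-based one-time passwords (RFC 6238), the scheme Google Authenticator implements.

Added example; not Rizikon Assurance's own code. Secret length, window size,
and the issuer/account placeholders are this example's choices.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time (T0 = 0, 30-second steps)."""
    return hotp(key, at // step, digits)


def new_secret(length: int = 20) -> str:
    """Random 160-bit secret, base32 without padding, as Google Authenticator expects."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii").rstrip("=")


def decode_secret(secret_b32: str) -> bytes:
    """Accept the spaced/lower-case form users tend to paste and restore padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the configuration page would render as a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer, "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check: accept the current step and +/- `window` steps for clock skew,
    but consume each step at most once so an intercepted code cannot be replayed."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30) -> None:
        self.key, self.window, self.step = key, window, step
        self.last_counter = -1          # highest counter already accepted for this user

    def verify(self, code: str, at: int | None = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                # that step (or an older one) was already used
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False
```

The verifier is deliberately stateful: without `last_counter`, a code captured during its 30-second validity (plus the skew window) could be submitted a second time. In a real deployment that counter is stored per user alongside the secret, and the secret itself is stored encrypted, since it is equivalent to the second factor.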
Technology Stack & Infrastructure Regions
The application is written mostly in Java. Data is stored in an encrypted PostgreSQL database.
Hosting and data storage are supplied by Amazon Web Services, spread across two UK availability zones.
Google Cloud (UK region) is used for archiving and as recovery hosting in the event of AWS non-availability.