
Information Security Setup

What are divisions?

A division can be any logical partition of an organisation. Abriska allows an organisation to create as many hierarchical levels as are required. This allows individual departments or business units to utilise different areas of the application, but still allows for reporting to be conducted against any, or all, of these levels.

Creating a new division

Navigate to Organisation Setup > Divisions

To add a new division, click on the ‘Create New Division’ button. Enter the division name, description and select the parent division from the drop down.

To edit an existing division, click on the division name from the hierarchy; this will bring up the division form.

Deleting a division

Divisions can only be deleted when there are no activities or resources attached to that division. If a division is able to be deleted then the ‘Delete Division’ button will be visible on the sidebar of the division form.
Warning: As divisions can only be deleted when there are no activities or resources attached, this delete is a firm delete operation and cannot be undone.

What are Contacts?

Any individual who is required to view or edit information within Abriska must be set up as a contact and assigned a role. Contacts can also be used to allocate ownership of various items within the application (see 'Contact Responsibilities', below).

To view the list of current contacts, click on ‘Contacts’ from the organisation setup page.

Teams

Abriska also allows an organisation to distribute responsibilities to a ‘Team’. A ‘Team’ is essentially a group of Abriska contacts; any item allocated to a team can have its ownership added, amended or deleted by any user within that team. Teams can be allocated ownership of any item that can be allocated to a single contact.

Teams are displayed on the same page as contacts, but are viewed by selecting the 'Teams' tab.

Creating a New Contact

To add a new contact, click ‘Create a New Contact’ from Organisation Setup > Contacts. The contact must be assigned to a division. A contact can only be assigned a username after they have been created, by editing the contact.

To amend the details of an existing contact, click on the ‘edit’ link associated with that individual contact. This will display the contact edit form.

Assigning Log on Rights

The following descriptions refer to the sidebar of the contact edit form.

Assigning a Username

To limit access to Abriska, each user requires a unique username and password combination. The user cannot modify their username, but can modify their password at any time. When setting up a new contact, they must first be allocated a unique username. To assign a username, click ‘Edit Username’. The username can be emailed to the user only if a valid email address has been supplied for them during setup.

After a username has been configured, it will either be accepted and the application will return to the contact screen or it will return a warning message to the username form.

A password or Abriska role cannot be assigned until a unique username has been created for a contact.

Assigning a Password

To enable a user to access Abriska, a password must be assigned. This is initially set by the administrator and can then be changed by the user. To assign a password, click ‘Edit Password’. The password form will then be displayed. When a user first logs onto the system, they will be prompted to change their password from the initial one configured.

Abriska can enforce strong passwords - this can be configured to reflect the organisation’s existing corporate policy.

Assigning an Abriska Role

Users within Abriska can be allocated different permissions via their role. A description of each role is given below.

When a new user is created, the default role will be ‘Basic User’. Should this need to be modified, click ‘Assign Abriska Role’. To amend a role, select the relevant role from the displayed form and press ‘Submit’ to save.

Any change to the role of a user who is currently logged onto Abriska will only take effect once that user logs off and then on again.

The following roles exist within Abriska:

  • Basic User - This allows users to log on to Abriska and complete specific elements that have been allocated to them, i.e. undertake control assessments, risk assessments that have been assigned to them or a BIA activity that has been assigned to them. The user does not have the ability to modify the base setup of Abriska.
  • Reports User - This allows the user the same level of access as a basic user, but they can also view the reports that have already been run.
  • Division Admin - Can view, create, modify and archive everything within a division and its sub divisions. They cannot modify any of the configuration within the organisation.
  • Org. Admin - This allows the user full access to modify the base setup of the organisation and also full access to the reporting available.
  • Parent Org. Admin - If multiple organisations have been created, this permission level allows the user full Org. Admin access over this organisation and any sub organisation.
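The division hierarchy described under 'What are divisions?' and the scoping of the Division Admin and Org. Admin roles above can be modelled as a small tree. The following is an added example, not Abriska's own code: the division names, the `PARENT` map and the function names (`descendants`, `scope_for_role`, `can_delete_division`, `activities_under`) are assumptions made for this illustration. It also applies the rule that a division may only be deleted when no activities or resources are attached.

```python
"""Added example (not Abriska's code): a toy model of the division hierarchy
and of how roles scope what a user may administer. All names here are
assumptions for illustration, not Abriska identifiers."""

# Constructed sample hierarchy: the organisation root, two top-level
# divisions and one sub-division nested under Finance.
PARENT = {
    "Org": None,
    "Finance": "Org",
    "Payroll": "Finance",
    "IT": "Org",
}


def children_of(parent, tree=PARENT):
    return [d for d, p in tree.items() if p == parent]


def descendants(division, tree=PARENT):
    """The division itself plus every division nested beneath it, depth first."""
    out = [division]
    for child in children_of(division, tree):
        out.extend(descendants(child, tree))
    return out


def scope_for_role(role, home_division, tree=PARENT):
    """Divisions a user may administer, following the role descriptions:
    Org. Admin covers the whole organisation, Division Admin covers the home
    division and its sub divisions, other roles administer nothing."""
    if role in ("Org. Admin", "Parent Org. Admin"):
        root = next(d for d, p in tree.items() if p is None)
        return set(descendants(root, tree))
    if role == "Division Admin":
        return set(descendants(home_division, tree))
    # Basic and Reports users only act on items assigned to them.
    return set()


def activities_under(division, activities, tree=PARENT):
    """Reporting against any level: activities in the division or beneath it."""
    in_scope = set(descendants(division, tree))
    return [a for a in activities if a["division"] in in_scope]


def can_delete_division(division, activities, resources):
    """A division may only be deleted when nothing is attached to it directly."""
    attached = [a for a in activities if a["division"] == division]
    attached += [r for r in resources if r["division"] == division]
    return not attached


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    acts = [{"name": "Run payroll", "division": "Payroll"},
            {"name": "Patch servers", "division": "IT"}]
    print(scope_for_role("Division Admin", "Finance"))
    print([a["name"] for a in activities_under("Finance", acts)])
    print(can_delete_division("Finance", acts, []))
```

Note that `can_delete_division` checks only items attached directly to the division, which is the rule the page states; whether sub divisions must be removed first is not specified on the page and is left out.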

Creating a New Team

To add a new team, click ‘Create a New Team’ from Organisation Setup > Contacts, give the team a name and choose which division it should be a part of. To amend the details of an existing team, click on the ‘Teams’ tab and then click on the 'edit' link that is associated with that team.

To assign a contact to a team, click the 'edit' link for the contact that is to be assigned. From the contact setup form, select 'Assign to Team' from the sidebar. This option is only available for existing contacts when the organisation has at least one team set up.

Deleting a Contact or Team

Contacts cannot be fully deleted; they are only hidden from view. The reason for this is that removing the contact fully would corrupt the application. Deleted contacts will, however, not be displayed in other parts of the application and cannot log in to Abriska.

To remove a contact or team, navigate to the corresponding 'contact edit form' or 'team edit form'. From here, select 'Delete Contact' or 'Delete Team', as applicable. Please note that contacts cannot be restored from within the application after they have been deleted. If a contact is deleted accidentally, then please contact support.

End Dated Contacts

Deleted contacts are archived and can be viewed by clicking 'View End Dated Contacts' from Org Setup > Contacts. If an end dated contact still has active responsibilities, then these can be reassigned to another contact by clicking 'Manage Responsibilities'.

Contact Responsibilities

Contacts can be assigned the following items. Please refer to any relevant pages below for more information on allocating responsibilities.

A contact's assigned responsibilities can be viewed from the contact edit form.

Archiving/Deactivating contacts

Contacts can be archived if they are no longer needed or in the event an admin user leaves the business. This can be achieved by the following:

Organisation > Organisation set up > Contacts > Edit > Archive Contact

What are Documents?

Document links can be created within Abriska to link individual BIA activities and organisational controls to a referenced support document stored within the organisation's document management system or on a file share. As an example, an organisation could create a referenced link to their Information Security policy (stored within their document management system) to demonstrate their implementation of control 5.1.1.

Abriska is not a document management system. The links it stores are purely for referencing activities and controls to a support document.

Creating a New Document

To add, amend, or delete documents, click “Organisation Setup” and then “Documents” from the organisation homepage. To create a new document, click on the “Create New Document” link in the documents sidebar. To amend the details of an existing document, click on the “Edit” link associated with that individual document. To delete a document reference, or multiple document references, click on the checkboxes associated with individual document references and press “Submit” to remove.

Document upload restrictions

There is a 5MB limit on each document being uploaded to Abriska.

What is the risk appetite?

ISO 31000 defines risk appetite as the “total amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time”. By default, Abriska uses a standard Red-Amber-Green (RAG) matrix to represent an organisation's tolerance to any specific risk. The risk appetite is viewable by clicking on “RA Setup” from the main organisation screen, then selecting “Setup Risk Appetite”.

Risk Matrix Setup

Individual cells within the risk matrix can be modified by clicking on the cell which will cause the cell to cycle through the available colours. The risk boundaries can be defined in multiple ways in order to handle non-integer values for risk scores that will arise during risk assessment.

Linear Risk Matrix Setup

If the organisation is using a linear risk matrix, then input the upper boundary for each colour in the text boxes. The lower boundaries cannot be set directly; each is set equal to the upper boundary of the preceding colour. The diagram does not update in real time; submit the form to save changes.

Adding New Colours

Click “Setup Colours” displayed on the appetite matrix screen and a list of configured colours is displayed. To modify a colour, click on a coloured box and a “colour picker” panel will appear. Choose a new colour by using the scale and clicking the required colour shade. This will then change the colour of this tab. To delete a colour, click the “delete” link associated with that colour.

Colours must be in ascending severity order.

Warning: Deleting colours is a firm delete operation.