Exception Questionnaire

Jkelley · ‎03-15-2024

I am wondering how the Exception Questionnaire in Vulnerability Response is useful for approvers/where the answers can be found? I know the metric results and assessment instance questions are linked to the state change approval record, but they aren't useful or in a readable format, and some answers are not even available on that table depending on their data type. Is there a form view of the submitted questionnaire with the answers that I am missing somewhere?

We have a questionnaire that we added many questions to of various data types, that need to be reviewed prior to approval/rejection.

thank you!

william_tran · ‎03-15-2024

Hi Jkelley,

Within the Vulnerability State Change Approval record, there should be a reference field (assessment_instance) called 'Questionnaire' that is available on the form. This is the record that will store all the information about that specific Questionnaire that was submitted for the VCA record. The 'Related Link' will have a click-able link that will open the questionnaire in a more readable format.

Please let me know if this helps.

Best,

William

View solution in original post

Chris Walker1 · ‎04-23-2024

@Jkelley

Thank you for your post and hope you are doing well! Answering both questions per your inquiry below:

1. Impactful usage and business value: An exception questionnaire aids the organization in prioritizing and address vulnerabilities based on the potential impact. It allows security teams to assess the risk associated with each vulnerability disclosed and determine if an exception may be warranted. Thus, a questionnaire can assist the analyst in providing further data insights, artifacts, and justification to make tracking effective and standardized. This directly impacts compliance objectives to maintain regulatory requirements and industry standard practices. It further validates that exceptions and proceeding questions answered were properly justified, documented, and accelerate the reduction of overall total risk exposure of non-compliant assets.

2. Configure Exception Management for Vulnerability Response

Navigate to All > Vulnerability Response > Administration > Exception Management.

To configure questionnaires based on conditions for exception and false-positive requests:
1. In the VR Questionnaire Configuration section, select New.
2. In the Questionnaire Configuration - New Record form, fill in the fields and select Submit.
  For more information on the Questionnaire Configuration form fields, see Questionnaire Configuration form fields.
  
  The created questionnaire appears in the VR Questionnaire Configuration section of the Settings for VR Exception Management form.
For example, if you want to configure questionnaire for false-positive requests for critical vulnerable items, then select the False positive for vulnerable items approval rule, provide the condition as Risk rating is 1 - Critical and select the desired questionnaire in the Questionnaire Configuration form.

As you can see below, Vulnerability Response includes an Exception Questionnaire and Compensating Control Questionnaire forms. Both can be accessed and configured with your organizations questions and template/branding and other variables.

From here, navigate your mouse to the information (i) icon - to the right of the *Questionnaire to request exception

On the next screen, locate the SURVEY DESIGNER button - this will allow you to customize the pre-made questionnaire template in a readable format with drag and drop functionality.

Example Screenshot

To locate Exception Requests - Questionnaire Responses

1. Navigate to the Vulnerability Manager Workspace or IT Remediation Workspace

2. Go to the List View

3. Select Exception requests - my requests - view an exception - scroll to the bottom where you will locate Questionnaire - to the right - select the (i) record to open the record - you will be presented with the list of questions.

I hope you found this post helpful. If so, please mark my response as correct.

Cheers.