Collecting evidence from RAM

Control Compliance Suite lets you connect to the Response Assessment module and assign the CCS assets to questionnaires to collect the evidence data.

Table: Collect data from RAM lists all the tasks that you must complete to view the evidence data from the questionnaires.

Table: Collect data from RAM

Task

Description

Assign roles

Assign the Asset Viewer role to users who answer the questionnaire about CCS assets. The role determines what you can see and do in the CCS Console.

See Adding users and groups to a role.

Configure the RAM database

Configure the SQL Server settings to connect to the RAM database.

See Configuring the Response Assessment module settings.

Create asset groups

Create the asset groups to use in the questionnaires. Individual assets can be used, but they must be part of an asset group for the Policy module to use them.

An asset group consists of assets of one or more types. The grouping is represented in a hierarchical fashion with nested subsets. You can create dynamic and static asset groups to organize the assets into logical groups.

See Creating a dynamic asset group.

See Creating a static asset group.

Enable the CCS connection

Enable the connection to the CCS application server to collect the evidence data.

See Adding a link to Control Compliance Suite.

Create a questionnaire

Create a questionnaire or choose a questionnaire from the predefined content folders.

Refer to the Response Assessment module User Guide for steps on how to create a questionnaire.

Add an asset group variable

Create a user-defined property and assign it to a CCS asset.

See Adding a user-defined property in RAM.

Invite questionnaire users

Invite users to the new questionnaire and select the CCS asset to link to the questionnaire.

See Publishing a questionnaire with invitations in RAM.

Create a policy

After the evidence data is in the database, create a policy for the questionnaire from the CCS Console.

Create a policy and link it to the same asset group that is linked to the questionnaire. The policy reports do not work if the policy is not linked to the same asset group.

See Creating a new policy.

See Importing a Word policy.

Map control statements

After the policy is created, map the control statements to the policy. The control statements are mapped to the frameworks and regulations that your enterprise must adhere to.

The policy reports do not work if the policy and questions in the questionnaire are not linked to the same control statements.

See Mapping policies to control statements.

Publish the policy

After the policy is mapped to the control statements, publish the policy for user acceptance.

See Publishing a policy.

Synchronize the reporting database

After the policy is published, synchronize the reporting database to run reports.

Note: Evidence from RAM is imported only if it exists in the Evidence table of the RAM database.

See Running a job now.

Run reports

After data is synchronized, run the following reports to view the RAM data:

  • Overall Policy Compliance Score

  • Policy Results Report

  • Third Party Control Statement Mapping

See Scheduling a report.

See Viewing a report.