Legal Notice
Copyright 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (Third Party Programs). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support's primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantec's support offerings include the following:
A range of support options that give you the flexibility to select the right
amount of service for any size organization
For information about Symantec's support offerings, you can visit our website at
the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Hardware information
Operating system
Network topology
Problem description:
Customer service
Customer service information is available at the following URL:
www.symantec.com/business/support/
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
customercare_apac@symantec.com
semea@symantec.com
supportsolutions@symantec.com
Chapter
Understanding CCS Assessment Manager
This chapter includes the following topics:
Light-weight, Web-based clients for CCS Assessment Manager administrators and attesters: Lets you perform the assessment-related operations by using the browser-based UIs.
Structured approach and a proven methodology: Standardizes the assessment process for more effective corporate-wide assessments.
Multi-lingual support
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
Predefined questionnaires
Assessment delegation
Section delegation
Schedule assessments
Response aggregation
CCS AM Administrators
CCS AM end-users
CCS Assessment Manager uses the following two types of assessments to gather
information about the organization's current compliance posture:
User assessments
Table 1-1 describes the asset compliance and user assessments in CCS Assessment
Manager.
Table 1-1
Regularly install the latest security patches on the computers on which you
install the CCS Assessment Manager and the database server.
Enable SSL on the IIS Web site that you use to install the CCS Assessment
Manager Web portals.
To enable SSL on IIS, use the certificates that are issued by a trusted
certificate authority.
Use HTTPS and disable HTTP access to the CCS Assessment Manager Web
portals.
Restrict the proxy server access to legitimate users if you use a proxy
between the browser and the Web server. Additionally, enable appropriate
security measures on the proxy server.
For CCS Assessment Manager Service account, choose a user account that does
not have administrative access on the computer that has CCS Assessment
Manager installed. Use the user account from Users group.
For a CCS Assessment Manager that is installed on the Windows 2003 computer,
the service user should have administrative privileges on the local computer.
Note: Since the user is not a machine administrator, the Launch Admin Web
Portal shortcut on the Assessment Manager Console and the preview of video
and images in the Edit Question window are not available. The user can preview
the attached videos and images from the Admin Web Portal.
Enable SSL and use the certificates that are issued by a trusted certificate
authority.
Restrict the Service User account access on RAM_DB only to a user with
the db_owner privileges. Restrict database access to Service Account users
only.
Enable regular antivirus scans on the CCS Assessment Manager file repository.
The location of the CCS Assessment Manager file repository is as follows:
<install dir>\CCS Assessment Manager\CCS Assessment Manager Server\Repository
Tasks
Administrators
Power Users
View questionnaires
Create questionnaires
Edit questionnaires
Delete questionnaires
Review questionnaires
Publish questionnaires
Table 1-2
Tasks
Administrators
Power Users
Create assessments
Assign assessments
Accept/decline assessments
Respond to assessments
Review responses
Create reports
CCS Assessment Manager Admin Web client
CCS Assessment Manager Web client: Lets the attesters provide the assessment response.
CCS Assessment Manager server
Content packs
Group
Question
Answer
You can perform the following tasks by using the CCS Assessment Manager client:
Create a questionnaire.
Download, import, and customize an OCIL 2.0 regulatory content pack into a
questionnaire.
Delete a questionnaire.
You create or manage a questionnaire with the following CCS Assessment Manager
Client tools:
Weight Wizard
Answer Templates
Spell Checker
Note: Your user account must belong to the RAM_Administrators group or the
RAM_PowerUsers group on the CCS Assessment Manager server to access the
CCS Assessment Manager Admin portal.
The CCS Assessment Manager administrators can use the Admin Web client to
perform the following tasks:
Review and approve a questionnaire
Initiate an assessment
User assessment
Track responses
Review responses
Generate reports
subsequently. The language preference remains the same unless you specify a
different language again.
Only CCS Assessment Manager Web portal interface is displayed in the language
that you select. The assessments are always displayed in the language that they
are created by the author. If you do not specify any language from the Select
Language drop-down list, then the UI is displayed as per the browser locale.
Note: To view more languages in the Select Language list, you must install the
language pack. For more information about the availability of your desired
language contact Symantec technical support.
The CCS Assessment Manager attester can use the Admin Web client to perform
the following tasks:
Submit response
Delegate assessment
Review responses
Aggregate responses
Decline assessment
By default, the CCS Assessment Manager Server installation creates the RAM_DB
SQL Server database. During installation, you can also choose to use a previously
created empty database.
Note: You need sys_admin privileges to use the default CCS Assessment Manager
database or a custom database. To use a pre-created database, you must have the
db_owner permissions on the pre-created database.
See About the CCS Assessment Manager components on page 17.
German
English
Spanish
French
Italian
Chapter
User assessments
Create the IT assets or the business assets in CCS. In case of business assets,
you must associate IT assets to the business assets.
You can also import the assets to CCS by using LDAP or a .csv file.
Assign asset owners to each asset. Users can be assigned in the format of
domain\user.
User assessments
A user assessment lets you collect responses from the end-users in your
organization for non-IT assessments. A user assessment typically comprises
quiz-based questionnaires and lets you assess the attesters based on the individual
scores.
You do not have to integrate with Control Compliance Suite to initiate user
assessments.
In case of user assessment, the attesters do not have the option to decline or
delegate an assessment. As an administrator, after you receive the user responses,
you can generate the operational reports by using the CCS Assessment Manager
reporting capabilities.
See Creating a user assessment on page 47.
Chapter
To meet the mentioned business objectives by using the CCS Assessment Manager
infrastructure, you do the following:
Create questionnaires.
Creating a questionnaire
You start the assessment process with questionnaire creation. You can import a
pre-defined questionnaire or create a new questionnaire that suits your
organizational requirements.
You can create questionnaires in the following languages:
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
You can create a questionnaire from the CCS Assessment Manager Admin client.
You must have an administrator's role to be able to create a questionnaire.
When you create a questionnaire, you can add single or multiple questions to a
group in the questionnaire. The maximum length of a question is 1024 characters,
including spaces. In the console, a question that is over 255 characters in length
is not completely displayed. The complete question is visible in the Web client
and in the Reporting tools.
You can select the following question types:
Choice
Numeric
Boolean
String
Note: At any point of time during the questionnaire creation, you can save the
questionnaire in the database. To save the questionnaire, right-click the
questionnaire and click Save.
To create a questionnaire
Launch the CCS Assessment Manager console, and then click New
Questionnaire in the dialog box that appears.
Type the questionnaire name in the New Questionnaire dialog box, and then
click OK.
Alternatively, in the CCS Assessment Manager console toolbar, click File >
New Questionnaire.
In the New Questionnaire dialog box, type the name of the questionnaire
and then click OK.
Select the questionnaire and then in the CCS Assessment Manager taskbar,
click Edit Selected.
See Editing a questionnaire name on page 30.
Right-click the questionnaire and then select Add > New Groups.
In the Add a group dialog box, type the name for the group of questions and
then click Add Group.
See Creating a direct group or a nested group on page 38.
Right-click the group name and then select Add > New Questions.
In the Add Questions dialog box, from the Select the type of question
drop-down list, select the type of question that you want to add.
The options that become available in the Select the answer template
drop-down list depend on the type of question that you make.
In the Select the answer template drop-down list, select the template that
you want to provide for the question that you have typed.
10 Click Add.
After you create the questionnaire, log in to the Admin Web portal to publish
the questionnaire and then send the assessments to the attesters.
See CCS Assessment Manager tasks and permissions on page 86.
Launch the CCS Assessment Manager client and open the questionnaire for
which you want to create a copy.
Right-click the questionnaire and then click Save As from the menu that
displays.
When you create a copy of a questionnaire, the original title of the
questionnaire is appended by "_copy".
Type a name for the duplicate questionnaire if required, and then click OK.
You can open the questionnaire from the CCS Assessment Manager server
and make modifications.
Once you create a copy of an existing questionnaire, you can change the
version of the questionnaire.
Click Notice and then in the Modify Property Value dialog box, enter the
content for the notice. Click OK.
Editing text
You can edit the text of any object. An object is a questionnaire name, a group
name, a question, or an answer.
To edit text
In the CCS Assessment Manager console, right-click a question and click Edit.
In the Edit Question dialog box, use the tools to add rich-text formatting to
the question.
Click Preview to view the HTML version of the question, once you are done
with the formatting.
In the CCS Assessment Manager console, right-click a question and click Edit.
In the Edit Question dialog box, click Insert Video > Upload and Insert Video
from the toolbar.
In the Insert File dialog box, click Browse to navigate to the location where
the video is stored.
In the editing pane of the Edit Question dialog box, click Insert Video > Insert
web video from the toolbar.
In the Insert URL dialog box, type the URL for the video that you want to
insert.
In the CCS Assessment Manager console, right-click a question and click Edit.
In the editing pane of the Edit Question dialog box, click Insert image >
Upload and Insert image from the toolbar.
In the Insert File dialog box, click Browse to navigate to the location where
the image is stored.
In the editing pane of the Edit Question dialog box, click Insert image >
Insert web image from the toolbar.
In the Insert URL dialog box, type the URL for the image that you want to
insert.
In the CCS Assessment Manager console, right-click a question and click Edit.
In the Edit Question dialog box, select the text to which you want to add a
hyperlink and then click Insert Link from the toolbar.
In the Type drop-down list, select the type of link that you want to add.
In the URL text box, type the URL that you want to provide a link for.
In the Title text box, type the title for the link.
Click Remove Link if you want to remove the hyperlink from the selected
text.
In the CCS Assessment Manager console, right-click a question and click Edit.
In the Edit Question dialog box, click Insert special characters from the
toolbar.
In the Insert special characters dialog box, select the special character that
you want to insert and then click Close.
Adding a template
You can add a user-defined template to the predefined sets.
See Adding answers using the answer templates on page 35.
To add a template
Click Add.
In the Add Answer to Template window, type the value for a single answer.
Click OK.
Adding answers
You add a custom answer to a choice question. You can add one answer at a time,
or you can add several answers.
See Adding answers using the answer templates on page 35.
To add answers
Right-click on a selected choice question and select Add > New Answers.
In the Add One Answer per line dialog box, type an answer.
You can add several answers, but each answer must be on a separate line.
Deleting a questionnaire
You can delete an existing questionnaire by using the CCS Assessment Manager
client.
To delete a questionnaire
In the CCS Assessment Manager client, open the questionnaire that you want
to delete.
Select the questionnaire and then from the console toolbar, select Edit >
Remove Selected.
Right-click the questionnaire and then click Delete on the menu that
displays.
Select the questionnaire and then from the task bar at the bottom of the
console, click Remove Selected.
Note: You can delete a published questionnaire only if there are no active
assessments associated with it.
Open the questionnaire for which you want to create a version and then
right-click.
In the Modify Property Value box, type the version number and then click
OK.
Note: You must save the questionnaire for the latest version to display in the
CCS Assessment Manager Admin Web client.
Importing questionnaires
You can make necessary changes in the OCIL v2.0 XML file on your local computer
and then import the file into CCS Assessment Manager.
Apart from the OCIL questionnaires, you can also import the XMLQ questionnaires
that belong to CCS Assessment Manager 10.5 or earlier. When you import an
XMLQ file, the questionnaire is converted from the XMLQ format to the OCIL
format.
Questionnaire import is not supported in case of the following:
The OCIL files that contain cyclic references from one questionnaire to another
questionnaire within the same document.
Note: The questionnaire that you import must have the document tag. An OCIL
document without the document tag is not valid.
The version of an imported XMLQ file is reset to 1 if the existing questionnaire
version is greater than 32000.
When you import an OCIL questionnaire, the severity value for a 'Fail' result is
set to 3 and the severity value for a 'Pass' result is set to 1 by default. For the other
results such as Error, Unknown, Not Tested, and Not Applicable, the severity value
is 0 by default.
At the time of import, variables, artifacts, and the test action of numeric and string
questions are imported successfully, but they are not used in the assessment
process.
After evaluation of a questionnaire as per OCIL specifications, the assessment
report displays the result states as mentioned below:
Table 3-1
OCIL result after evaluation    Result state in the assessment report
Pass                            Pass
Fail                            Fail
Not Applicable                  Not Applicable
Not tested                      Not Applicable
Unknown                         Unknown
Error                           Unknown
To import a questionnaire
In the Import dialog box, navigate to the location where you have saved the
questionnaire and then click Open.
Click OK on the message prompt that confirms the successful import of the
questionnaire.
An error message displays if you have selected an invalid file. Click OK on
the error message and then repeat 2.
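A pre-import check for the two unsupported cases described above (a missing document tag and cyclic questionnaire references), together with the Table 3-1 result mapping and the default severities. This is an added example, not Symantec code; it assumes the OCIL 2.0 element names ocil, document and test_action_ref, reads the "document tag" as a <document> child of the root element, and runs on a constructed sample file.

```python
import xml.etree.ElementTree as ET

# Table 3-1 on this page: OCIL result -> state shown in the assessment report.
REPORT_STATE = {
    "pass": "Pass",
    "fail": "Fail",
    "not applicable": "Not Applicable",
    "not tested": "Not Applicable",
    "unknown": "Unknown",
    "error": "Unknown",
}
# Default severities applied at import, as stated on this page (others are 0).
DEFAULT_SEVERITY = {"fail": 3, "pass": 1}


def report_entry(ocil_result):
    """Return (report state, default severity) for an OCIL result name."""
    key = ocil_result.strip().lower().replace("_", " ")
    if key not in REPORT_STATE:
        raise ValueError(f"not an OCIL result: {ocil_result!r}")
    return REPORT_STATE[key], DEFAULT_SEVERITY.get(key, 0)


def local_name(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def reference_graph(root):
    """Map each element id to the ids named by its test_action_ref descendants."""
    graph = {}
    for elem in root.iter():
        if elem.get("id") is not None:
            graph[elem.get("id")] = [
                (ref.text or "").strip()
                for ref in elem.iter()
                if local_name(ref.tag) == "test_action_ref"
            ]
    return graph


def find_cycles(graph):
    """Depth-first search; return each reference cycle as a list of ids."""
    cycles, state = [], {}  # state: 1 = on the current path, 2 = finished

    def visit(node, path):
        state[node] = 1
        path.append(node)
        for target in graph[node]:
            if state.get(target) == 1:
                cycles.append(path[path.index(target):] + [target])
            elif target in graph and target not in state:
                visit(target, path)
        path.pop()
        state[node] = 2

    for node in graph:
        if node not in state:
            visit(node, [])
    return cycles


def precheck_ocil(xml_text):
    """Return a list of problems that would make the import fail."""
    if "<!DOCTYPE" in xml_text:
        # OCIL files need no DTD; refusing avoids entity-expansion tricks.
        return ["DOCTYPE declaration present, file not parsed"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if local_name(root.tag) != "ocil":
        problems.append(f"root element is <{local_name(root.tag)}>, not <ocil>")
    if not any(local_name(child.tag) == "document" for child in root):
        problems.append("missing <document> element")
    for cycle in find_cycles(reference_graph(root)):
        problems.append("cyclic reference: " + " -> ".join(cycle))
    return problems


# Constructed sample: no <document>, and two questionnaires that reference
# each other. The ids and namespace prefix "example" are made up.
SAMPLE_OCIL = """<ocil xmlns="http://scap.nist.gov/schema/ocil/2.0">
  <questionnaires>
    <questionnaire id="ocil:example:questionnaire:1">
      <actions>
        <test_action_ref>ocil:example:questionnaire:2</test_action_ref>
      </actions>
    </questionnaire>
    <questionnaire id="ocil:example:questionnaire:2">
      <actions>
        <test_action_ref>ocil:example:testaction:1</test_action_ref>
        <test_action_ref>ocil:example:questionnaire:1</test_action_ref>
      </actions>
    </questionnaire>
  </questionnaires>
</ocil>"""

if __name__ == "__main__":
    for problem in precheck_ocil(SAMPLE_OCIL):
        print(problem)
    print(report_entry("NOT_TESTED"))
```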
Exporting questionnaires
You can export questionnaires by using the CCS Assessment Manager console
and save them on your local computer. You must be a CCS Assessment Manager
administrator to be able to export a questionnaire. If you want to import a
questionnaire that you have already exported, you must delete the questionnaire
from the CCS Assessment Manager database and then import. If you modify an
existing questionnaire, you must save the questionnaire before you export.
To Export a questionnaire
In the Export Questionnaire dialog box, navigate to the location where you
want to save the file and then click Save.
In the Add One Group per line dialog box, type the group name.
You can add several groups, but each group name must be on a separate line.
Press Enter to start the next line.
After you have entered the group names, click Add Group.
In the Add One Group per line dialog box, type the group name.
You can add several nested groups, but each group name must be on a separate
line. Press Enter to start the next line.
After you have entered the group names, click Add Group.
In Edit Group dialog box, enter the new name for the selected group.
Reviewing a questionnaire
As an administrator, you can review a questionnaire before you go ahead and
publish.
To review a questionnaire
You can use the pagination at the bottom of the questionnaire to browse
through all the pages.
Review the questionnaire and then click Publish if you want to publish the
questionnaire.
Publishing a questionnaire
You can publish the CCS Assessment Manager questionnaires by using the CCS
Assessment Manager Admin Web portal. After you publish, the questionnaire is
available in the CCS Assessment Manager Admin client in the read-only format.
You can initiate assessments by using a published questionnaire.
A published questionnaire can also be unpublished if there are no active
assessments associated with it. When you unpublish a questionnaire, the status
of the questionnaire changes from 'Published' to 'Draft' and the version of the
questionnaire increments by one. Once the questionnaire is unpublished it is
available for editing in the Admin Thick console.
The predefined questionnaires are in the published state by default.
You must be an administrator to be able to publish the CCS Assessment Manager
questionnaires.
To publish a questionnaire
Log in to the CCS Assessment Manager Admin Web portal and then go to
Manage > Questionnaires.
From the questionnaires list box, check the questionnaire that you want to
publish, and then click Publish.
You can select only one questionnaire at a time to publish. Multiple selection
is not supported.
Unpublishing a questionnaire
You can unpublish a CCS Assessment Manager questionnaire if you want to make
modifications in a questionnaire that is already published. You can unpublish a
questionnaire only if there are no active assessments associated with it. After you
unpublish, the state of the questionnaire changes to 'Draft' and the questionnaire
is no longer available for assessment creation. The version of a questionnaire
increments by one each time you unpublish a questionnaire. If you have multiple
questionnaires by the same name, the latest version takes the maximum version
number out of the existing questionnaires and then increments it by one.
You must be a CCS Assessment Manager administrator to be able to unpublish a
questionnaire.
To unpublish a questionnaire
Log in to the CCS Assessment Manager Admin Web portal and then go to
Manage > Questionnaires.
From the questionnaires list box, check the questionnaire that you want to
unpublish, and then click Unpublish.
You can select only one questionnaire at a time to unpublish. Multiple
selection is not supported.
Assessment creation
As an administrator, you create an assessment by using an existing questionnaire
and sending it to the attesters for response collection.
A CCS Assessment Manager assessment can be of the following two types:
User assessment
An asset compliance assessment lets you collect attester responses and evidences
to assess compliance for procedural controls based on regulatory mandates,
policies, or risk objectives. You can further delegate a user assessment and then
compile the responses to create reports.
An asset compliance assessment uses the assets in the CCS asset system. To create
an asset compliance assessment, you must configure the CCS settings from the
CCS Assessment Manager console.
See Configuring CCS Assessment Manager to connect to Control Compliance
Suite on page 113.
A user assessment lets you collect responses from the end-users in your
organization for non-IT assessments. A user assessment typically comprises
quiz-based questionnaires and lets you assess the attesters based on the individual
scores. You cannot delegate a user assessment.
The assessment creation procedure also includes the following aspects of the CCS
Assessment Manager assessments:
Specifying the CCS assets that you want the assessment to scope, in case of
an asset compliance assessment.
Configuring notifications and selecting the email template for the notifications.
From the Questionnaires list box, select the questionnaire that you want to
use for the assessment and then click Next.
This option is not available when you launch the New Assessment wizard
from the Publish Questionnaire dialog box.
In the Add Attesters panel, do the following and then click Next:
In the Select attester by asset owner section, specify whether you want
to send the assessment to business asset owners or individual asset owners.
A business asset group is a business entity that is associated with business
functions. Business assets can also be collections of physical assets that
represent business entities. For example, banks with departments, servers,
processes and data centers are business assets.
An individual asset group is the group of assets based on the asset type.
For example, for a group of UNIX assets in your organization across various
locations, you can have a group of individual assets named UNIX_assets.
From the asset hierarchy list that is displayed in the Asset Browser, check
the assets or the asset groups that you want to scope for the assessment,
and then click View Asset Details.
Note: The list of assets is fetched from the CCS asset system. To see the
assets in the Asset Browser list box, you must specify the required
configuration settings to connect to CCS.
See Configuring CCS Assessment Manager to connect to Control
Compliance Suite on page 113.
The Owner field displays the owner of the asset or the asset group that
you select. The field displays Not assigned if the selected asset does not
have an asset owner in the CCS asset system.
Click View Asset Details to view the details of the selected asset and then
click Close.
If you have selected business assets, then you can only view the asset
details from the Asset Details page. However, if you have selected
individual assets, then you select or deselect an asset from the displayed
list.
Note: In case of individual assets, you can select only up to 3000 assets
from the Asset Browser.
In the Edit Attesters panel, in the Selected Attesters list box, click Edit if
you want to change the asset owner. After you make the changes, click Save
to save and close the dialog box, and then click Next.
The Asset Owner field appears blank if the selected asset does not have an
asset owner in the CCS asset system. You can manually enter the asset owner's
name by clicking Edit.
The user account and the email address of the asset owner that you specify
are fetched from Active Directory.
The Email Address text box appears blank if the asset owner has not
configured the mailbox. You can manually enter the email address by clicking
Edit.
In the Assign Sections panel, check Assign sections (optional) if you want
to assign certain sections of the assessment to other users.
In the Selected Attesters list box, do the following:
Select the attester to whom you want to assign selected sections of the
assessment and then click Assign Sections.
The Assign Sections button becomes available only when you select the
attesters.
Uncheck the groups or the sections that you do not want to assign and
then click OK.
Note: Click Reset to default state of assign section if you want to discard
the changes that you made. The default state has all the sections assigned
to the attester.
In the Prerequisites panel, add the prerequisite documents and the URLs, if
any.
The maximum number of attachments that you can provide is 10, which is
the default limit. To change the default limit, edit the value of the key
<add key="MaxPrerequisiteCount" value="10" />
in the configuration file:
<Install Dir>\CCS Assessment Manager Server\webclient\web.config
The default size limit for the attachments is 200 MB. To change the size limit:
In the Add URLs text box, enter a Web site link and then click Add to add
the URL to the list box.
In the Name text box, enter a name for the URL or the file that you have
added. The name that you enter for the prerequisite is displayed to the
attester in the Prerequisite section of the assessment. If you do not enter
a name for the prerequisite, then only the link is displayed to the attester.
You can remove the URLs and the prerequisite documents by clicking
Remove All.
Once you add the prerequisite documents and URLs, the attachments are
available for the attesters to view or read during the assessment.
In the Assessment Options panel, do the following and then click Next:
In the Due Date box, type the date by which the attester must submit the
responses. Alternatively, click on the calendar icon to select the date.
From the Email Template drop-down list, specify whether you want
to use the default templates or the custom templates for the
notifications.
The custom templates display only when you have created and saved
the custom templates.
Note: An error is displayed if a template is corrupted or if the template
hierarchy is missing.
Check Send Reminder if you want to enable reminders for the attester.
The <number of> days before due date text box becomes available
only when you check Send Reminder. Enter a value for the number of
days before the due date on which you want to send the reminder.
Note: If you want to schedule an assessment, you must ensure that the
reminder date is later than the schedule date.
In the Assessment Title panel, do the following and then click Next:
In the Assessment Title text box, type a name for the assessment. By
default, the Assessment Title text box displays the name of the
questionnaire that you have selected.
In the Welcome Text box, enter a brief introduction about the assessment.
The welcome text is displayed on the Assessment Welcome page on the
CCS Assessment Manager portal. This is an optional step.
In the Date and Time text box, enter the date and the time when you
want the assessment to be sent to the attesters.
You can send the assessment on the same day or on a later date. The
default date that is displayed in the Date and Time text box is a day before
the due date of the assessment. You must not enter a date which is later
than the assessment due date.
The asset owners and the assets that you have included in the assessment
are resolved with the CCS asset system before the assessment is sent to
the selected attesters. If an asset is no longer in the asset system, then
the asset is excluded from the assessment. In such scenarios, you cannot
view these attesters in the Track Response page of the assessment. You
can view the CCS Assessment Manager logs for more details.
From the Questionnaires list box, select the questionnaire that you want to
use for the assessment and then click Next.
In the Add Attesters panel, in the Search Attesters text box, enter the group
name or the individual attester's name to whom you want to send the
assessment and then click Add.
The user accounts of the attester or the user group that you specify are fetched
from Active Directory. If you want to add a user from a different domain,
then specify the user name in the following format:
<domain>\<user name>
To delete an attester, click the check box against the attester's name and then
click Remove.
Click Next.
In the Prerequisites panel, add the prerequisite documents and the URLs, if
any.
The maximum number of attachments that you can provide is 10, which is
the default limit. To change the default limit, edit the value of the key
<add key="MaxPrerequisiteCount" value="10" />
in the configuration file:
<Install Dir>\CCS Assessment Manager Server\webclient\web.config
The default size limit for the attachments is 200 MB. To change the size limit:
Note: The file formats that are allowed by default are: bmp, csv, doc, docx,
gif, jpg, log, pdf, png, ppt, pptx, raw, rpt, tif, tiff, txt, wav, xml, xls, xlsx,
zip, wmv, avi, flv, mov, mpg, 3gp, asf, swf.
However, to change the default file format, edit the key in web.config as:
<add key="PrerequisiteExtSupport" value="bmp,csv,doc,docx,gif,jpg,log,pdf,png,ppt,pptx,raw,rpt,tif,tiff,txt,wav,xml,xls,xlsx,zip,wmv,avi,flv,mov,mpg,3gp,asf,swf" />
In the Add URLs text box, enter a Web site link and then click Add to add
the URL to the list box.
In the Name text box, enter a name for the URL or the file that you have
added. The name that you enter for the prerequisite is displayed to the
attester in the Prerequisite section of the assessment. If you do not enter
a name for the prerequisite, then only the link is displayed to the attester.
You can remove the URLs and the prerequisite documents by clicking
Remove All.
Once you add the prerequisite documents and URLs, the attachments are
available for the attesters to view or read during the assessment.
In the Assessment Options panel, do the following and then click Next:
In the Due Date box, type the date by which the attester must submit the
responses. Alternatively, click on the calendar icon to select the date.
From the Email Template drop-down list, specify whether you want
to use the default templates or the custom templates for the
notifications.
The custom templates display only when you have created and saved
the custom templates.
Note: An error is displayed if a template is corrupted or if the template
hierarchy is missing.
Check Send Reminder if you want to enable reminders for the attester.
The <number of> days before due date text box becomes available
only when you check Send Reminder. Enter a value for the number of
days before the due date on which you want to send the reminder.
Note: If you want to schedule an assessment, you must ensure that the
reminder date is later than the schedule date.
In the Minimum Passing text box, enter a value for the minimum
percentage that the attester must score to pass the assessment.
Check Show correct answers on last failed attempt if you want the
correct answers to be displayed against the attester's responses on
the result page after the attester fails in the last attempt.
In case of passed attempts, the correct answers are always displayed
on the result page.
In the Assessment Title panel, do the following and then click Next:
In the Assessment Title text box, type a name for the assessment. By
default, the Assessment Title text box displays the name of the
questionnaire that you have selected.
In the Welcome Text box, enter a brief introduction about the assessment.
The Welcome text is displayed on the Assessment Welcome page on the
CCS Assessment Manager portal. This is an optional step.
In the Date and Time text box, enter the date and the time when you
want the assessment to be sent to the attesters.
You can send the assessment on the same day or on a later date. The
default date that is displayed in the Date and Time text box is a day before
the due date of the assessment. You must not enter a date which is later
than the assessment due date.
The attesters that you have selected for a scheduled user assessment are
validated before the assessment is sent. If a particular attester does not
exist anymore, that attester is excluded from the assessment. If you have
assigned the assessment to a single attester and the attester is no longer
valid by the scheduled date of the assessment, then you cannot view the
assessment in the Current Assessments tab. You can view the CCS
Assessment Manager logs for more details.
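The MaxPrerequisiteCount and PrerequisiteExtSupport keys described in the Prerequisites panel step can be checked for drift from the documented defaults after web.config has been edited. The following Python script is an added example, not part of the Symantec documentation or product; the function names, the constructed sample configuration, and its placement under appSettings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the guide.
DEFAULT_MAX_COUNT = 10
DEFAULT_EXTENSIONS = frozenset(
    "bmp,csv,doc,docx,gif,jpg,log,pdf,png,ppt,pptx,raw,rpt,tif,tiff,txt,wav,"
    "xml,xls,xlsx,zip,wmv,avi,flv,mov,mpg,3gp,asf,swf".split(",")
)
WATCHED_KEYS = ("MaxPrerequisiteCount", "PrerequisiteExtSupport")


def parse_extensions(raw):
    """Normalise a comma-separated allow-list: trim, drop leading dots, lowercase."""
    cleaned = (item.strip().lstrip(".").lower() for item in raw.split(","))
    return {ext for ext in cleaned if ext}


def audit_prerequisite_settings(config_xml):
    """Compare the two prerequisite keys in web.config text with the defaults.

    Returns a dict holding the parsed values and a list of readable findings.
    """
    result = {"max_count": None, "added": set(), "removed": set(), "findings": []}
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # For example, a value attribute whose quotes were lost while editing.
        result["findings"].append(f"web.config is not well-formed XML: {exc}")
        return result

    # Collect every <add key="..." value="..."/> element, ignoring any namespace.
    settings = {}
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] != "add":
            continue
        key = element.get("key")
        if key in WATCHED_KEYS:
            if key in settings:
                result["findings"].append(f"{key} is defined more than once")
            settings[key] = element.get("value", "")

    raw_count = settings.get("MaxPrerequisiteCount")
    if raw_count is None:
        result["findings"].append("MaxPrerequisiteCount is not set")
    else:
        try:
            result["max_count"] = int(raw_count.strip())
        except ValueError:
            result["findings"].append(f"MaxPrerequisiteCount is not a number: {raw_count!r}")
        else:
            if result["max_count"] != DEFAULT_MAX_COUNT:
                result["findings"].append(
                    f"MaxPrerequisiteCount changed from {DEFAULT_MAX_COUNT} "
                    f"to {result['max_count']}"
                )

    raw_exts = settings.get("PrerequisiteExtSupport")
    if raw_exts is None:
        result["findings"].append("PrerequisiteExtSupport is not set")
    else:
        allowed = parse_extensions(raw_exts)
        result["added"] = allowed - DEFAULT_EXTENSIONS
        result["removed"] = DEFAULT_EXTENSIONS - allowed
        if result["added"]:
            result["findings"].append(
                "extensions added to the allow-list: " + ", ".join(sorted(result["added"]))
            )
        if result["removed"]:
            result["findings"].append(
                "extensions removed from the allow-list: " + ", ".join(sorted(result["removed"]))
            )
    return result


# Constructed sample inputs (not taken from a real installation).
SAMPLE_DEFAULT = f"""<configuration>
  <appSettings>
    <add key="MaxPrerequisiteCount" value="10" />
    <add key="PrerequisiteExtSupport" value="{','.join(sorted(DEFAULT_EXTENSIONS))}" />
  </appSettings>
</configuration>"""

SAMPLE_EDITED = """<configuration>
  <appSettings>
    <add key="MaxPrerequisiteCount" value="25" />
    <add key="PrerequisiteExtSupport" value="pdf, DOCX, .xlsx, txt, exe, ps1" />
  </appSettings>
</configuration>"""

# The value attribute has lost its quotes, so the file no longer parses.
SAMPLE_BROKEN = """<configuration>
  <appSettings>
    <add key="PrerequisiteExtSupport" value=bmp,csv />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("edited", SAMPLE_EDITED),
                       ("broken", SAMPLE_BROKEN)):
        report = audit_prerequisite_settings(text)
        print(name, "->", report["findings"] or "matches the documented defaults")
```

To audit a real installation, read the web.config file from the path given in the Prerequisites panel step and pass its text to audit_prerequisite_settings.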
Viewing assessments
As an administrator, you can view the currently active assessments and the past
assessments from the Assessments tab of the CCS Assessment Manager Admin
Web portal.
The Assessments tab lets you do the following tasks:
Create an assessment
Edit an assessment
Use the Current Assessments tab to view the following details of the active
assessments:
Name of an assessment
Type of an assessment
The name of the questionnaire that has been used to create an assessment
You can view both the asset compliance assessments and the user assessments
from the Current Assessments tab.
An assessment is listed in the Current Assessments tab until the expiration date.
By default, the expiration date for an assessment is 90 days after the assessment
due date. An administrator can modify the value for the number of days after the
due date when an assessment expires.
See Configuration parameters in CCS Assessment Manager on page 103.
An asset compliance assessment is listed in the Current Assessments tab based
on the following criteria:
The administrator has accepted the attester responses, but the assessment
has still not reached the expiration date that is configured by the administrator.
If the attester has not provided the responses yet and the assessment has not
yet reached its expiration date.
After an assessment goes beyond the expiration date, it is no longer listed in the
Current Assessments tab. You can view the expired assessments in the Past
Assessments tab.
Note: You may see an assessment in the Current Assessments tab even after it
reaches the expiration date. This happens when an assessment has pending tasks
to be completed by the administrator when the assessment expires.
Sometimes, an assessment that is scheduled for a later date may fail at the
time when it is sent to the selected attesters. In such cases, the status of the
assessment is displayed as "Error". This happens due to any of the following reasons
that may occur at the time of sending the assessment to the attesters:
The CCS Assessment Manager server is not able to connect to the CCS
application server.
The CCS Assessment Manager server is not able to resolve the IT assets or the
business assets, based on the asset type selection.
If the selected business assets are not mapped to any IT assets in the CCS asset
system.
The CCS Assessment Manager server is not able to resolve the selected users.
Use the Past Assessments tab to view the following details of the expired
assessments:
Name of an assessment
Type of an assessment
The name of the questionnaire that has been used to create an assessment
Editing an assessment
With the appropriate Admin rights, you can edit an existing assessment by using
the CCS Assessment Manager Admin Web client. You can edit the assessments
that are already sent as well as the assessments that are scheduled. You can edit all
the options in a scheduled assessment. For example, you can add or delete attesters,
modify the due date for submission and so on.
However, for the assessments that have already been sent to the attesters, you
can modify the following:
Add more assets and associate the attesters to the newly added assets for an
asset compliance assessment.
You cannot modify the assets and the corresponding asset owners who are
already added.
Add new attesters for a user assessment. However, you cannot remove the
attesters who are already added.
For both asset compliance and user assessments, you can extend the due date
of submission for the assessment.
When you edit an assessment to add more assets, the edited version is assigned
to the attester as a new assessment.
In the Current Assessments tab, check the assessment that you want to edit
and then in the taskbar on top, click Edit.
In the Edit Assessment wizard panels, make the required changes and then
click Finish in the Schedule panel.
Scheduling an assessment
You can schedule an assessment for a later date, if you do not want to immediately
assign the assessment to the selected attesters. You can schedule an assessment
only during assessment creation. When you schedule an assessment, the date
that you specify must be a date before the due date of the assessment.
In case of asset compliance assessments, the asset owners and the assets that you
have included in the assessment are resolved with the CCS asset system before
the assessment is sent to the selected attesters. If an asset is no longer in the asset
system, then the asset is excluded from the assessment. In such scenarios, you
cannot view these attesters in the Track Response page of the assessment. You
can view the CCS Assessment Manager logs for more details.
A scheduled assessment may fail due to any of the following reasons at the time
of sending the assessment:
If there are no IT assets associated to the selected business assets at the time
of sending the assessment.
Note: When an assessment fails, the Schedule Status column displays the status
as Error.
To schedule an assessment
In the Date and Time text box, enter the date and the time when you
want the assessment to be sent to the attesters.
The default date that is displayed in the Date and Time text box is a day
before the due date of the assessment.
Click Finish.
Responding to an assessment
The Assessments tab of the Assessment Manager Web client lets you access the
assessments that have been assigned to you. As an attester, you can do the
following:
Launch the CCS Assessment Manager Web client and then go to Assessments.
Add comments
You can click on the link to view the supporting documents and URLs after
you attach them.
After you provide your responses, click Submit to submit the assessment.
At any point of time during your response, click Cancel to close the questionnaire
and go back to the Questionnaire welcome page. After you open a questionnaire,
click Close and go back to the Questionnaires page.
See Adding comments in a response on page 56.
See Attaching supporting documents on page 57.
See Attaching supporting URLs on page 57.
See Delegating an assessment on page 57.
Go to the Response page of the assessment and then click Save and Close.
In the Response page, click the Comments tab and then enter your comments.
In the Response page, click the Supporting Documents tab, and then click
Attach.
Navigate to the location where you have the document saved, select the
document and then click Open.
If you want to remove an attachment, click the Delete icon against the
attachment. To remove all the attachments at the same time, click Clear All.
In the text box, enter the URL and then click Add.
If you want to remove a URL, click the Delete icon against the URL. To remove
all the URLs at the same time, click Clear All.
Delegating an assessment
When you receive an asset compliance assessment, you may delegate the
assessment to another user if you do not have sufficient information to provide
the responses.
There may be scenarios wherein you delegate an assessment to other CCS
Assessment Manager users, and then the assigned users decline the assessment.
In such cases, you may decline the assessment after you accept the declination
requests from the users to whom you had delegated the assessment.
Log in to the CCS Assessment Manager Web client and click the Assessments
tab.
In the Add Attesters dialog box, do the following and then click OK:
In the Due Date For Attesters box, enter the date by which the attester
to whom you are assigning the assessment must submit the responses.
The due date that you specify must be earlier than the original due date
of the assessment.
In the Enter user name or the group name text box, enter the user names
to whom you want to delegate the assessment and then click Add.
In the Comments text box, enter a brief description about the assessment.
You can click Cancel to discard your inputs and to go back to the assessment
welcome page.
On the assessment welcome page, click Delegation Details to view the details
about the assessment delegation, and then click Send Assessment.
You can click Edit to make the following modifications to the delegation
operation:
Once you delegate an assessment, you can view the responses of the assigned
attesters from the response page.
See Providing an aggregated response on page 59.
Provide your aggregated response based on the attester response and the
evidence.
Note: You must approve the attester response before you proceed with response
aggregation.
To analyse the attester response in the Response page
In the Response page, under each question, you can see the following tabs:
Answer
Comments
Supporting Documents
Supporting URLs
Assets
Attester Response
You use the Answer, Comments, Supporting Documents, and the Supporting
URLs tabs to provide your own aggregated response.
Click the Assets tab to see the assets that the user has selected for the
response. You can uncheck any of the assets that you want to exclude from
your aggregated response.
Click the Attester Response tab to see the response that the user has provided
and then click View/Attach.
The left-hand pane displays the assets that the attester has selected for
the response.
The right-hand pane displays the supporting documents and the URLs
that the attester has provided for each asset.
Click an asset to display the supporting evidence, and then click View to view
the documents or visit the URLs.
In the left-hand pane, check the assets that you want to include in your
aggregated response and then click Attach.
Note: Make sure that when you select any supporting evidence for aggregation,
you also select the corresponding asset along with it.
In the Response page, in the Assets section, check an asset and then use the
relevant tab to provide your comments or the supporting evidence for the
selected asset.
See Adding the attester's attachments for an aggregated response on page 61.
In the My Assessments tab, click the assessment for which you want to
provide an aggregated response.
In the Response page, under the questions that you had delegated, click the
Answers from Attesters section.
In the View/Attach Additional Details dialog box, do the following and then
click Attach:
In the Supporting URLs section, check the URLs that you want to attach
to your response.
Declining an assessment
After you receive an assessment, you may choose to decline the assessment in
case the subject of the assessment is no longer within the portfolio of your job
profile. The option to decline an assessment is present only in the asset compliance
assessments.
There may be scenarios wherein you delegate an assessment to other CCS
Assessment Manager users, and then the assigned users decline the assessment.
In such cases, you may decline the assessment after you accept the declination
requests from users to whom you delegated the assessment.
To decline an assessment
Launch the CCS Assessment Manager Web client and then go to Assessments
> My Assessments.
In the Decline Assessment dialog box, enter your comments regarding the
declination request and then click OK.
The Comments field is mandatory when you decline an assessment.
Launch the CCS Assessment Manager Admin Web client and then go to
Manage > Assessments.
In the Comments text box, enter a brief description about your action.
This is an optional field.
Click Accept to accept the declination request. Or, click Resend to reject
the declination request and to reassign the assessment.
Launch the CCS Assessment Manager end-user Web client and then go to
Assessments.
In the Comments text box, enter a brief description about your action.
This is an optional field.
Click Accept to accept the declination request. Or, click Resend to reject
the declination request and to reassign the assessment.
Response collection
As the CCS Assessment Manager administrator, you can log in to the CCS
Assessment Manager Admin Web client and view the list of assessments that have
been assigned to the attesters. You can click on any assessment to view the
response details.
You can collect attester responses for user assessments and asset compliance
assessments.
When you receive the response for an assessment, you can also view the supporting
documents and other evidence that the attester attaches with the response.
If you are a CCS Assessment Manager user and you delegate an assessment that
is assigned to you, you can view the aggregated response and attach responses
from the delegates before you submit the response of your assessment. The CCS
Assessment Manager administrator can use the aggregated response that you
provide for reports and dashboards by using the CCS infrastructure and the CCS
Assessment Manager.
See Viewing an assessment response (Admin) on page 65.
See CCS Assessment Manager tasks and permissions on page 86.
Opening an assessment
When a CCS Assessment Manager administrator or a CCS Assessment Manager
user assigns you an assessment, the assessment is available for you in the CCS
Assessment Manager Web client.
You can view an assessment by doing any one of the following:
Use the link that is provided for the assessment in the notification mail.
After you open a questionnaire, the left-hand tree pane displays the hierarchical
structure of the questions within the groups and the nested groups. You can
navigate to any question or group within the questionnaire by clicking the
corresponding heading in the tree-pane.
If the questionnaire contains questions within nested groups, then the response
page displays the question along with the group hierarchy.
Let us consider the following example:
You have a questionnaire with the title HIPAA Security Rule Toolkit Checklist,
which contains the group Administrative Safeguards. The Administrative
Safeguards group contains two nested groups - Security Management Processes
and Risk Assessment Policies.
The group hierarchy for the HIPAA Security Rule Toolkit Checklist questionnaire
is displayed on the response page as follows:
HIPAA Security Rule Toolkit Checklist > Administrative Safeguards > Security
Management Processes > Risk Assessment Policies
Note: The group name is displayed for the first question of every group and not
for every question.
Launch the CCS Assessment Manager Web client and then go to Assessments.
The name of the questionnaire that has been used for the assessment.
The version of the questionnaire that has been used for the assessment.
The name of the user who imported the assessment into CCS Assessment
Manager.
In the Current Assessments tab, click on the assessment for which you want
to view the response.
The Summary section in the Assessment Details page displays the following
information:
The name of the questionnaire that has been used for the selected
assessment and the questionnaire version.
The Attester Details section in the Assessment Details page displays the
following information:
The name of the attesters to whom the assessment has been assigned.
The individual score attained by each attester for the selected assessment.
The score is displayed only in case of user assessments.
The details of the assets that are in scope for the attester. Click the Asset
details link to view the asset details.
In the Assessment Details page, in the View column, click on the Response
link for the assessment response that you want to view.
Note: The Response link becomes active only after the attester submits the
response.
In the Assessment Response page, you can view the following:
The supporting URLs that the attester has provided for the responses.
Click Accept if you want to accept the response that you have received from
the attester.
Click Resend if you want to reject and reassign the assessment to the attester.
You must provide your comments when you resend an assessment.
You can also view an assessment response from the report page.
To view an assessment response from a report
On the Manage > Assessments page, click on the assessment for which you
want to view the attester response.
On the Assessment Details page, click View Assessment Report, and then
click any of the charts.
On the drill-down report, in the lower grid, click on any of the response detail
values for the attester whose response you want to view.
On the page that displays the response details, in the Answers column, click
on an answer to go to the response page.
In the response page, you can view the attester response, the comments, and
the supporting evidence that the attester has provided.
Launch the CCS Assessment Manager Admin Web client and then go to
Manage > Assessments.
In the Accept Response dialog box, do the following and then click OK:
In the Comments text box, enter a brief description before you accept the
assessment. This is an optional field.
Check Send Email Notification to inform the attester about the acceptance
of the assessment through Email.
Launch the CCS Assessment Manager Admin Web client and then go to
Manage > Assessments.
In the Resend Response dialog box, do the following and then click Send:
In the Comments text box, enter your comments to inform the attester
why you have reassigned the assessment. This field is mandatory.
In the Due Date text box, view the due date by which the attester must
submit the assessment.
The CCS Assessment Manager user who has assigned you the assessment.
In the My Assessments grid, click on the assessment for which you want to
view the response.
The Delegation Details section in the Assessment Welcome page displays
the following information:
The name of the attesters to whom the assessment has been assigned.
In the Delegation Details section, in the View column, click on the Response
link for the assessment response that you want to view.
Note: The Response link becomes active only after the attester submits the
response.
In the Assessment Response page, you can view the following:
The supporting URLs that the attester has provided for the responses.
Click Accept if you want to accept the response that you have received from
the attester.
Click Resend if you want to reject and reassign the assessment to the attester.
You must provide your comments when you resend an assessment.
Launch the CCS Assessment Manager end-user Web client and then go to
Assessments.
In the Accept Response dialog box, do the following and then click OK:
In the Comments text box, enter a brief description before you accept the
assessment. This is an optional field.
Check Send Email Notification to inform the attester about the acceptance
of the assessment through Email.
Launch the CCS Assessment Manager end-user Web client and then go to
Assessments.
In the Resend Response dialog box, do the following and then click Send:
In the Comments text box, enter your comments to inform the delegated
attester why you have reassigned the assessment. This field is mandatory.
In the Due Date text box, view the due date by which the delegated attester
must submit the assessment.
Report generation
A CCS Assessment Manager administrator can generate reports after the response
collection and analysis of the user responses.
See CCS Assessment Manager tasks and permissions on page 86.
CCS Assessment Manager lets you export the report detail information and create
the charts that visualize the information and perform the following tasks:
With CCS Assessment Manager, you can create operational reports for the
assessments that you have initiated. You can select an assessment and then create
a report. You can also export the report to a .xls file.
See Creating assessment reports on page 73.
If you have Control Compliance Suite deployed in your environment and if you
configured the External Data Integration settings, then you can import the CCS
Assessment Manager reports into CCS. You can use the CCS Assessment Manager
panels to view the compliance reports in CCS.
To be able to view the compliance reports with the CCS Assessment Manager
evidence, you must map the CCS Assessment Manager questions or groups to the
control statements by using the CCS Controls Studio.
For detailed information on mapping controls, see the Control Compliance Suite
User Guide.
If a question and a policy are mapped to the same control statement, the question
can be used as evidence for the policy. The same CCS asset must be part of the
policy and the questionnaire.
To create reports
Launch the CCS Assessment Manager Admin Web portal and go to Manage
> Assessments.
In the Current Assessments tab, click on the link for the assessment for
which you want to create a report.
On the Report page, click on the Response Status Score chart to view the
assessment report.
In case of an asset compliance report, the following details are displayed:
On the Report page, click on the Response Status by group graph to view
the following details:
The questionnaire groups, attester, and the response status of each group
in a tabular format.
Click Email this report at the top of the page to email the report.
An email client must be installed on the computer from which the report is
to be emailed.
The Report page displays the graphical representation of the assessment response
status on the basis of the following criteria:
You can click on the charts to have a detailed report of the assessment response
status.
To create user assessment reports
Launch the CCS Assessment Manager Admin Web portal and go to Manage
> Assessments.
In the Current Assessments tab, click on the link for the assessment for
which you want to create a report.
On the Report page, click on the Response Status Score chart to view the
following details:
On the Report page, click on the Response Status by group graph to view
the following details:
The questionnaire groups, attesters, and the response status of each group
in a tabular format.
Click Email this report at the top of the page to email the report.
An email client must be installed on the computer from which the report is
to be emailed.
The Report page displays the assessment report with regard to the specified
assets. The report displays the graphical representation of the assessment response
status on the basis of the following criteria:
You can click on the charts to have a detailed report of the assessment response
status.
Launch the CCS Assessment Manager Admin Web portal and go to Manage
> Assessments.
In the Current Assessments tab, click on the link for the assessment for
which you want to create a report.
On the Report page, click on the Response Status Score chart to view the
following details:
On the Report page, click on the Response Status by group graph to view
the following details:
The questionnaire groups, attesters, and the response status of each group
in a tabular format.
Click Email this report at the top of the page to email the report.
An email client must be installed on the computer from which the report is
to be emailed.
Emailing a report
You can email a CCS Assessment Manager report to a CCS Assessment Manager
user from the Admin Web client. When you email a report, the link to the relevant
report is included in the mail. You must be a CCS Assessment Manager
administrator to view the CCS Assessment Manager reports.
If you use Internet Explorer to access the CCS Assessment Manager Admin Web
client, the email client fails to construct the mail if the questionnaire name
contains non-ASCII characters. For internationalized content, the email body may
contain non-ASCII characters.
To resolve this issue, do the following:
In Internet Explorer, click Tools > Internet Options, and then click the
Advanced tab.
Under the International section, check Use UTF-8 for mailto links.
To mail a report
In the CCS Assessment Manager Admin Web client, click the Reports tab.
In the Reports section, select the assessment from the Select an assessment
drop-down list.
The email client launches with the default mail text that includes the name
of the report and the link to the report page on CCS Assessment Manager
Admin Web client.
Description
Dimension (X axis)
Measure (Y axis)
Chart style
2D-bar chart
Properties
As an example, let us consider that you have a business asset by the name BA1,
which is associated to three assets: Asset1, Asset2, and Asset3.
You evaluate these assets by using the three questions: Question1, Question2, and
Question3.
The following table displays the evaluation results of the questions against the
assets:
Question    Asset1   Asset2   Asset3
Question1   Pass     Pass     Fail
Question2   Fail     Fail     Pass
Question3   Pass     Pass     Pass
Description
Normalized Severity
Scope Asset
Assessment Name
Asset Department
Asset Location
Questionnaire
Column name
Description
Answer
Asset Custodian
Asset IP address
Asset Name
Asset Owner
Asset Site
Asset Type
CCS Status
Comments
Column name
Description
Question
Question Importance
User name
Description
Dimension (X axis)
Measure (Y axis)
Chart style
2D-bar chart
Properties
The following is an example to determine the questions with the failed score:
You have three assets: Asset1, Asset2, and Asset3.
You evaluate these assets by using the three questions: Question1, Question2, and
Question3.
The following table displays the evaluation results of the questions against the
assets:
Question    Asset1   Asset2   Asset3
Question1   Pass     Pass     Fail
Question2   Fail     Fail     Pass
Question3   Pass     Pass     Pass
Description
Asset Name
Question
Answer
Assessment Name
Asset Custodian
Asset Department
Asset IP address
Asset Location
Asset Owner
Asset Type
CCS Status
Comments
Column name
Description
Evidence Details
Normalized Severity
Question Importance
Questionnaire
User name
Class Type
Question Type
Severity
Description
Dimension (X axis)
Measure (Y axis)
Chart style
2D-bar chart
Properties
Description
Asset Name
CCS Status
Answer
Assessment Name
Asset Confidentiality
Asset Custodian
Asset Department
Asset IP address
Asset Location
Asset Owner
Asset Site
Asset Type
Column name
Description
Comments
Normalized Severity
Question
Question Type
Question Importance
Questionnaire
User name
Table 4-1
Tasks    Administrators    Power Users    Attesters
View questionnaires
Create questionnaires
Edit questionnaires Y
Delete questionnaires
Review questionnaires
Publish questionnaires
Create assessments Y
Delegate assessments
Accept/decline assessments
Respond to assessments
Review responses
Create reports
Purge evidence by date
Clear temporary files
Add prerequisite documents to an assessment
Edit CCS Assessment Manager settings
Install content packs
Boolean
Choice
Numeric
String
The ability to define the possible answers to a question that an end user can
choose from.
The ability to define the possible actions that an organization can take on the
basis of an end user's response.
The header logo, which displays on the left-hand top corner of each page.
For the header logo, Symantec recommends that you use an image file that
has a transparent background and measures 233x41 pixels at 72 DPI.
The Home page message, which displays at the top of the CCS Assessment
Manager Web client Home page.
The Home page message can contain up to 1024 characters. You can enter the
Home page message in any of the following languages:
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
For the header logo and the Home page background image, CCS Assessment
Manager supports the following image file formats:
.png
.jpg
.bmp
.gif
.tiff
For the Home page background image, Symantec recommends that you use an
image file that contains a neutral background color. The image file size must be
within the range of 964x300 to 1600x1200 pixels at 72 DPI.
See Customizing the CCS Assessment Manager Web client user interface
on page 89.
Coordinate 1 refers to the position of the graphic element that contains your
organization's branding.
Coordinate 2 refers to the background pattern of the image, which should
preferably merge into white.
Launch the CCS Assessment Manager Web client and then go to Settings >
General.
In the Header Logo section, click Add and then navigate to the location where
you have the image saved.
The Header Logo list can contain multiple images. Click Remove if you want
to remove an entry from the list.
After you add the header logo, the specified logo is displayed at the top of the
assessment pages.
If you select {No branding header file}, then the header logo is removed from
the Web portal.
In the Favorite Icon section, click Add and then navigate to the location
where you have the image saved.
The Favorite Icon list can contain multiple images. Click Remove if you want
to remove an entry from the list.
After you add the image for the favorite icon, the icon is displayed for the
assessments in your browser's Favorites list.
If you select {No favicon file}, then the favorite icon is removed from the Web
portal.
In the Home Page Message section, enter the message that you want to be displayed
on the Web client Home page.
The Home page message can contain up to 1024 characters.
After you add the text for the Home page message, the end users can see the
Welcome message on the Web client Home page.
In the Home Page Background Image section, click Add and then navigate
to the location where you have the image saved.
The Home Page Background Image list can contain multiple images. Click
Remove if you want to remove an entry from the list.
After you add the background image, the image is displayed as the background
for the Web client.
Click Save to apply the configured settings to the CCS Assessment Manager
Web client. Else, click Discard Changes if you do not want to apply the changes
that you configured.
See About customizing the CCS Assessment Manager Web client UI on page 88.
When a CCS Assessment Manager user declines to take an assessment and the
administrator accepts the declination.
When a CCS Assessment Manager user declines to take an assessment and the
administrator rejects the declination.
The email notifications use a templated format, which is specified in the CCS
Assessment Manager email templates. The templates are installed on the CCS
Assessment Manager server.
The following default email templates get stored during the installation of CCS
Assessment Manager:
AMAcceptDeclineRequestTemplate
AMAcceptResponseEmailTemplate
AMDeclineRequestTemplate
AMInvitationEmailTemplate
AMRejectDeclineRequestTemplate
AMRejectResponseEmailTemplate
AMReminderEmailTemplate
CCS Assessment Manager contains plain text and HTML templates. During the
product installation, if you select Microsoft Exchange as your mail server, then
the email notifications use the plain text templates. If you select SMTP, then the
email notifications use the HTML templates. If you want to use images or videos
in the notification mails, then you must use the HTML templates.
Following are the various default templates that are available with CCS Assessment
Manager:
AMAcceptDeclineRequestSubjectTemplate
Contains the subject that is used for email notifications for assessment acceptance or declination requests. This template uses the mail body text as specified in the AMAcceptDeclineRequestTemplate.
AMAcceptResponseEmailSubjectTemplate
AMDeclineRequestSubjectTemplate
AMInvitationEmailSubjectTemplate
AMRejectDeclineRequestSubjectTemplate
AMRejectResponseEmailSubjectTemplate
AMReminderEmailSubjectTemplate
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
When you create an assessment, in the Assessment Options panel, you can specify
whether you want to use a default template or a custom template. Only an
administrator has the permissions to select the email notification templates.
Note: You must have the email server configured during the CCS Assessment
Manager installation to send or receive email notifications.
Locate the following folder on the computer where the CCS AM Server is
installed:
<install directory>\Symantec\CCS Assessment Manager\CCS Assessment
Manager Server\Application Server\Templates\Email
Only the default folder that contains the English templates is located in the
Email folder.
Copy all the contents of the Default folder to the new folder.
Edit the contents of the files in the copied folder for the required language
or format.
Note: Only the contents of the files must be changed. Keep the file names
unchanged.
Once the custom template is created for a specific language or format, then that
template is visible in the Assessment Creation Wizard along with the default
template.
You can then choose to create an email notification to send emails to the end user
in the default template or in the custom template in another language.
Follow the same procedure to create templates for different formats or for other
supported languages.
You must have the CCS Assessment Manager licenses stored in a local folder or
a shared network drive.
The license utility installs the following licenses:
CCS Assessment Manager Base license
CCS Assessment Manager Base Maintenance license
Required to install the CCS Assessment Manager server and CCS Assessment Manager content.
CCS Assessment Manager User license
Navigate to the location where you have the licenses stored and select the
.slf file that contains the CCS Assessment Manager licenses.
You can now use the CCS Assessment Manager functionalities.
you have specified. You must restart the CCS Assessment Manager Service if you
modify the IIS settings.
To log out of the CCS Assessment Manager Admin Web client
In the CCS Assessment Manager Admin Web client Home page, click Logout.
The Logout link is present at the top right-hand corner of the Home page.
Table 4-2
Question     Calculation    Normalized severity
Question1    3/5 * 10
Question2    4/5 * 10
Question3    5/5 * 10       10
In case of a questionnaire group, the answer severity is calculated for all the
questions including the sub-groups.
Consider the following example:
Questionnaire Q1 contains the group G1, which contains question Question1 and
a sub-group G2. The sub-group G2 contains Question2 and Question3. The
maximum selected severity for the questions is four.
The severity values for the user responses for the questions in G1 and G2 are as
follows:
Question1 in G1 - Severity 2
Question2 in G2 - Severity 3
Question3 in G2 - Severity 4
CCS Assessment Manager uses the following formula to calculate the severity for
the questions in G1:
Min (AVG (answer severity for Question1 + answer severity for Question2 + answer
severity for Question3), 10)
Table 4-3 displays the severity calculation for the questions in G1 in the
questionnaire Q1:
Table 4-3
Group    Calculation    Normalized severity
G1       (2+3+4)/3
CCS Assessment Manager uses the following formula to calculate the severity for
the questions in G2:
Min (AVG (answer severity for Question2 + answer severity for Question3), 10)
Table 4-4 displays the severity calculation for the questions in G2 in the
questionnaire Q1:
Table 4-4
Group    Calculation    Normalized severity
G2       (3+4)/2        3.5
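The group severity calculation in Tables 4-3 and 4-4, as an added Python example that is not part of the Symantec documentation or product code. The `Group` class and the function names are assumptions, as are reading the 5 in Table 4-2 as the maximum severity and scoring an empty group as 0.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Group:
    """A questionnaire group (hypothetical model, not a product type)."""
    name: str
    answer_severities: List[float] = field(default_factory=list)
    subgroups: List["Group"] = field(default_factory=list)


def question_severity(answer_severity: float, max_severity: float) -> float:
    """Table 4-2 rows: answer severity / maximum severity * 10."""
    if max_severity <= 0:
        raise ValueError("max_severity must be positive")
    # Multiply first so that 3/5 * 10 evaluates to exactly 6.0 in floating point.
    return answer_severity * 10 / max_severity


def all_severities(group: Group) -> List[float]:
    """Answer severities of the group's own questions and of every sub-group."""
    values = list(group.answer_severities)
    for sub in group.subgroups:
        values.extend(all_severities(sub))
    return values


def group_severity(group: Group) -> float:
    """Min(AVG(answer severities in the group, sub-groups included), 10)."""
    values = all_severities(group)
    if not values:
        return 0.0  # assumption: a group with no answered questions scores 0
    return min(sum(values) / len(values), 10)


# The page's example: G1 holds Question1 and sub-group G2 (Question2, Question3).
G2 = Group("G2", answer_severities=[3, 4])
G1 = Group("G1", answer_severities=[2], subgroups=[G2])

if __name__ == "__main__":
    for g in (G1, G2):
        print(g.name, group_severity(g))
```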
Replace a weight.
See Replacing a weight on page 100.
Load a profile
Save a profile.
the answers. You estimate the weight values used in the custom scale. You should
use the standards and best practices of your organization as a guide when you
assign the weights. The results are displayed when the reports are available in
the Admin portal.
To use the quizzing tool, you must assign a weight for each answer.
Note: For the imported OCIL questionnaires, the severity for the correct answer
of a boolean or choice question is minimal (severity 3).
Question scale settings
Table 4-5
Weight Name    Weight Value    Description
Disabled
Low
Medium                         Mid-priority control
High
Highest
You can assign a different weight to each answer. You can have only one correct
answer, but you can give partial points for other answers. All user-defined answers
are disabled and have a weight value of zero, by default.
You can modify the weight of an answer using the Weight Wizard. You can increase
or decrease the weight to reflect your organization's standards. You can disable
the weight of an answer. The Report Wizard ranks results by the weight value.
Answer scale settings
Table 4-6
Weight Name    Weight Value    Description
Disabled
Minimal
Moderate
Severe
Very Severe    4
Extreme
In the Weight Wizard lower area, move the slider to increase or decrease the
severity.
Click Apply.
Replacing a weight
The Quick Replace tool searches either the questions or the answers. You can
filter the search by the current weight value or a text string, or an object type.
You can modify the search options. You can modify the result to remove objects.
You can assign a new weight for every selected object.
You can use the following search options:
Partial Match
Full Match
To replace a weight
Click Apply.
Click on the Assign Weights tab. In the Weight Definitions message box,
click Yes.
.bmp
.gif
.jpg
.png
.raw
.tif
.tiff
.wav
.csv
.doc
.docx
.log
.ppt
.ptx
.rpt
.txt
.xml
.xls
.xlsx
.zip
Note: Attachments in executable format or .zip files that contain executable
files are not supported.
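One way to enforce the extension list and the note above before a file is accepted as an attachment, as an added Python example; it is not how CCS Assessment Manager implements the check. The function names, the set of executable extensions, the "MZ" header heuristic, and the refusal of nested or encrypted archives are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment extensions listed on this page (leading dots normalized).
ALLOWED = {".bmp", ".gif", ".jpg", ".png", ".raw", ".tif", ".tiff", ".wav",
           ".csv", ".doc", ".docx", ".log", ".ppt", ".ptx", ".rpt", ".txt",
           ".xml", ".xls", ".xlsx", ".zip"}
# Assumption: the page does not enumerate executable formats; sample set.
EXECUTABLE = {".exe", ".dll", ".com", ".scr", ".msi", ".bat", ".cmd",
              ".ps1", ".vbs", ".js", ".jar"}


def extension(name):
    """Lower-cased final extension, so 'report.txt.EXE' yields '.exe'."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def looks_executable(name, head):
    """Executable by extension, or by the 'MZ' header of Windows binaries."""
    return extension(name) in EXECUTABLE or head[:2] == b"MZ"


def check_attachment(filename, data):
    """Return (accepted, reason) for one uploaded attachment."""
    ext = extension(filename)
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not supported"
    if looks_executable(filename, data):
        return False, "content is an executable"
    if ext != ".zip":
        return True, "ok"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                if member.flag_bits & 0x1:  # encrypted: cannot be inspected
                    return False, f"encrypted member {member.filename}"
                if extension(member.filename) == ".zip":
                    # Assumption: nested archives are refused, not unpacked.
                    return False, f"nested archive {member.filename}"
                with archive.open(member) as handle:
                    head = handle.read(2)
                if looks_executable(member.filename, head):
                    return False, f"executable member {member.filename}"
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    return True, "ok"


def build_zip(members):
    """Constructed sample input: build a zip in memory from {name: bytes}."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()
```

The header check is a heuristic: it also rejects a text file that happens to begin with the bytes "MZ".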
Table 4-7
<base location>\CCSAMServer.<datetime stamp>
<base location>\CCSAMConsole.<datetime stamp>
<base location>\Installs\CCSAMInstallerLog.<datetime stamp>
<base location>\CCSAMWebPortal.<datetime stamp>
Table 4-8 lists the CCS Assessment Manager LogLevels and their descriptions:
Table 4-8
LogLevel     Description
ERROR
EXCEPTION
WARNING      Logs only warning messages.
INFO
TRACE
RAMServer.exe.config
Web.config
Parameter
Usage
<add key="MaxImageFileSizeInMB" value="<enter value here>" />
<add key="MaxVideoFileSizeInMB" value="<enter value here>" />
<add key="EmailServiceType" value="<enter value here>" />
Enter the value to specify whether you want to configure SMTP or Exchange profile to send email notifications.
<add key="EmailServiceInfo" value="<enter value here>" />
Enter the SMTP server information that you want to use for the email notifications. Specify the SMTP server name if you have configured SMTP. Specify the Exchange profile if you have configured Exchange.
Table 4-9
Parameter
Usage
<add key="EmailFromAddress" value="<enter email address>" />
<add key="MaxAllowedAttester" value="<enter value here>" />
Parameter
Usage
<add key="MaxFileAttachment" value="<enter value here>" />
Table 4-10
Parameter
Usage
<add key="MaxPrerequisiteCount" value="<enter value here>" />
<add key="NoOfDaysBeforeReachingDueDate" value="<enter value here>" />
<add key="NoOfDaysBeforeLastAccess" value="<enter value here>" />
<add key="HomePageConfigImageExtSupport" value="bmp,gif,jpg,png" />
<add key="MaxHomePageConfigImageFileSizeKB" value="<enter value here>" />
Enter the value for the maximum size of images that you want to specify for the CCS AM Web portal home page images. The default value is 50 MB.
<add key="DaysAfterDueDate" value="<enter value here>" />
<add key="MaxAllowedAttester" value="<enter value here>" />
Settings to launch the CCS AM Web portal links from the CCS Web Console
The trusted host configuration must be set up to allow the CCS web console to
launch the CCS AM web portals.
You can configure trusted hosts from the "trustedHosts" section in the web.config
file. Following is the path to the web.config file:
<install dir>\CCS Assessment Manager Server\webclient\web.config
The trustedHosts section contains the following parameters:
Host name - Host name of the machine where the CCS web portal is installed.
The host name field is auto-populated.
FQDN - Fully qualified domain name of the machine where the CCS web portal
is installed.
The FQDN field is auto-populated.
IP address - List of IP addresses of the machine where the CCS web portal is
installed. This is an optional field.
The IP addresses must be added manually. One or more IP addresses can be
specified.
If the IP address changes, the IP address in the trustedHosts configuration
must be updated manually.
The trusted host configuration is auto-populated when the CCS settings are
configured from the Tools > Settings window in the thick console of CCS AM.
For the auto-population of the configuration, the user who is setting the
configuration must be a CCS Administrator and must be a CCS AM Administrator
or a CCS AM Power-User. If the trustedHosts configuration section is not
visible in the web.config file, then the trustedHosts configuration must be added
manually.
To populate the settings manually in the web.config file, add the structure of the
trustedHosts configuration, mentioned earlier, to the <configuration> node in
the web.config file. Add the section after the <configSections> node and provide
the required values.
Chapter
About the Control Compliance Suite and the CCS Assessment Manager
integration
RAM.CCSEvidence
RAM.CCSEvidenceLast7Days
RAM.CCSEvidenceLast30Days
RAM.CCSEvidenceLast90Days
The CCS AM Service user must have Assets Viewer permission on the asset system.
The Control Compliance Suite and the CCS Assessment Manager integration
provides a comprehensive framework that lets you do the following:
Pull in the CCS Assessment Manager asset compliance data and represent the
data with the help of reports and dashboards.
Integrate the compliance process with the existing CCS asset management
systems.
Note: You must configure the CCS settings by using the CCS Assessment Manager
console before you go ahead with the data integration.
See Configuring CCS Assessment Manager to connect to Control Compliance
Suite on page 113.
Perform the following steps to use the CCS AM data for policy and mandate
compliance
Map the CCS AM questionnaire and the policy controls in Controls Studio.
See Mapping CCS AM questionnaires to control statements on page 114.
Import the CCS Assessment Manager data into CCS by using an ODBC data
connector.
Run the reporting sync job and the global metrics job.
Use the CCS dashboards to represent the CCS Assessment Manager data.
Note: You can launch the CCS Web portal from the CCS Assessment Manager
Admin Web portal Reports tab by clicking the Go to the CCS dashboards link.
View the CCS Assessment Manager evidence from CCS Web portal.
You must have CCS AM Administrator privileges to be able to launch the
evidence link.
Perform the following steps to use the CCS AM data for risk score calculation
Map the CCS AM questionnaire and the policy controls in Controls Studio.
See Mapping CCS AM questionnaires to control statements on page 114.
Note: To be able to create mappings, the CCS service user must be a member
of the RAM_Administrators group or the RAM_PowerUsers group.
Import the CCS Assessment Manager data into CCS by using an ODBC data
connector.
Run the reporting sync job and the global metrics job.
Use the Risk Dashboard to see the risk score calculation for the CCS
Assessment Manager data.
See About severity calculation for answers in a CCS Assessment Manager
questionnaire on page 96.
Perform the following steps to use the CCS AM data to view in CCS panels
Import the CCS Assessment Manager data into CCS by using an ODBC data
connector.
Run the reporting sync job and the global metrics job.
Use the CCS panels to view the CCS Assessment Manager data.
In the CCS Assessment Manager console, navigate to Tools > CCS Assessment
Manager Server Tools > Settings.
Provide the User Principal Name (UPN) of the user in whose context the
application server service is running. For example, user@domain.com.
The Admin Portal URL text box displays the default link for the Admin Web
portal. If you make changes to the IIS settings, click Refresh to get the updated
URL.
Click OK.
From the External Data Systems list, select the CCS Assessment Manager
data system and then do one of the following:
From the taskbar, select System Tasks > Add Data Connection.
Right-click the data system and then select Add Data Connection.
In the Specify Data Connection Parameters panel, do the following and then
click Next:
Connection name
The following fields are displayed when you select ODBC from the Connection
type drop-down list:
Data location
Query type
Table/View/SQL command
In the Select Data Fields panel, select the data fields that you want to include
when you import the CCS AM data and then click Next.
You must select a minimum of two fields to import data.
In the Data Import Schedule panel, select one of the following schedule
options and then click Next:
Run now
Select this option to run the job immediately after you click Finish.
Run periodically
Select this option to run the job on a specified date and time.
Provide the following information:
Start on
Run once
In the Email Notification panel, check Send Notification if you want to send
a notification upon the success or failure of the data import execution. Both
the tabs in the Email Notification panel contain the same options. Enter the
following information and then click Next:
Subject
Message
To (Email IDs)
In the Summary panel, view the summary and then click Finish.
You can use the Mandate dashboard in CCS to view a graphical representation
of the asset compliance for Mandates, for example: HIPAA.
Detailed textual representation of the Mandate can be viewed from Mandate
based reports.
You can use the Policy dashboard to view a graphical representation of the
asset compliance for Policy, for example: Your Organization's IT Security
Policy.
Detailed textual representation of the Policies can be viewed from Policy based
reports.
The dashboards display asset-based evidence from the CCS AM attester responses.
You can view the following evidence data for each asset:
Attester name
Attester response
Appendix
Troubleshooting
This appendix includes the following topics:
svc-Integrated-4.0
ExtensionlessUrl-Integrated-4.0
Troubleshooting
About troubleshooting the CCS Assessment Manager issues
SQL database fails because the previous domain user does not have rights in the
SQL server. Moreover, the current user account cannot be resolved.
Solution: To resolve this issue, execute the following command for the CCS AM
database:
sp_changedbowner <new db_owner username>
Add the site where the CCS AM server is installed to Local Intranet from the
Internet Options.