CCS Assessment Manager User Guide

Symantec CCS Assessment
Manager User Guide

Version 11.0
Symantec CCS Assessment Manager User Guide

The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version: 11.0
Legal Notice
Copyright 2013 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (Third Party Programs). Some of the Third Party
Programs are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under
those open source or free software licenses. Please see the Third Party Legal Notice Appendix
to this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Supports primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our online
Knowledge Base. The Technical Support group works collaboratively with the
other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product Engineering
and Symantec Security Response to provide alerting services and virus definition
updates.
Symantecs support offerings include the following:
A range of support options that give you the flexibility to select the right
amount of service for any size organization
Telephone and/or Web-based support that provides rapid response and

up-to-the-minute information
Upgrade assurance that delivers software upgrades
Global support purchased on a regional business hours or 24 hours a day, 7

days a week basis
Premium service offerings that include Account Management Services
For information about Symantecs support offerings, you can visit our website at
the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support agreement
and the then-current enterprise technical support policy.
Contacting Technical Support

Customers with a current support agreement may access Technical Support
information at the following URL:
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to replicate
the problem.
When you contact Technical Support, please have the following information
available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration

If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
Customer service
Customer service information is available at the following URL:
Customer Service is available to assist with non-technical questions, such as the
following types of issues:
Questions regarding product licensing or serialization
Product registration updates, such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade assurance and support contracts
Information about the Symantec Buying Programs
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs, DVDs, or manuals
Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please
contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan
customercare_apac@symantec.com
Europe, Middle-East, and Africa
semea@symantec.com
North America and Latin America
supportsolutions@symantec.com
Contents
Technical Support ............................................................................................... 4

Chapter 1
Understanding CCS Assessment Manager .................... 11

About CCS Assessment Manager .....................................................
Recommended security practices for CCS Assessment Manager ............
About the roles and permissions in CCS Assessment Manager ..............
About the CCS Assessment Manager components ..............................
About the CCS Assessment Manager Client .................................
About the CCS Assessment Manager Admin Web client .................
About the CCS Assessment Manager end-user Web client ..............
About the CCS Assessment Manager Server ................................
About the content packs ..........................................................
Chapter 2
11
15
16
17
18
19
21
22
23
Business Objectives that you can achieve with CCS

Assessment Manager ................................................... 25
Asset compliance assessments ........................................................ 25
User assessments ......................................................................... 26
Chapter 3
Chapter 4
How do you meet your business objectives ................... 27

How do you meet your business objectives ........................................
Creating a questionnaire .........................................................
Reviewing a questionnaire .......................................................
Publishing a questionnaire ......................................................
Assessment creation ...............................................................
Responding to an assessment ...................................................
Response collection ................................................................
Report generation ..................................................................
27
28
39
40
41
55
63
72
General concepts and tasks in CCS Assessment

Manager ..........................................................................
85
CCS Assessment Manager tasks and permissions ............................... 86

About Open Checklist Interactive Language (OCIL) documents ............. 87
About customizing the CCS Assessment Manager Web client UI ........... 88
Contents
Customizing the CCS Assessment Manager Web client user

interface ......................................................................... 89
About CCS Assessment Manager email templates ............................... 91
Creating custom email templates .............................................. 93
Using the CCS Assessment Manager License Management
utility .................................................................................. 94
Logging out of the CCS Assessment Manager Web portal ..................... 95
About the Answer Templates ......................................................... 96
About severity calculation for answers in a CCS Assessment Manager
questionnaire ........................................................................ 96
About the Weight Wizard tasks ...................................................... 98
About adding a custom scale to a CCS Assessment Manager
assessment ..................................................................... 98
Modifying the custom scale of an answer ................................. 100
Replacing a weight ................................................................ 100
Customizing the custom scale definitions ................................. 101
About providing supporting documents for your response ................. 101
About CCS Assessment Manager logs ............................................. 102
Configuration parameters in CCS Assessment Manager ..................... 103
Settings to launch the CCS AM Web portal links from the CCS
Web Console .................................................................. 107
Chapter 5
CCS Assessment Manager and Symantec Control

Compliance Suite integration ................................... 109
About Control Compliance Suite ....................................................
About the Control Compliance Suite and the CCS Assessment Manager
integration ..........................................................................
How CCS AM data is consumed in Control Compliance Suite ...............
Configuring CCS Assessment Manager to connect to Control
Compliance Suite ............................................................
Mapping CCS AM questionnaires to control statements ...............
Importing CCS Assessment Manager data using an ODBC
connector .....................................................................
Viewing the CCS AM compliance data in CCS dashboards and
reports .........................................................................
Appendix A
109
110
111
113
114
114
117
Troubleshooting ................................................................. 119

About troubleshooting the CCS Assessment Manager issues ...............
CCS AM Web portals do not function correctly ...........................
Assessment submission takes longer than expected ....................
Error message is displayed when Admin or End user portal is
launched .......................................................................
119
119
119
120
Contents
Unable to view images or videos in thick client ..........................

Unable to connect to CCS Application server .............................
Access denied error message is displayed ..................................
Unable to launch CCS AM web portal .......................................
120
120
121
121
10
Contents
Chapter
Understanding CCS
Assessment Manager
This chapter includes the following topics:
About CCS Assessment Manager
Recommended security practices for CCS Assessment Manager
About the roles and permissions in CCS Assessment Manager
About the CCS Assessment Manager components

CCS Assessment Manager (CCS AM) helps you assess your organization's IT and
non-IT compliance posture by using quiz-based assessments. The CCS AM
assessments are based on OCIL-compliant questionnaires that are created or
imported by the CCS AM administrators, who then distribute the assessments
amongst the attesters.
See About Open Checklist Interactive Language (OCIL) documents on page 87.
Following are the primary benefits of the CCS Assessment Manager:
OCIL-compliant data format
Provides creation and import of OCIL-compliant

questionnaires.
Light-weight, Web-based clients for Lets you perform the assessment-related operations
CCS Assessment Manager
by using the browser-based UIs.
administrators and attesters.
Structured approach and a proven Standardizes the assessment process for the more
methodology
effective corporate-wide assessments.
12
Understanding CCS Assessment Manager

Multi-lingual support
CCS Assessment Manager is available in the following

languages:
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
Weight capability emphasizes the

severity of the answers
Lets you assign weightage to an answer to obtain more

accurate business relevant data.
Faster turnaround times
Increases the productivity gains.
Easy import functionality
Facilitates the integration of questionnaires and

provides a comprehensive assessment management
library to support the business objectives.
Following are the primary features of the CCS Assessment Manager:

Review and publish questionnaires
Lets you review a questionnaire from the

Admin Web portal and then publish the
questionnaire. A questionnaire becomes
available for assessments when it is in
'Published' state.
Predefined questionnaires
A comprehensive library provides a matrix

of questionnaires to address many
regulations and best practices.
Assessment delegation
Lets you delegate an assessment to other

CCS Assessment Manager users. Assessment
delegation is possible only in asset
compliance assessments.
Section delegation
Lets you assign specific sections of an

assessment to CCS Assessment Manager
users. Only CCS AM administrators can
assign sections to users during assessment
creation. Section delegation is possible only
in asset compliance assessments.

Accept or resend an assessment response
Lets you accept a response or reassign it to

the attester if the response is not
appropriate. The option to accept or resend
an assessment is available only in asset
Schedule assessments
Lets you specify the date and time to assign

an assessment to the attesters.
Response aggregation
Lets you aggregate attester responses before

you submit the assessment.
CCS Assessment Manager has a role-based distribution of user operations. Each

role includes a set of permissions that enables you to perform various functions.
With the appropriate permissions, you can create or import questionnaires, provide
answers to the questionnaires, collect the user responses, and generate reports.
The roles in CCS AM are as follows:
CCS AM Administrators
CCS AM Power Users
CCS AM end-users
CCS Assessment Manager uses the following two types of assessments to gather
information about the organization's current compliance posture:
Asset compliance assessments
User assessments
Table 1-1 describes the asset compliance and user assessments in CCS Assessment
Manager.
13
14

Table 1-1
About CCS AM assessments
What is an asset compliance assessment What is a user assessment

An asset compliance assessment lets you
collect attester responses and evidences to
assess compliance for procedural controls
based on regulatory mandates, policies, or
risk objectives.
Note: You must have Control Compliance

Suite 11.0 with Product Update 2013-2
(11.0.10300) installed if you want to carry
out asset compliance assessments.
Additionally, you must configure the CCS
settings in the CCS Assessment Manager
console.
A user assessment lets you collect responses

from the end-users in your organization for
non-IT assessments. A user assessment
typically comprises quiz-based
questionnaires and lets you assess the
attesters based on the individual scores.
Note: You do not have to integrate with

Control Compliance Suite to initiate user
assessments.
See Configuring CCS Assessment Manager to connect to Control Compliance

Suite on page 113.
A CCS Assessment Manager administrator can login to the Admin Web client and
view the list of assessments that have been assigned to the attesters. The
administrator collects the attester responses for user assessments and asset
compliance assessments. The administrator can also view the supporting
documents and other evidences that the attester attaches with the response.
A CCS Assessment Manager administrator can generate reports after the collection
user responses and export the reports for a graphical representation of the
information.
With CCS Assessment Manager, you can generate and view operational reports
for the assessments that you have initiated. You can also export the report to a
.xls file.
After response collection, the administrator can have a holistic view of the
organization's compliance posture and decide on the required course of action.
The CCS AM administrator can view the reports for each assessment, which lets
the administrator drill down to the specific response by using the Web interface.
Attached evidence documents help the administrator better understand the
attester response. In case of asset compliance assessments, the administrator can
create reports and dashboards by using the CCS Reporting and Analytics
infrastructure. The CCS AM administrator can drill-down by using the links in a
report and view the response of the attesters as evidence.

Recommended security practices for CCS Assessment Manager
Recommended security practices for CCS Assessment

Manager
Symantec reccommends the following security best practices for CCS Assessment
Manager operations:
Regularly install the latest security patches on the computers on which you
install the CCS Assessment Manager and the database server.
Do the following to enable a secure communication between the browser and

the Web portals:
Enable SSL on the IIS Web site that you use to install the CCS Assessment
Manager Web portals.
To enable SSL on IIS, use the certificates that are issued by a trusted
certificate authority.
Use HTTPS and disable HTTP access to the CCS Assessment Manager Web
portals.
Restrict the proxy server access to legitimate users if you use a proxy
between the browser and the Web server. Additionally, enable appropriate
security measures on the proxy server.
Do not accept certificates from unknown sources on the browser.
Use Microsoft Exchange profiles for mail server communication.

Note: HTML formatted mails are not supported by Microsoft Exchange profiles.
For CCS Assessment Manager Service account, choose a user account that does
not have administrative access on the computer that has CCS Assessment
Manager installed. Use the user account from Users group.
For a CCS Assessment Manager that is installed on the Windows 2003 computer,
the service user should have administrative privileges on the local computer.
Note: Since the user is not Machine administrator, the Launch Admin Web
Portal shorcut on the Assessement Manager Console and the preview of video
and images in the Edit Question window is not available. The user can preview
the attached videos and images from the Admin Web Portal.
For SQL server operations, ensure the following:
15
16

About the roles and permissions in CCS Assessment Manager
Enable SSL and use the certificates that are issued by a trusted certificate
authority.
Restrict the Service User account access on RAM_DB only to a user with
the db_owner privileges. Restrict database access to Service Account users
only.
Enable regular antivirus scans on the CCS Assessment Manager file repository.
The location of the CCS Assessment Manager file repository is as follows:
<install dir>\CCS Assessment Manager\CCS Assessment Manager
Server\Repository
About the roles and permissions in CCS Assessment

Manager
CCS Assessment Manager has a role-based distribution of user operations. Each
role includes a set of permissions that enables you to perform various functions.
With the appropriate permissions, you can create or import questionnaires, provide
answers to the questionnaires, collect the user responses, and generate reports.
The tasks that you can perform with CCS Assessment Manager depend on your
role. The role that you have as a CCS Assessment Manager user determines the
extent of your functions.
When the user is added to the RAM_Administrators group the user is assigned
the Administrator role. Similary, when a user is added to the RAM_PowerUsers
group the user is assigned the Power User role.
Table 1-2 lists the CCS Assessment Manager roles and the tasks that you can
perform with the appropriate permissions.
Table 1-2
Roles and permissions in CCS Assessment Manager
Tasks
Administrators
Power Users
View questionnaires
Create questionnaires
Edit questionnaires
Delete questionnaires
Review questionnaires
Publish questionnaires

Table 1-2
Roles and permissions in CCS Assessment Manager (continued)
Tasks
Administrators
Power Users
Create assessments
Assign assessments
Accept/decline assessments
Respond to assessments
Review responses
Create reports
Purge evidence by date
Clear log files
Clear temporary files
Add prerequisite documents to Y

an assessment
Edit CCS Assessment Manager Y

settings
Install content packs
See About CCS Assessment Manager on page 11.

The following list describes the CCS Assessment Manager components:
CCS Assessment
Manager client
Lets you manage questionnaires and assign weightage to the answers

by using the Weight Wizard.
CCS Assessment
Manager Admin
Web client
Lets the CCS Assessment Manager administrators review and publish

questionnaires, manage assessments, and view reports.
CCS Assessment
Lets the attesters provide the assessment response.
Manager Web client
17
18

CCS Assessment
Manager server
The CCS Assessment Manager Server provides services to the CCS

Assessment Manager clients.
The CCS Assessment Manager Server lets the administrators and
attesters logon from any computer with an Internet connection to
perform the assigned tasks.
The CCS Assessment Manager Server also manages schedules for
the scheduled assessments, email integration, and sending
invitations.
Content packs
Created for different regulatory or best-practice verifications and

checks.
See About the CCS Assessment Manager Client on page 18.

See About the CCS Assessment Manager Admin Web client on page 19.
See About the CCS Assessment Manager end-user Web client on page 21.
See About the CCS Assessment Manager Server on page 22.
See About the content packs on page 23.
About the CCS Assessment Manager Client

The CCS Assessment Manager client uses a tree structure to view and create
groups, questions, and answers into questionnaires. Each level in the tree is a
node. You can do common tasks by right-clicking a node.
Use the CCS Assessment Manager client to create and manage the questionnaires,
which is the source of your assessments. Click the plus sign (+) to expand a group
and show detailed information.
When you create a questionnaire, you work with the following tree-level nodes:
Questionnaire
A set of questions you can use to collect responses.
Group
A collection of questions and responses to the questions. You can have

a primary group that contains multiple nested groups.
Question
An inquiry that asks for a response.
Answer
A possible solution to the question.
You can perform the following tasks by using the CCS Assessment Manager client:
Create a questionnaire.
Download, import, and customize an OCIL 2.0 regulatory content pack into a
questionnaire.

Create a copy of a questionnaire.
Delete a questionnaire.
Import questionnaires that are in the XMLQ format.
You create or manage a questionnaire with the following CCS Assessment Manager
Client tools:
Weight
Wizard
Change the severity of an answer.
Answer
Templates
Add a predefined list to one or more questions.
Spell
Checker
Check the spelling of questions and answers.
See About the CCS Assessment Manager components on page 17.
About the CCS Assessment Manager Admin Web client

The CCS Assessment Manager Admin Web client is a single-window access to
various Admin-related functions that you perform after the questionnaire creation.
You must have the CCS Assessment Manager server installed to be able to launch
the CCS Assessment Manager Admin Web client.
Use the following URL to launch the Admin Web client:
http://<CCS_AM-Server>/CCSAM_Web/Admin
You can use HTTP or HTTPS, depending on which protocol is enabled on the IIS
server. Additionally, if you have configured any of the protocols other than the
default port number, then you must specify the port number too. In that case, use
the following format for the URL:
<protocol>://<CCS AM-Server>:<port>/CCSAM_Web/Admin
By default, the Web address uses the FQDN of the CCS Assessment Manager server.
However, if you manually change the IIS settings and provide an external Web
address, then the Web portal uses the address that you have specified. You must
restart the CCS Assessment Manager Service if you modify the IIS settings.
You can also launch the Admin Web client from the Start menu of your computer.
Go to Start > All Programs > Symantec Corporation > CCS Assessment Manager
Admin Web Client.
You can launch the CCS Assessment Manager Admin Web client from the Start
menu only if you have the CCS Assessment Manager server installed on the
computer.
19
20

Note: Your user account must belong to the RAM_Administrators group or the
RAM_PowerUsers group on the CCS Assessment Manager server to access the
CCS Assessment Manager Admin portal.
The CCS Assessment Manager administrators can use the Admin Web client to
perform the following tasks:
Review and approve a questionnaire
You can review a questionnaire that another

administrator has created. An administrator
publishes a questionnaire only after the
questionnaire has been approved.
Publish and unpublish a questionnaire
You can publish or unpublish a questionnaire

by using the CCS Assessment Manager
Admin Web client. When you publish a
questionnaire, it is ready to be distributed
among the CCS Assessment Manager end
users.
Initiate an assessment
Once a questionnaire is approved and

published, you can initiate an assessment by
sending the assessment to the selected
attesters.
You can initiate the following types of
assessments:
Asset compliance assessment
User assessment
See Asset compliance assessments

on page 25.
See User assessments on page 26.
Edit an assessment
You can edit the assessments that are

already sent as well the assessments that are
scheduled.
Track responses
You can track the attester responses and see

the completion percentage of the
assessment.
Review responses
You can review the responses that the

attesters have submitted.

Approve or resend responses
You can approve the responses that you

receive or reassign to the attester for
modifications in the response that you
received.
Generate reports
You can consolidate the responses that you

receive and then generate reports.
You can view the reports for the end-user
assessments from CCS Assessment Manager.
For compliance-related reports, you must
login to Control Compliance Suite.
About the CCS Assessment Manager end-user Web client

A CCS Assessment Manager attester can use the CCS Assessment Manager Web
client by using the Internet browser. Log in to the CCS Assessment Manager Web
client to provide your responses to an assigned assessment. With the appropriate
permissions, you can administer the Web client.
Use the following URL to launch the Web client:
http://<CCS_AM-Server>/RA_Webclient
Note: You may use https if the protocol is enabled on IIS server. Also, if the http
or https protocol is configured to use other than the default port number, you
must specify the port number as:
<protocol>://<CCS AM-Server>:<port >/RA_WebClient
By default, the Web address uses the FQDN of the CCS Assessment Manager server.
However, if you manually change the IIS settings and provide an external Web
address, then the Web portal uses the address that you have specified. You must
restart the CCS Assessment Manager Service if you modify the IIS settings.
You can select the language in which you want to view the Web client UI from the
Select Language drop-down list, however the culture specific formatting will be
according to the browser locale. The language options that display in the
drop-down list depend on the languages that you select during the CCS Assessment
Manager Language Pack installation. The default language for the Web client
depends on the browser locale. For example, if your browser locale is German, the
default selection in the Select Language drop-down list is German.
When you select a language from the Select Language drop-down list, the specified
language becomes the default selection when you launch the Web client
21
22

subsequently. The language preference remains the same unless you specify a
different language again.
Only CCS Assessment Manager Web portal interface is displayed in the language
that you select. The assessments are always displayed in the language that they
are created by the author. If you do not specify any language from the Select
Language drop-down list, then the UI is displayed as per the browser locale.
Note: To view more languages in the Select Language list, you must install the
language pack. For more information about the availability of your desired
language contact Symantec technical support.
The CCS Assessment Manager attester can use the Admin Web client to perform
the following tasks:
Submit response
You can submit responses after you complete

a questionnaire, so that the administrator
can view your responses, and proceed with
the evaluation.
Delegate assessment
You can delegate the assessment to another

user if you do not have sufficient
information to provide the responses.
Review responses
You can review the responses that the

attesters have submitted.
Approve or resend responses
You can approve the responses that you

receive or reassign to the attester for
modifications in the response that you
received.
Aggregate responses
You can aggregate the attester responses

before you submit the assessment.
Decline assessment
You can decline an assessment in case the

subject of the assessment is no longer within
the portfolio of your job profile.
About the CCS Assessment Manager Server

The CCS Assessment Manager Server is a windows service that provides data
services to the Symantec CCS Assessment Manager clients.

By default, the CCS Assessment Manager Server installation creates the RAM_DB
SQL Server database. During installation, you can also choose to use a previously
created empty database.
Note: You need sys_admin privileges to use the default CCS Assessment Manager
database or a custom database. To use a pre-created database, you must have the
db_owner permissions on the pre-created database.
About the content packs

The content packs are prepackaged questionnaires that contain the set of
questionnaires that are normally required to complete a compliance audit. You
install the CCS Assessment Manager Content Packs by using the content installer.
The content installer is present at the following location:
<install media>\CCS Assessment Manager Content
After installation, you can load the content pack into the CCS Assessment Manager
console and customize the questions to match your needs, if necessary. You can
add or modify the ranking of the questions by using the Weight Wizard tool.
You use the content packs that are shipped with the CCS Assessment Manager as
a template.
By default, the CCS Assessment Manager Content Pack includes questionnaires
in the following languages:
German
English
Spanish
French
Italian
23
24

Chapter
Business Objectives that

you can achieve with CCS
Assessment Manager
User assessments

An asset compliance assessment lets you collect attester responses and evidences
to assess compliance for procedural controls based on regulatory mandates,
policies, or risk objectives. You must have Control Compliance Suite 11.0 with
Product Update 2013-2 (11.0.10300) installed if you want to carry out asset
Note: If the version of Control Compliance Suite is earlier than 11.0 with Product
Update 2013-2 (11.0.10300), then you may still be able to create asset compliance
assessment however, you will not be able to view the policy and mandate
compliance reports for CCS Assessment Manager.
As an administrator, before you initiate an asset compliance assessment, you
must do the following:
Create the IT assets or the business assets in CCS. In case of business assets,
you must associate IT assets to the business assets.
You can also, Import the assets to CCS by using LDAP or a .csv file.
26
Business Objectives that you can achieve with CCS Assessment Manager
User assessments
Assign asset owners to each asset. Users can be assigned in the format of
domain\user.
Configure the CCS Assessment Manager with CCS settings.
Note: To view CCS Assessment Manager questionnaires in CCS Control Studio

and to view the CCS Assessment Manager evidence on CCS dashboards, the CCS
user account must be a part of the RAM_Administrators group and the
RAM_PowerUsers group.
When you assign an asset compliance assessment, the attester has the option to
respond, delegate, or decline the assessment.
Suite on page 113.
User assessments
A user assessment lets you collect responses from the end-users in your
organization for non-IT assessments. A user assessment typically comprises
quiz-based questionnaires and lets you assess the attesters based on the individual
scores.
You do not have to integrate with Control Compliance Suite to initiate user
assessments.
In case of user assessment, the attesters do not have the option to decline or
delegate an assessment. As an administrator, after you receive the user responses,
you can generate the operational reports by using the CCS Assessment Manager
reporting capabilities.
See Creating a user assessment on page 47.
Chapter
How do you meet your

business objectives
How do you meet your business objectives

CCS Assessment Manager provides you with the tools that let you simplify the
complex challenges of regulatory compliance in an organization. By using the
CCS Assessment Manager components, you can evaluate and measure the
processes, controls, and the business relevance of your organization by using the
pre-defined and customized questionnaires.
With the CCS Assessment Manager questionnaires, you can meet the following
business objectives:
Create a snapshot of your organization's current security and compliance

posture by using the procedural control assessments.
See Asset compliance assessments on page 25.
Evaluate the end-users in your organization for non-IT assessments by using

the quiz-based questionnaires.
See User assessments on page 26.
To meet the mentioned business objectives by using the CCS Assessment Manager
infrastructure, you do the following:
Create questionnaires.
Publish and distribute the questionnaires among the end-users.
Provide response to the questionnaire that has been assigned to you.
28

Collect the assessment responses from the end-users.
Create reports for evaluation and analysis.
Creating a questionnaire
You start the assessment process with questionnaire creation. You can import a
pre-defined questionnaire or create a new questionnaire that suits your
organizational requirements.
You can create questionnaires in the following languages:
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
You can create a questionnaire from the CCS Assessment Manager Admin client.
You must have an administrator's role to be able to create a questionnaire.
When you create a questionnaire, you can add single or multiple questions to a
group in the questionnaire. The maximum length of a question is 1024 characters,
including spaces. In the console, a question that is over 255 characters in length
is not completely displayed. The complete question is visible in the Web client
and in the Reporting tools.
You can select the following question types:
Choice
Numeric
Boolean
String
Note: At any point of time during the questionnaire creation, you can save the
questionnaire in the database. To save the questionnaire, right-click the
questionnaire and click Save.

To create a questionnaire
Launch the CCS Assessment Manager console, and then click New
Questionnaire in the dialog box that appears.
Type the questionnaire name in the New Questionnaire dialog box, and then
click OK.
Alternatively, in the CCS Assessment Manager console toolbar, click File >
New Questionnaire.
In the New Questionnaire dialog box, type the name of the questionnaire
and then click OK.
If you want to rename the questionnaire, do one of the following:
In the CCS Assessment Manager console, right-click the questionnaire

and select Rename.
Select the questionnaire and then in the CCS Assessment Manager taskbar,
click Edit Selected.
See Editing a questionnaire name on page 30.
Right-click the questionnaire and then select Add > New Groups.
In the Add a group dialog box, type the name for the group of questions and
then click Add Group.
See Creating a direct group or a nested group on page 38.
Right-click the group name and then select Add > New Questions.
In the Add Questions dialog box, from the Select the type of question
drop-down list, select the type of question that you want to add.
The options that become available in the Select the answer template
drop-down list depend on the type of question that you make.
Type the question.
In the Select the answer template drop-down list, select the template that
you want to provide for the question that you have typed.
10 Click Add.
After you create the questionnaire, login to the Admin Web portal to publish
the questionnaire and then send the assessments to the attesters.
See CCS Assessment Manager tasks and permissions on page 86.
29
30

Creating a copy of an existing questionnaire

You can create a copy of an existing questionnaire by using the CCS Assessment
Manager client. When you save the duplicate questionnaire, it is available in the
CCS Assessment Manager server.
To create a copy of a questionnaire
Launch the CCS Assessment Manager client and open the questionnaire for
which you want to create a copy.
Right-click the questionnaire and then click Save As from the menu that
displays.
When you create a copy of a questionnaire, the original title of the
questionnaire is appended by "_copy".
Type a name for the duplicate questionnaire if required, and then click OK.
You can open the questionnaire from the CCS Assessment Manager server
and make modifications.
Once you create a copy of an existing questionnaire, you can change the
version of the questionnaire.
See Updating the questionnaire versions on page 36.
Editing a questionnaire name

Only a CCS Assessment Manager administrator can modify a questionnaire name.
The maximum length of a name can be 1024 characters, including spaces.
To edit a questionnaire name
In the CCS Assessment Manager console, select a questionnaire and then do

one of the following:
Right-click and then select Rename.
In the CCS Assessment Manager taskbar, click Edit Selected.
In Edit Questionnaire dialog box, type a name for the questionnaire.
Click OK to close the dialog box.
See Creating a questionnaire on page 28.
Editing the questionnaire properties

Only a CCS Assessment Manager administrator can change the properties of a
questionnaire.
You can do the following:

Change the questionnaire name.
Add or change the questionnaire description.
To edit the questionnaire properties
In the CCS Assessment Manager console, right-click a questionnaire and the

select Properties.
In the Selected Object's Properties dialog box, do the following:
Click Document Description and then in the Modify Property Value

dialog box, enter a description for the questionnaire. Click OK.
Click Notice and then in the Modify Property Value dialog box, enter the
content for the notice. Click OK.
Click Additional Information and then in the Modify Property Value

dialog box, enter the additional information for the questionnaire. Click
OK.
Click Questionnaire Version and then in the Modify Property Value

dialog box, enter the version number for the questionnaire. Click OK.
Editing text
You can edit the text of any object. An object is a questionnaire name, a group
name, a question, or an answer.
To edit text
In the CCS AM console, select the object. An object is a questionnaire name,

a group name, a question, or an answer.
Click Edit Selected in the lower toolbar.
In the edit section, type your change.
Press Enter to apply the changes.
Formatting the text of a question

You can add rich-text formatting a question when you add questions to a
questionnaire. You can use the editing tools to provide additional information
about a question in the questionnaire. The information that you provide are
available for the attester in the Additional Information section under each
question.
31
32

To formatting the text of a question
In the CCS Assessment Manager console, right-click a question and click Edit.
In the Edit Question dialog box, use the tools to add rich-text formatting to
the question.
Click Preview to view the HTML version of the question, once you are done
with the formatting.
Click Apply and then click Close.
See Inserting images in a question on page 33.

See Inserting video files in a question on page 32.
See Providing Web links in a question on page 33.
See Inserting special characters in a question on page 34.
Inserting video files in a question

You can insert videos in a question by using the editing pane on the CCS
Assessment Manager console. You can insert images and videos from your local
computer, or from a Web site.
Uploading and inserting video files from your local computer
In the Edit Question dialog box, click Insert Video > Upload and Insert Video
from the toolbar.
In the Insert File dialog box, click Browse to navigate to the location where
the video is stored.
Upload and insert video files from a Web site
In the editing pane of the Edit Question dialog box, click Insert Video > Insert
web video from the toolbar.
In the Insert URL dialog box, type the URL for the video that you want to
insert.
See Formatting the text of a question on page 31.


Inserting images in a question

You can insert images in a question by using the CCS Assessment Manager console.
You can insert images from your local computer, or from a Web site.
Uploading and inserting images from your local computer
In the editing pane of the Edit Question dialog box, click Insert image >
Upload and Insert image from the toolbar.
In the Insert File dialog box, click Browse to navigate to the location where
the image is stored.
Upload and insert images from a Web site
In the editing pane of the Edit Question dialog box, click Insert image >
Insert web image from the toolbar.
In the Insert URL dialog box, type the URL for the image that you want to
insert.
Providing Web links in a question

You can insert Web links in a question by using the editing pane on the CCS
Assessment Manager console.
To provide Web links in a question
In the Edit Question dialog box, select the text to which you want to add a
hyperlink and then click Insert Link from the toolbar.
In the Link Properties dialog box, do the following:
In the Type drop-down list, select the type of link that you want to add.
In the URL text box, type the URL that you want to provide a link for.
In the Bookmark drop-down list, select the bookmark.
In the Target drop-down list, make a selection depending on whether you

want the linked site to open in a new window or the same window.
In the Title text box, type the title for the link.
Check Visible if you want the link to be underlined.
Click Remove Link if you want to remove the hyperlink from the selected
text.
33
34


Inserting special characters in a question

You can insert special characters in a questionnaire by using the editing pane on
the CCS Assessment Manager console.
To insert special characters
In the Edit Question dialog box, click Insert special characters from the
toolbar.
In the Insert special characters dialog box, select the special character that
you want to insert and then click Close.

Adding a template
You can add a user-defined template to the predefined sets.
See Adding answers using the answer templates on page 35.
To add a template
In the Answer Template Editor, click Add Template.
Click Add.
In the Add Answer to Template window, type the value for a single answer.
Click OK.
Adding answers
You add a custom answer to a choice question. You can add one answer at a time,
or you can add several answers.

To add answers
Right-click on a selected choice question and select Add > New Answers.
In the Add One Answer per line dialog box, type an answer.
You can add several answers, but each answer must be on a separate line.
When you are finished, click Add Answer.
Adding answers using the answer templates

The Answer Template contains several sets of predefined answers. You can add
the answers to one or more questions during questionnaire creation.
See Adding a template on page 34.
See Adding answers on page 34.
To add answers using the Answer Template
In the CCS Assessment Manager console, select a question, right-click, and

select Add > Templates.
In the submenu, select one of the answers.

The answers are applied to the selected question.
Deleting a questionnaire
You can delete an existing questionnaire by using the CCS Assessment Manager
client.
To delete a questionnaire
In the CCS Assessment Manager client, open the questionnaire that you want
to delete.
To delete the questionnaire, do one of the following:
Select the questionnaire and then from the console toolbar, select Edit >
Remove Selected.
Right-click the questionnaire and then click Delete on the menu that
displays.
Select the questionnaire and then from the task bar at the bottom of the
console, click Remove Selected.
Click Yes on the confirmation message that displays to confirm the

questionnaire deletion.
35
36

Note: You can delete a published questionnaire only if there are no active
assessments associated with it.
Updating the questionnaire versions

You can update the versions of a questionnaire by using the CCS Assessment
Manager console. You cannot update versions of a questionnaire that has already
been published. For published questionnaires, the version gets incremented by
one after you unpublish. To update the version of a predefined questionnaire, you
must create a copy of the questionnaire and then change the version. You must
be a CCS Assessment Manager administrator to be able to update the version of
a questionnaire.
To create a questionnaire version
Launch the CCS Assessment Manager console.
Open the questionnaire for which you want to create a version and then
right-click.
From the menu that displays, select Properties.
In the Selected Object's Properties dialog box, click Questionnaire Version.
In the Modify Property Value box, type the version number and then click
OK.
Note: You must save the questionnaire for the latest version to display in the
CCS Assessment Manager Admin Web client.
See Creating a copy of an existing questionnaire on page 30.
Importing questionnaires
You can make necessary changes in the OCIL v2.0 XML file on your local computer
and then import the file into CCS Assessment Manager.
Apart from the OCIL questionnaires, you can also import the XMLQ questionnaires
that belong to CCS Assessment Manager 10.5 or earlier. When you import an
XMLQ file, the questionnaire is converted from the XMLQ format to the OCIL
format.
Questionnaire import is not supported in case of the following:
The OCIL files that contain cyclic references from one questionnaire to another
questionnaire within the same document.
The OCIL and XMLQ files that contain hopping options.

Note: The questionnaire that you import must have the document tag. An OCIL
document without the document tag is not valid.
The version of an imported XMLQ file is reset to 1 if the existing questionnaire
version is greater than 32000.
When you import an OCIL questionnaire, the severity value for a 'Fail' result is
set to 3 and the severity value for a 'Pass' result is set to 1 by default. For the other
results such as Error, Unknown, Not Tested, and Not Applicable, the severity value
is 0 by default.
At the time of import, variables, artifacts, and the test action of numeric and string
questions are imported successfully, but they are not used in the assessment
process.
After evaluation of a questionnaire as per OCIL specifications, the assessment
report displays the result states as mentioned below:
Table 3-1
OCIL result after evaluation
Result state in the assessment report
Pass
Pass
Fail
Fail
Not Applicable
Not Applicable
Not tested
Not Applicable
Unknown
Unknown
Error
Unknown
To import a questionnaire
In the CCS Assessment Manager console toolbar, go to File > Import.
In the Import dialog box, navigate to the location where you have saved the
questionnaire and then click Open.
Click OK on the message prompt that confirms the successful import of the
questionnaire.
An error message displays if you have selected an invalid file. Click OK on
the error message and then repeat 2.
See Exporting questionnaires on page 38.
37
38

Exporting questionnaires
You can export questionnaires by using the CCS Assessment Manager console
and save them on your local computer. You must be a CCS Assessment Manager
administrator to be able to export a questionnaire. If you want to import a
questionnaire that you have already exported, you must delete the questionnaire
from the CCS Assessment Manager database and then import. If you modify an
existing questionnaire, you must save the questionnaire before you export.
To Export a questionnaire
In the CCS Assessment Manager console toolbar, go to File > Export.
In the Export Questionnaire dialog box, navigate to the location where you
want to save the file and then click Save.
In the confirmation prompt, click OK.

The exported file is saved as a .XML file.
See Importing questionnaires on page 36.
Creating a direct group or a nested group

A group is a logical collection of questions and answers within a questionnaire
and is the second-highest level in the questionnaire hierarchy. You can create
nested groups to create a hierarchical structure for the questions in a
questionnaire. You must add at least one direct group before you add questions
to a questionnaire. You can create nested groups within an existing nested group.
A nested group can contain questions and nested groups at the same level.
The maximum length of a group name is 255 characters, including spaces.
To create a direct group
In the CCS Assessment Manager console, right-click on the questionnaire

and then click Add > New Groups. Alternatively, select a questionnaire and
then click Add Group in the lower toolbar of the CCS Assessment Manager
console.
In the Add One Group per line dialog box, type the group name.
You can add several groups, but each group name must be on a separate line.
Press Enter to start the next line.
After you have entered the group names, click Add Group.

To create a nested group
In the CCS Assessment Manager console, right-click on an existing group and

then click Add > New Groups. Alternatively, select an existing group and
then click Add Group in the lower toolbar of the CCS Assessment Manager
console.
In the Add One Group per line dialog box, type the group name.
You can add several nested groups, but each group name must be on a separate
line. Press Enter to start the next line.
After you have entered the group names, click Add Group.
Editing a group name

You can modify a group name. The maximum length of a group name can be 1024
characters, including spaces.
To edit a group name
In the CCS Assessment Manager console, select a group.
Right-click and then select Rename.
In Edit Group dialog box, enter the new name for the selected group.
Click OK to close the dialog box.
Reviewing a questionnaire
As an administrator, you can review a questionnaire before you go ahead and
publish.
To review a questionnaire
In the CCS Assessment Manager Admin Web portal, go to Manage >

Questionnaires.
In the Questionnaires table, click on the questionnaire that you want to

review.
The questionnaire review page contains the following sections:
The summary section, which provides the summary of the questionnaire.
The left-hand side panel, which contains the following sub-sections:

Questionnaire
Displays the entire questionnaire in a

hierarchical tree-structure. You can
navigate to any question by clicking on
the respective question in the panel.
39
40

The main questionnaire section
Displays the questions of the

questionnaire in read-only mode.
You can use the pagination at the bottom of the questionnaire to browse
through all the pages.
Review the questionnaire and then click Publish if you want to publish the
questionnaire.
Click Close if you want to publish the questionnaire later.
Publishing a questionnaire
You can publish the CCS Assessment Manager questionnaires by using the CCS
Assessment Manager Admin Web portal. After you publish, the questionnaire is
available in the CCS Assessment Manager Admin client in the read-only format.
You can initiate assessments by using a published questionnaire.
A published questionnaire can also be unpublished if there are no active
assessments associated with it. When you unpublish a questionnaire, the status
of the questionnaire changes from 'Published' to 'Draft' and the version of the
questionnaire increments by one. Once the questionnaire is unpublished it is
available for editing in the Admin Thick console.
The predefined questionnaires are in the published state by default.
You must be an administrator to be able to publish the CCS Assessment Manager
questionnaires.
To publish a questionnaire
Log in to the CCS Assessment Manager Admin Web portal and then go to
Manage > Questionnaires.
From the questionnaires list box, check the questionnaire that you want to
publish, and then click Publish.
You can select only one questionnaire at a time to publish. Multiple selection
is not supported.
See Unpublishing a questionnaire on page 40.

Unpublishing a questionnaire
You can unpublish a CCS Assessment Manager questionnaire if you want to make
modifications in a questionnaire that is already published. You can unpublish a

questionnaire only if there are no active assessments associated with it. After you
unpublish, the state of the questionnaire changes to 'Draft' and the questionnaire
is longer available for assessment creation. The version of a questionnaire
increments by one each time you unpublish a questionnaire. If you have multiple
questionnaires by the same name, the latest version takes the maximum version
number out of the existing questionnaires and then increments it by one.
You must be a CCS Assessment Manager administrator to be able to unpublish a
questionnaire
To unpublish a questionnaire
Log in to the CCS Assessment Manager Admin Web portal and then go to
Manage > Questionnaires.
From the questionnaires list box, check the questionnaire that you want to
unpublish, and then click Unpublish.
You can select only one questionnaire at a time to unpublish. Multiple
selection is not supported.
See Publishing a questionnaire on page 40.

Assessment creation
As an administrator, you create an assessment by using an existing questionnaire
and sending it to the attesters for response collection.
A CCS Assessment Manager assessment can be of the following two types:
Asset compliance assessment
User assessment
policies, or risk objectives. You can further delegate a user assessment and then
compile the responses to create reports.
An asset compliance assessment uses the assets in the CCS asset system. To create
an asset compliance assessment, you must configure the CCS settings from the
CCS Assessment Manager console.
Suite on page 113.
41
42

scores. You cannot delegate a user assessment.
The assessment creation procedure also includes the following aspects of the CCS
Assessment Manager assessments:
Specifying the CCS assets that you want the assessment to scope, in case of
an asset compliance assessment.
Editing attesters based on the current asset ownerships.
Assign specific sections of the questionnaire to selected attesters.
Attaching prerequisite documents or URLs for the attesters. This is an optional

step.
Specifying the scoring criteria for user assessments.
Configuring notifications and selecting the email template for the notifications.
Configuring reminders for the attesters.
Sending the assessment to the attesters.
See Creating an asset compliance assessment on page 42.

Creating an asset compliance assessment

policies, or risk objectives. An asset compliance assessment uses the assets in the
CCS asset system. The asset hierarchy and the asset type that are displayed when
you create an asset compliance assessment, use the locale in which you have
installed Control Compliance Suite. For example, if you have installed Control
Compliance Suite in French, then the asset hierarchy and the asset type are
displayed in French.
You must have Control Compliance Suite 11.0 with Product Update 2013-2
(11.0.10300) installed if you want to carry out asset compliance assessments and
configure the CCS settings by using the CCS Assessment Manager console.
Note: To view CCS Assessment Manager questionnaires in CCS Control Studio
and to view the CCS Assessment Manager evidence on CCS dashboards, the CCS
user account must be a part of the RAM_Administrators group and the
RAM_PowerUsers group.

As an administrator, you create an assessment and send the assessment to the

selected asset owners. You create an assessment by using a questionnaire, which
is already reviewed and published.
See Assessment creation on page 41.
To create an asset compliance assessment
In the CCS Assessment Manager Admin Web client, go to Manage >

Assessments and then in the taskbar on top, click Create.
In the Select Questionnaire and Assessment Type panel of the New

Assessment wizard, select Asset Compliance from the Assessment Type
drop-down list.
From the Questionnaires list box, select the questionnaire that you want to
use for the assessment and then click Next.
This option is not available when you launch the New Assessment wizard
from the Publish Questionnaire dialog box.
In the Add Attesters panel, do the following and then click Next:
In the Select attester by asset owner section, specify whether you want
to send the assessment to business asset owners or individual asset owners.
A business asset group is a business entity that is associated with business
functions. Business assets can also be collections of physical assets that
represent business entities. For example, banks with departments, servers,
processes and data centers are business assets.
An individual asset group is the group of assets based on the asset type.
For example, for a group of UNIX assets in your organization across various
locations, you can have a group of individual assets named UNIX_assets.
From the asset hierarchy list that is displayed in the Asset Browser, check
the assets or the asset groups that you want to scope for the assessment,
and then click View Asset Details.
Note: The list of assets is fetched from the CCS asset system. To see the
assets in the Asset Browser list box, you must specify the required
configuration settings to connect to CCS.
See Configuring CCS Assessment Manager to connect to Control
Compliance Suite on page 113.
The Owner field displays the owner of the asset or the asset group that
you select. The field displays Not assigned if the selected asset does not
have an asset owner in the CCS asset system.
43
44

Click View Asset Details to view the details of the selected asset and then
click Close.
If you have selected business assets, then you can only view the asset
details from the Asset Details page. However, if you have selected
individual assets, then you select or deselect an asset from the displayed
list.
Note: In case of individual assets, you can select only up to 3000 assets
from the Asset Browser.
In the Edit Attesters panel, in the Selected Attesters list box, click Edit if
you want to change the asset owner. After you make the changes, click Save
to save and close the dialog box, and then click Next.
The Asset Owner field appears blank if the selected asset does not have an
asset owner in the CCS asset system. You can manually enter the asset owner's
name by clicking Edit.
The user account and the Email address of the asset owner that you specify
is fetched from Active Directory.
The Email Address text box appears blank if the asset owner has not
configured the mailbox. You can manually enter the email address by clicking
Edit.
In the Assign Sections panel, check Assign sections (optional) if you want
to assign certain sections of the assessment to other users.
In the Selected Attesters list box, do the following:
Select the attester to whom you want to assign selected sections of the
assessment and then click Assign Sections.
The Assign Sections button becomes available only when you select the
attesters.
In the Assign Questionnaire Sections dialog box, expand the questionnaire

node.
By default, all the sections of the questionnaire are assigned to the selected
attester.
Uncheck the groups or the sections that you do not want to assign and
then click OK.

Note: Click Reset to default state of assign section if you want to discard
the changes that you made. The default state has all the sections assigned
to the attester.
On the Assign Sections panel click Next.

Note: You can edit the section assignments by clicking on the Edit link.
In the Prerequisites panel, add the prerequisite documents and the URLs, if
any.
The maximum number of attachments that you can provide is 10, which is
the default limit. To change the default limit, edit the value of the key<add
key="MaxPrerequisiteCount" value="10" />in the configuration file: <Install
Dir>\CCS Assessment Manager Server\webclient\web.config
The default size limit for the attachments is 200 MB. To change the size limit:
Specify the new limit in KB in the value attribute as: <add

key="MaxPrerequisiteSizeKB" value="204800" />
Specify the new limit in KB in the maxRequestLength attribute as:

<httpRuntime maxRequestLength="204810" executionTimeout="1800"
/>
Specify the new limit in bytes in the maxAllowedContentLength attribute

as: <requestLimits maxAllowedContentLength="209725440" />
The Prerequisites panel is optional. If you want to add attachments, do the

following and then click Next:
Click Add Files to add the prerequisite documents.

Note: The file formats that are allowed by default are: bmp, csv, doc, docx,
gif, jpg, log, pdf, png, ppt, pptx, raw, rpt,tif, tiff, txt, wav, xml, xls, xlsx,
zip, wmv, avi, flv, mov, mpg, 3gp, asf, swf.
However, to change the default file format, edit the key in web.config as:
<add key="PrerequisiteExtSupport" value=bmp,csv,doc,
docx,gif,jpg,log,pdf,png,ppt,pptx,raw,rpt,tif,tiff,txt,wav,xml,xls,xlsx,zip,wmv,avi,flv,mov,mpg,3gp,asf,swf
/>
In the Add URLs text box, enter a Web site link and then click Add to add
the URL to the list box.
45
46

In the Name text box, enter a name for the URL or the file that you have
added. The name that you enter for the prerequisite is displayed to the
attester in the Prerequisite section of the assessment. If you do not enter
a name for the prerequisite, then only the link is displayed to the attester.
You can remove the URLs and the prerequisite documents by clicking
Remove All.
Check Require Acknowledgement if you want an acknowledgement that

the user has read the prerequisite documents or the Web site content.
Once you add the prerequisite documents and URLs, the attachments are
available for the attesters to view or read during the assessment.
In the Assessment Options panel, do the following and then click Next:
In the Due Date box, type the date by which the attester must submit the
responses. Alternatively, click on the calendar icon to select the date.
In the Email Notification section, do the following:
Check Send Notification if you want to enable email notifications. By

enabling the email notification option, you ensure that the selected
attester receives email notifications about the assignment.
From the Email Template drop-down list, specify whether you want
to use the default templates or the custom templates for the
notifications.
The custom templates display only when you have created and saved
the custom templates.
Note: An error is displayed if a template is corrupted or if the template
hirarchy is missing.
From the Importance drop-down list, select the level of importance

that you want to assign to the notification. The default value is Normal.
Check Send Reminder if you want to enable reminders for the attester.
The <number of> days before due date text box becomes available
only when you check Send Reminder. Enter a value for the number of
days before the due date on which you want to send the reminder.
Note: If you want to schedule an assessment, you must ensure that the
reminder date is later than the schedule date.
In the Assessment Title panel, do the following and then click Next:

In the Assessment Title text box, type a name for the assessment. By
default, the Assessment Title text box displays the name of the
questionnaire that you have selected.
In the Welcome Text box, enter a brief introduction about the assessment.
The welcome text is displayed on the Assessment Welcome page on the
CCS Assessment Manager portal. This is an optional step.
10 In the Schedule panel, do the following and then click Finish:
Click Yes to schedule the assessment for a later date.
In the Date and Time text box, enter and the date and the time when you
want the assessment to be sent to the attesters.
You can send the assessment on the same day or on a later date. The
default date that is displayed in the Date and Time text box is a day before
the due date of the assessment. You must not enter a date which is later
than the assessment due date.
The asset owners and the assets that you have included in the assessment
are resolved with the CCS asset system before the assessment is sent to
the selected attesters. If an asset is no longer in the asset system, then
the asset is excluded from the assessment. In such scenarios, you cannot
view these attesters in the Track Response page of the assessment. You
can view the CCS Assessment Manager logs for more details.
Click No if you do not want to schedule the assessment. The assessment

is sent immediately to the selected attesters if you do not enable the
assessment schedule.
See Editing an assessment on page 53.

See About CCS Assessment Manager email templates on page 91.
Creating a user assessment

scores.
As an administrator, you create a user assessment and send the assessment to
the selected attesters. You can create an assessment by using a questionnaire,
which is already reviewed and published.
See Assessment creation on page 41.
47
48

To create a user assessment

Assessments and then in the taskbar on top, click Create.
In the Select Questionnaire and Assessment Type panel of the New

Assessment wizard, select User Assessment from the Assessment Type
drop-down list.
From the Questionnaires list box, select the questionnaire that you want to
use for the assessment and then click Next.
In the Add Attesters panel, in the Search Attesters text box, enter the group
name or the individual attester's name to whom you want to send the
assessment and then click Add.
The user accounts of the attester or the user group that you specify are fetched
from Active Directory. If you want to add a user from a different domain,
then specify the user name in the following format:
<domain>\<user name>
To delete an attester, click the check box against the attester's name and then
click Remove.
Click Next.
In the Prerequisites panel, add the prerequisite documents and the URLs, if
any.
The maximum number of attachments that you can provide is 10, which is
the default limit. To change the default limit, edit the value of the key<add
key="MaxPrerequisiteCount" value="10" />in the configuration file: <Install
Dir>\CCS Assessment Manager Server\webclient\web.config
The default size limit for the attachments is 200 MB. To change the size limit:
Specify the new limit in KB in the value attribute as: <add

key="MaxPrerequisiteSizeKB" value="204800" />
Specify the new limit in KB in the maxRequestLength attribute as:

<httpRuntime maxRequestLength="204810" executionTimeout="1800"
/>
Specify the new limit in bytes in the maxAllowedContentLength attribute

as: <requestLimits maxAllowedContentLength="209725440" />
The Prerequisites panel is optional. If you want to add attachments, do the

following and then click Next:
Click Add Files to add the prerequisite documents.

Note: The file formats that are allowed by default are: bmp, csv, doc, docx,
gif, jpg, log, pdf, png, ppt, pptx, raw, rpt,tif, tiff, txt, wav, xml, xls, xlsx,
zip, wmv, avi, flv, mov, mpg, 3gp, asf, swf.
However, to change the default file format, edit the key in web.config as:
<add key="PrerequisiteExtSupport" value=bmp,csv,doc,
docx,gif,jpg,log,pdf,png,ppt,pptx,raw,rpt,tif,tiff,txt,wav,xml,xls,xlsx,zip,wmv,avi,flv,mov,mpg,3gp,asf,swf
/>
In the Add URLs text box, enter a Web site link and then click Add to add
the URL to the list box.
In the Name text box, enter a name for the URL or the file that you have
added. The name that you enter for the prerequisite is displayed to the
attester in the Prerequisite section of the assessment. If you do not enter
a name for the prerequisite, then only the link is displayed to the attester.
You can remove the URLs and the prerequisite documents by clicking
Remove All.
Check Require Acknowledgment if you want an Acknowledgment that

the user has read the prerequisite documents or the Web site content.
Once you add the prerequisite documents and URLs, the attachments are
available for the attesters to view or read during the assessment.
In the Assessment Options panel, do the following and then click Next:
In the Due Date box, type the date by which the attester must submit the
responses. Alternatively, click on the calendar icon to select the date.
In the Email Notification section, do the following:
Check Send Notification if you want to enable email notifications. By

enabling the email notification option, you ensure that the selected
attester receives email notifications about the assignment.
From the Email Template drop-down list, specify whether you want
to use the default templates or the custom templates for the
notifications.
The custom templates display only when you have created and saved
the custom templates.
Note: An error is displayed if a template is corrupted or if the template
hierarchy is missing.
49
50

From the Importance drop-down list, select the level of importance

that you want to assign to the notification. The default value is Normal.
Check Send Reminder if you want to enable reminders for the attester.
The <number of> days before due date text box becomes available
only when you check Send Reminder. Enter a value for the number of
days before the due date on which you want to send the reminder.
Note: If you want to schedule an assessment, you must ensure that the
reminder date is later than the schedule date.
In the Scoring Criteria section, do the following:
In the Minimum Passing text box, enter a value for the minimum
percentage that the attester must score to pass the assessment.
In the Number of Extra Attempts Allowed text box, enter a value

for the number of times that the attester gets to take the
assessment.
Check Show correct answers on last failed attempt if you want the
correct answers to be displayed against the attester's responses on
the result page after the attester fails in the last attempt.
In case of passed attempts, the correct answers are always displayed
on the result page.
In the Assessment Title panel, do the following and then click Next:
In the Assessment Title text box, type a name for the assessment. By
default, the Assessment Title text box displays the name of the
questionnaire that you have selected.
In the Welcome Text box, enter a brief introduction about the assessment.
The Welcome text is displayed on the Assessment Welcome page on the
CCS Assessment Manager portal. This is an optional step.
In the Schedule panel, do the following and then click Finish:
Click Yes if you want to enable scheduling for the assessment.
You can send the assessment on the same day or on a later date. The
default date that is displayed in the Date and Time text box is a day before
the due date of the assessment. You must not enter a date which is later
than the assessment due date.

The attesters that you have selected for a scheduled user assessment are
validated before the assessment is sent. If a particular attester does not
exist anymore, that attester is excluded from the assessment. If you have
assigned the assessment to a single attester and the attester is no longer
valid by the scheduled date of the assessment, then you cannot view the
assessment in the Current Assessments tab. You can view the CCS
Assessment Manager logs for more details.
Click No if you do not want to schedule the assessment. If you do not

schedule the assessment, the assessment is sent as soon as you click Finish.

See About CCS Assessment Manager email templates on page 91.
Viewing assessments
As an administrator, you can view the currently active assessments and the past
assessments from the Assessments tab of the CCS Assessment Manager Admin
Web portal.
The Assessments tab lets you do the following tasks:
Create an assessment
Edit an assessment
View the current assessments
View the past assessments
Use the Current Assessments tab to view the following details of the active
assessments:
Name of an assessment
Completion percentage of an assessment

In case of multiple attesters, the completion percentage displays the aggregated
response completion percentage of all the attesters.
Schedule status of an assessment
Due date of an assessment
Type of an assessment
The name of the questionnaire that has been used to create an assessment
Version of the questionnaire has been used to create an assessment
Creation date of an assessment
The name of the user who has created or imported an assessment
51
52

The number of prerequisite documents or URLs that are attached to an

assessment.
You can click on the link to download and view the attachments.
You can view both the asset compliance assessments and the user assessments
from the Current Assessments tab.
An assessment is listed in the Current Assessments tab until the expiration date.
By default, the expiration date for an assessment is 90 days after the assessment
due date. An administrator can modify the value for the number of days after the
due date when an assessment expires.
See Configuration parameters in CCS Assessment Manager on page 103.
An asset compliance assessment is listed in the Current Assessments tab based
on the following criteria:
If there is any action pending on the administrator for an assessment,

irrespective of the assessment due date.
The administrator has accepted the attester responses, but the assessment
has still not reached the expiration date that is configured by the administrator.
If the attester has not provided the responses yet and the assessment has not
yet reached its expiration date.
After an assessment goes beyond the expiration date, it is no longer listed in the
Current Assessments tab. You can view the expired assessments in the Past
Assessments tab.
Note: You may see an assessment in the Curent Assessment tab even afer it
reaches the expiration date. This happens when an assessment has pending tasks
to be completed by the administrator when the assessment expires.
Sometimes, the assessments that are scheduled for a later date may fail at the
time when it is sent to the selected attesters. In such cases, the status of the
assessment displays as "Error". This happens due to any of the following reasons
that may occur at the time of sending the assessment to the attesters:
The CCS Assessment Manager server is not able to connect to the CCS
application server.
The CCS Assessment Manager server is not able to resolve the IT assets or the
business assets, based on the asset type selection.
If the selected business assets are not mapped to any IT assets in the CCS asset
system.
The CCS Assessment Manager server is not able to resolve the selected users.

Use the Past Assessments tab to view the following details of the expired
assessments:
Name of an assessment
Completion percentage of an assessment

Schedule status of an assessment
Due date of an assessment
Type of an assessment
The name of the questionnaire that has been used to create an assessment
Version of the questionnaire has been used to create an assessment
Creation date of an assessment
The name of the user who has created or imported an assessment

assessment.

See Viewing an assessment response (Admin) on page 65.
Editing an assessment
With the appropriate Admin rights, you can edit an existing assessment by using
the CCS Assessment Manager Admin Web client. You can edit the assessments
that are already sent as well the assessments that are scheduled. You can edit all
the options in a scheduled assessment. For example, you can add or delete attesters,
modify the due date for submission and so on.
However, for the assessments that have already been sent to the attesters, you
can modify the following:
Add more assets and associate the attesters to the newly added assets for an
asset compliance assessment.
You cannot modify the assets and the corresponding asset owners who are
already added.
Add new attesters for a user assessment. However, you cannot remove the
attesters who are already added.
53
54

For both asset compliance and user assessments, you can extend the due date
of submission for the assessment.
When you edit an assessment to add more assets, the edited version is assigned
to the attester as a new assessment.
Note: As a best practice, while creating or editing an assessment avoid selecting

a business asset that is part of multiple hierarchies for the same assessment.
To edit an assessment

Assessments.
In the Current Assessments tab, check the assessment that you want to edit
and then in the taskbar on top, click Edit.
In the Edit Assessment wizard panels, make the required changes and then
click Finish in the Schedule panel.
Scheduling an assessment
You can schedule an assessment for a later date, if you do not want to immediately
assign the assessment to the selected attesters. You can schedule an assessment
only during assessment creation. When you schedule an assessment, the date
that you specify must a date before the due date of the assessment.
In case of asset compliance assessments, the asset owners and the assets that you
have included in the assessment are resolved with the CCS asset system before
the assessment is sent to the selected attesters. If an asset is no longer in the asset
system, then the asset is excluded from the assessment. In such scenarios, you
cannot view these attesters in the Track Response page of the assessment. You
can view the CCS Assessment Manager logs for more details.
A scheduled assessment may fail due to any of the following reasons at the time
of sending the assessment:
If the CCS Assessment Manager Server is unable to connect to CCS Application

Server .
If the CCS Assessment Manager is unable to resolve the specified IT assets or

the business assets at the time of sending the assessment.
If there are no IT assets associated to the selected business assets at the time
of sending the assessment.

In case of a user assessment, if CCS Assessment Manager is unable to resolve

the users at the time of sending the assessment.
Note: When an assessment fails, the Schedule Status column displays the status
as Error.
To schedule an assessment
In the New Assessment wizard, in the Schedule panel, do the following:
Click Yes to schedule the assessment for a later date.
The default date that is displayed in the Date and Time text box is a day
before the due date of the assessment.
Click Finish.
Responding to an assessment
The Assessments tab of the Assessment Manager Web client lets you access the
assessments that have been assigned to you. As an attester, you can do the
following:
Assign the assessment to other CCS Assessment Manager users.
Provide your responses to the assessment yourself.
Note: The option to delegate an assessment to other users is available only in an

asset compliance assessment.
To respond to an assessment
Launch the CCS Assessment Manager Web client and then go to Assessments.
In the My Assessments section, in the Assessments column that lists the

assessments that have been assigned to you, click on an assessment.
In the Assessment Details page, click Proceed.
After you open a questionnaire, you can do the following:
View details of a questionnaire
Enter your response
55
56

Add comments
Attach supporting documents
Attach supporting URLs
You can click on the link to view the supporting documents and URLs after
you attach.
After you provide your responses, click Submit to submit the assessment.
At any point of time during your response, click Cancel to close the questionnaire
and go back to the Questionnaire welcome page. After you open a questionnaire,
click Close and go back to the Questionnaires page.
See Adding comments in a response on page 56.
See Attaching supporting documents on page 57.
See Attaching supporting URLs on page 57.
See Delegating an assessment on page 57.
Saving an assessment to resume later

You can save an incomplete assessment and resume later.
To save and resume an assessment later
Go to the Response page of the assessment and then click Save and Close.
See Responding to an assessment on page 55.
Adding comments in a response

When you respond to an assessment, you can provide comments to support your
answer. The supporting comments act as the evidence for the response that you
provide.
To add a comment
In the Response page, click the Comments tab and then enter your comments.


Attaching supporting documents

When you respond to an assessment, you can attach documents to support your
answer. The supporting documents act as the evidence for the response that you
provide.
To attach supporting documents
In the Response page, click the Supporting Documents tab, and then click
Attach .
Navigate to the location where you have the document saved, select the
document and then click Open.
If you want to remove an attachment, click the Delete icon against the
attachment. To remove all the attachments at the same time, click Clear All.

Attaching supporting URLs

When you respond to an assessment, you can attach URLs to support your answer.
The supporting URLs act as the evidence for the response that you provide.
To attach supporting URLs
In the Response page, click the Supporting URLs tab.
In the text box, enter the URL and then click Add.
If you want to remove a URL, click the Delete icon against the URL. To remove
all the URLs at the same time, click Clear All.

Delegating an assessment
When you receive an asset compliance assessment, you may delegate the
assessment to another user if you do not have sufficient information to provide
the responses.
There may be scenarios wherein you delegate an assessment to other CCS
Assessment Manager users, and then the assigned users decline the assessment.
In such cases, you may decline the assessment after you accept the declination
requests from the users to whom you had delegated the assessment.
57
58

See Declining an assessment on page 62.

To delegate an assessment
Login to the CCS Assessment Manager Web client and click the Assessments
tab.
In the My Assessments section, click the assessment that you want to

delegate.
On the assessment welcome page, click Add Attesters.
In the Add Attesters dialog box, do the following and then click OK:
In the Due Date For Attesters box, enter the date by which the attester
to whom you are assigning the assessment must submit the responses.
The due date that you specify must be earlier than the original due date
of the assessment.
In the Enter user name or the group name text box, enter the user names
to whom you want to delegate the assessment and then click Add.
In the Comments text box, enter a brief description about the assessment.
You can click Cancel to discard your inputs and to go back to the assessment
welcome page.
On the assessment welcome page, click Delegation Details to view the details
about the assessment delegation, and then click Send Assessment.
You can click Edit to make the following modifications to the delegation
operation:
Change the due date for the assessment.

Note: It is recommended that you do not prepone the due date of the
assessment.
Change the reminder (in days) for the user.
Remove the current attester or add another attester.
Once you delegate an assessment, you can view the responses of the assigned
attesters from the response page.
See Providing an aggregated response on page 59.

Providing an aggregated response

When you delegate an asset compliance assessment, you can view the attester
responses from the response page and then provide an aggregated response based
on the user responses.
Consider a scenario, wherein you have received an assessment for which you do
not have the adequate information to provide the responses. You delegate the
assessment to other CCS Assessment Manager users to gather the required
information. When the attesters submit their responses, you need to analyze the
response that you have received and then provide an aggregated response. When
you provide an aggregated response, you can attach the supporting documents
that the attesters have provided. The attached documents and URLs act as the
evidence for the response that you provide. You can provide the aggregated
response and add the attachments from the Response page.
Your response may contain one or more levels of aggregation, depending on the
number of attesters that the assessment is delegated to. As the final aggregation,
you select the assets and the supporting evidence that you receive and attach for
each asset. You can also provide your own set of evidence to support your response.
For each question and each asset in scope, the administrator receives the evidence
that you provide and what you attach from the other attester responses.
The process of response aggregation involves the following steps:
Analyse the attester response in the Response page.
View the attester response and the supporting evidence.
Provide your aggregated response based on the attester response and the
evidence.
Note: You must approve the attester response before you proceed with response
aggregation.
To analyse the attester response in the Response page
In the CCS Assessment Manager Web client, go to Assessments.
In the My Assessments section, click an assessment to go to the Assessment

Summary page.
In the Assessments Summary page, click Proceed.
To view the attester response and the supporting evidence
In the Response page, under each question, you can see the following tabs:
Answer
59
60

Comments
Supporting Documents
Supporting URLs
Assets
Attester Response
You use the Answer, Comments, Supporting Documents, and the Supporting
URLs tabs to provide your own aggregated response.
Click the Answer tab to view the attester response.
Click the Assets tab to see the assets that the user has selected for the
response. You can uncheck any of the assets that you want to exclude from
your aggregated response.
Click the Attester Response tab to see the response that the user has provided
and then click View/Attach.
The View/Attach Attester Response dialog box displays the following:
The left-hand pane displays the assets that the attester has selected for
the response.
The right-hand pane displays the supporting documents and the URLs
that the attester has provided for each asset.
Click an asset to display the supporting evidence, and then click View to view
the documents or visit the URLs.
In the left-hand pane, check the assets that you want to include in your
aggregated response and then click Attach.
Note: Make sure that when you select any supporting evidence for aggregation,
you also select the corresponding asset along with it.
To provide an aggregated response
In the Response page, in the Assets section, check an asset and then use the
relevant tab to provide your comments or the supporting evidence for the
selected asset.
Click Submit to submit the aggregated response.

At any point of time during your response, you can click Save and Close to
save your responses and resume later. You can click Cancel to cancel the
response submission.

See Adding the attester's attachments for an aggregated response on page 61.
Adding the attester's attachments for an aggregated response

Consider a scenario, wherein you have received an assessment for which you do
not have the adequate information to provide the responses. You delegate the
assessment to other CCS Assessment Manager users to gather the required
information. When the attesters submit their responses, you need to analyze the
response that you have received and then provide an aggregated response. When
you provide an aggregated response, you have to attach the supporting documents
that the attesters have provided. The attached documents and URLs act as the
evidence for the response that you provide. You can provide the aggregated
response and add the attachments from the Response page.
Note: You must have the appropriate permissions to be able to delegate an
assessment.
To add the attester's attachments for an aggregated response
In the CCS Assessment Manager Web portal, go to the Assessments page.
In the My Assessments tab, click the assessment for which you want to
provide an aggregated response.
In the Assessment Summary page, click View Response.
In the Response page, under the questions that you had delegated, click the
Answers from Attesters section.
In the Attachments column, click Add attachment.
In the View/Attach Additional Details dialog box, do the following and then
click Attach:
In the Supporting Documents section, check the supporting documents

that you want to attach to your response.
You may go through the document before you attach by clicking on the
View link that displays against each document.
In the Supporting URLs section, check the URLs that you want to attach
to your response.
In the Response page, click Submit to forward your aggregated response to

the administrator.
See Providing an aggregated response on page 59.

61
62

Declining an assessment
After you receive an assessment, you may choose to decline the assessment in
case the subject of the assessment is no longer within the portfolio of your job
profile. The option to decline an assessment is present only in the asset compliance
assessments.
There may be scenarios wherein you delegate an assessment to other CCS
Assessment Manager users, and then the assigned users decline the assessment.
In such cases, you may decline the assessment after you accept the declination
requests from users to whom you delegated the assessment.
To decline an assessment
Launch the CCS Assessment Manager Web client and then go to Assessments
> My Assessments.
Click on the assessment that you want to decline.
At the Assessment Details page, click on the Decline link.
In the Decline Assessment dialog box, enter your comments regarding the
declination request and then click OK.
The Comments field is mandatory when you decline an assessment.
See Accepting or rejecting declination requests (Admin) on page 62.
Accepting or rejecting declination requests (Admin)

When you assign an asset compliance assessment, the attester has the option to
decline the assessment. The attester may choose to decline an asset compliance
assessment if the assessment is not within the purview of the attester's business
portfolio. When an attester declines an assessment, the administrator can either
accept or reject the declination request.
To accept or reject declination requests
Launch the CCS Assessment Manager Admin Web client and then go to
Manage > Assessments.
In the Current Assessments tab, click an assessment.
In the Assessment Details page, click on the Decline Pending option.
In the Declination Details dialog box, do the following:
In the Comments text box, enter a brief description about your action.
This is an optional field.
Click Accept to accept the declination request. Or, click Resend to reject
the declination request and to reassign the assessment.

See Accepting an attester response (Admin) on page 68.

See Resending an assessment (Admin) on page 68.
Accepting or rejecting declination requests (Attester)

When you assign an asset compliance assessment, the delegated attester has the
option to decline the assessment. The delegated attester may choose to decline
an asset compliance assessment if the assessment is not within the purview of
the attester's business portfolio. When an delegated attester declines an
assessment, the attester who had delegated the assessment can either accept or
reject the declination request.
To accept or reject declination requests
Launch the CCS Assessment Manager end-user Web client and then go to
Assessments.
In the My Assessments grid, click an assessment.
In the Assessment Welcome page, click on the Decline Pending option.
In the Declination Details dialog box, do the following:
In the Comments text box, enter a brief description about your action.
This is an optional field.
Click Accept to accept the declination request. Or, click Resend to reject
the declination request and to reassign the assessment.
See Accepting an attester response (Attester) on page 70.

See Resending an assessment (Attester) on page 71.
Response collection
As the CCS Assessment Manager administrator, you can login to the CCS
Assessment Manager Admin Web client and view the list of assessments that have
been assigned to the attesters. You can click on any assessment to view the
response details.
You can collect attester responses for user assessments and asset compliance
assessments.
When you receive the response for an assessment, you can also view the supporting
documents and other evidences that the attester attaches with the response.
63
64

If you are a CCS Assessment Manager user and you delegate an assessment that
is assigned to you, you can view the aggregated response and attach responses
from the delegates before you submit the response of your assessment. The CCS
Assessment Manager administrator can use the aggregated response that you
provide for reports and dashboards by using the CCS infrastructure and the CCS
Assessment Manager.
See Viewing an assessment response (Admin) on page 65.
Opening an assessment
When a CCS Assessment Manager administrator or a CCS Assessment Manager
user assigns you an assessment, the assessment is available for you in the CCS
Assessment Manager Web client.
You can view an assessment by doing any one of the following:
Navigate to the My Assessments page in the CCS Assessment Manager Web

client.
Use the link that is provided for the assessment in the notification mail.
After you open a questionnaire, the left-hand tree pane displays the hierarchical
structure of the questions within the groups and the nested groups. You can
navigate to any question or group within the questionnaire by clicking the
corresponding heading in the tree-pane.
If the questionnaire contains questions within nested groups, then the response
page displays the question along with the group hierarchy.
Let us consider the following example:
You have a questionnaire with the title HIPAA Security Rule Toolkit Checklist,
which contains the group Administrative Safeguards. The Administrative
Safeguards group contains two nested groups - Security Management Processes
and Risk Assessment Policies.
The group hierarchy for the HIPAA Security Rule Toolkit Checklist questionnaire
is displayed on the response page as follows:
HIPAA Security Rule Toolkit Checklist > Administrative Safeguards > Security
Management Processes > Risk Assessment Policies
Note: The group name is displayed for the first question of every group and not
for every question.

To open an assessment in the CCS Assessment Manager Web client
Launch the CCS Assessment Manager Web client and then go to Assessments.
In the My Assessments section, in the Assessments column that lists the

assessments that have been assigned to you, click on an assessment.
In the Assessment Details page, you can do any of the following:
Click Add Attesters to assign the assessment to other CCS Assessment

Manager users.
Click Proceed to provide your responses to the questions.
To open an assessment from the notification mail
Click on the link that is provided in the notification mail.

The link takes you to the Assessments page in the CCS Assessment Manager
Web client.

Viewing an assessment response (Admin)

As the CCS Assessment Manager administrator, you can log in to the CCS
Assessment Manager Admin Web client and view the list of assessments that have
been assigned to the attesters from Assessments page.
In the CCS Assessment Manager Admin Web client, the Current Assessments tab
on the Assessments page displays the following details for each active assessment:
The name of the assessment.
The completion percentage of the assessment.

The due date of the assessment.
The type of the assessment.
The name of the questionnaire that has been used for the assessment.
The version of the questionnaire that has been used for the assessment.
The creation date of the assessment.
The name of the user who imported the assessment into CCS Assessment
Manager.
65
66

To view an assessment response

Assessments.
In the Current Assessments tab, click on the assessment for which you want
to view the response.
The Summary section in the Assessment Details page displays the following
information:
Name of the selected assessment.
The cumulative completion percentage of the selected assessment.
The cumulative status of the attesters for the selected assessment.
The date on which the assessment was created or imported.
The name of the questionnaire that has been used for the selected
assessment and the questionnaire version.
The type of the assessment.
Name of the user who created or imported the assessment.
The date by which the attester must submit the response.

assessment.
The Attester Details section in the Assessment Details page displays the
following information:
The name of the attesters to whom the assessment has been assigned.
The current status of the assessment for each attester.
The response percentage of the assessment for each attester.
The individual score attained by each attester for the selected assessment.
The score is displayed only in case of user assessments.
The link to go to the responsee page.
The date by which the attester must provide the response.
The details of the assets that are in scope for the attester. Click the Asset
details link to view the asset details.
In the Assessment Details page, in the View column, click on the Response
link for the assessment response that you want to view.

Note: The Response link becomes active only after the attester submits the
response.
In the Assessment Response page, you can view the following:
The attester's answer for each question in the questionnaire.
The attester's comments for the responses.
The supporting documents that the attester has provided as evidence to

the responses.
The supporting URLs that the attester has provided for the responses.
In case of an Asset Compliance assessment response, the Assets tab displays

the list of assets that are specified for each question. The attester can select
the asset that is specific to the response.
Click Accept if you want to accept the response that you have received from
the attester.
Click Resend if you want to reject and reassign the assessment to the attester.
You must provide your comments when you resend an assessment.
You can also view an assessment response from the report page.
To view an assessment response from a report
On the Manage > Assessments page, click on the assessment for which you
want to view the attester response.
On the Assessment Details page, click View Assessment Report, and then
click any of the charts.
On the drill-down report, in the lower grid, click on any of the response detail
values for the attester whose response you want to view.
On the page that displays the response details, in the Answers column, click
on an answer to go to the response page.
In the response page, you can view the attester response, the comments, and
the supporting evidence that the attester has provided.
See Response collection on page 63.

67
68

Accepting an attester response (Admin)

As an Administrator, you can accept an assessment response after you validate
the response and the supporting evidence that the attester provides. Once the
administrator accepts an assessment, the attester cannot modify the response.
To accept an attester response
In the Current Assessments section, click an assessment.
In the Assessment Details page, click Response.
On the Response page, click Accept.
In the Accept Response dialog box, do the following and then click OK:
In the Comments text box, enter a brief description before you accept the
assessment. This is an optional field
Check Send Email Notification to inform the attester about the acceptance
of the assessment through Email.
You can click Cancel to cancel the accept operation.

Note: The assessment report is available in the CCS dashboards only if the
administrator accepts the attester response.
Resending an assessment (Admin)

You can reassign an assessment to the attester if the response that the attester
provided lacks the required information.
To resend an assessment
In the Current Assessments section, click an assessment.
In the Assessment Details page, click View.
On the Response page, click Resend.
In the Resend Response dialog box, do the following and then click Send:

In the Comments text box, enter your comments to inform the attester
why you have reassigned the assessment. This field is mandatory.
In the Due Date text box, view the due date by which the attester must
submit the assessment.
Check Send Email Notification to inform the attester about the

reassignment of the assessment through Email.
You can click Cancel to cancel the resend operation.

Viewing assessment response (Attester)

As the CCS Assessment Manager user, you can log in to the CCS Assessment
Manager end-user Web client and view the list of assessments that you have
delegated to the attesters from Assessment Welcome page.
In the CCS Assessment Manager end-user Web client, the My Assessments grid
on the Assessments page displays the following details for each active assessment:
The name of the assessment.
The due date of the assessment.
The current status of the assessment.
The Pass or Fail status of the assessment response.

This information is available only for user assessment.
The number of attempts that is allowed as against the number of attempts

that you have used to respond to the assessment.
This information is available only for user assessment.
Tthe assessment has been delegated or not.
The CCS Assessment Manager user who has assigned you the assessment.
The date on which the assessment was assigned to you.
To view an assessment response
In the CCS Assessment Manager end-user Web client, go to Assessments.
In the My Assessments grid, click on the assessment for which you want to
view the response.
The Delegation Details section in the Assessment Welcome page displays
the following information:
69
70

The name of the attesters to whom the assessment has been assigned.
The progress of the assessment for each attester.
The link to go to the responsee page.
The date the assessment was delegated.
The date by which the attester must provide the response.
In the Delegation Details section, in the View column, click on the Response
link for the assessment response that you want to view.
Note: The Response link becomes active only after the attester submits the
response.
In the Assessment Response page, you can view the following:
The attester's answer for each question in the questionnaire.
The attester's comments for the responses.
The supporting documents that the attester has provided as evidence to

the responses.
The supporting URLs that the attester has provided for the responses.
In case of an Asset Compliance assessment response, the Assets tab displays

the list of assets that are specified for each question. The attester can select
the asset that is specific to the response.
Click Accept if you want to accept the response that you have received from
the attester.
Click Resend if you want to reject and reassign the assessment to the attester.
You must provide your comments when you resend an assessment.

Accepting an attester response (Attester)

As an Attester, you can accept an assessment response from the delegated
assessment after you validate the response and the supporting evidence that the
attester provides. Once the attester accepts an assessment, the delegated attester
cannot modify the response.

To accept an attester response
Assessments.
In the Assessment Welcome page, click Response.
On the Response page, click Accept.
In the Accept Response dialog box, do the following and then click OK:
In the Comments text box, enter a brief description before you accept the
assessment. This is an optional field
Check Send Email Notification to inform the attester about the acceptance
of the assessment through Email.
You can click Cancel to cancel the accept operation.

See Accepting or rejecting declination requests (Attester) on page 63.
Resending an assessment (Attester)

You can reassign an assessment to the delegated attester if the response that the
attester provided lacks the required information.
To resend an assessment
Assessments.
In the Assessment Welcome page, click View.
On the Response page, click Resend.
In the Resend Response dialog box, do the following and then click Send:
In the Comments text box, enter your comments to inform the delegated
attester why you have reassigned the assessment. This field is mandatory.
In the Due Date text box, view the due date by which the delegated attester
must submit the assessment.
Check Send Email Notification to inform the attester about the

reassignment of the assessment through Email.
You can click Cancel to cancel the resend operation.
71
72


See Accepting or rejecting declination requests (Attester) on page 63.
Report generation
A CCS Assessment Manager administrator can generate reports after the response
collection and analysis of the user responses.
CCS Assessment Manager lets you export the report detail information and create
the charts that visualize the information and perform the following tasks:
Create a remediation task list.
Identify the task owners.
Set the necessary action items to track the process.
With CCS Assessment Manager, you can create operational reports for the
assessments that you have initiated. You can select an assessment and then create
a report. You can also export the report to a .xls file.
See Creating assessment reports on page 73.
If you have Control Compliance Suite deployed in your environment and if you
configured the External Data Integration settings, then you can import the CCS
Assessment Manager reports into CCS. You can use the CCS Assessment Manager
panels to view the compliance reports in CCS.
To be able to view the compliance reports with the CCS Assessment Manager
evidence, you must map the CCS Assessment Manager questions or groups to the
control statements by using the CCS Controls Studio.
For detailed information on mapping controls, see the Control Compliance Suite
User Guide.
CCS Assessment Manager evidence in Control Compliance

Suite
You must have Control Compliance Suite (CCS) installed to use the questionnaires
as evidence. In the CCS Policy view, you have control statements mapped to a
policy. The control statements must also be mapped to the questions in Controls
Studio. The Symantec Controls Studio maps the control statements to the questions
in the questionnaire. The Controls Studio also maps the control statements to
policies and mandates.

If a question and a policy are mapped to the same control statement, the question
can be used as evidence for the policy. The same CCS asset must be part of the
policy and the questionnaire.
Creating assessment reports

As an administrator, you can create reports and dashboards based on the response
that you receive from the attesters for a particular assessment.
For a selected assessment, you can create reports based on the following criteria:
The response score
The response status
The response status by group
To create reports
Launch the CCS Assessment Manager Admin Web portal and go to Manage
> Assessments.
In the Current Assessments tab, click on the link for the assessment for
which you want to create a report.
In the Assessment Details page, click View Assessment Report.
The Report page displays the graphical representation of the assessment on

the basis of the following criteria:
The response score of the attesters.
The response status of the assessments.
The response status by the groups in the questionnaire.
On the Report page, click on the Response Status Score chart to view the
assessment report.
In case of an asset compliance report, the following details are displayed:
The top 10 assets with low score.
The attesters, questions, and the corresponding aggregated status for

each question in a tabular format.
In case of a user assessment report, the following details are displayed:
The top 10 attesters with low score.
The attesters, questions, and the corresponding aggregated status for

each question in a tabular format.
73
74

On the Report page, click on the Response Status by group graph to view
the following details:
The questionnaire groups and the corresponding aggregated response

status.
The questionnaire groups, attester, and the response status of each group
in a tabular format.
Click Export to export the report into a .XLS file.
Click Email this report at the top of the page to email the report.
An email client must be installed on the computer from which the report is
to be emailed.

See Creating reports for the user assessments on page 74.
Creating reports for the user assessments

that you receive from the attesters for a particular user assessment.
The response score
The response status
The Report page displays the graphical representation of the assessment response
status on the basis of the following criteria:
You can click on the charts to have a detailed report of the assessment response
status.
To create user assessment reports
> Assessments.

following details:
The top 10 attesters with low score.
The response status details for each attester.

status.
The questionnaire groups, attesters, and the response status of each group
to be emailed.

See Creating reports for the asset compliance assessments on page 75.
Creating reports for the asset compliance assessments

that you receive from the attesters for an asset compliance assessment.
The response score
The response status
The Report page displays the assessment report with regards to the specified
assets. The report displays the graphical representation of the assessment response
status on the basis of the following criteria:
You can click on the charts to have a detailed report of the assessment response
status.
75
76

To create asset compliance reports
> Assessments.
following details:
The top 10 assets with low score.
The response status details for each asset.

status.
The questionnaire groups, attesters, and the response status of each group
to be emailed.

Emailing a report
You can email a CCS Assessment Manager report to a CCS Assessment Manager
user from the Admin Web client. When you email a report, the link to the relevant
report is included in the mail. You must be a CCS Assessment Manager
administrator to view the CCS Assessment Manager reports.
If you use Internet Explorer to access the CCS Assessment Manager Admin Web
client, the email client fails to construct the mail if the questionnaire name
contains non-ASCII characters. For internationalized content, the email body may
contain non-ASCII characters.
To resolve this issue, do the following:

On the Internet Explorer, click Tools > Internet Options, and then click the
Advanced tab.
Under the International section, check Use UTF-8 for mailto links.
To mail a report
In the CCS Assessment Manager Admin Web client, click the Reports tab.
In the Reports section, select the assessment from the Select an assessment
drop-down list.
Click View Report.
In the reports page, click Email this report.

to be emailed.
The email client launches with the default mail text that includes the name
of the report and the link to the report page on CCS Assessment Manager
Admin Web client.

See Creating reports for the asset compliance assessments on page 75.
Top 10 business assets that have low scores

The Top 10 business assets that have low scores panel displays the 10 business
assets with the highest risk score in descending order. The risk score is calculated
against the assets that are associated to the selected business asset. The panel
displays a 2D-bar chart.
The panel displays the following information:
Components
Description
Dimension (X axis)
Displays the business assets that have the

highest risk scores.
Measure (Y axis)
Displays the normalized severity of the

responses.
Chart style
2D-bar chart
Properties
The Properties button on the title bar opens

the Panel Properties.
As an example, let us consider that you have a business asset by the name BA1,
which is associated to three assets: Asset1, Asset2, and Asset3.
77
78

You evaluate these assets by using the three questions: Question1, Question2, and
Question3.
The following table displays the evaluation results of the questions against the
assets:
Question
Asset1
Asset2
Asset3
Question1
Pass
Pass
Fail
Question2
Fail
Fail
Pass
Question3
Pass
Pass
Pass
The results of the table are as follows:

Question1 failed against 1 asset.
Question2 failed against 2 assets.
Now, when you create a report, the report shows BA1 as one of the top 10 business
assets that have low scores as Asset1, Asset2, and Asset3 belong to BA1. The
displayed risk score is the mean value of all the asset risk scores.
You can click one of the bars to drill down and view a table for detailed information.
The table displays the following information in context of the assets that are
associated to the selected business asset:
Column name
Description
Normalized Severity
Displays the normalized severity for the

asset.
The normalized severity displays the mean
value of all the asset risk scores.
Scope Asset
Displays the name of the asset in scope.
Assessment Name
Displays the name of the assessment.
Asset Department
Displays the department name that includes

the asset.
Asset Location
Displays the location of the asset.
Questionnaire
Displays the name of the questionnaire that

includes the question which failed.

Column name
Description
Answer
Displays the answer that the attester

provided.
Asset Availability Score
Displays the availability score of the asset

that you selected on the bar chart.
Asset Confidentiality Score
Displays the confidentiality score of the

asset that you selected on the bar chart.
Asset Custodian
Displays the name of the custodian for the

asset that you selected on the bar chart.
Asset Display Path
Displays the location of the asset in the CCS

asset system.
Asset Fully Qualified Name
Displays the fully qualified name of the asset

that you selected on the bar chart.
Asset Host Name
Displays the Host name of the asset that you

selected on the bar chart.
Asset Integrity Score
Displays the integrity score for the asset that

you selected on the bar chart.
Asset IP address
Displays the IP address of the asset that you

Asset Name
Displays the name of the asset that you

Asset Owner
Displays the owner of the asset that you

Asset Site
Displays the site name that contains the

asset.
Asset Type
Displays the type of the asset.
CCS Status
Displays the CCS status of the asset.
Comments
Displays the comments that the attester may

have provided.
Consolidated Asset risk score
Displays the consolidated risk score for the

asset.
Evidence Created Date
Displays the date on which the evidence was

collected.
79
80

Column name
Description
Question
Displays the question for which the asset

scored a 'Fail'.
Question Importance
Displays the severity of the question.
Questionnaire Group Name
Displays the group name that includes the

question which failed.
User name
Displays the name of the user who has

provided the failed answer.
Top 10 failed questions for asset compliance

The Top 10 failed questions for asset compliance panel displays the 10 questions
that have received the highest number of failed responses in descending order.
The panel displays a 2D-bar chart.
Components
Description
Dimension (X axis)
The questions that have failed with regards

to the assets on the Y axis.
Measure (Y axis)
Name of the assets for which the attester

response has failed with regards to the
questions on the X axis.
Chart style
2D-bar chart
Properties

the Panel Properties
The following is an example to determine the questions with the failed score:
You have three assets: Asset1, Asset2, and Asset3.
You evaluate these assets by using the three questions: Question1, Question2, and
Question3.
The following table displays the evaluation results of the questions against the
assets:
Question
Asset1
Asset2
Asset3
Question1
Pass
Pass
Fail
Question2
Fail
Fail
Pass

Question
Asset1
Asset2
Asset3
Question3
Pass
Pass
Pass
The results of the table are as follows:

Question2 failed against 2 assets.
The table displays the following columns:
Column name
Description
Asset Name
Displays the name of the asset.
Question
Displays the question that received a

response with a fail score.
Answer
Displays the answer.
Assessment Name
Displays the name of the asset custodian.
Asset Custodian
Displays the name of the asset owner.
Asset Department

the asset.
Asset Display Path
Displays the display path of the asset.
Displays the fully qualified name of the

asset.
Asset host name
Displays the Host name of the asset.
Asset IP address
Displays the IP address of the asset.
Asset Location

asset system.
Asset Owner
Displays the name of the asset owner.
Asset Type
Displays the type of asset.
CCS Status
Displays the CCS status of the asset.
Comments

have provided.
81
82

Column name
Description

asset.

collected.
Evidence Details
Displays the details of the evidence.
Normalized Severity

asset.
Question Importance
Questionnaire


User name

Class Type
Displays the class type of the user.
Question Type
Displays the type of question - boolean or

choice question.
Severity
Displays the severity of the answer.
Top 10 failed assets for asset compliance

The Top 10 failed assets for asset compliance panel displays the top 10 assets
that have received the highest number of failed responses in descending order.
The panel displays a 2D-bar chart.
Components
Description
Dimension (X axis)
The CCS status for the assets that have

failed.
Measure (Y axis)
Name of the assets that have failed.
Chart style
2D-bar chart
Properties

the Panel Properties

Following is an example to determine the questions with the failed scores:

You have three assets: Asset1, Asset2, and Asset3.
You evaluate these assets and the status of these assets is 'Fail', which is depicted
by the bar chart.
The table displays the following columns:
Column name
Description
Asset Name
Displays the name of the asset.
CCS Status
Displays the CCS status for the asset, which

is 'Fail'.
Answer
Displays the answer that the attester

provided with respect to the asset.
Assessment Name
Displays the name of the assessment.
Asset Availability Score
Displays the availability score of the asset.
Asset Confidentiality
Displays the confidentiality score of the

asset.
Asset Custodian
Displays the name of the asset custodian.
Asset Department

the asset.
Asset Display Path

asset system.
Displays the fully qualified name of the

asset.
Asset Host Name
Displays the Host name of the asset.
Asset Integrity Score
Displays the integrity score for the asset.
Asset IP address
Displays the IP address of the asset.
Asset Location
Displays the location of the asset.
Asset Owner
Displays the owner of the asset.
Asset Site
Displays the site name that contains the

asset.
Asset Type
Displays the type of asset.
83
84

Column name
Description
Comments

have provided.

asset.

collected.
Normalized Severity

asset.
Question
Displays the question for which the asset

scored a 'Fail'.
Question Type
Displays the type of the question - boolean

or choice question.
Question Importance
Questionnaire


User name

Chapter
General concepts and tasks

in CCS Assessment
Manager
CCS Assessment Manager tasks and permissions
About Open Checklist Interactive Language (OCIL) documents
About customizing the CCS Assessment Manager Web client UI
About CCS Assessment Manager email templates
Using the CCS Assessment Manager License Management utility
Logging out of the CCS Assessment Manager Web portal
About the Answer Templates
About severity calculation for answers in a CCS Assessment Manager

questionnaire
About the Weight Wizard tasks
About providing supporting documents for your response
About CCS Assessment Manager logs
Configuration parameters in CCS Assessment Manager
86
General concepts and tasks in CCS Assessment Manager


The permissions that you have to perform various operations in CCS Assessment
Manager depends on your user role.
Table 4-1 lists the CCS Assessment Manager tasks and the user roles that have
the required permissions to perform the tasks.
Table 4-1
CCS AM tasks and the role-based access levels
Tasks
Administrators
Power Users
Attesters
View
questionnaires
Create
questionnaires
Edit questionnaires Y
Delete
questionnaires
Review
questionnaires
Publish
questionnaires
Create assessments Y
Delegate
assessments
Accept/decline
assessments
Respond to
assessments
Review responses
Create reports
Purge evidence by
date
Clear log files
Clear temporary
files

About Open Checklist Interactive Language (OCIL) documents
Table 4-1
CCS AM tasks and the role-based access levels (continued)
Tasks
Administrators
Power Users
Attesters
Add prerequisite
documents to an
assessment
Edit CCS
Assessment
Manager settings
Install content
packs
About Open Checklist Interactive Language (OCIL)

documents
The Open Checklist Interactive Language (OCIL) defines a standard format to
publish a set of questions that you circulate among the target users. OCIL also
specifies the procedures to interpret the user responses. OCIL provides a
standardized approach to express and evaluate non-automated security checks,
so that the security policies of your organization are not exposed to vulnerabilities.
OCIL provides you with a well-defined and structure standard to represent the
manual security checks that you want to implement across your organization.
CCS Assessment Manager 11.0 lets you create questionnaires that are based on
the schema that OCIL v2.0 specifies. You can also import questionnaires that
follow the OCIL format and customize them to suit your organizational
requirements. If you have XMLQ files that belong to CCS Assessment Manager
10.5 or earlier, the XMLQ files are converted to OCIL when you import the
questionnaires into CCS Assessment Manager 11.0.
The following list includes the features that the OCIL format supports:
Ability to define questions that are supported.

The types of questions that OCIL supports are as follows:
Boolean
Choice
Numeric
String
87
88

The ability to define the possible answers to a question that an end user can
choose from.
The ability to define the possible actions that an organization can take on the
basis of an end user's response.
The ability to enumerate the result set.
For more information, refer to http://scap.nist.gov/specifications/ocil/
About customizing the CCS Assessment Manager Web

client UI
You can customize the user interface of the CCS Assessment Manager Web client
to reflect your organization's branding. Use the Settings page on the CCS
Assessment Manager Web client to configure the user interface display settings.
You can customize the following on the Web client:
The header logo, which displays on the left-hand top corner of each page.
For the header logo, Symantec recommends that you use an image file that is
on a transparent background with 233x41 in pixels at 72 DPI.
The favorite icon, which displays on your browser tab.

For the favorite icon, CCS Assessment Manager supports only the .ico format.
The image file size must be 16x16 in pixels at 72 DPI.
The footer information, which displays at the bottom of each page.

The footer information can contain up to 75 characters.
The Home page message, which displays at the top of the CCS Assessment
Manager Web client Home page.
The Home page message can contain up to 1024 characters. You can enter the
Home page message in any of the following languages:
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean

For the header logo and the Home page background image, CCS Assessment
Manager supports the following image file formats:
.png
. jpg
.bmp
.gif
.tiff
For the Home page background image, Symantec recommends that you use an
image file that contains a neutral background color. The image file size must be
within the range of 964x300 to 1600x1200 pixels at 72 DPI.
See Customizing the CCS Assessment Manager Web client user interface
on page 89.
Customizing the CCS Assessment Manager Web client user interface

You can customize the user interface of the CCS Assessment Manager Web client
to reflect your organization's branding. Use the Settings page on the CCS
Assessment Manager Web portal to configure the user interface display settings.
When you configure the Home page background image, make sure that the graphic
element that contains your organization's branding is in the top left corner. The
graphic must not exceed 250 pixels in width and 210 pixels in height. Symantec
recommends that you select pale texture or pattern for your background image.
The below image explains the dimensions that you must use for the Home page
background image.
Coordinate 1 refers to the position of the graphic element that contains your
organization's branding.
Coordinate 2 refers to the background pattern of the image, which should
preferably merge into white.
89
90

To customize the CCS Assessment Manager Web client user interface
Launch the CCS Assessment Manager Web client and then go to Settings >
General.
In the Header Logo section, click Add and then navigate to the location where
you have the image saved.
The Header Logo list can contain multiple images. Click Remove if you want
to remove an entry from the list.
After you add the header logo, the specified logo is displayed at the top of the
assessment pages.
If you select {No branding header file}, then the header logo is removed from
the Web portal.
In the Favorite Icon section, click Add and then navigate to the location
where you have the image saved.
The Favorite Icon list can contain multiple images. Click Remove if you want
to remove an entry from the list.
After you add the image for the favorite icon, the icon is displayed for the
assessments in your browser's Favorites list.
If you select {No favicon file}, then the favorite icon is removed from the Web
portal.
In the Footer Information section, enter the copyright information of your

organization.
The footer information can contain up to 75 characters.
After you add the text for the footer, the footer section is displayed at the
bottom of your assessment pages.
In the Home Page Message section, enter the message that you to be displayed
on the Web client Home page.
The Home page message can contain up to 1024 characters.
After you add the text for the Home page message, the end users can see the
Welcome message on the Web client Home page.

In the Home Page Background Image section, click Add and then navigate
to the location where you have the image saved.
The Home Page Background Image list can contain multiple images. Click
Remove if you want to remove an entry from the list.
After you add the background image, the image is displayed as the background
for the Web client.
Click Save to apply the configured settings to the CCS Assessment Manager
Web client. Else, click Discard Changes if you do not want to apply the changes
that you configured.
See About customizing the CCS Assessment Manager Web client UI on page 88.

In CCS Assessment Manager, you can configure the email notifications to be sent
to the users on the following events:
When a CCS Assessment Manager administrator assigns or reassigns an

assessment to a CCS Assessment Manager user.
When a CCS Assessment Manager user declines to take an assessment.
When a CCS Assessment Manager user declines to take an assessment and the
administrator accepts the declination.
When a CCS Assessment Manager user declines to take an assessment and the
administrator rejects the declination.
The email notifications use a templated format, which is specified in the CCS
Assessment Manager email templates. The templates are installed on the CCS
Assessment Manager server.
The following default email templates get stored during the installation of CCS
Assessment Manager:
AMAcceptDeclineRequestTemplate
AMAcceptResponseEmailTemplate
AMDeclineRequestTemplate
AMInvitationEmailTemplate
AMRejectDeclineRequestTemplate
AMRejectResponseEmailTemplate
AMReminderEmailTemplate
91
92

CCS Assessment Manager contains plain text and HTML templates. During the
product installation, if you select Microsoft Exchange as your mail server, then
the email notifications use the plain text templates. If you select SMTP, then the
email notifications use the HTML templates. If you want to use images or videos
in the notification mails, then you must use the HTML templates.
Following are the various default templates that are available with CCS Assessment
Manager:
AMAcceptDeclineRequestSubjectTemplate Contains the subject that is used for email
notifications for assessment acceptance or
declination requests. This template uses the
mail body text as specified in the
AMAcceptDeclineRequestTemplate.
AMAcceptResponseEmailSubjectTemplate
Contains the subject that is used for email

notifications when the administrator accepts
an assessment response. This template uses
the mail body text as specified in the
AMAcceptResponseEmailTemplate.
AMDeclineRequestSubjectTemplate

notifications when the administrator
declines an assessment response. This
template uses the mail body text as specified
in the AMDeclineRequestTemplate.
AMInvitationEmailSubjectTemplate

notifications when the administrator assigns
an assessment to an attester. This template
uses the mail body text as specified in the
AMInvitationEmailTemplate.
AMRejectDeclineRequestSubjectTemplate

notifications when the administrator rejects
an assessment declination request from an
attester. This template uses the mail body
text as specified in the
AMRejectDeclineRequestTemplate.
AMRejectResponseEmailSubjectTemplate

notifications when the administrator resends
the assessment to an attester. This template
uses the mail body text as specified in the
AMRejectResponseEmailTemplate.

AMReminderEmailSubjectTemplate
Contains the subject that is used for

assessment reminders. This template uses
the mail body text as specified in the
AMReminderEmailTemplate.
You can find the predefined templates at the following location:

<install directory>\Symantec\CCS Assessment Manager\CCS Assessment Manager
Server\Application Server\Templates\Email
You can also create custom templates by creating a copy of a default template.
Alternatively, you can make the required modifications in a default template
itself. You must save the custom templates and the default templates at the same
location.
You can create custom templates in any of the following languages:
English
German
French
Spanish
Italian
Simplified Chinese
Japanese
Korean
When you create an assessment, in the Assessment Options panel, you can specify
whether you want to use a default template or a custom template. Only an
administrator has the permissions to select the email notification templates.
Note: You must have the email server configured during the CCS Assessment
Manager installation to send or receive email notifications.
Creating custom email templates

You can create custom template to send emails in languages other than English
or to change the format of the email notification.
93
94

Using the CCS Assessment Manager License Management utility
To create a custom template
Locate the following folder on the computer where the CCS AM Server is
installed:
<install directory>\Symantec\CCS Assessment Manager\CCS Assessment
Manager Server\Application Server\Templates\Email
Only the default folder that contains the English templates is located in the
Email folder.
Create a new folder for the required language.
Copy all the contents of the Default folder to the new folder.
Edit the contents of the files in the copied folder for the required language
or format.
Note: Only the contents of the files must be changed. Keep the file names
unchanged.
Once the custom template is created for a specific language or format, then that
template is visible in the Assessment Creation Wizard along with the default
template.
You can then choose to create an email notification to send emails to the end user
in the default template or the custom template in other language.
Follow the same procedure to create templates for different formats or for other
supported languages.
Using the CCS Assessment Manager License

Management utility
You require valid licenses to use all the features of CCS Assessment Manager. In
case your CCS Assessment Manager licenses expire, you can procure new licenses
and add the licenses by using the CCS Assessment Manager License Management
utility.
You can launch the license utility from the following location:
<install dir>\Symantec\CCS Assessment Manager\CCS Assessment Manager
Server\Application Server\RAMLicenseManagement.exe
Alternatively, on the Windows taskbar, click Start > All Programs > Symantec
Corporation > CCS Assessment Manager > CCS Assessment Manager License
Utility.

Logging out of the CCS Assessment Manager Web portal
You must have the CCS Assessment Manager licenses stored in a local folder or
a shared network drive.
The license utility installs the following licenses:
CCS Assessment Manager Base license
Required to install the CCS Assessment

Manager server.
CCS Assessment Manager Base Maintenance Required to install the CCS Assessment
license
Manager server and CCS Assessment
Manager content.
CCS Assessment Manager User license
Required to distribute assessments among

the attesters.
RAM ISO Questionnaire license
Required to install the ISO content.
To use the CCS Assessment Manager License Management utility
Go to the mentioned location and double-click RAMLicenseUtility.exe.
In the CCS Assessment Management License Management dialog box, click

Add Licenses.
Navigate to the location where you have the licenses stored and select the
.slf file that contains the CCS Assessment Manager licenses.
You can now use the CCS Assessment Manager functionalities.
Logging out of the CCS Assessment Manager Web

portal
You must log out from the CCS Assessment Manager Admin Web client as well
as the Attester Web client to secure your Assessment Manager data. After you
log out, you must close all the active windows with the CCS Assessment Manager
sessions to ensure a secure logout.
To log back in, use the respective URL's.
Note: You may use https if the protocol is enabled on IIS server. Also, if the http
or https protocol is configured to use other than the default port number, you
must specify the port number.
By default, the Web address uses the Fully Qualified Domain Name of the CCS
Assessment Manager server. However, if you manually change the IIS settings
for the Host name and site bindings, then the Web portal uses the address that
95
96

you have specified. You must restart the CCS Assessment Manager Service if you
modify the IIS settings.
To log out of the CCS Assessment Manager Admin Web client
In the CCS Assessment Manager Admin Web client Home page, click Logout.
The Logout link is present at the top right-hand corner of the Home page.

You can add a predefined list of answers to one or more single-choice questions
by using the answer templates. You can either use the pre-defined answer
templates or customize the pre-defined answer templates before you use.
See Adding a template on page 34.
About severity calculation for answers in a CCS

Assessment Manager questionnaire
The CCS Assessment Manager administrator, who creates a questionnaire can
configure the severity for the answers of a Boolean or Choice question.
The maximum severity for the answers in a questionnaire is the numeric value
that is defined by using the Weight Wizard during the questionnaire creation.
This severity value is common for all the questions in a questionnaire.
Following is the formula that CCS Assessment Manager uses for the severity
calculation of a question:
Normalized severity of a question= Min ((Answer severity / Max of answer severity
for questionnaire) * 10, 10)
Consider the following example:
Questionnaire Q1 contains three questions, where the maximum selected severity
for the questions is five. The severity values for the user responses are as follows:
Question1 - Severity 3
Table 4-2 displays how the severity calculation is done:

About severity calculation for answers in a CCS Assessment Manager questionnaire
Table 4-2
Severity calculation for questions
Question
Calculation
Normalized severity
Question1
3/5 * 10
Question2
4/5 * 10
Question3
5/5 * 10
10
In case of a questionnaire group, the answer severity is calculated for all the
questions including the sub-groups.
Consider the following example:
Questionnaire Q1 contains the group G1, which contains question Question1 and
a sub-group G2. The sub-group G2 contains Question2 and Question3. The
maximum selected severity for the questions is four.
The severity values for the user responses for the questions in G1 and G2 are as
follows:
Question1 in G1 - Severity 2
CCS Assessment Manager uses the following formula to calculate the severity for
the questions in G1:
Min (AVG (answer severity for Question1 + answer severity for Question2 + answer
severity for Question3), 10)
Table 4-3 displays the severity calculation for the questions in G1 in the
questionnaire Q1:
Table 4-3
Severity Calculation for answers in a questionnaire group
Group
Calculation
Normalized severity
G1
(2+3+4)/3
CCS Assessment Manager uses the following formula to calculate the severity for
the questions in G2:
Min (AVG (answer severity for Question2 + answer severity for Question3), 10)
Table 4-4 displays the severity calculation for the questions in G2 in the
questionnaire Q1:
97
98

Table 4-4
Severity Calculation for answers in a nested questionnaire group
Group
Calculation
Normalized severity
G2
(3+4)/2
3.5

You can perform the following tasks with the Weight Wizard:
Modify the severity of an answer.

See Modifying the custom scale of an answer on page 100.
Replace a weight.
See Replacing a weight on page 100.
Load a profile
Save a profile.
Clear the assigned weights
Customize the weight definitions.

See Customizing the custom scale definitions on page 101.
About adding a custom scale to a CCS Assessment Manager assessment

You can add a scale format to an assessment by using the Weight Wizard. The
CCS Assessment Manager (CCS Assessment Manager) uses a scale of one or zero.
A correct response receives a one weight value. The other answers are considered
incorrect and receive a zero weight value. CCS Assessment Manager lets you add
a rating or a weight to your questions, answers, or both. You use the Weight Wizard
tool to customize the weights that are used in your scale. You can disable the
weights of a question, if necessary.
Only boolean and choice questions can have a different weight applied. If you add
a custom scale to a choice question, the Report Wizard reports the answer with
the highest value. Text or memo questions are always disabled and have a weight
value of zero. All user-defined questions are disabled and have a weight of zero,
by default.
If the answers for a boolean question have no relative relationship to one another,
then you must use the default scale of one and zero. A report would report the
frequency of each answer. For a custom scale, you want each answer to represent
a standard interval from one another.
In a custom scale assessment, questions receive different weight values. When
you create a question, you assign a weight to the question or assign a weight to

the answers. You estimate the weight values used in the custom scale. You should
use the standards and best practices of your organization as a guide when you
assign the weights. The results are displayed when the reports are available in
the Admin portal.
To use the quizzing tool, you must assign a weight for each answer.
Note: For the imported OCIL questionnaires, the severity for the correct answer
of a boolean or choice question is minimal (severity 3).
Question scale settings
Table 4-5
Weight
Name
Weight
Value
Description
Disabled
Question not weighted
Low
Low priority or non-urgent control
Medium
Mid-priority control
High
High priority control
Highest
Top priority of the organization
You can assign a different weight to each answer. You can have only one correct
answer, but you can give partial points for other answers. All user-defined answers
are disabled and have a weight value of zero, by default.
You can modify the weight of an answer using the Weight Wizard. You can increase
or decrease the weight to reflect your organization's standards. You can disable
the weight of an answer. The Report Wizard ranks results by the weight value.
Answer scale settings
Table 4-6
Weight
Name
Weight
Value
Description
Disabled
Severity value not used
Minimal
Low exposure, but continue monitoring
Moderate
Moderate exposure, investigate further
Severe
Significant exposure, assign corrective action
Very Severe 4
Vulnerable, take immediate action
99
100

Answer scale settings (continued)
Table 4-6
Weight
Name
Weight
Value
Description
Extreme
Highly vulnerable, possible loss of important infrastructure

with recovery questionable
Modifying the custom scale of an answer

You assign the custom scale of an answer. For any question, you can select a
different scale for each answer. You can increase or decrease the severity to reflect
your organization's standards. You can disable the severity of an answer to give
the answer no value. You see the results when the reports are available in the CCS
Assessment Manager Admin portal.
If you use the quizzing feature, you must assign a minimal value to the correct
answer. The minimal value returns a score that passes. A value that is greater
than the minimal value should be assigned to any incorrect answer.
To modify the severity of an answer
Select a question and right-click.
In the submenu, select Tools > Weight Wizard.
In the Weight Wizard lower area, move the slider to increase or decrease the
severity.
Click Apply.
Replacing a weight
The Quick Replace tool searches either the questions or the answers. You can
filter the search by the current weight value or a text string, or an object type.
You can modify the search options. You can modify the result to remove objects.
You can assign a new weight for every selected object.
You can use the following search options:
Partial Match
Full Match
To replace a weight
In the Weight Wizard, click Quick Replace.
Select the object type and search options.

About providing supporting documents for your response
In the Assign New Weight drop-down box, select a new weight.
Click Apply.
Customizing the custom scale definitions

The Define Weights tab lets you customize the weight labels and the associated
colors. You can change the label or name for any category. You can change the
background colors for any severity definition. A weight value has a text color. You
can change the text color. You can change the value definitions. The changes
affect only the current assessment.
We recommend that you always label the lowest value as disabled.
To customize the weight definitions
In the Define Weights area, select a row.
Type a name in the Weight Name box.
In the Weight Color box, select a color.
In the Text Color box, select a color.
In the Description box, type a description.
Click on the Assign Weights tab. In the Weight Definitions message box,
click Yes.
About providing supporting documents for your

response
When you respond to a questionnaire, you can attach files and URLs as that serve
as evidences to the response that you provide. You can attach image files, videos,
and documents as evidence. If you have multiple files, you can compress the files
into a .zip file and then attach. When you add URLs for external Web sites, the
number of URLs that you provide must not exceed 50. In total, you can attach up
to 25 files; however, the total file size must not exceed 8 MB.
The following types of image and video files are supported:
.bmp
.gif
.jpg
.png
.raw
101
102

tif
.tiff
wav
The following types of document files are supported:
.csv
.doc
docx
.log
.pdf
.ppt
.ptx
.rpt
.txt
.xml
.xls
.xlsx
.zip
Note: Attachments in executable format or .zip files that contains executable
files are not supported.

The CCS Assessment Manager logs let you have a better understanding of the
events that occur when you use the product.
Following is the base location for all CCS Assessment Manager logs:
%allusersprofile%\Symantec.CSM\Logs\CCSAMConsole
Table 4-7 lists the locations where you can find the logs for the various CCS
Assessment Manager components:

Table 4-7
CCS Assessment Manager components and their log locations
CCS Assessment Manager components Log location

CCS Assessment Manager server
<base location>\CCSAMServer.<datetime
stamp>
CCS Assessment Manager client
<base location>\CCSAMConsole.<datetime
stamp>
CCS Assessment Manager installer
<base
location>\Installs\CCSAMInstallerLog.<datetime
stamp>
CCS Assessment Manager Web client
<base
location>\CCSAMWebPortal.<datetime
stamp>
Table 4-8 lists the CCS Assessment Manager LogLevels and their descriptions:
Table 4-8
CCS Assessment Manager LogLevels and their descriptions
LogLevel
Description
ERROR
Logs only error messages.
EXCEPTION
Logs only exception messages.
WARNING
Logs onlywarningmessages.
INFO
Logs only information messages.
TRACE
Logs only trace information.
ERROR and Exception
Logs error and exception messages.
ERROR, Exception, and Warning
Logs error, exception, and warning

messages.
INFO,WARNING, and ERROR
Logs info, warning, and error messages.
Configuration parameters in CCS Assessment

Manager
You use the following two .config files to configure various parameters in CCS
Assessment Manager:
RAMServer.exe.config
103
104

Web.config
The RAMServer.exe.config file is present at the following location:

Server\Application Server
Table 4-9 includes information on the various parameters that you can configure
by using the RAMServer.exe.config file.
Table 4-9
Parameters that you can configure in the RAMServer.exe.config file
Parameter
Usage
<Add key="MaxImageFileSizeInMB"
value="<enter value here>" />
Enter the value in MB for the maximum size

of files for image attachments. The default
value is 1 MB.
This parameter is applicable for the images
that an administrator inserts in a question
during questionnaire creation.
<Add key="MaxVideoFileSizeInMB"

of files for video attachments. The default
value is 10 MB.
This parameter is applicable for the videos
that an administrator inserts in a question
during questionnaire creation.
<add key="EmailServiceType" value="<enter Enter the value to specify whether you want
value here>" />
to configure SMTP or Exchange profile to
send email notifications.
<add key="EmailServiceInfo" value="<enter Enter the SMTP server information that you
value here>" />
want to use for the email notifications.
Specify the SMTP server name if you have
configured SMTP. Specify the Exchange
profile if you have configured Exchange.
Note: The Exchange profile must be

configured in context of the CCS AM service
user.
<add key="SMTPServerPort" value="<enter Enter the port number that you want to
value here>" />
configure for SMTP. You do not have to
specify any value if you have configured
Exchange.

Table 4-9
Parameters that you can configure in the RAMServer.exe.config file

(continued)
Parameter
Usage
<add key="EmailFromAddress"
value="<enter email address>" />
Enter the email ID that you want to use to

send out the email notifications. This
parameter is used only if you have
configured SMTP.
<add key="MaxAllowedAttester"
Enter the maximum number of users that

an attester can select to delegate an
assessment. The default value is 50.
Note: You must change the default value in

the RAMServer.exe.config and the
Web.config files if you want to assign the
assessment to more than 50 attesters.
The Web.config file is present at the following location:

Server\webclient
Table 4-10 includes information on the various parameters that you can configure
by using the web.config file.
Table 4-10
Parameters that you can configure in the Web.config file
Parameter
Usage
<add key="MaxFileSizeKB" value="<enter

value here>" />

of files that an attester can attach as
supporting document while responding to
an assessment. The default value is 20 MB.
<add key="MaxURLCount" value="<enter

value here>" />
Enter the value for the maximum number of

URLs that an attester can attach as
supporting evidence while responding to an
<add key="MaxFileAttachment"

attachments that an attester can add as
supporting evidence while responding to an
105
106

Table 4-10
Parameters that you can configure in the Web.config file (continued)
Parameter
Usage
<add key="AttachmentExtSupport" value= Specify the attachment formats that an

"bmp,csv,doc,docx,gif,jpg,log,pdf,png,ppt, attester can attach while responding to an
pptx,raw,rpt,tif,tiff,txt,wav,xml,xls,xlsx,zip" assessment.
/>
<add key="PrerequisiteExtSupport" value= Specify the attachment formats for the
"bmp,csv,doc,docx,gif,jpg,log,pdf,png,ppt, prerequisite documents that an attester can
pptx,raw,rpt,tif,tiff,txt,wav,xml,xls,xlsx,zip, add while responding to an assessment.
wmv,avi,flv,mov,mpg,3gp,asf,swf" />
<add key="MaxPrerequisiteSizeKB"
Enter the value for the maximum size of files

for prerequisites that an administrator can
add during assessment creation. The default
value is 200 MB.
To modify the value of this parameter refer
to step 6 of the Creating a user assessment
topic.
<add key="MaxPrerequisiteCount"

prerequisites that an administrator can add
during assessment creation. The default
value is 10.
<add
key="NoOfDaysBeforeReachingDueDate"
Enter the value in days, within which you

want the assessments that are reaching the
due date to display on CCS AM Web portal
home page. The default value is 7 days.
<add key="NoOfDaysBeforeLastAccess"
Enter the value in days, within which you

want the assessments that were last accessed
to display on CCS AM Web portal home page.
The default value is 7 days.
<add
key="HomePageConfigImageExtSupport"
value="bmp,gif,jpg,png" />
Specify the attachment formats that are

allowed for the CCS AM Web portal home
page images.
<add
Enter the value for the maximum size of
key="MaxHomePageConfigImageFileSizeKB" images that you want to specify for the CCS
AM Web portal home page images. The
default value is 50 MB.

Table 4-10
Parameters that you can configure in the Web.config file (continued)
Parameter
Usage
<add key="DaysAfterDueDate"
Enter the value that you want to specify for

the number of days after the due date when
an assessment expires and moves to the Past
Assessments category. The default value is
90 days after the due date of an assessment.
<add key="MaxAllowedAttester"
Enter the maximum number of users that

an attester can select to delegate an
Note: You must change the default value in

the RAMServer.exe.config and the
Web.config files if you want to assign the
assessment to more than 50 attesters.
Settings to launch the CCS AM Web portal links from the CCS Web
Console
The trusted host configuration must be set up to allow the CCS web console to
launch the CCS AM web portals.
You can configure trusted hosts from the "trustedHosts" section in the web.config
file. Following is the path to the web.config file:
<install dir>\CCS Assessment Manager Server\webclient\web.config
The trustedHosts section contains the following parameters:
Host name - Host name of the machine where the CCS web portal is installed.
The host name field is auto-populated.
FQDN - Fully qualified domain name of the machine where the CCS web portal
is installed.
The FQDN field is auto-populated.
IP address - List of IP addresses of the machine where the CCS web portal is
installed. This is an optional field.
The IP addresses must be added manually. One or more IP addresses can be
specified.
If the IP address changes then the IP address in the trusted Hosts configuration
must be updated manually.
Following is the structure of the trusted Hosts configuration:

<trustedHosts>
107
108

<host name="<host name>" fqdn="<fqdn>">

<ipAddress value="<IP address 1>"/>
<ipAddress value="<IP address 2>"/>
</host>
</trustedHosts>
The trusted host configuration is auto-populated when the CCS settings are
configured from the Tools > Settings window in the thick console of CCS AM.
For the auto-population of the configuration, the user who is setting the
configuration must be a CCS Administrator and must be a CCS AM Administrator
or a CCS AM Power-User. In case the trusted Hosts configuration section is not
visible in the web.config file then the trustedHosts configuration must be added
manually.
To populate the settings manually in the web.config file, add the structure of the
trusted Hosts configuration, mentioned earlier, to the <configuration> node in
the web.config file. Add the section after the <configsections> node and provide
the required values.
Chapter
CCS Assessment Manager

and Symantec Control
Compliance Suite
integration
About Control Compliance Suite
About the Control Compliance Suite and the CCS Assessment Manager
integration
How CCS AM data is consumed in Control Compliance Suite
About Control Compliance Suite

Control Compliance Suite automates key IT governance processes. Control
Compliance Suite ensures coverage of external mandates through written policy
creation, dissemination, track acceptance, and exception management. Control
Compliance Suite demonstrates compliance to both the external and the internal
policies by automating the assessment of technical and procedural controls. In
turn, Control Compliance Suite evaluates this assessment against risk criteria.
Evidence of compliance can be gathered without the use of an installed software
agent on configurations, permissions, patches, vulnerabilities, and manual
attestation of procedural activities. Control Compliance Suite also helps to fix
deviations from the standards that enable immediate corrective actions or triggers
to third-party response workflow systems.
110
CCS Assessment Manager and Symantec Control Compliance Suite integration

About the Control Compliance Suite and the CCS Assessment Manager integration
Control Compliance Suite helps enterprises to implement, measure, and maintain

compliance with security configuration standards. Control Compliance Suite
provides precise reports about where your organization does or does not comply
with internal technical standards and industry regulations. Control Compliance
Suite offers a specific-purpose query capability as well as entitlement reports and
the specific steps to address noncompliant servers or workstations.
About the Control Compliance Suite and the CCS

Assessment Manager integration
The Control Compliance Suite (CCS) and the CCS Assessment Manager (CCS
Assessment Manager) together give you a holistic picture of your organization's
compliance posture. Whereas CCS lets you execute the technical checks, CCS
Assessment Manager takes it one step forward by letting you execute the manual
checks with the help of the questionnaires.
The CCS user account that creates the data connection must be a part of
RAM_administrators or RAM_Powerusers group in CCS_AM and must have view
permissions to the following:
CCS Assessment Manager database view
RAM.CCSEvidence
RAM.CCSEvidenceLast7Days
The CCS AM Service user must have Assets Viewer permission on the asset system.
The Control Compliance Suite and the CCS Assessment Manager integration
provides a comprehensive framework that let you achieve do the following:
Lower the cost of risk and compliance posture assessment.
Define, review, and disseminate written policies to end-users as mapped to

specific, measurable controls.
Produce evidence for policy compliance and regulatory compliance.
Pull in the CCS Assessment Manager asset compliance data and represent the
data with the help of reports and dashboards.
Simplify the remediation process.
Integrate the compliance process with the existing CCS asset management
systems.

Note: You must configure the CCS settings by using the CCS Assessment Manager
console before you go ahead with the data integration.
Suite on page 113.
How CCS AM data is consumed in Control Compliance

Suite
This section contains detailed information about how the CCS Assessment Manager
data is consumed for policy and mandate compliance, and risk score in CCS.
Note: You must have Control Compliance Suite 11.0 with Product Update 2013-2
(11.0.10300) installed if you want to leverage CCS Reporting and Analytics for
CCS Assessment Manager evidence.
Let us take the following two use cases to understand the workflow:
Using CCS AM data for policy and mandate compliance
Using CCS AM data for risk score calculation
Using the CCS AM data to view in CCS panels
Perform the following steps to use to CCS AM data for policy and mandate
compliance
Configure the CCS settings by using the CCS AM console.

Suite on page 113.
Create and publish a CCS Assessment Manager questionnaire.

Map the CCS AM questionnaire and the policy controls in Controls Studio.
See Mapping CCS AM questionnaires to control statements on page 114.
Create CCS Assessment Manager assessments and assign the assessments to

the attesters.
111
112

Collect assessment response from the attesters

Configure the external data systems
Import the CCS Assessment Manager data into CCS by using an ODBC data
connector.
Run the reporting sync job and the global metrics job.
Use the CCS dashboards to represent the CCS Assessment Manager data.
Note: You can launch the CCS Web portal from the CCS Assessment Manager
Admin Web portal Reports tab by clicking the Go to the CCS dashboards link.
10 View the CCS Assessment Manager evidence from CCS Web portal.
You must have CCS AM Administrator privileges to be able to launch the
evidence link.
Perform the following steps to use to CCS AM data for risk score calculation
Define a security objective.
Map the CCS AM questionnaire and the policy controls in Controls Studio.
See Mapping CCS AM questionnaires to control statements on page 114.
Note: To be able to create mappings, the CCS service user must be a member
of the RAM_Administrators group or the RAM_PowerUsers group.

the attesters.

connector.

Use the Risk Dashboard to see the risk score calculation for the CCS
Assessment Manager data.
See About severity calculation for answers in a CCS Assessment Manager
questionnaire on page 96.
Perform the following steps to use to CCS AM data to view in CCS panels
Configure the CCS settings by using the CCS AM console.

Suite on page 113.
Create and publish a CCS Assessment Manager questionnaire.


the attesters.

connector.
Use the CCS panels to view the CCS Assessment Manager data.
Configuring CCS Assessment Manager to connect to Control

Compliance Suite
You can configure the CCS Assessment Manager (CCS Assessment Manager) to
connect to the Control Compliance Suite (CCS) if CCS is present in the environment.
You must have the CCS Assessment Manager Server installed.
To configure CCS Assessment Manager to connect to Control Compliance Suite
In the CCS Assessment Manager console, navigate to Tools > CCS Assessment
Manager Server Tools > Settings.
In the Settings dialog box, check CCS present in the environment.
113
114

Provide the application server name.
Provide the application server port number.
Provide the user name.
Provide the User Principal Name (UPN) of the user in whose context the
application server service is running. For example, user@domain.com.
The Admin Portal URL text box displays the default link for the Admin Web
portal. If you make changes to the IIS settings, click Refresh to get the updated
URL.
Click OK.
Mapping CCS AM questionnaires to control statements

You map the CCS Assessment Manager questionnaires to the controls by using
the CCS Controls Studio.
To map CCS AM questionnaires
In the Control Compliance Suite console, go to Manage > Content to launch

the CCS Controls Studio.
In the left-hand pane, click Assessment Manager Evidence.
In the Assessment Manager Evidence pane, right-click and then select

Connect.
Provide the CCS Assessment Manager Server name and port number to
connect.
Expand the questionnaire group from the Assessment Manager Evidence

pane and select the questions that you want to map.
In the Statment Mappings page, from the Available Statements section,

select the control statements and drop them into the Mapped Statements
section.
Importing CCS Assessment Manager data using an ODBC connector

Use the ODBC data connection to import data from CCS Assessment Manager.
To configure an ODBC data connection
In the CCS console, go to Manage > External Data Integration.
From the External Data Systems list, select the CCS Assessment Manager
data system and then do one of the following:
From the taskbar, select System Tasks > Add Data Connection.

Right-click the data system and then select Add Data Connection.
In the Specify Data Connection Parameters panel, do the following and then
click Next:
Connection name
Enter the name of the CCS Assessment Manager

data connection.
Data import site
Select a site to route the job to the CCS Managers

that are present in it.
The following fields are displayed when you select ODBC from the Connection
type drop-down list:
Data location
Select an existing data location or select New to

create a new data location for the data connection.
In the Add Data Location dialog box, do the
following and then click OK:
In the Name text box, enter a name for the CCS
AM database location.
After you add a data location, you can view the
data location in the Settings > General > System
Configuration > Data Locations pane.
In the Description text box, enter a brief
description on the CCS AM database location.
To enter the connection string, click the browse
button (...) to launch the Data Link Properties
dialog box.
On the Provider tab, select Microsoft OLE
DB Provider for SQL Server and then click
Next.
On the Connection tab, provide the CCS AM
server name and the credentials, and then
click OK.
Query type
Select the table or view name that you want to use

for data import.
115
116

Table/View/SQL command
For table ro view name, enter RAM.CCSEvidence.

You may also specify an SQL command to import
data.
You can fetch CCS AM data by using any of the
following views:
You may configure the EDI job to execute
everyday.
You may configure the EDI job to execute twice
a month.
You may configure the EDI job to execute every
month.
Once the configuration is complete, execute the the

EDI job based on the selected view.
Note: In the CCS AM data, if any column name

contains special characters, specify the SQL
command with escaped column names.
In the Select Data Fields panel, select the data fields that you want to include
when you import the CCS AM data and then click Next.
You must select minimum two fields to import data.
In the Data Import Schedule panel, select one of the following schedule
options and then click Next:
Run now
Select this option to run the job immediately after you click Finish.
Run periodically
Select this option to run the job on a specified date and time.
Provide the following information:
Start on
Run once
Run every <number of days>
In the Email Notification panel, check Send Notification if you want to send
a notification upon the success or failure of the data import execution. Both
the tabs in the Email Notification panel contain the same options. Enter the
following information and then click Next:

Subject
Message
From (Email ID)
To (Email IDs)
In the Summary panel, view the summary and then click Finish.
Viewing the CCS AM compliance data in CCS dashboards and reports

CCS provides Mandate and Policy dashboards and reports to view asset compliance
data from CCS AM.
You can use the Mandate dashboard in CCS to view a graphical representation
of the asset compliance for Mandates, for example: HIPAA.
Detailed textual representation of the Mandate can be viewed from Mandate
based reports.
You can use the Policy dashboard to view a graphical representation of the
asset compliance for Policy, for example: Your Organization's IT Security
Policy.
Detailed textual representation of the Policies can be viewed from Policy based
reports.
The dashboards displays asset based evidence from the CCS AM attester responses.
You can view the following evidence data for each asset.
Attester name
Attester response
Link to the attester response
You can view the same details in respective reports.

Note: In case the questionnaire group is mapped to the control statements, then
the attester response is not displayed in the dashboards and reports. You can click
on the Link to the attester response to view the details.
117
118

Appendix
Troubleshooting
This appendix includes the following topics:
About troubleshooting the CCS Assessment Manager issues
About troubleshooting the CCS Assessment Manager

issues
This chapter contains information on the general procedures that you can use to
troubleshoot issues in the CCS Assessment Manager.
CCS AM Web portals do not function correctly

Symptom: The CCS AM Web portals do not display the updated data.
This may happen on IIS 7, when the HTTP handler is not in the correct sequence.
Solution: For the CCS AM Web portals to function as expected and to display all
the data correctly, launch the IIS 7 Management snap-in and view the ordered
list of the HTTP handlers for the CCSAM_Web and RA_Webclient sites.
The HTTP handlers must be in the following sequence:
svc-Integrated-4.0
ExtensionlessUrl-Integrated-4.0
Assessment submission takes longer than expected

Symptom: Submission of assessment response takes long and then fails.
This may happen in a scenario wherein you have moved the CCS AM database
from one domain to another. The user account with the db_owner role is still
associated to the previous domain user account and the broker activation for the
120
Troubleshooting
SQL database fails because the previous domain user does not have rights in the
SQL server. Moreover, the current user account cannot be resolved.
Solution: To resolve this issue, execute the following command for the CCS AM
database:
sp_changedbowner <new db_owner username>
Error message is displayed when Admin or End user portal is launched

Symptom: The 'Service Unavailable message is displayed when the Admin portal
or the End user portal is launched.
Solution: Set SPN of the CCS AM server as follows:
SetSpn -a http/hostname "ServiceUser"
SetSpn -a http/fqdnname " ServiceUser "
setspn.exe -a Symantec.CSM.RAMServer/ hostname "ServiceUser"
setspn.exe -a Symantec.CSM.RAMServer/ fqdnname " ServiceUser "
Restart the computer after setting the SPNs.
Unable to view images or videos in thick client

Symptom: Videos or images that are attached to questions are not displyed on
the thick client.
Solution: Perform the following steps
Add a site where the CCS AM server is installed in Local Intranet from the
Internet Options.
Close and re-launch CCS Assessment Manager client .
Make sure the service user is a machine administrator.
Unable to connect to CCS Application server

Symptom: Unable to connect to CCS Application server while creating asset
compliance assessment.
Solution: Make sure that the date/time setting of the CCS Application server and
the CCS AM server is in sync.
Reset IIS and create an assessment again.
Troubleshooting
Access denied error message is displayed

Symptom: An Access denied error message is displayed if the assessment link is
launched from an email.
Solution: The administrator who sent the assessment might have deleted the
assessment. Contact the CCS AM administrator to verify if that assessment is still
available.
Unable to launch CCS AM web portal

Symptom: The CCS AM web portal fails to launch and the following error message
is displayed:
Could not load type 'System.ServiceModel.Activation.HttpModule' from assembly
'System.ServiceModel, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089'
To view the error message in detail set customErrors mode to RemoteOnly. Change
the value of the customErrors mode at the following location:
<installdir>\CCS Assessment Manager Server\webclient\web.config <customErrors
mode ="RemoteOnly" defaultRedirect
="~/Views/Shared/Error.cshtml"></customErrors>
Solution: This error may occur if the IIS is installed after installing .NET
Framework 4, or if the 3.0 version of the WCF Http Activation module is installed
after installing IIS and .NET Framework 4.
To resolve this issue, run the following command line:
aspnet_regiis.exe /iru
The Aspnet_regiis.exe file can be found at the following location:

%windir%\Microsoft.NET\Framework64\v4.0.30319 (on a 64-bit computer)
Refer to the Microsoft website for more information on the corresponding KB
article(2015129).
121
122
Troubleshooting

CCS Assessment Manager User Guide

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CCS Assessment Manager User Guide

Încărcat de

Drepturi de autor:

Formate disponibile

Symantec CCS Assessment

Manager User Guide

Symantec CCS Assessment Manager User Guide

Telephone and/or Web-based support that provides rapid response and

Upgrade assurance that delivers software upgrades

Global support purchased on a regional business hours or 24 hours a day, 7

Premium service offerings that include Account Management Services

Contacting Technical Support

Product release level

Available memory, disk space, and NIC information

Version and patch level

Router, gateway, and IP address information

Error messages and log files

Troubleshooting that was performed before contacting Symantec

Recent software configuration changes and network changes

Licensing and registration

Questions regarding product licensing or serialization

Product registration updates, such as address or name changes

General product information (features, language availability, local dealers)

Latest information about product updates and upgrades

Information about upgrade assurance and support contracts

Information about the Symantec Buying Programs

Advice about Symantec's technical support options

Nontechnical presales questions

Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

Europe, Middle-East, and Africa

North America and Latin America

Technical Support ............................................................................................... 4

Understanding CCS Assessment Manager .................... 11

Business Objectives that you can achieve with CCS

How do you meet your business objectives ................... 27

General concepts and tasks in CCS Assessment

CCS Assessment Manager tasks and permissions ............................... 86

Customizing the CCS Assessment Manager Web client user

CCS Assessment Manager and Symantec Control

Troubleshooting ................................................................. 119

Unable to view images or videos in thick client ..........................

About CCS Assessment Manager

Recommended security practices for CCS Assessment Manager

About the roles and permissions in CCS Assessment Manager

About the CCS Assessment Manager components

About CCS Assessment Manager

Provides creation and import of OCIL-compliant

Understanding CCS Assessment Manager

CCS Assessment Manager is available in the following

Weight capability emphasizes the

Lets you assign weightage to an answer to obtain more

Faster turnaround times

Increases the productivity gains.

Easy import functionality

Facilitates the integration of questionnaires and

Following are the primary features of the CCS Assessment Manager:

Lets you review a questionnaire from the

A comprehensive library provides a matrix

Lets you delegate an assessment to other

Lets you assign specific sections of an

Understanding CCS Assessment Manager

Accept or resend an assessment response

Lets you accept a response or reassign it to

Lets you specify the date and time to assign

Lets you aggregate attester responses before

CCS Assessment Manager has a role-based distribution of user operations. Each