Xylok Documentation
Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  2. /
  3. Analysis
  4. /
  5. Control Rater

Control Rater

Prerequisites

  • Have CIA levels selected for the client
  • Rebuild the CCI Rater
  • Mark CCIs

When to Rebuild

Click the Rebuild button any time:

  • The Client CIA levels or RMF overlays change
  • The CCI Rater is rebuilt
  • Updates are made to the CCI Rater comments, ratings, or review dates

Manually entered comments (see below) will be fully preserved across a rebuild.

After a rebuild, you can filter on the updated date range to location items which were recently changed.

Default Treatment

By default, Controls are treated as compliant if all the underlying CCIs are Compliant or Unreviewed. This is done to allow easier review of the control rating roll up without having completed review of every single CCI.

Beyond that, the status is determined from highest mitigated risk rating of the underlying CCIs. If all underlying CCIs are Not-Applicable, the control will also be not-applicable.

Columns

The columns displayed on the main rater page are non-editable in the rater and instead reflect the statuses/comments set inside the modal (see below) for each rating. By clicking on a rating’s row, these values can be changed. All of the columns except “Definition” are sortable.

Each row can be selected and a modal will appear with the sections described below.

  • Definition: The top of each modal includes the definition of the Control. The “More Info” link at the end will open the Control reference page which includes the definition, related controls and related CCIs.
  • Mitigated Risk: Pulled from the “worst” rating for the underlying CCIs (worst-to-best: Non-Compliant, Not Applicable, Compliant). If all of the underlying CCIs are unreviewed, this will still be marked as Compliant.
  • Comment: By default, a comment will be built from the underling CCIs’ comments. However, a manual comment can be written instead if desired, which will be used in place of the default comment in all reports.
  • Included Data: A table which lists all CCIs associated with the Control for reference.
  • Reviewed Date: Displays the last time this CCI was marked as “Reviewed” as well as a"Mark Reviewed" button. This allows the user to keep track of “reviewing” each CCI in the case that no actual data has changed from the last assessment. This “Reviewed” property gets automatically updated by using the “Save” button as well.

Reports

Security Assessment Report

This report covers the results of an assessment from multiple levels of control review. Tabs of CCI ratings, rolled-up control ratings, top-level controls, and control families are all included. In addition, there are colored risk charts for inclusion in other reports and presentations. Click the “Export SAR” button at the top of the page to download.

gdoc_arrow_left_alt CCI Rater Control Rating Management gdoc_arrow_right_alt