Updated: Isora Lite User Guide

6 min read

What is Isora Lite?

Isora Lite is a free tool for performing security risk assessment on third-party (vendor) products using the HECVAT. In addition to allowing creation of surveys to be submitted to and filled out by the vendors, previously submitted and stored assessments can also be accessed. This allows users to avoid having to repeat assessments which have already been performed by other organizations using Isora Lite.

Who should read this document?

Anyone who wants to assess third-party vendor products using Isora Lite.

Who should not read this document?

Vendors do not need this document. They do not need to access Isora Lite directly; all they need to do is go to the URL which an Isora Lite user sends them, fill out and lock their answers, and optionally acknowledge to complete the assessment.

How to Access Isora Lite

To access Isora Lite, go to https://lite.isora.saltycloud.com .

For members of higher education institutions, your native Single Sign-On (SSO) credentials can be used to access Isora Lite. The first time you log in, a new account will automatically be created for you as a member of your organization with the authority to create and launch assessments. In subsequent logins, you should continue to log in using SSO.

If you do not belong to a higher ed institution, an Isora Lite account will be manually created for you and credentials will be provided by SaltyCloud.

Anytime you want to log out of Isora Lite, simply click the “logout” button in the upper right-hand corner.

Working With Assessments in Isora Lite

Use the Assessment page to create a new vendor assessment or access existing assessments. In Isora Lite, vendor assessments are the only type of assessments you can do. If you were using the full version of Isora GRC, there would be other types of assessments available. Use the tabs to access both open and complete assessments. Open assessments include those that have been created by your organization, but not yet launched (submitted to vendors). As long as an assessment has not yet been launched, you can still edit it. Open assessments also include those that have been launched, but the vendor has not yet completed them. Completed assessments have been filled out, completed by the vendors, and acknowledged by either the vendor or by you.

How-To: Create a New Vendor Assessment

  1. On the assessment page, click the “new assessment” button.
  1. Click the “select a product” link.
  1. Fill in the form, choosing a vertical option from the drop-down list, and click the “select” button.
  1. You are returned to the new assessment entry box. If you realize you made a mistake, you can go back and re-enter the product info using the refresh button in the upper right corner. Fill in the rest of the fields.
  1. Choose an expiration date for the survey. If the vendor does not fill out the survey before it expires, the assessment will disappear from Isora Lite! If you would like extra security, you can specify a password for the vendor to use to access the assessment. However, the URL itself is unique, so you can also think of the URL like a password. If you want other Isora Lite users to be able to see the results of the assessment once it’s completed, check the “allow report to be viewed by other users” checkbox. Then click the “save” button.
  1. On the open assessments tab, you can now see your new assessment (you may need to expand the “Vendor Assessment” heading). If you are ready to submit it to the vendor, you can click the “launch” button. Once an assessment is launched, it cannot be edited.
  1. The page updates to show you a URL for the vendor assessment. You can then copy this URL and share it with the vendor.

    If you click on the “view” button or name of the assessment, you can view the list of questions, in case you actually wanted to fill it out yourself rather than having the vendor fill it out.

Working With Open Assessments

In the open assessments tab, you can see a list of assessments that have been created by your organization but either haven’t been launched yet, or haven’t been completed.

How-To: Edit an Open Assessment

  1. To view open assessments, expand the Vendor Assessment header.

  1. To edit an open (and unlaunched) assessment, click the “edit” button next to the product name.

  1. In the “edit assessment” window, you can make changes as needed. You can even re-enter the product info by using the circle arrow button in the upper right-hand corner. Don’t forget to click “save” when you’re finished.

How-To: Launch an Open Assessment

  1. To submit an assessment for vendor completion, click the “launch” button.

  1. Once launched, you are provided a URL for the vendor to use to fill out the assessment. You can copy and paste this URL to share it with the vendor. If you specified a password for the assessment, make sure you have a way to also share the password with the vendor. If you lose track of the URL, you can always come back into the open assessments tab and find the URL again.

Acknowledging a Vendor Assessment

Once a vendor has filled out all of the questions in an assessment, the assessment is ready to be acknowledged. Usually, the vendor does the acknowledgment, but it’s also possible for the representative from the requesting institution to do it. The assessment isn’t considered complete until it has been acknowledged.

Follow these steps to acknowledge an outstanding vendor assessment:

  1. Navigate to the assessment, either by locating it in the open Vendor Assessments tab or by using the direct URL.
  1. Click the acknowledge button at the top.

The acknowledge button is only visible when all questions have been answered and locked. Once acknowledged, no answers can be changed and the assessment will disappear from the open tab and appear as a report under the complete tab.

If you are a representative of an institution requesting a vendor assessment and you want the opportunity to review (and perhaps question) the answers being provided by the vendor, please instruct them not to acknowledge the survey themselves. For example, maybe they put something as “not applicable” but you think it really is applicable and you want them to answer yes or no. Or maybe you want them to give more details in their explanation. You might want to communicate back and forth a few times with the vendor. Once the “acknowledge” button has been clicked, you wouldn’t be able to change any answers.

Viewing Completed Assessments

In the completed assessments tab, you’ll see a list of assessments that have already been completed by the vendors. This may include shared assessments that were submitted by other organizations. In the listing for each assessment, you can see not only the basic information about the product, but also the name of whatever organization submitted the assessment. It is possible for multiple organizations to assess the same products and share the results.

To see the results of the assessment, click the “view report” button. An example report is shown below.

The report includes comparative information to other vendors in the same vertical that have been assessed with Isora Lite. To view the full survey, including questions and answers, click the “Answer details” link.

Use your web browser’s print feature if you would like to print or save a copy of the report, or use the CSV download button on the Answer details tab.

Interpreting Reports

The overall score on a completed vendor assessment (or report) is based on survey responses. Each question has a preferred answer and some answers may receive partial credit. Some questions have “informational” value and their answers don’t impact the overall score. When you look at the Answer details tab for the report, you can see a breakdown for how the vendor scored in each category of questions, how they answered each question, and how the questions contributed to the overall score. If any supporting documentation was uploaded, you should be able to access that as well.

Questions that had favorable answers will be shown with a green checkmark; those with unfavorable answers have a red cross, and informational questions are shown with in blue with an “i” icon.

In the Summary tab, you can see comparative information with other vendors in the same vertical, including an average for that vertical. This is based on which reports you have access to. So if another user has access to a different set of reports, they might see a different average value reflected here.

Did this answer your question?