Task assurance methods


The chosen assurance method depends on the type of the task itself, but additional assurance can be added to strengthen the overall assurance level of the task. In this article, you can read more about the different assurance methods and how to use them.

General assurance methods

Writing a process description

The process description is an important part of collecting evidence for how a task is being carried out. The field for the process description can be found in the implementation tab of your task card. That space can be used to give more detailed information about how the task is being carried out.

For most of our tasks there is an example process description. Example process descriptions can be adapted to your needs, in order to make them fit your organization's task implementation.

The process description is an important way to collect evidence of how the task is carried out
Example descriptions can be found in most of the tasks

Task Due Date

The due date feature can be used when you want strong reminders for a task. Reminders are sent seven days before the due date, as well as on the actual due date.

A due date can be useful, for example, when you want to make certain improvements before a task can be documented as fully completed.

You can find the due date at the top of the task.

Review cycle for a task

You can increase your confidence that the task information is accurate by enabling a task review. The review can be set to a monthly, quarterly, bi-annual or annual frequency.

The point of task reviews is to request the task owner to confirm that all related information on the task is up-to-date. We recommend enabling a review especially for high priority tasks.

A task-specific periodic review cycle can be enabled

Task-specific assurance methods

Linked documentation

Maintaining related documentation is the main assurance method for some of the organizational tasks in Cyberday. You will see a link to already created documentation items, or you will find e.g. "0 data systems". By clicking the link you will be taken to the documentation list (in this case: data systems).

Examples of organizational themes that require maintaining documentation are asset management, risk management, partner management and incident management.

Read more about documentation in Cyberday here.

Example of a task that has connected documentation items.

Linked reports

The linking (or creation) of a report is the main assurance method for some of the organizational tasks in Cyberday. When you activate a task that requires you to link a specific report and open the task card, you can find an overview of the reports that are needed as assurance for this specific task. If you have already created any of the needed reports, those are automatically linked there. If you do not yet have that report, you can click the "+ create report" button and you will be taken straight to the report, which you can adjust if needed.

Example screenshot of a task card that requires the linking of a report.

Read more about reporting in Cyberday here.

Linked guidelines

For "people tasks", the main assurance method is the creation and sharing of guidelines for the employee guidebook. The employees can then read and accept the guideline by accessing their individual Cyberday Guidebook. If you activate and edit a task which has connected guidelines, you can find a link to the guidelines section, which leads you to the list of activated and suggested guidelines for this task. If you already have some guidelines activated and shared with your employees, you can also see a progress bar as a quick overview of the current acceptance rate of your employees.

If you click on the link, you will get to the guidelines section of the policy, where you can see more detailed information about the guideline and its acceptance. There you can also activate skill tests and case examples or edit the guideline itself.

What an activated guideline looks like when you click on the link in the task card, in this case "12 remote work and mobile devices" (see screenshot below)

Example of a task that requires the linking of guidelines

Linking a security system (technology)

Technical tasks require the integration of a security system for implementation. You can select a system from a list or add a completely new one. The task card will show if it is a technical task and if you need to connect a technical system.

When you go to the 'Security Systems' section, you can edit the area and add systems for the implementation.

Security systems have been added to a technical task
To add security systems, you can use previously used items or the general library, or add a new item

Additional assurance options

On each task card, the implementation tab has a section for additional assurance information. By clicking it, you can see all possible ways to add additional assurance for the task.

Under the link "Additional assurance information" at the bottom of the task card, you can find a list of other assurance options that you can add to your task. This can mean any of the following:

  • Linking of external files (make sure you have a SharePoint link in the organization settings): You will get the option to select from SharePoint after you have clicked this option (this feature works only in the Teams app)
  • Is there a system enforcing this task? (if you are managing a task rather in a technical way, even if the task type originally was another one)
  • Which units / sites should confirm their implementation of task? - Select relevant units or sites that should describe their own implementation of this measure in their own description
  • Which people need to confirm implementing their part? - Request selected users (e.g. data system or unit owners) to confirm through Taskbook once they have executed their part of the task. You can write instructions for the needed actions.
  • Should employees follow task-related guidance? - If you want to implement this task through employee guidance, connect relevant guidelines to this task and distribute them for acceptance to relevant people through Guidebook.
  • Want to write internal how-to instructions for this task? - If you want to write a more detailed step-by-step explanation to help with periodically implementing this task, you should write it in the how-to section. This text is internal and won't be visible on reports.

You can add any additional assurance information to your task at any point. The more assurance you are collecting for a task, the stronger its security layer will get.

Many additional assurance methods can be added to the task

Which units / sites should confirm their implementation of task?

You can always add additional assurance methods to a task, one of the methods being to divide the implementation among units/sites. You can divide the implementation if, for example, different sites or units are participating in the task implementation in different ways.

The implementation of tasks may vary, for example, based on units or sites, which is why it is possible to enhance the implementation of tasks by adding descriptions from the owners of these units or sites. Owners of the units and facilities provide additional details for the task.

You will need to pick the relevant units or sites that need to write their own description for the task. Unit / task owner will be responsible for creating the requested description.

First select "add"
Choose wanted units
Choose wanted sites
The description request will be visible in the unit/site owner's Taskbook. The targeted description is filled in and edited from Taskbook.

The task owner will see the progress of the description request on the task card. The review cycle for the descriptions will automatically match the task's review cycle.

Which people need to confirm implementing their part?

Assurance of task execution can be strengthened by selecting owners of different items to supplement the information. When an item's owner is requested to oversee the execution, they will receive the task to complete in their taskbook. All users associated with the units can view the task and execution instructions in their taskbook and are guided to mark their part as complete.

Choose "Add"
Choose wanted item owners and write task instructions
Taskbook will show that your input is needed

When is a task "Not relevant" and when is it "Done"?

Marking a task as "Not relevant" affects the compliance score. Generally, tasks in "Not relevant" status are not calculated into the score.

In the compliance report, scoring is calculated based on the status of the requirement.

  • If a requirement has multiple tasks (e.g., 4 tasks), and you mark 1 as done and 3 as "Not relevant", the requirement is considered fully completed (dark green status). In this case, you receive full compliance points for the requirement because the organization is handling the part of the requirement that is relevant to them.

Note on scoring: If all tasks of a requirement are marked "Not relevant" (or the requirement has only one task which is marked not relevant), you do not accrue any compliance points for that requirement. This is because, technically, the organization is doing nothing for that requirement.

Best Practice: Conscious Decision vs. Irrelevance

It is important to distinguish between a situation where something is truly irrelevant and a situation where the organization has made a conscious policy decision.

If the organization has a clear decision or policy regarding why something does not apply to it, the task could often be marked as "Done" with an explanation, rather than "Not relevant".

Example: A task concerns the processing of children's personal data. Your organization has made a policy decision: "We do not offer services to people under 16 years of age, and thus we do not process children's personal data."

In this case:

  1. Mark the task as Done.
  2. Record the justification in the process description: "We do not offer services to people under 16, so no processing of children's data occurs."

This ensures that the item has a clear owner and the decision is documented. If the operating environment changes later (e.g., you start offering services to younger people), the task exists and the owner can react to it. If the task were simply hidden with "Not relevant" status, the risk of the matter being forgotten during a change increases.

Questions and feedback

Do you have any further questions, need another help article or would like to give some feedback? Please contact our team via team@cyberday.ai or the chat box in the lower right corner.