Smart Assessment

Prerequisites

• Roles: assessment_admin, assessment_creator, or admin
• Plugins: com.snc.assessment (Assessment Designer), optionally com.sn_grc for GRC integration
• Access: Read/write access to asmt_metric, asmt_assessment, asmt_metric_result tables
• Knowledge: Understanding of assessment design principles, scoring methodologies, and the business domain being assessed

Key Assessment Tables

Procedure

Step 1: Design the Assessment Structure

Plan the assessment with categories, metrics, and scoring before creation.

Assessment design framework:

Step 2: Create the Assessment Definition

Using MCP (Claude Code/Desktop):

Tool: SN-Create-Record
Parameters:
  table_name: asmt_assessment
  fields:
    name: "Vendor Security Assessment 2026"
    description: "Annual security posture assessment for critical and high-tier vendors. Covers access control, data protection, incident response, and business continuity."
    state: draft
    assessment_type: vendor
    scoring_type: weighted_average
    source_table: core_company
    anonymous: false
    allow_retake: false
    introduction: "This assessment evaluates your organization's security controls and practices. Please answer all questions accurately based on your current capabilities."
    due_date: 2026-06-30

Using REST API:

POST /api/now/table/asmt_assessment
Content-Type: application/json

{
  "name": "Vendor Security Assessment 2026",
  "description": "Annual security posture assessment for critical and high-tier vendors.",
  "state": "draft",
  "assessment_type": "vendor",
  "scoring_type": "weighted_average",
  "source_table": "core_company",
  "due_date": "2026-06-30"
}

Step 3: Create Assessment Categories

Group questions into logical sections with weighting.

Using MCP:

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric_category
  fields:
    name: "Access Control"
    assessment: [assessment_sys_id]
    order: 100
    weight: 25
    description: "Evaluate identity management, authentication, authorization, and access review practices"

Create additional categories:

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric_category
  fields:
    name: "Data Protection"
    assessment: [assessment_sys_id]
    order: 200
    weight: 30
    description: "Assess data classification, encryption, backup, and data handling procedures"

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric_category
  fields:
    name: "Incident Response"
    assessment: [assessment_sys_id]
    order: 300
    weight: 25
    description: "Review incident detection, response procedures, notification timelines, and recovery capabilities"

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric_category
  fields:
    name: "Business Continuity"
    assessment: [assessment_sys_id]
    order: 400
    weight: 20
    description: "Evaluate disaster recovery, redundancy, and operational resilience"

Step 4: Create Assessment Metrics (Questions)

Build individual questions with appropriate metric types.

Scale metric (1-5 Likert):

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric
  fields:
    name: "Multi-factor authentication is enforced for all privileged access"
    metric_type: scale
    category: [access_control_category_sys_id]
    order: 110
    weight: 15
    mandatory: true
    scale_definition: "1=Not Implemented,2=Partially Implemented,3=Implemented but Not Enforced,4=Implemented and Enforced,5=Implemented, Enforced, and Audited"
    description: "Rate the maturity of MFA implementation for privileged accounts including admin, root, and service accounts."
    ai_suggestion_enabled: true

Boolean metric (Yes/No):

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric
  fields:
    name: "Does your organization maintain a documented incident response plan?"
    metric_type: boolean
    category: [incident_response_category_sys_id]
    order: 310
    weight: 10
    mandatory: true
    description: "A documented IRP should include roles, communication procedures, and escalation paths."

Choice metric (Multiple choice):

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric
  fields:
    name: "What is your data encryption standard for data at rest?"
    metric_type: choice
    category: [data_protection_category_sys_id]
    order: 210
    weight: 12
    mandatory: true
    choices: "AES-256,AES-128,DES/3DES,No encryption,Other"
    scored_choices: "AES-256=5,AES-128=4,DES/3DES=2,No encryption=0,Other=1"

Text metric (Open-ended):

Tool: SN-Create-Record
Parameters:
  table_name: asmt_metric
  fields:
    name: "Describe your data breach notification process and timeline"
    metric_type: text
    category: [incident_response_category_sys_id]
    order: 320
    weight: 0
    mandatory: false
    description: "Include notification timeline, regulatory requirements, and communication channels."
    max_length: 2000

Step 5: Configure Conditional Logic

Show or hide questions based on previous responses.

Using MCP:

Tool: SN-Update-Record
Parameters:
  table_name: asmt_metric
  sys_id: [follow_up_question_sys_id]
  data:
    condition: "javascript: current.metric == '[parent_metric_sys_id]' && current.value < 3"
    condition_description: "Show only if MFA maturity is rated below 3 (Implemented)"

Step 6: Enable AI-Assisted Response Suggestions

Configure smart suggestions that pre-populate answers based on historical data.

Using MCP:

Tool: SN-Execute-Background-Script
Parameters:
  script: |
    // Enable AI suggestions for assessment metrics
    var assessmentSysId = '[assessment_sys_id]';

    var metric = new GlideRecord('asmt_metric');
    metric.addQuery('category.assessment', assessmentSysId);
    metric.addQuery('metric_type', 'IN', 'scale,choice,boolean');
    metric.query();

    var updated = 0;
    while (metric.next()) {
      // Check for historical responses to generate suggestions
      var history = new GlideAggregate('asmt_metric_result');
      history.addQuery('metric', metric.sys_id.toString());
      history.addAggregate('COUNT');
      history.addAggregate('AVG', 'actual_value');
      history.query();

      if (history.next()) {
        var responseCount = parseInt(history.getAggregate('COUNT'));
        var avgValue = parseFloat(history.getAggregate('AVG', 'actual_value')) || 0;

        if (responseCount >= 5) {
          metric.ai_suggestion_enabled = true;
          metric.ai_suggestion_confidence = Math.min(responseCount / 50, 1.0);
          metric.ai_suggested_value = Math.round(avgValue);
          metric.update();
          updated++;
        }
      }
    }

    gs.info('AI suggestions enabled for ' + updated + ' metrics based on historical response data.');
  description: "Assessment: Enable AI response suggestions from historical data"

Step 7: Analyze Assessment Results

Generate scoring summaries and benchmarking data.

Using MCP:

Tool: SN-Execute-Background-Script
Parameters:
  script: |
    var assessmentName = 'Vendor Security Assessment 2026';
    var analysis = {
      assessment: assessmentName,
      generated_date: new GlideDateTime().toString(),
      summary: { total_instances: 0, completed: 0, in_progress: 0, not_started: 0, avg_score: 0 },
      by_category: {},
      score_distribution: { excellent: 0, good: 0, fair: 0, poor: 0 },
      lowest_scoring_metrics: [],
      highest_scoring_metrics: []
    };

    // Get assessment
    var asmt = new GlideRecord('asmt_assessment');
    asmt.addQuery('name', assessmentName);
    asmt.query();
    if (!asmt.next()) { gs.info('Assessment not found'); return; }

    // Instance statistics
    var inst = new GlideRecord('asmt_assessment_instance');
    inst.addQuery('assessment', asmt.sys_id.toString());
    inst.query();
    var scores = [];
    while (inst.next()) {
      analysis.summary.total_instances++;
      var state = inst.state.toString();
      if (state == 'complete') { analysis.summary.completed++; scores.push(parseFloat(inst.score.toString()) || 0); }
      else if (state == 'wip') analysis.summary.in_progress++;
      else analysis.summary.not_started++;
    }

    if (scores.length > 0) {
      var total = 0;
      for (var i = 0; i < scores.length; i++) {
        total += scores[i];
        if (scores[i] >= 80) analysis.score_distribution.excellent++;
        else if (scores[i] >= 60) analysis.score_distribution.good++;
        else if (scores[i] >= 40) analysis.score_distribution.fair++;
        else analysis.score_distribution.poor++;
      }
      analysis.summary.avg_score = Math.round(total / scores.length);
    }

    // Category scores
    var cat = new GlideRecord('asmt_metric_category');
    cat.addQuery('assessment', asmt.sys_id.toString());
    cat.query();
    while (cat.next()) {
      var catResults = new GlideAggregate('asmt_metric_result');
      catResults.addQuery('metric.category', cat.sys_id.toString());
      catResults.addAggregate('AVG', 'actual_value');
      catResults.query();
      if (catResults.next()) {
        analysis.by_category[cat.name.toString()] = {
          avg_score: Math.round(parseFloat(catResults.getAggregate('AVG', 'actual_value')) || 0),
          weight: cat.weight.toString() + '%'
        };
      }
    }

    gs.info('ASSESSMENT ANALYSIS:\n' + JSON.stringify(analysis, null, 2));
  description: "Assessment: Analyze results with scoring and benchmarking"

Tool Usage

Best Practices

• Question Clarity: Write questions that are unambiguous and can be answered consistently by different respondents
• Balanced Scoring: Calibrate scale definitions so that the middle score represents a reasonable baseline, not perfection
• Mandatory vs. Optional: Make core compliance questions mandatory; keep supplemental context questions optional
• Category Weighting: Align category weights to organizational risk priorities; update annually based on risk appetite changes
• AI Suggestion Threshold: Only enable AI suggestions when at least 5 historical responses exist for reliable averages
• Conditional Efficiency: Use conditional logic to reduce assessment length; only show follow-up questions when relevant
• Pilot Testing: Test assessments with a small group before broad deployment to identify confusing questions
• Anonymity Considerations: Employee engagement surveys should be anonymous; vendor assessments should not be
• Version Management: Create new assessment versions rather than modifying active ones mid-cycle

Troubleshooting

Assessment Score Not Calculating

Symptom: Completed assessment instances show a score of 0 or null Cause: Metric weights may not sum correctly, or the scoring type is misconfigured Solution: Verify that category weights sum to 100%. Check that individual metric weights within each category are set. Ensure scoring_type on the assessment is not set to "none".

Conditional Questions Always Hidden

Symptom: Follow-up questions never appear regardless of parent response Cause: Condition script references the wrong metric sys_id or uses incorrect value comparison Solution: Verify the condition field uses the correct parent metric sys_id. Test with explicit values first, then add dynamic logic.

AI Suggestions Show Outdated Data

Symptom: Suggested responses reflect old assessment cycles rather than current standards Cause: AI suggestions are pulling from all historical results including outdated assessments Solution: Filter historical data by date range or assessment version when calculating suggestions. Update ai_suggested_value when standards change.

Metric Results Not Linking to GRC

Symptom: Assessment results do not appear in GRC risk or compliance modules Cause: Assessment source_table may not match the GRC profile table, or the integration mapping is missing Solution: Verify the assessment's source_table is set to the GRC profile table (e.g., sn_grc_profile). Check for integration business rules between assessment and GRC modules.

Examples

Example 1: NIST CSF Maturity Assessment

Scenario: Create a cybersecurity maturity assessment aligned to NIST Cybersecurity Framework

Categories (weighted):

• Identify (20%) - Asset management, risk assessment, governance
• Protect (25%) - Access control, awareness, data security
• Detect (20%) - Anomalies, monitoring, detection processes
• Respond (20%) - Response planning, communications, analysis
• Recover (15%) - Recovery planning, improvements, communications

Scale: 1=Initial, 2=Managed, 3=Defined, 4=Quantitatively Managed, 5=Optimizing

Example 2: Employee Engagement Survey

Scenario: Quarterly pulse survey with AI-suggested benchmarks

Tool: SN-Create-Record
Parameters:
  table_name: asmt_assessment
  fields:
    name: "Q1 2026 Employee Engagement Pulse"
    assessment_type: survey
    scoring_type: weighted_average
    source_table: sys_user
    anonymous: true
    allow_retake: false
    due_date: 2026-03-31

Result Analysis: Average score 3.8/5.0. Lowest category: Work-Life Balance (3.2). Highest: Team Collaboration (4.3). AI suggests targeting work-life balance initiatives based on declining trend.

Related Skills

• grc/risk-assessment-summarization - Analyze risk assessment results
• grc/tprm-issue-summarization - TPRM assessments and vendor evaluations
• hrsd/sentiment-analysis - Complement assessments with sentiment data
• admin/workflow-creation - Automate assessment distribution and follow-up
• reporting/executive-dashboard - Build assessment result dashboards