CIS - IRM Fundamentals Flashcards

1
Q

Integrated risk management

A

is a set of practices, supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.

2
Q

2 workspaces for IRM

A

Compliance Workspace
Risk Workspace

3
Q

360 degree view

A

displays upstream, downstream, and related records; available for many types of records.

4
Q

sn_audit.manager

A

a manager of the internal audit team and is responsible for creating audit engagements and monitoring the status of audit tasks and issues.

5
Q

citation

A

a breakdown of the authority document.

6
Q

control objective

A

the breakdown of a policy

7
Q

Controls

A

test plans are related to

8
Q

Entities

A

people, places, or objects that need to be monitored in order to manage risks, track control compliance, and be reviewed as part of audit engagements.

e.g. an organization’s assets, vendors, business services, and business units.

9
Q

Entity types

A

dynamic categories containing one or more entities.

They are associated to policies, control objectives, risk frameworks, and risk statements.

10
Q

Entity classes

A

Top-level organizational structure used to tag entities across different entity types.

An entity can belong to many entity types, but it can have only one entity class.

One entity type can have entities that belong to different entity classes.

11
Q

Entity tiers

A

a way for an organization to logically group entity classes and then filter reports by those groupings. They are used for building entity hierarchy between various entity classes.

12
Q

entity scoping

A

when an organization defines what people, places, or objects, such as processes, vendors, and departments, should be monitored for compliance and included in risk management.

13
Q

benefits of entities

A
  1. Scalable - leverages other ServiceNow data
  2. Repeatable - dynamically creates new entities that inherit controls and risks
  3. Visibility - provides visibility on multiple levels of the organization
14
Q

Commonly leveraged tables often begin with

A
  1. cmn - for common tables
  2. sys - for system tables
  3. cmdb_ci - for CMDB tables
  4. core - for core tables
15
Q

When entities are created and associated individually, a control is only created for that entity.

A

true

16
Q

risks can be automatically generated for all entities associated with the entity type

A

when entity type is created, populated and associated with risk statements

17
Q

Cascading updates

A

if an entity is deactivated, all associated controls, risks, indicators, and test plans are retired. If the entity ever gets reactivated again, the associated controls and risks revert to the Draft state.

18
Q

corporate compliance

A

means having internal policies and procedures in place to prevent and detect violations of applicable laws, regulations, and ethical standards.

19
Q

regulations

A

a law or rule governing the behavior and practices of an industry or market that is set and maintained by a constituted authority or regulatory body.

Regulations are issued by regulatory bodies for many diverse reasons, such as to regulate the way business is conducted to ensure ethical practices and fair competition.

20
Q

General Data Protection Regulation (GDPR)

A

Regulation protecting the data of individuals residing in the European Union (E.U.) and the European Economic Area, regardless of where the data is stored or processed.

Applicable to any company storing or processing data

21
Q

Sarbanes-Oxley (SOX) Act of 2002

A

Law passed by U.S. Congress to help protect investors from fraudulent financial reporting by corporations.

Applicable to all publicly traded companies in the United States and wholly owned subsidiaries and foreign companies that are publicly traded and do business in the United States.

22
Q

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

A

Federal U.S. law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Applicable to healthcare providers if they transmit health information electronically in connection with covered transactions.

23
Q

standard

A

benchmark circulated by a regulatory agency and created to enforce the provisions of legislation.

24
Q

standards example

A
  1. Payment Card Industry Data Security Standard
  2. National Institute of Standards and Technology 800-53
  3. ISO/IEC 27001
  4. Criminal Justice Information Services (CJIS) compliance standard
25
framework
a group of underlying and interrelated procedures, policies, regulations, guidelines, codes of conduct, and other regulatory documents sourced from legislation and meant to codify and clarify the intent of a law, act, or regulation. A broad overview or outline of interlinked items that supports a particular approach to meet a specific objective and serves as a guide to be modified as required.
26
examples of framework
  1. FedRAMP (Federal Risk and Authorization Management Program)
  2. Center for Internet Security (CIS)
  3. Control Objectives for Information and Related Technology (COBIT)
  4. HITRUST Common Security Framework
27
Compliance Admin (sn_compliance.admin)
  1. Set up the policy and compliance application
  2. Coordinate and facilitate configuration requests
  3. Delete authority documents, citations, policies, policy statements, and controls
28
Compliance Manager (sn_compliance.manager)
  1. Manage the compliance library
  2. Relate control objectives to citations and policies
  3. Create and manage entity types and entity filters
  4. Leverage entity types and entities for scoping
  5. Approve and retire policies and track policy exceptions
  6. Manage policy acknowledgement campaigns and related audiences
  7. Triage, monitor, and review compliance issues
  8. Monitor control testing and control performance
29
Compliance User (sn_compliance.user)
  1. Create policies and manage the policy lifecycle
  2. Relate policies to control objectives
  3. Send out policy acknowledgement campaigns and monitor progress
  4. Schedule and follow up with attestations for control validation
  5. Respond to an indicator task
  6. Create, manage, and review issues
  7. Request evidence for controls, policies, and issues
30
GRC business user (sn_grc.business_user)
Leveraged across GRC applications. This role is targeted at users that support the GRC process.
  1. Respond to issues and evidence requests
  2. Perform indicator tasks
  3. Perform remediation tasks
31
Control Owner (sn_compliance.user)
  1. Respond to control tests and evidence requests on the controls they own
  2. Respond to indicator tasks assigned by the compliance team
  3. Create and manage control issues
32
Corporate compliance analyst (sn_compliance_ws.corporate_compliance_analyst)
Tracks compliance activities and helps compliance managers ensure that the organization is compliant with various regulations and policies.
  1. Analyze and update the existing policies and related documents
  2. Implement policies and controls when assigned
  3. Monitor the performance of controls
  4. Schedule and follow up on attestations
33
Corporate compliance manager (sn_compliance_ws.corporate_compliance_manager)
Manages internal standards, policies, and control processes that match the external regulatory standards.
  1. Ensure that all policies and regulations are being followed
  2. Create and maintain policies up to the level of defining and applying controls
  3. Approve and track policy exceptions and issues
  4. Manage the team appropriately
34
IT compliance manager (sn_compliance_ws.it_compliance_manager)
Manages internal standards, policies, and control processes that are exclusively IT-related to comply with the external regulatory standards.
35
Authority documents
compile the regulatory content that business processes follow for compliance.
36
Citation
defines a section of an authority document with which an organization must comply. A citation maps to one authority document. Citations can be part of hierarchical, parent-child relationships. Citations can be mapped to one or many control objectives. Citations are mapped to control objectives so that compliance is measured as a control is tested.
37
Policy
defines an internal practice that an organization or business process must follow to ensure compliance and reduce risk exposure. Policies can be categorized and related to control objectives.
38
Control objective
is an objective, direction, or standard that acts as guidance for company interactions and operations. Often based on citations; frequently referred to as internal compliance requirements.
39
control
is the implementation of a control objective for a scoped entity.
40
Compliance score percentage
  1. 80 or higher - green
  2. 80 to 50 - yellow
  3. Below 50 - red
41
things about Policies
  1. Can be created manually or imported using a ServiceNow transform map
  2. Can be arranged in parent-child hierarchical relationships with other policies and with control objectives
  3. Can be sorted into manageable, reportable groups through type and category fields
  4. Can be related to multiple control objectives
42
Procedure
Fixed, step-by-step sequence of activities or course of action that must be followed to correctly perform a task
43
Standard
Documentation of requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose
44
Plan
Written account of an intended future course of action aimed to achieve specific goal(s) or objective(s) within a specific timeframe
45
Checklist
List of items required to be done to perform a specific task or set of tasks
46
Template
Design, mold, or pattern of an item or group of items that serves as a basis or guide for designing or constructing similar items
47
Policy record lifecycle
  1. Draft - default state upon creation
  2. Review
  3. Awaiting approval - all approvers must approve; if there are no approvers, the policy is automatically published
  4. Published - a KB article gets published
  5. Retired - the KB article also gets retired
48
who can create policies
compliance users and above
49
who can move policies into review state
compliance users and above
50
who can move a policy from Review to the next state?
any of the named Reviewers or the Policy Owner
51
when do approvers receive notification?
after policy goes to Awaiting Approval state
52
who can manually retire a policy?
compliance manager or policy owner
53
Policy acknowledgement campaigns
allow customers to define a policy and present that policy for review and acknowledgement by employees in a company
54
Controls are automatically generated when
an entity type is associated with a control objective and the “Creates controls automatically” checkbox is checked.
55
Controls can also be manually created when
associated with an entity from the All Controls module or from the Controls related list on a control objective.
56
When Inherit from control objective option is enabled
the control automatically inherits the name and description of the control objective.
57
A control is considered implemented if we have a way to measure it.
True
58
Control attestations
surveys that gather evidence to prove that a control is implemented. The attestation provides documentation that the control owner has a defined method to measure the control.
59
Indicators
Indicators are used to measure if a control is effective or not and are powerful data collectors.
60
Control tests
can be part of an audit or compliance process used to validate if the control method is effectively designed and is operationally effective.
61
answers the question, “Has the control been implemented?”
Control attestations
62
answers the question, “Is the control effective?”
Indicators
63
answers the question, “Is the control effective from a design and operation standpoint?”
Control tests
64
control record lifecycle
Draft (default state upon creation) > Attest > Review > Monitor > Retire
65
all compliance users can modify the control in Draft state
Draft stage of control
66
control owners are assigned the control by default only assigned to user can complete
Attest stage of control
67
controls are automatically moved to review after attestation is completed Compliance manager can review
Review stage of control
68
in this stage, controls cannot be edited, indicators are scheduled and updates are made by indicators
monitor stage of control
69
Compliance manager can manually retire control when control is no longer relevant automatically set to this stage when entity becomes inactive
retire stage of control
70
Policy exception management
allows an organization to assess the impact that a policy exception can have on related entities, with a related workflow for approving or rejecting an exception request.
71
who may be involved in the policy exception workflow?
the control owner, the compliance manager, the risk manager
72
Policy extension
can be requested before the policy exception expires.
73
how can policy exception be created?
  1. Policy exception module
  2. From an issue record
  3. From a control objective record
  4. Service portal
  5. Integration registry
74
policy exception record lifecycle
New > Pending Verification (optional) > Analyze > Review > Awaiting Approval > Approved > Closed
75
who can request a policy exception?
snc_internal users
76
who can modify a policy exception during analyze stage?
compliance manager
77
who can submit more info of policy exception during review stage?
requester or risk manager
78
who reviews the policy exception
compliance manager
79
who approves the policy exception
compliance manager
80
who closes the policy exception
compliance manager
81
Issues
a task that allows end users to track the response to remediate or accept the issue.
82
issue triage record lifecycle
New > Analyze > Review > Close
83
who reviews the triage issue?
compliance manager, risk manager, triage manager
84
who can close the triage issue?
triage manager, triage team
85
remediate issue
This provides a choice to fix the underlying issue causing the control failure or risk exposure
86
accept issue
This provides a choice to create an exception for a known control failure or risk. Note that this is not a policy exception. Accepting a control issue will cause the control status to remain non-compliant until the control is re-assessed.
87
issue record lifecycle
New > Analyze > Respond > Review > Closed
88
who is responsible for selecting issue rating during analyze stage of the issue lifecycle?
Issue Manager
89
who completes the response and manage in the respond state of the issue lifecycle
issue owners
90
who reviews the issue and accepts resolution/request more info from the owner
issue manager
91
who closes the issue
issue manager
92
Policy Overview dashboard
The Policy Overview dashboard provides different views of controls associated with your policies. It gives an overview of the total number of controls grouped by different parameters and the number of compliant controls.
93
Attestation Overview dashboard
The Attestation Overview dashboard provides views of attestations. Attestation respondents can see attestation status and list of pending attestations.
94
Compliance Overview dashboard
The Compliance Overview dashboard provides views into the source of compliance requirements, the level of compliance, and trends.
95
Policy Exception Overview dashboard
The Policy Exception Overview dashboard provides views into the number, severity, and source of policy exceptions. It shows exempted controls.
96
Policy Acknowledgement dashboard
The Policy Acknowledgement dashboard provides views into the number and statuses of policy acknowledgements. It also shows policy exemptions.
97
Regulatory change management
the management of regulatory, policy, and/or procedural changes that apply to an organization.
98
Regulatory changes
sourced from regulatory intelligence providers such as Thomson Reuters Regulatory Intelligence or from public RSS feeds.
99
Regulatory alerts
Regulatory alerts are an aggregation of different regulatory events and documents sourced from multiple regulatory intelligence providers.
100
RSS feeds
web feeds that allow users and applications to access updates to websites in a standardized format. These feeds allow users to track different websites in a single news aggregator.
101
RCM Admin (sn_grc_reg_change.admin)
  1. Set up the regulatory change management application
  2. Coordinate and facilitate configuration requests
  3. Maintain taxonomy values
102
RCM IT Admin (sn_grc_reg_change.it_admin)
Set up the regulatory intelligence providers in the ServiceNow RCM application
103
RCM Manager (sn_grc_reg_change.manager)
  1. Monitor the progress of regulatory change initiatives within the organization
  2. View all the regulatory content updates relevant to the organization
  3. Assign new regulatory alerts that are sourced from external sources
  4. Assign regulatory tasks within the teams responsible for managing regulatory change
104
RCM User (sn_grc_reg_change.user)
  1. Assess the applicability of regulatory alerts to the organization
  2. Initiate impact assessments and assign them to subject matter experts (SMEs) or owners within the organization
  3. Complete assigned regulatory tasks
  4. Create action tasks for the risk and compliance users to complete
105
GRC business user (sn_grc.business_user)
Respond to impact assessments assigned to them
106
Regulatory change management in the compliance workspace
It provides a single-pane view with a personalized experience and a simplified user journey. The home page provides actionable insights and quick links. The contextual side panel displays the regulatory taxonomy for each regulatory alert record.
107
Activity Overview - RCM in Compliance Workspace
Displays alerts, change tasks, import document tasks, alerts by overall impact, impacted entities, and taxonomy alerts.
108
Tracking - RCM in Compliance Workspace
Displays status of open and unassigned alerts, ongoing and overdue impact assessments, open and overdue issues, open and new action tasks.
109
Trends - RCM in Compliance Workspace
Displays past trends over a period of time, such as open alerts for the last 12 months.
110
Task Contextual Pane - RCM in Compliance Workspace
Displays all the tasks assigned to the individual and to their group.
111
Taxonomy management application
Helps in classifying and categorizing the alert. Can be used to manage categories for content classification across GRC modules.
112
Regulatory Bodies
Organizations that exercise regulatory functions, e.g. government agencies, trade associations, self-regulatory organizations
113
Sectors
different business segments for organizations, e.g. banking, insurance, medical devices
114
Themes
broad topics that can be used to classify regulatory content, e.g. privacy, operational resilience, regulatory filings
115
Jurisdictions
geography where a regulatory or legal body can extend their legal authority
116
Content Types
Different categories of content that a regulatory body can issue, e.g. legislative materials, regulations, rules
117
The regulatory change management life cycle starts with the regulatory alert record.
true
118
Regulatory alert lifecycle
  1. New
  2. Impact assessment (optional)
  3. In progress
  4. Deferred
  5. Cancelled
  6. Closed
119
Who can assign an alert record?
sn_grc_reg_change.admin or the sn_grc_reg_change.manager (RCM Admin or RCM Manager)
120
Who is assigned to work on an alert?
sn_grc_reg_change.user (RCM User)
121
who can cancel an alert?
This action is available to managers and users of regulatory event alerts, and to managers of source document alerts
122
Impact Radius Calculation
To calculate, the existing regulatory library is searched for the matching citation names, the name of the provider, and the source field. Based on these results, action tasks are created and recommended by the system.
123
regulatory change task
used by the stakeholders to collaborate and craft an action plan. It serves as the parent for all the action tasks that should be created to complete the identified changes.
124
regulatory change task record lifecycle.
  1. New - assigned to RCM user
  2. Respond - calculation of impact radius
  3. Awaiting Approval - RCM Manager approves
  4. Implementation
  5. Closed
125
Source document import task
used to ingest a particular source document that is received from the provider into the regulatory library.
126
source document import task lifecycle
  1. Ready to import - assigned to RCM User
  2. In progress
  3. Awaiting Approval - approved by RCM Admin or RCM Manager
  4. Implementation (optional)
  5. Closed
127
Action tasks
created for regulatory change tasks and source document import tasks.
128
created for regulatory change tasks and source document import tasks.
true
129
Types of RCM Application
  1. Compliance - contains compliance-related action tasks
  2. Risk - contains all risk-related action tasks
130
Regulatory Calendar
The Regulatory Calendar provides an overview of the regulatory tasks. The calendar helps with planning and managing these tasks.
131
Data Quality tab (Audit mngt dashboard)
includes important information such as missing information on issues and tasks.
132
Remediation tab (Audit mngt dashboard)
displays remediation tasks, including those that are past due.
133
Issues tab (Audit mngt dashboard)
provides a snapshot of all issues by engagement, state, and assignee.
134
Control Testing (Audit mngt dashboard)
provides control testing status for both effective and non-effective controls.
135
Task Management (Audit mngt dashboard)
includes details for all audit tasks: Activity, Audit Task, Control Test, Interview, Walkthrough.
136
Audit Engagements (Audit mngt dashboard)
provides a big picture of all engagements.
137
Overview (Audit mngt dashboard)
displays the audit activities over the course of a year and is helpful for the annual audit planning and monitoring.
138
Audit Manager dashboard
includes several tabs for audit managers.
139
Audit Overview dashboard
provides an executive view into reports such as engagement results and engagement breakdowns by entities, controls, tasks, and issues.
140
an engagement is closed when
  1. The engagement is closed as incomplete during the Scope, Validate, or Fieldwork states
  2. There are no open audit tasks, observations, or issues after the engagement is approved
  3. All of the follow-up tasks, observations, and issues are closed
141
audit engagement lifecycle
Scope > Validate and Plan > Fieldwork > Awaiting Approval > Follow up > Closed
142
audit engagement
is an audit project that may include audit tasks that accomplish a set of objectives or goals. Engagements are scoped with auditable units or entities.
143
audit plan
helps to manage different types of audits in a periodic manner and group engagements in a logical manner.
144
auditee
the person responsible for providing support during the audit, validating audit findings, and agreeing to audit actions.
145
GRC business user (sn_grc.business_user)
  1. Partner with the auditor on the action plan
  2. Respond to observations and evidence requests
  3. Resolve issues converted from the observation
146
External auditor (sn_audit.external_auditor)
  1. Assigned as auditor for an engagement and audit tasks
  2. Perform audit against specific regulation
  3. View closed engagements and tasks
147
Engagement project manager (sn_audit_advanced.engagement_project_manager)
  1. Complete advanced planning with audit plans and engagements
  2. Create resource and cost plans and approve time cards
148
Audit user (sn_audit.user)
  1. Perform fieldwork (walkthroughs, interviews, control testing, etc.)
  2. Document the work and findings
  3. Resolve and/or follow up with audit findings
149
Audit manager (sn_audit.manager)
  1. Create audit plans and engagements, including records necessary to conduct the audit, such as milestones, tasks, and evidence requests
  2. Approve audit tasks, workpapers, and engagements
150
Audit Admin (sn_audit.admin)
  1. Set up the Audit Management application
  2. Coordinate and facilitate configuration requests
  3. Delete engagements, audit tasks, test templates, and test plans
151
steps to complete typical internal audit
Audit Planning > Audit Fieldwork > Follow up > Year End
152
Audit Management
uses compliance and risk data to scope, plan, and prioritize audit engagements.
153
risk identification dashboard
It helps keep track of various records or objects which are in transit in the risk identification workflow.
154
Risk Register dashboard (Advanced Risk)
displays the risk assessment instances in the list view, sorted by residual risk.
155
Advanced Risk Assessment Overview dashboard
gives an overview of the performance of any risk assessment methodology based on the risk assessment instances.
156
Operational Risk Management dashboard
enables an entity owner to view the complete risk posture for the enterprise in a single consolidated report.
157
By building an indicator template, an indicator is also automatically created for every risk scoped with an entity from the related entity type.
true
158
Indicator templates
recommended to be set up to help generate multiple indicators for similar risks. Set up on a risk statement that is associated with an entity type.
159
Scripted indicators
use a custom script to collect the data.
160
Basic indicators
are automated indicators based on an indicator source.
161
Manual indicators
are used for data that cannot be retrieved from a ServiceNow instance because it comes from an external system
162
risk indicator
can identify the possibility of a future adverse event. They serve as an early warning system, allowing organizations to take preventative actions.
163
risk transfer
Transfer the risk to another party or entity. If you select Transfer, the Risk Response Task number prefix is TFT and the Task Type is Risk Transfer.
164
risk mitigation
Deploy mitigating controls. If you select Mitigate, the Risk Response Task number prefix is MGT and the Task Type is Risk Mitigation.
165
Risk avoidance
Reject the risk and deploy measures to avoid it. If you select Avoid, the Risk Response Task number prefix is AVT and the Task Type is Risk Avoidance.
166
Risk acceptance
The business owner understands and signs off on the risk. If you select Accept, the Risk Response Task number prefix is APT and the Task Type is Risk Acceptance.
167
risk assessment through risk record
can be initiated from the Risk record itself, replacing the classic risk assessment with ARA but keeping the lifecycle on the risk form.
168
Object - based risk assessment
tied to a RAM scoped with an object. Assessors can initiate directly from the object record after configuration is complete.
169
risk assessment scheduler
used to initiate risk assessments on multiple entities for all registered risks scoped with those entities.
170
risk assessment scope
initiates risk assessments on one entity from an entity class for the set of registered risks scoped with that entity. Allows an entity owner to manage the risk assessments for their assessable entities.
171
Factor contribution type
can be qualitative, quantitative, or both. Review the example based on the qualitative contribution type: the response options are Low (L), Medium (M), or High (H), and each factor has a qualitative weight, with the weights adding up to 100%.
172
Group factors
manual or automated factors that are grouped to create a combined score.
173
automated scripted factor
type of automated factor that uses scripts to define how a factor will fetch data from ServiceNow records or publicly available data.
174
Automated factors
automatically fetch data from ServiceNow tables or databases and from publicly available data that does not reside within ServiceNow.
175
Manual factors
require human responses because the questions are subjective and difficult to determine based on data.
176
Policies
defines an internal practice that an organization or business process must follow to ensure compliance and reduce risk exposure. Policies can be categorized and related to control objectives.
177
Procedure
Fixed, step-by-step sequence of activities or course of action that must be followed to correctly perform a task
178
Standard
Documentation of requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose
179
Plan
Written account of an intended future course of action aimed to achieve specific goal(s) or objective(s) within a specific timeframe
180
Checklist
List of items required to be done to perform a specific task or set of tasks
181
Framework
Broad overview or outline of interlinked items that supports a particular approach to meet a specific objective and serves as a guide to be modified as required
182
Template
Design, mold, or pattern of an item or group of items that serves as a basis or guide for designing or constructing similar items
183
Risk management
refers to a coordinated set of activities, used by an organization, to control the many risks that could impact their ability to achieve business objectives.
184
Enterprise risk/enterprise risk management
to develop a holistic, portfolio view of the most significant risks to the organization.
185
IT Risk
any threat to an organization's data, critical systems and business processes.
186
Operational risk
uncertainties and hazards an organization faces when attempting to perform day-to-day business activities.
187
Risk Management and GRC: Advanced Risk applications
help to continuously monitor and identify high-impact risks and to improve risk-based decision-making; thereby, reducing reaction time effectively.
188
Benefits of risk management
  1. Improved risk-based decisions
  2. Increased productivity
189
Risk assessments
performed in virtually every organization and the size and scope of risk assessments vary greatly
190
Principles of Risk Assessment
  1. Risk identification
  2. Risk analysis
  3. Risk evaluation
  4. Risk treatment
  5. Risk monitoring
191
Risk statements
a defined consequence that can occur if a threat exploits a vulnerability. It is a general statement about a potential risk that can occur anywhere in the organization. Risk statements serve as a template to generate risks per entity.
192
Risks
the likelihood of a given threat against a potential vulnerability and the resulting impact of that adverse event on the organization.
193
Risk frameworks
used to categorize risk statements
194
Parent risk statements
from GRC: Advanced Risk; can set parent-child relationships between risks
195
Risk applicability
determine which risks are applicable by considering their entity framework.
196
Risk Admin (sn_risk.admin)
  1. Set up the risk management and advanced risk applications
  2. Coordinate and facilitate configuration requests
  3. Maintain connections across the enterprise and integrations throughout the ServiceNow platform
197
Risk Manager (sn_risk.manager)
  1. Create and manage entity types and entity filters
  2. Leverage entity types and entities for scoping
  3. Define risk criteria and overall risk management framework
198
risk user (sn_risk.user)
  1. Manage the risks owned by their respective business / assets including identification, assessment, and response
  2. Monitor the progress of the risk response tasks and ensure they are remediated within the timelines
  3. Monitor and escalate to the risk manager the risks which may impact the enterprise
199
Risk reader (sn_risk.reader)
  1. Receives read access to most risk reporting tables and risk dashboards
  2. Generally given to managers and executives to monitor their risk posture
200
GRC Business User (sn_grc.business_user)
  1. Respond to risk assessments
  2. Respond to issue tasks, indicator tasks, remediation tasks, and risk event tasks
  3. Report risk events in their business
201
ARA assessor (sn_risk_advanced.ara_assessor)
  1. Take assessments
  2. Respond to the assessment
  3. Reassign the assessment
202
ARA Approver (sn_risk_advanced.ara_approver)
Approve the assessment
203
Business Operational Risk Manager (sn_risk_workspace.business_op_risk_manager)
the risk champions. They assist operational risk managers and are the first line of defense for each individual line of business. They are responsible for managing the risk posture of their specific business units.
204
IT Risk Manager (sn_risk_workspace.IT_risk_manager)
the primary person responsible for establishing and maintaining the organization-wide IT risk management program.
205
risk heatmap
a data visualization tool that graphically represents an organization's risk data. The individual values contained in a matrix are shown in colors that denote a meaning.
206
Advanced Risk Assessment
contributes to creating an integrated risk platform, supporting various kinds of risk assessment methodologies, and enabling the organization to embed risk assessment in day-to-day operations and influence its overall strategy.
207
RAM (Risk Assessment Methodologies)
a unique risk assessment template that can be applied to assess a risk scoped with an entity or an object.
208
risk and control self-assessment (RCSA)
to ensure normal business objectives will be met without disruption from unknown or unmitigated risk. Allows an organization to evaluate all risks and control effectiveness related to a specific entity, commonly a line of business (LOB) or department, on a set frequency.
209
Inherent risk assessment type
Inherent risk is the risk level without controls or mitigating actions.
210
Control effectiveness assessment type
Controls can be preventative, detective, or corrective.
211
Residual risk assessment type
the leftover risk after the implementation of controls. Calculated based on the effectiveness of the control(s) and the overall inherent risk score.
212
Factors
can contribute to either a numerical risk score (qualitative contribution) or be used for calculating annual loss expectancy (ALE) values (quantitative contribution). Factors can be manual, automated, or grouped.