GRC Part 1 Flashcards
What is the database table name for Control Objectives starting with Orlando?
sn_compliance_policy_statement
Can you nest or stack policy records?
Yes
Can you nest or stack control objectives?
Yes
What GRC record generates a KB article when approved?
Policy
What must be set up for controls to be generated?
The Control Objective has the checkbox for “Create Controls Automatically” checked and an Entity Type is applied to the Control Objective.
Attestations are generated when a control is moved from draft to what?
Attest
What can you do with the Policy Acknowledgement feature?
Send out policies for review & acknowledgement, Track responses on the campaign record, designate the campaign audience for acknowledgement.
What can you NOT do with the Policy Acknowledgement feature?
Enable employees to ask for more info about the policy.
A control attestation can be used to measure the level of compliance - T or F
False
How many entity types can an entity belong to?
None, 1 or multiple
Entities can be added to an entity type via what methods?
Manually, from the All Entities module or using a filter defined on the Entity Type record.
Entities can be added to an entity type on a Policy Related List - True or False
False
An entity must always relate to a record in a ServiceNow table - True or False
False
What records are generated when an entity type is related to a risk statement/template?
Risks, Risk Indicators (if there is an indicator template related to the risk statement)
Risk Frameworks are required records in Risk Framework Process - T or F
False
What’s another name for Risk Statement Records?
Risk Templates
Risk statements can be nested or created in a hierarchy - T or F
True
Risk Events always involve a loss - T or F
False
Customers may refer to Risk Events as Loss Events - T or F
True
Risk Events are the same as Risk Statements - T or F
False
Risk Events can be related to Risks - T or F
True
What is the module name for all Registered Risks?
Risk->Risk Register->All Risks
Entity Types can be applied at what level to generate risks?
Risk Framework and Risk Statement/Template
Default Risk Scoring Method in SN baseline is ___
Quantitative
What does ALE refer to in Risk Scoring?
Annualized Loss Expectancy - Expected loss in a single year - SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)
What is equivalent to SLE in Qualitative Risk Scoring?
Single Loss Expectancy - Impact - $$$$
What is equivalent to ARO in Qualitative Risk Scoring?
Annual Rate of Occurrence - Likelihood - %
Which type of risk is “worst case scenario” according to ServiceNow?
Inherent (not residual or calculated)
Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?
Yes
Risk Responses are generated after Risk Assessments are complete - T or F
True
Which fields cover the duration covered by the audit? (not the dates that the audit occurred)
Audit Period (start and end)
When creating an audit engagement record, what record is used to scope the audit?
Entity
Control Test Records are set up to control the Design of the Control and the Effectiveness of the Control. When is a control set to ineffective?
When either the design effectiveness or the operational effectiveness of the control are set to ineffective.
When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?
Risks, Controls, Test Plans, Indicator Results
When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?
Policies, Control Objectives
A control objective in SN GRC is often called what by people in the GRC industry? (3)
Control Objective, Requirement, Control Template
If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F
False - Depends on whether the “Create Controls automatically” checkbox is checked on the control objective.
Can you nest or stack Risk Statements?
Yes, but only with Advanced Risk (and post NY)
Can a Risk Manager update Entity Types and Entities?
Yes (requires grc.manager and risk manager inherits it)
Entity Types can be applied at what level to generate Registered Risks?
Risk Framework or Risk Statement
Alternative Terms for a Control Objective (4)
Control, Control Template, Requirement, Policy Statement
Alternative Terms for an Entity (4)
Scope definition, Scope Object, Target, Profile
Alternative Terms for an Entity Type (1)
Entity Group
Alternative Term for a Control (1)
Control Instance
Alternative Term for a Risk Statement
Risk Template
Alternative Term for an Issue
Finding
NY onward - table name for Entity Class
sn_grc_profile_class
NY onward - table name for Entity Type
sn_grc_profile_type
NY onward - table name for Entity
sn_grc_profile
NY onward - table name for Control Objectives
sn_compliance_policy_statement
What are the compliance-related roles in order of inheritance?
Compliance Developer, Admin, Manager, User, Reader
What are the Risk-related roles in order of inheritance?
Risk Admin, Manager, User, Reader
What roles do you get with GRC Developer?
Compliance Developer
What roles do you get with GRC Admin?
Risk Admin and Compliance Admin
What roles inherit Survey Reader?
Compliance User and Risk User
What role will Compliance Managers group get?
sn_compliance.manager
What can Compliance Managers with sn_compliance.manager role do?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policies, Control Objectives, Policy Exceptions, Controls, Authority Documents, Citations
What role will Compliance Analysts group get?
sn_compliance.user
What can Compliance Analysts with sn_compliance.user role do?
1) View Authority Documents and Citations 2) Create Policies, Control Objectives, Policy Exceptions and Controls
What can Compliance Managers do that Analysts cannot?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations
What role will Risk Managers get?
sn_risk.manager
What can Risk Managers do with the sn_risk.manager role?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench
What role will Risk Analysts get?
sn_risk.user
What can Risk Analysts do with the sn_risk.user role?
1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks
What role is needed to answer a risk assessment?
No role
What role is needed to create a risk assessment?
Risk Assessment Creator (sn_risk.asmt_creator)
What role is needed to answer a control attestation?
No role
What role is needed to create policies?
Compliance User (Analyst)
What role is needed to approve policies?
Compliance User (Analyst)
What role is needed to Submit a control for attestation?
Compliance User (Analyst)
What role is needed to create an issue for Risk?
Risk User
What role is needed to Create an indicator template for Risk?
Risk Manager
What role is needed to Create a Policy Exception from Control Issue?
Compliance User (Analyst)
What role is needed to retire policies?
Compliance Manager
An entity can only be related to a single entity class - T or F
True
What tables are frequently used in the Entity Type filter to generate Entities?
Department, Group, Service (not Control or Indicator)
Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F
True
What tables are extended from the Document table?
Risk Framework, Policy, Authority Document
What tables are extended from the Content table?
Risk Statement, Control Objective, Citation
What tables are extended from the Item table?
Risk, Control
What is the Policy Lifecycle?
Draft, Review, Awaiting Approval, Published, Retired
Who can create a Policy?
Compliance Users/Analysts and above
Who can set a Policy to Review state?
Compliance users/analysts and above
Who can move a Policy from Review to its next state?
Named reviewer or the Policy Owner
Compliance admins can move a Policy from Review to its next state - T or F
False
A policy waiting for approval will be published when at least 1 approver approves it - True or False
False - all approvers must approve it.
What happens when a Policy is published?
A KB article is created
Who can retire a policy?
Compliance Manager or Policy Owner
What is the Control lifecycle?
Draft, Attest, Review, Monitor, Retire
Who can modify a Draft control?
Compliance users/analysts
Who can use Attest button on a Draft control?
Compliance users/analysts
Who can complete an attestation?
The person to whom it is assigned
Can a system admin complete an attestation for someone?
Only via impersonation
What is best practice when an attestation cannot be completed by its assignee?
Return the control to Draft state.
Who moves a control to the Review state?
It happens automatically when the attestation is done
Who can move a control from Review to Monitor?
Compliance Manager
When a control is in Monitor state, Indicators can be scheduled - T or F
True
Who edits the control in a Monitor state?
Controls are usually not edited when in Monitor. Updates happen via Indicators.
When does a control go to the Retire state?
Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)
When a control is in Retired state, Indicators will run - T or F
False
Who can manually retire a control?
Compliance Manager
What is the Issue lifecycle?
New, Analyze, Respond, Review, Closed
Who can create a new issue?
Compliance, Risk or Audit User
An issue can be related to what other things? (6)
Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues
Who can move issue to Analyze?
Any GRC user
Who can move issue to Respond?
Any GRC User
What things will auto-trigger an issue creation? (4)
1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results
What is the Policy Exception Lifecycle?
New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed
Who can request a Policy Exception?
Any internal user.
How does a Policy Exception go from New to Analyze?
Requester uses Request Approval UI Action/button.
Who performs the Analyze phase of the Policy Exception?
Compliance Manager
How does a Policy Exception get to the Risk Assessment state?
Compliance Manager requests a risk assessment.
What happens when a Compliance Manager requests a risk assessment for a Policy Exception?
A notification goes to the Risk Manager’s group and a risk manager performs the assessment.
How does a Policy Exception get to the Review state?
Compliance Manager requests a risk assessment and risk manager requests a review.
What happens when a Policy Exception is set to Review by the Risk Manager?
Notification goes to the Compliance Manager.
What happens after a compliance manager is notified that a Policy Exception needs a Review?
Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.
How does a Policy Exception get to the Awaiting Approval state?
Compliance manager request Business Level Approval.
How does a Policy Exception get to the Approved state?
Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.
How does a Policy Exception get to the Closed state?
Compliance manager rejects it during review (maybe?) or otherwise sets it to Closed.
Who can request an extension to an approved Policy Exception?
Control Owner
Where can you initiate a Policy Exception? (6)
Policy Exception modules, Related Lists - Issue/Control Objective/Policy, other integrated SN applications, Service Portal
What happens during Analyze phase of a Policy Exception?
Compliance manager will review and update Source, Schedule, Comments, look at impacted Controls, mitigating controls and risks, update business impact analysis including residual likelihood, impact and score.
What are options for the compliance manager when the analysis is complete for a Policy Exception? (4)
Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval
What is the Policy Acknowledgement lifecycle?
New, Pending Acknowledgement, Closed, Cancelled
Who can create a Policy Acknowledgement campaign?
Compliance User/Analyst
Who can designate the audience for a Policy Acknowledgment campaign?
Compliance Admin or Compliance Manager
Who can be added to a Policy Acknowledgement campaign?
Users, Groups, filtered user definition.
Where can audience members of a Policy Ack campaign respond?
On the portal.
How can audience members of a Policy Ack campaign respond?
Accept, Decline or Request Exception (if allowed)