GRC Part 1 Flashcards

1
Q

What is the database table name for Control Objectives starting with Orlando?

A

sn_compliance_policy_statement

2
Q

Can you nest or stack policy records?

A

Yes

3
Q

Can you nest or stack control objectives?

A

Yes

4
Q

What GRC record generates a KB article when approved?

A

Policy

5
Q

What must be set up for controls to be generated?

A

The Control Objective has the “Create Controls Automatically” checkbox checked and an Entity Type is applied to the Control Objective.

6
Q

Attestations are generated when a control is moved from draft to what?

A

Attest

7
Q

What can you do with the Policy Acknowledgement feature?

A

Send out policies for review & acknowledgement, Track responses on the campaign record, designate the campaign audience for acknowledgement.

8
Q

What can you NOT do with the Policy Acknowledgement feature?

A

Enable employees to ask for more info about the policy.

9
Q

A control attestation can be used to measure the level of compliance - T or F

A

False

10
Q

How many entity types can an entity belong to?

A

None, 1 or multiple

11
Q

Entities can be added to an entity type via what methods?

A

Manually, from the All Entities module or using a filter defined on the Entity Type record.

12
Q

Entities can be added to an entity type on a Policy Related List - True or False

A

False

13
Q

An entity must always relate to a record in a ServiceNow table - True or False

A

False

14
Q

What records are generated when an entity type is related to a risk statement/template?

A

Risks, Risk Indicators (if there is an indicator template related to the risk statement)

15
Q

Risk Frameworks are required records in Risk Framework Process - T or F

A

False

16
Q

What’s another name for Risk Statement Records?

A

Risk Templates

17
Q

Risk statements can be nested or created in a hierarchy - T or F

A

True

18
Q

Risk Events always involve a loss - T or F

A

False

19
Q

Customers may refer to Risk Events as Loss Events - T or F

A

True

20
Q

Risk Events are the same as Risk Statements - T or F

A

False

21
Q

Risk Events can be related to Risks - T or F

A

True

22
Q

What is the module name for all Registered Risks?

A

Risk->Risk Register->All Risks

23
Q

Entity Types can be applied at what level to generate risks?

A

Risk Framework and Risk Statement/Template

24
Q

Default Risk Scoring Method in SN baseline is ___

A

Quantitative

25
Q

What does ALE refer to in Risk Scoring?

A

Annualized Loss Expectancy - Expected loss in a single year - SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)

26
Q

What is equivalent to SLE in Qualitative Risk Scoring?

A

Single Loss Expectancy - Impact - $$$$

27
Q

What is equivalent to ARO in Qualitative Risk Scoring?

A

Annual Rate of Occurrence - Likelihood - %

28
Q

Which type of risk is “worst case scenario” according to ServiceNow?

A

Inherent (not residual or calculated)

29
Q

Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?

A

Yes

30
Q

Risk Responses are generated after Risk Assessments are complete - T or F

A

True

31
Q

Which fields cover the duration covered by the audit? (not the dates that the audit occurred)

A

Audit Period (start and end)

32
Q

When creating an audit engagement record, what record is used to scope the audit?

A

Entity

33
Q

Control Test Records are set up to control the Design of the Control and the Effectiveness of the Control. When is a control set to ineffective?

A

When either the design effectiveness or the operational effectiveness of the control is set to ineffective.

34
Q

When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?

A

Risks, Controls, Test Plans, Indicator Results

35
Q

When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?

A

Policies, Control Objectives

36
Q

A control objective in SN GRC is often called what by people in the GRC industry? (3)

A

Control Objective, Requirement, Control Template

37
Q

If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F

A

False - Depends on whether the “Create Controls automatically” checkbox is checked on the control objective.

38
Q

Can you nest or stack Risk Statements?

A

Yes, but only with Advanced Risk (and post NY)

39
Q

Can a Risk Manager update Entity Types and Entities?

A

Yes (requires grc.manager and risk manager inherits it)

40
Q

Entity Types can be applied at what level to generate Registered Risks?

A

Risk Framework or Risk Statement

41
Q

Alternative Terms for a Control Objective (4)

A

Control, Control Template, Requirement, Policy Statement

42
Q

Alternative Terms for an Entity (4)

A

Scope definition, Scope Object, Target, Profile

43
Q

Alternative Terms for an Entity Type (1)

A

Entity Group

44
Q

Alternative Term for a Control (1)

A

Control Instance

45
Q

Alternative Term for a Risk Statement

A

Risk Template

46
Q

Alternative Term for an Issue

A

Finding

47
Q

NY onward - table name for Entity Class

A

sn_grc_profile_class

48
Q

NY onward - table name for Entity Type

A

sn_grc_profile_type

49
Q

NY onward - table name for Entity

A

sn_grc_profile

50
Q

NY onward - table name for Control Objectives

A

sn_compliance_policy_statement

51
Q

What are the compliance-related roles, in order of inheritance?

A

Compliance Developer, Admin, Manager, User, Reader

52
Q

What are the Risk-related roles, in order of inheritance?

A

Risk Admin, Manager, User, Reader

53
Q

What roles do you get with GRC Developer?

A

Compliance Developer

54
Q

What roles do you get with GRC Admin?

A

Risk Admin and Compliance Admin

55
Q

What roles inherit Survey Reader?

A

Compliance User and Risk User

56
Q

What role will Compliance Managers group get?

A

sn_compliance.manager

57
Q

What can Compliance Managers with sn_compliance.manager role do?

A

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policies, Control Objectives, Policy Exceptions, Controls, Authority Documents, Citations

58
Q

What role will Compliance Analysts group get?

A

sn_compliance.user

59
Q

What can Compliance Analysts with sn_compliance.user role do?

A

1) View Authority Documents and Citations 2) Create Policies, Control Objectives, Policy Exceptions and Controls

60
Q

What can Compliance Managers do that Analysts cannot?

A

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations

61
Q

What role will Risk Managers get?

A

sn_risk.manager

62
Q

What can Risk Managers do with the sn_risk.manager role?

A

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench

63
Q

What role will Risk Analysts get?

A

sn_risk.user

64
Q

What can Risk Analysts do with the sn_risk.user role?

A

1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks

65
Q

What role is needed to answer a risk assessment?

A

No role

66
Q

What role is needed to create a risk assessment?

A

Risk Assessment Creator (sn_risk.asmt_creator)

67
Q

What role is needed to answer a control attestation?

A

No role

68
Q

What role is needed to create policies?

A

Compliance User (Analyst)

69
Q

What role is needed to approve policies?

A

Compliance User (Analyst)

70
Q

What role is needed to Submit a control for attestation?

A

Compliance User (Analyst)

71
Q

What role is needed to create an issue for Risk?

A

Risk User

72
Q

What role is needed to Create an indicator template for Risk?

A

Risk Manager

73
Q

What role is needed to Create a Policy Exception from Control Issue?

A

Compliance User (Analyst)

74
Q

What role is needed to retire policies?

A

Compliance Manager

75
Q

An entity can only be related to a single entity class - T or F

A

True

76
Q

What tables are frequently used in the Entity Type filter to generate Entities?

A

Department, Group, Service (not Control or Indicator)

77
Q

Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F

A

True

78
Q

What tables are extended from the Document table?

A

Risk Framework, Policy, Authority Document

79
Q

What tables are extended from the Content table?

A

Risk Statement, Control Objective, Citation

80
Q

What tables are extended from the Item table?

A

Risk, Control

81
Q

What is the Policy Lifecycle?

A

Draft, Review, Awaiting Approval, Published, Retired

82
Q

Who can create a Policy?

A

Compliance Users/Analysts and above

83
Q

Who can set a Policy to Review state?

A

Compliance users/analysts and above

84
Q

Who can move a Policy from Review to its next state?

A

Named reviewer or the Policy Owner

85
Q

Compliance admins can move a Policy from Review to its next state - T or F

A

False

86
Q

A policy waiting for approval will be published when at least 1 approver approves it - True or False

A

False - all approvers must approve it.

87
Q

What happens when a Policy is published?

A

A KB article is created

88
Q

Who can retire a policy?

A

Compliance Manager or Policy Owner

89
Q

What is the Control lifecycle?

A

Draft, Attest, Review, Monitor, Retire

90
Q

Who can modify a Draft control?

A

Compliance users/analysts

91
Q

Who can use Attest button on a Draft control?

A

Compliance users/analysts

92
Q

Who can complete an attestation?

A

The person to whom it is assigned

93
Q

Can a system admin complete an attestation for someone?

A

Only via impersonation

94
Q

What is best practice when an attestation cannot be completed by its assignee?

A

Return the control to Draft state.

95
Q

Who moves a control to the Review state?

A

It happens automatically when the attestation is done

96
Q

Who can move a control from Review to Monitor?

A

Compliance Manager

97
Q

When a control is in Monitor state, Indicators can be scheduled - T or F

A

True

98
Q

Who edits the control in a Monitor state?

A

Controls are usually not edited when in Monitor. Updates happen via Indicators.

99
Q

When does a control go to the Retire state?

A

Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)

100
Q

When a control is in Retired state, Indicators will run - T or F

A

False

101
Q

Who can manually retire a control?

A

Compliance Manager

102
Q

What is the Issue lifecycle?

A

New, Analyze, Respond, Review, Closed

103
Q

Who can create a new issue?

A

Compliance, Risk or Audit User

104
Q

An issue can be related to what other things? (6)

A

Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues

105
Q

Who can move an issue to Analyze?

A

Any GRC user

106
Q

Who can move an issue to Respond?

A

Any GRC User

107
Q

What things will auto-trigger an issue creation? (4)

A

1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results

108
Q

What is the Policy Exception Lifecycle?

A

New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed

109
Q

Who can request a Policy Exception?

A

Any internal user.

110
Q

How does a Policy Exception go from New to Analyze?

A

Requester uses Request Approval UI Action/button.

111
Q

Who performs the Analyze phase of the Policy Exception?

A

Compliance Manager

112
Q

How does a Policy Exception get to the Risk Assessment state?

A

Compliance Manager requests a risk assessment.

113
Q

What happens when a Compliance Manager requests a risk assessment for a Policy Exception?

A

A notification goes to the Risk Manager’s group and a risk manager performs the assessment.

114
Q

How does a Policy Exception get to the Review state?

A

Compliance Manager requests a risk assessment and risk manager requests a review.

115
Q

What happens when a Policy Exception is set to Review by the Risk Manager?

A

Notification goes to the Compliance Manager.

116
Q

What happens after a compliance manager is notified that a Policy Exception needs a Review?

A

Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.

117
Q

How does a Policy Exception get to the Awaiting Approval state?

A

Compliance manager requests Business Level Approval.

118
Q

How does a Policy Exception get to the Approved state?

A

Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.

119
Q

How does a Policy Exception get to the Closed state?

A

Compliance manager rejects it during review (maybe?) or otherwise sets it to Closed.

120
Q

Who can request an extension to an approved Policy Exception?

A

Control Owner

121
Q

Where can you initiate a Policy Exception? (6)

A

Policy Exception modules, Related Lists - Issue/Control Objective/Policy, other integrated SN applications, Service Portal

122
Q

What happens during Analyze phase of a Policy Exception?

A

Compliance manager will review and update Source, Schedule, Comments, look at impacted Controls, mitigating controls and risks, update business impact analysis including residual likelihood, impact and score.

123
Q

What are options for the compliance manager when the analysis is complete for a Policy Exception? (4)

A

Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval

124
Q

What is the Policy Acknowledgement lifecycle?

A

New, Pending Acknowledgement, Closed, Cancelled

125
Q

Who can create a Policy Acknowledgement campaign?

A

Compliance User/Analyst

126
Q

Who can designate the audience for a Policy Acknowledgment campaign?

A

Compliance Admin or Compliance Manager

127
Q

Who can be added to a Policy Acknowledgement campaign?

A

Users, Groups, filtered user definition.

128
Q

Where can audience members of a Policy Ack campaign respond?

A

On the portal.

129
Q

How can audience members of a Policy Ack campaign respond?

A

Accept, Decline or Request Exception (if allowed)

130
Q

When does a Policy Ack campaign get closed?

A

When it’s overdue. (any other???)

131
Q

When does a Policy Ack record get reset?

A

When a policy exception is expired

132
Q

Who can cancel a Policy Ack campaign?

A

Compliance manager or owner of the campaign

133
Q

What Policy and Compliance components do you get to via the P&C->Compliance module?

A

Authority Documents (sn_compliance_authority_document) and Citations (sn_compliance_citation)

134
Q

What Policy and Compliance components do you get to via the P&C->Policies and Procedures module?

A

Policies (sn_compliance_policy) and Control Objectives (sn_compliance_policy_statement)

135
Q

What module do you use to get to Authority Documents?

A

Policy and Compliance->Compliance

136
Q

What module do you use to get to Citations?

A

Policy and Compliance->Compliance

137
Q

What module do you use to get to Policies?

A

Policy and Compliance->Policies and Procedures

138
Q

What module do you use to get to Control Objectives?

A

Policy and Compliance->Policies and Procedures

139
Q

What are the table names for the policy acknowledgement campaign and the policy acknowledgement record?

A

sn_compliance_policy_acknowledgement

sn_compliance_policy_acknowledgement_instance

140
Q

Which Script Include? Requirement is to modify who can edit a policy in the Review State.

A

ComplianceUtils

141
Q

Which Script Include? Requirement is to modify how compliance scores roll up.

A

ComplianceScoreCalculator

142
Q

Which Script Include? Requirement is to display the number of controls excluded from the compliance score.

A

AssessmentStrategy

143
Q

Which Script Include? Requirement is to use a different criteria to create control records.

A

ControlGeneratorStrategy

144
Q

Which Script Include? Requirement is to add a new state to the Policy Exception process.

A

PolicyException

145
Q

Which Script Include? Requirement is to modify the policy acknowledgement process.

A

PolicyAcknowledgementUtil

146
Q

How is compliance score calculated when there are no children control objectives?

A

((Sum of weight of compliant controls) / (Sum of weight of all controls)) * 100 - excluding any controls in the Draft, Retired or Not Applicable states

147
Q

How is compliance score calculated when there ARE children control objectives?

A

Calculate the compliance percentage of the parent control objective the same as if it did not have children -> ParentPerc
Get the average score of all downstream (child) control objectives -> ChildAvg
Score = (ParentPerc + ChildAvg) / 2

148
Q

What happens if a compliance manager requests a business approval for a Policy Exception?

A

Policy Exception Business Owner Approval workflow sends a notification to the control owners for all of the controls in the impacted controls related list.

149
Q

For P&C - Entity Types can be applied to what objects (2) and which is the best practice?

A

Policies and Control Objectives. Control Objectives is best practice.

150
Q

What are the Policy Exception workflows?

A

Policy Review, Policy Approval, Policy Exception and Policy Exception Business Owner Approval

151
Q

What P&C tables can have SLAs associated with them?

A

Indicator Tasks, Issues, Policy Exceptions

152
Q

What Risk tables can have SLAs associated with them?

A

Risk Responses and Remediation Task

153
Q

What Audit tables can have SLAs associated with them?

A

Control Test, Interview, Audit, Walkthrough Task

154
Q

What Risk Event tables can have SLAs associated with them?

A

Risk Events, Risk Event Tasks

155
Q

What GRC tables are not extended from Task? (6)

A

Control, Control Objective, Registered Risk, Risk Statement, Risk Framework, Policy

156
Q

What is the Risk Record Lifecycle?

A

Draft, Assess, Respond, Review, Monitor, Retired

157
Q

Who can create a risk?

A

Risk User

158
Q

Who can create a risk statement?

A

Risk Manager

159
Q

Who can create a risk framework?

A

Risk Manager

160
Q

Who can return a risk to the Draft state?

A

Risk Manager

161
Q

Who performs risk assessment?

A

Usually Risk Owner

162
Q

What happens during risk assessment?

A

Risk is reviewed and either sent back to draft or the assessment is completed which moves the risk to Respond and generates Risk Responses

163
Q

What is the Risk Response lifecycle?

A

Draft, Work in Progress, Review, Closed

164
Q

What is “Governance” in GRC?

A

Policies and oversight to ensure consistent sustainability of internal controls and objectives while understanding inherent risk and adhering to external laws and regulations.

165
Q

What is “Risk Management” in GRC?

A

Process of determining where the org is vulnerable and exposed. Manages and monitors the System of Internal Controls

166
Q

What is “Compliance Management” in GRC?

A

Implements and manages the governance structure by managing and monitoring the system of internal controls.

167
Q

What is “Audit Management” in GRC?

A

Internal or External consultancy process to prove effectiveness of controls that are used to ensure the effectiveness of compliance.

168
Q

Where does SN GRC store external legislation/regulation data?

A

Authority documents - headers and citations. These documents dictate things an organization should do.

169
Q

What are some sources of authority documents?

A

UCF (United Compliance Framework) and HITRUST, COSO, Lexis-Nexis

170
Q

How can customers use the UCF?

A

UCF will map headers and citations to control objectives.

171
Q

What is an Entity?

A

Records that aggregate GRC information related to a specific item - can be a record in any table in the instance. Examples would be applications, locations, business services, etc.

172
Q

What is a Citation?

A

Specific requirement in an authority document. Citation record relates an Authority Document to its applicable control.

173
Q

What is a policy?

A

Internal practice followed by business process to ensure compliance and reduce risk. Related to authority documents and controls.

174
Q

Where are policies published in SN?

A

Knowledge base

175
Q

What is a control objective?

A

Specific details that a process follows within a policy. They are the templates from which controls are generated.

176
Q

What is a control?

A

Actual control activity to be performed by an organization. Contains information such as owner, activity and frequency. Related to Authority Documents, Policies, and Risks via Control Objectives

177
Q

What is an issue?

A

GRC task to track control and risk issues.

178
Q

What is an indicator?

A

A metric to collect data to monitor controls and risks and collect audit evidence.

179
Q

What is a risk framework?

A

Manageable hierarchy of Risk Statements. Formalized process for managing risk. Consists of assessment, response, accountability, remediation. Related to Entity Types and Risk Statements

180
Q

What is a risk statement?

A

Defined consequence when a threat exploits a vulnerability.

181
Q

What is a risk register?

A

Repository of key attributes of potential and known risk issues.

182
Q

What is a risk?

A

Specific occurrence of a risk statement against a single entity. Also, a threat or vulnerability that can adversely affect an organization’s business objectives. Can be related to Policies, Controls or Remediation Tasks.

183
Q

What are the possible outcomes for a risk?

A

It can be mitigated, prevented or controlled using Controls and Control Tests.

184
Q

What is Risk Criteria?

A

Qualitative or Quantitative values against which level of risk is evaluated

185
Q

What is the Risk’s Residual Score?

A

Score AFTER response strategy is implemented.

186
Q

What is the Risk’s Inherent Score?

A

Score BEFORE response strategy is implemented.

187
Q

What is the Risk’s Calculated Score?

A

Score derived from inherent and residual scores - refers to actual exposure of risk based on quality of the control system.

188
Q

What is the Risk’s Inherent Likelihood?

A

Likelihood BEFORE response strategy is implemented.

189
Q

What is the Risk’s Inherent Risk?

A

Level of Risk BEFORE response strategy is implemented.

190
Q

What is the Risk’s Residual Likelihood?

A

Likelihood AFTER response strategy is implemented.

191
Q

What is the Risk’s Residual Risk?

A

Level of Risk AFTER response strategy is implemented.

192
Q

What is the Risk’s Qualitative Impact?

A

Uses Impact (significance of risk) and Likelihood (probability of risk occurring) ratings. Result is impact*likelihood.

193
Q

What is the Risk’s Quantitative impact?

A

SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence) = ALE (Annualized Loss Expectancy)

194
Q

What is an audit engagement?

A

Audit project with audit tasks to accomplish specific objectives.

195
Q

What is an audit test plan?

A

A specific audit test of the effectiveness of a control. Used to generate control tests during engagements.

196
Q

What is an audit test plan template?

A

Used to establish criteria for many test plans. Related to control objectives.

197
Q

What is an audit task?

A

Task completed to provide evidence that a control is operating effectively

198
Q

What are the 4 types of audit tasks?

A

Control Tests, Interviews, Walkthroughs and Activities

199
Q

What are some examples of Authority Documents?

A

GDPR, HIPAA, Sarbanes-Oxley

200
Q

Where do UCF control documents go in SN GRC?

A

Control Objectives

201
Q

If you import the UCF framework to SN GRC, what tables will be populated? What relationships will be created?

A

Authority Documents, Citations, Control Objectives

Auth Doc->Citations, Citations->Ctl Obj, Relationships between overlapping Auth Docs/Citations/Ctl Objs.

202
Q

What are the different policy types? (6)

A

Procedure, Standard, Plan, Checklist, Framework, Template

203
Q

What are attestations?

A

Surveys to gather evidence to prove a control is implemented.

204
Q

Attestations are used to measure if a control is effective - T or F

A

False, Indicators are used to measure effectiveness. Attestations are just to gather evidence.

205
Q

What drives the compliance status for a control?

A

The attestation results.

206
Q

What are 3 levels of control validation?

A

Attestation (evidence), Indicators (manual or automated steps to measure effectiveness), Tests (used during an audit to validate that the control is effective)

207
Q

What are entities?

A

People/Places/Things that require 1 or more of these: Risk management, Controls to be applied, Audits to be conducted.

208
Q

What can entities be related to?

A

Entity Types, upstream and downstream entities, downstream risks, downstream controls

209
Q

What are entity types assigned to?

A

Control Objectives and Risk Statements (can be assigned to policies or risk frameworks also, not best practice?)

210
Q

What is the name of the risk table?

A

sn_risk_risk

211
Q

Under what module will you find Risk Framework and Risk Statements?

A

Risk Library

212
Q

Where all can you create a risk?

A

Risk Framework’s Entity Type related list, Risk Statement’s Entity Type related list, Entity Type’s Risk Framework related list, Entity Type’s Risk Statement related list. Risks are created as the relationships are created.

213
Q

What happens to risk assessments if a risk is retired?

A

Assessments are cancelled.

214
Q

What are the possible risk response types and what prefix will each type of task have?

A

Risk Acceptance (APT), Risk Avoidance (AVT), Risk Mitigation (MGT), Risk Transfer (TFT)

215
Q

What is an example of a way to mitigate a risk?

A

Create a control. Relate the control to the risk.

216
Q

A control is related to a risk for mitigation purposes. What does the Control Weight field signify?

A

Weight indicates how much the control contributes to mitigating the risk (high impact = high weight, low impact = low weight). It is used to determine the control failure factor.

217
Q

A control is related to a risk for mitigation purposes. What does the Control Compliance field signify?

A

Control Compliance is a calculated field based on the # of controls mitigating the risk that have a compliant status. (Empty or N/A status=compliant)

218
Q

A control is related to a risk for mitigation purposes. What does the Control Non-Compliance field signify?

A

Control Non-Compliance is a calculated field based on the # of controls mitigating the risk that have a non-compliant status.
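Worked example for cards 192-193 and 216-218, added here and not taken from the page or from ServiceNow. It applies the rules the cards state literally (qualitative score = impact * likelihood, ALE = SLE * ARO, a mitigating control counts as compliant when its status is Compliant, empty or N/A) to a constructed risk with four mitigating controls. The way weight is turned into a control failure factor, and the way that factor blends the inherent and residual scores into a calculated score, are assumptions for illustration only; the platform’s own formulas are not on the page.

```javascript
// Added illustration of the scoring rules on these cards; not ServiceNow code.
// Page rules used as-is: qualitative score = impact * likelihood,
// ALE = SLE * ARO, and a mitigating control counts as compliant when its
// status is Compliant, empty or N/A.
// ASSUMED (not from the page): how weight becomes a "control failure
// factor" and how that factor blends the inherent and residual scores.

function qualitativeScore(impact, likelihood) {
  return impact * likelihood;
}

// Quantitative impact: Single Loss Expectancy x Annualized Rate of Occurrence.
function annualizedLossExpectancy(sle, aro) {
  return sle * aro;
}

function isCompliant(control) {
  const status = (control.status || "").trim().toLowerCase();
  return status === "compliant" || status === "" || status === "n/a";
}

function isNonCompliant(control) {
  return (control.status || "").trim().toLowerCase() === "non-compliant";
}

// Control Compliance / Control Non-Compliance as counts of mitigating controls.
function controlComplianceCounts(controls) {
  return {
    compliant: controls.filter(isCompliant).length,
    nonCompliant: controls.filter(isNonCompliant).length,
    total: controls.length,
  };
}

// ASSUMED formula: share of the total control weight held by non-compliant
// controls. 0 means every mitigating control holds; 1 means all have failed.
function controlFailureFactor(controls) {
  const totalWeight = controls.reduce((sum, c) => sum + c.weight, 0);
  if (totalWeight === 0) return 0;
  const failedWeight = controls.filter(isNonCompliant).reduce((sum, c) => sum + c.weight, 0);
  return failedWeight / totalWeight;
}

// ASSUMED blend: the calculated score sits between residual (all controls
// hold) and inherent (all controls fail), positioned by the failure factor.
function calculatedScore(inherent, residual, failureFactor) {
  return residual + (inherent - residual) * failureFactor;
}

function assessRisk(risk, controls) {
  const inherent = qualitativeScore(risk.inherentImpact, risk.inherentLikelihood);
  const residual = qualitativeScore(risk.residualImpact, risk.residualLikelihood);
  const factor = controlFailureFactor(controls);
  return {
    inherentScore: inherent,
    residualScore: residual,
    calculatedScore: calculatedScore(inherent, residual, factor),
    ale: annualizedLossExpectancy(risk.sle, risk.aro),
    controls: controlComplianceCounts(controls),
  };
}

// Constructed sample data (not from a real instance).
const SAMPLE_RISK = {
  inherentImpact: 5, inherentLikelihood: 4,
  residualImpact: 3, residualLikelihood: 2,
  sle: 50000, aro: 0.25,
};
const SAMPLE_CONTROLS = [
  { name: "MFA on admin accounts",       weight: 3, status: "Compliant" },
  { name: "Quarterly access review",     weight: 1, status: "Non-compliant" },
  { name: "Privileged session logging",  weight: 2, status: "" },    // empty = compliant
  { name: "Break-glass procedure",       weight: 2, status: "N/A" }, // N/A = compliant
];

console.log(JSON.stringify(assessRisk(SAMPLE_RISK, SAMPLE_CONTROLS), null, 2));
```

With the sample data the inherent score is 20, the residual score is 6, one of four controls is non-compliant, and because that control carries only 1 of 8 weight points the assumed blend lands the calculated score close to the residual value (7.75) rather than the inherent one; ALE is 50000 * 0.25 = 12500.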

219
Q

What happens to a Risk Response Task (Avoid, Mitigate, Review types) after it is created?

A

Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Review.

220
Q

What happens when a Risk Response Task (Avoid, Mitigate, Review type) is set to Review?

A

The Risk is also automatically set to Review. The Risk Manager will review the Response Task and determine if it can be closed.

221
Q

What happens to a Risk Response Task (Accept type) after it is created?

A

Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Awaiting Approval.

222
Q

What happens to a Risk Response Task (Accept type) after it is set to Awaiting Approval?

A

Risk Owner approves or rejects the task. If approved, the Risk Response Task is set to Review. If rejected, the Risk Response Task is Rejected. The Risk is set to Review.

223
Q

If an “Accept” Risk Response Task is created, what is required to move the task and the risk forward?

A

Risk Owner Approval

224
Q

Controls can be identified to mitigate risk? How can you get controls to be automatically related to risks?

A

If a control objective is related to a risk statement (done manually), and the control objective and the risk statement are applied to the same entity, then relationships are created automatically between the registered risks and the controls (control instances).
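The rule above as a join over plain objects, added as an illustration that is not part of the page or of ServiceNow. The record shapes, the CO-to-RS link list and the sample identifiers are constructed for the example; only the rule itself (linked objective/statement plus the same entity) comes from the card.

```javascript
// Added illustration of the auto-relationship rule on this card; not ServiceNow code.
// Inputs are plain objects standing in for the records involved:
//   objectiveToStatement: manual Control Objective -> Risk Statement links
//   risks:    registered risks, each a Risk Statement applied to an entity
//   controls: control instances, each a Control Objective applied to an entity
// A risk and a control are related when their statement/objective are linked
// AND both were generated for the same entity.

function mitigatingControlRelationships(objectiveToStatement, risks, controls) {
  // Index controls by "objective|entity" so each risk is matched directly.
  const controlsByKey = new Map();
  for (const control of controls) {
    const key = `${control.objective}|${control.entity}`;
    if (!controlsByKey.has(key)) controlsByKey.set(key, []);
    controlsByKey.get(key).push(control);
  }

  const seen = new Set();
  const relationships = [];
  for (const link of objectiveToStatement) {
    for (const risk of risks) {
      if (risk.statement !== link.statement) continue;
      const matches = controlsByKey.get(`${link.objective}|${risk.entity}`) || [];
      for (const control of matches) {
        const pair = `${risk.id}|${control.id}`;
        if (seen.has(pair)) continue; // a CO/RS link recorded twice must not duplicate the m2m row
        seen.add(pair);
        relationships.push({ risk: risk.id, control: control.id, entity: risk.entity });
      }
    }
  }
  return relationships;
}

// Constructed sample data (identifiers are made up).
const LINKS = [
  { objective: "CO-ACCESS-01", statement: "RS-UNAUTH-ACCESS" },
  { objective: "CO-ACCESS-01", statement: "RS-UNAUTH-ACCESS" }, // duplicate link on purpose
];
const RISKS = [
  { id: "RSK0001", statement: "RS-UNAUTH-ACCESS", entity: "Payroll App" },
  { id: "RSK0002", statement: "RS-UNAUTH-ACCESS", entity: "HR Portal" },   // no matching control on this entity
  { id: "RSK0003", statement: "RS-DATA-LOSS",     entity: "Payroll App" }, // statement not linked to any objective
];
const CONTROLS = [
  { id: "CTRL0001", objective: "CO-ACCESS-01", entity: "Payroll App" },
  { id: "CTRL0002", objective: "CO-ACCESS-01", entity: "Finance DB" },    // linked objective, different entity
  { id: "CTRL0003", objective: "CO-BACKUP-01", entity: "Payroll App" },   // same entity, objective not linked
];

console.log(mitigatingControlRelationships(LINKS, RISKS, CONTROLS));
```

Only RSK0001 and CTRL0001 end up related: they share both the linked objective/statement pair and the entity "Payroll App". The other combinations fail one of the two conditions, and the duplicated link produces no second row.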

225
Q

What is a Risk Event?

A

Part of Advanced Risk - Potential or actual, financial or non-financial losses, near misses or gains that occur within an organization

226
Q

How are risk events useful?

A

They provide hard data about existing risks - ability to quantify and validate them, and provide visibility to new risks.

227
Q

What are the 2 types of Risk Events?

A

Financial, Non-financial

228
Q

Who can report a Risk Event?

A

Any employee (via the portal.)

229
Q

What is the Risk Event Lifecycle?

A

New, Analyze, Awaiting Approval, Approved, Closed/Rejected

230
Q

What happens during the Analyze phase of a Risk Event?

A

Additional information is gathered; the Risk Event is related to Risks (new or existing), Controls and other Risk Events; response tasks and issues can be created and assigned out; approvers are assigned. When analysis is done, the Risk Event is sent for approval.

231
Q

What is minimum role that approvers for a Risk Event need?

A

Risk User

232
Q

Risk Event is approved when at least 1 designated approver approves it. T or F

A

False - all approvers must approve it.

233
Q

For a Risk Event to close - all related Issues and Remediation Tasks must be closed. T or F

A

True

234
Q

What is the role of the person who analyzes a risk event, requests approval and closes the Risk Event?

A

Risk Manager

235
Q

What happens when an entity is deactivated?

A

Associated controls, risks, indicators and test plans are all deactivated or retired.

236
Q

What happens when an entity is re-activated?

A

Associated controls, risks go to Draft. Associated indicators and test plans become Active.

237
Q

Indicators in GRC are used to monitor what?

A

Controls and Risks

238
Q

What does an indicator do in GRC?

A

Continuously monitors a control’s compliance or non-compliance. Within Risk, an indicator adjusts a risk score up or down. Indicators are used to gather evidence of performance for the compliance and risk processes.

239
Q

Risk indicators and Policy & Compliance Indicators are stored in 2 different tables. T or F

A

False. 2 modules, same table.

240
Q

What are the 3 default types/methods of indicators?

A

Manual, Basic, Script

241
Q

What are additional types of indicators that come with integrations?

A

Configuration Test, Vulnerability Response, PA Indicator

242
Q

How do you get indicators auto-created and related to controls or risks?

A

Create indicator templates and relate them to Risk Statements and Control Objectives. Then when an entity is applied to a Risk Statement or a Control Objective, the indicator will get related to the risk or control.

243
Q

How do issues get created (5)?

A

1) Manually 2) If an Indicator gets a result that is Failed or Not Passed 3) If a Control Attestation returns a result of Not Implemented 4) if a Control Test is Closed Complete and the Effectiveness is set to Ineffective 5) Continuous Monitoring (based on Configuration Test scan results)

244
Q

True or False - A control can be marked compliant even if it has an open issue.

A

False

245
Q

What are the 2 ways to respond to an Issue?

A

Remediate (can result in remediation tasks) or Accept (meaning the issue is an exception). If accept, the control status is non-compliant until it is re-assessed.

246
Q

Issues can be grouped under a parent. What is the parent record?

A

An issue.

247
Q

How do you group Issues?

A

From List view, select issues to group, Select Group from Actions on Selected Rows list.

248
Q

How many times can you request a policy exception for a policy?

A

1

249
Q

What is a Policy Exception?

A

A Policy Exception provides temporary relief for a non-compliant control. It will have evidence, comments and rationale to support acceptance or rejection of the Policy Exception request.

250
Q

What are the things for which you might request a Policy Exception (3)?

A

Policy, Control Objective, Issue (or combination of the 3)

251
Q

A policy exception must have related controls (that are not Draft or Retired) - T or F

A

False. This is true if the exception is for a Control Objective or an Issue. Not if it is for a Policy.

252
Q

To request a policy exception for an issue, what needs to be true about the issue?

A

It must not be in Draft or Retired and it must have at least 1 active control.

253
Q

What are the 3 groups of audit users?

A

Audit Administrators - run the internal audit department
Audit Managers - plan, conduct and manage audit engagements
Internal Auditors - conduct control tests and other tasks for an Audit Engagement

254
Q

What does an audit Control Test task do?

A

Performs a design or operation test to determine the effectiveness of a control

255
Q

When do you use an Interview audit task?

A

When you need to gather data for auditors, possibly to learn a process or evaluate evidence.

256
Q

When do you use a Walkthrough audit task?

A

To establish the reliability of an organization’s internal control over a procedure or process.

257
Q

What is an Activity audit task used for?

A

Any miscellaneous activity that is part of the audit process.

258
Q

What is the only kind of Audit task that can have a parent that is another Audit task rather than an Engagement?

A

Activity audit task.

259
Q

What are the 3 types of Audit Interview Tasks

A

Structured, Unstructured, Mixed

260
Q

Audit engagements must always be created from scratch. True or False

A

False. You can use another audit engagement as a template.

261
Q

What is a Test Template?

A

A generic audit test that applies to a control objective.

262
Q

What is a Test Plan?

A

A specific audit test that applies to a control

263
Q

What is the Engagement lifecycle?

A

Scope, Validate, Fieldwork, Awaiting Approval, Follow-up, Closed

264
Q

How do Control Test audit tasks get created during an engagement?

A

From a Control, go to the Test Plans related list and select Generate Control Test. This will create the audit tasks.

265
Q

What is the module for creating Test Templates and Test plans?

A

Audit->Audit Testing->Test Templates

Audit->Audit Testing->Test Plans

266
Q

What are the components of an audit Test Plan?

A

Design Test - steps to test the design.

Operational Test - steps to test operational effectiveness.

267
Q

What is the Control Test lifecycle?

A

Open, Work In Progress, Review, Closed

268
Q

What happens while a Control Test audit task is Work In Progress?

A

The effectiveness of the control is evaluated. When complete, the task is set to Review.

269
Q

What happens when a Control Test audit task is in Review?

A

All auditors on the engagement receive an approval request to review the Control Test task. If any one of them approves it, the Control Test task moves to Closed.

270
Q

A Control Test audit task requires only one of the approvers to approve it for it to move from Review to Closed. True or False

A

True

271
Q

It is possible to skip the approval process for a Control Test audit task by just moving it to Closed. T or F

A

True

272
Q

Control Effectiveness will be “Effective” if at least one of “Design Effectiveness” or “Operational Effectiveness” is “Effective” for the control. T or F

A

False. They both must be Effective. If one is ineffective, the control is ineffective.

273
Q

What happens to the related risks when a risk statement is deactivated?

A

The risks are automatically retired.

274
Q

If a risk is in a retired state, do the indicators still run?

A

No

275
Q

What happens to the related risks when a risk statement is re-activated?

A

Risks are set to Draft.

276
Q

What role is required to manually retire a risk?

A

Risk Manager

277
Q

What is the table name for Risk Statements and Risk Frameworks?

A

sn_risk_definition and sn_risk_framework

278
Q

What are the table names for Indicators and Indicator Templates and what app are they part of?

A

sn_grc_indicator and sn_grc_indicator_template

GRC:Profiles

279
Q

What items can be related to a Risk Event? Which are in m2m tables?

A

Another Risk Event (m2m), Risk Event Task, Event Entry, Risks (m2m), Entity(m2m), Issue, Control (m2m)

280
Q

What is the Script Include if you want to modify the calculations of multiple risks on an entity?

A

RiskUtils

281
Q

What is the Script Include if you want to add additional calculations to risks?

A

RiskALECalculator

282
Q

What is the Script Include if you want to change the relationship behavior between a control and a risk?

A

MitigationControls

283
Q

What is the Script Include if you want to change the states and behaviors of risk mitigations?

A

RiskResponse

284
Q

What is the Script Include if you want to modify how risks are generated and associated to entities?

A

RiskGeneratorStrategy

285
Q

What is the Script Include if you want to adjust color and display settings when creating a risk heat map?

A

RiskHeatMap

286
Q

What SN core table can you use to see all components installed by a particular application/plugin?

A

sys_metadata

287
Q

What role is used for creating GRC attestations?

A

Attestation Creator - sn_compliance.attestation_creator

288
Q

What role is used for creating Risk assessments?

A

Risk Assessment Creator - sn_risk.asmt_creator

289
Q

What role is required to answer a risk assessment?

A

Risk Analyst (sn_risk.user) I think

290
Q

What role is required to answer a control attestation?

A

No role required

291
Q

What role is required to create a policy?

A

Compliance Analyst (sn_compliance.user)

292
Q

What role is required to approve a policy?

A

Compliance Manager (sn_compliance.manager)

293
Q

What role is required to submit a control for attestation?

A

Compliance Analyst (sn_compliance.user) I think?

294
Q

What role is required to create an issue within Risk?

A

Risk Analyst (sn_risk.user)

295
Q

What role is required to create an indicator template within Risk?

A

Risk Manager (sn_risk.manager)

296
Q

What role is required to create a policy exception?

A

Risk Analyst (sn_risk.user)

297
Q

What role is required to Retire policies?

A

Compliance Manager (sn_compliance.manager)

298
Q

What are some considerations that drive your choice of entity types?

A

Regulations you need to comply with, Who are the people working on risks and controls, How are you managing policies/exceptions/risks today? What areas are audited?

299
Q

What are Entity Classes used for?

A

Reporting and roll up of risk responsibility.

300
Q

What are the 3 parent tables in GRC:Profiles application/scope that are extended in P&C and Risk?

A

Document (sn_grc_document), Content (sn_grc_content), Item (sn_grc_item)

301
Q

What tables in P&C and Risk are extended from the Document table?

A

Risk Framework (sn_risk_framework) , Authority Document (sn_compliance_authority_document), Policy (sn_compliance_policy)

302
Q

What tables in P&C and Risk are extended from the Content table?

A

Risk Statements (sn_risk_definition), Control Objectives (sn_compliance_policy_statement), Citations (sn_compliance_citation)

303
Q

What tables in P&C and Risk are extended from the Item table?

A

Risks (sn_risk_risk), Controls (sn_compliance_control)

304
Q

An entity can only be related to a single Entity Class. T or F

A

True

305
Q

An entity can only be part of a single Entity Type. T or F

A

False. An entity can belong to 1 or multiple entity types.

306
Q

What is the table name that holds Entity Filters?

A

sn_grc_enrichment_query

307
Q

What is the name of the m2m table that relates entities and entity types?

A

sn_grc_m2m_profile_profile_type

308
Q

Indicator and Issue tables are part of what scope?

A

GRC:Profiles

309
Q

What are 3 GRC tables extended from the Global scope?

A

Indicator Task is extended from Task.
Issue is extended from Planned Task.
Acknowledgement Campaign is extended from Task.

310
Q

What is baseline frequency for generating entities and deleting invalid entities?

A

Generating entities happens hourly.

Deleting invalid entities happens daily.

311
Q

What happens if someone requests approval for a policy record and there are no approvers designated?

A

It goes straight to published.

312
Q

What is the Control Objective lifecycle?

A

It doesn’t have one. It is managed by the lifecycle of its parent, the policy record.

313
Q

When a control goes to Attest, who receives the attestation?

A

Control Owner

314
Q

Can Policies be nested?

A

Yes

315
Q

A control objective can only be related to 1 policy. T or F

A

False.

316
Q

A control objective can be related to multiple citations. T or F

A

True. This is what allows you to test once to satisfy many requirements.

317
Q

Can Control objectives be nested?

A

Yes

318
Q

Can Citations be nested?

A

Yes

319
Q

Authority docs and citations are required to use SN GRC. T or F

A

False

320
Q

Implementing Policy and Compliance, what is a common configuration task?

A

Updating choice lists for Category, Classification and Type fields on Control Objective table.

321
Q

A policy must be published before you can create a policy acknowledgement campaign. T or F

A

True

322
Q

Give an example of how you might define/use an indicator.

A

A policy (or citation?) is “Manage Change Requests”. A control is “All change requests must have a backout plan prior to approval.” An indicator could be defined to look for change requests that have been approved and whose backout plan is empty. If any are found, the control is marked non-compliant.
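The indicator on this card, as an added example that is not part of the page or of ServiceNow. On the platform a Script indicator would run a GlideRecord query against change_request (approval equal to approved, backout_plan empty, e.g. with addQuery and addNullQuery); here the same check runs over constructed in-memory records so it executes anywhere. The field names approval and backout_plan mirror the change_request table; the change numbers and values are made up, and the returned result shape is an assumption chosen to match what cards 238 and 243 say a Failed result does.

```javascript
// Added illustration of the backout-plan indicator; not ServiceNow code.
// Constructed sample change records (field names mirror change_request;
// the values are made up).
const SAMPLE_CHANGES = [
  { number: "CHG0001", approval: "approved",  backout_plan: "Restore VM snapshot taken pre-change" },
  { number: "CHG0002", approval: "approved",  backout_plan: "" },
  { number: "CHG0003", approval: "requested", backout_plan: "" },    // not yet approved: out of scope
  { number: "CHG0004", approval: "approved",  backout_plan: "   " }, // whitespace-only counts as empty
  { number: "CHG0005", approval: "rejected",  backout_plan: "" },    // never approved: out of scope
];

function isBlank(value) {
  return value === undefined || value === null || String(value).trim() === "";
}

// Approved changes whose backout plan is empty: each one is a control failure.
function approvedChangesWithoutBackoutPlan(changes) {
  return changes
    .filter((chg) => chg.approval === "approved" && isBlank(chg.backout_plan))
    .map((chg) => chg.number);
}

// Indicator result in the shape the cards describe (assumed shape): a Failed
// result marks the control non-compliant and creates an issue.
function evaluateBackoutPlanIndicator(changes) {
  const failures = approvedChangesWithoutBackoutPlan(changes);
  const result = failures.length === 0 ? "Passed" : "Failed";
  return {
    result,
    controlCompliant: result === "Passed",
    createIssue: result === "Failed",
    failures,
  };
}

console.log(evaluateBackoutPlanIndicator(SAMPLE_CHANGES));
```

The whitespace-only case matters in practice: a backout plan field that contains only spaces passes a naive "is the field set" check but is still an empty plan, so the check trims before deciding.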

323
Q

Are the knowledge article templates for the GRC Knowledge base stored in the same table as the templates for the other KBs?

A

No, they are in a different table and they require javascript.