GRC Part 1 Flashcards

1
What is the database table name for Control Objectives from the Orlando release onward?
sn_compliance_policy_statement
2
Can you nest or stack policy records?
Yes
3
Can you nest or stack control objectives?
Yes
4
What GRC record generates a KB article when approved?
Policy
5
What must be set up for controls to be generated?
The Control Objective has the "Create Controls Automatically" checkbox checked and an Entity Type applied to it.
6
Attestations are generated when a control is moved from draft to what?
Attest
7
What can you do with the Policy Acknowledgement feature?
Send out policies for review and acknowledgement, track responses on the campaign record, and designate the campaign audience for acknowledgement.
8
What can you NOT do with the Policy Acknowledgement feature?
Enable employees to ask for more info about the policy.
9
A control attestation can be used to measure the level of compliance - T or F
False
10
How many entity types can an entity belong to?
None, 1 or multiple
11
Entities can be added to an entity type via what methods?
Manually, from the All Entities module, or via a filter defined on the Entity Type record.
12
Entities can be added to an entity type on a Policy Related List - True or False
False
13
An entity must always relate to a record in a ServiceNow table - True or False
False
14
What records are generated when an entity type is related to a risk statement/template?
Risks, and Risk Indicators (if there is an indicator template related to the risk statement)
15
Risk Frameworks are required records in the Risk Framework Process - T or F
False
16
What's another name for Risk Statement Records?
Risk Templates
17
Risk statements can be nested or created in a hierarchy - T or F
True
18
Risk Events always involve a loss - T or F
False
19
Customers may refer to Risk Events as Loss Events - T or F
True
20
Risk Events are the same as Risk Statements - T or F
False
21
Risk Events can be related to Risks - T or F
True
22
What is the module name for all Registered Risks?
Risk->Risk Register->All Risks
23
Entity Types can be applied at what level to generate risks?
Risk Framework and Risk Statement/Template
24
Default Risk Scoring Method in SN baseline is ___
Quantitative
25
What does ALE refer to in Risk Scoring
Annualized Loss Expectancy - the expected loss in a single year = SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence)
26
What is equivalent to SLE in Qualitative Risk Scoring?
Single Loss Expectancy - Impact - $$$$
27
What is equivalent to ARO in Qualitative Risk Scoring?
Annualized Rate of Occurrence - Likelihood - %
28
Which type of risk is "worst case scenario" according to ServiceNow?
Inherent (not residual or calculated)
29
Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?
Yes
30
Risk Responses are generated after Risk Assessments are complete - T or F
True
31
Which fields cover the duration covered by the audit? (not the dates that the audit occurred)
Audit Period (start and end)
32
When creating an audit engagement record, what record is used to scope the audit?
Entity
33
Control Test records test both the design effectiveness and the operational effectiveness of a control. When is a control set to ineffective?
When either the design effectiveness or the operational effectiveness of the control is set to ineffective.
34
When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?
Risks, Controls, Test Plans, Indicator Results
35
When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?
Policies, Control Objectives
36
A control objective in SN GRC is often called what by people in the GRC industry? (3)
Control Objective, Requirement, Control Template
37
If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F
False - Depends on whether the "Create Controls automatically" checkbox is checked on the control objective.
38
Can you nest or stack Risk Statements?
Yes, but only with Advanced Risk (New York release or later)
39
Can a Risk Manager update Entity Types and Entities?
Yes (requires grc.manager and risk manager inherits it)
40
Entity Types can be applied at what level to generate Registered Risks
Risk Framework or Risk Statement
41
Alternative Terms for a Control Objective (4)
Control, Control Template, Requirement, Policy Statement
42
Alternative Terms for an Entity (4)
Scope definition, Scope Object, Target, Profile
43
Alternative Terms for an Entity Type (1)
Entity Group
44
Alternative Term for a Control (1)
Control Instance
45
Alternative Term for a Risk Statement
Risk Template
46
Alternative Term for an Issue
Finding
47
NY onward - table name for Entity Class
sn_grc_profile_class
48
NY onward - table name for Entity Type
sn_grc_profile_type
49
NY onward - table name for Entity
sn_grc_profile
50
NY onward - table name for Control Objectives
sn_compliance_policy_statement
51
What are compliance related roles in order of inheritance
Compliance Developer, Admin, Manager, User, Reader
52
What are Risk related roles in order of inheritance
Risk Admin, Manager, User, Reader
53
What roles do you get with GRC Developer?
Compliance Developer
54
What roles do you get with GRC Admin?
Risk Admin and Compliance Admin
55
What roles inherit Survey Reader?
Compliance User and Risk User
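Worked example (added here; not ServiceNow code) that turns the inheritance chains on cards 51-55 into an effective-role lookup and checks it against the "what role is needed to ..." cards that follow. The chains are the ones on the cards; sn_compliance.manager, sn_compliance.user, sn_risk.manager, sn_risk.user and sn_risk.asmt_creator are named on the cards, every other role spelling is an assumed name, and the assumption that sn_compliance.manager also contains sn_grc.manager is taken from card 57 (compliance managers can create Entity Types, which card 39 says requires grc.manager).

```python
"""Resolve inherited GRC roles and answer "who can do X?" questions.

Added example, not ServiceNow code. Containment follows the flashcards:
Compliance Developer > Admin > Manager > User > Reader,
Risk Admin > Manager > User > Reader, GRC Developer -> Compliance Developer,
GRC Admin -> Risk Admin + Compliance Admin, Compliance User and Risk User ->
Survey Reader, Risk Manager -> sn_grc.manager.
ASSUMED: spellings of roles not named on the cards, and that
sn_compliance.manager also contains sn_grc.manager.
"""
from collections import deque

# role -> roles it directly contains
ROLE_CONTAINS = {
    "sn_grc.developer": {"sn_compliance.developer"},
    "sn_grc.admin": {"sn_risk.admin", "sn_compliance.admin"},
    "sn_compliance.developer": {"sn_compliance.admin"},
    "sn_compliance.admin": {"sn_compliance.manager"},
    "sn_compliance.manager": {"sn_compliance.user", "sn_grc.manager"},  # sn_grc.manager: assumed
    "sn_compliance.user": {"sn_compliance.reader", "survey_reader"},
    "sn_risk.admin": {"sn_risk.manager"},
    "sn_risk.manager": {"sn_risk.user", "sn_grc.manager"},
    "sn_risk.user": {"sn_risk.reader", "survey_reader"},
}

# action -> minimum role according to the cards (None = no role needed)
REQUIRED_ROLE = {
    "answer attestation": None,
    "answer risk assessment": None,
    "create policy": "sn_compliance.user",
    "approve policy": "sn_compliance.user",
    "retire policy": "sn_compliance.manager",
    "create entity type": "sn_grc.manager",
    "create risk": "sn_risk.user",
    "create risk statement": "sn_risk.manager",
    "create risk assessment": "sn_risk.asmt_creator",
}


def all_roles():
    roles = set(ROLE_CONTAINS)
    for contained in ROLE_CONTAINS.values():
        roles |= contained
    roles |= {r for r in REQUIRED_ROLE.values() if r}
    return roles


def effective_roles(granted):
    """Transitive closure of the granted roles (breadth-first, cycle safe)."""
    seen = set(granted)
    queue = deque(granted)
    while queue:
        role = queue.popleft()
        for child in ROLE_CONTAINS.get(role, ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def can(granted, action):
    required = REQUIRED_ROLE[action]
    return required is None or required in effective_roles(granted)


def smallest_grant(action):
    """Least-privilege choice: of all roles that satisfy the action, the one
    whose effective role set is smallest (ties broken by name)."""
    required = REQUIRED_ROLE[action]
    if required is None:
        return None
    candidates = [r for r in all_roles() if required in effective_roles({r})]
    return min(candidates, key=lambda r: (len(effective_roles({r})), r))


if __name__ == "__main__":
    for roles, action in [({"sn_risk.manager"}, "create entity type"),
                          ({"sn_risk.user"}, "create entity type"),
                          ({"sn_compliance.user"}, "retire policy")]:
        print(sorted(roles), action, "->", can(roles, action))
    print("least privilege for 'retire policy':", smallest_grant("retire policy"))
```

smallest_grant is the check to run before handing someone sn_grc.admin "just so they can create an Entity Type": the role with the smallest effective set that still satisfies the action is the one to grant.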
56
What role will Compliance Managers group get?
sn_compliance.manager
57
What can Compliance Managers with sn_compliance.manager role do?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policies, Control Objectives, Policy Exceptions, Controls, Authority Documents, Citations
58
What role will Compliance Analysts group get?
sn_compliance.user
59
What can Compliance Analysts with sn_compliance.user role do?
1) View Authority Documents and Citations 2) Create Policies, Control Objectives, Policy Exceptions and Controls
60
What can Compliance Managers do that Analysts cannot?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations
61
What role will Risk Managers get?
sn_risk.manager
62
What can Risk Managers do with the sn_risk.manager role?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench
63
What role will Risk Analysts get?
sn_risk.user
64
What can Risk Analysts do with the sn_risk.user role?
1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks
65
What role is needed to answer a risk assessment?
No role
66
What role is needed to create a risk assessment
Risk Assessment Creator (sn_risk.asmt_creator)
67
What role is needed to answer a control attestation?
No role
68
What role is needed to create policies?
Compliance User (Analyst)
69
What role is needed to approve policies?
Compliance User (Analyst)
70
What role is needed to Submit a control for attestation?
Compliance User (Analyst)
71
What role is needed to create an issue for Risk?
Risk User
72
What role is needed to Create an indicator template for Risk?
Risk Manager
73
What role is needed to Create a Policy Exception from Control Issue?
Compliance User (Analyst)
74
What role is needed to retire policies
Compliance Manager
75
An entity can only be related to a single entity class - T or F
True
76
What tables are frequently used on the Entity Type filter to generate Entities
Department, Group, Service (not Control or Indicator)
77
Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F
True
78
What tables are extended from the Document table?
Risk Framework, Policy, Authority Document
79
What tables are extended from the Content table?
Risk Statement, Control Objective, Citation
80
What tables are extended from the Item table?
Risk, Control
81
What is the Policy Lifecycle?
Draft, Review, Awaiting Approval, Published, Retired
82
Who can create a Policy?
Compliance Users/Analysts and above
83
Who can set a Policy to Review state?
Compliance users/analysts and above
84
Who can move a Policy from Review to its next state?
Named reviewer or the Policy Owner
85
Compliance admins can move a Policy from Review to its next state - T or F
False
86
A policy waiting for approval will be published when at least 1 approver approves it - True or False
False - all approvers must approve it.
87
What happens when a Policy is published?
A KB article is created
88
Who can retire a policy?
Compliance Manager or Policy Owner
89
What is the Control lifecycle?
Draft, Attest, Review, Monitor, Retire
90
Who can modify a Draft control?
Compliance users/analysts
91
Who can use Attest button on a Draft control?
Compliance users/analysts
92
Who can complete an attestation?
The person to whom it is assigned
93
Can a system admin complete an attestation for someone?
Only via impersonation
94
What is best practice when an attestation cannot be completed by its assignee?
Return the control to Draft state.
95
Who moves a control to the Review state?
It happens automatically when the attestation is done
96
Who can move a control from Review to Monitor?
Compliance Manager
97
When a control is in Monitor state, Indicators can be scheduled - T or F
True
98
Who edits the control in a Monitor state?
Controls are usually not edited when in Monitor. Updates happen via Indicators.
99
When does a control go to the Retire state?
Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)
100
When a control is in Retired state, Indicators will run - T or F
False
101
Who can manually retire a control?
Compliance Manager
102
What is the Issue lifecycle?
New, Analyze, Respond, Review, Closed
103
Who can create a new issue?
Compliance, Risk or Audit User
104
An issue can be related to what other things? (6)
Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues
105
Who can move issue to Analyze?
Any GRC user
106
Who can move issue to Respond?
Any GRC User
107
What things will auto-trigger an issue creation? (4)
1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results
108
What is the Policy Exception Lifecycle?
New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed
109
Who can request a Policy Exception?
Any internal user.
110
How does a Policy Exception go from New to Analyze?
Requester uses Request Approval UI Action/button.
111
Who performs the Analyze phase of the Policy Exception?
Compliance Manager
112
How does a Policy Exception get to the Risk Assessment state?
Compliance Manager requests a risk assessment.
113
What happens when a Compliance Manager requests a risk assessment for a Policy Exception?
A notification goes to the Risk Manager's group and a risk manager performs the assessment.
114
How does a Policy Exception get to the Review state?
Compliance Manager requests a risk assessment and risk manager requests a review.
115
What happens when a Policy Exception is set to Review by the Risk Manager?
Notification goes to the Compliance Manager.
116
What happens after a compliance manager is notified that a Policy Exception needs a Review?
Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.
117
How does a Policy Exception get to the Awaiting Approval state?
Compliance manager request Business Level Approval.
118
How does a Policy Exception get to the Approved state?
Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.
119
How does a Policy Exception get to the Closed state?
Compliance manager rejects it during Review (unconfirmed) or otherwise sets it to Closed.
120
Who can request an extension to an approved Policy Exception?
Control Owner
121
Where can you initiate a Policy Exception? (6)
Policy Exception modules, Related Lists - Issue/Control Objective/Policy, other integrated SN applications, Service Portal
122
What happens during Analyze phase of a Policy Exception?
Compliance manager will review and update Source, Schedule, Comments, look at impacted Controls, mitigating controls and risks, update business impact analysis including residual likelihood, impact and score.
123
What are options for the compliance manager when the analysis is complete for a Policy Exception? (4)
Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval
124
What is the Policy Acknowledgement lifecycle?
New, Pending Acknowledgement, Closed, Cancelled
125
Who can create a Policy Acknowledgement campaign?
Compliance User/Analyst
126
Who can designate the audience for a Policy Acknowledgment campaign?
Compliance Admin or Compliance Manager
127
Who can be added to a Policy Acknowledgement campaign?
Users, Groups, filtered user definition.
128
Where can audience members of a Policy Ack campaign respond?
On the portal.
129
How can audience members of a Policy Ack campaign respond?
Accept, Decline or Request Exception (if allowed)
130
When does a Policy Ack campaign get closed?
When it's overdue. (Other closing conditions not recorded here.)
131
When does a Policy Ack record get reset?
When a policy exception is expired
132
Who can cancel a Policy Ack campaign?
Compliance manager or owner of the campaign
133
What Policy and Compliance components do you get to via the P&C->Compliance module?
Authority Documents (sn_compliance_authority_document) and Citations (sn_compliance_citation)
134
What Policy and Compliance components do you get to via the P&C->Policies and Procedures
Policies (sn_compliance_policy) and Control Objectives (sn_compliance_policy_statement)
135
What module do you use to get to Authority Documents?
Policy and Compliance->Compliance
136
What module do you use to get to Citations?
Policy and Compliance->Compliance
137
What module do you use to get to Policies?
Policy and Compliance->Policies and Procedures
138
What module do you use to get to Control Objectives
Policy and Compliance->Policies and Procedures
139
What are table names for policy acknowledgement campaign and policy acknowledgement record
sn_compliance_policy_acknowledgement | sn_compliance_policy_acknowledgement_instance
140
Which Script Include? Requirement is to modify who can edit a policy in the Review State.
ComplianceUtils
141
Which Script Include? Requirement is to modify how compliance scores roll up.
ComplianceScoreCalculator
142
Which Script Include? Requirement is to display the number of controls excluded from the compliance score.
AssessmentStrategy
143
Which Script Include? Requirement is to use a different criteria to create control records.
ControlGeneratorStrategy
144
Which Script Include? Requirement is to add a new state to Policy Exception process
PolicyException
145
Which Script Include? Requirement is to modify the policy acknowledgement process.
PolicyAcknowledgementUtil
146
How is compliance score calculated when there are no children control objectives?
((Sum of weights of compliant controls) / (Sum of weights of all controls)) x 100, excluding any controls in the Draft, Retired or Not Applicable states
147
How is compliance score calculated when there ARE children control objectives?
1) Calculate the parent's compliance percentage as if it had no children -> ParentPerc. 2) Take the average score of all downstream (child) control objectives -> ChildAvg. 3) Score = (ParentPerc + ChildAvg) / 2
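Worked example (added here; not ServiceNow's ComplianceScoreCalculator) of the two roll-up rules on cards 146 and 147, run over constructed control records. Two points the cards leave open are handled as stated assumptions: "child" scores are taken to be the scores of the child control objectives (computed recursively), and an objective with no in-scope controls of its own takes its children's average instead of dividing by zero.

```python
"""Compliance score roll-up for a control objective, following cards 146-147.

Added example, not ServiceNow code. Controls are constructed dicts:
{"weight": int, "state": str, "status": str}.
ASSUMED: child scores are the recursive scores of child control objectives,
and a parent with no in-scope controls takes the child average.
"""
from statistics import mean

EXCLUDED_STATES = {"draft", "retired", "not applicable"}


def in_scope(controls):
    """Controls in Draft, Retired or Not Applicable count neither way."""
    return [c for c in controls if c["state"].lower() not in EXCLUDED_STATES]


def score_for_controls(controls):
    """(sum of weights of compliant in-scope controls /
        sum of weights of all in-scope controls) * 100.
    Returns None when nothing is in scope, so 0/0 is not reported as 0 %."""
    scoped = in_scope(controls)
    total = sum(c["weight"] for c in scoped)
    if total == 0:
        return None
    compliant = sum(c["weight"] for c in scoped if c["status"].lower() == "compliant")
    return 100.0 * compliant / total


def compliance_score(objective):
    """ParentPerc (as if childless) averaged with ChildAvg: (ParentPerc + ChildAvg) / 2."""
    parent_pct = score_for_controls(objective.get("controls", []))
    child_scores = [compliance_score(ch) for ch in objective.get("children", [])]
    child_scores = [s for s in child_scores if s is not None]
    if not child_scores:
        return parent_pct
    child_avg = mean(child_scores)
    if parent_pct is None:  # assumption: no in-scope controls of its own
        return child_avg
    return (parent_pct + child_avg) / 2


def control(weight, state, status):
    return {"weight": weight, "state": state, "status": status}


# Constructed sample: a parent objective with two child objectives.
PARENT_CONTROLS = [
    control(3, "Monitor", "Compliant"),
    control(1, "Monitor", "Compliant"),
    control(1, "Monitor", "Non-compliant"),
    control(5, "Draft", "Compliant"),               # excluded; counting it would inflate 80 % to 90 %
    control(2, "Not Applicable", "Non-compliant"),  # excluded
]
OBJECTIVE = {
    "controls": PARENT_CONTROLS,
    "children": [
        {"controls": [control(1, "Monitor", "Compliant"), control(1, "Review", "Compliant")]},      # 100 %
        {"controls": [control(1, "Monitor", "Compliant"), control(1, "Monitor", "Non-compliant")]},  # 50 %
    ],
}

if __name__ == "__main__":
    print("parent alone :", score_for_controls(PARENT_CONTROLS))
    print("with children:", compliance_score(OBJECTIVE))
```

Note that the exclusion is applied to the weights, not only the count: a heavily weighted control left in Draft (the 5-weight one above) neither helps nor hurts the score until it is attested and moved on.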
148
What happens if a compliance manager requests a business approval for a Policy Exception?
Policy Exception Business Owner Approval workflow sends a notification to the control owners for all of the controls in the impacted controls related list.
149
For P&C - Entity Types can be applied to what objects (2) and which is the best practice?
Policies and Control Objectives. Control Objectives is best practice.
150
What are the Policy Exception workflows?
Policy Review, Policy Approval, Policy Exception and Policy Exception Business Owner Approval
151
What P&C tables can have SLAs associated with them?
Indicator Tasks, Issues, Policy Exceptions
152
What Risk tables can have SLAS associated with them?
Risk Responses and Remediation Task
153
What Audit tables can have SLAS associated with them?
Control Test, Interview, Audit, Walkthrough Task
154
What Risk Event tables can have SLAS associated with them?
Risk Events, Risk Event Tasks
155
What GRC tables are not extended from Task? (6)
Control, Control Objective, Registered Risk, Risk Statement, Risk Framework, Policy
156
What is the Risk Record Lifecycle
Draft, Assess, Respond, Review, Monitor, Retired
157
Who can create a risk?
Risk User
158
Who can create a risk statement?
Risk Manager
159
Who can create a risk framework?
Risk Manager
160
Who can return a risk to the Draft state?
Risk Manager
161
Who performs risk assessment?
Usually Risk Owner
162
What happens during risk assessment?
Risk is reviewed and either sent back to draft or the assessment is completed which moves the risk to Respond and generates Risk Responses
163
What is the Risk Response lifecycle?
Draft, Work in Progress, Review, Closed
164
What is "Governance" in GRC?
Policies and oversight to ensure consistent sustainability of internal controls and objectives while understanding inherent risk and adhering to external laws and regulations.
165
What is "Risk Management" in GRC?
Process of determining where the org is vulnerable and exposed. Manages and monitors the System of Internal Controls
166
What is "Compliance Management" in GRC?
Implements and manages the governance structure by managing and monitoring the system of internal controls.
167
What is "Audit Management" in GRC?
Internal or External consultancy process to prove effectiveness of controls that are used to ensure the effectiveness of compliance.
168
Where does SN GRC store external legislation/regulation data?
Authority documents - headers and citations. These documents dictate things an organization should do.
169
What are some sources of authority documents
UCF (Unified Compliance Framework), HITRUST, COSO, LexisNexis
170
How can customers use the UCF?
UCF will map headers and citations to control objectives.
171
What is an Entity?
Records that aggregate GRC information related to a specific item - can be a record in any table in the instance. Examples would be applications, locations, business services, etc.
172
What is a Citation?
Specific requirement in an authority document. Citation record relates an Authority Document to its applicable control.
173
What is a policy?
Internal practice followed by business process to ensure compliance and reduce risk. Related to authority documents and controls.
174
Where are policies published in SN?
Knowledge base
175
What is a control objective?
Specific details that a process follows within a policy. They are the templates from which controls are generated.
176
What is a control?
Actual control activity to be performed by an organization. Contains information such as owner, activity and frequency. Related to Authority Documents, Policies, and Risks via Control Objectives
177
What is an issue?
GRC task to track control and risk issues.
178
What is an indicator?
A metric to collect data to monitor controls and risks and collect audit evidence.
179
What is a risk framework?
Manageable hierarchy of Risk Statements. Formalized process for managing risk. Consists of assessment, response, accountability, remediation. Related to Entity Types and Risk Statements
180
What is a risk statement?
Defined consequence when a threat exploits a vulnerability.
181
What is a risk register?
Repository of key attributes of potential and known risk issues.
182
What is a risk?
Specific occurrence of a risk statement against a single entity. Also, threat or vulnerability that can adversely affect an organization's businesses objectives. Can be related to Policies, Controls or Remediation Tasks.
183
What are the possible outcomes for a risk?
It can be mitigated, prevented or controlled using Controls and Control Tests.
184
What is Risk Criteria?
Qualitative or Quantitative values against which level of risk is evaluated
185
What is the Risk's Residual Score?
Score AFTER response strategy is implemented.
186
What is the Risk's Inherent Score
Score BEFORE response strategy is implemented.
187
What is the Risk's Calculated Score?
Score derived from inherent and residual scores - refers to actual exposure of risk based on quality of the control system.
188
What is the Risk's Inherent Likelihood?
Likelihood BEFORE response strategy is implemented.
189
What is the Risk's Inherent Risk?
Level of Risk BEFORE response strategy is implemented.
190
What is the Risk's Residual Likelihood?
Likelihood AFTER response strategy is implemented.
191
What is the Risk's Residual Risk?
Level of Risk AFTER response strategy is implemented.
192
What is the Risk's Qualitative Impact?
Uses Impact (significance of risk) and Likelihood (probability of risk occurring) ratings. Result is impact*likelihood.
193
What is the Risk's Quantitative impact?
SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) = ALE (Annualized Loss Expectancy)
194
What is an audit engagement?
Audit project with audit tasks to accomplish specific objectives.
195
What is an audit test plan?
A specific audit test of the effectiveness of a control. Used to generate control tests during engagements.
196
What is an audit test plan template?
Used to establish criteria for many test plans. Related to control objectives.
197
What is an audit task?
Task completed to provide evidence that a control is operating effectively
198
What are the 4 types of audit tasks?
Control Tests, Interviews, Walkthroughs and Activities
199
What are some examples of Authority Documents?
GDPR, HIPAA, Sarbanes-Oxley
200
Where do UCF control documents go in SN GRC?
Control Objectives
201
If you import the UCF framework to SN GRC, what tables will be populated? What relationships will be created?
Authority Documents, Citations, Control Objectives | Auth Doc->Citations, Citations->Ctl Obj, Relationships between overlapping Auth Docs/Citations/Ctl Objs.
202
What are the different policy types? (6)
Procedure, Standard, Plan, Checklist, Framework, Template
203
What are attestations?
Surveys to gather evidence to prove a control is implemented.
204
Attestations are used to measure if a control is effective - T or F
False, Indicators are used to measure effectiveness. Attestations are just to gather evidence.
205
What drives the compliance status for a control?
The attestation results.
206
What are 3 levels of control validation?
Attestation (evidence), Indicators (manual or automated steps to measure effectiveness), Tests (used during audit to validate that the control is effective)
207
What are entities?
People/Places/Things that require 1 or more of these: Risk management, Controls to be applied, Audits to be conducted.
208
What can entities be related to?
Entity Types, upstream and downstream entities, downstream risks, downstream controls
209
What are entity types assigned to?
Control Objectives and Risk Statements (can be assigned to policies or risk frameworks also, not best practice?)
210
What is the name of the risk table?
sn_risk_risk
211
Under what module will you find Risk Framework and Risk Statements?
Risk Library
212
Where all can you create a risk?
Risk Framework -> Entity Type related list; Risk Statement -> Entity Type related list; Entity Type -> Risk Framework related list; Entity Type -> Risk Statement related list. Risks are created as the relationships are created.
213
What happens to risk assessments if a risk is retired?
Assessments are cancelled.
214
What are the possible risk response types and what prefix will each type of task have?
Risk Acceptance (APT), Risk Avoidance (AVT), Risk Mitigation (MGT), Risk Transfer (TFT)
215
What is an example of a way to mitigate a risk?
Create a control. Relate the control to the risk.
216
A control is related to a risk for mitigation purposes. What does the Control Weight field signify?
Weight tells us how impactful the control is in mitigating the risk - high impact=high weight, low impact=low weight. Used to determine control failure factor.
217
A control is related to a risk for mitigation purposes. What does the Control Compliance field signify?
Control Compliance is a calculated field based on the # of controls mitigating the risk that have a compliant status. (Empty or N/A status=compliant)
218
A control is related to a risk for mitigation purposes. What does the Control Non-Compliance field signify?
Control Non-Compliance is a calculated field based on the # of controls mitigating the risk that have a non-compliant status.
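Worked example (added here; not ServiceNow's scoring code) covering cards 192-193 (qualitative impact x likelihood, quantitative SLE x ARO), cards 185-187 (inherent, residual and calculated scores) and cards 216-218 above (control weight, Control Compliance and Control Non-Compliance). The cards give the rule that an empty or N/A status counts as compliant and say that weight feeds a control failure factor, but not the formula for that factor or for the calculated score; the two formulas used below (weighted share of non-compliant controls; calculated = residual plus the inherent-residual gap scaled by that share) are assumptions for illustration, as is the 1-5 rating scale.

```python
"""Risk scoring helpers. Added example, not ServiceNow's own scoring code.

From the cards: qualitative score = impact x likelihood; quantitative
ALE = SLE x ARO; inherent = before response, residual = after response;
a mitigating control with an empty or N/A status counts as compliant.
ASSUMED (not on the cards): the 1-5 rating scale; control failure factor
= weighted share of non-compliant mitigating controls; calculated score
= residual + (inherent - residual) * failure factor.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RATING_RANGE = range(1, 6)  # assumed 1-5 scale for impact and likelihood ratings


@dataclass
class MitigatingControl:
    name: str
    weight: int            # how impactful this control is in mitigating the risk
    status: Optional[str]  # "Compliant", "Non-compliant", "N/A" or None (empty)

    def is_compliant(self) -> bool:
        # Card rule: an empty or N/A status counts as compliant.
        return self.status is None or self.status.strip().lower() in ("compliant", "n/a")


def qualitative_score(impact: int, likelihood: int) -> int:
    """Impact rating x likelihood rating."""
    if impact not in RATING_RANGE or likelihood not in RATING_RANGE:
        raise ValueError("ratings must be within 1..5")
    return impact * likelihood


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE (cost of one occurrence) x ARO (occurrences per year)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


def control_compliance_counts(controls: List[MitigatingControl]) -> Tuple[int, int]:
    """(Control Compliance, Control Non-Compliance) as on cards 217-218."""
    compliant = sum(1 for c in controls if c.is_compliant())
    return compliant, len(controls) - compliant


def control_failure_factor(controls: List[MitigatingControl]) -> float:
    """ASSUMED model: weighted share of non-compliant controls, 0.0 when every
    control is compliant, 1.0 when none is (or when nothing mitigates the risk)."""
    total = sum(c.weight for c in controls)
    if total <= 0:
        return 1.0
    failed = sum(c.weight for c in controls if not c.is_compliant())
    return failed / total


def calculated_score(inherent: float, residual: float, controls: List[MitigatingControl]) -> float:
    """ASSUMED model: actual exposure sits between residual (controls working)
    and inherent (controls failed), positioned by the failure factor."""
    if residual > inherent:
        raise ValueError("residual score cannot exceed inherent score")
    return residual + (inherent - residual) * control_failure_factor(controls)


# Constructed sample risk: ransomware encrypts the file server.
CONTROLS = [
    MitigatingControl("MFA on remote access", weight=3, status="Compliant"),
    MitigatingControl("Offline backups", weight=1, status="Non-compliant"),
    MitigatingControl("Central logging", weight=2, status=None),  # empty -> counts as compliant
]
INHERENT = qualitative_score(impact=5, likelihood=4)  # 20, before any response
RESIDUAL = qualitative_score(impact=3, likelihood=2)  # 6, with the response in place

if __name__ == "__main__":
    print("ALE:", annualized_loss_expectancy(sle=200_000, aro=0.25))
    print("compliance counts:", control_compliance_counts(CONTROLS))
    print("failure factor:", control_failure_factor(CONTROLS))
    print("calculated:", calculated_score(INHERENT, RESIDUAL, CONTROLS))
```

The weight is what makes the difference here: the failed backup control has weight 1 of 6, so the calculated score moves only a sixth of the way from residual back toward inherent; had it been the weight-3 MFA control that failed, the same single non-compliance would move it halfway.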
219
What happens to a Risk Response Task (Avoid, Mitigate, Review types) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Review.
220
What happens when a Risk Response Task (Avoid, Mitigate, Review type) is set to Review?
The Risk is also automatically set to Review. The Risk Manager will review the Response Task and determine if it can be closed.
221
What happens to a Risk Response Task (Accept type) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Awaiting Approval.
222
What happens to a Risk Response Task (Accept type) after it is set to Awaiting Approval?
Risk Owner approves or rejects the task. If approved, the Risk Response Task is set to Review. If rejected, the Risk Response Task is Rejected. The Risk is set to Review.
223
If an "Accept" Risk Response Task is created, what is required to move the task and the risk forward?
Risk Owner Approval
224
Controls can be identified to mitigate risk? How can you get controls to be automatically related to risks?
If a control objective is related to a risk statement (done manually), and the control objective and the risk statement share the same entity, then relationships are automatically created between the registered risks and the controls (control instances).
225
What is a Risk Event?
Part of Advanced Risk - Potential or actual, financial or non-financial losses, near misses or gains that occur within an organization
226
How are risk events useful?
They provide hard data about existing risks - ability to quantify and validate them, and provide visibility to new risks.
227
What are the 2 types of Risk Events?
Financial, Non-financial
228
Who can report a Risk Event?
Any employee (via the portal.)
229
What is the Risk Event Lifecycle?
New, Analyze, Awaiting Approval, Approved, Closed/Rejected
230
What happens during the Analyze phase of a Risk Event?
Additional info is gathered; the Risk Event is related to Risks (new or existing), Controls and other Risk Events; response tasks and issues can be created and assigned out; approvers are assigned. When analysis is done, the Risk Event is sent for approval.
231
What is minimum role that approvers for a Risk Event need?
Risk User
232
Risk Event is approved when at least 1 designated approver approves it. T or F
False - all approvers must approve it.
233
For a Risk Event to close - all related Issues and Remediation Tasks must be closed. T or F
True
234
What is the role of the person who analyzes a risk event, requests approval and closes the Risk Event?
Risk Manager
235
What happens when an entity is deactivated?
Associated controls, risks, indicators and test plans are all deactivated or retired.
236
What happens when an entity is re-activated?
Associated controls, risks go to Draft. Associated indicators and test plans become Active.
237
Indicators in GRC are used to monitor what?
Controls and Risks
238
What does an indicator do in GRC?
Continuously monitors a control's compliance/non-compliance. Within risk, an indicator will adjust a risk score up or down. Indicators are used to gather evidence of performance for the compliance and risk processes.
239
Risk indicators and Policy & Compliance Indicators are stored in 2 different tables. T or F
False. 2 modules, same table.
240
What are the 3 default types/methods of indicators?
Manual, Basic, Script
241
What are additional types of indicators that come with integrations?
Configuration Test, Vulnerability Response, PA Indicator
242
How do you get indicators to get auto-created and related to controls or risks.
Create indicator templates and relate them to Risk Statements and Control Objectives. Then when an entity is applied to a Risk Statement or a Control Objective, the indicator will get related to the risk or control.
243
How do issues get created (5)?
1) Manually 2) If an Indicator gets a result that is Failed or Not Passed 3) If a Control Attestation returns a result of Not Implemented 4) if a Control Test is Closed Complete and the Effectiveness is set to Ineffective 5) Continuous Monitoring (based on Configuration Test scan results)
244
True or False - A control can be marked compliant even if it has an open issue.
False
245
What are the 2 ways to respond to an Issue?
Remediate (can result in remediation tasks) or Accept (meaning the issue is an exception). If accept, the control status is non-compliant until it is re-assessed.
246
Issues can be grouped under a parent. What is the parent record?
An issue.
247
How do you group Issues?
From List view, select issues to group, Select Group from Actions on Selected Rows list.
248
How many times can you request a policy exception for a policy?
1
249
What is a Policy Exception?
A Policy Exception provides temporary relief for a non-compliant control. It will have evidence, comments and rationale to support acceptance or rejection of the Policy Exception request.
250
What are the things for which you might request a Policy Exception (3)?
Policy, Control Objective, Issue (or combination of the 3)
251
A policy exception must have related controls (that are not Draft or Retired) - T or F
False. This is true if the exception is for a Control Objective or an Issue. Not if it is for a Policy.
252
To request a policy exception for an issue, what needs to be true about the issue?
It must not be in Draft or Retired and it must have at least 1 active control.
253
What are the 3 groups of audit users?
Audit Administrators - run the internal audit department, Audit Managers - plan, conduct and manage audit engagements, Internal Auditors - conduct control tests and other tasks for an Audit Engagement
254
What does an audit Control Test task do?
Performs a design or operation test to determine the effectiveness of a control
255
When do you use an Interview audit task?
When you need to gather data for auditors, possibly to learn a process or evaluate evidence.
256
When do you use a Walkthrough audit task?
To establish the reliability of an organization's internal control over a procedure or process
257
What is an Activity audit task used for?
Any miscellaneous activity that is part of the audit process.
258
What is the only kind of Audit task that can have a parent that is another Audit task rather than an Engagement?
Activity audit task.
259
What are the 3 types of Audit Interview Tasks?
Structured, Unstructured, Mixed
260
Audit engagements must always be created from scratch. True or False
False. You can use another audit engagement as a template.
261
What is a Test Template?
A generic audit test that applies to a control objective.
262
What is a Test Plan?
A specific audit test that applies to a control
263
What is the Engagement lifecycle?
Scope, Validate, Fieldwork, Awaiting Approval, Follow-up, Closed
264
How do Control Test audit tasks get created during an engagement?
From a Control, go to the Test Plans related list and select Generate Control Test. This will create the audit tasks.
265
What is the module for creating Test Templates and Test plans?
Audit->Audit Testing->Test Templates | Audit->Audit Testing->Test Plans
266
What are the components of an audit Test Plan?
Design Test - steps to test the design. | Operational Test - steps to test operational effectiveness.
267
What is the Control Test lifecycle?
Open, Work In Progress, Review, Closed
268
What happens while a Control Test audit task is Work In Progress?
The effectiveness of the control is evaluated. When complete, it is set to Review.
269
What happens when a Control Test audit task is in Review?
All auditors on the engagement receive an approval test to review the Control Test task. If any one approves it, then the Control Test task moves to Closed.
270
A Control Test audit task requires only one of the approvers to approve it for it to move from Review to Closed. True or False
True
271
It is possible to skip the approval process for a Control Test audit task by just moving it to Closed. T or F
True
272
Control Effectiveness will be "Effective" if at least one of "Design Effectiveness" or "Operational Effectiveness" is "Effective" for the control. T or F
False. They both must be Effective. If one is ineffective, the control is ineffective.
273
What happens to the related risks when a risk statement is deactivated?
The risks are automatically retired.
274
If a risk is in a retired state, do the indicators still run?
No
275
What happens to the related risks when a risk statement is re-activated?
Risks are set to Draft.
276
What role is required to manually retire a risk?
Risk Manager
277
What is the table name for Risk Statements and Risk Frameworks?
sn_risk_definition and sn_risk_framework
278
What are the table names for Indicators and Indicator Templates and what app are they part of?
sn_grc_indicator and sn_grc_indicator_template | GRC:Profiles
279
What items can be related to a Risk Event? Which are in m2m tables?
Another Risk Event (m2m), Risk Event Task, Event Entry, Risks (m2m), Entity(m2m), Issue, Control (m2m)
280
What is the Script Include if you want to modify the calculations of multiple risks on an entity?
RiskUtils
281
What is the Script Include if you want to add additional calculations to risks?
RiskALECalculator
282
What is the Script Include if you want to change the relationship behavior between a control and a risk?
MitigationControls
283
What is the Script Include if you want to change the states and behaviors of risk mitigations?
RiskResponse
284
What is the Script Include if you want to modify how risks are generated and associated to entities?
RiskGeneratorStrategy
285
What is the Script Include if you want to adjust color and display settings when creating a risk heat map?
RiskHeatMap
286
What SN core table can you use to see all components installed by a particular application/plugin?
sys_metadata
287
What role is used for creating GRC attestations?
Attestation Creator - sn_compliance.attestation_creator
288
What role is used for creating Risk assessments?
Risk Assessment Creator - sn_risk.asmt_creator
289
What role is required to answer a risk assessment?
Risk Analyst (sn_risk.user) I think
290
What role is required to answer a control attestation?
No role required
291
What role is required to create a policy?
Compliance Analyst (sn_compliance.user)
292
What role is required to approve a policy?
Compliance Manager (sn_compliance.manager)
293
What role is required to submit a control for attestation?
Compliance Analyst (sn_compliance.user) I think?
294
What role is required to create an issue within Risk?
Risk Analyst (sn_risk.user)
295
What role is required to create an indicator template within Risk?
Risk Manager (sn_risk.manager)
296
What role is required to create a policy exception?
Risk Analyst (sn_risk.user)
297
What role is required to Retire policies?
Compliance Manager (sn_compliance.manager)
298
What are some considerations that drive your choice of entity types?
Regulations you need to comply with, Who are the people working on risks and controls, How are you managing policies/exceptions/risks today? What areas are audited?
299
What are Entity Classes used for?
Reporting and roll up of risk responsibility.
300
What are the 3 parent tables in GRC:Profiles application/scope that are extended in P&C and Risk?
Document (sn_grc_document), Content (sn_grc_content), Item (sn_grc_item)
301
What tables in P&C and Risk are extended from the Document table?
Risk Framework (sn_risk_framework), Authority Document (sn_compliance_authority_document), Policy (sn_compliance_policy)
302
What tables in P&C and Risk are extended from the Content table?
Risk Statements (sn_risk_definition), Control Objectives (sn_compliance_policy_statement), Citations (sn_compliance_citation)
303
What tables in P&C and Risk are extended from the Item table?
Risks (sn_risk_risk), Controls (sn_compliance_control)
304
An entity can only be related to a single Entity Class. T or F
True
305
An entity can only be part of a single Entity Type. T or F
False. An entity can belong to 1 or multiple entity types.
306
What is the table name that holds Entity Filters?
sn_grc_enrichment_query
307
What is the name of the m2m table that relates entities and entity types?
sn_grc_m2m_profile_profile_type
308
Indicator and Issue tables are part of what scope?
GRC:Profiles
309
What are 3 GRC tables extended from the Global scope?
Indicator Task is extended from task. Issue is extended from Planned task, Acknowledgement Campaign is extended from task.
310
What is the baseline frequency for generating entities and deleting invalid entities?
Generating entities happens hourly. | Deleting invalid entities happens daily.
311
What happens if someone requests approval for a policy record and there are no approvers designated?
It goes straight to published.
312
What is the Control Objective lifecycle?
It doesn't have one. It is managed by the lifecycle of its parent, the policy record.
313
When a control goes to Attest, who receives the attestation?
Control Owner
314
Can Policies be nested?
Yes
315
A control objective can only be related to 1 policy. T or F
False.
316
A control objective can be related to multiple citations. T or F
True. This is what allows you to test once to satisfy many requirements.
317
Can Control objectives be nested?
Yes
318
Can Citations be nested?
Yes
319
Authority docs and citations are required to use SN GRC. T or F
False
320
When implementing Policy and Compliance, what is a common configuration task?
Updating choice lists for Category, Classification and Type fields on Control Objective table.
321
A policy must be published before you can create a policy acknowledgement campaign. T or F
True
322
Give an example of how you might define/use an indicator.
A policy/citation? is Manage Change Requests. A control is "All change requests must have a back out plan prior to approval." An indicator could be defined to look at changes that have been approved and the backout plan is empty. If found, the control will be marked non-compliant.
323
Are the knowledge article templates for the GRC Knowledge base stored in the same table as the templates for the other KBs?
No, they are in a different table and they require javascript.