GRC: Policy and Compliance Flashcards
Compliance Developer contains what roles?
sn_grc.developer, sn_compliance.admin
sn_compliance.developer performs what functions?
Responsible for maintaining various aspects of the platform, such as creating workflows, reports, dashboards, additional modules, and other platform-specific content
sn_compliance.reader role performs what functions?
Read-only access to all modules of the Policy and Compliance app
Compliance Reader contains what roles?
sn_grc.reader
What are the policy record states?
Draft, Review, Awaiting Approval, Published, Retired
What are the control objective states?
Active, Inactive
What are the control record states?
Draft, attest, review, monitor, retire
What are the policy exception states?
New, pending verification (if verification rules are turned on), analyze, review, awaiting approval, approved, closed
What are the policy acknowledgment states?
New, pending acknowledgment, closed, cancelled
What tables exist within the GRC: Profiles scope?
Document, Policy, Indicator
What are the two ways you can prevent certain users from seeing certain modules?
1. ACL customization; 2. Before Query Business Rule to restrict row access (return only certain records if the user is a member of group X or has role X, etc.)
What is the purpose of Entity Scoping?
Automatically create and remove entities as needed when systems and business services are created in other groups. These define groups that you can apply to Control Objectives, Risk Statements, and Engagements to define what needs to be evaluated
What is the business rule that auto updates entities, controls and risks?
GRC Profile Generation; it is a scheduled job set by default to run every hour
Can entities be associated to multiple entity types?
Yes, entities can be associated with multiple entity types (many-to-many relationship)
Can an entity be related to multiple Entity Classes?
No, an entity can have only one Entity Class assigned
What are possible starting points for Entity Scoping?
Identify the current items that are being tracked; look at what needs to be compliant and which roles/teams/business units are responsible; review the risk register and control library; review existing auditable units
How granular should your approach to entity scoping be?
Depends on the use case: an operational-level vs. a strategic-level approach. You will have a mixture, but you should try to reduce replication of effort, e.g., evaluate at the VM level, or, since all VMs are created from the same image, evaluate just the image instead
What are common tables to be used within entity filters?
core_company, cmn_department, cmn_location, cmdb_ci_service, cmdb_ci_db_instance, sys_user_group, cmdb_ci_group, sysapproval_group, cmdb_ci_business_process
Are entities limited to CMDB or Core platform tables?
No, you can leverage any table in or outside of the CMDB when creating entity filters for entity types
When a record no longer matches an entity filter, what occurs?
The related entity, controls, risks and indicators are removed from the entity type, and the downstream controls are retired
By default, the entity owner field is defined and controlled by what?
The entity owner field is defined by the first entity filter that runs; changes on the original CMDB record do not update the entity after creation
Does ownership of controls cascade down from changes of owners on the entity record?
No; by default the system does not cascade changes down from the CMDB, to the entity, to controls/risks
What does entity roll-up define the roll-up of?
Entities, Controls, and Risks. Risk Assessment Methodologies are defined for an entity class. Entity Classes determine which entities can be assigned an impact assessment
What do Entity Classes allow for that Entity Types do not?
They allow for the mixing and matching of entities with different parent tables