GRC: Policy and Compliance

Question 1

Compliance Developer contains what roles

Answer 1

sn_grc.developer, sn_compliance.admin

Question 2

sn_compliance.developer performs what functions

Answer 2

Responsible for maintaining various aspects of the platform, such as creating workflows, reports, dashboards, additional modules, and other platform specific content

Question 3

sn_compliance.reader role performs what functions?

Answer 3

Read only access to all modules of the policy and compliance App

Question 4

Complaince Reader contains what roles?

Answer 4

Sn_grc.reader

Question 5

What are the policy record states?

Answer 5

Draft, Review, Awaiting Approval, Published, Retired

Question 6

What are the control objective states?

Answer 6

Active, inactive

Question 7

What are the control record states?

Answer 7

Draft, attest, review, monitor, retire

Question 8

What are the policy exception states?

Answer 8

New, pending verification (if verification rules are turned on), analyze, review, awaiting approval, approved, closed

Question 9

What are the policy acknowledgment states?

Answer 9

New, pending acknowledgment, closed, cancelled

Question 10

What tables exist within the GRC: Profiles scope?

Answer 10

Document, Policy, Indicator

Question 11

What are the two ways you can prevent certain users from seeing certain modules?

Answer 11

1. ACL customization, 2. Before Query Business Rule to restrict row access (Return only certain records if you are member of X group or have X role etc)

Question 12

What is the purpose of Entity Scoping?

Answer 12

Automatically create and remove entities as needed per system and business service creation in other groups. These define groups that you can apply to Control Objectives, Risks Statements, and Engagements to define what needs to be evaluated

Question 13

What is the business rule that auto updates entities, controls and risks?

Answer 13

GRC Profile Generation; it is a scheduled job set by default to run every hour

Question 14

Can entities be associated to multiple entity types?

Answer 14

Yes, entities can be associated with multiple entity types. Many to Many Relationship

Question 15

Can an entity be related to multiple Entity Classes?

Answer 15

No, an entity can have only one Entity Class assigned

Question 16

What are possible starting points for Entity Scoping?

Answer 16

Identify the current items that are being tracked; look at what needs to be compliant and what roles/teams/business units that are responsible; review risk register and control library; existing auditable units

Question 17

How granular should you approach entity scoping?

Answer 17

Depends on the use case; Operational level vs a Strategic level approach. You will have a mixture but you should try to reduce the replication of effort. ie evaluate on a VM level or since all VM’s are created from the same image; evaulate just the image instead

Question 18

What are common tables to be used within entity filters?

Answer 18

core_company, cmn_department, cmn_location, cmdb_ci_service, cmdb_ci_db_instance, sys_user_group, cmdb_ci_group, sysapproval_group, cmdb_ci_business_process

Question 19

Are entities limited to CMDB or Core platform tables?

Answer 19

No, you can leverage any table in or outside of the cmdb for creating your entity filters for entity types

Question 20

When a record no longer matches an entity filter, what occurs?

Answer 20

The related entity, controls, risks and indicators are removed from the entity type and the downstream controls retired

Question 21

Entity owner field by default is defined and controlled by what?

Answer 21

Entity owner field is defined by the first entity filter that runs; any changes on the original cmdb record does not update the entity after creation

Question 22

Does ownership of controls cascade down from changes of owners on the entity record?

Answer 22

No; by default the system doesn’t cascade down changes from cmdb, to entity, to controls/risks

Question 23

What does entity roll-up define the roll-up of?

Answer 23

Entities, Controls, and Risks. Risk Assessment Methodologies are defined for an entity class. Entity Classes determine which entities can be assigned an impact assessment

Question 24

What do Entity Classes allow for that Entity Types do not?

Answer 24

It allows for the mixing and matching of Entities with different parent tables

Question 25

What is the main purpose of the GRC Workbench interface?

Answer 25

It allows for the easy management of entity classes

Question 26

Entity class will define the upstream and downstream entities, risk and controls

Question 27

What are the GRC: Profiles scoped tables?

Answer 27

sn_grc_document, sn_grc_content, sn_grc_item

Question 28

What is the purpose of the “days after valid to date” System Property?

Answer 28

This is the number of days after the valid to date in which a Policy record is moved back to draft or review state. It is only moved to draft if there are no assigned reviewers on the record which should not be the case as it is mandatory.

Question 29

Who can send a policy back to draft after it has been moved to the Review state?

Answer 29

Anyone assigned as a Reviewer, Owner or someone within the assigned Owning Group

Question 30

When is the knowledge article related to a policy published?

Answer 30

It is published when the policy record is moved to the published state. The system will track versioning as a policy is republished after a review cycle

Question 31

What is the purpose of a policy acknowledgement campaign?

Answer 31

It is to make sure that people within the company have visibility to changes in policy and proof of receipt

Question 32

How do you define the scope of a policy acknowledgement campaign?

Answer 32

You would set this via the audience within the Policy Acknowledgement > Audience module.

Question 33

When would you be able to setup and send out a policy acknowledgement campaign?

Answer 33

You are only able to set an audience when the policy has been set to the published state