Implementation Planning 5% Flashcards

1
Q
  • Who should be on the core implementation team for a GRC implementation:
    a. Platform experts
    b. Board member
    c. Internal audit
    d. External audit
    e. Risk assessor
    f. CISO
A

a. Platform Experts
c. Internal Audit

(The exam will include CEO, board member as choices - they are stakeholders, not part of implementation.)

Implementer side: 
• SN platform experts
• Risk and compliance experts
• SN developer
• CMDB developer
• UI design team
• Organizational change management
Customer side:
• Risk and Compliance experts
• CMDB process owner
• Foundation data process owners
• Security operations
• Internal audit
2
Q

Best Practices state that Risk Management should be implemented before Compliance.

a. Yes
b. No

A

b. No

3
Q
  • Which of the following should be considered when estimating the size of an RCI Implementation Project? (select all that apply)
    a. Number of silos that currently manage risk.
    b. How many regulations they want to track
    c. Maturity of current risk process
    d. How much time their GRC business staff has for the project
    e. How much time their ServiceNow staff has for the project
    f. Experience with ServiceNow
A

All:

a. Number of silos that currently manage risk.
b. How many regulations they want to track
c. Maturity of current risk process
d. How much time their GRC business staff has for the project
e. How much time their ServiceNow staff has for the project
f. Experience with ServiceNow

4
Q
  • What is the minimum role that a user must have to approve a Policy?
    a. Compliance User
    b. Compliance Manager
    c. Compliance Admin
A

a. Compliance User

5
Q
  • What roles can create/update Entity Types?
    a. Compliance User
    b. Compliance Manager
    c. Compliance Admin
    d. Risk User
    e. Risk Manager
    f. Risk Admin
A

b. Compliance Manager
c. Compliance Admin
e. Risk Manager
f. Risk Admin

6
Q
  • What role can answer a Risk Assessment?
    a. Does not need a role
    b. Risk User
    c. Compliance user
    d. Compliance Manager
    e. Risk admin
    f. Risk Assessment Creator
    g. Compliance Admin
    h. Risk Manager
A

a. Does not need a role

7
Q

What role can create a Risk Assessment?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

f. Risk Assessment Creator

8
Q
  • What role can answer a control attestation?
    a. Does not need a role
    b. Risk User
    c. Compliance user
    d. Compliance Manager
    e. Risk admin
    f. Risk Assessment Creator
    g. Compliance Admin
    h. Risk Manager
A

a. Does not need a role

9
Q

What role can create policies?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

c. Compliance user

10
Q

What role can approve policies?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

c. Compliance user

11
Q

What role can submit a control for attestation?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

c. Compliance user

12
Q

What role can create an issue (risk)?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

b. Risk User

13
Q

What role can create an indicator template (risk)?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

h. Risk Manager

14
Q

What role can create a policy exception from a control issue?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

c. Compliance user

15
Q

What role can create retire policies?

a. Does not need a role
b. Risk User
c. Compliance user
d. Compliance Manager
e. Risk admin
f. Risk Assessment Creator
g. Compliance Admin
h. Risk Manager

A

d. Compliance Manager

16
Q

Entity Types are assigned to Control Objectives, which generate Controls for every Entity listed in the Entity Type

a. Yes
b. No

A

a. Yes

17
Q

Which of the following statements are true?

a. Entity Owners can be defined at the Entity level and can be automatically applied to Risks and Controls
b. Are generated for an Entity Type from a defined filter
c. If a record no longer meets an Entity Type filter criteria, it will be deactivated (or retired) and the associated risk and controls will be retired
d. None of the above

A

a. Entity Owners can be defined at the Entity level and can be automatically applied to Risks and Controls
b. Are generated for an Entity Type from a defined filter
c. If a record no longer meets an Entity Type filter criteria, it will be deactivated (or retired) and the associated risk and controls will be retired

18
Q

What are the two major pieces of functionality that Advanced Risk provides? (Select all that apply)

a. Risk Events
b. Calculated Risk
c. Indicators
d. Risk Hierarchy

A

a. Risk Events

d. Risk Hierarchy

19
Q
  • Which of the following are considerations for an implementation? Select all that apply.
    a. Will the customer use UCF?
    b. Do they have a set of corporate policies that they can integrate?
    c. Do they have a Risk Register?
    d. How are they currently measuring Risk?
    e. All of the above.
A

e. All of the above

20
Q
  • It is better to start small with an Implementation.
    a. Yes
    b. No
A

a. Yes