Policy & Comp Imp Approach Flashcards
Policy Record Lifecycle
Draft → Review → Awaiting Approval → Published → Retired
Who can create a policy?
Compliance Users and above
Who can move a policy from Review to Awaiting Approval (AA)?
Named Reviewer or Policy Owner
(not Compliance Manager or Admin)
Who can manually retire a policy?
Compliance Manager or Policy Owner
Which record doesn’t have a lifecycle?
Control Objective (it is also a child record of a Policy)
Control Lifecycle
Draft → Attest → Review → Monitor → Retire
Who can create Controls?
Compliance User
Who can attest to a control?
Person assigned to it
A System Admin can also attest by impersonating the assigned person
Who can move a control into “Monitor”?
Compliance Manager
This ensures that the control and its attestation results are reviewed before it enters Monitor
How are Controls retired?
- Manually by the Compliance Manager
- Automatically when the entity becomes inactive
Policy Exception Lifecycle
New → Analyze → Review → Awaiting Approval → Approved → Closed
Who can request policy exception?
any user with snc_internal role
Who handles policy exceptions in the “analyze” state?
Compliance Manager
Three locations where policy exceptions can be initiated:
Within GRC: Policy & Compliance
Service Portal
Other apps added to Integration Registry
Policy Acknowledgement Lifecycle
New
Pending Acknowledgement
Closed
Canceled
Who can set up a Policy Acknowledgement Campaign?
Who determines the audience?
Compliance User sets it up
Compliance Manager or Admin identifies audience
Who can cancel a Policy Acknowledgement Campaign?
Compliance Manager or owner of campaign
Table Relationship in GRC: Policy and Compliance
Policy [sn_compliance_policy]
Control Objective [sn_compliance_policy_statement]
Citation [sn_compliance_citation]
Authority Document [sn_compliance_authority_document]
(ALL MANY TO MANY RELATIONSHIPS)
(COs related to multiple citations allows “test once satisfy many”)
Indicator Template - table name
sn_grc_indicator_template
GRC: Profiles
Indicator - table name
sn_grc_indicator
GRC: Profiles
Control Objective - table name
sn_compliance_policy_statement
GRC: Policy & Compliance
Control - table name
sn_compliance_control
GRC: Policy & Compliance
Entity Type - table name
sn_grc_profile_type
GRC: Profiles
Entity - table name
sn_grc_profile
GRC: Profiles
Issue - table name
sn_grc_issue
GRC: Profiles
Control Attestation - table name
asmt_assessment_instance
Global
Risk - table name
sn_risk_risk
GRC: Risk
**Recommend studying page 133
Policy to Control Objective - table name
sn_compliance_m2m_policy_policy_statement
Control Objective to Control Objective - table name
sn_compliance_m2m_policy_stmt_policy_stmt
Control Objective to Citation - table name
sn_compliance_m2m_statement_citation
Control Objective to Entity Type - table name
sn_compliance_m2m_statement_profile_type
**recommend studying page 134
Audience to Audience Filters - table name
sn_grc_m2m_audience_filter
Audience to User - table name
sn_grc_m2m_audience_user
Audience to User Groups - table name
sn_grc_m2m_audience_user_group
What table does Acknowledgement Campaign extend from?
Task table
What table does Acknowledgement extend from?
It doesn’t extend from a table
Assessment Grouping Criteria - table name
sn_grc_asmt_group_options
Used to determine grouping criteria for control attestations and risk assessments
Change who can edit a Policy in Review State
ComplianceUtils
Change how compliance scores roll up
ComplianceScoreCalculator
Display # of controls excluded from compliance score
AssessmentStrategy
Use a different criteria to create control records
ControlGeneratorStrategy
Add the state of X to the Policy Exception Process
PolicyException
Modify the Policy Acknowledgement process
PolicyAcknowledgementUtils
Policy Form - fields to make visible
Number
Category
Classification
Formatter - activity
Control Objective form - fields to make visible
Choice list updates - category, classification, type
Add Fields - Order, Imported
Formatter - Activity
Control form - fields to make visible
Add fields - created manually
Issue form - fields to make visible
Add fields - Watch list, Due date, Created manually, Created by, Created date
Two Options for changing/increasing security
ACL Customization
Business Rule Customization
Compliance Score Color Scheme
Red <50
Yellow 50-80
Green >80
What is an indicator
A filter that looks at a table for evidence
Two policy exception flows
- Initial verification (should we consider this?). Trigger is in the Substate field. Generates a verification based on the information in the Verification Rules record
- Final approval(s) (should we approve this?). Trigger is the State field changing to Awaiting Approval (AA). Generates approval(s) based on the information in the Approval Rules record
Which tables can SLAs NOT be applied to?
Note to studier: it’s easier to remember the ones you can’t than the ones you can
Control, Registered Risk, Control Objective, Risk Statement, Policy, Risk Framework
Baseline default GRC Knowledge Base
Workflows with GRC KB in baseline
Can Contribute User Criteria for GRC User role
Social Q&A enabled
KB owner is System Admin