Policy & Comp Imp Approach

Question 1

Policy Record Lifecycle

Answer 1

Draft
Review
Awaiting Approval
Published
Retired

Question 2

Who can create a policy?

Answer 2

Compliance Users and above

Question 3

Who can move a policy from review to AA

Answer 3

Named Reviewer or Policy Owner

not Compliance Manager or Admin

Question 4

Who can manually retire a policy?

Answer 4

Compliance Manager or Policy Owner

Question 5

Which record doesn’t have lifecycle

Answer 5

Control Objective (they are also child of policy)

Question 6

Control Lifecycle

Answer 6

Draft
Attest
Review
Monitor
Retire

Question 7

Who can create Controls

Answer 7

Compliance User

Question 8

Who can attest to a control

Answer 8

Person assigned to it

sys admin can by impersonating

Question 9

Who can move control into “Monitor”

Answer 9

Compliance Manager

this ensures that the control and attestation results are reviewed before entering monitor

Question 10

How are Controls retired

Answer 10

• Manually by compliance manager

- automatically when entity becomes inactive

Question 11

Policy Exception Lifecycle

Answer 11

New
Analyze
Review
Awaiting Approval
Approved
Closed

Question 12

Who can request policy exception?

Answer 12

any user with snc_internal role

Question 13

Who handles policy exceptions in the “analyze” state?

Answer 13

Compliance Manager

Question 14

3 locations policy exceptions can be initiated

Answer 14

Within GRC: Policy & Compliance
Service Portal
Other apps added to Integration Registry

Question 15

Policy Acknowledgement Lifecycle

Answer 15

New
Pending Acknowledgement
Closed
Canceled

Question 16

Who can set up a Policy Acknowledgement Campaign?

Who determines the audience

Answer 16

Compliance User sets it up

Compliance Manager or Admin identifies audience

Question 17

Who can cancel a Policy Acknowledgement Campagin?

Answer 17

Compliance Manager or owner of campaign

Question 18

Table Relationship in GRC: Policy and Compliance

Answer 18

Policy [sn_compliance_policy] Control Objective [sn_compliance_policy_statement] Citation [sn_compliance_citation] Authority Document [sn_compliance_authority_document]

(ALL MANY TO MANY RELATIONSHIPS)
(COs related to multiple citations allows “test once satisfy many”)

Question 19

Indicator Template - table name

Answer 19

sn_grc_indicator_template

GRC: Profiles

Question 20

Indicator - table name

Answer 20

sn_grc_indicator

GRC: Profiles

Question 21

Control Objective - table name

Answer 21

sn_compliance_policy_statement

GRC: Policy & Compliance

Question 22

Control - table name

Answer 22

sn_compliance_control

GRC: Policy & Compliance

Question 23

Entity Type - table name

Answer 23

sn_grc_profile_type

GRC: Profiles

Question 24

Entity - table name

Answer 24

sn_grc_profile

GRC: Profiles

Question 25

Issue - table name

Answer 25

sn_grc_issue

GRC: Profile

Question 26

Control Attestation - table name

Answer 26

asmt_assessment_instance

Global

Question 27

Risk - table name

Answer 27

sn_risk_risk

GRC: Risk

Question 28

**Recommend studying page 133

Answer 28

**Recommend studying page 133

Question 29

Policy to Control Objective - table name

Answer 29

sn_compliance_m2m_policy_policy_statement

Question 30

Control Objective to Control Objective - table name

Answer 30

sn_compliance_m2m_policy_stmt_policy_stmt

Question 31

Control Objective to Citation - table name

Answer 31

sn_compliance_m2m_statement_citation

Question 32

Control Objective to Entity Type - table name

Answer 32

sn_compliance_m2m_statement_profile_type

Question 33

**recommend studying page 134

Answer 33

**recommend studying page 134

Question 34

Audience to Audience Filters - table

Answer 34

sn_grc_m2m_audience_filter

Question 35

Audience to User - table name

Answer 35

sn_grc_m2m_audience_user

Question 36

Audience to User Groups - table name

Answer 36

sn_grc_m2m_audience_user_group

Question 37

What table does Acknowledgement Campaign extend from

Answer 37

Task table

Question 38

What table does Acknowledgement extend

Answer 38

It doesn’t extend from a table

Question 39

Assessment Grouping Criteria - table name

Answer 39

[sn_grc_asmt_group_options]

Used to determine grouping criteria for control attestations and risk assessments

Question 40

Change who can edit a Policy in Review State

Answer 40

ComplianceUtils

Question 41

Change how compliance scores roll up

Answer 41

ComplianceScoreCalculator

Question 42

Display # of controls excluded from compliance score

Answer 42

AssessmentStrategy

Question 43

Use a different criteria to create control records

Answer 43

ControlGeneratorStrategy

Question 44

Add the state of X to the Policy Exception Process

Answer 44

PolicyException

Question 45

Modify the Policy Acknowledgement process

Answer 45

PolicyAcknowledgementUtils

Question 46

Policy Form - fields to make visible

Answer 46

Number
Category
Classification
Formatter - activity

Question 47

Control Objective form - fields to make visible

Answer 47

Choice list updates - category, classification, type
Add Fields - Order, Imported
Formatter - Activity

Question 48

Control form - fields to make visible

Answer 48

Add fields - created manually

Question 49

Issue form - fields to make visible

Answer 49

Add fields - watch list
Due date
Created manually
Created by
Created date

Question 50

Two Options for changing/increasing security

Answer 50

ACL Customization

Business Rule Customization

Question 51

Compliance Score Color Scheme

Answer 51

Red <50
Yellow 50-80
Green >80

Question 52

What is an indicator

Answer 52

A filter that looks at a table for evidence

Question 53

Two policy exception flows

Answer 53

• Initial verification (should we consider). Trigger in Substate field. Generates verification based on information in the verification rules record
• Final approval(s) (should we approve this). Triger is in State field changing to AA. Generates approval(s) based on info in Approval Rules record

Question 54

Which tables can SLAs NOT be applied to

note to studier: its easier to remember the ones you can’t than the ones you can

Answer 54

Control
Registered Risk 
Control Objective
Risk Statement
Policy
Risk Framework

Question 55

Baseline Default GRC Knowledgebase

Answer 55

Workflows with GRC KB in baseline
Can Contribute User Criteria for GRC User role
Social Q&A enabled
KB owner is System Admin