Policy & Comp Imp Approach Flashcards

1
Q

Policy Record Lifecycle

A
Draft
Review
Awaiting Approval
Published
Retired
2
Q

Who can create a policy?

A

Compliance Users and above

3
Q

Who can move a policy from review to AA

A

Named Reviewer or Policy Owner

not Compliance Manager or Admin

4
Q

Who can manually retire a policy?

A

Compliance Manager or Policy Owner

5
Q

Which record doesn’t have a lifecycle?

A

Control Objective (they are also a child of policy)

6
Q

Control Lifecycle

A
Draft
Attest
Review
Monitor
Retire
7
Q

Who can create Controls

A

Compliance User

8
Q

Who can attest to a control

A

Person assigned to it

sys admin can, by impersonating

9
Q

Who can move control into “Monitor”

A

Compliance Manager

this ensures that the control and attestation results are reviewed before entering monitor

10
Q

How are Controls retired

A
  • Manually by compliance manager
  • Automatically when entity becomes inactive

11
Q

Policy Exception Lifecycle

A
New
Analyze
Review
Awaiting Approval
Approved
Closed
12
Q

Who can request policy exception?

A

any user with snc_internal role

13
Q

Who handles policy exceptions in the “analyze” state?

A

Compliance Manager

14
Q

3 locations policy exceptions can be initiated

A

Within GRC: Policy & Compliance
Service Portal
Other apps added to Integration Registry

15
Q

Policy Acknowledgement Lifecycle

A

New
Pending Acknowledgement
Closed
Canceled

16
Q

Who can set up a Policy Acknowledgement Campaign?

Who determines the audience

A

Compliance User sets it up

Compliance Manager or Admin identifies audience

17
Q

Who can cancel a Policy Acknowledgement Campaign?

A

Compliance Manager or owner of campaign

18
Q

Table Relationship in GRC: Policy and Compliance

A

Policy [sn_compliance_policy]
Control Objective [sn_compliance_policy_statement]
Citation [sn_compliance_citation]
Authority Document [sn_compliance_authority_document]

(ALL MANY TO MANY RELATIONSHIPS)
(COs related to multiple citations allows “test once satisfy many”)

19
Q

Indicator Template - table name

A

sn_grc_indicator_template

GRC: Profiles

20
Q

Indicator - table name

A

sn_grc_indicator

GRC: Profiles

21
Q

Control Objective - table name

A

sn_compliance_policy_statement

GRC: Policy & Compliance

22
Q

Control - table name

A

sn_compliance_control

GRC: Policy & Compliance

23
Q

Entity Type - table name

A

sn_grc_profile_type

GRC: Profiles

24
Q

Entity - table name

A

sn_grc_profile

GRC: Profiles

25
Q

Issue - table name

A

sn_grc_issue

GRC: Profiles

26
Q

Control Attestation - table name

A

asmt_assessment_instance

Global

27
Q

Risk - table name

A

sn_risk_risk

GRC: Risk

28
Q

**Recommend studying page 133

A

**Recommend studying page 133

29
Q

Policy to Control Objective - table name

A

sn_compliance_m2m_policy_policy_statement

30
Q

Control Objective to Control Objective - table name

A

sn_compliance_m2m_policy_stmt_policy_stmt

31
Q

Control Objective to Citation - table name

A

sn_compliance_m2m_statement_citation

32
Q

Control Objective to Entity Type - table name

A

sn_compliance_m2m_statement_profile_type

33
Q

**recommend studying page 134

A

**recommend studying page 134

34
Q

Audience to Audience Filters - table

A

sn_grc_m2m_audience_filter

35
Q

Audience to User - table name

A

sn_grc_m2m_audience_user

36
Q

Audience to User Groups - table name

A

sn_grc_m2m_audience_user_group

37
Q

What table does Acknowledgement Campaign extend from

A

Task table

38
Q

What table does Acknowledgement extend

A

It doesn’t extend from a table

39
Q

Assessment Grouping Criteria - table name

A

[sn_grc_asmt_group_options]

Used to determine grouping criteria for control attestations and risk assessments

40
Q

Change who can edit a Policy in Review State

A

ComplianceUtils

41
Q

Change how compliance scores roll up

A

ComplianceScoreCalculator

42
Q

Display # of controls excluded from compliance score

A

AssessmentStrategy

43
Q

Use different criteria to create control records

A

ControlGeneratorStrategy

44
Q

Add the state of X to the Policy Exception Process

A

PolicyException

45
Q

Modify the Policy Acknowledgement process

A

PolicyAcknowledgementUtils

46
Q

Policy Form - fields to make visible

A

Number
Category
Classification
Formatter - activity

47
Q

Control Objective form - fields to make visible

A

Choice list updates - category, classification, type
Add Fields - Order, Imported
Formatter - Activity

48
Q

Control form - fields to make visible

A

Add fields - created manually

49
Q

Issue form - fields to make visible

A
Add fields - watch list
Due date
Created manually
Created by
Created date
50
Q

Two Options for changing/increasing security

A

ACL Customization

Business Rule Customization

51
Q

Compliance Score Color Scheme

A

Red <50
Yellow 50-80
Green >80

52
Q

What is an indicator

A

A filter that looks at a table for evidence

53
Q

Two policy exception flows

A
  • Initial verification (should we consider). Trigger in Substate field. Generates verification based on information in the verification rules record
  • Final approval(s) (should we approve this). Trigger is in State field changing to AA. Generates approval(s) based on info in Approval Rules record
54
Q

Which tables can SLAs NOT be applied to

note to studier: it’s easier to remember the ones you can’t than the ones you can

A
Control
Registered Risk
Control Objective
Risk Statement
Policy
Risk Framework
55
Q

Baseline Default GRC Knowledgebase

A

Workflows with GRC KB in baseline
Can Contribute User Criteria for GRC User role
Social Q&A enabled
KB owner is System Admin