Policy & Comp Imp Approach Flashcards
Policy Record Lifecycle
Draft → Review → Awaiting Approval → Published → Retired
Who can create a policy?
Compliance Users and above
Who can move a policy from Review to Awaiting Approval?
Named Reviewer or Policy Owner
(not a Compliance Manager or Admin)
Who can manually retire a policy?
Compliance Manager or Policy Owner
Which record does not have a lifecycle?
Control Objective (control objectives are also child records of a policy)
Control Lifecycle
Draft → Attest → Review → Monitor → Retire
Who can create controls?
Compliance User
Who can attest to a control?
The person assigned to it
(a system administrator can also attest by impersonating the assignee)
Who can move a control into “Monitor”?
Compliance Manager
This ensures the control and its attestation results are reviewed before the control enters Monitor
How are controls retired?
- Manually, by a Compliance Manager
- Automatically, when the related entity becomes inactive
Policy Exception Lifecycle
New → Analyze → Review → Awaiting Approval → Approved → Closed
Who can request a policy exception?
Any user with the snc_internal role
Who handles policy exceptions in the “analyze” state?
Compliance Manager
Three locations from which a policy exception can be initiated:
Within GRC: Policy & Compliance
Service Portal
Other apps added to Integration Registry
Policy Acknowledgement Lifecycle
New
Pending Acknowledgement
Closed
Canceled
Who can set up a Policy Acknowledgement Campaign?
Compliance User
Who determines the audience of a Policy Acknowledgement Campaign?
Compliance Manager or Admin
Who can cancel a Policy Acknowledgement Campaign?
Compliance Manager or owner of campaign
Table Relationships in GRC: Policy and Compliance
Policy [sn_compliance_policy]
Control Objective [sn_compliance_policy_statement]
Citation [sn_compliance_citation]
Authority Document [sn_compliance_authority_document]
(all many-to-many relationships)
(a control objective related to multiple citations allows “test once, satisfy many”)
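As an added example that is not part of these flashcards or of the ServiceNow product code: a small Python model of the many-to-many chain Control → Control Objective → Citation → Authority Document, on constructed sample data, showing how one compliant control propagates to every citation and authority document its control objective cites. The record names, citation IDs and attestation results are illustrative assumptions; only the bracketed table names in the comments come from the cards.

```python
from collections import defaultdict

# Constructed sample data (illustrative names, not real sys_ids or ServiceNow API calls).
# Control Objective [sn_compliance_policy_statement] -> Citations [sn_compliance_citation], many-to-many
CO_TO_CITATIONS = {
    "CO-Encrypt-Data-At-Rest": {"ISO27001-A.8.24", "PCI-3.5.1", "NIST-SC-28"},
    "CO-MFA-Admin-Access": {"PCI-8.4.2", "NIST-IA-2"},
    "CO-Annual-Access-Review": {"ISO27001-A.5.18"},
}
# Citation -> Authority Document [sn_compliance_authority_document]
CITATION_TO_AUTHDOC = {
    "ISO27001-A.8.24": "ISO 27001:2022",
    "ISO27001-A.5.18": "ISO 27001:2022",
    "PCI-3.5.1": "PCI DSS v4.0",
    "PCI-8.4.2": "PCI DSS v4.0",
    "NIST-SC-28": "NIST SP 800-53",
    "NIST-IA-2": "NIST SP 800-53",
}
# Control [sn_compliance_control] -> (control objective it implements, latest attestation result)
CONTROL_RESULTS = {
    "CTRL-DB-TDE-prod": ("CO-Encrypt-Data-At-Rest", "compliant"),
    "CTRL-VPN-MFA": ("CO-MFA-Admin-Access", "non_compliant"),
}

# Ordered from best to worst; when several results feed one record, the worst one wins.
STATUS_ORDER = ("not_tested", "compliant", "non_compliant")


def _worst(statuses):
    """Conservative roll-up: non_compliant > compliant > not_tested; empty input means untested."""
    return max(statuses, key=STATUS_ORDER.index) if statuses else "not_tested"


def control_objective_status(control_results=CONTROL_RESULTS, co_to_citations=CO_TO_CITATIONS):
    """Roll attestation results up from controls to the control objective each implements."""
    per_co = defaultdict(set)
    for co, result in control_results.values():
        per_co[co].add(result)
    return {co: _worst(per_co.get(co, set())) for co in co_to_citations}


def citation_status(control_results=CONTROL_RESULTS, co_to_citations=CO_TO_CITATIONS):
    """Fan each control objective's status out to every citation it is related to."""
    co_status = control_objective_status(control_results, co_to_citations)
    per_citation = defaultdict(set)
    for co, citations in co_to_citations.items():
        for citation in citations:
            per_citation[citation].add(co_status[co])
    return {citation: _worst(s) for citation, s in per_citation.items()}


def authority_document_coverage(control_results=CONTROL_RESULTS,
                                co_to_citations=CO_TO_CITATIONS,
                                citation_to_authdoc=CITATION_TO_AUTHDOC):
    """Per authority document: how many of its cited requirements are currently compliant."""
    cit_status = citation_status(control_results, co_to_citations)
    coverage = defaultdict(lambda: {"compliant": 0, "total": 0})
    for citation, doc in citation_to_authdoc.items():
        coverage[doc]["total"] += 1
        if cit_status.get(citation) == "compliant":  # a citation nobody cites stays uncounted
            coverage[doc]["compliant"] += 1
    return dict(coverage)


def citations_satisfied_by(control, control_results=CONTROL_RESULTS, co_to_citations=CO_TO_CITATIONS):
    """'Test once, satisfy many': every citation a single compliant control covers via its objective."""
    co, result = control_results[control]
    return set(co_to_citations[co]) if result == "compliant" else set()


if __name__ == "__main__":
    for control in CONTROL_RESULTS:
        print(control, "->", sorted(citations_satisfied_by(control)))
    for doc, cov in sorted(authority_document_coverage().items()):
        print(f"{doc}: {cov['compliant']}/{cov['total']} citations compliant")
```

The roll-up is deliberately conservative: a citation reached by both a compliant and a non-compliant control objective reports non_compliant, so a passing attestation never masks a failing one elsewhere in the graph. With the sample data, the single compliant database-encryption control satisfies three citations across all three authority documents, while the untested access-review objective leaves ISO 27001 A.5.18 as not_tested rather than silently compliant.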
Indicator Template - table name
sn_grc_indicator_template
GRC: Profiles
Indicator - table name
sn_grc_indicator
GRC: Profiles
Control Objective - table name
sn_compliance_policy_statement
GRC: Policy & Compliance
Control - table name
sn_compliance_control
GRC: Policy & Compliance