Policy & Compliance Implementation Approach Flashcards
What is a control objective?
A control objective is an objective, direction, or standard that acts as guidance for company interactions and operations. Control objectives can be categorized, classified, and related to other GRC components, such as policies and risk statements.
Can reference multiple policies
Can be connected to one or more citations
What is a control?
A control is the implementation of a control objective for a scoped entity.
Once an entity type is associated with a control objective, controls are generated for each entity in an entity type
The entity owner is the default control owner
Fields inherited from the control objective record, such as name and description, are read-only
How are compliance scores calculated?
Compliance scores are captured on individual controls, enabling an organization to proactively monitor and collect evidence at the operational level. Compliance scores roll up to the control objective, allowing an organization to quickly assess compliance posture. Overall areas of compliance and non-compliance are available as well as the granular view of which controls, and therefore which entities, are passing or failing.
Compliance score percentage: Compliance and non-compliance are managed at the control record level. In the baseline, the compliance score for a control objective is based on percentages:
80 or higher in green
80 to 50 in yellow
Below 50 in red
Compliance scoring is the percentage of controls that are compliant for a specific control objective.
What is a citation?
A section of an authority document with which an organization must comply
What are Authority documents?
Documents that compile regulatory content that business processes follow for compliance
What is a Framework?
Group of procedures meant to codify and clarify the intent of a law/act/regulation
What is a Regulation?
Law or rule governing the behavior and practices of an industry or market
What is a Standard?
Benchmark circulated by a regulatory agency, created to enforce the provisions of legislation
Carl is a compliance analyst with the compliance user role. What are his primary responsibilities in policy and compliance?
Send out policy acknowledgement campaigns and monitor progress
Relate policies to control objectives
The policy for personnel health and safety is being reviewed and it is in the Review state. The compliance manager, Colin, is unable to move the policy back to Draft. What could be the reason(s)?
He is not one of the named reviewers
He is not the policy owner
Defining regularly scheduled acknowledgement campaigns reduces the need to manually define campaigns. What are the prerequisite data required to automatically create an acknowledgement campaign for a policy?
In the Acknowledgement setup, details of the frequency, the first acknowledgement date, the number of days to respond and the audience need to be specified.
After controls are generated for entities at Aglow Travel, control owners need to validate that a control is implemented before evaluating its effectiveness. How do they validate this?
A control attestation is sent to the control owner to gather evidence that there is a defined method to measure the control. A completed attestation does not necessarily mean the control is compliant, but rather answers the question “has the control been implemented?” Indicators are used to measure if a control is effective.
What does a Regulatory Change coordinator do?
A Regulatory Change Coordinator, with the role sn_grc_reg_change.user, is responsible for assessing the applicability of regulatory feeds and for initiating assessments for those feeds. Additionally, this role creates action tasks for risk and compliance users.
A regulatory change task was created. Which role is required to assign the regulatory change task to an RCM user?
The RCM manager assigns the regulatory change task to an RCM user. The RCM user can only read the regulatory change task record until it is assigned.
When a regulatory feed type of event is marked as applicable, a regulatory change task is automatically created. For a source document type of feed, a source document import task is automatically created.