Quizlet GRC Flashcards

1
Q

Profile/Entity

A

Records that aggregate GRC information related to a specific item

2
Q

Authority Document

A

The external regulations, certifications, frameworks, standards, and best practices an organization must comply with; each is broken down into the Citations it imposes

3
Q

Citations

A

Records with the specific requirements cited by an Authority Document

4
Q

Policy

A

An internal practice that ensures compliance and reduces Risk exposure

5
Q

Control Objective

A

The specific details that a process must follow within a Policy; the same record type is called a Policy Statement elsewhere in this deck and is stored on the Content table

6
Q

Unified Compliance Framework (UCF)

A

A compliance database for managing IT compliance requirements from around the world; it maps Authority Documents and their Citations to one de-duplicated list of Controls

7
Q

Risk Criteria

A

Quantitative or Qualitative values against which level of Risk is evaluated

8
Q

Residual Score

A

The score of the Risk after any response strategy is implemented

9
Q

Risk Roles

A

Risk Admin, Risk Manager, Risk User, Risk Reader, Survey Reader

10
Q

Can an Entity belong to more than one Entity Class?

A

False - each Entity belongs to exactly one Entity Class

11
Q

Can a Profile be related to more than one Profile Type?

A

True - a Profile can be related to several Profile Types

12
Q

Issue

A

A GRC task that allows end users to document Control and Risk Issues and track the response to remediate or accept the issue

13
Q

Indicator

A

A metric used to collect data to monitor Controls and Risks, and collect audit evidence

14
Q

Risk Framework

A

A formalized process for managing Risk on an explicit basis; in the application it is a Document record that groups related Risk Statements

15
Q

Control

A

The actual control activities that an organization performs; in the application a Control is a Policy Statement applied to a specific Profile and moves through the Draft, Attest, Review, Monitor and Retired states

16
Q

Risk Statement

A

A defined consequence that can occur if a threat exploits a vulnerability

17
Q

Risk Register

A

A repository of the key attributes of potential and known Risk issues

18
Q

Risk

A

Any threat or vulnerability that could adversely affect an organization's business objectives; in the application a Risk is a Risk Statement applied to a specific Profile and carries an inherent, a residual and a calculated score

19
Q

Calculated Score

A

Derived from the Inherent Score and the Residual Score, weighted by the Calculated Risk Factor (the impact of Control and Indicator failures), to give the overall outcome

20
Q

Inherent Likelihood

A

the likelihood of the identified Risk occurring before any response strategy is implemented

21
Q

Inherent Risk

A

The level of risk before any actions and Controls are in place

22
Q

Inherent Score

A

The score of the risk before any response strategy is implemented

23
Q

Qualitative scoring

A

Score = Impact x Likelihood, with each rated on an ordinal scale (for example 1 to 5); the inherent and residual scores are computed the same way from the inherent and residual Impact and Likelihood

24
Q

Quantitative scoring

A

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO), where SLE = asset value x exposure factor; inherent and residual ALE use the values before and after the response strategy

25
Residual Likelihood
The likelihood of the identified Risk occurring after any response strategy is implemented
26
Residual Risk
The level of Risk after actions and Controls are in place
27
Compliance Roles
Compliance Developer, Compliance Admin, Compliance Manager, Compliance User, Compliance Reader, Survey Reader
28
GRC Roles
Legacy roles - do not use (GRC Developer, GRC Admin, GRC Manager, GRC User, GRC Reader)
29
What tables extend the Document table (sn_grc_document)?
Risk Framework, Policy, Authority Document
30
What tables extend the Content table (sn_grc_content)?
Risk Statement, Policy Statement, Citation
31
What tables extend the Item table (sn_grc_item)?
Risk, Control
32
True/False - Any component (Business Rules, Client Scripts, ACLs, etc.) defined on a parent table such as sn_grc_item also applies to the tables that extend it
true
33
Can a Profile belong to more than one Profile Type?
true
34
What roles can create Profile Classes, Profile Types, and Profiles?
Compliance Manager, Risk Manager
35
What roles can create Issues, Indicators, Remediation Tasks, and Policy Exceptions?
Compliance Manager, Risk Manager
36
What roles can view Authority Documents and Citations?
Compliance Managers, Compliance Users
37
What roles can create Policies, Policy Statements, Policy Exceptions, Controls, Authority Documents, and Citations?
Compliance Managers, Compliance Users
38
What roles can view Risk Frameworks, Risk Statements, Assessments, and Risk Response tasks?
Risk Managers, Risk Users
39
What roles can create Risks, Risk Frameworks, and Risk Statements?
Risk Managers
40
What roles can create Risks?
Risk Managers, Risk Users
41
Where can the SOX Content pack be found?
ServiceNow Store
42
What are the 5 states of the Policy Lifecycle?
Draft, Review, Awaiting Approval, Published, Retired
43
What are the 5 states of the Control Lifecycle?
Draft, Attest, Review, Monitor, Retired
44
What are the 5 states of the Issue Lifecycle?
New, Analyze, Respond, Review, Closed
45
What are the 7 states of the Policy Exception Lifecycle?
New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed
46
Can a Compliance Manager move the Policy from Review to the next state?
False - only the reviewer can move it from the review state to the next
47
While a Policy is in the ___________ state, Approvers receive a ServiceNow Approval task.
Awaiting Approval
48
True/False - If there are no approvers listed on a Policy, the Policy will go straight to the Published state after the review is complete
true
49
________ state indicates that a Control is no longer implemented
Retired
50
Controls automatically move to ------- from the attestation state
Review
51
Issues can get automatically created for what 4 reasons?
1. an Indicator fails; 2. an attestation result is Not Implemented; 3. a Control Test's effectiveness is Ineffective and the test is in the Closed state; 4. continuous monitoring results
52
Policy Exceptions can be created from what 4 locations?
Policy Exception module, Issues, Policy Statement, Policy
53
True/False - Risk Assessment and Review states will be skipped if a Risk Assessment has been selected
false
54
True/False - Issues are automatically closed when a control test result failure is remediated
true
55
What are the 2 Risk Scoring Methods?
Quantitative and Qualitative
56
SLE x ARO = ALE
Quantitative calculation
57
Control Failure Factor is ________
the impact of Control Failures on the Calculated score of risks
58
Indicator Failure Factor is _________
the impact of risk Indicator failures on the calculated score of risks
59
Calculated Risk Factor is __________
the average impact factor that is actually used to compute the calculated score of risks
60
Calculated ALE formula is ________
(Residual ALE) + {(Inherent ALE - Residual ALE) * [Calculated Risk Factor/100]}
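The scoring arithmetic from cards 23, 24 and 57 to 60, worked through as an added example; this is not code from the flashcard deck or from ServiceNow, just plain JavaScript with no platform APIs. Card 60's Calculated ALE formula is reproduced exactly. The deck does not say how the Control Failure Factor and Indicator Failure Factor combine into the Calculated Risk Factor, so the example assumes each factor is scaled by the fraction of that risk's Controls or Indicators that failed and the two are averaged; it also applies card 60's interpolation to the qualitative scores. The record shape and the sample figures are constructed for the example.

```javascript
// Added example, not ServiceNow or Quizlet code: risk scoring arithmetic from
// the cards (qualitative Impact x Likelihood, quantitative SLE x ARO = ALE,
// and the Calculated ALE formula). Plain JavaScript, runs under Node as-is.

// Qualitative scoring: ordinal Impact x Likelihood on a 1-5 scale.
function qualitativeScore(impact, likelihood) {
  checkRange(impact, 1, 5, "impact");
  checkRange(likelihood, 1, 5, "likelihood");
  return impact * likelihood;
}

// Quantitative scoring: SLE = asset value x exposure factor, ALE = SLE x ARO.
function singleLossExpectancy(assetValue, exposureFactor) {
  checkRange(exposureFactor, 0, 1, "exposure factor");
  return assetValue * exposureFactor;
}
function annualizedLossExpectancy(sle, aro) {
  checkRange(aro, 0, Infinity, "ARO");
  return sle * aro;
}

// Calculated Risk Factor in percent. ASSUMPTION (not stated in the deck): the
// Control Failure Factor is scaled by the fraction of this risk's Controls that
// failed, the Indicator Failure Factor by the fraction of failed Indicators,
// and the two contributions are averaged ("the average impact factor").
function calculatedRiskFactor(f) {
  var controlShare = failedShare(f.failedControls, f.totalControls);
  var indicatorShare = failedShare(f.failedIndicators, f.totalIndicators);
  return (f.controlFailureFactor * controlShare +
          f.indicatorFailureFactor * indicatorShare) / 2;
}

// Fraction of monitors that failed; a risk with no Controls or Indicators
// contributes nothing instead of dividing by zero.
function failedShare(failed, total) {
  if (!total) return 0;
  if (failed < 0 || failed > total) throw new RangeError("failed must be 0.." + total);
  return failed / total;
}

// Card 60, reproduced exactly:
// Calculated = Residual + (Inherent - Residual) * (Calculated Risk Factor / 100).
// Factor 0 scores the risk at its residual value; factor 100 falls back to the
// inherent value, i.e. the response strategy is treated as having no effect.
function calculatedScore(inherent, residual, riskFactorPercent) {
  checkRange(riskFactorPercent, 0, 100, "risk factor");
  if (residual > inherent) throw new RangeError("residual score cannot exceed inherent score");
  return residual + (inherent - residual) * (riskFactorPercent / 100);
}

function checkRange(v, lo, hi, name) {
  if (typeof v !== "number" || isNaN(v) || v < lo || v > hi) {
    throw new RangeError(name + " must be a number in " + lo + ".." + hi);
  }
}

// Score one risk record both ways. The record shape is this example's own.
function scoreRisk(risk) {
  var sle = singleLossExpectancy(risk.assetValue, risk.exposureFactor);
  var inherentAle = annualizedLossExpectancy(sle, risk.inherentAro);
  var residualAle = annualizedLossExpectancy(sle, risk.residualAro);
  var inherentScore = qualitativeScore(risk.inherentImpact, risk.inherentLikelihood);
  var residualScore = qualitativeScore(risk.residualImpact, risk.residualLikelihood);
  var crf = calculatedRiskFactor(risk.failures);
  return {
    inherentScore: inherentScore,
    residualScore: residualScore,
    calculatedScore: calculatedScore(inherentScore, residualScore, crf),
    inherentAle: inherentAle,
    residualAle: residualAle,
    calculatedRiskFactor: crf,
    calculatedAle: calculatedScore(inherentAle, residualAle, crf)
  };
}

// Constructed sample risk (figures invented for the example).
var SAMPLE_RISK = {
  assetValue: 500000, exposureFactor: 0.4,   // SLE = 200,000
  inherentAro: 0.5, residualAro: 0.1,        // ALE 100,000 before, 20,000 after controls
  inherentImpact: 5, inherentLikelihood: 4,  // qualitative inherent score 20
  residualImpact: 4, residualLikelihood: 2,  // qualitative residual score 8
  failures: {
    controlFailureFactor: 50, failedControls: 1, totalControls: 4,
    indicatorFailureFactor: 30, failedIndicators: 1, totalIndicators: 2
  }
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scoreRisk(SAMPLE_RISK), null, 2));
}
```

With the sample figures one failed Control out of four (factor 50) and one failed Indicator out of two (factor 30) give a Calculated Risk Factor of 13.75, so the Calculated ALE lands at 31,000: above the 20,000 residual because the failures mean the response strategy is only partly trusted, but well below the 100,000 inherent. The range checks matter in practice: a residual higher than inherent, or a factor outside 0 to 100, would silently move the calculated value outside the inherent/residual band, which is exactly the kind of data-entry error that read-only scoring fields (card 61) are meant to prevent.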
61
How to restrict risk record fields such as risk scoring fields?
Option 1: create a form view and control access to the view; Option 2: create read ACLs at the record level or on the individual scoring fields. Only Option 2 is enforced by the platform: a view only changes what the form displays, while field-level read ACLs also apply to lists, reports and API access.
62
True/False - Risk Managers use Profile Types and Profiles to monitor Risk Exposure and perform Risk Assessments
true
63
True/False - Policy and Compliance Managers use EntityTypes and Entities to create a system of internal Controls and monitor compliance
true
64
What are the 6 scoped applications in GRC?
GRC Profiles, GRC: Workbench, Policy and Compliance, Risk, UCF Compliance, GRC: Performance Analytics Integrations
65
How mature are 80% of the customers in GRC?
Between Manual and Basic, starting with Spreadsheets to Semi-automated GRC Processes
66
What are some of the Security Regulations/Framework?
ISO 27001, NIST, PCI DSS
67
How to access all risks?
Risk Register -> All Risks
68
What are the 3 types of packaging available for IRM?
IRM Standard, IRM Professional, IRM Enterprise
69
Which is a standalone application in GRC?
Vendor Risk Management
70
Which GRC Store applications have system plugin dependencies?
Policy and Compliance Management, Risk Management, Audit Management and Vendor Risk Management
71
Which roles can create GRC Attestation metric type?
Attestation Creator
72
Which roles can create GRC Risk Assessment Metric Type?
Risk Assessment Creator
73
What does the Document field reference?
Risk Framework/Policy/Authority Document
74
What does the Content field reference?
Risk Statement/Control Objective (Policy Statement)/Citation
75
What does the Item field reference?
Risk/Control
76
Who are the customers eligible for Use case accelerators?
Professional and Enterprise Package customers
77
__________________ provides correlation across authority documents and regulations and provides a single consolidated list of Controls in a scalable and efficient compliance framework.
UCF
78
________________ integrates with the Policy and Compliance and Risk applications in ServiceNow to provide real-time metrics that affect an organization's risk and compliance posture.
Vendor Risk Management
79
_________________ provides pre-packaged reports and widgets organized in GRC dashboards to complement baseline functionality.
Performance Analytics
80
______________ ensures the data used by Risk and Compliance related applications is maintained properly.
Data Certification
81
Which plugin is important to enable configuration tests?
Configuration Compliance
82
What plugins are needed for Policy & Compliance and Risk Management?
GRC: Policy and Compliance Management (com.sn_compliance); GRC: Risk Management (com.sn_risk)
83
True/False - Record data is not tracked in update sets, which capture configuration only
true
84
Which resources should be on a GRC Implementation?
ServiceNow platform experts, Risk and Compliance experts, a ServiceNow developer, a CMDB developer, a UI design team, and organizational change management
85
Which table stores the relationship between Profiles (Entities) and Profile Types?
sn_grc_m2m_profile_profile_type
86
Script Includes that play a vital role in GRC: Profiles
GRCUtilsBase, IssueUtilsBase, GRCAssessmentUtilsBase
87
Who can move a control to Monitor state?
Compliance Manager, Compliance Admin
88
What is the default state of the Issue record?
New
89
How can you automate Profile Owner Group Membership?
By using Flow Designer
90
If Risk Statement is reactivated, what state does the risk go to?
Draft
91
What is the relationship table that relates Risks to controls?
sn_risk_m2m_risk_control
92
GRC in an "old work" model with unstructured workflows and processes is too inefficient. The departments are too ______ and they all work independently of each other
siloed
93
What results are companies looking for when they implement a GRC program?
Integrated reporting, workflow driven processes, transparency, efficiency
94
What is Governance?
The Policies and oversight necessary to ensure sustainability of internal goals and objectives while understanding inherent risk and adhering to external laws and regulations
95
What is the table name that holds the relationships of Risk Frameworks to Profile Types?
sn_risk_m2m_framework_profile_type
96
What is the table name that holds the relationships of Risk Statements to Profile Types?
sn_risk_m2m_risk_definition_profile_type
97
What is the table name that holds the relationships of Policies to Profile Types?
sn_compliance_m2m_policy_profile_type
98
What is the table name that holds the relationships of Policy Statements to Profile Types?
sn_compliance_m2m_statement_profile_type
99
True/False - A Profile can be related to more than one Profile Class
false - a Profile belongs to exactly one Profile Class
100
True/False - SLAs are used to help monitor and report on agreed service levels
true
101
SLE (quantitative) is the same as _________ (qualitative)?
Impact
102
ARO (quantitative) is the same as _________ (qualitative)?
Likelihood