Quizlet GRC

Question 1

Profile/Entity

Answer 1

Records that aggregate GRC information related to a specific item

Question 2

Authority Document

Answer 2

The regulations, certifications, frameworks, standards, and best practices for compliance with regulations

Question 3

Citations

Answer 3

Records with the specific requirements cited by an Authority Document

Question 4

Policy

Answer 4

internal practice ensure compliance and reduce Risk exposure

Question 5

Control Objective

Answer 5

specific details that a process follows within a Policy

Question 6

Unified Compliance Framework (UCF)

Answer 6

Compliance database serving for managing IT compliance requirements from around the world

Question 7

Risk Criteria

Answer 7

Quantitative or Qualitative values against which level of Risk is evaluated

Question 8

Residual Score

Answer 8

The score of the Risk after any response strategy is implemented

Question 9

Risk Roles

Answer 9

Risk Admin, Risk Manager, Risk User, Risk Reader, Survey Reader

Question 10

An entity can belong to more than one Entity Class?

Answer 10

false

Question 11

A Profile can be related to one or more multiple profile types?

Answer 11

true

Question 12

Issue

Answer 12

A GRC task that allows end users to document Control and Risk Issues and track the response to remediate or accept the issue

Question 13

Indicator

Answer 13

A metric used to collect data to monitor Controls and Risks, and collect audit evidence

Question 14

Risk Framework

Answer 14

A formalized process for managing Risk on an explicit basis

Question 15

Control

Answer 15

The actual control activities that are to be performed by an organization

Question 16

Risk Statement

Answer 16

A defined consequence that can occur if a threat exploits a vulnerability

Question 17

Risk Register

Answer 17

A repository of the key attributes of potential and known Risk issues

Question 18

Risk

Answer 18

Any threat or vulnerability that could adversely affect an organization’s business objectives.

Question 19

Calculated Score

Answer 19

Derived from the inherent score and the residual score as an overall outcome

Question 20

Inherent Likelihood

Answer 20

the likelihood of the identified Risk occurring before any response strategy is implemented

Question 21

Inherent Risk

Answer 21

The level of risk before any actions and Controls are in place

Question 22

Inherent Score

Answer 22

The score of the risk before any response strategy is implemented

Question 23

Qualitative Impact

Answer 23

Calculated by Impact x likelihood

Question 24

Quantitative Impact

Answer 24

Calculated by Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)

Question 25

Residual Likelihood

Answer 25

The likelihood of the identified Risk occurring after any response strategy is implemented

Question 26

Residual Risk

Answer 26

The level of Risk after actions and Controls are in place

Question 27

Compliance Roles

Answer 27

Compliance Developer, Compliance Admin, Compliance Manager, Compliance User, Compliance Reader, Survey Reader

Question 28

GRC Roles

Answer 28

Legacy roles - do not use (GRC Developer, GRC Admin, GRC Manager, GRC User, GRC Reader)

Question 29

What tables extend the Document table (sn_grc_document)?

Answer 29

Risk Framework, Policy, Authority Document

Question 30

What tables extend the Content table (sn_grc_content)?

Answer 30

Risk Statement, Policy Statement, Citation

Question 31

What tables extend the Item table (sn_grc_item)?

Answer 31

Risk, Control

Question 32

Any component (Business Rules, Client Scripts, ACL, etc.) that is defined for the parent table applies to any tables extended from it

Answer 32

true

Question 33

Can a Profile belong to one or more multiple Profile Types?

Answer 33

true

Question 34

What roles can create Profile Classes, Profile Types, and Profiles?

Answer 34

Compliance Manager, Risk Manager

Question 35

What role can create Issues, Indicators, Remediation Tasks, and Policy Exceptions?

Answer 35

Compliance Manager, Risk Manager

Question 36

What roles can view Authority Documents and Citations?

Answer 36

Compliance Managers, Compliance Users

Question 37

What roles can create Policies, Policy Statements, Policy Exceptions, Controls, Authority Documents, and Citations?

Answer 37

Compliance Managers, Compliance Users

Question 38

What roles can view Risk Frameworks, Risk Statements, Assessments, and Risk Response tasks?

Answer 38

Risk Managers, Risk Users

Question 39

What roles can create Risks, Risk Frameworks, and Risk Statements?

Answer 39

Risk Managers

Question 40

What roles can create Risks?

Answer 40

Risk Managers, Risk Users

Question 41

Where can the SOX Content pack be found?

Answer 41

ServiceNow Store

Question 42

What are the 5 states of the Policy Lifecycle?

Answer 42

Draft, Review, Awaiting Approval, Published, Retired

Question 43

What are the 5 states of the Control Lifecycle?

Answer 43

Draft, Attest, Review, Monitor, Retired

Question 44

What are the 5 states of the Issue Lifecycle?

Answer 44

New, Analyze, Respond, Review, Closed

Question 45

What are the 7 states of the Policy Exception Lifecycle?

Answer 45

New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed

Question 46

Can a Compliance Manager move the Policy from Review to the next state?

Answer 46

False - only the reviewer can move it from the review state to the next

Question 47

While a Policy is in the ___________ state, Approvers receive a ServiceNow Approval task.

Answer 47

Awaiting Approval

Question 48

True/False - If there are no approvers listed on a Policy, the Policy will go straight to the Published state after the review is complete

Answer 48

true

Question 49

________ state indicates that a Control is no longer implemented

Answer 49

Retired

Question 50

Controls automatically move to ——- from the attestation state

Answer 50

Review

Question 51

Issues can get automatically created for what 4 reasons?

Answer 51

1. Indicator fails
2. attestation results are Not Implemented
3. Control Test effectiveness is Ineffective and state of test is closed
4. continuous monitoring results

Question 52

Policy Exceptions can be created from what 4 locations?

Answer 52

Policy Exception module, Issues, Policy Statement, Policy

Question 53

True/False - Risk Assessment and Review states will be skipped if a Risk Assessment has been selected

Answer 53

false

Question 54

True/False - Issues are automatically closed when a control test result failure is remediated

Answer 54

true

Question 55

What are the 2 Risk Scoring Methods?

Answer 55

Quantitative and Qualitative

Question 56

SLE x ARO = ALE

Answer 56

Quantitative calculation

Question 57

Control Failure Factor is ________

Answer 57

the impact of Control Failures on the Calculated score of risks

Question 58

Indicator Failure Factors is _________

Answer 58

the impact or risk indicator failures on the calculated score of risks

Question 59

Calculated Risk Factor is __________

Answer 59

the average impact factor that is actually used to compute the calculated score of risks

Question 60

Calculated ALE formula is ________

Answer 60

(Residual ALE) + {(Inherent ALE - Residual ALE) * [Calculated Risk Factor/100]}

Question 61

How to restrict risk record fields such as risk scoring fields?

Answer 61

Option 1: create a form view with ACLs on the view

Option 2: create READ ACL at the record level or on individual fields

Question 62

True/False - Risk Managers use Profile Types and Profiles to monitor Risk Exposure and perform Risk Assessments

Answer 62

true

Question 63

True/False - Policy and Compliance Managers use EntityTypes and Entities to create a system of internal Controls and monitor compliance

Answer 63

true

Question 64

What are the 6 scoped applications in GRC?

Answer 64

GRC Profiles, GRC: Workbench, Policy and Compliance, Risk, UCF Compliance, GRC: Performance Analytics Integrations

Question 65

How mature are 80% of the customers in GRC?

Answer 65

Between Manual and Basic, starting with Spreadsheets to Semi-automated GRC Processes

Question 66

What are some of the Security Regulations/Framework?

Answer 66

ISO 27001, NIST, PCI DSS

Question 67

How to access all risks?

Answer 67

Risk Register -> All Risks

Question 68

What are the 3 types of packaging available for IRM?

Answer 68

IRM Standard, IRM Professional, IRM Enterprise

Question 69

Which is a standalone application in GRC?

Answer 69

Vendor Risk Management

Question 70

Which GRC Store applications have system plugin dependencies?

Answer 70

Policy and Compliance Management, Risk Management, Audit Management and Vendor Risk Management

Question 71

Which roles can create GRC Attestation metric type?

Answer 71

Attestation Creator

Question 72

Which roles can create GRC Risk Assessment Metric Type?

Answer 72

Risk Assessment Creator

Question 73

What does the Document field reference to?

Answer 73

Risk Framework/Policy/Authority Document

Question 74

What does the Content field reference to?

Answer 74

Risk Statement/Control Objective/Citation

Question 75

What does the Item field reference to?

Answer 75

Risk/Control

Question 76

Who are the customers eligible for Use case accelerators?

Answer 76

Professional and Enterprise Package customers

Question 77

__________________ provides correlation across authority documents and regulations and provide a single consolidated list of Controls into a scalable and efficient compliance framework.

Answer 77

UCF

Question 78

________________ integrates with Policy and Compliance and Risk applications in ServiceNow to provide real time metrics which affect an organizations risk and compliance posture.

Answer 78

Vendor Risk Management

Question 79

_________________ provides pre-packaged reports and widgets organized in GRC dashboards to compliment baseline functionality.

Answer 79

Performance Analytics

Question 80

______________ ensures the data used by Risk and Compliance related applications is maintained properly.

Answer 80

Data Certification

Question 81

Which plugin is important to enable configuration tests?

Answer 81

Configuration Compliance

Question 82

What plugins are needed for Policy & Compliance and Risk Management?

Answer 82

GRC: Policy and Compliance Management (com.sn_compliance)
GRC: Risk Management (com.sn_risk)

Question 83

Data does not get tracked on update sets? True/False

Answer 83

true

Question 84

Which resources should be on a GRC Implementation?

Answer 84

ServiceNow platform Experts
Risk and Compliance Experts
ServiceNow developer
CMDB developer
UI Design team
Org Change Management

Question 85

Table that stores relationships for Entities?

Answer 85

sn_grc_m2m_profile_profile_type

Question 86

Script Includes that play a vital role in GRC: Profiles

Answer 86

GRCUtilsBase, IssueUtilsBase, GRCAssessmentUtilsBase

Question 87

Who can move a control to Monitor state?

Answer 87

Compliance Manager, Compliance Admin

Question 88

What is the default state of the Issue record?

Answer 88

new

Question 89

How can you automate Profile Owner Group Membership?

Answer 89

By using Flow Designer

Question 90

If Risk Statement is reactivated, what state does the risk go to?

Answer 90

draft

Question 91

What is the relationship table that relates Risks to controls?

Answer 91

sn_risk_m2m_risk_control

Question 92

GRC in an “old work’ model with unstructured workflows and processes is too inefficient. The Departments are too ______ and they all work independently of each other

Answer 92

siloed

Question 93

Companies looking to implement a GRC program are looking for what 3 results?

Answer 93

Integrated reporting, workflow driven processes, transparency, efficiency

Question 94

What is Governance?

Answer 94

The Policies and oversight necessary to ensure sustainability of internal goals and objectives while understanding inherent risk and adhering to external laws and regulations

Question 95

What is the table name that holds the relationships of risk framework to Profiles?

Answer 95

sn_risk_m2m_framework_profile_type

Question 96

What is the table name that holds the relationships of risk statements to Profiles?

Answer 96

sn_risk_m2m_risk_definition_profile_type

Question 97

What is the table name that holds the relationships of Policies to Profiles?

Answer 97

sn_compliance_m2m_policy_profile_type

Question 98

What is the table name that holds the relationships of Policy Statements to Profiles?

Answer 98

sn_compliance_m2m_statement_profile_type

Question 99

True/False - A Profile can be related to one or more multiple profile classes?

Answer 99

false

Question 100

True/False - SLA’s are used to help monitor and report on agreed service levels

Answer 100

true

Question 101

SLE (quantitative) is the same as _________ (qualitative)?

Answer 101

Impact

Question 102

ARO (quantitative) is the same as _________ (qualitative)?

Answer 102

Likelihood