Governance, Risk, and Compliance (London release), 10/18/2018



Contents
- Applications and integrations supporting GRC workflow ... 6
- GRC terminology ... 7
- Domain separation in Governance, Risk, and Compliance (GRC) ... 9
- Policy and Compliance Management ... 11
  - Understanding Policy and Compliance Management
- Risk Management ... 95
  - Understanding Risk Management
- Audit Management
  - Understanding Audit Management
- Vendor Risk Management
  - Domain separation and Vendor Risk Management
  - Understanding Vendor Risk Management
- Index

All rights reserved.

Governance, Risk, and Compliance (GRC) is the methodology created to manage the strict and complex regulatory and industry requirements across corporate environments. The GRC suite contains four main applications: Policy and Compliance Management, Risk Management, Audit Management, and Vendor Risk Management.

Who uses GRC?
The complete GRC process involves all areas of your organization working together:
- Board of directors
- Audit committee
- IT steering committee
- Compliance officer
- Risk officers (conduct risk assessments and identify everything that can go wrong in the business)
- All levels of management (assist the risk officers with identifying what can go wrong in their processes)
- Auditors (an independent body, typically reporting to the board of directors)

GRC and the Now Platform
Because the GRC application is built on the Now Platform, data and evidence is provided back to GRC, allowing you:
- full access to all asset, configuration, and IT data within the instance
- automatic evidence and data collection to see whether controls are working
- access to source data from real-time reporting
- centralized access and management for all authoritative sources, policies, and controls
- full workflow integration and business process support, integrating controls directly into your business processes
- document management and a knowledge base that can be used to support policy management and control test instructions
- secure integration to gather evidence and report on controls outside of the instance

Applications and integrations supporting GRC workflow
The following applications and integrations work together with the GRC applications to maximize your GRC workflow.

Table 1: GRC applications
(For each plugin: whether a user with the admin role can activate it, whether demo data is included, and which application the plugin is used with.)

GRC: Policy and Compliance Management (com.sn_compliance)
  Admin can activate: Yes. Demo data: Yes. Used with: One of the three GRC products. Although each of the GRC applications is available as a separate subscription, the functionality and features are more robust if all three GRC plugins are activated together.
GRC: Risk Management (com.sn_risk)
  Admin can activate: Yes. Demo data: Yes. Used with: One of the three GRC products (same note as above).
GRC: Audit Management (com.sn_audit)
  Admin can activate: Yes. Demo data: Yes. Used with: One of the three GRC products (same note as above).
GRC: Workbench (com.sn_grc_workbench)
  Admin can activate: No. Paid plugin; sold as a part of the GRC applications; not installed by default. Used with: GRC: Risk Management.

Table 2: GRC integration plugins
(Same columns as Table 1.)

GRC: Vendor Risk Management (com.sn_vdr_risk_asmt)
  Admin can activate: Yes. Demo data: Yes. Used with: GRC: Policy and Compliance Management (com.sn_compliance), GRC: Risk Management.
GRC: Compliance UCF (com.sn_comp_ucf)
  Admin can activate: Yes. Demo data: No. Used with: GRC: Policy and Compliance Management (com.sn_compliance).
GRC: Performance Analytics Integration (com.sn_grc_pa)
  Admin can activate: Yes. Demo data: No. Used with: GRC: Policy and Compliance Management (com.sn_compliance), GRC: Risk Management.
GRC: SIG Questionnaire Integration (com.sn_sig_asmt)
  Admin can activate: Yes. Demo data: No. Used with: GRC: Vendor Risk Management (com.sn_vdr_risk_asmt).

GRC terminology
The following terms are used within the GRC applications.

Authority documents
  Definition: The regulations, certifications, frameworks, standards, and best practices that an organization chooses, or is required, to comply with.
  Additional information: Related to controls, risks, and policies. IT audits typically rely on the authority documents downloaded from Network Frontiers' Unified Compliance Framework.
Citations
  Definition: Citations are records with the specific requirements cited by an authority document.
  Additional information: The citation record relates authority documents to their applicable controls.

Policies
  Definition: Policies include policies, standards, and procedures. Policies are related to authoritative documents and control records.
  Additional information: Publishing and version control of policies are managed using the document and knowledge management capabilities of the Now Platform. Custom workflows ensure that all policy changes are routed to the appropriate owners for final approval. All approved organizational policies are published in the knowledge base.
Risks
  Definition: A risk is any threat or vulnerability that could adversely affect your organization's business objectives. All risks are contained in one risk repository.
  Additional information: Risks can be related to any item, policy, control, and remediation task. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and related control tests.
Controls
  Definition: Controls are the actual control activities performed by your organization. These control records include the basic required information about the control (owner, activity, frequency, and so on).
  Additional information: Controls can be related to authoritative source contents, policies, and risks.
Control framework
  Definition: The control framework is a single consolidated set of controls which perform and preserve the cross-mapping of controls that are critical for audits.
Control test definitions
  Definition: Control test definitions specify how and when controls are tested, including testing steps, expected results, the group or individual responsible for the testing, and the test schedule. Control test instances are automatically generated from the test schedule.
  Additional information: Remediations are automatically created when control tests fail or when audit observations are noted.
Control test instances
  Definition: Control test instances are the specific occurrences when a control is tested, including: the assigned person or group, the execution steps and expected results (from the control test definition), and the results of the control test.
  Additional information: Includes details from the control test definition.
Audit
  Definition: An audit is a coordinated event where the organization identifies all of the controls that it wants to test at one time and assigns responsibility for the overall audit to a single person. A single task manages the testing of all the controls.
  Additional information: Audits are related to controls and control tests.

Audit activities
  Definition: An audit activity is one of the tasks within an audit that is assigned to an individual for execution of the audit.
Audit observations
  Definition: Audit observations are used by internal auditors to identify control gaps or new risks.
  Additional information: Audit observations are related to control gaps and risks.
Remediation
  Definition: Remediation tasks are automatically created when a control test fails or when audit observations are noted. Remediation tasks include information about the control test instance and are typically assigned to a remediation group or to the control owner.
  Additional information: Remediations are related to controls, control test failures, and control test instances.

Domain separation in Governance, Risk, and Compliance (GRC)
This is an overview of domain separation and Governance, Risk, and Compliance. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.

Overview
Support: Level 1. Domain separation is supported in this application. Not all applications support domain separation; some include limitations on the data and administrative settings that can be domain separated. To learn more, see Application support for domain separation.

Domain separation is best for those customers who:
- Need to enforce absolute data segregation between business entities (data separation).
- Customize business process definitions and user interfaces for each domain (delegated administration).
- Maintain some global processes and global reporting in a single instance. These users can choose to expand or collapse the domain scope to show or hide data from other domains.

For example, GRC data for IT can be separated from the GRC data of other departments. Each business area using the GRC application has separate data that cannot be shared with other departments.

Note: Users always have access to data from domains that have been explicitly granted to them by domain visibility.

How domain separation works in GRC
While GRC supports separation of data, separation of logic and process is not fully supported. Many types of records in GRC are automatically generated through user processes. Profiles, controls, risks, indicators, and control tests are all record types that can be generated automatically. For records that are

automatically generated (and for any GRC record that is manually generated), the domain of the record is the same as the domain of the user responsible for creating or generating the record. Keep automatic generation in mind when working in a domain-separated GRC implementation: make sure that you are creating or generating records at the right domain level so that they are visible to the right set of users.

For example, suppose you have domains that look like this:

Global
  TOP
    Domain A
    Domain B

- If you have a risk or control that you want to be assessed by users in domains A and B, the risk or control should be generated or manually created at the global level. If the risk or control is created in Domain B, you will not be able to recreate the risk or control in Domain A due to indexing.
- If you have a risk or control that you want to be assessed by users in TOP and Domain A, you can create the risk or control in Domain A.
- Unless the risks and controls are in the Global domain, do not assign risks or controls in a higher domain to users in a lower domain. In the example above, if you have a control in the TOP domain, do not assign it for attestation to users in Domains A or B: those users would not have access to the control, so the attestation or assessment questionnaire would not be generated.
- Similarly, do not assign policy statements and risk statements in a higher domain to attestations and assessments in a lower domain. Otherwise the attestation or assessment questionnaire would not be generated.

Use case
GRC data for IT can be separated from the GRC data of other departments. Each business area using the GRC application can have separate data that cannot be shared with other departments. Therefore each department can have its own profiles, policies, controls, risks, and so on.
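The assignment rule above, as an added example that is not part of the ServiceNow documentation or of the product's code: a small JavaScript model of the visibility rule (global records are visible to everyone; any other record is visible to users in its own domain or in a domain above it, plus users with an explicit domain-visibility grant). It checks an attestation assignment before the questionnaire would silently fail to generate, and picks the domain at which a control must live to be visible to a given set of users. The domain tree follows the example above; the users, the control and the function names are constructed for this example and are not a platform API.

```javascript
// Added example, not ServiceNow code: models the GRC domain-visibility rule
// described above. Domain tree from the example: Global > TOP > {A, B}.
const DOMAINS = { global: null, TOP: 'global', A: 'TOP', B: 'TOP' }; // child -> parent

// True when `ancestor` is `domain` itself or a domain above it.
function isSameOrAncestor(ancestor, domain) {
  for (let d = domain; d != null; d = DOMAINS[d]) {
    if (d === ancestor) return true;
  }
  return false;
}

// A user sees a record when it is global, when it sits in the user's own
// domain or one of its descendants, or when visibility to that domain was
// granted explicitly (the Note on domain visibility above).
function canSee(user, recordDomain) {
  if (recordDomain === 'global') return true;
  if (isSameOrAncestor(user.domain, recordDomain)) return true;
  return (user.visibility || []).includes(recordDomain);
}

// Users who would NOT be able to see the control, so no attestation or
// assessment questionnaire would be generated for them.
function blockedAssignees(control, users) {
  return users.filter((u) => !canSee(u, control.domain)).map((u) => u.name);
}

// Number of hops from a domain up to the global root.
function depth(domain) {
  let n = 0;
  for (let d = DOMAINS[domain]; d != null; d = DOMAINS[d]) n += 1;
  return n;
}

// Highest non-global domain that every listed user can see; 'global' if
// there is none (the case of users spread across sibling domains A and B).
function requiredDomain(users) {
  const candidates = Object.keys(DOMAINS)
    .filter((d) => d !== 'global' && users.every((u) => canSee(u, d)))
    .sort((x, y) => depth(x) - depth(y));
  return candidates.length ? candidates[0] : 'global';
}

// Constructed users and control for a stand-alone run.
const USERS = [
  { name: 'alice', domain: 'A' },
  { name: 'bob', domain: 'B' },
  { name: 'carol', domain: 'TOP' },
  { name: 'dave', domain: 'A', visibility: ['TOP'] }, // explicit visibility grant
];
const TOP_CONTROL = { name: 'Quarterly access review', domain: 'TOP' };

console.log('blocked for TOP control:', blockedAssignees(TOP_CONTROL, USERS));
console.log('domain for alice + carol:', requiredDomain([USERS[0], USERS[2]]));
console.log('domain for alice + bob:', requiredDomain([USERS[0], USERS[1]]));
```

Run it before assigning an attestation: an empty list from blockedAssignees means every recipient will get a questionnaire; a non-empty list names the users for whom it would not be generated, and requiredDomain tells you where the control has to be created (or recreated) instead.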
When looking at a control from the IT domain, the user can choose to expand the domain scope to show values from the Finance domain, or collapse the domain scope to show only controls that match the IT domain.

By default, domain separation adds a domain field to the Task [task] and Configuration Item [cmdb_ci] tables and their extensions. You can extend domain separation to any new tables you create by adding a sys_domain field to the table's dictionary definition. By default, the system only domain-separates platform and baseline application tables where appropriate.

Warning: ServiceNow does not recommend domain-separating platform tables (any table with the sys_ prefix, such as the Dictionary Entry [sys_dictionary] and Dictionary Entry Override [sys_dictionary_override] tables) because it can produce unexpected results.

In this use case, client scripts, business rules, workflows, processes, and so on can be domain-separated. While the behavior offered with domain separation provides multi-tenancy support, multi-tenancy is still contained within a single instance. This means that some global properties, some global data, and some global processes are shared across all domains. For example, the system's Remember me option on the login page is global and cannot be specified per domain.

If you need complete and total separation of all system properties and do not require global reporting or global processes, separate instances are the best option.

Policy and Compliance Management
The Policy and Compliance Management product provides a centralized process for creating and managing policies, standards, and internal control procedures that are cross-mapped to external regulations and best practices. Additionally, the application provides structured workflows for the identification, assessment, and continuous monitoring of control activities. The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate subscription and requires activation.

Related topics:
- Activate Policy and Compliance Management on page 13
- Components installed with Policy and Compliance Management on page 14
- Configure Policy and Compliance Management on page 18
- Policy and Compliance Administration on page 18
- Establish profile scoping for policies and controls on page 26
- Use UCF Common Controls Hub to manage compliance frameworks on page 54
- Manage GRC key risk and control indicators on page 181
- Developer training
- Developer documentation

Troubleshoot and get help:
- Ask or answer questions in the GRC community
- Search the HI Knowledge Base for known error articles
- Contact Support

Understanding Policy and Compliance Management

What is Policy and Compliance Management?
Policy and Compliance Management centralizes the following activities:
- Establish controls and control owners
- Define control tests and expected results
- Establish test and control frequencies

- Identify risks: impact and likelihood
- Prepare attestations
- Map authoritative sources to policies, procedures, controls, and risks

Who uses Policy and Compliance Management?
Policy and compliance activities involve all levels of management. A key function of good governance is the establishment of a strong organizational structure.
- Board of directors
- IT steering committee
- Audit committee
- All levels of management

Policy and Compliance Management and the Now Platform

Activate Policy and Compliance Management
The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate subscription.
Role required: admin
This plugin includes demo data and activates related plugins if they are not already active.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.
4. If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin). If available, select the Load demo data check box. Some plugins include demo data: sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
5. Click Activate.
To use the UCF import application, activate the UCF Import (com.sn_comp_ucf) plugin.

Components installed with Policy and Compliance Management
Activating the Policy and Compliance Management (com.sn_compliance) plugin adds or modifies several tables, user roles, and other components.

Tables installed with Policy and Compliance Management
Tables are added with activation of GRC: Policy and Compliance Management.
- Authority Document [sn_compliance_authority_document]: Extends the Document [sn_grc_document] table and stores all authority documents.
- Control [sn_compliance_control]: Extends the Item [sn_grc_item] table and stores all controls.
- Policy [sn_compliance_policy]: Extends the Document [sn_grc_document] table and stores all policies.
- Article Template [sn_compliance_article_template]: Used to format the policy text contained in a policy record when publishing the policy to the Knowledge Base (KB).
- Citation [sn_compliance_citation]: Extends the Content [sn_grc_content] table and stores all citations.
- Policy to Profile Type [sn_compliance_m2m_policy_profile_type]: Extends Document to Profile Type [sn_grc_m2m_document_profile_type]; a many-to-many relationship table used to manage the relationships between policies and profile types.
- Policy Statement to Citation [sn_compliance_m2m_statement_citation]: A many-to-many relationship table used to manage the relationships between policy statements and their related citations.
- Policy Statement to Profile Type [sn_compliance_m2m_statement_profile_type]: Extends Content to Profile Type [sn_grc_m2m_content_profile_type]; a many-to-many relationship table used to manage the relationships between policy statements and profile types.

- Policy Statement [sn_compliance_policy_statement]: Extends the Content [sn_grc_content] table and stores all policy statements.
- Policy Exception [sn_compliance_policy_exception]
- Policy to Policy Statement [sn_compliance_m2m_policy_policy_statement]

Note: All additional tables installed by the dependent plugins are also needed for Policy and Compliance Management.

Roles installed with Policy and Compliance Management
Roles are added with activation of GRC: Policy and Compliance Management.

Compliance Reader [sn_compliance.reader]
  Contains: sn_grc.reader
  Contains the reader role in the sn_grc scopes. In addition to the inherited permissions, the compliance reader can be assigned profile types, profiles, indicator templates, indicators, and issues.
Compliance User [sn_compliance.user]
  Contains: sn_grc.reader, sn_grc.user, sn_compliance.reader
  Contains the reader and user roles in the sn_grc scopes, and the reader role in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance user can be assigned controls, and has read-only access to the Risk Management application and modules.
Compliance Manager [sn_compliance.manager]
  Contains: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_compliance.reader, sn_compliance.user
  Contains the reader, user, and manager roles in the sn_grc scopes, and the reader and user roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance manager can create authority documents, citations, policies, policy statements, and controls.

Compliance Administrator [sn_compliance.admin]
  Contains: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_grc.admin, sn_compliance.reader, sn_compliance.user, sn_compliance.manager
  Contains the reader, user, manager, and admin roles in the sn_grc scopes, and the reader, user, and manager roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance admin can delete authority documents, citations, policies, policy statements, and controls.
Compliance Developer [sn_compliance.developer]
  Contains: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_grc.admin, sn_grc.developer, sn_compliance.reader, sn_compliance.user, sn_compliance.manager, sn_compliance.admin
  Contains the reader, user, manager, admin, and developer roles in the sn_grc scopes, and the reader, user, manager, and admin roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance developer can create article templates and edit scripts.
Attestation Creator [sn_compliance.attestation_creator]
  Role used for creating the GRC attestation metric type.

Properties installed with Policy and Compliance Management
Properties are added with activation of GRC: Policy and Compliance Management.

sn_compliance.active_states
  States for which the control is active (the first state is the default active state). Compliance administrators can change this setting.
  Type: string. Default value: draft, assess, review, monitor. Location: Policy and Compliance > Administration > Properties.
sn_compliance.closed_states
  States for which the control is inactive (the first state is the default inactive state). Compliance administrators can change this setting.
  Type: string. Default value: retired. Location: Policy and Compliance > Administration > Properties.

sn_compliance.default_attestation
  Name of the assessment metric type that is used for attestations. System administrators can change this setting.
  Type: string. Default value: GRC Attestation. Location: Policy and Compliance > Administration > Properties.
sn_compliance.glide.script.block.client.globals
  Type: true or false. Default value: false. Location: Policy and Compliance > Administration > Properties.
sn_compliance.knowledge_base
  Name of the knowledge base used to publish policy articles. Compliance administrators can change this setting.
  Type: string. Default value: Governance, Risk, and Compliance. Location: Policy and Compliance > Administration > Properties.

Supported migration
After migrating from the Legacy GRC application, certain relationships between elements are maintained. Relationships for the following elements are maintained.

Table 3: Supported GRC migration elements (Legacy GRC -> Migrated GRC)
- Authority Documents [grc_authoritative_source] -> Authority Documents [sn_compliance_authority_document]
- Citations [grc_authoritative_src_content] -> Citations [sn_compliance_citation]
- Policies [grc_policy] -> Policies [sn_compliance_policy]
- Controls [grc_control] -> Controls [sn_compliance_control] and Policy Statements [sn_compliance_policy_statement]
- Risk Definitions -> Risk Statements [sn_risk_definition]
- Risks [grc_risk] -> Risks [sn_risk_risk]
- Control Test Definitions [grc_control_test_definition], manual type -> Indicator Template [sn_grc_indicator_template], manual type
- Risk Criteria Thresholds [grc_risk_criteria_threshold] -> Risk Criteria [sn_risk_criteria]

Configure Policy and Compliance Management
System and compliance administrators in the global domain can set properties that determine how the system defines the Policy and Compliance Management application.
Role required: admin, sn_compliance.admin, sn_compliance.developer
Compliance administrators can set all the same properties except the name of the assessment metric type that is used for attestations. Administrators in domains lower than the global domain can view the Properties screen, but cannot modify the settings.
Note: A message appears at the top of the form, "This record is in the Policy and Compliance application, but <scope> is the current application", to ensure that you are in the correct application scope.
1. Navigate to Policy and Compliance > Administration > Properties.
2. Fill in the fields on the form, as appropriate. See Properties installed with Policy and Compliance Management on page 16 for property descriptions.
3. Click Save.

Policy and Compliance Administration
The Policy and Compliance Management application provides properties associated with article templates, attestation types, and the UCF integration.
- Article Templates: Policy and compliance managers can create templates for policy article publishing.
- Attestation Types: Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each policy statement.
- Unified Compliance Integration: See Configure the UCF integration on page 6.

Manage continuous monitoring between Configuration Compliance and Policy and Compliance Management
Continuous monitoring is a feature integration between the GRC: Policy and Compliance Management product and the Security Operations Configuration Compliance product. This feature integrates the scan results from third-party applications, like Qualys, to determine the compliance status for each associated control. Continuous monitoring is a proactive security management approach: customers monitor and validate compliance and manage risks against authority documents.
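The status and issue lifecycle that the workflow steps in this section describe, as an added example that is not part of the ServiceNow documentation or of the product's code: a JavaScript model that ingests one scan cycle at a time, marks a control Non Compliant and opens an issue when any of its configuration tests fails, and marks it Compliant and closes the issue once a later scan shows the failure remediated. The control-to-test mapping, the scan results, the function names and the rule that a missing test result counts as a failure are constructed assumptions of this example; a real integration ingests results from the Configuration Compliance application at defined intervals.

```javascript
// Added example, not ServiceNow code: models the continuous-monitoring
// control status and issue lifecycle described in this section.

// Constructed mapping: each generated control and the configuration tests
// it depends on (in the product these come from the mapping step).
const CONTROL_TESTS = {
  'CTRL-max-password-age-web01': ['max-password-age'],
  'CTRL-max-password-age-db01': ['max-password-age', 'password-history'],
};

// Ingest one scan cycle. scanResults: { control: { test: 'pass' | 'fail' } }.
// Returns the new state plus the issues opened and closed in this cycle.
function ingestScan(state, scanResults) {
  const next = { controls: { ...state.controls }, issues: { ...state.issues } };
  const opened = [];
  const closed = [];
  for (const [control, tests] of Object.entries(CONTROL_TESTS)) {
    const results = scanResults[control] || {};
    // Assumption of this model: a test with no result in this cycle is
    // treated as failing, so missing evidence never looks like compliance.
    const failed = tests.filter((t) => results[t] !== 'pass');
    const status = failed.length ? 'Non Compliant' : 'Compliant';
    next.controls[control] = status;
    const issueOpen = next.issues[control] === 'open';
    if (status === 'Non Compliant' && !issueOpen) {
      next.issues[control] = 'open';   // failure -> issue generated
      opened.push(control);
    } else if (status === 'Compliant' && issueOpen) {
      next.issues[control] = 'closed'; // remediated -> issue closed
      closed.push(control);
    }
    // Still failing with an issue already open: no duplicate issue.
  }
  return { state: next, opened, closed };
}

// Replay a series of scan cycles from an empty state.
function runCycles(scans) {
  let state = { controls: {}, issues: {} };
  const log = [];
  for (const scan of scans) {
    const r = ingestScan(state, scan);
    state = r.state;
    log.push({ opened: r.opened, closed: r.closed });
  }
  return { state, log };
}

// Constructed scan results for three consecutive intervals: web01 is fixed
// after the first scan, db01 only after the second.
const SCANS = [
  { 'CTRL-max-password-age-web01': { 'max-password-age': 'fail' },
    'CTRL-max-password-age-db01': { 'max-password-age': 'pass', 'password-history': 'fail' } },
  { 'CTRL-max-password-age-web01': { 'max-password-age': 'pass' },
    'CTRL-max-password-age-db01': { 'max-password-age': 'pass', 'password-history': 'fail' } },
  { 'CTRL-max-password-age-web01': { 'max-password-age': 'pass' },
    'CTRL-max-password-age-db01': { 'max-password-age': 'pass', 'password-history': 'pass' } },
];

const RESULT = runCycles(SCANS);
console.log(JSON.stringify(RESULT.log));
console.log(JSON.stringify(RESULT.state));
```

The point worth checking in any such integration is the third branch: a control that keeps failing across cycles must not spawn a new issue each interval, and a control whose tests stop reporting should not drift to Compliant just because nothing failed.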

Continuous monitoring workflow
1. The system admin activates the Configuration Compliance and Policy and Compliance Management plugins.
2. The compliance manager maps policy statements or controls to configuration tests, which generates the controls, profiles, and indicators related to those configuration tests.
3. The integration ingests the results of the third-party configuration test scans at defined intervals.
4. If the scan results of the configuration tests indicate a failure, then the control is noncompliant and an issue is automatically generated.
5. If the next scan results indicate that the failure has been remediated, then the control is compliant and the issue is automatically closed.

Map policy statements or controls to configuration tests
The compliance manager maps policy statements or controls to the configuration tests, which generates the controls, profiles, and indicators associated with configuration compliance.
Role required: compliance manager
The Configuration Compliance plugin must be activated to access this feature, and the sn_compliance.auto_create_profile_and_control property must be set to true.
1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record, click the Policy Statements related list, and click Edit.
   Note: The Password Policy is used in this example.
3. Select each policy statement to associate with the policy.
4. Open a policy statement and click the Citations related list to view the authority document citation that is associated with this policy statement.
   Note: The "Configure the maximum password age." policy statement is used in this example.
5. Click the Configuration Tests related list and select one of the following add options:
   - Click Add
   - Click Add from Policies
   - Click Add from Authoritative Sources
   Note: The Source field for each configuration test identifies the third-party provider of the information.
6. After selection, click Add.
All the configuration items (controls, profiles, and indicators) are mapped and displayed on the Configuration Tests related list. This may take a few minutes as the results are generated.

Interpret configuration compliance scan results
If the scan results for a control indicate any failures, the control is marked noncompliant. If the scan results indicate that the control passed all the configuration tests, the control is marked compliant.
Role required: compliance manager
The Configuration Compliance plugin must be activated to access this feature, and the sn_compliance.auto_create_profile_and_control property must be set to true.
1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
   Note: The "Configure the maximum password age." policy statement is used in this example.
2. Open the policy statement record and click the Controls related list. In this example, eleven controls were generated from the configuration compliance test scan. Each control has an associated profile, and because all the controls show a Status of Non Compliant, an equal number of issues have been automatically generated.
3. Open a control record and click the Indicator related list.
4. Open the indicator record to see the indicator results.

5. The configuration test scan results are updated at regular intervals. If the scan results indicate that the failure has been remediated, the control is marked compliant and the issue is automatically closed.

Establish profile scoping for policies and controls
Profile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments.
Dependencies are created using the dependency map and model, or by creating tiers. Profile scoping provides a way to allocate risks and controls at different levels. Profile scoping involves the following elements:

Profile classes
Profile classes allow GRC managers to separate profiles for better distinction, for example Business Service profiles, Department profiles, and Business Unit profiles. Reports can be filtered to define relationships between the different profile classes. A profile class defines what a profile actually is. Profiles can belong to many profile types, but a profile can have only one profile class (for example,

Business Service). Profile classes can roll up to each other.

Profile types
Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type filters. Profile types are associated with policy statements, which generate controls for every profile listed in the profile type.

Profiles
Profiles are the records that aggregate GRC information related to a specific item. Each profile is associated with a single record from any table in the instance. Profiles cannot be created for items that do not have a record in a table in the platform.

Example of profile scoping
In this scoping example, the profile types contain the following profiles:

Global Office Locations
  - Los Angeles Office
  - New York Office
  - Berlin Office
North American Office Locations
  - Los Angeles Office
  - New York City Office
European Union Office Locations
  - Berlin Office

How do profiles relate to Policy and Compliance Management?
Profile scoping provides a systematic assignment of policy statements to controls and maintains relational and hierarchical connections between those controls. Profiles and profile types are in a many-to-many relationship: profile types are the high-level categories, and profiles are the individual items that can be associated with a profile type.

In this Policy and Compliance scoping example:
- policies and policy statements are assigned to profile types
- controls are created based on the profiles and their associated policy statements

Note: Policy statements can be created without a policy, but must be assigned a profile type. Controls can be created without an associated policy or policy statement, but must be assigned to a profile.
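The generation rule above, as an added example that is not part of the ServiceNow documentation or of the product's code: a JavaScript model in which profile types are filters over profiles, each profile has exactly one profile class but may match several types, policy statements attach to profile types, and one control is generated per (policy statement, profile) pair. The office profiles follow the scoping example above; the region attribute, the Payroll Service profile, the policy statements and the function names are constructed for this example, and the de-duplication of a profile reached through two overlapping types is an assumption of this model rather than documented platform behavior.

```javascript
// Added example, not ServiceNow code: models profile scoping and the
// generation of controls from policy statements attached to profile types.

// Constructed profiles. Each has exactly one profile class; the region
// attribute stands in for the filterable fields of the underlying record.
const PROFILES = [
  { name: 'Los Angeles Office', profileClass: 'Office', region: 'NA' },
  { name: 'New York City Office', profileClass: 'Office', region: 'NA' },
  { name: 'Berlin Office', profileClass: 'Office', region: 'EU' },
  { name: 'Payroll Service', profileClass: 'Business Service', region: 'NA' },
];

// Profile types are dynamic: membership is the result of the filter, so a
// new profile that matches the filter joins the type with no manual step.
const PROFILE_TYPES = {
  'Global Office Locations': (p) => p.profileClass === 'Office',
  'North American Office Locations': (p) => p.profileClass === 'Office' && p.region === 'NA',
  'European Union Office Locations': (p) => p.profileClass === 'Office' && p.region === 'EU',
  'Business Services': (p) => p.profileClass === 'Business Service',
};

function membersOf(typeName, profiles = PROFILES) {
  const filter = PROFILE_TYPES[typeName];
  if (!filter) throw new Error(`unknown profile type: ${typeName}`);
  return profiles.filter(filter).map((p) => p.name);
}

// Constructed policy statements. A statement needs at least one profile
// type (it may exist without a policy, per the Note above).
const STATEMENTS = [
  { id: 'PS-1', text: 'Badge access logs are reviewed monthly.',
    profileTypes: ['Global Office Locations'] },
  { id: 'PS-2', text: 'Visitor logs are retained for 90 days.',
    profileTypes: ['North American Office Locations', 'European Union Office Locations'] },
  { id: 'PS-3', text: 'Access is recertified quarterly.',
    profileTypes: ['Business Services', 'North American Office Locations'] },
];

// One control per (statement, profile). A profile reached through two
// overlapping types yields a single control (assumption of this model).
function generateControls(statements = STATEMENTS, profiles = PROFILES) {
  if (statements.some((s) => !s.profileTypes || s.profileTypes.length === 0)) {
    throw new Error('every policy statement must be assigned a profile type');
  }
  const seen = new Set();
  const controls = [];
  for (const s of statements) {
    for (const t of s.profileTypes) {
      for (const profile of membersOf(t, profiles)) {
        const key = `${s.id}|${profile}`;
        if (seen.has(key)) continue;
        seen.add(key);
        // 'draft' is the first entry of sn_compliance.active_states by default.
        controls.push({ statement: s.id, profile, status: 'draft' });
      }
    }
  }
  return controls;
}

// Adding a profile that matches an existing type yields new controls on the
// next generation run, without editing any policy statement.
function controlsAfterNewProfile(profile) {
  return generateControls(STATEMENTS, [...PROFILES, profile]);
}

console.log(generateControls().map((c) => `${c.statement} @ ${c.profile}`).join('\n'));
```

The practical consequence for a reviewer is the last function: because types are filters, the set of controls (and therefore the set of owners who will be asked to attest) changes whenever a record matching a filter is created, so profile-type filters deserve the same change control as the policy statements themselves.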


Dependency models and maps
In the Jakarta release, the dependency map was aligned with the dependency model for establishing upstream and downstream relationships between profiles. In the London release, tiers establish those relationships.

Dependency models
Dependency modeling ensures that an organization establishes a uniform definition of risk across the enterprise. The dependency model defines which relationships are allowed between different types of areas in the organization. This enables more effective risk normalization and aggregation by allowing stakeholders to compare and contrast risk appetite and exposure at various levels of the enterprise. Creating a dependency model involves creating profile classes and defining how classes are structured in relation to each other using the Roll up to field.

Dependency maps
Once dependency modeling is complete, you can build out a dependency map to define how different parts of the organization are related to each other. The dependency map represents which profile relationships exist. For example, you could specify that certain projects and business services affect the HR department, which in turn affects the enterprise.

Defining the dependency map involves creating profiles, defining the profile class for each profile, then relating profiles to each other by specifying the upstream/downstream relationship.

Tiers
In the London release, tiers establish the upstream and downstream relationships. Profile tiers are assigned to profile classes. The base system provides three tiers: Business, Application, and IT Asset. Administrators can edit these tiers or add new ones.

Create a profile class
GRC managers create profile classes representing the types of items in their organization. Reports can be filtered by profile class to show the relationships between the different profile classes.

Role required: sn_grc.manager

A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services) in that a profile can belong to many profile types but can have only one profile class (for example, Business Service).

1. Navigate to one of the following locations:
   Policy and Compliance > Scoping > Profile Classes
   Risk > Scoping > Profile Classes
   Audit > Scoping > Profile Classes
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 4: Profile class
  Name: Name of the profile class.
  Roll up to: Select the profile class that this class rolls up to (its dependency). This is useful for reporting how your lower-level operational risks impact corporate-level risks.
  Is Root: Select the check box to indicate that this is the highest-level class. Note: Only one root class is allowed, and it cannot roll up to another class.
  Tier: Select the tier or category for the profile class: Business, Application, or IT Asset.

Create or edit a profile tier
1. Navigate to Policy and Compliance > Profile Tiers.
2. Do one of the following actions:
   To create a new tier: Click New.
   To edit a tier: Open the profile tier.
3. Fill in the fields on the form, as appropriate.
Table 5: Profile tier
  Name*: The name of the tier.
  Label*: The label assigned to the tier.
  Level*: The level of the tier.
4. Click Update.

Create profile class rules
Profile class rules allow you to assign tables to profile classes.

Role required: admin

1. Navigate to one of the following locations:
   Policy and Compliance > Administration > Profile Class Rules

   Risk > Administration > Profile Class Rules
   Audit > Administration > Profile Class Rules
2. Do one of the following actions:
   To create a new profile class rule: Click New.
   To edit a profile class rule: Open the profile class rule from the list.
3. Fill in the fields on the form, as appropriate.
Table 6: Profile class rule
  Table: The table that contains the records you want to assign the class to.
  Class: The class to assign to the table.
4. Click Submit or Update.

Create and edit a profile type
Administrators or managers in any of the GRC-related applications create profile types, from which profiles are generated. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for every profile listed in the profile type.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate to one of the following locations:
   Policy and Compliance > Scoping > Profile Types
   Risk > Scoping > Profile Types
   Audit > Scoping > Profile Types
2. Do one of the following actions:
   To create a new profile type: Click New.
   To edit a profile type: Open the profile type from the list.
3. Fill in the fields on the form, as appropriate, and click Submit.
Table 7: Profile type
  Name*: The name of the profile type.
  Description: An explanation of the profile type, with any additional information that a user will find helpful.

Note: * indicates a mandatory field.
4. Once the profile type is created or edited, click the Profile filters tab and fill in the fields on the form, as appropriate.
Table 8: Profile filters
  Profile Type: The profile type that the filters belong to.
  Table*: The table that contains the records to be queried.
  Filter condition: Filter conditions applied to the source table to generate profiles.
  Owner field: The field on the source table that specifies the person who owns any new profiles generated from the profile type. Identify the user reference field on the source table to automatically identify risk and control owners. Use the default owner to assign risks to a single user when the owner field is empty.
  Empty owner: What to do when the owner field is empty: Create, Do not create, or Use default.
Note: * indicates a mandatory field.
5. Click Update.

Create a profile
Profiles are generated automatically from profile types in any of the GRC-related applications. Profiles can also be created individually, but this is not common.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate to one of the following locations:
   Policy and Compliance > Scoping > Profile Types
   Risk > Scoping > Profile Types
   Audit > Scoping > Profile Types
2. Open a Profile Type record from the list.
3. Add or modify any conditions, as necessary. Changing the Table changes the number of records matching the condition.

4. Assign the Owner field.
5. Click Update.
A profile is generated for every record that matches the filter condition.

Relate profiles to each other
Create relationships between profiles to understand how controls and risks affect each other and how they affect the enterprise.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate using any of these options:
   Policy and Compliance > Scoping > All Profiles
   Risk > Scoping > All Profiles
   Audit > Scoping > All Profiles
2. Open the profile record from the list.
3. Perform one of the following actions:
   To specify that the current profile is downstream of another profile: Click Add in the Upstream profiles related list.
   To specify that the current profile is upstream of another profile: Click Add in the Downstream profiles related list.
4. Select the profiles to relate the current profile to and click Create Relationship.
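As an added example (not ServiceNow code and not part of the original documentation), the following Python models the scoping rules described above: profile classes with Roll up to, Is Root and Tier, profile generation from a profile type's table and filter condition with the Empty owner setting, and the class-based restriction on which profiles may be related upstream or downstream. The class, table and field names are constructed. The exact eligibility rule (a profile may be upstream of the current profile only if the current profile's class rolls up directly to its class) and the requirement that every non-root class reaches the root are assumptions made for the example, not rules stated on this page.

```python
"""Added example, not ServiceNow code: a small model of the scoping concepts in
this section, covering (1) profile classes with Roll up to / Is Root / Tier,
(2) profile generation from a profile type's table, filter and Empty owner
setting, and (3) which profiles are eligible as upstream/downstream relations.
Class, table and field names are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class ProfileClass:
    name: str
    tier: str                          # Business, Application or IT Asset
    roll_up_to: Optional[str] = None   # class this class rolls up to
    is_root: bool = False

@dataclass(frozen=True)
class Profile:
    name: str
    profile_class: str                 # exactly one class per profile
    owner: Optional[str]

@dataclass(frozen=True)
class ProfileType:
    name: str
    table: str
    filter_condition: Callable[[dict], bool]
    profile_class: str                 # class assigned to `table` by a profile class rule
    owner_field: Optional[str] = None  # user reference field on the source table
    empty_owner: str = "create"        # "create" | "do_not_create" | "use_default"
    default_owner: Optional[str] = None

def validate_dependency_model(classes: list) -> dict:
    """Rules from the profile class form: exactly one root, the root rolls up to
    nothing, roll-up targets exist, and (assumption for this example) every
    other class reaches the root without a cycle."""
    by_name = {c.name: c for c in classes}
    roots = [c for c in classes if c.is_root]
    if len(roots) != 1:
        raise ValueError("exactly one root class is allowed")
    if roots[0].roll_up_to is not None:
        raise ValueError("the root class cannot roll up to another class")
    for c in classes:
        seen, cur = {c.name}, c
        while cur.roll_up_to is not None:
            if cur.roll_up_to not in by_name:
                raise ValueError(f"{cur.name} rolls up to unknown class {cur.roll_up_to}")
            cur = by_name[cur.roll_up_to]
            if cur.name in seen:
                raise ValueError(f"roll-up cycle through {cur.name}")
            seen.add(cur.name)
        if not cur.is_root:
            raise ValueError(f"{c.name} does not roll up to the root class")
    return by_name

def generate_profiles(ptype: ProfileType, rows: list) -> list:
    """One profile per source row matching the filter, honouring Empty owner."""
    profiles = []
    for row in rows:
        if not ptype.filter_condition(row):
            continue
        owner = row.get(ptype.owner_field) if ptype.owner_field else None
        if not owner:
            if ptype.empty_owner == "do_not_create":
                continue                      # skip rows with no owner
            if ptype.empty_owner == "use_default":
                owner = ptype.default_owner   # single fallback owner
            # "create": the profile is created with no owner
        profiles.append(Profile(row["name"], ptype.profile_class, owner or None))
    return profiles

def eligible_upstream(current: Profile, candidates: list, classes: dict) -> list:
    """Assumption for this example: a candidate may be upstream of `current` only
    if current's class rolls up directly to the candidate's class."""
    parent = classes[current.profile_class].roll_up_to
    return [p for p in candidates if p is not current and p.profile_class == parent]

def eligible_downstream(current: Profile, candidates: list, classes: dict) -> list:
    """Mirror image: candidates whose class rolls up directly to current's class."""
    return [p for p in candidates if p is not current
            and classes[p.profile_class].roll_up_to == current.profile_class]

def demo() -> dict:
    classes = validate_dependency_model([
        ProfileClass("Enterprise", "Business", is_root=True),
        ProfileClass("Department", "Business", roll_up_to="Enterprise"),
        ProfileClass("Business Service", "Application", roll_up_to="Department"),
        ProfileClass("Server", "IT Asset", roll_up_to="Business Service"),
    ])
    rows = [  # constructed rows standing in for a "business_service" table
        {"name": "Payroll", "critical": True, "owned_by": "alice"},
        {"name": "Intranet", "critical": True, "owned_by": ""},
        {"name": "Cafeteria menu", "critical": False, "owned_by": "bob"},
    ]
    ptype = ProfileType("Critical Business Services", "business_service",
                        lambda r: r["critical"], "Business Service",
                        owner_field="owned_by", empty_owner="use_default",
                        default_owner="grc.manager")
    services = generate_profiles(ptype, rows)
    hr = Profile("HR", "Department", "carol")
    host = Profile("pay-db-01", "Server", "dave")
    everything = [hr, host, Profile("Acme", "Enterprise", "ceo"), *services]
    payroll = services[0]
    return {
        "profiles": [(p.name, p.owner) for p in services],
        "upstream_of_payroll": [p.name for p in eligible_upstream(payroll, everything, classes)],
        "downstream_of_payroll": [p.name for p in eligible_downstream(payroll, everything, classes)],
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` generates two profiles from the three constructed rows (the non-critical row is filtered out, and the Intranet row with an empty owner receives the default owner), and shows that only the Department profile is offered as upstream of Payroll while only the Server profile is offered as downstream, which is the behaviour the Add button restriction by class and tier produces in the user interface.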

The profiles displayed after clicking Add in the Upstream profiles or Downstream profiles related lists are limited based on the current profile's class and the tier it belongs to.
Note: If there are no eligible profiles that can be related to the current profile, the Add button is not displayed on the Upstream profiles or Downstream profiles related lists.

Manage policy statements and policies
Organizations import their authority documents from the Network Frontiers Unified Compliance Framework (UCF) or another third-party provider, or they create them manually. The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and policy statements.

Policies and Procedures Overview
The Policies and Procedures Overview is contained in the Policies and Procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so that areas of concern can be identified quickly. Users with the Compliance Administrator and Compliance Manager roles can view the Policies and Procedures Overview.

Table 9: Policies and Procedures Overview reports in the base system
  Control compliance (donut chart): Displays the overall compliance of all the controls in the system.
  Control details (donut chart): Displays a breakdown of controls, grouped by owner, category, or type.
  Control Overview (column chart): Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy.
  Control Issues by Policy (Opened Date) (line chart): Displays the number of control issues opened each week, grouped by policy.
  Policy Exceptions (list): Displays the control issues that have been closed with a response value of Accept, meaning the issue was not remediated.
  Total Policy Statements by Policy (bar graph): Displays a count of the overall number of policy statements in each policy. The chart is stacked to display policy statements by type.

Policy Approval Process
Policies follow a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated into the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews each policy regularly to affirm its validity. Policies have a type, such as policy, procedure, standard, plan, checklist, framework, or template.

Table 10: Policy approval states
  Draft: All policies start in the Draft state. In this state, all compliance users can modify the policy and its policy statements.
  Review: The owner, owning group, and reviewers can modify the policy and policy statements and send it on to the next state.
  Awaiting Approval: The policy is read-only in this state. Approved policies move forward to the Published state; unapproved policies move back to Review. If no approvers are identified on the policy form, this state is skipped and the policy is published without an approval.
  Published: Approved policies are automatically published to the knowledge base (KB) defined by the article template. Once a policy is published, it remains read-only. The Valid to field on the policy form defines how long the policy is valid. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in Policy and Compliance > Administration > Properties). The Article template field on the policy form defines the style of the published policy.
  Retired: The KB article is removed when a policy is put into the Retired state.

Policies
Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and/or standards.
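As an added example (not ServiceNow code and not part of the original documentation), the approval states in Table 10 are written out below as a Python state machine that also enforces who may edit or transition a policy in each state, including the rule that a policy with no approvers skips Awaiting approval and the rule that only an admin can retire a published policy. The page does not say whether every approver or only one must approve, so the example assumes all listed approvers must approve and that a single rejection returns the policy to Review. User, group and role names are constructed.

```python
"""Added example, not ServiceNow code: the policy approval states in Table 10
as an explicit state machine that also enforces who may edit or transition a
policy in each state. Assumptions made here: a policy is Published only when
every listed approver has approved; a single rejection returns it to Review;
the user, group and role names are constructed for the example."""
import itertools
from dataclasses import dataclass, field
from typing import Optional

DRAFT, REVIEW, AWAITING, PUBLISHED, RETIRED = (
    "Draft", "Review", "Awaiting approval", "Published", "Retired")
COMPLIANCE_ROLES = {"sn_compliance.user", "sn_compliance.manager", "sn_compliance.admin"}
_kb_ids = itertools.count(1)

class WorkflowError(Exception):
    """Transition attempted from the wrong state or by a user without the right."""

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    groups: frozenset = frozenset()

@dataclass
class Policy:
    name: str
    owner: str
    owning_group: str
    reviewers: frozenset
    approvers: frozenset
    state: str = DRAFT
    decisions: dict = field(default_factory=dict)   # approver name -> True/False
    kb_article: Optional[str] = None                # set on publish, cleared on retire

def _is_compliance_user(u: User) -> bool:
    return bool(u.roles & COMPLIANCE_ROLES)

def _is_review_party(p: Policy, u: User) -> bool:
    return u.name == p.owner or p.owning_group in u.groups or u.name in p.reviewers

def can_edit(p: Policy, u: User) -> bool:
    """Draft: all compliance users. Review: owner, owning group, reviewers.
    Awaiting approval, Published, Retired: read-only for everyone."""
    if p.state == DRAFT:
        return _is_compliance_user(u)
    if p.state == REVIEW:
        return _is_review_party(p, u)
    return False

def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise WorkflowError(msg)

def ready_for_review(p: Policy, u: User) -> None:
    _require(p.state == DRAFT and _is_compliance_user(u), "only compliance users move Draft to Review")
    p.state = REVIEW

def back_to_draft(p: Policy, u: User) -> None:
    _require(p.state == REVIEW and _is_review_party(p, u), "only owner, owning group or reviewers may send back to Draft")
    p.state = DRAFT

def _publish(p: Policy) -> None:
    p.state = PUBLISHED
    p.kb_article = f"KB{next(_kb_ids):07d}"   # stand-in for the KB article built from the article template

def request_approval(p: Policy, u: User) -> None:
    _require(p.state == REVIEW and _is_review_party(p, u), "only owner, owning group or reviewers may request approval")
    p.decisions = {}
    if not p.approvers:          # Table 10: no approvers, so Awaiting approval is skipped
        _publish(p)
    else:
        p.state = AWAITING

def record_approval(p: Policy, u: User, approved: bool) -> None:
    _require(p.state == AWAITING and u.name in p.approvers, "only listed approvers decide in Awaiting approval")
    p.decisions[u.name] = approved
    if not approved:
        p.state = REVIEW          # unapproved policies move back to Review
    elif all(p.decisions.get(a) for a in p.approvers):
        _publish(p)               # assumption: every approver must approve

def retire(p: Policy, u: User) -> None:
    _require(p.state == PUBLISHED and "admin" in u.roles, "only admins retire, and only from Published")
    p.state = RETIRED
    p.kb_article = None           # the KB article is removed on Retire

def demo() -> list:
    """Walk one policy through the lifecycle; returns the sequence of states seen."""
    alice = User("alice", frozenset({"sn_compliance.user"}))
    bob = User("bob", frozenset({"sn_compliance.user"}))              # policy owner
    dan, erin = User("dan", frozenset()), User("erin", frozenset())   # approvers
    root = User("root", frozenset({"admin"}))
    p = Policy("Access Control Policy", owner="bob", owning_group="grc_team",
               reviewers=frozenset(), approvers=frozenset({"dan", "erin"}))
    trace = [p.state]
    ready_for_review(p, alice); trace.append(p.state)           # Review
    assert not can_edit(p, alice) and can_edit(p, bob)          # Review is owner/group/reviewers only
    request_approval(p, bob); trace.append(p.state)             # Awaiting approval
    record_approval(p, dan, True); trace.append(p.state)        # still Awaiting (erin pending)
    record_approval(p, erin, False); trace.append(p.state)      # rejected: back to Review
    request_approval(p, bob)
    record_approval(p, dan, True); record_approval(p, erin, True); trace.append(p.state)  # Published
    try:
        retire(p, bob)
    except WorkflowError:
        trace.append("retire denied for non-admin")
    retire(p, root); trace.append(p.state)                      # Retired, KB article removed
    return trace

if __name__ == "__main__":
    print(demo())
```

The point of keeping the permission checks inside the transition functions rather than in the form layer is that the read-only guarantee for Awaiting approval, Published and Retired then holds regardless of how the record is reached; `can_edit` exposes the same rule for a user interface to consult.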

Policy Statements
Compliance managers catalog the policy statements and generate controls from them. A policy statement references only a single policy, although it can cover multiple citations from different authority documents. Policy statements can be organized by Classification, Category, and Type.
Note: UCF refers to policy statements as Controls. When UCF data is imported, UCF controls are imported into the policy statements table.

Create a policy
A policy is a document that defines an internal practice that processes must follow. Policies are typed as policies, procedures, standards, plans, checklists, frameworks, and templates.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 11: Policy
  Name: The name of the policy.
  Type: One of Policy, Procedure, Standard, Plan, Checklist, Framework, or Template.
  Owning Group: The group that owns the policy.
  Owner: The user who owns the policy.
  Compliance Score Percentage: The compliance score percentage assigned to this policy.
  Parent: The policy containing this policy. If you create a policy statement from within a policy, this field is filled automatically.

  State: Read-only field. Possible values:
    Draft: All compliance users can modify the policy and policy statements. Any compliance user can click Ready for Review at the bottom of the form, which sets the state to Review.
    Review: The owner, owning group, and reviewers can modify the policy and policy statements. They click Request approval to start the workflow, which sends approval requests to the users in the Approvers list. They can also move the policy back to Draft by clicking Back to draft.
    Awaiting approval: The policy and policy statements are read-only for all users. Approvers approve the policy by updating the approval state in the Approvals related list on the policy form, or from My Approvals. If the policy is approved, it moves to the Published state; otherwise it returns to the Review state.
    Published: The policy and policy statements are read-only for all users. Admins can click Retire, which sets the state to Retired.
    Retired: The policy is read-only for all users.
  Number: Read-only field that is automatically populated with a unique identification number.
  Valid From: The date and time from which the policy is valid.
  Valid To: The date and time after which the policy is no longer valid.
  Approvers: The users to include in the approval process.
  Reviewers: The users to include in the review process.
  Description: A general description of the policy.
  Policy text: A detailed description of the policy.
  Knowledge base: The knowledge base article related to this policy.

  Article template: The article template to use for publishing this policy.
  KB article: The KB article number and link where the policy is published.
4. Continue with one of the following options:
   To save and submit the policy: Click Submit.
   To mark the policy ready for review: Click Ready for review.

Approve and publish a policy
When a policy is approved, it is automatically published.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record.
3. Review the policy details, making updates as necessary.
4. Click Approve.

Review a policy
It is important that the right people in your organization are involved in the review of policies.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record.
3. Review the policy details, making updates as necessary.
4. Continue with one of the following actions:
   To move the policy back into draft: Click Back to draft.
   To request approval for the policy: Click Request approval.

Retire a policy
Retiring a policy is part of the policy management process. A policy can be retired any time after it has been approved and published to the KB.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies.
2. Open the policy record.
3. In the top right corner, click Retire.

This option is available only for policies in the Published state.

Create a GRC article template
Policy and Compliance managers can create templates for publishing policy articles.

Role required: sn_audit.manager

1. Navigate to Policy and Compliance > Administration > Article Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 12: Article template
  Name: Name of the article template.
  Type: Script, HTML, or XML.
  Script: The script code. This field is shown when Type is Script.
  HTML: The HTML code. This field is shown when Type is HTML.
  XML: The XML code. This field is shown when Type is XML.
  Is default: Check box indicating that this template is the default template for all KB articles.
4. Click Submit.

Create a policy statement
A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policy Statements.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 13: Policy statement
  Name*: The name of the policy statement.
  Source: A non-editable field with the source of the policy statement. For example, if the statement comes from the UCF import, the source is UCF.

  Source ID: The unique identification number used by the source to catalog this record.
  Reference: A unique numerical identifier.
  Parent: The policy containing the policy statement. Multiple policies can reference the same policy statement. If you create a policy statement from within a policy, this field is filled automatically.
  Compliance Score Percentage: The compliance score percentage calculated for this policy statement. Scores of 80 and higher are shown in green, scores from 50 to 79 in yellow, and scores below 50 in red.
  Active: A policy is marked active if it is not in the Draft or Retired state.
  Creates controls automatically: Check box indicating that controls are created automatically from the policy statement. Note: Select this option if the policy statement can also serve as the control.
  Category: One of: Acquisition or sale of facilities, technology, and services; Audits and risk management; Compliance and Governance Manual of Style; Human Resources management; Leadership and high level objectives; Monitoring and measurement; Operational management; Physical and environmental protection; Privacy protection for information and data; Records management; System hardening through configuration management; Systems continuity; Systems design, build, and implementation; Technical security; Third Party and supply chain oversight; Root; Deprecated.

  Classification: One of Preventive, Corrective, or Detective.
  Type: One of: Acquisition/Sale of Assets or Services; Actionable Reports or Measurements; Audits and Risk Management; Behavior; Business Processes; Communicate; Configuration; Data and Information Management; Duplicate; Establish Roles; Establish/Maintain Documentation; Human Resources Management; Investigate; IT Impact Zone; Log Management; Maintenance; Monitor and Evaluate Occurrences; Physical and Environmental Protection; Process or Activity; Records Management; Systems Continuity; Systems Design, Build, and Implementation; Technical Security; Testing; Training.
  Attestation: List of options. GRC Attestation is chosen by default. Note: If the user changes the control attestation, the related policy statement attestation type is changed as well.
  Issue group rule: The group rule assigned to this policy statement.
  Description: Description of the policy statement.
4. Click Submit.

The policy statement is created and all related lists are visible. A control is created for every policy statement when a policy is associated with a profile. The control attributes default to the same attributes as the related policy statement.

Deactivate a policy statement
Deactivate policy statements that are no longer relevant to their citation or policy.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
2. Open a policy statement.
3. Clear the Active check box.
4. Click Update.

Relate a policy statement to a policy
Policy statements can be associated with a policy individually, by choosing the policy in the Document field on the policy statement, or in bulk by editing the Policy Statements related list on the policy.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
2. Open the policy record.
3. Click Edit in the Policy Statements related list. The slushbucket contains the active policy statements that have no associated policy.
4. Select the policy statements.
5. Click Save.
The selected policy statements are listed in the Policy Statements related list.

Relate a policy statement to a citation
A single policy statement can be mapped to many citations from different authority documents. This lets you test a policy statement once while complying with many different citations.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Compliance > Citations.
2. Open a citation.
3. In the Policy statements related list, click New.
4. Fill in the fields on the form, as appropriate.
Table 14: Policy statement
  Name: The name of the policy statement.
  Source: A non-editable field with the source of the policy statement. For example, if the statement comes from the UCF import, the source is UCF.
  Reference: A unique numerical identifier.
  Policy: The parent policy supported by this policy statement.
  Parent: References the parent content.
  Active: A policy is marked active if it is not in the Draft or Retired state.
  Source ID: The unique identification number used by the source to catalog this record.
  Category: One of: Acquisition or sale of facilities, technology, and services; Audits and risk management; Compliance and Governance Manual of Style; Human Resources management; Leadership and high level objectives; Monitoring and measurement; Operational management; Physical and environmental protection; Privacy protection for information and data; Records management; System hardening through configuration management; Systems continuity; Systems design, build, and implementation; Technical security; Third Party and supply chain oversight; Root; Deprecated.

  Classification: One of Preventive, Corrective, or Detective.
  Type: One of: Acquisition/Sale of Assets or Services; Actionable Reports or Measurements; Audits and Risk Management; Behavior; Business Processes; Communicate; Configuration; Data and Information Management; Duplicate; Establish Roles; Establish/Maintain Documentation; Human Resources Management; Investigate; IT Impact Zone; Log Management; Maintenance; Monitor and Evaluate Occurrences; Physical and Environmental Protection; Process or Activity; Records Management; Systems Continuity; Systems Design, Build, and Implementation; Technical Security; Testing; Training.
  IT Impact Zone: Select from a list of options.
  Description: Describe the policy statement and how it supports the goals of the organization.
5. Click Submit.

Create a citation
Usually, authority documents, citations, and policy statements are downloaded from UCF. However, citations can also be created manually from an authority document.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Authority Documents.
2. Open an authority document.

3. In the Citations related list, click New.
4. Fill in the fields on the form, as appropriate.
Table 15: Citation
  Name*: User-defined name that identifies this citation.
  Source: A non-editable field with the source of the citation. For example, if the citation comes from the UCF import, the source is UCF.
  Source ID: The unique identification number used by the source to catalog this record.
  Reference: Content reference.
  Type: The type of citation created. This optional field is not used for any processing; use its value in reports or to query for records of a specific type. One of Core, Topic, Process, Control Objective, Control, or Supporting information.
  Authority document: Name of the parent authority document for this citation. When you create citations from the authority document form, the system completes this field automatically.
  Active: A policy is marked active if it is not in the Draft or Retired state.
  Parent: References the parent content.
  Description: Description of the citation.

Deactivate a citation
The Active option in a citation indicates whether the citation has been retired.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Compliance > Citations.
2. Open a citation.
3. Clear the Active check box.

Deactivate an authority document
The Active option in an authority document indicates whether the authority document has been retired.

Role required: sn_compliance.admin or sn_compliance.manager

1. Navigate to Policy and Compliance > Compliance > Authority Documents.
2. Open an authority document.
3. Clear the Active check box.

Manage policy exceptions
Policy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence that support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may all be involved in the policy exception workflow.

Figure: Policy exception workflow

Figure: Approved policy exception

Request a policy exception
Control owners may request a temporary policy exception for controls that are non-compliant. The policy exception request is related to the policy, policy statement, or issue from which it originates. All impacted controls are identified in a related list. After a policy exception is approved, the control owner may ask for an extension using the original policy exception.

Role required: control owner

1. Navigate to Policy and Compliance > My Policy Exceptions.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 16: Policy exception request
  Number: Read-only field that is automatically populated with a unique identification number.
  Requester: The person requesting the policy exception, usually the control owner.
  Approval group: The group that is notified for approval.
  Approver: The approver of the request.
  Short description: A description for the policy exception request.
  Justification: Evidence or rationale for the policy exception.
  State: The state of the policy exception within the approval workflow.
  Substate: The approval substate of the policy exception within the approval workflow.
  Priority: The approval priority of this policy exception.
  Watch list: Users who are notified when the request is updated.
  Source
    Policy Statement: The policy statement associated with this policy exception.
    Policy: The policy associated with this policy exception.
    Issue: The issue associated with this policy exception.
  Business Impact Analysis
    Risk description: The description of the risk, as recorded by the risk manager during risk assessment.
    Residual likelihood: The likelihood of this risk occurring.

    Residual impact: The residual impact of this risk.
    Residual score: The calculated possibility of this residual risk occurring. This score is calculated after a residual likelihood and residual impact rating have been selected.
  Schedule
    Created: The day the policy exception was requested.
    Valid from: The day on which the policy exception begins.
    Valid to: The day on which the policy exception ends.
    Date approved: The day the policy exception was approved.
    Requested Extension: Indicates whether an extension has been requested for this policy exception.
  Comments
    Work notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
    Additional comments: More information, if necessary.
4. Perform one of the following actions:
   To add impacted controls to the policy exception: Click the Impacted Controls tab, click Add or Add All, and choose the controls to associate with the policy exception.
   To view mitigating controls on the policy exception: Click the Mitigating Controls tab.
   To add risks to the policy exception: Click the Risks tab. Note: This option is available only when Risk Management is also activated.
   To add approvers to the policy exception: Click the Approvers tab.
5. Click Submit.
An email notification is sent to the approval group.

Review the policy exception request
After reviewing a policy exception request, a compliance manager can accept or reject the request. If the compliance manager does not have enough information to make a decision, they can request a risk assessment by the risk manager.

Role required: compliance manager

1. Navigate to Policy and Compliance > My Policy Exceptions.
2. Select the policy exception.
3. Review the following fields:
Table 17: Policy exception request, Business Impact Analysis tab
  Risk description: Enter a description of the risk.
  Residual likelihood: If it is not None, select the likelihood of this risk occurring: 5 - Extremely Likely, 4 - Likely, 3 - Neutral, 2 - Unlikely, 1 - Extremely Unlikely.
  Residual impact: If it is not None, select the residual impact of this risk: 5 - Very High, 4 - High, 3 - Moderate, 2 - Low, 1 - Very Low.
  Residual score: This value is calculated after you select a residual likelihood and residual impact rating: 5 - Very High, 4 - High, 3 - Moderate, 2 - Low, 1 - Very Low.
4. Perform one of the following actions:

   To view or add impacted controls to the policy exception: Click the Impacted Controls tab, click Add or Add All, and choose the controls to associate with the policy exception.
   To view mitigating controls on the policy exception: Click the Mitigating Controls tab.
   To view or add risks to the policy exception: Click the Risks tab. Note: This option is available only when Risk Management is also activated.
   To view or add approvers to the policy exception: Click the Approvers tab.
5. Perform one of the following actions:
   To approve the policy exception: Click Approve. An email notification is sent to the requester that the policy exception request (PER) was approved and goes into effect.
   To reject the policy exception: Click Reject. An email notification is sent to the requester that the PER was rejected, and the request is closed.
   To request a risk assessment on the policy exception: Click Request Risk Assessment. An email notification is sent to the risk managers group. Note: This option is available only when Risk Management is also activated.
   To request business owner approval: Click Request Business Owner Approval. An email notification is sent to the business owner.

Use UCF Common Controls Hub to manage compliance frameworks
Compliance administrators can download content from the Network Frontiers Unified Compliance Framework (UCF) for use as GRC authority documents, citations, controls, and policy statements. The documents can be updated at pre-defined intervals.

Users must have a UCF Common Controls Hub account to create shared lists and import them into the instance. For more information on the Unified Compliance Framework (UCF), see

Warning: All data imported from UCF authority documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements in any UCF fields transformed into GRC tables.

Getting started with the UCF Common Controls Hub
Network Frontiers released a new method that allows authenticated users to download content from the UCF Common Controls Hub (CCH) website. Users require a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH) to download UCF content.

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, . For customers on Helsinki (Patch 7 and above) or Istanbul whose GRC entitlement date is December 1, 2016 or after, you must contact the UCF Common Controls Hub to arrange for a subscription if your organization plans to use the Unified Compliance Framework as the provider of your controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Note: A subscription to UCF-CCH is not required to use the GRC Policy and Compliance application.

Table 18: Tasks by GRC entitlement date
  If your organization's GRC entitlement date is BEFORE December 1, 2016:
    1. Activate Compliance UCF on page 57.
    2. Create HI Request for GRC subscription validation free UCF-CCH account on page 57.
    3. Configure the UCF integration on page 6
    4. Download a UCF shared list on page 6
  If your organization's GRC entitlement date is AFTER December 1, 2016:
    1. Sign up for a UCF CCH account and customize your basic subscription to include API Access.
    2. Activate Compliance UCF on page 57.
    3. Create HI Request for UCF-CCH account integration information on page
    4. Configure the UCF integration on page 6
    5. Download a UCF shared list on page 6

Authority document and shared list imports
Every authority document already imported into the instance must be in any shared list you wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which may have changed) and what you have already imported.

Figure 1: Shared list import successful
Figure 2: Shared list import unsuccessful. An error is rendered because SOX is not being re-imported within this shared list.

UCF and GRC terminology differences
Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology used by UCF and by the GRC applications differs slightly, as explained in the following table.

Table 19: Terminology differences (UCF term: GRC application term)
  Authority Document: Authority Document
  Citation: Citation

57 UCF GRC application Control Policy Statement Activate Compliance UCF The GRC: Compliance UCF (com.sn_comp_ucf) plugin is available as a separate subscription. Role required: admin This plugin includes demo data and activates related plugins if they are not already active. Navigate to System Definition Plugins. Find and click the plugin name. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status. If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin). 4. If available, select the Load demo data check box. Some plugins include demo data Sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance. 5. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form. Click Activate. For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, See Create HI Request for GRC subscription validation free UCF-CCH account on page 57. For customers on Helsinki (Patch 7 and above), or Istanbul, and whose GRC entitlement date is December 1, 2016 or after, you must contact UCF-Common Control Hub to arrange for a basic account subscription with API access. Note: API access is required to download UCF content from the UCF-CCH. For more information about establishing a UCF CCH account, see Unified Compliance Framework. 
Create HI Request for GRC subscription validation free UCF-CCH account

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30,

Role required: admin

After activating the Compliance UCF plugin:
  1. Sign in to the HI Service Portal.
  2. Click Get Help.
  3. Click Create an Incident.
  4. Select Issue Type: Request.
  5. Select Category: HI Administration.
  6. Describe the issue and provide the following information:
     - Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I am requesting that you validate my subscription and open a UCF CCH account on my behalf".
     - Include your company name and company account number.
     - Include the requester's name, business address, and phone number.
     Note: By providing your company and requester contact information, you authorize customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.

HI customer support initiates the UCF-CCH account creation and enrollment process and will contact the requester when the process is complete.

Next step: Configure the UCF integration.

Create HI Request for UCF-CCH account integration information

For customers on Helsinki (Patch 7 and above) or Istanbul whose GRC effective contract date is December 1, 2016 or after, you must contact the UCF Common Controls Hub to arrange for a subscription if your organization plans to use the Unified Compliance Framework as the provider of your controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Sign up for a UCF CCH account and customize your basic subscription to include API access.

Role required: admin

After activating the Compliance UCF plugin:
  1. Sign in to the HI Service Portal.
  2. Click Get Help.
  3. Click Create an Incident.
  4. Select Issue Type: Request.
  5. Select Category: HI Administration.
  6. Describe the issue and provide the following information:
     - Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I have already subscribed to the UCF CCH. I am requesting that you provide me with the necessary OAuth information to complete the integration."
     - Include your company name and company account number.
     - Include the requester's name, business address, and phone number.
     Note: By providing your company and requester contact information, you authorize customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.

HI customer support initiates the OAuth integration process and will contact the requester with the integration information.

Next step: Configure the UCF integration.

Configure the UCF integration

UCF integrates with your instance through an authentication process that validates your subscription. On the UCF Configuration form, select the type of authentication, then enter either a UCF-provided API key or the OAuth2 client ID and secret provided by HI customer support. Both are credentials for your UCF subscription: handle them as such, and because configuration information is specific to the instance, do not reuse one instance's values on another.

Role required: sn_comp_ucf.admin and oauth_admin

Note: If you are using OAuth authentication, only the UCF OAuth administrator has access to the system OAuth tables. Grant the UCF OAuth administrator role to the GRC UCF administrator so that the UCF administrator can set up the UCF configuration page.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator. The configuration page for the global domain is loaded by default. If you are using domain separation, delete the default configuration page and create one specific to your domain.
  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Fill in the fields on the form, as appropriate.

Table 20: UCF Configuration
  Shared List          The shared list to be imported. Note: Shared lists appear only after the subscription has been authenticated.
  Authentication type  API Key or OAuth.

  4. Perform one of the following actions, depending on the authentication method.

For API Key authentication:
  1. Enter the API key in the API Key field.
  2. Select a shared list and click Save Configuration.

For OAuth authentication:
  Note: If you are using OAuth authentication, only the UCF OAuth administrator has access to the system OAuth tables. Grant the UCF OAuth administrator role to the GRC UCF administrator so that the UCF administrator can set up the UCF configuration page.
  1. Enter the UCF OAuth client ID and client secret provided by HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information. Note: Configuration information is specific to the instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
  2. Enter the OAuth2 profile to use for downloading. The default is the United Compliance Framework Default Profile that is installed with the UCF plugin. This field does not typically need to be changed.
  3. Enter the Redirect URL provided by HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information. Note: Configuration information is specific to the instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
  4. Select a shared list and click Save Configuration.
If UCF introduces new fields and content, administrators can use staging tables and transform maps to accommodate changes to the UCF data formats. This is an advanced configuration and is not required. The following import set tables and transform maps can be configured to customize the UCF download logic.

Table 21: Staging tables used for UCF integration (each extends the import set row table, import_set_row)
  UCF Authority Document [sn_comp_ucf_authority_document]       Stores authority documents downloaded from the UCF Common Controls Hub.
  UCF Citation [sn_comp_ucf_citation]                           Stores citations downloaded from the UCF Common Controls Hub.
  UCF Control [sn_comp_ucf_control]                             Stores controls downloaded from the UCF Common Controls Hub.
  UCF Citation to Control [sn_comp_ucf_m2m_control_citation]    Stores citation-to-control mappings downloaded from the UCF Common Controls Hub.

Table 22: Transform maps used for UCF integration
  Default Authority document transform   Transforms data from the UCF Authority Document staging table into the Authority Document table.
  Default Citation Transform             Transforms data from the UCF Citation staging table into the Citation table.
  Default Control transform              Transforms data from the UCF Control staging table into the Policy Statement table.
  Control to Citation transform map      Transforms data from the UCF Citation to Control staging table into the Policy Statement to Citation table.

Download a UCF shared list

For compliance managers to download UCF authority documents from the UCF CCH, the list must be marked as Shared. When updating authority documents or adding new ones, you must update all your authority documents to ensure that the common controls framework remains in sync with the authority documents you are using.

Role required: sn_compliance.admin or sn_compliance.manager

Note: The current design of UCF supports the downloading of mandated and implied controls. The downloading of implementation controls is not supported. See the Unified Compliance documentation, "How do I distribute an authority document list to other accounts?"

Warning: All data imported from UCF authority documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements in any UCF fields on the GRC tables.
  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Configure the UCF integration, if necessary.
  4. Click Import Shared List. A progress bar shows the progress of downloading and importing the documents. You may encounter either of the following errors.

Table 23: UCF Shared List Errors
  Connection error
    Explanation: If the internet connection is lost for any reason, this message appears.
    Resolve: Click Import Shared List to download again.
  Incomplete shared list error
    Explanation: If the selected UCF shared list that you are downloading does not include all the authority documents you have already downloaded, this message appears.
    Resolve: Return to the CCH and verify that the shared list you are trying to download includes all the authority documents from the original import to your instance. Click Import Shared List to download again.

  5. Click Review Changed Records to review the list of changed records.
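The import rule from "Authority document and shared list imports" and the incomplete-shared-list error in Table 23 are the same invariant seen from two sides: the set of documents already in the instance must be a subset of the shared list being imported. The following Python is an added example, not code from the product or from Network Frontiers, that models that precheck and the "Review Changed Records" step that follows a successful import. The record shape (a numeric ucf_id shared by the instance and the CCH, and a citation_count standing in for document content) and all sample data are constructed for illustration.

```python
"""Shared list import precheck.

Added example (not code from the product documentation or from
Network Frontiers): it models the rule that every authority document
already imported into the instance must also be present in any UCF
shared list you import next, and the follow-up review of changed
records. Record fields, the citation_count stand-in for document
content, and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorityDocument:
    ucf_id: int          # identifier the shared list and the instance agree on (assumed)
    name: str
    citation_count: int  # stand-in for the document's content; any field change counts


@dataclass
class PrecheckResult:
    ok: bool
    missing: list   # imported before, absent from the shared list: import is refused
    new: list       # in the shared list, not yet imported
    changed: list   # imported before, but the shared list carries different content


def precheck_shared_list(imported, shared_list):
    """Compare what the instance already holds with what the shared list offers.

    Documents are matched on ucf_id, not on name, so a renamed document is
    reported as changed rather than as missing plus new.
    """
    imported_by_id = {d.ucf_id: d for d in imported}
    shared_by_id = {d.ucf_id: d for d in shared_list}

    missing = sorted(d.name for i, d in imported_by_id.items() if i not in shared_by_id)
    new = sorted(d.name for i, d in shared_by_id.items() if i not in imported_by_id)
    changed = sorted(
        d.name for i, d in shared_by_id.items()
        if i in imported_by_id and imported_by_id[i] != d
    )
    return PrecheckResult(ok=not missing, missing=missing, new=new, changed=changed)


def import_shared_list(imported, shared_list):
    """Return (documents now in the instance, precheck result), or raise.

    Refusing the import when a previously imported document is absent is
    what keeps the instance consistent with the CCH: a partial re-import
    would leave the old copy of the omitted document in place, unchecked
    against whatever the CCH now publishes.
    """
    result = precheck_shared_list(imported, shared_list)
    if not result.ok:
        raise ValueError(
            "shared list omits already imported authority documents: "
            + ", ".join(result.missing)
        )
    # UCF content is read-only in the instance, so the imported set is
    # replaced wholesale rather than edited record by record.
    return list(shared_list), result


def import_is_refused(imported, shared_list):
    """True when import_shared_list() refuses the shared list."""
    try:
        import_shared_list(imported, shared_list)
    except ValueError:
        return True
    return False


# Constructed sample data. The instance already holds SOX and HIPAA.
IMPORTED = [
    AuthorityDocument(1, "SOX", 40),
    AuthorityDocument(2, "HIPAA", 75),
]
# A shared list that re-includes both, with HIPAA updated and PCI DSS added.
SHARED_COMPLETE = [
    AuthorityDocument(1, "SOX", 40),
    AuthorityDocument(2, "HIPAA", 80),
    AuthorityDocument(3, "PCI DSS", 120),
]
# A shared list that dropped SOX, as in Figure 2: the import must be refused.
SHARED_WITHOUT_SOX = [
    AuthorityDocument(2, "HIPAA", 75),
    AuthorityDocument(3, "PCI DSS", 120),
]

if __name__ == "__main__":
    docs, review = import_shared_list(IMPORTED, SHARED_COMPLETE)
    print("imported:", [d.name for d in docs])
    print("changed records to review:", review.changed, "new:", review.new)
    print("SOX-less list refused:", import_is_refused(IMPORTED, SHARED_WITHOUT_SOX))
```

Running the module imports the complete list, reports HIPAA as a changed record and PCI DSS as new, and refuses the list that omits SOX. Matching on the UCF identifier rather than on the document name is the design choice worth carrying into any real precheck, since the CCH can rename a document between imports.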

Manage controls

Controls are specific implementations of a policy statement. Retired controls do not appear in the list. Before defining controls, take time to rationalize, consolidate, and define the important controls in your organization.

Rationalize your controls

If you upload all your controls in bulk, you miss the opportunity to refine and streamline your control set. For each control, ask:
  - How does this control affect my business objective?
  - Is this control actually preventing or detecting risk?
  - Is there a different control you can put in place that better protects your business?
  - Is there a control you can put in place that reduces process overhead and improves IT performance while also mitigating risk?
  - Can a complicated control be replaced with a simpler, more effective control?
As your business changes, and as your IT data, processes, and technology improve, replace outdated controls and procedures when you implement your GRC application.

Consolidate your controls

Look for opportunities to consolidate controls. Look for common, repeated controls across multiple regulatory authorities or frameworks (for example, SOX, GLBA, and AML). Avoid operating a single control multiple times, once for each regulation, by cross-mapping controls and eliminating the redundant ones. This process establishes a single consolidated set of controls, the control framework. Performing and preserving the cross-mapping of controls is critical for audits, because the mapping is the evidence that one control satisfies each of the requirements it was consolidated from.
Figure 3: Industry regulations and requirements overlap

Define controls and business rules

The business rules you define up front determine the GRC configuration settings later. Be prepared to:
  - Identify controls and control owners
  - Define control tests and expected results
  - Establish test and control frequencies
  - Identify risks: impact and likelihood
  - Prepare attestations, assessments, questionnaires, and required evidence
  - Compose likely use cases (who needs to interact with or view the contents of the GRC system, and for what purposes)
  - Map authoritative sources to policies, to procedures, to controls, and to risks

Create a control

Controls are automatically generated when you associate a policy with a profile type or a profile type with a policy statement. A control is created for each profile listed in the profile type for the policy statement. Controls can also be created manually.

Role required: sn_compliance.admin or sn_compliance.manager
  1. Navigate to Policy and Compliance > Controls > All Controls.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
Table 25: Control
  Name              The name of the control.
  Number            Read-only field that is automatically populated with a unique identification number.
  Profile           The related profile.
  Policy Statement  The related policy statement.
  Owning group      Group that owns the control.
  Owner             User that owns the control. Note: The owner is always added as a respondent.
  Key control       Indicator that the control is a key control.
  Weighting         Used to calculate the control failure factor of a risk. Set the weighting between 1 and 10.
  Status            Read-only field. Possible values: Compliant, Non compliant, Not applicable.
  State             Read-only field. Possible values:
                    Draft: All compliance users can modify the control. Only available when creating a one-off control. One-off controls are possible but not recommended.
                    Attest: Controls created from a policy statement start in this state. Note: When a control is set back to Draft, the attestation is canceled.
                    Review: Controls are moved automatically from the Attest phase to Review.
                    Monitor: Compliance managers can move the control from Review to Monitor.
                    Retired: Compliance managers or administrators can move a control from Monitor to Retired. Indicators do not run when the control is in this state. Note: When a control is retired, any attestation associated with it is canceled.
  Enforcement       One of: Mandated, Voluntary.
  Category          One of: Acquisition or sale of facilities, technology, and services; Audits and risk management; Compliance and Governance Manual of Style; Human Resources management; Leadership and high level objectives; Monitoring and measurement; Operational management; Physical and environmental protection; Privacy protection for information and data; Records management; System hardening through configuration management; Systems continuity; Systems design, build, and implementation; Technical security; Third Party and supply chain oversight; Root; Deprecated.
  Type              One of: Acquisition/Sale of Assets or Services; Actionable Reports or Measurements; Audits and Risk Management; Behavior; Business Processes; Communicate; Configuration; Data and Information Management; Duplicate; Establish Roles; Establish/Maintain Documentation; Human Resources Management; Investigate; IT Impact Zone; Log Management; Maintenance; Monitor and Evaluate Occurrences; Physical and Environmental Protection; Process or Activity; Records Management; Systems Continuity; Systems Design, Build, and Implementation; Technical Security; Testing; Training.
  Classification    One of: Preventive, Corrective, Detective, IT Impact Zone.
  Frequency         One of: Event Driven, Daily, Weekly, Monthly, Quarterly, Semi-Annually, Annually.
  Description       A description of the control.
  Additional Information   Additional information about the control.
  Attestation section
  Attestation              Select from a list of options. Other attestation types can be configured. If this field is populated, the Attestation respondents field automatically becomes mandatory, and the owner is made a respondent. Note: If the user changes the attestation type in the policy statement, all the related controls are changed as well.
  Attestation respondents  Users assigned to the attestation of this control. Only a user with the sn_grc.user role can be added as a respondent. Note: When both the Attestation and Attestation respondents fields are set, attestations are created when you click Attest.
  Activity section
  Additional comments      Public information about the control.

  4. Click Submit.

Follow a control

Connect integrates with Policy and Compliance Management, providing an overlay to the standard interface that allows users to participate in conversations while they work and collaborate on the control record.

Role required: sn_compliance.user or sn_compliance.reader

For more information about Connect, see Connect.
  1. Navigate to Policy and Compliance > Controls > All Controls.
  2. Open the control record.
  3. Click Follow (or Following) and select one of the options from the drop-down:
     - To add the Connect sidebar, click Open Connect mini.
     - To add the Connect full-screen view, click Open Connect Full.
Attest a control

Attestations are surveys that gather evidence to prove that a control is implemented. If the control's Attestation and Attestation respondents fields are set, a notification is sent to the attestation respondents when the control moves from the Draft state to the Attest state.

Role required: sn_grc.user

Users can create multiple attestation types and set their policy statements to different attestations. A sample attestation called GRC Attestation is also provided as the default attestation. When controls are attested, a new questionnaire is created for each control. Because hundreds of GRC assessment records can be generated at once, attestations are kept in their own list view and do not appear in the Self-Service > My assessments & surveys module.
  1. Navigate to Policy and Compliance > Controls > My Attestations.
  2. Open the attestation and review the details.
  3. Do one of the following:
     - If you are unable to answer the questions: reassign the attestation to another user in the Assigned to field, then click Update and close the record. Note: Only a user with the sn_grc.user role can be reassigned the attestation. The list of attestations refreshes when you reassign an attestation to another user.
     - If you are able to answer the questions: click Take attestation, answer the questions and attach information as required, then click Submit. The list of attestations refreshes when you close the Take Assessment pop-up window.

Manage control attestations

Attestations are surveys that gather evidence to prove that a control is implemented. The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters. If the control's Attestation and Attestation respondents fields are set, a notification is sent to the attestation respondents when the control moves from the Draft state to the Attest state. Users can create multiple attestation types and set their policy statements to different attestations.

A sample attestation called GRC Attestation is provided as the default and is used for controls unless another type is selected. It asks the following questions:
  - Is this control implemented?
  - Attach evidence
  - Explain

My Attestations is in the Controls section of the Policy and Compliance application and contains the active attestations for which you are the respondent. The attestations appear in a list with a single attestation record per control. All Attestations, also in the Controls section, contains all active attestations.

Compliance managers can create new attestation types containing different kinds of questions to fit their needs. See Create a control attestation using the Attestation Designer. Compliance managers can also create a new set of questions for each policy statement. See Create an attestation type.

Attestation Designer

The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters. All attestation records are stored in assessment tables and displayed in Attestation views of those tables. The designer contains the following elements.

Table 26: Elements of the Attestation Designer
  Controls       Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
  Header bar     The header bar contains tabs that display different views and a menu of various functions. The availability of each option depends on the status of the attestation that is opened in the designer.
  Design canvas  New attestations open in the Design view. The attestation Name field appears above the first category in the canvas. A blank question field appears in the category container.

Create a control attestation using the Attestation Designer

Use the Attestation Designer to create and edit metric types, use different metric types for different controls, select multiple respondents for an attestation, and change scoring parameters.

Role required: sn_compliance.attestation_creator, sn_compliance.manager, or sn_compliance.admin
  1. Navigate to Policy and Compliance > Administration > Attestation Types.
  2. Click Attestation Designer. The designer contains the elements described in Table 26: the Controls palette, the header bar, and the design canvas.
  3. Enter a name in the Name field.
  4. Drag a control onto the designer canvas to create a question of that type.

Table 27: Question controls
  Data type           Description                                                                                   Scored
  Attachment          Question with a Manage Attachments icon that allows users to attach one or more files.       Y
  Boolean             Question with a check box or a Yes/No list for user responses.
  Choice              List of predefined options. For more information, see the definition for Choices.            Y
  Date                Date field.                                                                                   N
  Date/Time           Date and time field.                                                                          N
  Number              Number field with predefined minimum and maximum values. The default is                       N
  Percentage          Percentage field with a prescribed range.                                                     N
  Scale               Predefined Likert scale. Answer options appear as radio buttons.                              Y
  Numeric Scale       Selectable number scale. The default is 1-5. Answer options appear as radio buttons.         Y
  String              Single or multi-line text field.                                                              N
  Template            Choice list of templates that provide a predefined scale of options.                          Y
  Reference           Choice list of fields from a specified reference table. This data type does not support reference qualifiers.
  Image Scale
  Multiple Selection
  Ranking

Note: Set the correct answer for each metric that you want to be scored. Scored metrics determine the compliance status of the controls, so an attestation with no scored metric can never move a control to Non compliant.

  5. Click one of the following tabs to change the view in the canvas:
     - Design: Add categories and questions, and configure the properties of each. This is the default view of the canvas when you open the designer.
     - Configuration: Create introductions and end notes for attestations, and select a signature.
     - Availability: Select the recipients for each category in the attestation.
  6. Point to the menu icon in the upper right of the Attestation Designer to select one of the following options. Note: The availability of each option depends on the status of the attestation that is opened in the designer.
     - Save: Save the current attestation.
     - Preview: Display a preview to the selected recipients.
     - Publish: Distribute the attestation to the selected recipients.
     - Save and Publish: Save and distribute the attestation in one step.
     - New Attestation: Open a fresh canvas for a new attestation.
     - Load Attestation: Open a list of existing attestations that you can select and edit.

Unlike other types of assessments, control attestations do not appear in the Self-Service > My assessments & surveys module, because hundreds of control attestations could be generated at once. Instead, control attestations are shown as a list in the Policy and Compliance > Controls > My Attestations module and the All Attestations module.
Create an attestation type

Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each policy statement.

Role required: sn_compliance.attestation_creator, sn_compliance.manager, or sn_compliance.admin
  1. Navigate to Policy and Compliance > Administration > Attestation Types.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.

Table 28: Assessment Metric Type
  Name                 The name of the assessment type.
  Assessment duration  The number of days for which the assessment is active.
  Table
  Scale factor
  Condition
  State
  Enforce condition
  Roles

  4. Click Submit.

Manage control indicators

Continuous monitoring involves activities related to identifying and creating key risk and control indicators. The Compliance Overview is available to compliance administrators and compliance managers, providing an executive view into compliance requirements, overall compliance, and compliance breakdowns. Supporting information can be collected for indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.

Indicators
Indicators collect data to monitor controls and risks, and collect audit evidence. Each indicator monitors a single control or risk.

Indicator templates
Indicator templates allow the creation of multiple indicators for similar controls or risks.
Compliance Overview

Table 29: Compliance Overview reports in the base system
  Name                              Visual             Description
  Compliance Requirements           Donut chart        Select a wedge to focus on a specific compliance area.
  Overall Compliance                Donut chart        Displays the overall compliance of all the control requirements in the system. Selecting a specific wedge in the previous widget brings that area into focus.
  Profile                           Drop-down list     Select one or more profiles to view and compare their compliance across multiple items.
  Control State                     Check list         Select or clear check boxes to filter reports by control state.
  Compliance by Authority Document  Bar chart          Compare level of compliance depending on the selected profile and/or authority document.
  Compliance breakdown              Multi-level pivot  View a breakdown of control compliance by related authority documents and policies.
  Non Compliant Profiles            Column chart       Count of non-compliant control requirements grouped by profile.

Authority Documents

Authority documents define policies, risks, controls, audits, and other processes to ensure adherence to the authoritative content. Each authority document is defined in a record, and the related lists on that record contain the individual conditions of the authority document. The relationships of these authority document related list items are visible in the GRC Workbench in the Policy and Compliance Management application.

Citations

Citations contain the provisions of the authority document, which can be interrelated. Citations break down an authority document into manageable themes. You can create citations or import them from UCF authority documents, and then create any necessary relationships between the citations.
80 Create a control indicator Indicator data for controls, risk, and audit evidence are measured differently depending on the GRC application. Role required: compliance_admin or compliance_manager Navigate to one of the following locations: Policy and Compliance Indicators Indicators. Risk Indicators Indicators. Audit Indicators Indicators. Select New. Fill in the fields on the form, as appropriate. Table 30: Indicator Field Number Read-only field that is automatically populated with a unique identification number. Active Check box that determines whether the indicator is active. Name Name of the indicator. Item The related control or risk. Template The related indicator template. Applies to The profile related to the Item. Owner The indicator owner. Owning group The group that owns the indicator. Override Template Click to override the indicator template associated to this indicator Last result passed Read-only field indicating whether last result passed. Schedule Collection frequency Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule. Next run time Read-only field that is automatically populated with the next collection time for indicator results. Method All rights reserved. 80

Type | Results can be gathered manually using task assignment, or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, PA Indicator, Script.
Short description | Present if Type is Manual. Brief description of the issue.
Instructions | Present if Type is Manual. Instructions for the collection of indicator results.
Value Mandatory | Present if Type is Manual.
Passed/Failed | Present if Type is Basic. Whether the indicator passes or fails.
PA Threshold | Present if Type is PA Indicator. The associated PA Threshold.
Script | Present if Type is Script. Script that obtains the desired system information.

Supporting Data
Table | Use supporting data to gather supporting evidence from other applications.
Supporting data fields | Supporting data fields based on the selected table.

4. Click Submit.

Create a GRC indicator template

Compliance or risk managers create indicator templates from which many indicators can be created.

Role required:
compliance_admin or compliance_manager
risk_admin or risk_manager
audit_admin or audit_manager

1. Navigate to one of the following locations:
   Policy and Compliance > Indicators > Indicator Templates
   Risk > Indicators > Indicator Templates
   Audit > Indicators > Indicator Templates
2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 31: Indicator template

Field | Description
Name | Name of the indicator template.
Active | Check box that determines whether the indicator template is active.
Content | The related policy statement or risk statement.

Schedule
Collection frequency | Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
Next run time | Read-only field that is automatically populated with the next collection time for indicator results.

Method
Type | Results can be gathered manually using task assignment, or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, PA Indicator, Script.
Short description | Present if Type is Manual. Brief description of the issue.
Instructions | Present if Type is Manual. Instructions for the collection of indicator results.
Value Mandatory | Present if Type is Manual.
Passed/Failed | Present if Type is Basic. Whether the indicator passes or fails.
PA Threshold | Present if Type is PA Indicator. The associated PA Threshold.
Script | Present if Type is Script. Script that obtains the desired system information.

Supporting Data
Collect Supporting Data | Check to gather supporting evidence from other applications.
Table | The supporting data table.
Supporting Data Fields | The fields from the supporting data table to be considered.

Criteria | Select the filter conditions.
Use reference field | Select to join the supporting data table to the profile's table through a reference field.
Reference field | Creates a join between the supporting data table and the table in the profile's Applies to field. For example, if the profile table is cmdb_ci_computer and the supporting data table is incident, a supporting data query named "incidents with critical priority" returns all critical incidents on every indicator execution, regardless of profile. To find only the critical incidents linked to the profile CEO's laptop (you already have an indicator on a control related to this profile), select the reference field Configuration item from the incident table. The supporting data query then becomes: all critical incidents where Configuration item = CEO's laptop, and the indicator is specific to the profile of the control it is attached to. Note: The reference field is useful only when the supporting data table has a reference to the profile's table.
Sample size | Limits the number of records retained from the supporting data table. For example, a basic indicator could query a large table and return thousands of records on each execution. You do not need to save all of them, only a sample. With a sample size of 100, only 100 records are saved even though the query returned thousands.

4. Click Submit.
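The reference-field join and sample-size behaviour described above, as an added example in plain JavaScript. This is not ServiceNow code and does not use the platform API: the tables are stand-ins for cmdb_ci_computer and incident built from constructed records, and the pass rule (the indicator passes only when no supporting record matches) is an assumption, since the form only says that a Basic indicator passes or fails.

```javascript
// Added example, not ServiceNow code: a model of how a Basic indicator with
// supporting data is evaluated for each profile. Table and field names mirror
// the example in the text; the pass rule is an assumption for illustration.

// Constructed profiles whose "Applies to" record lives in cmdb_ci_computer.
const PROFILES = [
  { sys_id: "p1", name: "CEO's laptop", applies_to_table: "cmdb_ci_computer", applies_to: "ci-001" },
  { sys_id: "p2", name: "CFO's laptop", applies_to_table: "cmdb_ci_computer", applies_to: "ci-002" },
];

// Constructed rows standing in for the incident table. cmdb_ci is the
// reference field back to cmdb_ci_computer (null = no CI linked).
const INCIDENTS = [
  { sys_id: "inc1", number: "INC0001", priority: 1, cmdb_ci: "ci-001" },
  { sys_id: "inc2", number: "INC0002", priority: 3, cmdb_ci: "ci-001" },
  { sys_id: "inc3", number: "INC0003", priority: 1, cmdb_ci: "ci-002" },
  { sys_id: "inc4", number: "INC0004", priority: 1, cmdb_ci: "ci-002" },
  { sys_id: "inc5", number: "INC0005", priority: 1, cmdb_ci: null },
];

// An indicator template as the form describes it: criteria, an optional
// reference field that joins supporting data to the profile, and a sample
// size that caps how many matching records are kept as evidence.
function makeTemplate(overrides) {
  return Object.assign({
    name: "Critical incidents on profile CI",
    table: "incident",
    criteria: (rec) => rec.priority === 1,   // "all critical incidents"
    useReferenceField: true,
    referenceField: "cmdb_ci",               // incident -> cmdb_ci_computer
    sampleSize: 1,                           // 0 = keep everything
    // Assumed pass rule: a control passes when nothing matches.
    passes: (matchedCount) => matchedCount === 0,
  }, overrides);
}

// Evaluate one indicator execution for one profile.
function runIndicator(template, profile, rows) {
  let matched = rows.filter(template.criteria);
  if (template.useReferenceField) {
    // The join: keep only supporting records whose reference field points
    // at this profile's record. Without it every profile sees every row.
    matched = matched.filter((r) => r[template.referenceField] === profile.applies_to);
  }
  // Sample size limits what is stored as evidence, not what is counted:
  // pass/fail is decided on the full match count.
  const saved = template.sampleSize > 0 ? matched.slice(0, template.sampleSize) : matched;
  return {
    profile: profile.name,
    matchedCount: matched.length,
    savedEvidence: saved.map((r) => r.number),
    passed: template.passes(matched.length),
  };
}

// One indicator exists per profile of the control, so run for each profile.
function runForAllProfiles(template, profiles, rows) {
  return profiles.map((p) => runIndicator(template, p, rows));
}

console.log(JSON.stringify(runForAllProfiles(makeTemplate({}), PROFILES, INCIDENTS), null, 2));
```

With the reference field enabled, the CEO's laptop profile sees one critical incident and the CFO's laptop sees two (only one of which is saved as evidence with a sample size of 1); with the join disabled, every profile sees all four critical incidents, including the one with no CI at all, which is the situation the Note above warns about. Keeping the count separate from the saved sample matters in practice: an auditor reading the evidence list sees a sample, but the pass/fail decision must not be taken on the truncated list.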

Monitor controls using GRC Performance Analytics indicators

You can link Policy and Compliance Management content and items to Performance Analytics (PA) indicators, breakdowns, and thresholds. Associating PA indicators with policy statements and controls lets you view scorecards, analyze current conditions, and follow trends.

A risk or control associated with a PA indicator (or with a PA indicator, breakdown, and element) automatically monitors every PA threshold defined on that same PA indicator, or on that same PA indicator, breakdown, and element. Each threshold breach is recorded in a breach counter on the relationship between the risk or control and the PA indicator. See Performance Analytics.

PA threshold breach impact

When the breach counter on a risk-or-control to PA indicator relationship is non-zero (that is, a PA threshold with the same PA indicator, or the same PA indicator, breakdown, and element, has been breached) and no open issue already exists for that risk or control, an issue is created and associated with the risk or control. Additionally, for risks, the Indicator failure factor is the number of risk to PA indicator relationships whose breach counter is non-zero.
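The breach counter, issue creation, and Indicator failure factor behaviour described above, as an added example in plain JavaScript. It is not ServiceNow code: the relationship records, the indicator names, and the issue numbering are constructed for illustration, and the breach events stand in for PA threshold evaluations.

```javascript
// Added example, not ServiceNow code: a model of PA threshold breach counters
// on risk/control to PA indicator relationships. All identifiers are constructed.

// Each row is a relationship between a risk or control and a PA indicator.
// breakdown/element are null for an indicator-level relationship.
function makeRelationships() {
  return [
    { id: "rel1", item: "RISK0001", itemType: "risk",    paIndicator: "open_p1_incidents", breakdown: null,               element: null,      breachCounter: 0 },
    { id: "rel2", item: "RISK0001", itemType: "risk",    paIndicator: "patch_compliance",  breakdown: "business_service", element: "Email",   breachCounter: 0 },
    { id: "rel3", item: "CTRL0007", itemType: "control", paIndicator: "patch_compliance",  breakdown: "business_service", element: "Payroll", breachCounter: 0 },
  ];
}

// A threshold breach carries the (indicator, breakdown, element) key of the
// threshold that fired; a relationship monitors only thresholds with the
// same key, so an Email breach does not touch the Payroll relationship.
function relationshipMatches(rel, breach) {
  return rel.paIndicator === breach.paIndicator &&
         rel.breakdown === breach.breakdown &&
         rel.element === breach.element;
}

// Apply one breach: increment every matching relationship's counter, and open
// an issue for the related risk or control unless one is already open.
function applyBreach(state, breach) {
  for (const rel of state.relationships) {
    if (!relationshipMatches(rel, breach)) continue;
    rel.breachCounter += 1;
    const alreadyOpen = state.issues.some((i) => i.item === rel.item && i.state !== "Closed");
    if (!alreadyOpen) {
      state.issues.push({
        number: "ISS" + String(state.issues.length + 1).padStart(4, "0"),
        item: rel.item,
        state: "New",
        source: rel.paIndicator,
      });
    }
  }
  return state;
}

// Indicator failure factor for a risk: the number of its PA indicator
// relationships whose breach counter is non-zero (not the sum of breaches).
function indicatorFailureFactor(state, riskId) {
  return state.relationships.filter(
    (r) => r.itemType === "risk" && r.item === riskId && r.breachCounter !== 0
  ).length;
}

// "Reset all PA Indicator breach counters" for one risk or control.
function resetBreachCounters(state, itemId) {
  for (const r of state.relationships) {
    if (r.item === itemId) r.breachCounter = 0;
  }
  return state;
}

function newState() {
  return { relationships: makeRelationships(), issues: [] };
}

// Stand-alone run: two Email breaches and one incident breach against RISK0001.
const demo = newState();
applyBreach(demo, { paIndicator: "patch_compliance", breakdown: "business_service", element: "Email" });
applyBreach(demo, { paIndicator: "patch_compliance", breakdown: "business_service", element: "Email" });
applyBreach(demo, { paIndicator: "open_p1_incidents", breakdown: null, element: null });
console.log("issues:", demo.issues.length, "failure factor:", indicatorFailureFactor(demo, "RISK0001"));
```

Two points the model makes visible: a second breach on the same relationship raises the counter but does not open a second issue while the first is still open, and the failure factor counts breached relationships rather than breaches, so two relationships with counters of 2 and 1 give a factor of 2. Resetting the counters clears the factor but does not close the issue; closing the issue is a separate decision.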

Reset all PA Indicator breach counters

Reset the breach counters associated with a risk or control by clicking Reset all PA Indicator breach counters on the risk or control, or by opening the specific relationship and clicking Reset Breach Counter.

GRC PA indicator breach reports

Two reports are provided for reporting on breaches:
Risk PA Indicator Breaches
Control PA Indicator Breaches

Activate GRC: Performance Analytics Integration

The GRC: Performance Analytics Integration plugin integrates Performance Analytics with the Risk Management and Policy and Compliance Management applications, providing more insight into organizational risk and compliance performance.

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.
4. If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
5. If available, select the Load demo data check box. Some plugins include demo data: sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
6. Click Activate.
After activating the GRC: Performance Analytics Integration plugin on an instance that has customized related lists on content (risk statements or policy statements) or items (risks or controls), you may have to add the PA Indicator to content relationships and/or the PA Indicator to item relationships manually.

Associate a PA indicator with a risk statement or policy statement

You can associate Performance Analytics indicators with risk statements and policy statements to analyze trends related to the risk or policy.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   Policy and Compliance > Policies and Procedures > Policy Statements
   Risk > Risk Library > Risk Statements
2. Open a risk statement or policy statement.

3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 32: PA Indicators

Field | Description
PA Indicator (mandatory) | The Performance Analytics indicator to associate the risk statement or policy statement with.

5. Click Submit.

On the risk statement or policy statement form, the PA Indicators related list shows the associated indicator. You can optionally click View Indicator on the desired indicator to see its Performance Analytics scorecard.

The PA indicator associations are carried over to all risks or controls associated with the original risk statement or policy statement. Additionally, if the indicator has a breakdown that matches the risk or control's profile (for example, a Business Service breakdown), the Breakdown and Element fields of the relationship are filled in automatically.

Associate a PA indicator with risks and controls

You can associate Performance Analytics indicators with risks and controls to analyze trends related to the profile that the risk or control belongs to.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   Policy and Compliance > Controls > All Controls
   Risk > Risk Register > All Risks
2. Open a risk or control.
3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 33: PA Indicators

Field | Description
PA Indicator (mandatory) | The Performance Analytics indicator to associate the risk or control with.
Breakdown | Select a breakdown to view a specific trend based on the breakdown element.
Element | Select the breakdown element to view a particular trend and scorecard. Note: This field appears only when the Breakdown field is populated. When visible, it is mandatory.

5. Click Submit.

On the risk or control form, the PA Indicators related list shows the associated indicator. You can optionally click View Indicator on the desired indicator to see its Performance Analytics scorecard.

Update associated GRC indicators for a set of items

You can update all of the items belonging to a GRC content record so that each item is individually related to the content record's PA indicators.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   Policy and Compliance > Policies and Procedures > Policy Statements
   Risk > Risk Library > Risk Statements
2. Open a risk statement or policy statement that has an associated Performance Analytics indicator.
3. Click the Update PA Relationships related link.

All of the risks or controls related to the risk statement or policy statement are automatically associated with all of the statement's indicators. Additionally, if an indicator has a breakdown that matches the risk or control's profile (for example, a Business Service breakdown), the Breakdown and Element fields of the relationship are filled in automatically.

Manage compliance issues and remediation

Issues can be created manually to document audit observations or remediations, or to accept known problems. They are also generated automatically from indicator results, attestation results, and control test effectiveness. The following issue types are created under the following conditions:

Issue | Created when an indicator fails.
Control issue | Created when a control attestation is completed indicating that the control is Not implemented.
Control test issue | Created when a control test is closed complete with the control effectiveness set to Ineffective.
Other issue | Created manually by the user.

Remediating an issue records the intention to fix the underlying problem causing the control failure or risk exposure. Accepting an issue records the intention to create an exception for a known control failure or risk.
Controls whose issues are Accepted remain in a non-compliant state until the control is reassessed; accepting the issue documents the exception but does not make the control compliant. In this way, the issue can also be used to document observations during audits.

Create a GRC issue manually

Manually create issues to document audit observations, the intention to remediate, or the acceptance of a known problem.

Role required (per product):
In Policy and Compliance Management: compliance_admin, compliance_manager, or sn_compliance.user
In Risk Management: risk_admin, risk_manager, or sn_risk.user
In Audit Management: audit_admin, audit_manager, or sn_audit.user

1. Navigate to one of the following locations:
   Policy and Compliance > Issues > Create New

   Risk > Issues > Create New
   Audit > Issues > Create New
2. Fill in the fields on the form, as appropriate.

Table 34: Issue

Field | Description
Number | Read-only field that is automatically populated with a unique identification number.
Assignment group | The group to which this issue is assigned. Each member receives a notification when activity occurs on this issue.
Assigned to | The member of the group assigned to resolve the issue.
Configuration item | The configuration item associated with this issue.
State | State of the issue: New, Analyze, Respond, Review, Closed.
Priority | Priority of the issue: 1 - Critical, 2 - High, 3 - Moderate, 4 - Low, 5 - Planning.
Issue group rule | The group rule assigned to this issue.
Parent Issue | The parent issue this issue belongs to.
Location | The location where the issue occurred.
Short description | Brief description of the issue.

Details
Profile | The related profile.
Item | The related control or risk.
Content | The content of the issue: a more detailed explanation of the issue.
Recommendation | The recommended action to resolve this issue.

Dates

Planned start date | Date and time that work on the issue is expected to begin.
Planned end date | Date and time that work on the issue is expected to end.
Planned duration | Estimated amount of work time. Calculated from the Planned start date and Planned end date.
Actual start date | Time when work began on this issue.
Actual end date | Time when work on this issue was completed.
Actual duration | Amount of work time. Calculated from the Actual start date and Actual end date.

Activity
Work notes | Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
Additional comments (Customer visible) | Public information about the issue.

Engagement
Engagement | The related engagement.

3. Click Submit.

Out-of-the-box GRC: Policy and Compliance Management Performance Analytics Solutions

Performance Analytics Solutions contain preconfigured best-practice dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.

Note: To evaluate the functionality, you can activate Performance Analytics solutions and in-form analytics on instances that have not licensed Performance Analytics, with the following limitations: you cannot create new indicators, and you cannot collect data older than 180 days. For full functionality, license Performance Analytics. For more information, see Get licensed Performance Analytics.

Performance Analytics Solutions

Use the Performance Analytics widgets on the dashboard to visualize data over time, analyze your business processes, and identify areas of improvement. With solutions, you can get value from Performance Analytics for your application with minimal setup.

Note: Solutions include some dashboards that are inactive by default. You can activate these dashboards to make them visible to end users according to your business needs.

To enable the solution plugin for Policy and Compliance Management, an admin can navigate to System Definition > Plugins and activate the Performance Analytics - Content Pack - GRC:Policy and Compliance Management plugin.

GRC Compliance Overview dashboard

The Compliance Overview dashboard provides an executive view into compliance requirements, overall compliance, and compliance breakdowns, so that areas of concern can be identified quickly. Because this dashboard uses interactive filtering, the licensed version of Performance Analytics is required.

End users

End user and goal | Required role
Audit Manager: needs clear visibility into the overall state of compliance within the organization. | sn_compliance.manager
Audit Administrator: needs to pinpoint areas of concern quickly. | sn_compliance.admin
Audit Analyst: needs to quickly prioritize which risks and tasks to focus on, based on criticality to the organization. | sn_compliance.user

Compliance Overview dashboard - PA Premium

The Compliance Overview dashboard provides views into the source of compliance requirements, the level of compliance, and

Reports

The Compliance Overview dashboard contains the following reports:

Name | Type | Description
Compliance Breakdown | Multilevel pivot | Citations are records with the specific requirements cited by an authority document.
Compliance by Authority Document | Horizontal bar | The regulations, certifications, frameworks, standards, and best practices that an organization chooses, or is required, to comply with.
Compliance Requirements | Donut | The number of open requirements by authority document.
Compliance score by department | Bar | Overall (average) compliance score by assignment group/department.
Compliance score trends | Box | Overall compliance by authority document over time.
Overall Compliance | Donut | Overall compliance percentage by citation and authority document.

GRC Policy Exception Overview dashboard

The Policy Exception Overview dashboard provides views into the number, severity, and source of policy exceptions. It also shows exempted controls.


End users

End user and goal | Required role
Audit Manager: needs clear visibility into the overall state and volume of policy exceptions within the organization. | sn_policy.manager
Audit Administrator: needs to pinpoint areas of concern quickly. | sn_policy.admin
Audit Analyst: needs to quickly prioritize which risks and tasks to focus on, based on criticality to the organization. | sn_policy.user

Reports

The Policy Exception Overview dashboard contains the following reports:

Name | Type | Description
Active Policy Exceptions | Bar | Number of active exceptions against open policies.
Approved Policy Exceptions | List | Total number of approved policy exceptions.
Exempted Controls | List | Controls that have exempt status.
Exempted Controls Risks | List | Control risks that have exempt status.
Policy Exceptions | List | Policies are related to authority documents and control records. Publishing and version control of policies are managed using the document and knowledge management capabilities of the Now Platform. Custom workflows ensure that all policy changes are routed to the appropriate owners for final approval. All approved organizational policies are published in the knowledge base.
Policy Exceptions by Department | Bar | Total number of policy exceptions, broken down by department.
Policy Exceptions by Policy | Bar | Total number of policy exceptions, broken down by policy.

Policy Exceptions by Policy Statement | Horizontal bar | Total number of policy exceptions, broken down by policy statement.
Policy Exceptions by Priority | Donut | Total number of policy exceptions, broken down by priority.
Policy Exceptions by Profile | Horizontal bar | Total number of policy exceptions, broken down by profile.

Risk Management

The Risk Management application provides a centralized process to identify, assess, respond to, and continuously monitor enterprise and IT risks that may negatively impact business operations. The application also provides structured workflows for the management of risk assessments, risk indicators, and risk issues.

Explore: Understanding Risk Management
Set up: Activate Risk Management on page 97; Components installed with Risk Management on page 98
Administer: Configure Risk Management on page 102; Risk Management Administration on page 102
Use: Manage risks, risk statements, and risk frameworks on page 115; Manage profile and risk dependencies using the GRC Workbench on page 133
Develop: Developer training; Developer documentation
Troubleshoot and get help: Ask or answer questions in the GRC community; Search the HI Knowledge Base for known error articles; Contact Support

Understanding Risk Management

Who uses Risk Management?

The complete risk process involves all areas of your organization working together:
Audit committee
IT steering committee
Risk officers (conduct risk assessments and identify all that can go wrong in the business)
All levels of management (assist the risk officers with the identification of what can go wrong in their processes)

Key activities for Risk Management

Once the key roles are identified, work together on the following:
Determine what level of risk the organization is willing to accept: get risk data in place, and then decide what is acceptable.
Develop a risk management policy, expressed through risk frameworks and risk statements.
Develop risk assessment and response procedures.
Implement controls to reduce your organization's exposure to risk.
Measure your risk exposure and improvements.
Repeat at a regular interval.

Risk Management and the Now Platform

Because the Risk Management application is built on the Now Platform, data and evidence from the platform is provided back to Risk Management.

Activate Risk Management

The GRC: Risk Management (com.sn_risk) plugin is available as a separate subscription.

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.

4. If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
5. If available, select the Load demo data check box. Some plugins include demo data: sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
6. Click Activate.

Components installed with Risk Management

Activating the GRC: Risk Management (com.sn_risk) plugin adds or modifies several tables, user roles, and other components.

Tables installed with Risk Management

The following tables are added when GRC: Risk Management is activated.

Table | Description
Risk [sn_risk_risk] | Extends the Item table [sn_grc_item] and stores specific risks associated with profiles.
Risk Statement [sn_risk_definition] | Extends the Content table [sn_grc_content] and stores definitions of risks.
Risk Framework [sn_risk_framework] | Extends the Document table [sn_grc_document] and stores all risk frameworks, each a collection of risk statements.
Risk Framework to Profile Type [sn_risk_m2m_framework_profile_type] | Extends the Document to Profile Type table [sn_grc_m2m_document_profile_type]; a many-to-many relationship table used to manage the relationships between risk frameworks and profile types.
Profile Type to Risk Statement [sn_risk_m2m_risk_definition_profile_type] | Extends the Content to Profile Type table [sn_grc_m2m_content_profile_type]; a many-to-many relationship table used to manage the relationships between profile types and risk statements.
Risk Tasks [sn_risk_m2m_risk_task] | Stores many-to-many relationships between risks and tasks.
Risk Response Task [sn_risk_response_task] |
Risk Transfer [sn_risk_transfer_task] |
Color Setting [sn_risk_color_setting] |

Risk Avoidance [sn_risk_avoidance_task] |
Risk Acceptance [sn_risk_acceptance_task] |
Risk Mitigation [sn_risk_mitigation_task] |

Note: All additional tables installed by the dependent plugins are also needed for GRC: Risk Management.

Properties installed with Risk Management

The following properties are added when GRC: Risk Management is activated.

sn_risk.active_states | States for which the risk is active (the first state is the default active state). Type: string. Default value: draft, assess, review, monitor. Location: Risk > Administration > Properties.
sn_risk.closed_states | States for which the risk is inactive (the first state is the default inactive state). Type: string. Default value: retired. Location: Risk > Administration > Properties.
sn_risk.default_assessment | Name of the assessment metric type that is used for risk assessment. Type: string. Default value: Risk Assessment. Location: Risk > Administration > Properties.
sn_risk.glide.script.block.client.globals | Type: true or false. Default value: false. Location: Risk > Administration > Properties.
sn_risk.qualitative_impact | Use qualitative impact scores as input. Type: true or false. Default value: false. Location: Risk > Administration > Properties. Note: If upgrading from Geneva (or earlier) or Helsinki (or later) and the value was previously set to true, the value remains true after upgrading.

sn_risk.qualitative_likelihood | Use qualitative likelihood scores as input. Type: true or false. Default value: false. Location: Risk > Administration > Properties.

Roles installed with Risk Management

The following roles are added when GRC: Risk Management is activated.

Role title [name] | Description | Contains roles
Risk User [sn_risk.user] | Contains the reader and user roles in the sn_grc scope, and the reader role in the Risk Management application. In addition to the inherited permissions, the risk user can view profile types, profiles, risks, and remediation tasks. The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules. | sn_grc.reader, sn_grc.user, sn_risk.reader. Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated: grc_compliance_reader, grc_user, grc_audit_reader, grc_control_test_reader, task_editor.
Risk Reader [sn_risk.reader] | Contains the reader role in the sn_grc scope. In addition to the inherited permissions, the risk reader has read-only access to the Risk application and modules and can be assigned risks. | sn_grc.reader

Assessment Creator [sn_risk.asmt_creator] | Can create risk assessments. | sn_grc.reader, sn_grc.user, sn_grc.manager, sn_risk.reader, sn_risk.user. Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated: grc_audit_reader, task_editor, certification_admin, grc_test_definition_admin, grc_control_test_reader, assessment_admin, certification, grc_compliance_reader, certification_filter_admin, grc_user.
Risk Manager [sn_risk.manager] | Contains the reader, user, and manager roles in the sn_grc scope, and the reader and user roles in the Risk Management application. In addition to the inherited permissions, the risk manager can create risk frameworks, risk statements, and risks. | sn_grc.reader, sn_grc.user, sn_grc.manager, sn_risk.reader, sn_risk.user. Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated: grc_audit_reader, task_editor, certification_admin, grc_test_definition_admin, grc_control_test_reader, assessment_admin, certification, grc_compliance_reader, certification_filter_admin, grc_user.

Risk Admin [sn_risk.admin] | Contains the reader, user, manager, and admin roles in the sn_grc scope, and the reader, user, and manager roles in the Risk Management application. In addition to the inherited permissions, the risk admin can delete risk frameworks, risk statements, and risks, and can modify admin properties and risk criteria. | sn_grc.reader, sn_grc.user, sn_grc.manager, sn_grc.admin, sn_risk.reader, sn_risk.user, sn_risk.manager. Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated: grc_audit_reader, task_editor, certification_admin, grc_test_definition_admin, grc_control_test_reader, assessment_admin, certification, grc_compliance_reader, certification_filter_admin, grc_admin, grc_user.

Configure Risk Management

Administrators in the global domain can set properties that determine how the system defines the Risk Management application.

Role required: sn_risk.admin

Note: Administrators in domains below the global domain can view the Properties screen, but cannot modify the settings.

1. Navigate to Risk > Administration > Properties.
2. Fill in the fields on the Risk Management Properties form. See Properties installed with Risk Management on page 99 for property descriptions.
3. Click Save.

Risk Management Administration

Using the Risk Management application, administrators can customize risk categories, risk criteria, risk management properties, and risk assessment types.

Risk Criteria

Risk criteria are the scoring values attributed to the likelihood that a risk will occur, and to the impact (significance) to your organization if it does occur. Risk criteria thresholds map the likelihood, significance, and resulting scores to the levels shown:

Table 35: Risk Criteria Thresholds

Likelihood | Significance | Score
1 = Extremely Unlikely | 1 = Very Low | 0-5 = Very Low
2 = Unlikely | 2 = Low | 6-10 = Low
3 = Neutral | 3 = Moderate | Moderate
4 = Likely | 4 = High | High
5 = Extremely Likely | 5 = Very High | Very High

Table 36: Risk properties

Name | Description
Maximum value for Significance | Sets the maximum value (1-10) for significance in the risk criteria table. Decimals cannot be used and are rounded if entered.
Maximum value for Likelihood | Sets the maximum value (1-10) for likelihood in the risk criteria table. Decimals cannot be used and are rounded if entered.
A list of tables that are available in the Applies to field on forms | Defines a comma-separated list of tables available in the Applies to field on the Profile Type, Profile, and Risk forms. If this field is blank, all tables are available. Add .extended after a table name to include all tables that extend it.

Assessment Types

Risk managers can create a new set of questions for each risk assessment. See Create an assessment type on page 127.

Establish profile scoping for risks

Profile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model, or by creating tiers.

Profile scoping provides a way to allocate risks and controls at different levels. It involves the following elements:

Profile Classes

Profile classes allow GRC managers to separate profiles for better distinction, for example Business Service profiles, Department profiles, and Business Unit profiles. Reports can be filtered to show relationships between the different profile classes. A profile class defines what a profile actually is. A profile can belong to many profile types, but it has only one profile class (for example, Business Service). Profile classes can roll up to each other, which is the basis of the dependency model.

Profile Types

Profile types are dynamic categories containing one or more profiles. Business logic automates the creation and categorization of profiles for every record in the system that meets the profile type's conditions. Profile types are assigned to policy statements, which generate controls for every profile in the profile type.

Profiles

Profiles are the records that aggregate GRC information related to a specific item. Each profile is associated with a single record from any table in the instance. Profiles cannot be created for items that do not have a record in a table on the platform.

Example of Profile Scoping

In this scoping example, the profile types contain the following profiles:

Global Office Locations
    Los Angeles Office
    New York Office
    Berlin Office
North American Office Locations
    Los Angeles Office
    New York City Office
European Union Office Locations
    Berlin Office

How do profiles relate to Risk Management?

Profile scoping provides a systematic assignment of policy statements to controls and maintains relational and hierarchical connections between those controls. Profiles and profile types can be a many-to-many relationship. Profile types are the high-level categories and profiles are the individual items that can be associated to the profile type.

In this Policy and Compliance scoping example:
    policies and policy statements are assigned to profile types
    controls are created based on the profiles and associated policy statements

Note: Policy statements can be created without a policy, but must be assigned a profile type. Controls can be created without an associated policy or policy statement, but must be assigned to a profile.


Dependency models and maps

In the Jakarta release, the dependency map was aligned with the dependency model for establishing upstream and downstream relationships between profiles. In the London release, tiers establish those relationships.

Dependency models
Dependency modeling ensures that an organization establishes a uniform definition of risk across the enterprise. The dependency model defines what relationships are allowed between different types of areas in the organization. This enables more effective risk normalization and aggregation by allowing stakeholders to compare and contrast risk appetite and exposure at various levels of the enterprise. Creating a dependency model involves creating profile classes and defining how classes are structured in relation to each other using the Roll up to field.

Dependency maps
Once dependency modeling is complete, you can build out a dependency map to define how different parts of the organization are related to each other. The dependency map represents what profile relationships exist. For example, you could specify that certain projects and business services affect the HR department, which in turn affects the enterprise. Defining the dependency map involves creating profiles, defining the profile class for each profile, then relating profiles to each other by specifying the upstream/downstream relationship.
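The following is an added example, not ServiceNow's own code, that checks a dependency model and a dependency map of the kind described above against the rules stated in this section: profile classes roll up toward a single root class, the root class does not roll up (see the Is Root field under Create a profile class), and profiles are related upstream/downstream. The record shapes (name, rollUpTo, isRoot, profileClass) and the eligibility rule for a profile relationship (the upstream profile's class must roll up, directly or transitively, to the downstream profile's class) are assumptions for illustration; the page itself only says that eligible profiles are limited by class and tier.

```javascript
// Added example (not ServiceNow code). Validates a constructed dependency model
// (profile classes with their Roll up to links) and checks proposed upstream/
// downstream profile relationships against it. Record shapes are assumptions.

// Rules from the page: exactly one root class, the root does not roll up, and
// every other class must reach the root by following Roll up to links.
function validateDependencyModel(classes) {
  const errors = new Set();
  const byName = new Map(classes.map((c) => [c.name, c]));
  const roots = classes.filter((c) => c.isRoot);
  if (roots.length !== 1) {
    errors.add(`exactly one root class is required, found ${roots.length}`);
  }
  for (const c of classes) {
    if (c.isRoot && c.rollUpTo) {
      errors.add(`root class ${c.name} cannot roll up to another class`);
    } else if (!c.isRoot && !c.rollUpTo) {
      errors.add(`class ${c.name} must roll up to another class`);
    } else if (c.rollUpTo && !byName.has(c.rollUpTo)) {
      errors.add(`class ${c.name} rolls up to unknown class ${c.rollUpTo}`);
    }
    // Follow the roll-up chain; it must end at the root without looping.
    const seen = new Set();
    let cur = c;
    while (cur && !cur.isRoot) {
      if (seen.has(cur.name)) {
        errors.add(`roll-up cycle through class ${cur.name}`);
        break;
      }
      seen.add(cur.name);
      cur = byName.get(cur.rollUpTo);
    }
  }
  return [...errors];
}

// True when fromClass reaches toClass by following Roll up to links.
function rollsUpTo(classes, fromClass, toClass) {
  const byName = new Map(classes.map((c) => [c.name, c]));
  const seen = new Set();
  let cur = byName.get(fromClass);
  while (cur && cur.rollUpTo && !seen.has(cur.name)) {
    if (cur.rollUpTo === toClass) return true;
    seen.add(cur.name);
    cur = byName.get(cur.rollUpTo);
  }
  return false;
}

// Assumed eligibility rule for the dependency map: a profile may be upstream of
// another only when its class rolls up to the other profile's class, so risk
// flows from lower-level profiles (business services) to higher-level ones.
function checkRelationship(classes, profiles, rel) {
  const byName = new Map(profiles.map((p) => [p.name, p]));
  const up = byName.get(rel.upstream);
  const down = byName.get(rel.downstream);
  if (!up || !down) return { ok: false, reason: "unknown profile" };
  if (up.name === down.name) return { ok: false, reason: "a profile cannot relate to itself" };
  if (!rollsUpTo(classes, up.profileClass, down.profileClass)) {
    return { ok: false, reason: `${up.profileClass} does not roll up to ${down.profileClass}` };
  }
  return { ok: true, reason: "" };
}

// Constructed sample model and map (not from any real instance).
const SAMPLE_CLASSES = [
  { name: "Enterprise", rollUpTo: null, isRoot: true },
  { name: "Department", rollUpTo: "Enterprise", isRoot: false },
  { name: "Business Service", rollUpTo: "Department", isRoot: false },
];
const SAMPLE_PROFILES = [
  { name: "ACME Corp", profileClass: "Enterprise" },
  { name: "HR", profileClass: "Department" },
  { name: "Payroll Service", profileClass: "Business Service" },
];

console.log(validateDependencyModel(SAMPLE_CLASSES));            // []
console.log(checkRelationship(SAMPLE_CLASSES, SAMPLE_PROFILES,
  { upstream: "Payroll Service", downstream: "HR" }));           // ok: true
console.log(checkRelationship(SAMPLE_CLASSES, SAMPLE_PROFILES,
  { upstream: "HR", downstream: "Payroll Service" }));           // ok: false
```

Running the model check before building the map catches the two configuration mistakes the page warns about (a second root class, or a root that rolls up) and also a roll-up cycle, which the form itself does not prevent; the relationship check then rejects a map entry that would make risk flow against the model.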

Tiers

In the London release, tiers establish upstream and downstream relationships. Profile tiers are assigned to profile classes. The base system provides three tiers: Business, Application, and IT Asset. Administrators can edit or add to the tiers.

Create a profile class

GRC managers create profile classes representing the types of items in their organization. Reports can be filtered to define relationships between the different profile classes.
Role required: sn_grc.manager
A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services) in that a profile can belong to many profile types but a profile can have only one profile class (for example, Business Service).
1. Navigate to one of the following locations:
    Policy and Compliance > Scoping > Profile Classes
    Risk > Scoping > Profile Classes
    Audit > Scoping > Profile Classes
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 37: Authority document
Name: Name of the profile class

Roll up to: Select dependencies to other profiles. This is useful for reporting how your lower-level operational risks impact corporate-level risks.
Is Root: Select the check box to indicate that this is the highest level class.
    Note: Only one root class is allowed and it cannot roll up to another class.
Tier: Select the tier or category for the profile class:
    Business
    Application
    IT Asset
4. Navigate to Policy and Compliance > Profile Tiers.
5. Do one of the following actions:
    To create a new tier: Click New.
    To edit a tier: Open the profile tier.
6. Fill in the fields on the form, as appropriate.
Table 38: Profile type
Name*: The name of the tier.
Label*: The label assigned to the tier.
Level*
7. Click Update.

Create profile class rules

Profile class rules allow you to assign tables to profile classes.
Role required: admin
1. Navigate to one of the following locations:
    Policy and Compliance > Administration > Profile Class Rules
    Risk > Administration > Profile Class Rules
    Audit > Administration > Profile Class Rules
2. Do one of the following actions:

    To create a new profile class rule: Click New.
    To edit a profile class rule: Open the profile class rule from the list.
3. Fill in the fields on the form, as appropriate.
Table 39: Profile Class Rule
Table: The table that contains the records you want to assign the class to.
Class: The class to assign to the table.
4. Click Submit or Update.

Create and edit a profile type

Administrators or managers in any of the GRC-related applications create profile types from which profiles are generated. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for every profile listed in the profile type.
Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager
1. Navigate to one of the following locations:
    Policy and Compliance > Scoping > Profile Types
    Risk > Scoping > Profile Types
    Audit > Scoping > Profile Types
2. Do one of the following actions:
    To create a new profile type: Click New.
    To edit a profile type: Open the profile type from the list.
3. Fill in the fields on the form, as appropriate, and click Submit.
Table 40: Profile type
Name*: The name of the profile type.
Description: An explanation of the profile type with any additional information that a user will find helpful.
Note: * indicates a mandatory field.
4. Once the profile type is created or edited, click the Profile filters tab and fill in the fields on the form, as appropriate.

Table 41: Profile filters
Profile Type: Indicates the profile type that the filters belong to.
Table*: The table that contains the records to be queried.
Filter condition: Filter conditions for the source table to generate profiles.
Owner field: The field on the table specifying the person who owns any new profiles generated from the profile type. Identify the user reference field on the source table to automatically identify risk and control owners. Use default owner to assign risks to a single user when the owner field is empty.
Empty owner: What to do when the owner field is empty:
    Create
    Do not create
    Use default
Note: * indicates a mandatory field.
5. Click Update.

Create a profile

Profiles are generated automatically from profile types in any of the GRC-related applications. Profiles can be created individually, but this is not common.
Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager
1. Navigate to one of the following locations:
    Policy and Compliance > Scoping > Profile Types
    Risk > Scoping > Profile Types
    Audit > Scoping > Profile Types
2. Open a Profile Type record from the list.
3. Add or modify any conditions, as necessary. Changing the Table changes the number of records matching the condition.

4. Assign the Owner field.
5. Click Update.
A profile is generated for every record that matches the filter condition.

Relate profiles to each other

Create relationships between profiles to understand how controls and risks affect each other and how they affect the enterprise.
Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager
1. Navigate using any of these options:
    Policy and Compliance > Scoping > All Profiles
    Risk > Scoping > All Profiles
    Audit > Scoping > All Profiles
2. Open the profile record from the list.
3. Perform one of the following actions:
    To specify that the current profile is downstream of another profile: Click the Add button in the Upstream profiles related list.
    To specify that the current profile is upstream of another profile: Click the Add button in the Downstream profiles related list.
4. Select the desired profiles to relate the current profile to and click Create Relationship.

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles related lists are limited based on the current profile's class and the tier it belongs to.
Note: If there are no eligible profiles which can be related to the current profile, then the Add button is not displayed on the Upstream profiles or Downstream profiles related lists.

Manage risks, risk statements, and risk frameworks

The risk library contains all risk frameworks and risk statements. Risk frameworks are used to group risk statements into manageable categories, while risk statements group the individual risks. The risk register is the central repository for all potential risks that could occur at any time, anywhere in the organization.

Assess risks and develop risk statements

Assessing risk means identifying and analyzing the threats and vulnerabilities that could adversely affect your organization's business objectives. Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. By identifying your risks and the impact and likelihood of those risks occurring, your organization can prioritize control testing and remediation activities. It also helps you understand the true business impact when a control fails.
A good risk statement should answer:
    What could happen?
    How could it happen?
    Why do we care?

Create a risk framework and associate risk statements to it

Risk managers create risk frameworks to group risk statements into manageable categories.
Role required: sn_risk.manager
1. Navigate to Risk > Risk Library > Frameworks.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 42: Risk Framework
Number: Read-only field that is automatically populated with a unique identification number.
Active: Check box that determines whether the risk framework is active.
Name*: The name of the risk framework.
Description: A description of the risk framework.
Additional information: Additional information for this risk framework.
4. Click Submit.

5. Select the risk framework from the list to reopen it.
6. In the Risk Statements related list, select Edit to add the risk statements to the risk framework.
7. Click Save.

Create a risk statement

Risk managers create risk statements to group risks into manageable categories.
Role required: sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Statements.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Note: When any of the following statement fields changes: Name, Description, Reference, Category, Type, Classification, and Attestation, all the associated controls and risks are updated, and their state is set back to Draft.
Table 43: Risk Statement
Name*: The name of the risk statement.
Framework: Select the framework this risk statement is associated with.
Category: Choose a category:
    Legal
    Financial
    Operational
    Reputational
    Legal/Regulatory
    Credit
    Market
    IT
Description: A description of the risk statement.
Additional information: Additional information for this risk statement.
Inherent impact: Select a number indicating how much impact the risk poses.
    5 - Very High
    4 - High
    3 - Moderate
    2 - Low
    1 - Very Low

Inherent likelihood: Select a number indicating the likelihood of the identified risk occurring.
    5 - Extremely Likely
    4 - Likely
    3 - Neutral
    2 - Unlikely
    1 - Extremely Unlikely
Residual impact: Select a number indicating how much impact the risk poses with all mitigation strategies in place.
    5 - Very High
    4 - High
    3 - Moderate
    2 - Low
    1 - Very Low
Residual likelihood: Select a number indicating the likelihood of the identified risk occurring with all mitigation strategies in place.
    5 - Extremely Likely
    4 - Likely
    3 - Neutral
    2 - Unlikely
    1 - Extremely Unlikely
Note: Accurate default scoring selections are important for normalizing risk across the organization.
4. Click Submit.

Associate a risk framework or risk statement with a profile type to generate risks

Making associations between risk frameworks or risk statements and profile types automatically generates risks.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Scoping > Profile Types.
2. Open the profile type record.
3. In the Risk Framework or Risk Statement related list, click Edit.
4. Select the risk frameworks or risk statements to associate to the profile, and click Save.
All risk frameworks (or risk statements) are associated to the profile type and a risk is created for every risk statement against every profile in the profile type.

Generate a risk from a risk framework

Making associations with risk frameworks automatically creates risks.

Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Framework.
2. Open the risk framework record.
3. In the Profile Type related list, click Edit.
4. Select the profile types to associate to the risk framework, and click Save.
All risk statements are associated to the profile type and a risk is created for every risk statement against every profile in the profile type.

Generate a risk from a risk statement

Making associations with risk statements automatically creates risks.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Library > Risk Statement.
2. Open the risk statement record.
3. In the Profile Type related list, click Edit.
4. Select the profile types to associate to the risk statement, and click Save.
One risk is generated for each profile in the profile type based on the risk statement.

Relate risks to each other

Create relationships between risks to better understand how risks affect each other and how they affect the enterprise.
Role required: sn_risk.manager or sn_risk.admin
1. Navigate to Risk > Risk Register > All Risks.
2. Open a risk.
3. Perform one of the following actions:
    To specify that the current risk is downstream of another risk: Click the Add button in the Upstream Risks related list.
    To specify that the current risk is upstream of another risk: Click the Add button in the Downstream Risks related list.
4. In the pop-up window, check all the desired risks to relate to the current risk, and click Create Relationship.

Create a risk manually

Risk administrators can create risk records when they see a potential for a gain or loss of value.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > Create New.
2. Fill in the fields on the form, as appropriate.

Table 44: Risk
Name: Enter a name for the risk. The field is auto-populated if the risk is generated from a risk statement, but can be changed without affecting the relationship between the risk and the risk statement.
Number: Read-only field that is automatically populated with a unique identification number.
State: The risk state is a read-only field. Possible choices are:
    Draft: In this state, all risk users can modify the risk. Only available when creating a one-off control. One-off controls are possible but not recommended.
    Attest: When the risk is created from a risk statement, controls are in this state.
        Note: When a risk is set back to Draft, the assessment is canceled.
    Review: Risks are automatically moved to Review from the assessment phase.
    Monitor: In this state, all risk managers can move the risk from Review to Monitor.
    Retired: Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state.
        Note: When a risk is retired, any assessment associated with it is canceled.
Owning group: Select an owning group for the risk.

Category: Choose a category of risk which applies to the profile. The field is auto-populated if the risk is generated from a risk statement.
    Legal
    Financial
    Operational
    Reputational
    Legal/Regulatory
    Credit
    Market
    IT
Owner: Select an owner for the risk.
    Note: The owner is always added as a respondent.
Statement: Select the statement this risk is associated with.
Profile*: Relate the risk to a specific profile.
    Note: Only active profiles are shown.
Description: Describe the risk and how it is a threat to the organization.
Additional Information: Include any details which will help others understand the risk record.
Note: * indicates a mandatory field.
3. Click the Assessment tab.
4. Fill in the fields on the form, as appropriate.
Table 45: Risk Scoring
Assessment: The assessment to attach to this risk.
Assessment respondents: Users assigned to the assessment of this risk.
    Note: Only a user with the sn_grc.user role can be added as a respondent.

When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.
5. Click the Scoring tab.
6. Fill in the fields on the form, as appropriate.
Table 46: Risk Scoring
Inherent SLE: Monetary value of a risk if it occurs before any mitigation strategies are in place.
Residual SLE: Monetary value of a risk if it occurs after all mitigation strategies are in place.
Inherent ARO: Probability that a risk will occur in any given year before any mitigation strategies are in place.
Residual ARO: Probability that a risk will occur in any given year after all mitigation strategies are in place.
Inherent ALE: Annualized loss expectancy (ALE = SLE x ARO) before any mitigation strategies are in place.
Residual ALE: Annualized loss expectancy (ALE = SLE x ARO) after all mitigation strategies are in place.
Inherent score: The score of the risk before any mitigation strategies are in place.
Residual score: The score of the risk after all mitigation strategies are in place.
Calculated ALE: Annualized loss expectancy based on all calculations.
Calculated score: The corresponding score for the calculated ALE.
7. Click the Response tab.
8. Fill in the fields on the form, as appropriate.
Table 47: Risk Response
Response:
    Accept
    Avoid
    Mitigate
    Transfer

Justification: Enter a reasonable justification for the selected response.
9. Click the Monitoring tab.
Note: The fields on the Risk Monitoring tab are read-only.
Table 48: Risk Monitoring
Control compliance: Percentage of compliant controls.
Control non-compliance: Percentage of non-compliant controls.
Control failure factor: Sum of failed controls' weighting divided by total controls' weighting.
Indicator failure factor: Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.
Calculated risk factor: This value is calculated as (Indicator failure factor + Control failure factor) / 10.
10. Click the Activity Journal tab.
11. Enter additional comments, as necessary.
12. Click Submit.

Follow a risk

Connect integrates with Risk Management, providing an overlay to the standard interface that allows users to participate in conversations while they work and collaborate on the risk record.
Role required: sn_risk.user
For more information about Connect, see Connect.
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Click the Follow tab and perform one of the following actions:
    To add the Connect sidebar: Click Open Connect mini.
    To add the Connect full-screen view: Click Open Connect Full.

Add an indicator to a risk

Indicators collect data to monitor controls and risks, and collect audit evidence. Indicators monitor a single control or risk. When adding indicators to a risk, templates must be associated to the risk statements.
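The following is an added example, not ServiceNow's own code, that works the Scoring (Table 46) and Monitoring (Table 48) arithmetic through on constructed sample records: ALE = SLE x ARO for the inherent and residual cases, the control compliance percentages, the control failure factor (failed weighting over total weighting), the indicator failure factor (failed last results over associated indicators) and the calculated risk factor. The record shapes and field names (inherentSLE, weighting, lastResult, and so on) are assumptions; the formulas are the ones the two tables state. It also handles the edge cases the tables leave implicit: a risk with no controls or no indicators yields a factor of 0 rather than a division by zero, and an indicator that has not produced a result yet counts toward the total but not as failed.

```javascript
// Added example (not ServiceNow code): the Table 46 / Table 48 arithmetic on
// constructed sample data. Field names are assumptions, formulas are the page's.

// ALE = SLE x ARO. SLE is the monetary loss of one occurrence; ARO is the
// expected number of occurrences per year.
function annualizedLossExpectancy(sle, aro) {
  if (!(sle >= 0) || !(aro >= 0)) {
    throw new RangeError("SLE and ARO must be non-negative numbers");
  }
  return sle * aro;
}

// Inherent ALE (before mitigation) and residual ALE (after mitigation).
function riskScoring(risk) {
  const inherentALE = annualizedLossExpectancy(risk.inherentSLE, risk.inherentARO);
  const residualALE = annualizedLossExpectancy(risk.residualSLE, risk.residualARO);
  return { inherentALE, residualALE, mitigatedLoss: inherentALE - residualALE };
}

// Control compliance / non-compliance as percentages of the associated controls.
function controlCompliance(controls) {
  if (controls.length === 0) return { compliant: 0, nonCompliant: 0 };
  const compliant = controls.filter((c) => c.compliant).length;
  return {
    compliant: (compliant / controls.length) * 100,
    nonCompliant: ((controls.length - compliant) / controls.length) * 100,
  };
}

// Control failure factor: failed controls' weighting / total weighting.
// Zero when there are no controls (or only zero-weight controls).
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weighting, 0);
  if (total === 0) return 0;
  const failed = controls
    .filter((c) => !c.compliant)
    .reduce((sum, c) => sum + c.weighting, 0);
  return failed / total;
}

// Indicator failure factor: only the last result of each indicator counts. An
// indicator with no result yet is in the denominator but is not a failure.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0;
  const failed = indicators.filter((i) => i.lastResult === "failed").length;
  return failed / indicators.length;
}

// Calculated risk factor = (indicator failure factor + control failure factor) / 10
function calculatedRiskFactor(controls, indicators) {
  return (indicatorFailureFactor(indicators) + controlFailureFactor(controls)) / 10;
}

// Everything the Scoring and Monitoring tabs would show for one risk.
function monitoringSummary(risk, controls, indicators) {
  return {
    ...riskScoring(risk),
    ...controlCompliance(controls),
    controlFailureFactor: controlFailureFactor(controls),
    indicatorFailureFactor: indicatorFailureFactor(indicators),
    calculatedRiskFactor: calculatedRiskFactor(controls, indicators),
  };
}

// Constructed sample data (not from any real instance).
const SAMPLE_RISK = {
  name: "Payroll data exposure",
  inherentSLE: 250000, inherentARO: 0.2,   // roughly one incident every 5 years
  residualSLE: 100000, residualARO: 0.05,  // roughly one incident every 20 years
};
const SAMPLE_CONTROLS = [
  { name: "MFA enforced on payroll app", compliant: true, weighting: 3 },
  { name: "Backup restore tested", compliant: false, weighting: 2 },
  { name: "Patch SLA met", compliant: false, weighting: 1 },
  { name: "Access reviews completed", compliant: true, weighting: 4 },
];
const SAMPLE_INDICATORS = [
  { name: "Open critical vulnerabilities", lastResult: "failed" },
  { name: "Privileged accounts reviewed", lastResult: "passed" },
  { name: "Stale accounts disabled", lastResult: "failed" },
  { name: "Log forwarding healthy", lastResult: null }, // has not run yet
];

console.log(monitoringSummary(SAMPLE_RISK, SAMPLE_CONTROLS, SAMPLE_INDICATORS));
```

With the sample data, the inherent ALE is 50000 and the residual ALE 5000, half the controls are compliant but the failed ones carry only 3 of 10 weighting units (control failure factor 0.3), two of four indicators last failed (indicator failure factor 0.5), and the calculated risk factor is (0.5 + 0.3) / 10 = 0.08. Weighting matters: the same two failed controls would give a factor of 0.5 if all weightings were equal, which is why the page computes the factor on weighting rather than on counts.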

Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Continue with one of the following options:
    Select an indicator from the indicator templates: In the Indicators related list, click Add. Select the indicator templates to associate to the risk. Click Save.
    Add a new indicator: In the Indicators related list, click New. Fill in the fields on the form, as appropriate. Click Submit.
All indicators are associated to the risk.

Add a control to a risk

Controls are added to risks for the ongoing review of processes.
Role required: sn_risk.admin and sn_risk.manager
1. Navigate to Risk > Risk Register > All Risks.
2. Open the risk record from the list.
3. Continue with one of the following options:
    Add an existing control: In the Controls related list, click Add. Select the controls that are associated with the risk profile. Click Add relationship.
        Note: The controls displayed after clicking the Add relationship button are limited to controls that have the same profile as the current risk. If there are no eligible controls that can be related to the risk, the Add button is not displayed on the Controls related list.
    Add a new control: In the Controls related list, click New. Fill in the fields on the form, as appropriate. Click Submit.

Assess a risk

Risks start in a Draft state then move to Assess, during which a notification is sent to the assessment respondents.
Role required: sn_grc.user
Risk assessments do not appear in the Self-Service > My assessments & surveys module, because hundreds of GRC assessment records could be generated at once. Instead, risk assessments are shown in a separate list view.
1. Navigate to Risk > Risk Register > My Assessments.
2. Open the assessment and review the details.
3. Do one of the following:
    If you are unable to answer the questions: Reassign the assessment to another user in the Assigned to field. Click Update and close the record.
        Note: Only a user with the sn_grc.user role can be re-assigned the assessment. The list of assessments refreshes when you reassign an assessment to another user.
    If you are able to answer the questions: Click Take assessment. Answer the questions and attach information, as required. Click Submit. The list of assessments refreshes when you close the Take Assessment pop-up window.

Risk assessments

Assessments are surveys that gather evidence to determine risk. Risks start in a Draft state then move to Assess, which sends a notification to the Assessment respondents. By default, GRC Assessment is used for risks and provides the following assessment questions:
    Is this control implemented?
    Attach evidence
    Explain
My Assessments is contained in the Risk Register module and contains active assessments for which you are the respondent. The assessments appear in a list with a single assessment record per risk.
All Assessments is contained in the Risk Register module and contains all active assessments. The assessments appear in a list with a single assessment record per risk.
Compliance managers can create a new set of questions for each policy statement.

Create a risk assessment using the Risk Assessment Designer

Use the Risk Assessment Designer to create and edit metric types, use different metric types for different risks, select multiple respondents for a risk assessment, and change scoring parameters.

Role required: sn_risk.attest_creator, sn_risk.manager, sn_risk.administrator
1. Navigate to Risk > Administration > Assessment Types.
2. Click Risk Assessment Designer.
The designer contains the following elements:
    Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
    Header bar: The header bar contains tabs that display different views and a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
    Design canvas: A new assessment opens in the Design view. The assessment Name field appears above the first category in the canvas. A blank question field appears in the category container.
3. Enter a name in the Name field.
4. Drag a control onto the designer canvas to create a question of that type.
Table 49: Question controls (Data type, description, Scored)
Attachment: Question with a Manage Attachments icon that allows users to attach one or more files. Scored: Y
Boolean: Question with a check box or a Yes/No list for user responses.
Choice: List of predefined options. For more information, see the definition for Choices. Scored: Y
Date: Date field. Scored: N
Date/Time: Date and time field. Scored: N
Number: Number field with predefined minimum and maximum values. The default is [values missing]. Scored: N
Percentage: Percentage field with a prescribed range. Scored: N
Scale: Predefined Likert scale. Answer options appear as radio buttons. Scored: Y

Numeric Scale: Selectable number scale. The default is 1-5. Answer options appear as radio buttons. Scored: Y
String: Single or multi-line text field. Scored: N
Template: Choice list of templates that provide a predefined scale of options. Scored: Y
Reference: Choice list of fields from a specified reference table. This data type does not support reference qualifiers.
Image Scale
Multiple Selection
Ranking
Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the risk.
5. Click one of the following tabs to change the view in the canvas:
    Design: Add categories and questions, and configure the properties of each. This is the default view of the canvas when you open the designer.
    Configuration: Create introductions and end notes for attestations, and select a signature.
    Availability: Select the recipients for each category in the attestation.
6. Point to the menu icon in the upper right of the designer to select one of the following options:
    Note: The availability of each option depends on the status of the assessment that is opened in the designer.
    Save: Save the current assessment.
    Preview: Display a preview to the selected recipients.
    Publish: Distributes the assessment to the selected recipients.
    Save and Publish: Saves and distributes the assessment in one step.
    New Attestation: Opens a fresh canvas for a new assessment.
    Load Attestation: Opens a list of existing assessments that you can select and edit.

Unlike other types of assessments, risk assessments do not appear in the Self-Service > My assessments & surveys module, because hundreds of control attestations could be generated at once. Instead, risk assessments are shown as a list in the Risk > Risk Register > My Assessments and Risk > Risk Register > All Assessments modules.

Risk assessment designer

The risk assessment designer provides a single interface that users can use to create, edit, and distribute assessments, as well as change scoring parameters. All assessment records are stored in assessment tables and displayed in assessment views of those tables. The designer contains the following elements:
Table 50: Elements of the Assessment Designer
Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
Header bar: The header bar contains tabs that display different views and a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
Design canvas: New assessments open in the Design view. The assessment Name field appears above the first category in the canvas. A blank question field appears in the category container.

Create an assessment type

The risk manager can create a new set of questions for each risk assessment.
Role required: sn_risk.asmt_creator or sn_risk.manager or sn_risk.administrator
1. Navigate to Risk > Administration > Assessment Types.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Table 51: Assessment Metric Type
Name: The name of the assessment type.
Assessment duration: Amount of time assessors have to complete their assigned questionnaires, starting from the time the assessment is generated.

Table [Required]: Table that contains the records you want to evaluate. The system creates assessable records for records on this table that meet the conditions you specify, if any. The number of matching records appears as a link by the Condition field. The link dynamically updates if you change the table selection. Click the link to open the list of matching records in a new tab or window.
    Note: Additional roles are required to view the records on certain tables. If you select a table that you do not have access to, a warning message appears by the Condition field where the number of matching records would be. You cannot generate assessable records for tables you do not have sufficient roles for.
Scale factor [Required]: Number to represent the best possible score for assessment results. All results for assessments of this type are scaled to this number. 10 is generally a good scale factor.
    Note: This field becomes read-only when it contains a value and you save the metric type. Choose a scale factor you are satisfied with before you save the metric type.
Condition: Condition builder that defines specific records to assess from the selected table. If you do not specify any conditions, the system creates assessable records for all records on the selected table. Click the refresh icon to update the adjacent record count.
    Note: If you change the table or conditions, you must click Generate Assessable Records to create new assessable records.
Description: Helpful information about this type. Enter a clear description of the type and its purpose.
State [Read-Only]: Status of the assessment: Draft or Published.

Enforce condition: Check box that determines what happens to assessable records when you change the selected table or conditions.
Roles: Additional user roles that can view the results and access records associated with this type. Users with the specified roles have read access to this type record as well as to associated categories, metrics, assessable records and scorecards, category users, stakeholders, and decision matrices.
    Note: Users with these roles do not have access to Assessments modules unless they are also assessment administrators. Users with these roles can navigate to the records by other means, such as from reference fields on assessment instances. This field provides the option to easily grant certain users access to specific assessment data in special cases. For example, the Vendor metric type provides access to users with the vendor_manager role so they can view results and compare assessable records when they open scorecards or decision matrices in the Vendor Performance application.
4. Click Submit.

Manage policy exceptions

Policy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception workflow.

[Figure: Policy exception workflow]

[Figure: Approved policy exception]

Assess the risk for the policy exception

After the review of a policy exception request and before deciding to approve or reject a request, the compliance manager may choose to request a risk assessment by the risk manager.
Role required: compliance manager
1. Navigate to Policy and Compliance > My Policy Exceptions.
2. Select the policy exception.
3. Review the form details, as necessary.
4. Click the Business Impact Analysis tab and update the following fields:
Table 52: Policy exception request Business Impact Analysis tab
Risk description: Enter a description of the risk.
Residual likelihood: If it is not None, select the likelihood of this risk occurring:
    5 - Extremely Likely
    4 - Likely
    3 - Neutral
    2 - Unlikely
    1 - Extremely Unlikely
Residual impact: If it is not None, select the residual impact of this risk:
    5 - Very High
    4 - High
    3 - Moderate
    2 - Low
    1 - Very Low
Residual score: This value is calculated after you select a residual likelihood and residual impact rating:
    5 - Very High
    4 - High
    3 - Moderate
    2 - Low
    1 - Very Low
5. Perform one of the following actions:

To view or add impacted controls to the policy exception: Click the Impacted Controls tab. Click Add or Add All. Choose the controls to associate to the policy exception.
To view mitigating controls on the policy exception: Click the Mitigating Controls tab.
To view or add risks to the policy exception: Click the Risks tab. Note: This option is available when Governance, Risk, and Compliance is also activated.
To view or add approvers to the policy exception: Click the Approvers tab.
To view or add task service level agreements to the policy exception: Click the Task SLAs tab.

6. Click Update.

Manage profile and risk dependencies using the GRC Workbench

The GRC Workbench uses CMDB information to show the upstream and downstream relationships across all applications. These relationships enable consistent risk mapping and modeling across the enterprise. The GRC Workbench does not work with Legacy GRC.

The GRC Manager [sn_grc.manager] uses the GRC Workbench to:
- Create profile classes.
- Define the upstream/downstream relationships between profile classes. These relationships make up the dependency model, and they help ensure that risks are defined and evaluated consistently across the enterprise.
- Create profile types, create profiles, and classify profiles.
- Create relationships between profiles, which make up the dependency map.

Note: The GRC Manager cannot view the GRC Workbench from Risk > GRC Workbench. The GRC Manager [sn_grc.manager] enters /$grc_workbench.do after their instance name in the URL to access the GRC Workbench.

The Risk Manager [sn_risk.manager] uses the GRC Workbench to:
- Perform all the same tasks as the GRC Manager.
- Create risk frameworks, risk statements, and risks.
- Define risk relationships.

Model Setup tab

The Model Setup tab contains links to perform the following tasks.
Dependency Model: Create profile classes and develop the organizational relationship model.
Profile Types: Create and edit profile types.
Dependency Map: Create and visualize profile relationships.

Risk Dependencies tab

The Risk Dependencies tab contains links to perform the following tasks.
Risk Frameworks: Create and edit risk frameworks.
Risk Statements: Create and edit risk statements.
Relationships: Create and visualize risk relationships.

Activate GRC Workbench

The GRC: Workbench plugin is not activated by default; it is available as a separate subscription within the GRC Suite.

Role required: admin

To create profile classes, profile dependencies, and risk dependencies using the GRC Workbench, activate the GRC: Risk Management plugin [com.sn_risk] and the GRC: Profiles plugin [com.sn_grc]. This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
   If the plugin depends on other plugins, these plugins are listed along with their activation status.
   If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
4. If available, select the Load demo data check box.
   Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.
   You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
5. Click Activate.

Create profile class using the GRC workbench

GRC managers create profile classes representing the types of things that will be part of the dependency model. Reports can be filtered to define relationships between the different profile classes.

A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services) in that a profile can belong to many profile types but can have only one profile class (for example, Business Service).

Role required: sn_grc.manager

1. Navigate to the GRC Workbench.
2. On the left, in the Profile classes section, click Add Class.
3. Enter a profile class name and click the plus (+) icon.
The newly created profile class is added to the list on the left.

Next: Create relationships between profile classes using the GRC workbench on page 135.

Create relationships between profile classes using the GRC workbench

Managers create relationships between profile classes using the GRC workbench to build out the dependency map and better understand how profiles relate to one another.

Role required: sn_grc.manager

Before creating relationships between profile classes, complete Create profile class using the GRC workbench on page 135.

Profile classes can roll up to each other, leading to the development of the dependency model.

Figure 4: Profile classes dependency model

1. Navigate to the GRC Workbench.
2. Select the Model Setup tab at the top, and select the Dependency Model tab below.
3. If needed, create profile classes.
4. Do one of the following actions:

If there are no relationships between profile classes: Drag a profile class from the left to the center and drop it.
If there are relationships between profile classes: Drag additional profile classes from the list on the left and drop them on the top or bottom of any profile class in the tree.
Note: Dragging to the top of a profile class makes the target profile class roll up to the class that is dropped. Dragging to the bottom of a profile class makes the class that is being dropped roll up to the target class.
Note: As long as you remain on the GRC workbench, you can click Undo after creating a relationship between profile classes to roll back the change. Leaving the GRC Workbench causes the undo history to be lost.

After modeling out profiles, define the risks in your organization:
- Generate a risk from a risk framework on page 117
- Generate a risk from a risk statement on page 118
- Associate a risk framework or risk statement with a profile type to generate risks on page 117

After generating risks, Relate risks to each other on page 118.

Visualize and edit profile dependencies using the GRC Workbench

The GRC Workbench gives GRC administrators a graphical interface to create profile dependencies. These relationships enable consistent profile and risk mapping and modeling across the enterprise.

Role required: sn_grc.manager

1. Navigate to the GRC Workbench.
2. Select the Model Setup tab at the top, then select the Dependency Map tab below it.
3. Search for and select a profile from the list on the left. Profiles are organized hierarchically by profile class, then by profile type.
   After selecting a profile from the left, the profile is displayed in the center with its direct upstream and downstream dependencies. On the right, eligible profiles that can be added as upstream or downstream dependencies are listed.
4. Perform one of the following actions:
   To add an upstream profile dependency: Drag an eligible upstream profile from the list of eligible profiles on the right and drop it on the top half of the profile in the center of the page.
   To add a downstream profile dependency: Drag an eligible downstream profile from the list of eligible profiles on the right and drop it on the bottom half of the profile in the center of the page.
   The profiles are removed from the right menu when moved to the center of the page.

Delete profile dependencies using the GRC Workbench

When deleting profile dependencies, only the relationship between the profiles is deleted. The profiles themselves remain unmodified.

Role required: admin

1. Navigate to the GRC Workbench.
2. Select the Model Setup tab at the top, then select the Dependency Map tab below it.
3. Search for and select the desired profile from the list on the left.
   After selecting a profile from the left, the profile is displayed in the center with its direct upstream and downstream dependencies.
4. In the center tree, point to the upstream or downstream profile that should be disassociated from the selected center profile. As you point to it, a delete icon appears; click the delete icon.
5. Click Delete in the confirmation dialog to confirm the deletion of the relationship.
Note: Only the relationship between the profiles is deleted. The profiles themselves remain unmodified.

Delete a profile class using the GRC workbench

Deleting a profile class deletes all of the relationships below it.

Role required: admin

1. Navigate to the GRC Workbench.
2. Select the Model Setup tab at the top, and select the Dependency Model tab below.
3. Select the desired profile class from the list on the left.
   After selecting a profile class from the left, it is displayed in the center with its direct upstream and downstream dependencies.
4. Click the delete icon to the right of the profile class name.
5. In the deletion confirmation popup, click Delete.
Deleting the profile class deletes all of the relationships below it.

Create a risk using the GRC Workbench

Risk managers can create risks directly from the GRC workbench.

Role required: sn_risk.admin or sn_risk.manager

1. Navigate to the GRC Workbench.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. On the left, in the Risks section, click Create Risk.
4. Fill in the fields on the form, as appropriate.

Table 53: Risk
Name: Enter a name for the risk. The field is auto-populated if the risk is generated from a risk statement, but it can be changed without affecting the relationship between the risk and the risk statement.

Number: Read-only field that is automatically populated with a unique identification number.
State: The risk state is a read-only field. Possible choices are:
  Draft: In this state, all risk users can modify the risk. Only available when creating a one-off risk. One-off risks are possible but not recommended.
  Attest: When the risk is created from a risk statement, it starts in this state. Note: When a risk is set back to Draft, the assessment is canceled.
  Review: Risks are automatically moved to Review from the assessment phase.
  Monitor: In this state, all risk managers can move the risk from Review to Monitor.
  Retired: Risk managers or administrators can move a risk from Monitor to Retired. Indicators do not run when the risk is in this state. Note: When a risk is retired, any assessment associated with it is canceled.
Owning group: Select an owning group for the risk.
Category: Choose a category of risk which applies to the profile: Legal, Financial, Operational, Reputational, Legal/Regulatory, Credit, Market, IT. The field is auto-populated if the risk is generated from a risk statement.
Owner: Select an owner for the risk. Note: The owner is always added as a respondent.

Statement: Select the statement this risk is associated with.
Profile*: Relate the risk to a specific profile. Note: Only active profiles are shown.
Describe the risk and how it is a threat to the organization.
Additional Information: Include any details which will help others understand the risk record.
Note: * indicates a mandatory field.

5. Click the Assessment tab.
6. Fill in the fields on the form, as appropriate.

Table 54: Risk Scoring
Assessment: The assessment to attach to this risk.
Assessment respondents: Users assigned to the assessment of this risk. Note: Only a user with the sn_grc.user role can be added as a respondent. When both the Assessment and Assessment respondents fields are set, assessments are created when you click Assess.

7. Click the Scoring tab.
8. Fill in the fields on the form, as appropriate.

Table 55: Risk Scoring
Inherent SLE: Monetary value of a risk if it occurs before any mitigation strategies are in place.
Residual SLE: Monetary value of a risk if it occurs after all mitigation strategies are in place.
Inherent ARO: Probability that a risk will occur in any given year before any mitigation strategies are in place.

Residual ARO: Probability that a risk will occur in any given year after all mitigation strategies are in place.
Inherent ALE: Annualized loss expectancy (ALE = SLE x ARO) before any mitigation strategies are in place.
Residual ALE: Annualized loss expectancy (ALE = SLE x ARO) after all mitigation strategies are in place.
Inherent score: The score of the risk before any mitigation strategies are in place.
Residual score: The score of the risk after all mitigation strategies are in place.
Calculated ALE: Annualized loss expectancy based on all calculations.
Calculated score: The corresponding score for the calculated ALE.

9. Click the Response tab.
10. Fill in the fields on the form, as appropriate.

Table 56: Risk Response
Response: Accept, Avoid, Mitigate, or Transfer.
Justification: Enter a reasonable justification for the selected response.

11. Click the Monitoring tab.
Note: The fields on the Risk Monitoring tab are read-only.

Table 57: Risk Monitoring
Control compliance: Percentage of compliant controls.
Control non-compliance: Percentage of non-compliant controls.
Control failure factor: Sum of failed controls weighting divided by total controls weighting.

Indicator failure factor: Uses the last result of each associated indicator. Number of last results failed divided by total number of indicators associated.
Calculated risk factor: This value is calculated from (Indicator failure factor + Control failure factor) / …

12. Click the Activity Journal tab.
13. Enter additional comments, as necessary.
14. Click Submit.
The risk is created and centered in the middle of the page. Additionally, the risk is selected on the right.

Visualize and edit risk dependencies using the GRC Workbench

The GRC Workbench gives GRC administrators a graphical interface to create risk dependencies. These relationships enable consistent profile and risk mapping and modeling across the enterprise.

Role required: sn_risk.manager

1. Navigate to the GRC Workbench.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. Search for and select a risk from the list on the left. Risks are organized hierarchically by profile class, then by profile.
   After selecting a risk from the left, the risk is displayed in the center with its direct upstream and downstream dependencies. On the right, eligible risks that can be added as upstream or downstream dependencies are listed.
4. Perform one of the following actions:
   To add an upstream risk dependency: Drag an eligible upstream risk from the list of eligible risks on the right and drop it on the top half of the risk in the center of the page.
   To add a downstream risk dependency: Drag an eligible downstream risk from the list of eligible risks on the right and drop it on the bottom half of the risk in the center of the page.

Delete risk dependencies using the GRC Workbench

When deleting risk dependencies, only the relationship between the risks is deleted. The risks themselves remain unmodified.

Role required: sn_risk.manager

1. Navigate to the GRC Workbench.
2. Select the Risk Dependencies tab at the top, then select the Relationships tab below it.
3. Search for and select a risk from the list on the left. Risks are organized hierarchically by profile class, then by profile.
4. In the center tree, point to the upstream or downstream risk that should be disassociated from the selected center risk. As you point to the risk, a delete icon appears; click the delete icon.

5. Click Delete in the confirmation dialog to confirm the deletion of the relationship.
Note: Only the relationship between the risks is deleted. The risks themselves remain unmodified.

Manage risk indicators

Continuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.

Indicators: Indicators collect data to monitor controls and risks, and collect audit evidence. An indicator monitors a single control or risk.
Indicator templates: Indicator templates allow the creation of multiple indicators for similar controls or risks.

View the Risk Overview

The Risk Overview is contained in the Risk Management application and provides an executive view, allowing risk managers to quickly identify areas of concern by pinpointing profiles with known high risk. The Risk Overview contains the following reports in the base system.

Table 58: Risk Overview (Name, Visual, Description)
Profile: Drop down list. Select one or many profiles to view and compare their risks.
GRC - Risk States: Check boxes. Select one or many risk states to view and compare.
Very High Risk: Single Score. Displays the number of very high risks.
High Risk: Single Score. Displays the number of high risks.
Inherent Risk
Residual Risk
Inherent Annual Loss Exposures
Residual Annual Loss Exposures
Risk Issues by Framework (Opened Date)
Risks by Response
Risk Expectations
Risks by Category

Moderate Risk: Single Score. Displays the number of moderate risks.
Low Risk: Single Score. Displays the number of low risks.
Very Low Risk: Single Score. Displays the number of very low risks.
Inherent Risk Heatmap
Residual Risk Heatmap

Create a risk indicator

Indicator data for controls, risks, and audit evidence are measured differently depending on the GRC-related application.

Role required: risk_admin or risk_manager

1. Navigate to Risk > Indicators > Indicators.
2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 59: Indicator
Number: Read-only field that is automatically populated with a unique identification number.
Active: Check box that determines whether the indicator is active.
Name: Name of the indicator.
Item: The related control or risk.
Template: The related indicator template.
Applies to: The profile related to the Item.
Owner: The indicator owner.
Owning group: The group that owns the indicator.
Override Template: Click to override the indicator template associated to this indicator.
Last result passed: Read-only field indicating whether the last result passed.
Schedule
  Collection frequency: Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.

  Next run time: Read-only field that is automatically populated with the next collection time for indicator results.
Method
  Type: Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, Script.
  Short description: If Type is Manual, this field is present. Brief description of the issue.
  Instructions: If Type is Manual, this field is present. Instructions for the collection of indicator results.
  Value Mandatory: If Type is Manual, this field is present.
  Passed/Failed: If Type is Basic, this field is present. Indicator passes or fails.
  PA Threshold: If Type is PA Indicator, this field is present. The associated PA Threshold.
  Script: If Type is Script, this field is present. Script that obtains the desired system information.
Supporting Data
  Table: Use supporting data to gather supporting evidence from other applications.
  Supporting data fields: Supporting data fields based on the selected table.

4. Click Submit.

Create a GRC indicator template

Compliance or risk managers create indicator templates from which many indicators can be created.

Role required: compliance_admin or compliance_manager; risk_admin or risk_manager; audit_admin or audit_manager

1. Navigate to one of the following locations:
   - Policy and Compliance > Indicators > Indicator Templates
   - Risk > Indicators > Indicator Templates
   - Audit > Indicators > Indicator Templates

2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 60: Indicator template
Name: Name of the indicator.
Active: Check box that determines whether the indicator template is active.
Content: The related policy or risk statement.
Schedule
  Collection frequency: Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
  Next run time: Read-only field that is automatically populated with the next collection time for indicator results.
Method
  Type: Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, PA Indicator, Script.
  Short description: If Type is Manual, this field is present. Brief description of the issue.
  Instructions: If Type is Manual, this field is present. Instructions for the collection of indicator results.
  Value Mandatory: If Type is Manual, this field is present.
  Passed/Failed: If Type is Basic, this field is present. Indicator passes or fails.
  PA Threshold: If Type is PA Indicator, this field is present. The associated PA Threshold.
  Script: If Type is Script, this field is present. Script that obtains the desired system information.
Supporting Data
  Collect Supporting Data: Check to gather supporting evidence from other applications.
  Table: The supporting data table.

  Supporting Data Fields: The fields from the supporting data table to be considered.
  Criteria: Select filter conditions.
  Use reference field: Select to use the reference field.
  Reference field: Creates a join between the supporting data table and the profile's applies-to table. For example, if the profile table is cmdb_ci_computer and the supporting data table is incident, you could have a supporting data query named "incident with critical priority". In this example, each indicator execution returns all critical incidents. If you are interested in finding only the critical incidents linked to the profile "CEO's laptop", you already have an indicator on a control related to this profile. In this example:
    - Select the reference field Configuration item from the incident table.
    - The supporting data query becomes: all critical incidents where the configuration item = CEO's laptop.
    - The indicator is specific to the profile of the control it is attached to.
  Note: This reference field is useful only when the supporting data table has a reference to the profile's table.
  Sample size: Limits the number of records retrieved from the supporting data table. For example, a basic indicator could query a large table, returning thousands of records with each indicator execution. You do not need to save all of them, just a sample of those records. If you enter a sample size of 100, then only 100 records are saved, even though the query returned thousands.

4. Click Submit.
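As an added example (not ServiceNow's or the GRC suite's own code), the stand-alone JavaScript below models the arithmetic that the risk form's Scoring and Monitoring tabs describe (ALE = SLE x ARO, the control failure factor, the indicator failure factor), the Sample size rule on the indicator template above, and the PA threshold breach-counter rule described in the following section (a nonzero breach counter raises one issue unless an open issue already exists). All records are constructed, and every function and field name is this example's own assumption.

```javascript
// Added example: a stand-alone model of GRC risk scoring and monitoring
// arithmetic. Not ServiceNow code; names and data are constructed.

// Constructed sample risk with Scoring tab values: SLE in currency units,
// ARO as expected occurrences per year.
const SAMPLE_RISK = {
  name: "Laptop data loss",
  inherentSLE: 250000, inherentARO: 0.4,
  residualSLE: 100000, residualARO: 0.1,
};

// Constructed controls related to the risk. "weight" is the control weighting
// used by the control failure factor; "compliant" is the attestation outcome.
const SAMPLE_CONTROLS = [
  { name: "Full-disk encryption", weight: 3, compliant: true },
  { name: "Patch within 30 days", weight: 2, compliant: false },
  { name: "MDM enrolment",        weight: 1, compliant: true },
];

// Constructed indicators; only the last result of each one counts.
const SAMPLE_INDICATORS = [
  { name: "Encryption enabled",     lastResultPassed: true },
  { name: "Critical incidents = 0", lastResultPassed: false },
  { name: "MDM check-in < 7 days",  lastResultPassed: true },
];

// Scoring tab: ALE = SLE x ARO.
function annualizedLossExpectancy(sle, aro) {
  return sle * aro;
}

// Inherent ALE (before mitigation) and residual ALE (after mitigation).
function riskAle(risk) {
  return {
    inherentALE: annualizedLossExpectancy(risk.inherentSLE, risk.inherentARO),
    residualALE: annualizedLossExpectancy(risk.residualSLE, risk.residualARO),
  };
}

// Monitoring tab: compliance and non-compliance are percentages of controls;
// the control failure factor is failed weighting / total weighting.
function controlMonitoring(controls) {
  if (controls.length === 0) {
    return { compliancePct: 0, nonCompliancePct: 0, controlFailureFactor: 0 };
  }
  const compliant = controls.filter((c) => c.compliant).length;
  const totalWeight = controls.reduce((s, c) => s + c.weight, 0);
  const failedWeight = controls
    .filter((c) => !c.compliant)
    .reduce((s, c) => s + c.weight, 0);
  return {
    compliancePct: (100 * compliant) / controls.length,
    nonCompliancePct: (100 * (controls.length - compliant)) / controls.length,
    controlFailureFactor: totalWeight === 0 ? 0 : failedWeight / totalWeight,
  };
}

// Monitoring tab: number of last results failed / number of indicators.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0; // no indicators, nothing has failed
  const failed = indicators.filter((i) => i.lastResultPassed === false).length;
  return failed / indicators.length;
}

// Indicator template Sample size: keep only the first N supporting records,
// however many the supporting data query returned.
function sampleSupportingData(records, sampleSize) {
  return records.slice(0, Math.max(0, sampleSize));
}

// PA breach rule: if any PA indicator relationship on the risk or control has
// a nonzero breach counter and no open issue exists for that item, create one
// issue. Also returns the count of breached relationships, which the text
// describes as the PA-based indicator failure factor for risks.
function evaluatePaBreaches(item, relationships, openIssues) {
  const breached = relationships.filter((r) => r.breachCounter !== 0);
  const hasOpenIssue = openIssues.some(
    (i) => i.item === item && i.state !== "Closed",
  );
  const newIssues = [];
  if (breached.length > 0 && !hasOpenIssue) {
    newIssues.push({
      item,
      state: "New",
      shortDescription: `PA threshold breached on ${item}`,
    });
  }
  return { breachedCount: breached.length, newIssues };
}
```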

Monitor risks using GRC Performance Analytics Indicators

You can link Risk Management risk statements and risks to Performance Analytics indicators, breakdowns, and thresholds. Associating Performance Analytics indicators with risk statements and risks lets you view scorecards and trends and analyze current conditions.

The risks and controls associated with a PA indicator, or with a PA indicator/breakdown/element, automatically monitor any PA threshold that has the same PA indicator or the same PA indicator, breakdown, and element relationship. Any PA threshold breach is reported at the risk or control and Performance Analytics indicator relationship level within a breach counter. See Performance Analytics.

PA threshold breach impact

When the breach counter of a risk or control and Performance Analytics indicator relationship is nonzero (that is, a PA threshold with the same PA indicator or PA indicator, breakdown, or element relationship has breached), and no open issue already exists, an issue is created and associated to the risk or control. Additionally, for risks, the Indicator failure factor represents the number of risk and Performance Analytics indicator relationships with a nonzero breach counter.

Reset all PA Indicator breach counters

Reset the breach counters associated to a risk or control by clicking Reset all PA Indicator breach counters, or by opening the specific relationship and clicking Reset Breach Counter.

GRC PA indicator breach reports

There are two reports for the reporting of breaches:
- Risk PA Indicator Breaches
- Control PA Indicator Breaches

Activate GRC: Performance Analytics Integration

The GRC: Performance Analytics Integration plugin provides an integration between Performance Analytics and the Risk Management and Policy and Compliance Management applications, providing more insight into organizational risk and compliance performance.

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
   If the plugin depends on other plugins, these plugins are listed along with their activation status.
   If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
4. If available, select the Load demo data check box.
   Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

   You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
5. Click Activate.

After activating the GRC: Performance Analytics Integration plugin on an instance with customized related lists on content (risk or policy statement) or items (risk or control), you may have to manually add the PA Indicator to content relationships and/or the PA indicator to item relationships.

Associate a PA indicator with a risk statement or policy statement

You can associate Performance Analytics indicators with risk statements and policy statements to analyze trends related to the risk or policy.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   - Policy and Compliance > Policies and Procedures > Policy Statements
   - Risk > Risk Library > Risk Statements
2. Open a risk statement or policy statement.
3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 61: PA Indicators
PA Indicator*: The Performance Analytics indicator to associate the risk statement or policy statement with.

5. Click Submit.
On the risk statement or policy statement form, in the PA Indicators related list, you see the associated indicator. You can optionally click View Indicator on the desired indicator to see the indicator's Performance Analytics scorecard.

The PA Indicator associations are carried over to all risks or controls associated to the original risk statement or policy statement. Additionally, if the indicator has a breakdown that matches the risk or control's profile (for example, a Business Service breakdown), the Breakdown and Element fields for the relationship are automatically filled in.

Associate a PA indicator with risks and controls

You can associate Performance Analytics indicators with risks and controls to analyze trends related to the profile that the risk or control belongs to.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   - Policy and Compliance > Controls > All Controls
   - Risk > Risk Register > All Risks
2. Open a risk or control.
3. In the PA Indicators related list, click New.
4. Fill in the fields on the form, as appropriate.

Table 62: PA Indicators
PA Indicator*: The Performance Analytics indicator to associate the risk or control with.
Breakdown: Select a breakdown to view a specific trend based on the breakdown element.
Element: Select the breakdown element to view a particular trend and scorecard. Note: This field appears only when the Breakdown field is populated. When visible, it is mandatory.

5. Click Submit.
On the Risk or Control form, in the PA Indicators related list, you see the associated indicator. You can optionally click View Indicator on the desired indicator to see the indicator's Performance Analytics scorecard.

Update associated GRC indicators for a set of items

You can update all of the items belonging to a GRC content record so that each item is individually related to the PA indicator.

Role required: sn_risk.manager or sn_compliance.manager

1. Navigate to one of the following locations:
   - Policy and Compliance > Policies and Procedures > Policy Statements
   - Risk > Risk Library > Risk Statements
2. Open a Risk Statement or Policy Statement that has an associated Performance Analytics indicator.
3. Click the Update PA Relationships related link.
All of the risks or controls related to the risk statement or policy statement are automatically associated with all of the risk statement or policy statement's indicators. Additionally, if the indicator has a breakdown that matches the risk or control's profile (for example, a Business Service breakdown), the Breakdown and Element fields for the relationship are automatically filled in.

Manage risk issues and remediation

Issues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness.

Various types of issues are created under the following conditions:
Issue: Created when an indicator fails.
Control issue: Created when a control attestation is completed indicating that the control is Not implemented.
Control test issue: Created when a control test is closed complete with the control effectiveness set to Ineffective.
Other issue: Created by the user manually.

Remediating an issue marks an intention to fix the underlying problem causing the control failure or risk exposure. Accepting an issue marks an intention to create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Create a GRC issue manually

Manually create issues to document audit observations, the intention of remediations, or to accept any problems.

Role required (per product):
- In GRC: compliance_admin, compliance_manager, or sn_compliance.user
- In Risk Management: risk_admin, risk_manager, or sn_risk.user
- In Audit Management: audit_admin, audit_manager, or sn_audit.user

1. Navigate to one of the following locations:
   - Policy and Compliance > Issues > Create New
   - Risk > Issues > Create New
   - Audit > Issues > Create New
2. Fill in the fields on the form, as appropriate.

Table 63: Issue
Number: Read-only field that is automatically populated with a unique identification number.
Assignment group: The group to which this issue has been assigned. Each member receives a notification when activity has occurred on this issue.
Assigned to: The member of the group assigned to resolve the issue.
Configuration item: The item associated with this issue.

State: New, Analyze, Respond, Review, Closed.
Priority: Priority for this issue: 1 - Critical, 2 - High, 3 - Moderate, 4 - Low, 5 - Planning.
Issue group rule: The group rule assigned to this issue.
Parent Issue: The parent issue this issue belongs to.
Location: The location where the issue occurred.
Short description: Brief description of the issue.
Details
  Profile: The related profile.
  Item: The related control or risk.
  Content: The content of the issue.
  A more detailed explanation of the issue.
  Recommendation: The recommended action to resolve this issue.
Dates
  Planned start date: Date and time that work on the issue is expected to begin.
  Planned end date: Date and time that work on the issue is expected to end.
  Planned duration: Estimated amount of work time. Calculated using the Planned start date and Planned end date.
  Actual start date: Time when work began on this issue.
  Actual end date: Time when work on this issue was completed.
  Actual duration: Amount of work time. Calculated using the Actual start date and Actual end date.
Activity

    Work notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
    Additional comments (Customer visible): Public information about the issue.

  Engagement
    Engagement: The related engagement.

3. Click Submit.

Out-of-the-box GRC: Risk Management Performance Analytics Solution

Performance Analytics Solutions contain preconfigured best-practice dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.

Note: To evaluate the functionality, you can activate Performance Analytics solutions and inform analytics on instances that have not licensed Performance Analytics. However, you have the following limitations:
  You cannot create new indicators.
  You cannot collect data older than 180 days.
For full functionality, license Performance Analytics. For more information, see Get licensed Performance Analytics.

Performance Analytics Solutions

Use the Performance Analytics widgets on the dashboard to visualize data over time, analyze your business processes, and identify areas of improvement. With solutions, you can get value from Performance Analytics for your application with minimal setup.

Note: Solutions include some dashboards that are inactive by default. You can activate these dashboards to make them visible to end users according to your business needs.

To enable the solution plugin for Risk Management, an admin can navigate to System Definition > Plugins and activate the Performance Analytics - Content Pack - GRC:Risk Management plugin.

GRC Risk Overview dashboard

The Risk Overview dashboard provides an executive view into the status and workflows of inherent and residual enterprise and IT risks. The user can drill down into risks by framework, response, and exception. There are two versions of this dashboard. The Premium version uses interactive filters and requires the licensed version of Performance Analytics. The Risk Overview dashboard has two views, one with inherent risk reports and one with residual risk reports. The Premium version of the dashboard, which uses interactive filters, is shown. The other version of the dashboard has a third tab with static filtered reports instead of the interactive

End users

  Audit Manager: Needs clear visibility into the overall state and volume of vulnerabilities within the organization. Required role: sn_risk.manager
  Audit Administrator: Needs to pinpoint areas of concern quickly. Required role: sn_risk.admin
  Audit Analyst: Needs to quickly prioritize which risks and tasks to focus on based upon criticality to the organization. Required role: sn_risk.user

Reports

The Risk Overview dashboard contains the following reports (name, type, description):

  High Inherent Risk (Single Score): Number of risks with High Inherent Risk status.
  High Residual Risk (Single Score): Number of risks with High Residual Risk status.
  Inherent Annual Loss Exposures (Box): Calculation of the inherent Annualized Loss Expectancy (ALE).
  Inherent Risk (Bubble): Calculation of the inherent risk score from the likelihood and significance of a risk.
  Inherent Risk Heatmap (Heatmap): Inherent risk heatmap providing the total number of risks by very high, high, moderate, low, and very low risk.
  Low Inherent Risk (Single Score): Displays the number (count) of low inherent risks.
  Low Residual Risk (Single Score): Displays the number (count) of low residual risks.
  Moderate Inherent Risk (Single Score): Displays the number (count) of moderate inherent risks.
  Moderate Residual Risk (Single Score): Displays the number (count) of moderate residual risks.
  Residual Annual Loss Exposures (Box): Calculation of the residual Annualized Loss Expectancy (ALE).
  Residual Risk (Bubble): Calculation of the residual risk score from the likelihood and significance of a risk.

  Residual Risk Heatmap (Heatmap): Total number of residual risks by very high, high, moderate, low, and very low risk.
  Risk by Profile (Bar): Number of total active risks broken down by profile.
  Risk Exceptions (List): Listing of all risk exceptions.
  Risk Issues by Framework (Opened Date) (Line): Total number of open risks over time broken down by framework.
  Risks by Category (Horizontal bar): Total number of open risks broken down by category.
  Risks by Response (Horizontal bar): Total number of open risks broken down by response.
  Very High Inherent Risk (Single Score): Displays the number (count) of very high inherent risks.
  Very High Residual Risk (Single Score): Displays the number (count) of very high residual risks.
  Very Low Inherent Risk (Single Score): Displays the number (count) of very low inherent risks.
  Very Low Residual Risk (Single Score): Displays the number (count) of very low residual risks.

Audit Management

The Audit Management application involves a set of activities related to planning audit engagements, executing engagements, and reporting findings to the audit committee and executive board. Engagement reporting assures key stakeholders that the organization's risk and compliance management strategy is effective.

The GRC: Audit Management product enables users to schedule internal audits, conduct resource planning, scope engagements, conduct audit activities, review continuous monitoring results, and report findings.

Set up
  Activate Audit Management (page 157)
  Components installed with Audit Management
Use
  Establish profile types, profile classes, and profiles (page 161)
  Use the Audit Engagement Workbench to visually manage engagements (page 180)
  Engagement Overview (page 182)
Develop
  Developer training
  Developer documentation

  Manage test templates and test plans (page 166)
Troubleshoot and get help
  Ask or answer questions in the GRC community
  Search the HI Knowledge Base for known error articles
  Contact Support

Understanding Audit Management

The Audit Management application automates the work streams of internal audit teams, optimizing resources and productivity, and eliminating recurring audit findings.

Audit Management uses compliance and risk data to scope, plan, and prioritize audit engagements. The ongoing review of policies and procedures, risks, and control breakdowns provides an opportunity to fix issues before they become audit failures.

Who uses Audit Management?
  Auditors (an independent body, typically reporting to the board of directors)

Key activities for Audit Management

Auditors are responsible for the following:
  Review policies and procedures
  Review risks
  Review control design
  Review control test design
  Review control test results
  Test controls
  Issue observations

Audit Management and the platform

Activate Audit Management

The GRC: Audit Management (com.sn_audit) plugin is available as a separate subscription.

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.

4. If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
5. If available, select the Load demo data check box. Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
6. Click Activate.

Components installed with Audit Management

Activating the GRC: Audit Management (com.sn_audit) plugin adds or modifies several tables, user roles, and other components.

Tables installed with Audit Management

Tables are added with activation of GRC: Audit Management.

  Activity [sn_audit_activity]: Extends Audit Task [sn_audit_task] and stores audit activities.
  Audit Task [sn_audit_task]: Extends Planned Task [planned_task] and is a generic table for all tasks associated with an audit.
  Base Audit Test [sn_audit_base_test]: Base table for Test Templates and Test Plans.
  Control Test [sn_audit_control_test]: Extends Audit Task [sn_audit_task] and stores control tests.
  Control to Engagement [sn_audit_m2m_control_engagement]: Stores many-to-many relationships between controls and engagements.
  Engagement [sn_audit_engagement]: Extends Planned Task [planned_task] and stores engagements.
  Interview [sn_audit_interview]: Extends Audit Task [sn_audit_task] and stores interviews.
  Profile to Engagement [sn_audit_m2m_profile_engagement]: Stores many-to-many relationships between profiles and engagements.
  Risk to Engagement [sn_audit_m2m_risk_engagement]: Stores many-to-many relationships between risks and engagements.
  Test Plan [sn_audit_test_plan]: Extends Base Audit Test [sn_audit_base_test] and stores test plans.

  Test plan to Engagement [sn_audit_m2m_test_plan_engagement]: Stores many-to-many relationships between test plans and engagements.
  Test Template [sn_audit_test_template]: Extends Base Audit Test [sn_audit_base_test] and stores test templates.
  Walkthrough [sn_audit_walkthrough]: Extends Audit Task [sn_audit_task] and stores walkthroughs.
  Audit Report Template [sn_audit_report_template]

Note: All additional tables installed by the dependent plugins are also needed for GRC: Audit Management.

Properties installed with Audit Management

Properties are added with activation of GRC: Audit Management.

  sn_audit.control_test_approval_workflow: Defines the workflow that will be used for control test approval. Type: string. Default value: Control Test Approval
  sn_audit.engagement_approval_workflow: Defines the workflow that will be used for engagement approval. Type: string. Default value: Engagement Approval

Roles installed with Audit Management

Roles are added with activation of GRC: Audit Management.

  Audit User [sn_audit.user]: In addition to the inherited permissions, the audit user can be assigned audit tasks and create test templates and test plans. The audit user has read-only access to the Risk Management application and modules and the Policy and Compliance Management application and modules.
    Contains roles: sn_grc.reader, sn_grc.user
  Audit Manager [sn_audit.manager]: In addition to the inherited permissions, the audit manager can create authority documents, citations, policies, policy statements, and controls.
    Contains roles: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_audit.user

  Audit Admin [sn_audit.admin]: In addition to the inherited permissions, the audit admin can delete engagements, audit tasks, test templates, and test plans.
    Contains roles: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_grc.admin, sn_audit.user, sn_audit.manager
  Audit Developer [sn_audit.developer]: In addition to the inherited permissions, the audit developer can add and delete audit report templates.
    Contains roles: sn_grc.reader, sn_grc.user, sn_grc.manager, sn_grc.admin, sn_audit.user, sn_audit.manager, sn_audit.admin
  External Auditor [sn_audit.external_auditor]: External auditors can be assigned as auditors for an engagement and can be assigned to audit tasks. They can view closed engagements, audit tasks that are assigned to them, and closed audit tasks. If the Policy and Compliance Management plugin or the Risk Management plugin is installed, they can also view published policies and controls, and risks in the Monitor state.

Create an audit report template

Audit developers manage the audit report templates.

Role required: sn_audit.developer

1. Navigate to Audit > Administration > Audit Report Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 64: Authority Document

  Name: Name of the audit report template.
  Type: Script, HTML, or XML.

  Is default: Check box to indicate that this template is used as the default template for all KB articles.
  Script: The script code. This field is dependent on the Type field.
  HTML: The HTML code. This field is dependent on the Type field.
  XML: The XML code. This field is dependent on the Type field.

4. Click Submit.

Establish profile types, profile classes, and profiles

The Scoping module contains profiles and profile types for use in all GRC-related applications. They can be created for any record on any table. Only one profile can exist for a record. That profile, however, can belong to many profile types.

Profile types and profiles are used differently depending on the application. Policy and compliance managers use profile types and profiles to create a system of internal controls and monitor compliance. Risk managers use profile types and profiles to monitor risk exposure and perform risk assessments.

Create a profile class

GRC managers create profile classes representing the types of items in their organization. Reports can be filtered to define relationships between the different profile classes.

Role required: sn_grc.manager

A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services) in that a profile can belong to many profile types but can have only one profile class (for example, Business Service).

1. Navigate to one of the following locations:
     Policy and Compliance > Scoping > Profile Classes
     Risk > Scoping > Profile Classes
     Audit > Scoping > Profile Classes
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 65: Authority document

  Name: Name of the profile class.
  Roll up to: Select dependencies to other profiles. This is useful for reporting how your lower-level operational risks impact corporate-level risks.

  Is Root: Select the check box to indicate that this is the highest-level class. Note: Only one root class is allowed, and it cannot roll up to another class.
  Tier: Select the tier or category for the profile class: Business Application or IT Asset.

4. Navigate to Policy and Compliance > Profile Tiers.
5. Do one of the following actions:
     To create a new tier: Click New.
     To edit a tier: Open the profile tier.
6. Fill in the fields on the form, as appropriate.

Table 66: Profile type

  Name*: The name of the tier.
  Label*: The label assigned to the tier.
  Level*

7. Click Update.

Create profile class rules

Profile class rules allow you to assign tables to profile classes.

Role required: admin

1. Navigate to one of the following locations:
     Policy and Compliance > Administration > Profile Class Rules
     Risk > Administration > Profile Class Rules
     Audit > Administration > Profile Class Rules
2. Do one of the following actions:
     To create a new profile class rule: Click New.
     To edit a profile class rule: Open the profile class rule from the list.

3. Fill in the fields on the form, as appropriate.

Table 67: Profile Class Rule

  Table: The table that contains the records you want to assign the class to.
  Class: The class to assign to the table.

4. Click Submit or Update.

Create and edit a profile type

Administrators or managers in any of the GRC-related applications create profile types, from which profiles are generated. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for every profile listed in the profile type.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate to one of the following locations:
     Policy and Compliance > Scoping > Profile Types
     Risk > Scoping > Profile Types
     Audit > Scoping > Profile Types
2. Do one of the following actions:
     To create a new profile type: Click New.
     To edit a profile type: Open the profile type from the list.
3. Fill in the fields on the form, as appropriate, and click Submit.

Table 68: Profile type

  Name*: The name of the profile type.
  Description: An explanation of the profile type with any additional information that a user will find helpful.

Note: * indicates a mandatory field.

4. Once the profile type is created or edited, click the Profile filters tab and fill in the fields on the form, as appropriate.

Table 69: Profile filters

  Profile Type: Indicates the profile type that the filters belong to.
  Table*: The table that contains the records to be queried.
  Filter condition: Filter conditions for the source table to generate profiles.
  Owner field: The field on the table specifying the person who owns any new profiles generated from the profile type. Identify the user reference field on the source table to automatically identify risk and control owners. Use default owner to assign risks to a single user when the owner field is empty.
  Empty owner: Create, Do not create, or Use default.

Note: * indicates a mandatory field.

5. Click Update.

Create a profile

Profiles are generated automatically from profile types in any of the GRC-related applications. Profiles can be created individually, but this is not common.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate to one of the following locations:
     Policy and Compliance > Scoping > Profile Types
     Risk > Scoping > Profile Types
     Audit > Scoping > Profile Types
2. Open a Profile Type record from the list.
3. Add or modify any conditions, as necessary. Changing the Table changes the number of records matching the condition.

4. Assign the Owner field.
5. Click Update.

A profile is generated for every record that matches the filter condition.

Relate profiles to each other

Create relationships between profiles to understand how controls and risks affect each other and how they affect the enterprise.

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

1. Navigate using any of these options:
     Policy and Compliance > Scoping > All Profiles
     Risk > Scoping > All Profiles
     Audit > Scoping > All Profiles
2. Open the profile record from the list.
3. Perform one of the following actions:
     To specify that the current profile is downstream of another profile: Click the Add button in the Upstream profiles related list.
     To specify that the current profile is upstream of another profile: Click the Add button in the Downstream profiles related list.
4. Select the desired profiles to relate the current profile to and click Create Relationship.
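As an added illustration of the profile generation rules in the "Create and edit a profile type" and "Create a profile" procedures above (example code written for this page, not ServiceNow's own implementation), the following JavaScript models a profile type's Table, Filter condition, Owner field and Empty owner settings against a small constructed source table, and enforces the rule that a record gets at most one profile even when it matches several profile types. The record fields (operational_status, critical, owned_by), the default owner name and the function names are assumptions made for the example; the point it adds is what each Empty owner setting does to records whose owner field is blank, since a profile with no owner produces controls and risks with no accountable owner.

```javascript
// Added example: models how profile types generate profiles.
// Not ServiceNow code; record fields, names and the default owner are constructed.

const EMPTY_OWNER = { CREATE: 'Create', DO_NOT_CREATE: 'Do not create', USE_DEFAULT: 'Use default' };

// Constructed rows standing in for a source table such as business services.
const SAMPLE_TABLE = [
  { sys_id: 'bs001', name: 'Payroll',    operational_status: 'Operational', critical: true,  owned_by: 'alice' },
  { sys_id: 'bs002', name: 'Billing',    operational_status: 'Operational', critical: false, owned_by: '' },
  { sys_id: 'bs003', name: 'Legacy CRM', operational_status: 'Retired',     critical: true,  owned_by: 'bob' },
];

// Two constructed profile types over the same table; a profile may belong to both.
const BUSINESS_SERVICES = {
  name: 'Business Services',
  filterCondition: (row) => row.operational_status === 'Operational',
  ownerField: 'owned_by',
  emptyOwner: EMPTY_OWNER.USE_DEFAULT,
  defaultOwner: 'grc.default.owner', // assumed default owner user
};
const CRITICAL_BUSINESS_SERVICES = {
  name: 'Critical Business Services',
  filterCondition: (row) => row.operational_status === 'Operational' && row.critical,
  ownerField: 'owned_by',
  emptyOwner: EMPTY_OWNER.DO_NOT_CREATE,
  defaultOwner: null,
};

// Resolve the owner for a row according to the Empty owner setting.
// Returns { owner } or { skip: true } when no profile should be created.
function resolveOwner(profileType, row) {
  const owner = row[profileType.ownerField] || '';
  if (owner) return { owner };
  switch (profileType.emptyOwner) {
    case EMPTY_OWNER.CREATE:        return { owner: '' };
    case EMPTY_OWNER.USE_DEFAULT:   return { owner: profileType.defaultOwner };
    case EMPTY_OWNER.DO_NOT_CREATE: return { skip: true };
    default: throw new Error('unknown Empty owner setting: ' + profileType.emptyOwner);
  }
}

// Generate profiles for one profile type. `profiles` is a Map keyed by the source
// record's sys_id, so a record that already has a profile (from another profile
// type) is added to the new type's membership instead of getting a second profile.
function generateProfiles(profileType, rows, profiles) {
  const summary = { created: [], reused: [], skipped: [] };
  for (const row of rows) {
    if (!profileType.filterCondition(row)) continue;
    const existing = profiles.get(row.sys_id);
    if (existing) {
      existing.profileTypes.add(profileType.name);
      summary.reused.push(row.sys_id);
      continue;
    }
    const resolved = resolveOwner(profileType, row);
    if (resolved.skip) { summary.skipped.push(row.sys_id); continue; }
    profiles.set(row.sys_id, {
      appliesTo: row.sys_id,
      name: row.name,
      owner: resolved.owner,
      profileTypes: new Set([profileType.name]),
    });
    summary.created.push(row.sys_id);
  }
  return summary;
}

// Profiles with no owner: anything generated from them has nobody accountable for it.
function unownedProfiles(profiles) {
  return [...profiles.values()].filter((p) => !p.owner).map((p) => p.appliesTo);
}

// Run both constructed profile types over the sample table.
function runSample() {
  const profiles = new Map();
  const first = generateProfiles(BUSINESS_SERVICES, SAMPLE_TABLE, profiles);
  const second = generateProfiles(CRITICAL_BUSINESS_SERVICES, SAMPLE_TABLE, profiles);
  return { profiles, first, second };
}

const sample = runSample();
console.log(sample.first, sample.second, unownedProfiles(sample.profiles));
```

Running it creates two profiles for Business Services (the Billing row gets the default owner because its owner field is blank), then adds the Payroll profile to Critical Business Services without creating a duplicate; switching the setting to Do not create skips Billing instead, and Create produces a profile that unownedProfiles() flags.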

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles related lists are limited based on the current profile's class and the tier it belongs to.

Note: If there are no eligible profiles that can be related to the current profile, the Add button is not displayed on the Upstream profiles or Downstream profiles related lists.

Manage test templates and test plans

An audit engagement may include control testing activities during which controls are evaluated for design and operational effectiveness.

Test Templates and Test Plans

To conduct control testing, audit managers create test plans for the relevant controls before an engagement starts. Audit managers can use test templates to create multiple test plans for similar controls at one time. During the Validate state of an audit engagement, the test plans that are associated with the controls in the engagement's scope are automatically associated with the engagement. Audit managers can generate control tests from those associated test plans and create individual control tests as needed.

Create a test template

Test templates allow audit managers to quickly create many test plans that share much of the same testing criteria.

Role required: sn_audit.admin, sn_audit.manager, or sn_audit.user

1. Navigate to Audit > Audit Testing > Test Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 70: Test template form

  Number: Read-only field that is automatically populated with a unique identification number.
  Duration: Duration of the test.
  Short description: A brief and general description of the test template.

  Design Test*
    Design expectations: Expectations of how a control is designed.
    Design assessment procedures: Document how to assess if a control is designed effectively.

  Operation Test*
    Operation expectations: Expectations of how a control operates.
    Operation assessment procedures: Document how to assess if a control is operating effectively.

4. Click Submit.

Relate a test template to a policy statement

Audit owners can create generic control test templates for a policy statement, avoiding the creation of individual control test plans for every control.

Role required: sn_audit.admin or sn_audit.manager

1. Navigate to Audit > Audit Testing > Test Templates.
2. Open the test template record.
3. Select a policy statement and click Update.

Create an audit test plan

Test plans can be created from scratch or based on test templates, and describe how a feature is to be tested.

Role required: admin

1. Navigate to Audit > Audit Testing > Test Plans.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 71: Test template form

  Number: Read-only field that is automatically populated with a unique identification number.
  Control: The control that this test plan covers. Note: This field is only visible when the Policy and Compliance Management plugin is activated.
  Duration: The expected duration of the test.
  Test Template: The related test template.
  Short description: A brief and general description of the test plan.

  Design Test*
    Design expectations: Expectations of how a control is designed.
    Design assessment procedures: Document how to assess if a control is designed effectively.

  Operation Test*
    Operation expectations: Expectations of how a control operates.
    Operation assessment procedures: Document how to assess if a control is operating effectively.

4. Click Submit.

Create multiple test plans from a test template

If GRC: Policy and Compliance Management is installed, a test template can be used to create test plans for all of the controls associated with the test plan's policy statement.

Role required: sn_audit.manager or sn_audit.admin

1. Navigate to Audit > Audit Testing > Test Templates.
2. Select the test template from which to generate test plans.
3. Click the Create Test Plans for All Controls related link.

Note: This link is only visible if there are controls associated with the test plan's policy statement that have not yet had a test plan generated from the current test template.

Manage engagements

The audit engagement process involves creating, planning, scoping, and conducting engagements, as well as reporting on engagement findings.

Engagement process

The base system audit engagement process includes steps for scoping, validating, conducting, and approving engagement results. It also contains steps for following up on open audit tasks and issues, and finally closing out the audit engagement.

Table 72: States of the engagement process

  Scope: During the Scope state, audit managers define which profiles will be involved in the audit engagement. For example, for a financial audit, one may include all business services that the finance department relies on and the finance department itself. See Add profiles to an engagement scope.

  Validate: After an engagement has moved to the Validate state, all of the risks, controls, and test plans associated with the profiles in the engagement's scope are associated with the audit. Indicator results that were collected during the engagement's audit period are also associated with the audit. Audit managers can review the risks, controls, test plans, and indicator results, and update the engagement's scope if necessary. Audit managers can also begin creating and planning audit tasks for the engagement. To move an engagement into the Validate state, click Validate on any engagement currently in the Scope state.
  Fieldwork: Auditors complete their assigned audit tasks during the Fieldwork state. These tasks include control testing, interviews, walkthroughs, and other activities. Issues that are found during control testing are associated with the engagement. Auditors can also create general issues associated with the engagement. Audit managers can create additional audit tasks as needed. When the audit is done, audit managers specify the result of the engagement (Satisfactory, Adequate, or Inadequate) and provide details on their opinion. To move an engagement into the Fieldwork state, click Advance to Fieldwork on any engagement currently in the Validate state. See Audit task management on page 170.
  Awaiting Approval: During the Awaiting Approval state, the approvers specified in the engagement's Approvers field review the results of the audit tasks conducted and the issues that were created. After reviewing the results of the engagement, approvers approve or reject the engagement. To move an engagement into the Awaiting Approval state, click Request approval on any engagement currently in the Fieldwork state. See Approve or reject an engagement.

  Follow Up: After an engagement has been approved, if there are any remaining open tasks or issues associated with the engagement, the engagement automatically goes into the Follow Up state. During this stage, auditors must close out all remaining issues and tasks before the engagement is marked as complete.
  Closed: Engagements move into the Closed state under one of three conditions:
    The engagement is closed as incomplete during the Scope, Validate, or Fieldwork state.
    There are no open audit tasks or issues after the engagement is approved. In this case, the engagement automatically moves from the Awaiting Approval state to the Closed state.
    All of the follow-up issues and tasks are closed out. In this case, the engagement automatically moves from the Follow Up state to the Closed state.

Audit task management

Audit tasks are completed throughout an engagement and provide documented evidence that the organization is complying with external regulations and internal policies. When audit tasks are created or reassigned, a notification is sent to the assigned user. A notification is also sent when the task reaches 75% of its planned duration.

Create an engagement

Audit managers create engagements to manage audit information and collect profiles, controls, and control tests that are relevant to the audit.

Role required: sn_audit.admin or sn_audit.manager

1. Navigate to Audit > Engagements > Create New.
2. Fill in the fields on the form, as appropriate.

Table 73: Engagement form

  Number: Read-only field that is automatically populated with a unique identification number.
  State: New, Analyze, Respond, Review, Closed

  Name: The name of the engagement.
  Percent complete: Read-only field that is automatically populated with a number representing the percentage of the engagement that has been completed.
  Assigned to: The user assigned to the engagement.
  Auditors: The auditors assigned to the engagement.
  Audit period start: Date that work on the engagement is expected to begin.
  Approvers: The approvers assigned to the engagement.
  Audit period end: Date that work on the engagement is expected to end.
  Description: A general description of the engagement.
  Objectives: The stated objectives of the engagement.

  Schedule
    Planned start date: The intended date the activity should begin.
    Planned end date: The intended date the activity should end.
    Planned duration: The expected duration of this activity. As with actual duration, the planned duration shows total activity time and takes the activity schedule into consideration.
    Actual start date: The date that this activity actually began.
    Actual end date: The date that this activity actually ended.
    Actual duration: The actual duration of the project from project start to project closure.

  Results
    Result: Satisfactory, Adequate, or Inadequate
    Opinion: Justification for the selected result.

  Report
    Report template: The template to be used to generate the knowledge base article reporting the engagement results.
    KB article: The most recently generated knowledge base article containing the engagement results.

  Activity
    Additional comments: Customer-viewable comments.

    Work notes: Comments that are viewable by the admin and audit manager.

3. Click Submit.

Create an engagement from a previous engagement

Audit managers can create engagements from previous engagements to reduce the need to redefine the scope, auditors, and approvers for similar engagements that are conducted throughout the year.

Role required: sn_audit.admin or sn_audit.manager

1. Navigate to Audit > Engagement > All Engagements.
2. If necessary, clear the search filter criteria.
3. Open the engagement to copy from.
4. Right-click the header of the engagement and click Copy Engagement.

Create a control test from an engagement

After defining a control, audit managers create control tests that run periodically and provide documented evidence of whether the associated control is operating correctly.

Role required: sn_audit.admin and sn_audit.manager

1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for which you want to create the audit task. Audit tasks can be assigned to an engagement in one of the following states: Validate, Fieldwork, or Awaiting approval.
3. In the Audit Tasks related list, click New.
4. In the Audit Tasks Interceptor, click Control Test.
5. Fill in the fields on the form, as appropriate.

Table 74: Control test form

  Number: Read-only field that is automatically populated with a unique identification number.
  State: Open, Work in Progress, Review, Closed Complete, Closed Incomplete, Closed Skipped
  Parent: The parent audit task.

  Control effectiveness: The effectiveness of the control.
  Assigned to: The user assigned to this control test.
  Issue: The issue related to this control test.
  Test plan: The test plan associated with this control test.
  Short description: A brief and general description of the control test.

  Schedule
    Planned start date: The intended date the control test should begin.
    Planned end date: The intended date the control test should end.
    Planned duration: The expected duration of this control test. As with actual duration, the planned duration shows total activity time and takes the control test schedule into consideration.
    Actual start date: The date that this control test actually began.
    Actual end date: The date that this control test actually ended.
    Actual duration: The actual duration of the control test from control test start to control test closure.

  Design Test
    Design effectiveness: Effective or Ineffective
    Design expectations
    Design assessment procedures
    Design results

  Operation Test
    Operation effectiveness: Effective or Ineffective
    Operation expectations
    Operation assessment procedures
    Operation results

  Activity
    Work notes: Comments that are viewable by the audit administrator and audit manager.

    Additional comments: Customer-viewable comments.

6. Click Submit.

Create an activity

After defining a control, audit managers create activities that explore and provide documented evidence of whether the associated control is operating correctly.

Role required: sn_audit.admin and sn_audit.manager

1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for which you want to create the audit task. Audit tasks can be assigned to an engagement in one of the following states: Validate, Fieldwork, or Awaiting approval.
3. In the Audit Tasks related list, click New.
4. In the Audit Tasks Interceptor, click Activity.
5. Fill in the fields on the form, as appropriate.

Table 75: Activity form

  Number: Read-only field that is automatically populated with a unique identification number.
  State: Open, Work in Progress, Review, Closed Complete, Closed Incomplete, Closed Skipped
  Parent: The parent audit task.
  Assigned to: The user assigned to this activity.
  Short description: A brief and general description of the activity.
  Description: A more detailed explanation of the activity.

  Schedule
    Planned start date: The intended date the activity should begin.
    Planned end date: The intended date the activity should end.

Table 75: Activity form (continued)
  Planned duration: The expected duration of this activity. As with actual duration, the planned duration shows total activity time and takes the activity schedule into consideration.
  Actual start date: The date that this activity actually began.
  Actual end date: The date that this activity actually ended.
  Actual duration: The actual duration of the activity from activity start to activity closure.

Activity
  Additional comments: Customer-viewable comments.
  Work notes: Comments that are viewable by the audit administrator and audit manager.

6. Click Submit.

Create an interview

After defining a control, audit managers create interviews with control owners to discuss and provide documented evidence of whether the associated control is operating correctly.

Role required: sn_audit.admin and sn_audit.manager

1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create. Audit tasks can be assigned to an engagement in one of the following states: Validate, Fieldwork, or Awaiting approval.
3. In the Audit Tasks related list, click New.
4. In the Audit Tasks interceptor, click Interview.
5. Fill in the fields on the form, as appropriate.

Table 76: Interview form
  Number: Read-only field that is automatically populated with a unique identification number.
  State: Open, Work in Progress, Review, Closed Complete, Closed Incomplete, or Closed Skipped.
  Parent: The parent audit task.
  Assigned to: The user assigned to this interview.
  Short description: A brief and general description of the interview.
  Description: A more detailed explanation of the interview.

Schedule
  Planned start date: The intended date the interview should begin.
  Planned end date: The intended date the interview should end.
  Planned duration: The expected duration of this interview. As with actual duration, the planned duration shows total activity time and takes the interview schedule into consideration.
  Actual start date: The date that this interview actually began.
  Actual end date: The date that this interview actually ended.
  Actual duration: The actual duration of the interview from interview start to interview end.

Assignment
  Primary Contact: The user to contact for this interview.
  Other Contacts: Other users to contact for this interview, if the primary contact is unavailable.
  Notes: Additional notes about the interview contacts.

Activity
  Additional comments: Customer-viewable comments.
  Work notes: Comments that are viewable by the audit administrator and audit manager.

Create a walkthrough

After defining a control, audit managers create walkthroughs that are conducted to observe and provide documented evidence of whether the associated control is operating correctly.

Role required: sn_audit.admin and sn_audit.manager

1. Navigate to Audit > Engagements > All Engagements.
2. Open the engagement for the audit task you want to create. Audit tasks can be assigned to an engagement in one of the following states: Validate, Fieldwork, or Awaiting approval.
3. In the Audit Tasks related list, click New.
4. In the Audit Tasks interceptor, click Walkthrough.

5. Fill in the fields on the form, as appropriate.

Table 77: Walkthrough form
  Number: Read-only field that is automatically populated with a unique identification number.
  State: Open, Work in Progress, Review, Closed Complete, Closed Incomplete, or Closed Skipped.
  Parent: The parent audit task.
  Assigned to: The user assigned to this walkthrough.
  Short description: A brief and general description of the walkthrough.
  Description: A more detailed explanation of the walkthrough.

Schedule
  Planned start date: The intended date the walkthrough should begin.
  Planned end date: The intended date the walkthrough should end.
  Planned duration: The expected duration of this walkthrough. As with actual duration, the planned duration shows total activity time and takes the walkthrough schedule into consideration.
  Actual start date: The date that this walkthrough actually began.
  Actual end date: The date that this walkthrough actually ended.
  Actual duration: The actual duration of the walkthrough from walkthrough start to walkthrough end.

Walkthrough
  Primary Contact: The user to contact for this walkthrough.
  Other Contacts: Other users to contact for this walkthrough, if the primary contact is unavailable.
  Execution Steps: Detail the activities to be performed during the walkthrough.
  Explanation: Intended purpose of the walkthrough.
  Additional Information: Additional information the user conducting the walkthrough needs to be aware of.
  Results: Details of what transpired during the walkthrough.

Activity
  Additional comments: Customer-viewable comments.
  Work notes: Comments that are viewable by the audit administrator and audit manager.

6. Click Submit.

Generate a KB article from an engagement

Audit managers can generate a KB article that summarizes the findings of an engagement so report findings can be communicated to executives.

Role required: sn_audit_manager

KB articles can be generated for engagements in the Awaiting approval, Follow up, and Closed complete states.

1. Navigate to Audit > All Engagements.
2. Open the engagement record.
3. Fill in the fields on the Reports tab, as appropriate.

Table 78: Reports tab on engagement form
  Report template: Select the report template to use for this KB article.
  KB article: Read-only field that is automatically populated with a unique identification number.

4. Click Generate report.

Approve or reject an engagement

Audit users that are assigned as approvers for an engagement can approve or reject engagements in the Awaiting Approval state.

Role required: sn_audit.user

1. Navigate to Audit > My Audit Approvals.
2. Open the approval record associated with the engagement.
3. Click Approve or Reject.

One of the following actions occurs:
  - If the engagement is approved and there are remaining open tasks or issues, it automatically moves into the Follow Up state.

  - If the engagement is approved and there are no remaining open tasks or issues, it automatically moves into the Closed state.
  - If the engagement is rejected, it automatically moves back to the Fieldwork state.

Add profiles to an engagement scope

Audit managers define which profiles will be involved in the audit engagement.

Role required: sn_audit.manager or sn_audit.admin

1. Navigate to Audit > Engagements > All Engagements.
2. Open an engagement in the Scope or Validate state.
3. In the Profiles related list, click Add.
4. Select the desired profiles that will be included in the audit engagement.
5. Click Add.

Use the Audit Engagement Workbench to visually manage engagements

The Engagement Workbench provides a timeline view from which you can select an audit engagement to view details or create a new engagement.

Figure 5: Audit Engagement

Create an engagement from Audit Workbench

The Engagement Workbench provides a timeline view from which you can select an audit engagement to view details or create a new engagement. Audit managers create engagements directly from the Workbench to manage audit information and collect profiles, controls, and control tests that are relevant to the audit.

Role required: sn_audit.admin or sn_audit.manager

1. Navigate to Audit > Engagements > Workbench.
2. Click Create Engagement.
3. Fill in the fields on the form, as appropriate.

Table 79: Engagement form
  Name: The name of the engagement.
  Assigned to: The user assigned to the engagement.
  Description: A general description of the engagement.
  Objectives: The stated objectives of the engagement.
  Planned start date: The intended date the engagement should begin.
  Planned duration: The expected duration of this engagement. As with actual duration, the planned duration shows total activity time and takes the engagement schedule into consideration.
  Audit period start: Date that work on the engagement is expected to begin.
  Audit period end: Date that work on the engagement is expected to end.
  Auditors: The auditors assigned to the engagement.
  Approvers: The approvers assigned to the engagement.

4. Click Create.

Manage GRC key risk and control indicators

Continuous monitoring involves activities related to identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.

Indicators collect data to monitor controls and risks, and collect audit evidence. Each indicator monitors a single control or risk.

Indicator templates

Indicator templates allow the creation of multiple indicators for similar controls or risks.

Engagement Overview

The Engagement Overview is contained in the Audit Management application. It provides an executive view into audit results and engagement breakdowns by task, and allows areas of concern to be identified quickly. The Engagement Overview module displays audit information that is tailored to the role of the user.

Audit Engagement Overview

Users with the Audit Administrator, Audit User, and Audit Manager roles view the Audit Engagement Overview. It contains the following reports in the base system.

Table 80: Audit Engagement Overview reports (Name, Visual: Description)
  Engagement Results, Column Chart: Displays an overall count of audit engagements conducted for each profile. The chart is stacked to display the overall audit results for each profile.
  Profiles by Engagement, Donut chart: Displays the total number of profiles included in the scope of each audit engagement.
  Controls by Engagement, Donut chart: Displays the total number of controls included in the scope of each audit engagement.
  Profile, Drop-down list: Select one or many profiles to view and compare their audit findings.
  Select Engagement, Drop-down list: Select one or many engagements to view and compare their audit findings.
  Satisfactory Engagements, Single Score: Displays the number of engagements closed with a satisfactory result.
  Adequate Engagements, Single Score: Displays the number of engagements closed with an adequate result.
  Inadequate Engagements, Single Score: Displays the number of engagements closed with an inadequate result.
  Control Test Results, Donut chart: The number of completed control tests, broken down by overall control effectiveness rating.
  Issue Breakdown, Bar Chart: Count of issues grouped by Engagement, State, or Response.
  Audit Task Breakdown, Bar Chart: Count of audit tasks grouped by Task Type, Assigned to, Top Task, and State. Stacked by Task Type, Assigned to, Top Task, and State.
  Overdue Audit Tasks, List: List of open audit tasks that have exceeded the planned end date.

Create a GRC indicator

Indicator data for controls, risks, and audit evidence are measured differently depending on the GRC-related application.

Role required: compliance_admin or compliance_manager, risk_admin or risk_manager, audit_admin or audit_manager

1. Navigate to one of the following locations:
   - Policy and Compliance > Indicators > Indicators
   - Risk > Indicators > Indicators
   - Audit > Indicators > Indicators
2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 81: Indicator
  Number: Read-only field that is automatically populated with a unique identification number.
  Active: Check box that determines whether the indicator is active.
  Name: Name of the indicator.
  Item: The related control or risk.
  Template: The related indicator template.
  Applies to: The profile related to the Item.
  Owner: The indicator owner.
  Owning group: The group that owns the indicator.
  Override Template: Click to override the indicator template associated with this indicator.
  Last result passed: Read-only field indicating whether the last result passed.

Schedule
  Collection frequency: Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
  Next run time: Read-only field that is automatically populated with the next collection time for indicator results.

Method
  Type: Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, Script.
  Short: If Type is Manual, this field is present. Brief description of the issue.
  Instructions: If Type is Manual, this field is present. Instructions for the collection of indicator results.
  Value Mandatory: If Type is Manual, this field is present.
  Passed/Failed: If Type is Basic, this field is present. Indicator passes or fails.
  PA Threshold: If Type is PA Indicator, this field is present. The associated PA Threshold.
  Script: If Type is Script, this field is present. Script that obtains the desired system information.

Supporting Data
  Table: Use supporting data to gather supporting evidence from other applications.
  Supporting data fields: Supporting data fields based on the selected table.

4. Click Submit.

Create a GRC indicator template

Compliance or risk managers create indicator templates from which many indicators can be created.

Role required: compliance_admin or compliance_manager, risk_admin or risk_manager, audit_admin or audit_manager

1. Navigate to one of the following locations:

   - Policy and Compliance > Indicators > Indicator Templates
   - Risk > Indicators > Indicator Templates
   - Audit > Indicators > Indicator Templates
2. Select New.
3. Fill in the fields on the form, as appropriate.

Table 82: Indicator template
  Name: Name of the indicator.
  Active: Check box that determines whether the indicator template is active.
  Content: The related policy or risk statement.

Schedule
  Collection frequency: Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule.
  Next run time: Read-only field that is automatically populated with the next collection time for indicator results.

Method
  Type: Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Choices: Manual, Basic, PA Indicator, Script.
  Short: If Type is Manual, this field is present. Brief description of the issue.
  Instructions: If Type is Manual, this field is present. Instructions for the collection of indicator results.
  Value Mandatory: If Type is Manual, this field is present.
  Passed/Failed: If Type is Basic, this field is present. Indicator passes or fails.
  PA Threshold: If Type is PA Indicator, this field is present. The associated PA Threshold.
  Script: If Type is Script, this field is present. Script that obtains the desired system information.

Supporting Data
  Collect Supporting Data: Check to gather supporting evidence from other applications.
  Table: The supporting data table.
  Supporting Data Fields: The fields from the supporting data table to be considered.
  Criteria: Select filter conditions.
  Use reference field: Select to use the reference field.
  Reference field: Creates a join between the supporting data table and the profile's applies to table. For example, if the profile table is cmdb_ci_computer and the supporting data table is incident, you could have a supporting data query named "incident with critical priority". In this example, each indicator execution returns all critical incidents. If you are interested in finding critical incidents linked to the profile "CEO's laptop", you already have an indicator on a control related to this profile. In this example:
    - Select the reference field Configuration item from the incident table.
    - The supporting data query becomes: all critical incidents, where the configuration item = CEO's laptop.
    - The indicator is specific to the profile of the control it is attached to.
    Note: This reference field is useful only when the supporting data table has a reference to the profile's table.
  Sample size: Limits the number of records retrieved from the supporting data table. For example, a basic indicator could query a large table, returning thousands of records with each indicator execution. You do not need to save all of them; just a sample of those records. If you enter a sample size of 100, then only 100 records are saved, even though the query returned thousands.

4. Click Submit.

Manage audit issues and remediation

Issues can be created manually to document audit observations, remediations, or to accept any problems. They are automatically generated from indicator results, attestation results, or control test effectiveness. Various types of issues are created under the following conditions:
  - Issue: Created when an indicator fails.
  - Control issue: Created when a control attestation is completed indicating that the control is Not implemented.
  - Control test issue: Created when a control test is closed complete with the control effectiveness set to Ineffective.
  - Other issue: Created by the user manually.

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk exposure. Accepting an issue marks an intention to create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Create a GRC issue manually

Manually create issues to document audit observations, the intention of remediations, or to accept any problems.

Role required (per product):
  - In GRC: compliance_admin, compliance_manager, or sn_compliance.user
  - In Risk Management: risk_admin, risk_manager, or sn_risk.user
  - In Audit Management: audit_admin, audit_manager, or sn_audit.user

1. Navigate to one of the following locations:
   - Policy and Compliance > Issues > Create New
   - Risk > Issues > Create New
   - Audit > Issues > Create New
2. Fill in the fields on the form, as appropriate.

Table 83: Issue
  Number: Read-only field that is automatically populated with a unique identification number.
  Assignment group: The group to which this issue has been assigned. Each member will receive a notification when activity has occurred on this issue.
  Assigned to: The member of the group assigned to resolve the issue.
  Configuration item: The item associated with this issue.
  State: New, Analyze, Respond, Review, or Closed.
  Priority: Priority for this issue: 1 - Critical, 2 - High, 3 - Moderate, 4 - Low, or 5 - Planning.
  Issue group rule: The group rule assigned to this issue.
  Parent Issue: The parent issue this issue belongs to.
  Location: The location where the issue occurred.
  Short description: Brief description of the issue.

Details
  Profile: The related profile.
  Item: The related control or risk.
  Content: The content of the issue.
  Description: A more detailed explanation of the issue.
  Recommendation: The recommended action to resolve this issue.

Dates
  Planned start date: Date and time that work on the issue is expected to begin.
  Planned end date: Date and time that work on the issue is expected to end.
  Planned duration: Estimated amount of work time. Calculated using the Planned start date and Planned end date.
  Actual start date: Time when work began on this issue.
  Actual end date: Time when work on this issue was completed.
  Actual duration: Amount of work time. Calculated using the Actual start date and Actual end date.

Activity
  Work notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
  Additional comments (Customer visible): Public information about the issue.

Engagement
  Engagement: The related engagement.

3. Click Submit.

Out-of-the-box GRC: Audit Management Performance Analytics Solution

Performance Analytics Solutions contain preconfigured best practice dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.

Note: To evaluate the functionality, you can activate Performance Analytics solutions and inform analytics on instances that have not licensed Performance Analytics. However, you have the following limitations:
  - You cannot create new indicators.
  - You cannot collect data older than 180 days.
For full functionality, license Performance Analytics. For more information, see Get licensed Performance Analytics.

Performance Analytics Solutions

Use the Performance Analytics widgets on the dashboard to visualize data over time, analyze your business processes, and identify areas of improvement. With solutions, you can get value from Performance Analytics for your application with minimal setup.

Note: Solutions include some dashboards that are inactive by default. You can activate these dashboards to make them visible to end users according to your business needs.

To enable the solution plugin for Audit Management, an admin can navigate to System Definitions > Plugins and activate the Performance Analytics - Content Pack - GRC:Audit Management plugin.

GRC Audit Engagement Overview dashboard

The Audit Engagement Overview dashboard provides an executive view into audit results and engagement breakdowns by task, allowing areas of concern to be identified quickly. Because this dashboard uses interactive filtering, the licensed version of Performance Analytics is required.

The Audit Engagement Overview dashboard has one view, with reports on engagement results and various drilldowns, with interactive

End users

  Audit Manager: Needs clear visibility into the overall state and volume of vulnerabilities within the organization. Required role: sn_audit.manager
  Audit Administrator: Needs to pinpoint areas of concern quickly. Required role: sn_audit.admin
  Audit Analyst: Needs to quickly prioritize which risks/tasks to focus on based upon criticality to the organization. Required role: sn_audit.user

Reports

The Audit Engagement Overview dashboard contains the following reports (Name, Type: Description):
  Adequate Engagements, Single Score: Displays the number of engagements closed with an adequate result.
  Audit Task Breakdown, Horizontal bar: Total number of active audit tasks broken down by type, state, and assigned to.
  Control Test Results, Donut: The number of completed control tests, broken down by overall control effectiveness rating.
  Controls by Engagement, Donut: Breakdown of the number of open controls by audit engagement.
  Engagement Results, Bar: Displays an overall count of audit engagements conducted for each profile. The chart is stacked to display the overall audit results for each profile.
  Inadequate Engagements, Single Score: Displays the number of engagements closed with an inadequate result.
  Issue Breakdown, Horizontal bar: Count of issues grouped by Engagement, State, or Response.
  Overdue Audit Tasks, List: List of open audit tasks that have exceeded the planned end date.
  Profiles by Engagement, Donut: Select one or many profiles to view and compare their audit findings.
  Satisfactory Engagements, Single Score: Displays the number of engagements closed with a satisfactory result.

Vendor Risk Management

The Vendor Risk Management application provides a centralized process for managing your vendor portfolio, assessing vendor risk and tiering, and for completing the remediation life cycle.

Related topics (Explore, Set up, Administer, Use, Develop, Troubleshoot and get help):
  - Domain separation and Vendor Risk Management on page 192
  - Activate Vendor Risk Management on page 194
  - Components installed with Vendor Risk Management on page 195
  - Set up third-party vendor security scores on page 227
  - Create an automatic score-based risk assessment on page 248
  - Configure vendor risk assessment notifications on page 234
  - Set up different types of vendor assessments on page 249
  - Developer training
  - Developer documentation
  - Ask or answer questions in the community
  - Search the HI knowledge base for known error articles
  - Contact Support

Domain separation and Vendor Risk Management

This is an overview of domain separation and Vendor Risk Management. Domain separation enables you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.

Overview

Support: Data only

Domain separation in this application is supported at the Data only level, meaning it supports the data security model of separating visibility of data from one domain to another. To learn more, see Application support for domain separation.

Domain separation is best for those customers who:
  - Need to enforce absolute data segregation between business entities (data separation).
  - Customize business process definitions and user interfaces for each domain (delegated administration).
  - Maintain some global processes and global reporting in a single instance.

These users can choose to expand or collapse the domain scope to show or hide data from other domains. For example, vendor data for Workday can be separated from the vendor data of other vendors. Each vendor using the VRM application can have separate data that cannot be shared with other vendors.

Note: Users always have access to data from domains that have been explicitly granted to them by domain visibility.

How domain separation works in VRM

While VRM supports separation of data, separation of logic and process is not fully supported. Many types of records in VRM are automatically generated through user processes. Profiles, controls, risks, indicators, and control tests are all records that can be generated automatically. For these automatically generated records (and for any VRM record that is manually generated), the domain of the record is the same as the domain of the user responsible for creating or generating the record. Keep this in mind when working in a domain-separated VRM implementation: users should be sure that they are creating or generating records at the right domain level so that the records are visible to the right set of users.

For example, suppose you have domains that look like:
  Global
    TOP
      Domain A
      Domain B

If you have a risk or control that you want to be assessed by users in Domains A and B, the risk or control should be generated or manually created at the global level. If the risk or control is created in Domain B, you will not be able to recreate the risk or control in Domain A due to indexing. If you have a risk or control that you want to be assessed by users in TOP and Domain A, you can create the risk or control in Domain A.

Unless the risks and controls are in the Global domain, users should not assign risks or controls in a higher domain to users in a lower domain. Using the example above, if you have a control in the TOP domain, you should not assign it for attestation to users in Domains A or B, since those users would not have access to the control and the attestation or assessment questionnaire would not be generated. Similarly, users should not assign policy statements and risk statements in a higher domain to attestations and assessments in a lower domain; otherwise the attestation or assessment questionnaire would not be generated.
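The visibility rules described above can be checked against a small model before records are generated in a domain-separated instance. The following JavaScript is an added example, not ServiceNow code and not part of Vendor Risk Management: the domain tree (Global > TOP > Domain A, Domain B), the user names and the control names are constructed here, and the visibility rule it encodes (a Global record is visible to everyone; any other record is visible to users in its own domain and in the domains above it, not in a lower or sibling domain) is taken from this page's examples rather than from the platform's implementation.

```javascript
// Added example (not ServiceNow code): a model of the domain visibility
// rules this page describes for GRC/VRM records. The domain tree, users and
// control names are constructed; the rules are taken from the page's
// examples: Global records are visible to everyone; a record in a domain is
// visible to users in that domain and in the domains above it, not to users
// in a lower or sibling domain; generated records take the domain of the
// user who generated them; an attestation questionnaire is not generated for
// a user who cannot see the control.

// Constructed domain tree as child -> parent; "global" is the root.
const DOMAIN_PARENT = {
  "TOP": "global",
  "Domain A": "TOP",
  "Domain B": "TOP",
};

// The chain from a domain up to the root, starting with the domain itself.
function ancestors(domain) {
  const chain = [];
  for (let d = domain; d !== undefined; d = DOMAIN_PARENT[d]) chain.push(d);
  return chain;
}

// Visibility rule (modelled from the page): global records are visible to
// all; otherwise the user's domain must be the record's domain or one of
// its ancestors. Records in a higher or sibling domain are hidden.
function isVisible(recordDomain, userDomain) {
  if (recordDomain === "global") return true;
  return ancestors(recordDomain).includes(userDomain);
}

// Generated or manually created records inherit the creator's domain.
function createControl(name, creator) {
  return { name, domain: creator.domain, createdBy: creator.name };
}

// Names of the users who would NOT get an attestation questionnaire for the
// control because it lives in a domain they cannot see. A non-empty result
// is the misconfiguration the page warns about, so check it before assigning.
function attestationBlockedFor(control, users) {
  return users
    .filter((u) => !isVisible(control.domain, u.domain))
    .map((u) => u.name);
}

// Lowest domain at which a record can be created so that users in all the
// given domains can see it. Generalises the page's two cases: Domain A and
// Domain B together need global; TOP and Domain A can use Domain A.
function lowestCommonCreationDomain(userDomains) {
  const candidates = ["global", ...Object.keys(DOMAIN_PARENT)];
  const workable = candidates.filter((c) => userDomains.every((u) => isVisible(c, u)));
  // Deepest workable domain first (longest ancestor chain).
  workable.sort((a, b) => ancestors(b).length - ancestors(a).length);
  return workable[0];
}

// Constructed users, one per domain.
const USERS = {
  topAuditor: { name: "top-auditor", domain: "TOP" },
  aUser: { name: "a-user", domain: "Domain A" },
  bUser: { name: "b-user", domain: "Domain B" },
};

// Replay the page's scenarios and return the outcomes.
function scenarios() {
  const ctrlInB = createControl("Access review", USERS.bUser);
  const ctrlInTop = createControl("Vendor onboarding", USERS.topAuditor);
  return {
    // A control generated by a Domain B user is not visible in Domain A...
    bControlSeenByA: isVisible(ctrlInB.domain, USERS.aUser.domain),
    // ...but it is visible to the parent domain TOP.
    bControlSeenByTop: isVisible(ctrlInB.domain, USERS.topAuditor.domain),
    // A TOP control assigned for attestation to A and B users: both blocked.
    blocked: attestationBlockedFor(ctrlInTop, [USERS.aUser, USERS.bUser]),
    // Where to create a control that Domain A and Domain B must both assess.
    forAandB: lowestCommonCreationDomain(["Domain A", "Domain B"]),
    // Where to create a control that TOP and Domain A must assess.
    forTopAndA: lowestCommonCreationDomain(["TOP", "Domain A"]),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Running the block prints the outcomes of the page's scenarios: the Domain B control is hidden from Domain A but visible to TOP, both lower-domain users are blocked from attesting the TOP control, and the recommended creation domains are global (for A and B) and Domain A (for TOP and A). The attestationBlockedFor check is the one worth wiring into any process that generates questionnaires, since the page states the questionnaire silently fails to appear rather than raising an error.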

Use case: domain separation in Vendor Risk Management

Vendor data for Workday can be separated from the vendor data of other vendors. Each vendor using the VRM application can have separate data that cannot be shared with other vendors. Each vendor can have their own vendor contacts, vendor risk assessments, issues, tasks, and so on. When looking at a vendor risk assessment from the Workday domain, the user can choose to expand the domain scope to show assessments from the Amazon domain or collapse the domain scope to show only assessments that match the Workday domain.

By default, domain separation adds a domain field to the Task [task] and Configuration Items [cmdb_ci] tables and their extensions. You can extend domain separation to any new tables you create by adding a sys_domain field to the table's dictionary definition. By default, the system-only domain separates platform and baseline application tables where appropriate.

Warning: Domain-separating platform tables (any table with the sys_ prefix, such as the Dictionary Entry [sys_dictionary] and Dictionary Entry Override [sys_dictionary_override] tables) is not recommended, as this can produce unexpected results.

In this use case, client scripts, business rules, workflows, processes, and so on can be domain-separated. While the behavior offered with domain separation provides multi-tenancy support, multi-tenancy is still contained within a single instance. This means that some global properties, some global data, and some global processes are shared across all domains. For example, the system's Remember me option on the login page is global and cannot be specified per domain. If a complete and total separation of all system properties is needed and does not require global reporting or global processes, separate instances are the best option.

Understanding Vendor Risk Management

The Vendor Risk Management application provides a centralized process for managing your vendor portfolio and completing the vendor assessment and remediation life cycle. Integration with the other GRC applications also provides traceability for compliance with controls and risks.

Who uses Vendor Risk Management?
  - Risk analysts
  - Vendor risk manager
  - Functional department heads responsible for vendor compliance, for example: Account Executives, Corporate Counsel, Information Security, HR Operations, Information Technology

Activate Vendor Risk Management

The GRC: Vendor Risk Management (com.sn_vdr_risk_asmt) plugin is available as a separate subscription.

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.
   - If the plugin depends on other plugins, these plugins are listed along with their activation status.
   - If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).
4. If available, select the Load demo data check box.
   - Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.
   - You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
5. Click Activate.

Components installed with Vendor Risk Management

Several types of components are installed with activation of the Vendor Risk Management plugin, including tables, user roles, and scheduled jobs. Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin.

Note: To view all other components installed with this plugin, see the Application Files table. For instructions, see Find components installed with an application.

Demo data is available for this feature.

Vendor Risk Management and the Explicit Roles plugin

Activating the Vendor Risk Management plugin also installs the Explicit Roles plugin. Administrators assign the snc_internal and snc_external roles to provide internal and external users access to the instance. When vendor contacts are created, they are automatically assigned the snc_external role, giving them access to resources related to the vendor portal.

Various tables provide role-based access to records by setting the Roles field. If the Roles field is empty, then all users have access to that record. For example, if a Service Catalog item has an empty Roles field, then all users have access to that Service Catalog item. However, when the Explicit Roles plugin is installed, the Roles field is updated to snc_internal. Additionally, all users are given the snc_internal role. Continuing with the previous example:
  - Before installing the Explicit Roles plugin, if a Service Catalog item had an empty Roles field, it was accessible to every user.
  - After installing the Explicit Roles plugin, that Service Catalog item's Roles field is updated to snc_internal and all existing users are given the snc_internal role, making the catalog item accessible to those users. After that, when new users are created, they must have the snc_internal role, or they will not have access to that Service Catalog item.
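The before-and-after behaviour of the Explicit Roles plugin on the catalog item example is easy to lose track of when reasoning about who keeps access, so here it is replayed as an added JavaScript model. This is not ServiceNow code and not the plugin itself: the in-memory instance, the user names (alice, bob, vendor-contact) and the catalog item names are constructed, and the behaviour encoded (empty Roles field means open to everyone; on install, empty Roles fields become snc_internal and every existing user receives snc_internal; new users need snc_internal explicitly; vendor contacts get snc_external only) is exactly what this page states.

```javascript
// Added example (not ServiceNow code): a model of how the Explicit Roles
// plugin, installed with Vendor Risk Management, changes who can read a
// role-guarded record. Users, items and the instance are constructed; the
// rules come from the page's Service Catalog example.

// Role check used by the model: an empty Roles field is open to everyone,
// otherwise the user needs at least one of the listed roles.
function canAccess(record, user) {
  if (record.roles.length === 0) return true;
  return record.roles.some((r) => user.roles.includes(r));
}

// Constructed in-memory "instance" holding users and catalog items.
function makeInstance() {
  return { explicitRolesInstalled: false, users: [], items: [] };
}

function addUser(inst, name, roles) {
  const user = { name, roles: [...roles] };
  inst.users.push(user);
  return user;
}

// Vendor contacts are created with snc_external, which gives them the
// vendor portal but not internal records.
function addVendorContact(inst, name) {
  return addUser(inst, name, ["snc_external"]);
}

// New catalog items: once the plugin is active, an empty Roles field is
// filled with snc_internal (the glide.sc.use_user_criteria = false behaviour
// the page describes for newly created catalog items).
function addCatalogItem(inst, name, roles) {
  const item = { name, roles: [...roles] };
  if (inst.explicitRolesInstalled && item.roles.length === 0) item.roles.push("snc_internal");
  inst.items.push(item);
  return item;
}

// Installing the plugin rewrites every empty Roles field to snc_internal and
// grants snc_internal to every existing user, so nobody loses access at
// install time; only users created afterwards without the role are shut out.
function installExplicitRoles(inst) {
  inst.explicitRolesInstalled = true;
  for (const item of inst.items) if (item.roles.length === 0) item.roles.push("snc_internal");
  for (const u of inst.users) if (!u.roles.includes("snc_internal")) u.roles.push("snc_internal");
}

// Replay the page's before/after example and return the outcomes.
function explicitRolesWalkthrough() {
  const inst = makeInstance();
  const alice = addUser(inst, "alice", ["itil"]);          // existing internal user
  const item = addCatalogItem(inst, "Request laptop", []); // empty Roles field
  const before = canAccess(item, alice);                   // open to everyone

  installExplicitRoles(inst);

  const aliceAfter = canAccess(item, alice);               // kept access via snc_internal
  const bob = addUser(inst, "bob", []);                     // created after install, no snc_internal
  const bobAfter = canAccess(item, bob);
  const vendor = addVendorContact(inst, "vendor-contact"); // snc_external only
  const vendorAfter = canAccess(item, vendor);
  const newItem = addCatalogItem(inst, "Report a problem", []);

  return {
    before,
    aliceAfter,
    bobAfter,
    vendorAfter,
    itemRoles: item.roles,
    newItemRoles: newItem.roles,
  };
}

console.log(JSON.stringify(explicitRolesWalkthrough(), null, 2));
```

The walkthrough shows the two outcomes an administrator should expect after activating Vendor Risk Management: existing users and existing open records keep working because both sides are rewritten to snc_internal at install time, while a user created afterwards without snc_internal, including every vendor contact, gets no access to the previously open item. When onboarding internal users after the install, snc_internal therefore has to be part of the provisioning template.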

Table Changes

Access Control [sys_security_acl]
    For all existing and newly created ACLs without a role requirement, the snc_internal role is assigned.

Catalog item [sc_cat_item]
    For all records where the Roles field is empty, the snc_internal role is added. If the glide.sc.use_user_criteria property is set to false, newly created catalog items are automatically assigned the snc_internal role. If the property is set to true, the SNC External user criteria is added to all newly created catalog items, excluding external users from viewing the record.

Page [content_page]
    For sites that have a login page, where the Read roles field is empty, the snc_internal role is added. For sites that have no login page, or that have automatically created content pages, the public role is added.

Overview Help Panel [sys_ui_overview_help_panel]
    For all records where the Roles field is empty, the snc_internal role is added. Newly created overview panels with an empty Roles field are also assigned the snc_internal role.

Navigation Menu [sys_app_application]
    For all records where the Roles field is empty, the snc_internal role is added. Newly created navigation menus with an empty Roles field are also automatically assigned the snc_internal role.

Report [sys_report]
    For all records where the Roles field is empty, the snc_internal role is added. Newly created reports that have an empty Roles field when shared are also automatically assigned the snc_internal role.

Portal Page [sys_portal_page]
    For all records where the Read roles field is empty, the snc_internal role is added. Newly created portal pages with an empty Read roles field are also automatically assigned the snc_internal role.

Processor [sys_processor]
    For all records where the Roles field is empty, the snc_internal role is added. Newly created processors with an empty Roles field are also automatically assigned the snc_internal role.

Two consequences of this table are worth checking after activation. An ACL that previously had no role requirement now requires snc_internal, so anything a vendor contact legitimately needs outside the vendor portal must be granted explicitly through snc_external or a vendor role. Content pages on sites without a login page are given the public role, so they remain reachable without authentication and should be reviewed for anything that should not be public.
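The Roles-field rule and the Explicit Roles migration described above, as an added example that is not ServiceNow code: records, users and role names are constructed in memory (on the platform they live in tables such as sc_cat_item and sys_user_has_role), and the scenario walks the catalog-item case, including the new-user caveat.

```python
"""Added example (not ServiceNow code): a minimal model of the Roles-field check
described above and of what the Explicit Roles plugin changes.  Records, users
and role names are constructed in memory; on the platform the equivalents live
in tables such as sc_cat_item and sys_user_has_role."""

from dataclasses import dataclass, field


@dataclass
class Record:
    name: str
    roles: set = field(default_factory=set)  # empty set == "Roles field is empty"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def can_read(user: User, record: Record) -> bool:
    """Roles-field semantics from the text: an empty Roles field lets every
    user read the record; otherwise the user needs at least one listed role."""
    if not record.roles:
        return True
    return bool(user.roles & record.roles)


def install_explicit_roles(records, users):
    """Migration the Explicit Roles plugin performs, as described above:
    every record whose Roles field is empty gets snc_internal, and every
    user that exists at install time is given snc_internal.  Users created
    afterwards are not touched, which is the caveat the text warns about."""
    for rec in records:
        if not rec.roles:
            rec.roles = {"snc_internal"}
    for user in users:
        user.roles.add("snc_internal")


def create_vendor_contact(name: str) -> User:
    """Vendor contacts are created with snc_external, which never satisfies
    a record that now requires snc_internal."""
    return User(name, {"snc_external"})


def records_open_to_everyone(records):
    """Audit helper: names of records still readable by any user at all."""
    return [rec.name for rec in records if not rec.roles]


def scenario():
    """Walk the catalog-item example from the text and return what each
    user can see before and after the plugin is installed."""
    item = Record("Laptop request")          # catalog item, Roles field empty
    alice = User("alice")                    # existing employee, no roles yet
    result = {
        "alice_before": can_read(alice, item),
        "open_before": records_open_to_everyone([item]),
    }
    install_explicit_roles([item], [alice])
    bob = create_vendor_contact("bob@vendor.example")   # created after install
    carol = User("carol")                               # new employee, no role granted yet
    result.update({
        "item_roles": sorted(item.roles),
        "alice_after": can_read(alice, item),
        "vendor_contact_after": can_read(bob, item),
        "new_user_without_role": can_read(carol, item),
        "new_user_with_role": can_read(User("dave", {"snc_internal"}), item),
        "open_after": records_open_to_everyone([item]),
    })
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The records_open_to_everyone check is the one to run against real tables before and after activation: any record it still lists after the migration is readable by vendor contacts as well as employees.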

Roles installed

Role title [name]: Vendor risk assessor [sn_vdr_risk_asmt.vendor_assessor]
Description: Manages vendors, vendor contacts, vendor risk assessments, and issues, and completes vendor risk assessment requests.
Contains roles: sn_vdr_risk_asmt.vendor_assessment_reviewer, vendor_editor, vendor_reader, compliance reader

Role title [name]: Vendor risk manager [sn_vdr_risk_asmt.vendor_risk_manager]
Description: Manages vendors, vendor contacts, vendor assessment templates, questionnaire templates, documentation request templates, and scheduled assessments.
Contains roles: assessment_admin, sn_vdr_risk_asmt.vendor_assessment_reviewer, sn_vdr_risk_asmt.vendor_assessor, vendor_assessment_reviewer, sn_compliance.reader, sn_risk.reader, vendor reader, task editor

Role title [name]: Vendor assessment reviewer [sn_vdr_risk_asmt.vendor_assessment_reviewer]

Role title [name]: Vendor contact
Description: Answers questionnaires regarding risk. Primary contacts can also manage other contacts for the vendor.
Contains roles: None

Scheduled jobs installed

Clean vendor security scores: Deletes all vendor security score entries that are more than 90 days old.

Tables installed

Tier Based Assessment Submission Rules [sn_vdr_risk_asmt_vendor_assessment_rule]
Vendor Tiering Assessment to Questionnaire [sn_vdr_risk_asmt_m2m_tiering_asmt_questionnaire]
Security Score Providers [sn_vdr_risk_asmt_tpss_provider]
Repeating Assessment [sn_vdr_risk_asmt_repeating_assessment]
Questionnaire [sn_vdr_risk_asmt_m2m_asmt_questionnaire_template]
Tiering Assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
Associated Questionnaire [sn_vdr_risk_asmt_doc_assessment]
Assessment Template [sn_vdr_risk_asmt_template]
Score Based Assessment Submission Rules [sn_vdr_risk_asmt_tpss_rule]
Assessment template to Questionnaire template [sn_vdr_risk_asmt_m2m_asmt_template_questionnaire_template]
Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]
Document request [sn_vdr_risk_asmt_m2m_asmt_doc_request]
Vendor Risk Task [sn_vdr_risk_asmt_task]
Security Scores [sn_vdr_risk_asmt_security_score]
Vendor Risk Issue [sn_vdr_risk_asmt_issue]
Default Vendor Tiering Scale [sn_vdr_risk_asmt_def_tier_scale]
Default Risk Rating Scale [sn_vdr_risk_asmt_def_rating_scale]
Business Service to Vendor [sn_vdr_risk_asmt_m2m_vendor_service]
Vendor Tiering Scale [sn_vdr_risk_asmt_tiering_scale]
Business Service Rating Scale [sn_vdr_risk_asmt_bs_weight_config]
Vendor Assessment to Questionnaire [sn_vdr_risk_asmt_m2m_assessment_instance]
Risk Rating Scale [sn_vdr_risk_asmt_score_mapping]

Vendor Risk overview reports

You can view Vendor Risk reports and other visualizations on the Vendor Risk Overview.

Total Vendors: The total number of vendors.
Vendors Performing Tiering Assessment: The number of vendors with active tiering assessments open.
Vendors Performing Risk Assessment: The number of vendors with active risk assessments open.
Vendors Past Tiering Assessment: The number of vendors that have not completed the tiering assessment within the assessment timeframe.
Vendors Performing Risk Assessment Based on Tiering: The number of vendors with active tiering-based risk assessments.
Vendor Classification by Tier: A donut report showing the number of vendors assigned to each vendor tier.
Vendors Performing Risk Assessment Based on Tiering: The number of vendors with active tiering-based risk assessments, grouped by vendor risk.
Open Issues by Priority: All open vendor risk issues, grouped by priority.
Vendors by Risk Rating: The number of vendors, grouped by vendor tier.
Upcoming Vendor Risk Assessments: The number of vendor risk assessments scheduled.
Vendor-related Policy Exceptions: All policy exceptions generated from vendor risk issues.

Vendor risk ratings and scoring calculations

Within a vendor risk assessment, multiple ratings and scores are calculated.

Risk Rating Scale

Every time a questionnaire is created, a default risk rating scale is applied. The risk rating scale (categories, minimum, and maximum values) is configurable and can vary per assessment.

Note: The default scale factor of a questionnaire is


Score Calculation Mechanism

The score calculation mechanism for each vendor risk assessment uses the platform assessment score calculation engine. The calculations are performed using a series of related equations that are dynamically recalculated. Multiple user-defined parameters affect the calculated assessment rating:

- Questions (metrics)
- Metric Scale Definition
- Categories
- Weights
- Risk Rating Scale
- Business Service Rating Scale

For more information, see View a metric result.

Equation 1: questionrating

The questionrating calculation defines the relative degree of significance of the individual assessment metric, especially when compared to other metrics. This variable is one of the key variables in calculating the normalized value later in the process.

The Scale definition is stated within an individual Assessment Metric. High means that large numerical values indicate a positive result; Low means that small numerical values indicate a positive result. A different formula is used for each scale definition. The value used in the formula is taken from the vendor's response to the question. The configuration of the metric defines the correct answer (value) and the values that are associated with the other (incorrect or less desirable) answers.

Equation 2: questionpercentcontribution

The questionpercentcontribution defines the degree of significance of the assessment metric within the category where it is included. This variable is one of the key variables in calculating the normalized value later in the process.

The Category represents a theme for evaluating assessable records in a given metric type. The category is user-defined, with examples being ROI, risk, performance, security, personal data, and so on.

The Weight is a numerical value that represents the metric's importance relative to other metrics. A higher weight in proportion to the overall weight of the category has a stronger bearing on the final score.

Equation 3: questionnormalizedvalue

The questionnormalizedvalue calculates a value so that questions with different weights and ratings can be compared on the same scale. Each answer to every question (assessment metric) has a normalized value. This normalized value allows a more meaningful comparison and is later rolled up to the category and the overall assessment results.

Equation 4: categoryrating

Now that there are normalized values for each metric within the category, the categoryrating calculates a value for the entire category, which can then be normalized using Equation 5 (categorynormalizedvalue) to allow inter-category comparisons. The category rating is the sum of all normalized values for the metrics within the category. The stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Equation 5: categorynormalizedvalue

With the category ratings established, the categorynormalizedvalue formula uses this rating and the Category Weight to normalize the result across all categories. This calculated normalized value allows a more meaningful comparison and is later rolled up to the overall assessment results. A higher category weight has a stronger influence on the normalized value of the category.

Equation 6: questionnairequantitativescore

With all of the categories normalized, the overall quantitative score for the assessment is calculated. The output of the questionnairequantitativescore formula is the sum of the normalized category scores. It is presented as the Risk Score on the record for the questionnaire.

Qualitative Score for Documents

Document Requests have a risk rating that is a qualitative score. The preliminary risk rating is based on the answer to the default question "Do you have document <document name>?"

The document risk rating uses the following scale:

Response             Risk Rating
Yes                  Low
No or unanswered     High
N/A                  Moderate

Once the document is reviewed, it may be found to be deficient, so the analyst can override the default rating. The assessment retains both the current Risk Rating and the Original Risk Rating, so an override is always visible next to the value it replaced. Note that an unanswered document request defaults to High, so a vendor that simply skips its uploads rates as High risk on those items until an analyst reviews them. As always, the stated Risk Rating for each category is derived from the associated Risk Rating Scale.

Equation 7: assessmentrating

The risk rating from all questionnaires and document requests is rolled up to the parent vendor risk assessment, providing an overall assessmentrating. Finally, the assessment rating together with the risk rating scale determines the risk rating for the assessment.

getbusinessservicecriticality finds the most critical business service associated with the vendor and finds the record in the Business Service Rating Scale table that best matches that business service. The weight from that rating scale record is used.
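A runnable model of the rollup in Equations 1 through 7 and of the qualitative document rating, added here as an example; it is not the platform's assessment engine. The structure follows the text (metric weight as a share of its category, sum per category, category weight across categories, sum of categories, mapping onto a Risk Rating Scale), but the page does not show the per-question formulas, so the forms used for Equations 1, 3, 5 and 7 are assumptions and are marked as such in the code. The metrics, weights and scale bands are constructed sample data, and the rating is expressed as risk (higher Risk Score means more risk) so that the Low/Moderate/High bands read naturally.

```python
"""Added example (not the platform's assessment engine): a runnable model of the
rollup described in Equations 1-7.  Forms marked "assumed" are not on the page.
All metrics, weights and scale bands are constructed sample data."""

from dataclasses import dataclass


@dataclass
class Metric:
    question: str
    category: str
    value: float       # vendor's response, already mapped to a number
    min_value: float
    max_value: float
    scale: str         # "High": large values are good; "Low": small values are good
    weight: float


# Risk Rating Scale: (label, minimum, maximum) bands on a 0-100 Risk Score.
# Constructed; on the platform the scale is configurable per assessment.
RISK_RATING_SCALE = [("Low", 0, 40), ("Moderate", 40, 70), ("High", 70, 101)]


def question_rating(m: Metric) -> float:
    """Equation 1 (assumed form), expressed as risk: 0.0 is the most desirable
    answer and 1.0 the least.  The Scale definition decides which end is good."""
    span = m.max_value - m.min_value
    if m.scale == "High":
        return (m.max_value - m.value) / span
    if m.scale == "Low":
        return (m.value - m.min_value) / span
    raise ValueError(f"unknown scale definition {m.scale!r}")


def question_percent_contribution(m: Metric, metrics) -> float:
    """Equation 2: the metric's weight as a share of its category's total weight."""
    total = sum(x.weight for x in metrics if x.category == m.category)
    return m.weight / total


def question_normalized_value(m: Metric, metrics) -> float:
    """Equation 3 (assumed form): rating scaled by its percent contribution."""
    return question_rating(m) * question_percent_contribution(m, metrics)


def category_rating(category: str, metrics) -> float:
    """Equation 4: sum of the normalized values of the metrics in the category."""
    return sum(question_normalized_value(m, metrics)
               for m in metrics if m.category == category)


def category_normalized_value(category, metrics, category_weights) -> float:
    """Equation 5 (assumed form): category rating scaled by the category's
    share of the total category weight."""
    total = sum(category_weights.values())
    return category_rating(category, metrics) * category_weights[category] / total


def questionnaire_quantitative_score(metrics, category_weights) -> float:
    """Equation 6: sum of the normalized category values, presented as the
    Risk Score (scaled to 0-100 here)."""
    return 100 * sum(category_normalized_value(c, metrics, category_weights)
                     for c in category_weights)


def risk_rating(score: float, scale=RISK_RATING_SCALE) -> str:
    """Map a score onto the Risk Rating Scale bands."""
    for label, low, high in scale:
        if low <= score < high:
            return label
    raise ValueError(f"score {score} is outside the rating scale")


def document_rating(response, override=None) -> dict:
    """Qualitative rating from the page's table for 'Do you have document X?'.
    An analyst override replaces the rating but the original is retained."""
    table = {"Yes": "Low", "No": "High", None: "High", "N/A": "Moderate"}
    original = table[response]
    return {"risk_rating": override or original, "original_risk_rating": original}


def assessment_rating(questionnaire_scores, scale=RISK_RATING_SCALE):
    """Equation 7 (assumed form): mean of the questionnaire Risk Scores, then
    mapped onto the Risk Rating Scale for the parent assessment."""
    mean = sum(questionnaire_scores) / len(questionnaire_scores)
    return mean, risk_rating(mean, scale)


def sample_questionnaire():
    """Constructed questionnaire: two categories, three scored metrics."""
    metrics = [
        Metric("MFA enforced for administrative access", "Security", 1, 0, 1, "High", 2),
        Metric("Days to patch critical vulnerabilities", "Security", 45, 0, 90, "Low", 3),
        Metric("Customer data encrypted at rest", "Privacy", 0, 0, 1, "High", 1),
    ]
    return metrics, {"Security": 3, "Privacy": 1}


def run_example():
    metrics, weights = sample_questionnaire()
    score = questionnaire_quantitative_score(metrics, weights)
    docs = [document_rating("Yes"),                       # report supplied
            document_rating(None),                        # report never uploaded
            document_rating("Yes", override="Moderate")]  # supplied but found deficient
    return {"risk_score": score, "risk_rating": risk_rating(score),
            "documents": docs, "assessment": assessment_rating([score])}


if __name__ == "__main__":
    print(run_example())
```

With the constructed data the patching metric contributes 0.5 x 3/5 = 0.3 to the Security category and the missing encryption control contributes 1.0 to Privacy; weighting the categories 3:1 gives 0.225 + 0.25 = 0.475, a Risk Score of 47.5 that lands in the Moderate band.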

Vendor tiering scale and scoring calculations

After assessors have responded to the questionnaire, the tiering score is calculated as the average of all scores. This tiering score is measured against the vendor tiering scale and, when the assessment is closed, the resulting tier is assigned to the vendor.

Figure 6: Vendor tiering process

1. The tiering assessment initiates one assessment instance for each assigned assessor.
2. Each assessor sees only the sections assigned to them based on their role.
3. The response scores from all assessment instances are averaged to provide the tiering score. The tiering score is mapped to the vendor tiering scale, providing the vendor tier.
4. This tier is assigned to the vendor when the tiering assessment is closed.

Update vendor information

Most organizations import their vendor portfolio through an Excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information, including security scores and vendor tiering scores.

Role required: vendor risk manager

Contact your system administrator for the creation of your vendor portfolio before making any updates.

1. Navigate to Vendor Risk > All Vendors.
2. Select the vendor record.
3. Fill in the fields on the form, as appropriate.

Table 84: Vendor

Name: Vendor name.
Website: URL for the vendor.
Industry: Type of industry.
Vendor type: Type of vendor.
Security Score: The third-party provided security score.
Score provider: The company providing the normalized security score.
Status: Status of the vendor.
Risk rating: Risk rating calculated from the vendor risk assessment responses.
Rank tier: Type of supplier.
Vendor tier: Vendor tier calculated by mapping the tiering score against the vendor tiering scale. Note: Assigned when the tiering assessment is closed.
Vendor manager: The employee assigned as the manager of this vendor.
Business owner: The employees using this vendor in the course of daily business.
Notes: Additional information.

Contact
Street: Street address of the vendor.
City: City of the vendor.
State / Province: State or province of the vendor.
Zip / Postal code: Zip code or postal code of the vendor.
Country: Country of the vendor.
Phone: Phone number for the vendor.
Fax phone: Fax number for the vendor.

Profile
Publicly traded: Whether the vendor is publicly traded.
Stock symbol: Stock symbol of the vendor.
Revenue per year: Revenue per year of the vendor.
Number of employees: Number of employees employed by the vendor.
Banner image: Banner image for the vendor.
Banner text: Banner text for the vendor.

If Vendor Risk Management is integrated with other GRC applications, the related lists on the Vendor form can include: Vendor Contacts, Business Services, Tiering Assessments, Repeating Assessments, Assessments, Issues, Tasks, Profile Types, Risks, Controls, and Security Scores.

Manage vendor tiering assessments

Organizations use vendor tiering to classify their vendors into categories of potential risk posed at the time of onboarding. The vendor tier is based on a predefined scale applied to the tiering assessment score. The standard tiers are None, Critical, High, Moderate, Low, and Minor. Each tier has different assessment questions and document requests associated with it.

Vendor Tiering Assessment workflow

1. Most organizations import their vendor portfolio through an Excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information, including security scores and vendor tiering scores.
2. The vendor risk manager or vendor risk assessor determines the risk tier, or category of risk exposure, for the vendor.
3. The vendor risk manager selects the vendor, assigns the tiering questionnaire template, and assigns the internal assessors required to complete the assessment.

Figure 7: Vendor tiering assessment table relationship

Note: Different assessors can be assigned specific sections of the questionnaire.

Figure 8: Vendor tiering questionnaire template table relationships for designated assessors

4. Internal stakeholders navigate to Self-service > My Assessments and Surveys to complete and submit the assessment.
5. The responses to these tiering assessments are calculated and the risk tier is assigned. The vendor risk manager can initiate the risk assessment, or one can be sent automatically using a configured business rule.

Figure 9: Vendor tier calculation based on the responses

Create tiering questionnaire template

A questionnaire template must have at least one category, and that category must contain at least one question. Vendor risk managers can copy an existing tiering questionnaire template to use as a basis for other templates.

Role required: vendor risk manager

1. Navigate to Vendor Risk > Tiering Setup > Tiering Questionnaire Templates.
2. Click New or New (Designer). The designer contains the following elements:

   Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.
   Header bar: The header bar contains a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
   Design canvas: A new assessment opens in the Design view. The questionnaire Name field appears above the first category in the canvas. A blank question field appears in the category container.

3. Enter a name in the Name field.
4. Drag a control onto the designer canvas to create a question of that type.

Table 85: Question controls

Data type: Description (Scored)

Attachment: Question with a Manage Attachments icon for users to attach one or more files. (Scored: N)
Boolean: Question with a check box or a Yes/No list for user responses. (Scored: Y)
Choice: List of predefined options. For more information, see the definition for Choices. (Scored: Y)
Date: Date field. (Scored: N)
Date/Time: Date and time field. (Scored: N)
Number: Number field with predefined minimum and maximum values. The default is (Scored: N)
Percentage: Percentage field with a prescribed range. (Scored: N)
Scale: Predefined Likert scale. Answer options appear as radio buttons. (Scored: Y)
Numeric Scale: Selectable number scale. The default is 1 to 5. Answer options appear as radio buttons. (Scored: Y)
String: Single or multi-line text field. (Scored: N)
Template: Choice list of templates that provide a predefined scale of options. (Scored: Y)
Reference: Choice list of fields from a specified reference table. This data type does not support reference qualifiers.
Image Scale
Multiple Selection
Ranking

Note: Set the correct answer for each metric that you want to be scored. Scored metrics determine the compliance status of the risk.

5. Point to the menu icon in the upper right of the designer to select one of the following options. Note: The availability of each option depends on the status of the questionnaire that is opened in the designer.

   Save: Save the current questionnaire.
   Preview: Display a preview of the questionnaire.
   New Questionnaire: Open a fresh canvas for a new questionnaire.
   Open Questionnaire: Open a list of existing questionnaires that you can select and edit.
   Copy Questionnaire: Create a new questionnaire based on the existing questionnaire.

Configure risk tiering notifications

Email notifications communicate the status of items within the vendor risk tiering assessment cycle. Email notifications are useful when tiering assessment records are created or updated, so that analysts and assessors are informed throughout the tiering assessment process. Creating an email notification involves specifying when to send it, who receives it, and what it contains.

Role required: vendor risk manager

1. Navigate to System Notifications > Email > Notifications.
2. Filter the list by Category: Vendor Risk Assessment.
3. Select the notification record to open the details associated with that notification, or click New to create a new notification.

Note: Click Preview Notification to preview the notification while configuring the details.

For detailed instructions, see Create an email notification.

Create a vendor risk tiering assessment and initiate the life cycle

The vendor risk assessor creates a tiering assessment from the vendor record, initiating the vendor tiering assessment life cycle. Additionally, vendor risk managers can select multiple vendors at a time and trigger multiple vendor tiering assessments.

Role required: vendor risk assessor

1. Navigate to Vendor Risk > All Vendors.
2. Select the vendor record to which you want to add the tiering assessment.
3. Select the Tiering Assessment related list, and click New.
4. Fill in the fields on the form, as appropriate.

Table 86: Vendor Tiering Assessment

Number: Read-only field that is automatically populated with a unique identification number.
State: Draft, Awaiting Response, Tiering Assignment, or Closed.
Assigned to: The vendor risk manager assigned to this tiering assessment.
Vendor Tier: The vendor risk tier for this vendor: Critical, High, Moderate, Low, or Minor. The results of the vendor tiering assessment and the vendor risk assessment help to determine this value. The vendor risk manager can override this value.
Vendor: The vendor being assessed.
Tiering Assessors: The internal assessors responsible for completing the vendor tier assessment.
Name: The name of the tiering assessment.
Short description: A more detailed description of the tiering assessment.

Tiering Assessment Schedule
Duration: Estimated duration of the assessment.
Actual duration: The amount of time it took to complete the vendor tiering assessment. This field is calculated from the Actual start date and Actual end date.
Planned start date: Date and time that work on the vendor tiering assessment is expected to begin.
Actual start date: Date and time that work on the vendor tiering assessment began.
Planned end date: Date and time that work on the vendor tiering assessment is expected to end.
Actual end date: Date and time that work on the vendor tiering assessment was completed.

Notes and Comments
Work notes: Information about the vendor tiering assessment. Work notes are visible to the users who are assigned to the assessment.
Additional comments (Customer visible): Public information about the vendor tiering assessment.

5. Click Submit.
6. Select the Tiering Questionnaires related list, and click Edit.

Note: A basic Preliminary Vendor Tiering Questionnaire is provided in the default system. See Create tiering questionnaire template.


Create an automated risk assessment based on the assigned vendor tier

Use a tier-based assessment submission rule to trigger a risk assessment from any change to the vendor tier.

Role required: vendor risk manager

1. Navigate to Assessment Submission Rules > Tier Based Submission.
2. Select a rule record or click New.
3. Fill in the fields on the form, as appropriate.

Table 87: Tier Based Assessment Submission Rule

Vendor: Name of the vendor to which the rule applies. Note: Leave this field empty to apply the rule to all vendors.
Tier: The tier that automatically generates the risk assessment. Choices are None, Critical, High, Moderate, Low, and Minor.
Assessment Template: The template that is sent when the vendor tier changes to the tier specified in the rule.
Auto submit to vendor: Automatically submit the risk assessment to the vendor after it has been generated. If this is not selected, the assessment stays in Draft after being created.

4. Click Update.

Any change to the vendor tier that matches the rule automatically creates the associated risk assessment. With Vendor left empty and Auto submit to vendor selected, every matching tier change sends a questionnaire to that vendor's external contacts without an internal review step, so leave Auto submit unselected where a draft should be checked first.

Review the stakeholders' vendor tiering assessment responses

The vendor risk assessor can view vendor tiering assessment responses after the internal stakeholders have submitted their assessments.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Vendor Risk > Tiering Assessments > My Open Assessments.
2. Review, add comments, or change responses, as necessary.

Manage third-party security scores

Third-party security scores help you normalize the security risk posed by doing business with particular vendors. The companies that provide the vendor metrics are referred to as providers. Each provider can have its own score range and its own weight in the calculation. You can also use your company's own internally generated security metrics.

Vendor Third-Party Security Score workflow

Security scores reflect a company's security posture. Third-party security score providers use different scales, with a higher score indicating better cybersecurity performance; a lower score correlates with a higher risk of a data breach. The score is calculated from various factors, such as application security, network security, patching cadence, vulnerabilities, hacker chatter, and exposed passwords.

1. Most organizations import their vendor portfolio through an Excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information, including security scores and vendor tiering scores.
2. The security score provider table contains the provider's information.
3. The vendor risk manager monitors the scores generated by the provider for the vendors of interest.
4. The vendor risk manager uses these scores when determining a vendor's tier.
5. The vendor risk manager can initiate the vendor risk assessment, or it is sent automatically using a configured business rule.

Consider the following example. Workfast's vendor tier is High. The third-party security score is 800, which indicates that Workfast's risk preparedness is fairly high. Based on an analysis of the vendor tier and the security score, the vendor risk manager changes the tier to Moderate. The risk assessment can then be sent to the vendor manually, or it can be sent automatically.

Note: In this example, a later change in the score reflects a 20% drop. The score-based business rule is triggered and the risk assessment is sent to Workfast.

Set up third-party vendor security scores

You can add multiple providers and change the scoring scales for those providers. When changes are made to a provider score, those changes are also calculated into the security score.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Security Score Setup > Providers.
2. Select a provider record or click New.
3. Fill in the fields on the form, as appropriate.

Table 88: Security Score Providers

Provider: Name of the third-party score provider.
Order: The weighting assigned to this provider when calculating the security score. The lower the number, the higher the weighting applied. Note: When there are multiple providers' scores, the order is applied accordingly.
Range from: The lowest end of the provider's scoring range.
Range to: The highest end of the provider's scoring range.

4. Click Submit.

Figure 10: Security Score Providers

5. Navigate to Security Score Setup > Scores.
6. Select a security score record or click New.
7. Fill in the fields on the form, as appropriate.

Table 89: Security Scores

Provider: Name of the third-party score provider.
Vendor: The vendor being scored.
Provider score: The score provided by the third-party provider.
Security score: The normalized security score for this vendor, based on the order and weightings of the third-party providers.
URL: Link to additional information about the origin of this score, from the security score provider.
Score generated on: The date and time that the score was updated.

8. Click Submit.

Figure 11: Security Scores

Update a vendor's security score

When changes are made to a vendor's security score (from an update by an established third-party provider or the inclusion of another third-party provider's score in the calculation), notifications are sent to interested stakeholders.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Security Score Setup > Providers.
2. Select a provider record or click New.
3. Fill in the fields on the form, as appropriate.

Table 90: Security Score Providers

Provider: Name of the third-party score provider.
Order: The weighting assigned to this provider when calculating the security score. The lower the number, the higher the weighting applied. Note: When multiple providers' scores are being applied, the order is applied accordingly.
Range from: The lowest end of the provider's scoring range.
Range to: The highest end of the provider's scoring range.

Create an automatic score-based risk assessment

You can create rules to automate the vendor risk assessment based on a change to the vendor's security score.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Assessment Submission Rules > Score Based Submission.
2. Select a rule record or click New.
3. Fill in the fields on the form, as appropriate.

Table 91: Score Based Assessment Submission Rules

Name: Name of the score-based assessment submission rule.
Basis: The basis for the change. Choices are Security score and Percentage.
Extent of change: The extent of the change. Choices are Increases by and Decreases by.

Score provider and vendor settings
Score Provider: The score provider for this rule.
Apply to vendor: The vendor to which the rule applies.
Apply to vendor tier: The tier for which the rule automatically generates the risk assessment. Choices are None, Critical, High, Moderate, Low, and Minor.

Assessment template and auto submit
Assessment template: The template that is sent when the security score changes as specified in the rule.
Auto submit to vendor: Automatically submit the risk assessment to the vendor after it has been generated.

Manage vendor risk assessments

The vendor's primary contact uses the Vendor Portal to view all assessments. Before the vendor risk manager closes the assessment, issues and tasks are created on demand, usually during the Generating Observations state. The vendor risk analyst assigns them to vendors as needed and communicates through the comment streams to achieve closure on non-compliance.

Vendor Risk Assessment workflow

1. Most organizations import their vendor portfolio through an Excel spreadsheet or an integration with another onboarding solution. Vendor risk managers make ongoing updates to the vendor information, including security scores and vendor tiering scores.
2. If Vendor Risk Management is integrated with other GRC applications, the vendor risk manager maps controls to the assessment questions.
3. The vendor risk manager creates internal and external assessment templates, questionnaire templates, and document request templates, and creates the notifications associated with the workflow.
4. The vendor risk manager prepares and sends the vendor risk tiering assessment to internal stakeholders.
5. Internal stakeholders navigate to Self-service > My Assessments and Surveys to complete and submit the assessment.
6. After receiving the completed vendor tiering assessments, the vendor risk assessor updates and closes the tiering assessment.
7. Next, the vendor risk manager sends out vendor risk assessments to the primary contact assigned to that vendor. Vendor risk assessments can also be sent automatically based on changes to a security score or vendor tier.
8. The vendor signs in to the Vendor Portal to complete the risk assessment.
9. The Vendor Portal provides a list of assessments and the status of each. From the Vendor Portal, the primary contact can invite other collaborators to complete portions of the assessments. Once complete, the primary contact submits the assessment.
10. The vendor risk analyst reviews the results of the vendor risk assessments and closes each vendor assessment, creating issues for remediation as necessary. Remediating an issue means that the underlying problem causing the control failure or risk exposure will be fixed. Accepting an issue means that you create an exception for a known control failure or risk. Controls that are Accepted remain in a non-compliant state until the control is reassessed. In this way, the issue can be used to document observations during audits.

Vendor Assessment Portal

The vendor assessment portal is a web interface that provides the primary point of interaction for vendors and risk assessors, with a centralized workflow for those involved in the assessment. All remediations that result from those assessments are also coordinated through the Vendor Portal. To customize this portal, navigate to Service Portal > Portals and click Vendor Portal. See Service Portal for more information. Change the sn_vdr_risk_asmt.company.name property to display your company name in the portal.
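The three calculations described in the tiering and security-score sections above (the tiering score as the average of the assessor instances mapped onto the vendor tiering scale, the normalized security score combined across providers with different ranges, and the score-based submission rule), as an added runnable example that is not ServiceNow code. The page says only that providers are combined by "order and weightings", so the 1/Order weighting below is an assumption; the providers, scale bands, instance scores and the numeric threshold field on the rule are constructed, and the example goes beyond the single Workfast case by showing a rule that does not fire because of its tier filter.

```python
"""Added example (not ServiceNow code): a runnable model of the vendor tiering
score, the cross-provider security score and a score-based submission rule.
The 1/Order weighting is an assumption; providers, scales and scores are
constructed sample data."""

from dataclasses import dataclass

# Vendor tiering scale on a 0-100 tiering score: (tier, minimum, maximum).  Constructed.
VENDOR_TIERING_SCALE = [("Minor", 0, 20), ("Low", 20, 40), ("Moderate", 40, 60),
                        ("High", 60, 80), ("Critical", 80, 101)]


def tiering_score(instance_scores) -> float:
    """Average of the response scores from all assessment instances."""
    return sum(instance_scores) / len(instance_scores)


def vendor_tier(score: float, scale=VENDOR_TIERING_SCALE) -> str:
    """Map the tiering score onto the vendor tiering scale."""
    for tier, low, high in scale:
        if low <= score < high:
            return tier
    raise ValueError(f"tiering score {score} is outside the scale")


@dataclass
class Provider:
    name: str
    order: int          # lower number == higher weighting (Table 88)
    range_from: float
    range_to: float


def normalize_provider_score(p: Provider, raw: float) -> float:
    """Rescale a provider's raw score onto 0-100 using its configured range,
    rejecting values outside the range instead of silently clamping them."""
    if not p.range_from <= raw <= p.range_to:
        raise ValueError(f"{p.name}: score {raw} outside {p.range_from}-{p.range_to}")
    return 100 * (raw - p.range_from) / (p.range_to - p.range_from)


def security_score(providers, raw_scores) -> float:
    """Normalized security score across providers.  Assumed weighting: 1/Order,
    so Order 1 counts twice as much as Order 2.  Only providers that have
    reported a score for the vendor take part."""
    weighted = 0.0
    total_weight = 0.0
    for p in providers:
        if p.name not in raw_scores:
            continue
        w = 1.0 / p.order
        weighted += w * normalize_provider_score(p, raw_scores[p.name])
        total_weight += w
    if total_weight == 0:
        raise ValueError("no provider score available for this vendor")
    return weighted / total_weight


@dataclass
class ScoreRule:
    """Score Based Assessment Submission Rule (Table 91), minus template fields."""
    basis: str                  # "Security score" or "Percentage"
    extent: str                 # "Increases by" or "Decreases by"
    amount: float               # threshold for the change (assumed numeric field)
    apply_to_tier: str = None   # None == any tier
    auto_submit: bool = False


def rule_triggers(rule: ScoreRule, previous: float, current: float, tier: str) -> bool:
    """Does the change from previous to current, for a vendor in this tier, match the rule?"""
    if rule.apply_to_tier is not None and rule.apply_to_tier != tier:
        return False
    delta = current - previous
    if rule.basis == "Percentage":
        delta = 100 * delta / previous
    if rule.extent == "Decreases by":
        return -delta >= rule.amount
    if rule.extent == "Increases by":
        return delta >= rule.amount
    raise ValueError(f"unknown extent {rule.extent!r}")


def run_example():
    providers = [Provider("ProviderA", order=1, range_from=250, range_to=900),
                 Provider("ProviderB", order=2, range_from=0, range_to=100)]
    # Constructed: three tiering assessors returned 70, 75 and 80, and the
    # provider scores moved from 900/100 to 770/80 between two collection runs.
    tier = vendor_tier(tiering_score([70, 75, 80]))
    before = security_score(providers, {"ProviderA": 900, "ProviderB": 100})
    after = security_score(providers, {"ProviderA": 770, "ProviderB": 80})
    drop_rule = ScoreRule("Percentage", "Decreases by", 20, apply_to_tier="High", auto_submit=True)
    critical_only = ScoreRule("Percentage", "Decreases by", 20, apply_to_tier="Critical")
    return {"tier": tier, "before": before, "after": after,
            "drop_rule_fires": rule_triggers(drop_rule, before, after, tier),
            "critical_rule_fires": rule_triggers(critical_only, before, after, tier)}


if __name__ == "__main__":
    print(run_example())
```

Both providers fall from the top of their ranges to 80 on the common 0-100 scale, so the combined score drops from 100 to 80, a 20% decrease; the rule scoped to the High tier fires for a vendor whose assessors averaged 75, while the otherwise identical rule scoped to Critical does not. Rejecting out-of-range provider values rather than clamping them is deliberate: a provider range changed after scores were collected would otherwise silently distort the normalized score that the rule compares.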


Role: Purpose
  Vendors: Uses the Vendor Assessment Portal to:
    View and respond to current assessments.
    Delegate responses to other contacts.
    View or update contact information.
    Update notification preferences.
    Change a password or request a new password.
  Vendor risk assessor: Uses the Vendor Risk Management instance to:
    Create a login for a new contact.
    Enable or disable a contact login.
    Reset a password for a contact.
    Assign a user role to a contact.
    Assign a contact to an assessment.
    View and update customer contact information.
    Access completed assessments.

Configure vendor risk assessment notifications

Email notifications communicate the status of items within the vendor risk management product. Email notifications are useful when assessment records are created or updated, so analysts and assessors are informed throughout the assessment process. Creating an email notification involves specifying when to send it, who receives it, and what it contains.

Role required: vendor risk manager

1. Navigate to System Notifications > Email > Notifications.
2. Go to Category, Vendor Risk Assessment.
3. Select the notification record to open the details associated with that notification, or click New to create a new notification.

Note: Click Preview Notification to preview the notification while configuring the details.

Notification: Applied to
  Vendor Risk Issue Assigned (External): Table: defaults to Vendor Risk Issue [sn_vdr_risk_asmt_issue]. Category: Vendor Risk Assessment.
  Vendor Tiering Assessment to Assessor: Table: defaults to Tiering Assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]. Category: Vendor Risk Assessment.
  Vendor Risk Task Assigned (Internal): Table: defaults to Vendor Risk Task [sn_vdr_risk_asmt_task]. Category: Vendor Risk Assessment.

Notification: Applied to (continued)
  Vendor Risk Assessment Assigned: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: Vendor Risk Assessment.
  Vendor Risk Request Assigned: Table: defaults to Assessment Instance [asmt_assessment_instance]. Category: Vendor Risk Assessment.
  Vendor Risk Issue Assigned (Internal): Table: defaults to Vendor Risk Issue [sn_vdr_risk_asmt_issue]. Category: Vendor Risk Assessment.
  Vendor Assessment Submitted to Vendor: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: Vendor Risk Assessment.
  Vendor Assessment Responses Overdue: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: Vendor Risk Assessment.
  Vendor Risk Task Assigned (External): Table: defaults to Vendor Risk Task [sn_vdr_risk_asmt_task]. Category: Vendor Risk Assessment.
  Vendor Assessment Responses Received: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: Vendor Risk Assessment.
  Vendor Assessment Responses Due 1 Week: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: Vendor Risk Assessment.
  Vendor Assessment New Request to Vendor: Table: defaults to Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: not listed.
  Vendor Contact Invited: Table: defaults to Vendor Contact [vm_vdr_contact]. Category: not listed.

Notification: Applied to (continued)
  Vendor Manager (based on risk tier rule): Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: not listed.
  Vendor Assessment Responses Due 3 Days: Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: not listed.
  Vendor Manager (based on change in third-party score): Table: Vendor Risk Assessment [sn_vdr_risk_asmt_assessment]. Category: not listed.

For detailed instructions, see Create an email notification.

Create a vendor risk assessment and initiate the lifecycle

The vendor risk assessor creates an assessment, initiating the vendor risk assessment life cycle. Vendor risk assessments can be created on demand or from a repeating assessment. When creating an on-demand vendor risk assessment, select the vendor, questionnaire template, and document request template. Additionally, vendor risk managers can select multiple vendors at a time and trigger vendor risk assessments.

Role required: vendor risk assessor

1. Navigate to Vendor Risk > Assessments > All Assessments.
2. Do any of the following actions:
   Option: Action
     To associate any existing document requests or questionnaires: Click Edit.
     To create on-demand document requests or questionnaires for the assessments: Click New.
     To associate any existing document requests or questionnaires from the assessment template: Click New. In the Assessment template field, select the document requests or questionnaires.
3. Fill in the fields on the form, as appropriate.

Table 92: Vendor Risk Assessment
  Number: Read-only field that is automatically populated with a unique identification number.

Table 92: Vendor Risk Assessment (continued)
  State: Draft, Submitted to vendor, Closed, Cancelled.
  Vendor: The vendor that is being assessed.
  Risk rating: The overall risk rating for this vendor. Choices are: Critical, High, Moderate, Low, Minor.
    Note: The Risk rating is determined by finding the risk rating scale range in which the risk score falls. The scale defines how a minimum and maximum range of assessment scores maps to a qualitative risk score.
  Repeating assessment: The repeating assessment that is used to create the current assessment.
  Created by: The person who created this assessment.
  Assessment template: The template used to create the current assessment.
  Assigned to: The vendor contact assigned to this vendor risk assessment.
    Note: Primary contacts can reassign requests, issues, and tasks to other vendor contacts.
  Updated
  Watch list
  Name: The name of the vendor risk assessment.
  Description: A more detailed explanation of the issue.
  Notes and Comments
  Work notes: Information about the vendor risk assessment. Work notes are visible to users who are assigned to the issue.
  Additional comments (Customer visible): Public information about the vendor risk assessment.
  Assessment Schedule

Table 92: Vendor Risk Assessment (continued)
  Assessment Schedule
  Planned duration (days): Estimated duration period of the assessment.
  Actual duration: The amount of time it took to complete the vendor risk assessment. This field is calculated using the Actual start date and Actual end date.
  Planned start date: Date and time that work on the vendor risk assessment is expected to begin.
  Actual start date: Date and time that work on the vendor risk assessment began.
  Planned end date: Date and time that work on the vendor risk assessment is expected to end.
  Actual end date: Date and time that work on the vendor risk assessment was completed.
  Questionnaire Schedule
  Planned duration (days): The amount of time given to the vendor for completing the vendor risk assessment. This field is calculated using the Planned start date and Planned end date.
  Submitted to vendor: The date that the questionnaires are sent to the vendor.
  Due date: Deadline for the vendor to answer all the questionnaires.
  Review duration (days): The review duration given to the customer to review all the questionnaires.
  Completion date: The actual date when the vendor completed all the questionnaires.
  Responses expected by: The date the vendor is expecting the responses.

4. Click Submit to vendor. The primary vendor contact is notified, and the state of the assessment changes to Submitted to vendor.
5. The vendor responds to the notification through the Vendor Risk Portal, changing the state of the assessment to Response received. All the risk scores are calculated automatically.
6. The vendor assessor moves the state of the assessment to Generating Observations. During this time, the vendor assessor can click the View Response link in the document requests/questionnaires related list to view the response and provide comments or change responses, as necessary. For any problems that arise, the vendor assessor creates an issue to track the remediation process (Finalizing with vendor).
7. The vendor assessor moves the assessment to the Closed state.

The vendor risk assessor works with the vendor through the vendor portal to close the assessment.
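The Risk rating note in Table 92 describes a scale lookup: the assessment score falls into exactly one minimum/maximum range, and that range names the qualitative rating. The JavaScript below is an added example written for this page, not ServiceNow code: the scale values are constructed sample data, and the gap check assumes integer score boundaries. Its point is the validation step, because a scale with a gap or an overlap lets some scores map to no rating or to two, and an unrated vendor should never be read as a low-risk one.

```javascript
// Added example (not ServiceNow code): map a numeric risk score to a qualitative
// risk rating by locating the scale range the score falls in, and validate the
// scale itself so a misconfigured scale is caught before assessments depend on it.

// Constructed sample scale; each range covers [min, max] inclusive (assumption:
// integer scores, so adjacent ranges meet when r.min === prev.max + 1).
const SAMPLE_RISK_RATING_SCALE = [
  { rating: 'Minor',    min: 0,  max: 20 },
  { rating: 'Low',      min: 21, max: 40 },
  { rating: 'Moderate', min: 41, max: 60 },
  { rating: 'High',     min: 61, max: 80 },
  { rating: 'Critical', min: 81, max: 100 },
];

// Returns a list of problems with the scale: inverted ranges, overlaps and gaps.
// An empty list means every integer score between the lowest min and the
// highest max maps to exactly one rating.
function validateScale(scale) {
  const problems = [];
  const sorted = [...scale].sort((a, b) => a.min - b.min);
  for (let i = 0; i < sorted.length; i++) {
    const r = sorted[i];
    if (r.min > r.max) {
      problems.push(`${r.rating}: min ${r.min} exceeds max ${r.max}`);
    }
    if (i > 0) {
      const prev = sorted[i - 1];
      if (r.min <= prev.max) {
        problems.push(`${prev.rating}/${r.rating}: ranges overlap`);
      } else if (r.min > prev.max + 1) {
        problems.push(`${prev.rating}/${r.rating}: gap between ${prev.max} and ${r.min}`);
      }
    }
  }
  return problems;
}

// Maps a score to the rating whose range contains it. Returns null when the
// score is not a number or falls outside every range, so callers must handle
// "unrated" explicitly instead of receiving a default rating.
function rateRisk(score, scale) {
  if (typeof score !== 'number' || Number.isNaN(score)) return null;
  const match = scale.find(r => score >= r.min && score <= r.max);
  return match ? match.rating : null;
}

// Constructed scores for a stand-alone run.
const SAMPLE_SCORES = [0, 20, 21, 65, 81, 100, 101];
console.log('scale problems:', validateScale(SAMPLE_RISK_RATING_SCALE));
for (const s of SAMPLE_SCORES) {
  console.log(`score ${s} -> ${rateRisk(s, SAMPLE_RISK_RATING_SCALE)}`);
}
```

Run validateScale against the configured scale whenever it is edited; a non-empty result is a configuration defect to fix before any assessment score is rated.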

Review the vendor's assessment responses

The vendor assessor can view assessment responses after the vendor has submitted an assessment. The status of all controls is updated when the vendor completes the assessment.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Vendor Risk > Assessments > My Open Assessments.
2. Click the assessment in the Response received state.
3. In the Questionnaires/Document Requests related list, click View Response.

4. Add comments or change responses, as necessary.

Note: Changing a response may affect the risk rating of the vendor.


Use the SIG questionnaire for risk assessment

The Santa Fe Group's Standardized Information Gathering Questionnaire (SIG) is used to obtain required assessment documentation from a vendor. The vendor contact can upload the pre-filled SIG spreadsheet or take a form-based questionnaire that gets imported to the instance. Activate the GRC: SIG Questionnaire Integration (com.sn_sig_asmt) plugin to use this feature.

Role required: vendor contact

SIG version 2017 or later is considered to be the latest version. If a vendor uploads a version prior to the 2017 SIG, all responses for matching questions are imported, and any unmatched questions are imported with blank responses for the vendor to answer later.

Note: Only 2014 and later versions of the SIG are supported.

1. Log into the vendor assessment portal through

2. Click Import.


Create a vendor risk issue

Issues are created to document audit observations and remediations, or to accept any problems. Issues and tasks can be assigned directly to vendor contacts without the need for a vendor risk assessment.

Role required: vendor risk assessor

1. Navigate to Vendor Risk > Issues > Create New.
2. Fill in the fields on the form, as appropriate.

Table 93: Vendor Risk Issue
  Number: Read-only field that is automatically populated with a unique identification number.
  State: New, Analyze, Respond, Review, Closed.
  Vendor: The vendor with the issue.
  Priority: Priority for this issue: 1 - Critical, 2 - High, 3 - Moderate, 4 - Low, 5 - Planning.
  Assessment
  Assessment group: A group assigned to the issue.
  Visible in portal: Indicates if the issue is visible to the vendor in the Vendor Portal.
  Assigned to: The user assigned to the issue.
  Vendor Contact: The vendor contact associated with this issue.
  Created by
  Created
  Updated
  Watch list
  Short description: Brief description of the issue.
  Notes and Comments

Table 93: Vendor Risk Issue (continued)
  Work notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
  Additional comments (Customer visible): Public information about the issue.
  Recommendations
  Recommendation: The recommended action to resolve this issue.
  Explanation: An explanation of the recommended action.
  Issue Schedule
  Duration: Estimated amount of work time. Calculated using the Planned start date and Planned end date.
  Actual duration: Estimated amount of work time. Calculated using the Actual start date and Actual end date.
  Planned start date: Date and time that work on the issue is expected to begin.
  Actual start date: Time when work began on this issue.
  Planned end date: Date and time that work on the issue is expected to end.
  Actual end date: Time when work ended on this issue.

3. Click Submit.

Open assessment in the Vendor Portal

The vendor primary contact logs into the Vendor Portal to view all assessments.

Role required: vendor contact

1. Log into the vendor assessment portal through
2. Click through each questionnaire and provide a response to each question.

Review assessment responses on the Vendor Portal

After submitting an assessment, the vendor contact can view all responses in read-only mode on the Vendor Portal.

Role required: vendor contact

1. Log into the vendor assessment portal through
2. Click through each questionnaire and view the responses.

Note: All responses are read-only since the assessment has already been sent back to the customer.

Create an automatic score-based risk assessment

You can create rules to automate the vendor risk assessment functionality based on a change to the vendor's security score.

Role required: sn_vdr_risk_asmt.vendor_assessor

1. Navigate to Assessment Submission Rules > Score Based Submission.
2. Select a rule record or click New.
3. Fill in the fields on the form, as appropriate.

Table 94: Score Based Assessment Submission Rules
  Name: Name of the score-based assessment submission rule.
  Basis: The basis for the change. Choices are: Security score, Percentage.
  Extent of change: The extent of the change. Choices are: Increases by, Decreases by.
  Score
  Score provider and vendor settings
  Score Provider: The score provider for this rule.
  Apply to vendor: The vendor to apply the rule to.
  Apply to vendor tier: Select the tier scale which will automatically generate the risk assessment. Choices are: None, Critical, High, Moderate, Low, Minor.
  Assessment template and auto submit
  Assessment template: The template that will be sent when the security score changes as specified in the rule.

Table 94: Score Based Assessment Submission Rules (continued)
  Auto submit to vendor: Automatically submit the risk assessment to the vendor after it has been generated.

Set up different types of vendor assessments

Internal stakeholders complete the tiering assessment to determine the vendor tier. External vendor contacts complete the risk assessment to determine the risk rating. Both types of assessments, risk assessments and risk tiering assessments, are created from templates which define the regular questionnaire, document request questionnaire, and tiering assessment questionnaire.

Define vendor assessment templates

When defining an assessment template, the vendor risk manager provides scheduling information for the vendor risk assessment.

Role required: [sn_vdr_risk_admin]

1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 95: Vendor Assessment Template
  Name: The name of the assessment template.
  Assessment duration (days): The time provided for the entire vendor risk assessment to be completed.
  Questionnaire duration (days): The time allocated for the assessor to complete the questionnaire portion of the assessment.
  Questionnaire review duration (days): The time allocated for the vendor risk admin to review the responses provided to the questionnaire.
  Created by: Read-only. User who created the template.
  Created: Read-only. Time when the template was created.
  Updated: Read-only. Time when the template was last updated.
  Description: A more detailed description of the assessment.

4. Click Submit.
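Returning to the Score Based Assessment Submission Rules of Table 94: the fields combine a provider filter, vendor and tier filters, a basis (absolute security score or percentage), a direction (increases by or decreases by), a threshold, a template, and an auto-submit flag. The JavaScript below is an added example written for this page, not ServiceNow's implementation. The rules and the score-change event are constructed sample data, and reading Basis, Extent of change and Score together as "the change, measured as an absolute or percentage delta, moves in the given direction by at least the given amount" is an assumption of this example. It shows why the filters and the basis matter together: the same 15-point drop triggers a Critical-tier rule but not a 25 percent rule, and a percentage rule cannot be evaluated at all when the previous score was zero.

```javascript
// Added example (not ServiceNow code): evaluate score-based assessment submission
// rules against a score-change event and report the assessments that would be
// generated, in the state the Auto submit to vendor flag implies.
// Field names follow Table 94; rule values, provider name and event shape are constructed.

const SAMPLE_RULES = [
  { name: 'Critical vendors: 10-point drop',
    basis: 'Security score', extentOfChange: 'Decreases by', score: 10,
    scoreProvider: 'ExampleScoreProvider', applyToVendor: null,
    applyToVendorTier: 'Critical', assessmentTemplate: 'Full Risk Assessment',
    autoSubmitToVendor: true },
  { name: 'Any vendor: 25 percent drop',
    basis: 'Percentage', extentOfChange: 'Decreases by', score: 25,
    scoreProvider: 'ExampleScoreProvider', applyToVendor: null,
    applyToVendorTier: 'None', assessmentTemplate: 'Full Risk Assessment',
    autoSubmitToVendor: false },
];

// Size of the change measured according to the rule's Basis. Returns null when
// a percentage is undefined (previous score of zero) so the rule cannot fire
// on an arithmetic accident.
function measuredChange(rule, previousScore, currentScore) {
  const delta = currentScore - previousScore;
  if (rule.basis === 'Percentage') {
    if (previousScore === 0) return null;
    return (delta / previousScore) * 100;
  }
  return delta;
}

// True when the rule's Score Provider, Apply to vendor and Apply to vendor tier
// filters all match the event. A tier of 'None' means no tier restriction.
function ruleApplies(rule, event) {
  if (rule.scoreProvider && rule.scoreProvider !== event.scoreProvider) return false;
  if (rule.applyToVendor && rule.applyToVendor !== event.vendor) return false;
  if (rule.applyToVendorTier && rule.applyToVendorTier !== 'None' &&
      rule.applyToVendorTier !== event.vendorTier) return false;
  return true;
}

// True when the change is in the rule's direction and at least as large as its Score.
function thresholdMet(rule, change) {
  if (change === null) return false;
  if (rule.extentOfChange === 'Increases by') return change >= rule.score;
  if (rule.extentOfChange === 'Decreases by') return -change >= rule.score;
  return false;
}

// Returns one generated assessment per matching rule. Auto submit puts the
// assessment straight into 'Submitted to vendor'; otherwise it stays in 'Draft'
// for the assessor to review (states from Table 92).
function evaluateScoreChange(rules, event) {
  const generated = [];
  for (const rule of rules) {
    if (!ruleApplies(rule, event)) continue;
    const change = measuredChange(rule, event.previousScore, event.currentScore);
    if (!thresholdMet(rule, change)) continue;
    generated.push({
      vendor: event.vendor,
      assessmentTemplate: rule.assessmentTemplate,
      triggeredBy: rule.name,
      state: rule.autoSubmitToVendor ? 'Submitted to vendor' : 'Draft',
    });
  }
  return generated;
}

// Constructed event for a stand-alone run: a Critical-tier vendor drops from 80 to 65.
const SAMPLE_EVENT = {
  vendor: 'Acme Hosting (constructed)', vendorTier: 'Critical',
  scoreProvider: 'ExampleScoreProvider', previousScore: 80, currentScore: 65,
};
console.log(JSON.stringify(evaluateScoreChange(SAMPLE_RULES, SAMPLE_EVENT), null, 2));
```

The provider filter is deliberately checked first: a rule bound to one score provider must not fire on a score reported by a different provider, even if the numbers happen to match.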

Create vendor questionnaire templates

Vendor risk managers use the Questionnaire Template Designer to create and edit questionnaire templates which can be used as a basis for other templates.

Role required: vendor risk manager

Note: A questionnaire template must have at least one category, and that category must contain at least one question.

1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
2. Click New or New (Designer). The designer contains the following elements:
   Element: Description
     Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.

     Header bar: The header bar contains a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
     Design canvas: New assessments open in the Design view. The questionnaire Name field appears above the first category in the canvas.
3. Enter a name in the Name field.
4. Drag a control onto the designer canvas to create a question of that type.

Table 96: Question controls
  Attachment (Scored: Y): Question with a Manage Attachments icon for users to attach one or more files.
  Boolean: Question with a check box or a Yes/No list for user responses.
  Choice (Scored: Y): List of predefined options. For more information, see the definition for Choices.
  Date (Scored: N): Date field.
  Date/Time (Scored: N): Date and time field.
  Number (Scored: N): Number field with predefined minimum and maximum values. The default is
  Percentage (Scored: N): Percentage field with a prescribed range.
  Scale (Scored: Y): Predefined Likert scale. Answer options appear as radio buttons.
  Numeric Scale (Scored: Y): Selectable number scale. The default is 1 to 5. Answer options appear as radio buttons.
  String (Scored: N): Single or multi-line text field.
  Template (Scored: Y): Choice list of templates that provide a predefined scale of options.
  Reference: Choice list of fields from a specified reference table. This data type does not support reference qualifiers.

Table 96: Question controls (continued)
  Image Scale
  Multiple Selection
  Ranking

Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the risk.

5. Point to the menu icon in the upper right of the designer to select one of the following options:
   Note: The availability of each option depends on the status of the questionnaire that is opened in the designer.
   Option: Action
     Save: Save the current questionnaire.
     Preview: Display a preview of the questionnaire.
     New Questionnaire: Open a fresh canvas for a new questionnaire.
     Open Questionnaire: Open a list of existing questionnaires that you can select and edit.
     Copy Questionnaire: Create a copy of the questionnaire that you can edit.

Create vendor document request templates

Risk managers use the Document Request Template Designer to create and edit document request templates which can be used as a basis for other templates.

Role required: vendor risk manager

Note: Three default questions are created automatically for each new document request template.

1. Navigate to Vendor Risk > Assessment Setup > Assessment Templates.
2. Click New or New (Designer). The designer contains the following elements:
   Element: Description
     Controls: Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type.

     Header bar: The header bar contains a menu of various functions. The availability of each option depends on the status of the assessment that is opened in the designer.
     Design canvas: New assessments open in the Design view. The questionnaire Name field appears above the first category in the canvas. A blank question field appears in the category container.
3. Enter a name in the Name field.
4. Drag a control onto the designer canvas to create a question of that type.

Table 97: Question controls
  Attachment (Scored: Y): Question with a Manage Attachments icon for users to attach one or more files.
  Boolean: Question with a check box or a Yes/No list for user responses.
  Choice (Scored: Y): List of predefined options. For more information, see the definition for Choices.
  Date (Scored: N): Date field.
  Date/Time (Scored: N): Date and time field.
  Number (Scored: N): Number field with predefined minimum and maximum values. The default is
  Percentage (Scored: N): Percentage field with a prescribed range.
  Scale (Scored: Y): Predefined Likert scale. Answer options appear as radio buttons.
  Numeric Scale (Scored: Y): Selectable number scale. The default is 1 to 5. Answer options appear as radio buttons.
  String (Scored: N): Single or multi-line text field.
  Template (Scored: Y): Choice list of templates that provide a predefined scale of options.

Table 97: Question controls (continued)
  Reference: Choice list of fields from a specified reference table. This data type does not support reference qualifiers.
  Image Scale
  Multiple Selection
  Ranking

Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the risk.

5. Point to the menu icon in the upper right of the designer to select one of the following options:
   Note: The availability of each option depends on the status of the questionnaire that is opened in the designer.
   Option: Action
     Save: Save the current questionnaire.
     Preview: Display a preview of the questionnaire.
     New Questionnaire: Open a fresh canvas for a new questionnaire.
     Open Questionnaire: Open a list of existing questionnaires that you can select and edit.
     Copy document request: Copy the document request and edit it.

Create repeating vendor risk assessments

Vendor risk assessors can create repeating vendor assessments to monitor vendor risk continuously.

Role required: vendor risk assessor

1. Navigate to Vendor Risk > Assessments > Repeating Assessments.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 98: Repeating Assessment
  Number
  Created by
  Vendor: The vendor that is being assessed.
  Created
  Assessment template: The template used to create the current assessment.

Table 98: Repeating Assessment (continued)
  Updated
  Next assessment creation (months): The next assessment is created the specified number of months after the previous assessment is closed.
  Next assessment end date (months): The end date for the new assessment, in months after the previous assessment is closed.
  Active: Indicates if the current repeating assessment is active.
  Name: The name of the repeating assessment.
  Description: A more detailed description of the repeating assessment.

4. Click Submit. The Assessment Occurrences related list displays the status of all assessments and their associated risk rating.