Activate Policy and Compliance Management

The GRC: Policy and Compliance Management (com.sn_compliance) plugin is available as a separate subscription.

Before you begin

Role required: admin

This plugin includes demo data and activates related plugins if they are not already active.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data, which are sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

What to do next

To use the UCF import application, activate the UCF Import (com.snc.ucf_import_add_on) plugin.

Components installed with Policy and Compliance Management

Activating the Policy and Compliance Management (com.sn_compliance) plugin adds or modifies several tables, user roles, and other components.

Tables installed with Policy and Compliance Management

Policy and Compliance Management adds the following tables.

Table Description
Article Template

[sn_compliance_article_template]

Used to format the policy text contained in a policy record when publishing the policy to the Knowledge Base (KB).
Authority Document

[sn_compliance_authority_document]

Extends the Document [sn_grc_document] table and stores all Authority Documents.
Citation

[sn_compliance_citation]

Extends the Content [sn_grc_content] table and stores all citations.
Control

[sn_compliance_control]

Extends the Item [sn_grc_item] table and stores all controls.
Policy

[sn_compliance_policy]

Extends the Document [sn_grc_document] table and stores all policies.
Policy Statement

[sn_compliance_policy_statement]

Extends the Content [sn_grc_content] table and stores all policy statements.
Policy Statement to Assessment Metric

[sn_comp_asmt_m2m_statement_metric]

Policy Statement to Citation

[sn_compliance_m2m_statement_citation]

Is a many-to-many relationship table that is used to manage relationships between policy statements and their related citations.
Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Extends Content to Profile Type [sn_grc_m2m_content_profile_type] and is a many-to-many relationship table that is used to manage the relationships between policy statements and profile types.
Policy to Profile Type

[sn_compliance_m2m_policy_profile_type]

Extends Document to Profile Type [sn_grc_m2m_document_profile_type] and is a many-to-many relationship table that is used to manage the relationships between policies and profile types.
Note: All additional tables installed by the dependent plugins are also needed for Risk Management.

Properties installed with Policy and Compliance Management

Policy and Compliance Management adds the following properties.

Name Description
States for which the control is active (the first state is the default active state)

sn_compliance.active_states

Compliance administrators can change this setting.
  • Type: string
  • Default value: draft, assess, review, monitor
  • Location: Policy and Compliance > Administration > Properties
States for which control is inactive (the first state is the default inactive)

sn_compliance.closed_states

Compliance administrators can change this setting.
  • Type: string
  • Default value: retired
  • Location: Policy and Compliance > Administration > Properties
Name of the assessment metric type that is used for attestations

sn_compliance.default_attestation

System administrators can change this setting.
  • Type: string
  • Default value: GRC Attestation
  • Location: Policy and Compliance > Administration > Properties
sn_compliance.glide.script.block.client.globals
  • Type: true or false
  • Default value: false
  • Location: Policy and Compliance > Administration > Properties
Name of the knowledge base used to publish Policy articles

sn_compliance.knowledge_base

Compliance administrators can change this setting.
  • Type: string
  • Default value: Governance, Risk, and Compliance
  • Location: Policy and Compliance > Administration > Properties

Roles installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following roles.
Role title [name] Description Contains roles
Compliance Reader

[sn_compliance.reader]

Contains the reader role in sn_grc scopes. In addition to the inherited permissions, the compliance reader can be assigned profile types, profiles, indicator templates, indicators, and issues.
  • sn_grc.reader
Compliance User

[sn_compliance.user]

Contains the reader and user roles in sn_grc scopes, and the reader role in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance user can be assigned controls, and has read-only access to the Risk Management application and modules.
  • sn_grc.reader
  • sn_grc.user
  • sn_compliance.reader
Compliance Manager

[sn_compliance.manager]

Contains the reader, user, and manager roles in sn_grc scopes, and the reader and user roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance manager can create authority documents, citations, policies, policy statements, and controls.
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_compliance.reader
  • sn_compliance.user
Compliance Administrator

[sn_compliance.admin]

Contains the reader, user, manager, and admin roles in sn_grc scopes, and the reader, user, and manager roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance admin can delete authority documents, citations, policies, policy statements, and controls.
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_grc.admin
  • sn_compliance.reader
  • sn_compliance.user
  • sn_compliance.manager
Compliance Developer

[sn_compliance.developer]

Contains the reader, user, manager, admin, and developer roles in sn_grc scopes, and the reader, user, manager, and admin roles in the Policy and Compliance Management application. In addition to the inherited permissions, the compliance developer can create article templates and edit scripts.
  • sn_grc.reader
  • sn_grc.user
  • sn_grc.manager
  • sn_grc.admin
  • sn_grc.developer
  • sn_compliance.reader
  • sn_compliance.user
  • sn_compliance.manager
  • sn_compliance.admin
Attestation Creator

[sn_compliance.attestation_creator]

Role used for creating the GRC attestation metric type.

Script includes installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following script includes.

Script include Description
AssessmentEngine Engine for generating assessments.
AssessmentEngineBase Engine for generating assessments.
AssessmentStrategy Creates controls for assessments.
AssessmentStrategyBase Shared processor utility for evaluating assessments
ComplianceAjax AJAX utilities for compliance
ComplianceMigrationUtils Utilities for migrating authority documents, citations, policies, controls/policy statements, and control test definitions from previous instances.
ComplianceUtils Utilities for Policy and Compliance Management
ComplianceUtilsBase Utilities for Policy and Compliance Management
ControlGeneratorStrategy Creates controls for profile.
ControlGeneratorStrategyBase Generates controls when relationships between profiles, profile types, policies, and policy statements are made.
GRCPolicyCompAssessment Contains the APIs for policy statement and compliance assessments.
GRCPolicyCompAssessmentAjax AJAX utilities for policy statement and compliance assessment
GRCPolicyCompAssessmentBase Contains the APIs for policy statement and compliance assessments.

Client scripts installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following client scripts.
Client script Table Description
Force positive weighting Control

[sn_compliance_control]

Enforces that the weighting field is greater than or equal to 0.
Populate fields from policy statement Control

[sn_compliance_control]

Populates the name, description, type, category, and classification from the policy statement.

Business rules installed with Policy and Compliance Management

GRC: Policy and Compliance Management adds the following business rules.

Business rule Tables Description
Add processing document Policy to Profile Type

[sn_compliance_m2m_policy_profile_type]

Add processing statement Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Allow only one default Article Template

[sn_compliance_article_template]

Ensures that only one template record has the default check box checked.
Associate Metric Type to Record Control

[sn_compliance_control]

[sn_comp_asmt_m2m_statement_metric]

Associate Metric Type to Record Policy Statement to Assessment Metric

[sn_comp_asmt_m2m_statement_metric]

Auto business rule for Assessments Control

[sn_compliance_control]

Automatically creates an Assessable Record when controls are created.
Auto deletion rule for Assessments Control

[sn_compliance_control]

Automatically deletes the associated Assessable Record when a control is deleted.
Cannot Insert Duplicates Policy Statement to Assessment Metric

[sn_comp_asmt_m2m_statement_metric]

Cascade Changes Policy Statement

[sn_compliance_policy_statement]

Copies changes made to the policy statement name, description, reference, category, type, and classification fields to the associated controls.
Create issue for non-compliant control Control

[sn_compliance_control]

If no issues exist, creates an issue when a control status changes to non-compliant. Otherwise, a work note is added to the existing issue.
Deactivate retired policy Policy

[sn_compliance_policy]

Sets the Active field to false when a policy state changes to Retired.
Enforce Evaluation Method Allowed Policy Statement to Assessment Metric

[sn_comp_asmt_m2m_statement_metric]

Enforce fields Policy

[sn_compliance_policy]

Ensures that the Valid to and Article template fields are populated before moving to the Awaiting Approval or Published states.
Enforce positive weighting Control

[sn_compliance_control]

Ensures that the weighting of a control is greater than or equal to 0.
Issue close rollup response to control Issue

[sn_grc_issue]

Sets a control status to Compliant when all issues are closed.
Mark control as non-compliant Issue

[sn_grc_issue]

Sets a control status to non-compliant when a related issue is created.
No item gen while generating profiles Policy to Profile Type

[sn_compliance_m2m_policy_profile_type]

No item gen while generating profiles Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Prevent adding inactive policy Policy to Profile Type

[sn_compliance_m2m_policy_profile]

Prevents relating inactive policies with profile types.
Prevent adding inactive policy statement Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Prevents relating inactive policy statements with profile types.
Prevent generation during retirement Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Prevent generation during retirement Policy to Profile Type

[sn_compliance_m2m_policy_profile_type]

Publish to KB Policy

[sn_compliance_policy]

Creates a knowledge article and publishes it to the default Knowledge Base once a policy state changes to Published.
Retire KB Article Policy

[sn_compliance_policy]

Retires the associated knowledge article when a policy is retired or re-published.
Set active Policy Statement

[sn_compliance_policy_statement]

Sets a policy statement to be active if the policy statement Policy field is populated with an active policy.
Set Content Policy Statement to Profile Type

[sn_compliance_m2m_statement_profile_type]

Sets the Content field to the same value as the Policy statement field.
Set Document Policy to Profile Type

[sn_compliance_m2m_policy_profile]

Sets the Document field to the same value as the Policy field.
Set popup scratchpad Policy Statement

[sn_compliance_policy_statement]

Start policy approval workflow Policy

[sn_compliance_policy]

Starts the approval workflow for a policy when it moves to the Awaiting Approval state.
Start policy review workflow Policy

[sn_compliance_policy]

Starts the review workflow for a policy when it moves to the Published state.
Update control status Assessment Instance Question

[asmt_assessment_instance_question]

Update controls for adhoc questionnaires Assessment Instance

[asmt_assessment_instance]

Update risks control failure factor Control

[sn_compliance_control]

Updates the control failure factor for associated risks when the control's Status field changes.