Manage control attestations

Attestations are surveys that gather evidence to prove that a control is implemented. If the control's attestation and respondents fields are set, a notification is sent to the attestation respondents when the control moves from the Draft state to the Attest state.

Users can create multiple attestation types and set their policy statements to different attestations. A sample attestation called GRC Attestation is also provided as the default attestation.

By default, GRC Attestation is used for controls and provides the following assessment questions:
  • Is this control implemented?
  • Attach evidence
  • Explain

My Attestations is in the Controls section of the Policy and Compliance application and contains active attestations for which you are the respondent. The attestations appear in a list with a single attestation record per control.

All Attestations is contained in the Controls section of the Policy and Compliance application and contains all active attestations.

Compliance managers can create new attestation types containing different types of questions to fit their needs. See Create a control attestation using the Attestation Designer.

Compliance managers can create a new set of questions for each policy statement. See Create an attestation type.

Attestation designer

The attestation designer provides a single interface that users can use to create and edit attestations, as well as change scoring parameters.

All attestation records are stored in assessment tables and displayed in Attestation views of those tables.

The designer contains the following elements:

Table 1. Elements of the Attestation Designer
| Element | Description |
| --- | --- |
| Controls | Controls for the supported question data types are available in the Controls palette. Drag a control onto the designer canvas to create a question of that type. |
| Header bar | The header bar contains tabs that display different views and a menu of various functions. The availability of each option depends on the status of the attestation that is opened in the designer. |
| Design canvas | New attestations open in the Design view. The attestation Name field appears above the first category in the canvas. A blank question field appears in the category container. |

Create a control attestation using the Attestation Designer

Use the Attestation Designer to create and edit metric types, use different metric types for different controls, select multiple respondents for an attestation, and change scoring parameters.

Before you begin

Role required: sn_compliance.attest_creator, sn_compliance.manager, sn_compliance.administrator

Procedure

  1. Navigate to Policy and Compliance > Administration > Attestation Types.
  2. Click Attestation Designer.
  3. Enter a name in the Name field.
  4. Drag a control onto the designer canvas to create a question of that type.
    Table 2. Question controls
    | Data type | Description | Scored |
    | --- | --- | --- |
    | Attachment | Question with a Manage Attachments icon that allows users to attach one or more files. | Y |
    | Boolean | Question with a check box or a Yes/No list for user responses. | |
    | Choice | List of predefined options. For more information, see the definition for Choices. | Y |
    | Date | Date field. | N |
    | Date/Time | Date and time field. | N |
    | Number | Number field with predefined minimum and maximum values. The default is 1-10. | N |
    | Percentage | Percentage field with a prescribed range. | N |
    | Scale | Predefined Likert scale. Answer options appear as radio buttons. | Y |
    | Numeric Scale | Selectable number scale. The default is 1-5. Answer options appear as radio buttons. | Y |
    | String | Single or multi-line text field. | N |
    | Template | Choice list of templates that provide a predefined scale of options. | Y |
    | Reference | Choice list of fields from a specified reference table. This data type does not support reference qualifiers. | |
    | Image Scale | | |
    | Multiple Selection | | |
    | Ranking | | |
    Note: Set the correct answer for the metric that you want to be scored. Scored metrics determine the compliance status of the controls.
  5. Click one of the following tabs to change the view in the canvas:
    | Option | Description |
    | --- | --- |
    | Design | Add categories and questions, and configure the properties of each. This is the default view of the canvas when you open the designer. |
    | Configuration | Create introductions and end notes for attestations, and select a signature. |
    | Availability | Select the recipients for each category in the attestation. |
  6. Point to the menu icon in the upper right of the Attestation Designer to select one of the following options:
    Note: The availability of each option depends on the status of the attestation that is opened in the designer.
    | Option | Description |
    | --- | --- |
    | Save | Save the current attestation. |
    | Preview | Display a preview to the selected recipients. |
    | Publish | Distributes the attestation to the selected recipients. |
    | Save and Publish | Saves and distributes the attestation in one step. |
    | New Attestation | Opens a fresh canvas for a new attestation. |
    | Load Attestation | Opens a list of existing attestations that you can select and edit. |
    Unlike other types of assessments, control attestations do not appear in the Self-Service > My assessments & surveys module, because hundreds of control attestations could be generated at once. Instead, control attestations are shown as a list in the Policy and Compliance > Controls > My Attestations module and the All Attestations module.

Create an attestation type

Rather than using the default GRC attestation type, the compliance manager can create a new set of questions for each policy statement.

Before you begin

Role required: sn_compliance.attest_creator or sn_compliance.manager or sn_compliance-admin

Procedure

  1. Navigate to Policy and Compliance > Administration > Attestation Types.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 3. Assessment Metric Type
    | Field | Description |
    | --- | --- |
    | Name | The name of the assessment type. |
    | Assessment duration | The days for which the assessment is active. |
    | Table | |
    | Scale factor | |
    | Condition | |
    | Description | |
    | State | |
    | Enforce condition | |
    | Roles | |
  4. Click Submit.