Create a control

Controls are automatically generated when you associate a policy with a profile type or a profile type with a policy statement. A control is created for each profile listed in the profile type for the policy statement. Controls can also be manually created.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Controls > All Controls.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Control

    Name: The name of the control.
    Number: Read-only field that is automatically populated with a unique identification number.
    Profile: The related profile.
    Policy Statement: The related policy statement.
    Owning group: Group that owns the policy.
    Owner: User that owns the policy.
      Note: The owner is always added as a respondent.
    Key control: Marks the control as a key control.
    Weighting: Set the weighting between 1 and 10. Used to calculate the control failure factor of a risk.
    Status: The control status is a read-only field. Possible choices are:
    • Compliant
    • Non compliant
    • Not applicable
    State: The control state is a read-only field. Possible choices are:
    • Draft: In this state, all compliance users can modify the control. Only available when creating a one-off control. One-off controls are possible but not recommended.
    • Attest: Controls created from a policy statement start in this state.
      Note: When a control is set back to Draft, the attestation is canceled.
    • Review: Controls are automatically moved to Review from the attestation phase.
    • Monitor: Compliance managers can move the control from Review to Monitor.
    • Retired: Compliance managers or administrators can move a control from Monitor to Retired. Indicators do not run when the control is in this state.
      Note: When a control is retired, any attestation associated with it is canceled.
    Enforcement: Select from a list of options:
    • Mandated
    • Voluntary
    Category: Select from a list of options:
    • Acquisition or sale of facilities, technology, and services
    • Audits and risk management
    • Compliance and Governance Manual of Style
    • Human Resources management
    • Leadership and high level objectives
    • Monitoring and measurement
    • Operational management
    • Physical and environmental protection
    • Privacy protection for information and data
    • Records management
    • System hardening through configuration management
    • Systems continuity
    • Systems design, build, and implementation
    • Technical security
    • Third Party and supply chain oversight
    • Root
    • Deprecated
    Type: Select from a list of options:
    • Acquisition/Sale of Assets or Services
    • Actionable Reports or Measurements
    • Audits and Risk Management
    • Behavior
    • Business Processes
    • Communicate
    • Configuration
    • Data and Information Management
    • Duplicate
    • Establish Roles
    • Establish/Maintain Documentation
    • Human Resources Management
    • Investigate
    • IT Impact Zone
    • Log Management
    • Maintenance
    • Monitor and Evaluate Occurrences
    • Physical and Environmental Protection
    • Process or Activity
    • Records Management
    • Systems Continuity
    • Systems Design, Build, and Implementation
    • Technical Security
    • Testing
    • Training
    Classification: Select from a list of options:
    • Preventive
    • Corrective
    • Detective
    • IT Impact Zone
    Frequency: Select from a list of options:
    • Event Driven
    • Daily
    • Weekly
    • Monthly
    • Quarterly
    • Semi-Annually
    • Annually
    Description: A description of the control.
    Additional Information: Additional information about the control.

    Attestation section

    Attestation: Select from a list of options. Other attestation types can be configured. If this field is populated, the Attestation respondents field automatically becomes mandatory, and the owner is made the respondent.
      Note: If the user changes the attestation type in the policy statement, all the related controls are changed as well.
    Attestation respondents: Users assigned to the attestation of this control. Only a user with the sn_grc.user role can be added as a respondent.
      Note: When both the Attestation and Attestation respondents fields are set, attestations are created when you click Attest.

    Activity Journal section

    Additional comments
  4. Click Submit.
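The State and Attestation rules described in the table above, modelled as an added example (this is not ServiceNow's own code): a small Python state machine that enforces which roles may move a control between states and cancels open attestations on the transitions the table names. The role name sn_compliance.user (for "compliance users"), a "system" actor for the automatic Attest to Review move, and the Draft to Attest transition are assumptions of this model.

```python
from dataclasses import dataclass, field

# Roles named on the page; "sn_compliance.user" and "system" are assumptions of this model.
MANAGER_ROLES = {"sn_compliance.admin", "sn_compliance.manager"}
COMPLIANCE_ROLES = MANAGER_ROLES | {"sn_compliance.user"}

# Allowed transitions and who may perform them, following the State field above.
TRANSITIONS = {
    ("Draft", "Attest"): COMPLIANCE_ROLES,   # assumption: editors of a draft may submit it
    ("Attest", "Draft"): COMPLIANCE_ROLES,   # "set back to Draft" cancels the attestation
    ("Attest", "Review"): {"system"},        # automatic after the attestation phase
    ("Review", "Monitor"): MANAGER_ROLES,
    ("Monitor", "Retired"): MANAGER_ROLES,   # indicators stop running in Retired
}

@dataclass
class Control:
    name: str
    owner: str
    state: str = "Attest"  # controls created from a policy statement start here
    respondents: set = field(default_factory=set)
    open_attestations: list = field(default_factory=list)

def set_respondents(ctrl, respondents, user_roles):
    """Attestation respondents: owner is always included; every respondent needs sn_grc.user."""
    wanted = set(respondents) | {ctrl.owner}
    for user in wanted:
        if "sn_grc.user" not in user_roles.get(user, set()):
            raise ValueError(f"{user} lacks sn_grc.user and cannot be a respondent")
    ctrl.respondents = wanted
    return wanted

def attest(ctrl, attestation_type):
    """Clicking Attest creates one attestation per respondent, only if both fields are set."""
    if not attestation_type or not ctrl.respondents:
        return []
    created = [(attestation_type, r) for r in sorted(ctrl.respondents)]
    ctrl.open_attestations.extend(created)
    return created

def can_transition(ctrl, to_state, actor_roles):
    return bool(set(actor_roles) & TRANSITIONS.get((ctrl.state, to_state), set()))

def transition(ctrl, to_state, actor_roles):
    """Change state, enforcing the role rules and the attestation side effects."""
    if not can_transition(ctrl, to_state, actor_roles):
        raise PermissionError(f"{ctrl.state} -> {to_state} not allowed for {sorted(actor_roles)}")
    if to_state in ("Draft", "Retired"):  # both cancel attestations tied to the control
        ctrl.open_attestations.clear()
    ctrl.state = to_state
    return ctrl.state

def indicators_run(ctrl):
    return ctrl.state != "Retired"
```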