GRC policies - Legacy

A policy is a document which defines an internal practice that processes must follow. The Policy [grc_policy] table extends Knowledge [kb_knowledge], so each policy is stored in the Knowledge Base and can be accessed in the same way as any other published article.

Standards and Standard Operating Procedures

GRC offers two additional policy classes, Standards and Standard Operating Procedures, which are used to define specific practices at different levels within an organization.

Associations

To manage the elements of a policy, a policy can be associated with:
  • Scopes that define the organizational level to which a policy class applies.
  • Authority documents and citations to which a policy class applies.
  • Risks associated with failures to comply with the policy.
  • Controls that enforce the policy class and mitigate the identified risks.

GRC Policy enforcement

After policies are defined, two processes are available for ensuring that their provisions are followed:
  • Risk management: After risks are defined, they can be managed using Controls and Control Tests to protect against the consequences of breaching policies.
  • Audits: After all the processes for policies have been defined, audits can be carried out to confirm that those processes are being followed properly.