Manage controls

Controls are specific implementations of a policy statement. Retired controls do not appear in the list. Before defining controls, take time to rationalize, consolidate, and define the important controls in your organization.

Rationalize your controls

If you upload all your controls in bulk, you miss the opportunity to refine and streamline your control set. For each control, ask:
  • How does this control affect my business objective?
  • Is this control actually preventing or detecting risk?
  • Is there a different control you can place that better protects your business?
  • Is there a control you can put in place that reduces process overhead and improves IT performance while also mitigating risk?
  • Can a complicated control be replaced with a simpler, more effective control?

As your business changes, and your IT data, processes, and technology improve, replace outdated controls and procedures when you implement your GRC application.

Consolidate your controls

Look for opportunities to consolidate controls. Look for common, repeated controls across multiple regulatory authorities or frameworks (for example, SOX, GLBA, and AML). Avoid operating a single control multiple times, once for each regulation, by cross-mapping controls and eliminating the redundant ones. This process establishes a single consolidated set of controls (a control framework). Performing and preserving the cross-mapping of controls is critical for audits.
Figure 1. Industry regulations and requirements overlap

Define controls and business rules

The business rules you define up front establish the GRC configuration settings later. Be prepared to:
  • Identify controls and control owners
  • Define control tests and expected results
  • Establish test and control frequencies
  • Identify risks: impact and likelihood
  • Prepare attestations, assessments, questionnaires and required evidence
  • Compose likely use-cases (who needs to interact with or view the contents of the GRC system and for what purposes)
  • Map authoritative sources to policies, to procedures, to controls, and to risks

Create a control

Controls are automatically generated when you associate a policy with a profile type or a profile type with a policy statement. A control is created for each profile listed in the profile type for the policy statement. Controls can also be manually created.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Controls > All Controls.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Control
    Field: Description
    Name: The name of the control.
    Number: Read-only field that is automatically populated with a unique identification number.
    Profile: The related profile.
    Policy Statement: The related policy statement.
    Owning group: Group that owns the policy.
    Owner: User that owns the policy.
      Note: The owner is always added as a respondent.
    Key control: Indicator that the control is a key control.
    Weighting: Used to calculate the control failure factor of a risk. Set the weighting between 1 and 10.
    Status: The control status is a read-only field. Possible choices are:
      • Compliant
      • Non compliant
      • Not applicable
    State: The control state is a read-only field. Possible choices are:
      • Draft: In this state, all compliance users can modify the control. Only available when creating a one-off control. One-off controls are possible but not recommended.
      • Attest: When the control is created from a policy statement, controls are in this state.
        Note: When a control is set back to draft, the attestation is canceled.
      • Review: Controls are automatically moved to review from the attestation phase.
      • Monitor: In this state, all compliance managers can move the control from review to monitor.
      • Retired: Compliance managers or administrators can move a control from Monitor to Retired. Indicators do not run when the control is in this state.
        Note: When a control is retired, any attestation associated with it is canceled.
    Enforcement: List of options:
      • Mandated
      • Voluntary
    Category: List of options:
      • Acquisition or sale of facilities, technology, and services
      • Audits and risk management
      • Compliance and Governance Manual of Style
      • Human Resources management
      • Leadership and high level objectives
      • Monitoring and measurement
      • Operational management
      • Physical and environmental protection
      • Privacy protection for information and data
      • Records management
      • System hardening through configuration management
      • Systems continuity
      • Systems design, build, and implementation
      • Technical security
      • Third Party and supply chain oversight
      • Root
      • Deprecated
    Type: List of options:
      • Acquisition/Sale of Assets or Services
      • Actionable Reports or Measurements
      • Audits and Risk Management
      • Behavior
      • Business Processes
      • Communicate
      • Configuration
      • Data and Information Management
      • Duplicate
      • Establish Roles
      • Establish/Maintain Documentation
      • Human Resources Management
      • Investigate
      • IT Impact Zone
      • Log Management
      • Maintenance
      • Monitor and Evaluate Occurrences
      • Physical and Environmental Protection
      • Process or Activity
      • Records Management
      • Systems Continuity
      • Systems Design, Build, and Implementation
      • Technical Security
      • Testing
      • Training
    Classification: List of options:
      • Preventive
      • Corrective
      • Detective
      • IT Impact Zone
    Frequency: List of options:
      • Event Driven
      • Daily
      • Weekly
      • Monthly
      • Quarterly
      • Semi-Annually
      • Annually
    Description: A description of the control.
    Additional Information: Additional information about the control.
    Attestation section
    Attestation: Select from a list of options.
      • Other attestation types can be configured.
      • If this field is populated, then the Attestation Respondents field automatically becomes mandatory, and the owner is made the respondent.
      Note: If the user changes the attestation type in the policy statement, all the related controls are changed also.
    Attestation respondents:
      • Users assigned to the attestation of this control.
      • Only a user with the sn_grc.user role can be added as a respondent.
      Note: When both the Attestation and Attestation respondents fields are set, attestations are created when you click Attest.
    Activity Journal section
    Additional comments: Public information about the control.
  4. Click Submit.
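The lifecycle and attestation rules from the State and Attestation rows above, as an added illustration in plain JavaScript (not ServiceNow platform code or its scripting API): the state transitions, which roles may perform the manual ones, the owner-as-respondent rule, and the sn_grc.user requirement that also governs reassignment in the Attest a control procedure below. The user and control object shapes are assumptions made for this example.

```javascript
// Added illustration, not ServiceNow platform code: a model of the control
// lifecycle and attestation rules in the Control table above. Role names
// come from the page; user and control object shapes are assumptions.
const TRANSITIONS = {
  draft: ['attest'],
  attest: ['review', 'draft'], // setting back to draft cancels the attestation
  review: ['monitor'],
  monitor: ['retired'],
  retired: [],
};
// Roles that may perform the manual transitions described on the page.
const ROLES_FOR = {
  monitor: ['sn_compliance.manager'],
  retired: ['sn_compliance.manager', 'sn_compliance.admin'],
};
// Only a user holding sn_grc.user can be a respondent or be reassigned one.
function canRespond(user) {
  return Boolean(user) && user.roles.includes('sn_grc.user');
}
// When Attestation is set, the owner is always added as a respondent.
function withOwnerAsRespondent(c) {
  if (!c.attestation) return c;
  return { ...c, respondents: [...new Set([...(c.respondents || []), c.owner])] };
}
// Returns the validation problems for a control (empty array = valid).
function validateControl(c, users) {
  const problems = [];
  if (!Number.isInteger(c.weighting) || c.weighting < 1 || c.weighting > 10) {
    problems.push('weighting must be between 1 and 10');
  }
  if (c.attestation) {
    const r = c.respondents || [];
    if (r.length === 0) problems.push('attestation respondents are mandatory');
    r.filter((n) => !canRespond(users[n])).forEach((n) => problems.push(`${n} lacks sn_grc.user`));
  }
  return problems;
}
// Moves a control to a new state if the transition and the actor's roles allow it.
function transition(c, to, actor) {
  if (!TRANSITIONS[c.state].includes(to)) throw new Error(`cannot move ${c.state} -> ${to}`);
  const allowed = ROLES_FOR[to];
  if (allowed && !actor.roles.some((x) => allowed.includes(x))) throw new Error(`${to} needs ${allowed.join(' or ')}`);
  const next = { ...c, state: to, indicatorsRun: to !== 'retired' }; // indicators stop when retired
  if (to === 'attest' && c.attestation && c.respondents.length) next.attestationStatus = 'created';
  if (to === 'draft' || to === 'retired') next.attestationStatus = 'canceled';
  return next;
}
```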

Follow a control

Connect integrates with Policy and Compliance Management, providing an overlay to the standard interface that allows users to participate in conversations while they work and to collaborate on the control record.

Before you begin

Role required: sn_compliance.user or sn_compliance.reader

Procedure

  1. Navigate to Policy and Compliance > Controls > All Controls.
  2. Open the control record.
  3. Click the Follow tab and select one of the options.
    Option: Action
    To add the Connect sidebar: Click Open Connect mini.
    To add the Connect full-screen view: Click Open Connect Full.

Attest a control

Attestations are surveys that gather evidence to prove that a control is implemented. If the control's Attestation and Attestation respondents fields are set, a notification is sent to the attestation respondents when the control moves from the Draft state to the Attest state.

Before you begin

Role required: sn_grc.user

Users can create multiple attestation types and set their policy statements to different attestations. A sample attestation called GRC Attestation is also provided as the default attestation.

About this task

When controls are attested, a new questionnaire is created. As a result, attestations do not appear in the Self-Service > My assessments & surveys module: hundreds of GRC assessment records could be generated at once, so they are kept apart from other assessments in a separate list view.

Procedure

  1. Navigate to Policy and Compliance > Controls > My Attestations.
  2. Open the attestation and review the details.
    Option: Description
    If you are unable to answer the questions:
    1. Reassign the attestation to another user in the Assigned to field.
    2. Click Update and close the record.
    Note: Only a user with the sn_grc.user role can be re-assigned the attestation.

    The list of attestations refreshes when you reassign an attestation to another user.

    If you are able to answer the questions:
    1. Click Take attestation.
    2. Answer the questions and attach information, as required.
    3. Click Submit.

    The list of attestations refreshes when you close the Take Assessment pop-up window.