||The name of the control.
||Read-only field that is automatically populated with a
unique identification number.
||The related profile.
||The related policy statement.
||Group that owns the policy.
||User that owns the
owner is always added as a respondent.
Used to calculate the control failure factor of a risk.
the weighting between 1 and 10.
The control status is a read-only field. Possible choices
- Non compliant
- Not applicable
||The control state is a read-only field. Possible choices
- Draft: In this state, all compliance users can modify the control. Only available when creating a one-off control. One-off controls are possible but not recommended.
- Attest: When the control is created from a policy statement, controls are in
Note: When a control is set back to draft, the attestation is canceled.
- Review: Controls are automatically moved to review from the attestation
- Monitor: In this state, all compliance managers can move the control from review
- Retired: Compliance managers or administrators can move a control from Monitor to Retired. Indicators do not run when the control is in this state.
Note: When a control is retired, any attestation associated with it is
- Acquisition or sale of facilities, technology,
- Audits and risk management
- Compliance and Governance Manual of Style
- Human Resources management
- Leadership and high level objectives
- Monitoring and measurement
- Operational management
- Physical and environmental protection
- Privacy protection for information and data
- Records management
- System hardening through configuration
- Systems continuity
- Systems design, build, and implementation
- Technical security
- Third Party and supply chain oversight
- Acquisition/Sale of Assets or Services
- Actionable Reports or Measurements
- Audits and Risk Management
- Business Processes
- Data and Information Management
- Establish Roles
- Establish/Maintain Documentation
- Human Resources Management
- IT Impact Zone
- Log Management
- Monitor and Evaluate Occurrences
- Physical and Environmental Protection
- Process or Activity
- Records Management
- Systems Continuity
- Systems Design, Build, and Implementation
- Technical Security
- IT Impact Zone
- Event Driven
||A description of the control.
||Additional information about the control.
Select from a list of options.
- Other attestation types can be configured.
- If this field is populated, then the
field automatically becomes mandatory, and the owner
is made the respondent.
Note: If the user changes the attestation type in the
policy statement, all the related controls are
- Users assigned to the attestation of this
- Only a user with the sn_grc.user role can be
added as a respondent.
Note: When both the Attestation
and Attestation respondents
fields are set, attestations are created when you
information about the control.