Establish profile scoping for policies and controls

Profile scoping is permitted in each of the GRC applications. Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance. Risk managers use profile scoping to monitor risk exposure and perform risk assessments. Dependencies are created using the dependency map and model or by creating tiers.

Profile scoping provides a way to allocate risks and controls at different levels. Profile scoping involves the following elements:
Profile Classes
Profile classes allow GRC managers to separate profiles for better distinction, for example Business Service Profiles, Department Profiles, and Business Unit Profiles. Reports can be filtered to define relationships between the different profile classes. A profile class defines what a profile actually is. A profile can belong to many profile types, but it can have only one profile class (for example, Business Service). Profile classes can roll up to each other.
Profile Types
Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type filters. Profile types are associated with policy statements, which generate controls for every profile listed in the profile type.
Profiles
Profiles are the records that aggregate GRC information related to a specific item. Each profile is associated with a single record from any table in the instance. Profiles cannot be created for items that do not have a record in a table in the platform.

Example of Profile Scoping

In this scoping example, the profile types contain the following profiles:
  • Global Office Locations
    • Los Angeles Office
    • New York Office
    • Berlin Office
  • North American Office Locations
    • Los Angeles Office
    • New York City Office
  • European Union Office Locations
    • Berlin Office

How do profiles relate to Policy and Compliance Management?

Profile scoping provides a systematic assignment of policy statements to controls and maintains relational and hierarchical connections between those controls. Profiles can have many-to-many relationships with each other. Profile types are the high-level categories, and profiles are the individual items that can be associated with a profile type.
In this Policy and Compliance scoping example:
  • policies and policy statements are assigned to profile types
  • controls are created based on the profiles and associated policy statements
Note: Policy statements can be created without a policy, but must be assigned a profile type. Controls can be created without an associated policy or policy statement, but must be assigned to a profile.

Dependency models and maps

In the Jakarta release, the dependency map was aligned with the dependency model for establishing upstream and downstream relationships between profiles. In the Kingston release, tiers establish those relationships.

Dependency models

Dependency modeling ensures that an organization establishes a uniform definition of risk across the enterprise. The dependency model defines what relationships are allowed between different types of areas in the organization. This enables more effective risk normalization and aggregation by allowing stakeholders to more effectively compare and contrast risk appetite and exposure at various levels of the enterprise.

Creating a dependency model involves creating profile classes and defining how classes are structured in relation to each other using the Roll up to field.

Dependency maps

Once dependency modeling is complete, you can build out a dependency map to define how different parts of the organization are related to each other. The dependency map represents what profile relationships exist. For example, you could specify that certain projects and business services affect the HR department, which in turn affects the enterprise.

Defining the dependency map involves creating profiles, defining the profile class for each profile, then relating profiles to each other by specifying the upstream/downstream relationship.

Tiers

In the Kingston release, tiers establish upstream and downstream relationships. Profile tiers are assigned to profile classes. The base system provides: Business, Application, and IT Asset. Administrators can edit or add to the tiers.

Create a profile class

GRC managers create profile classes representing the types of items in their organization. Reports can be filtered to define relationships between the different profile classes.

Before you begin

Role required: sn_grc.manager

About this task

A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services), in that a profile can belong to many profile types but a profile can have only one profile class (for example, Business Service).

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Classes
    • Risk > Scoping > Profile Classes
    • Audit > Scoping > Profile Classes
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Profile class
    Name: Name of the profile class.
    Roll up to: Select dependencies to other profile classes. This is useful for reporting how your lower-level operational risks impact corporate-level risks.
    Is Root: Select the check box to indicate that this is the highest level class.
    Note: Only one root class is allowed and it cannot roll up to another class.
    Tier: Select the tier or category for the profile class.
    • Business
    • Application
    • IT Asset
  4. Navigate to Policy and Compliance > Profile Tiers.
  5. Do one of the following actions:
    To create a new tier: Click New.
    To edit a tier: Open the profile tier.
  6. Fill in the fields on the form, as appropriate.
    Table 2. Profile tier
    Name*: The name of the tier.
    Value
    Label*: The label assigned to the tier.
    Level*
    Note: * indicates a mandatory field.
  7. Click Update.
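As an added illustration (not ServiceNow's own code), the following JavaScript models the profile-class dependency model from the procedure above and checks a set of classes against the constraints it states: exactly one root class, a root that does not roll up, and every other class rolling up to the root through the Roll up to field. The class names, tiers and the `validateDependencyModel` / `rollUpPath` helpers are constructed for this example.

```javascript
// Added example, not ServiceNow's own code: a small model of the
// profile-class dependency model described above. Class names and
// tier assignments are constructed for illustration.
const profileClasses = [
  { name: "Enterprise",       rollUpTo: null,               isRoot: true,  tier: "Business" },
  { name: "Business Unit",    rollUpTo: "Enterprise",       isRoot: false, tier: "Business" },
  { name: "Department",       rollUpTo: "Business Unit",    isRoot: false, tier: "Business" },
  { name: "Business Service", rollUpTo: "Department",       isRoot: false, tier: "Application" },
  { name: "IT Asset",         rollUpTo: "Business Service", isRoot: false, tier: "IT Asset" },
];

// Checks the constraints stated above: exactly one root class, the root
// does not roll up, and every other class rolls up (step by step) to the
// root without cycles or references to unknown classes.
// Returns a list of problem descriptions; an empty list means the model is valid.
function validateDependencyModel(classes) {
  const problems = [];
  const byName = new Map(classes.map((c) => [c.name, c]));
  const roots = classes.filter((c) => c.isRoot);
  if (roots.length !== 1) problems.push(`expected exactly one root class, found ${roots.length}`);
  for (const root of roots) {
    if (root.rollUpTo !== null) problems.push(`root class "${root.name}" must not roll up to another class`);
  }
  for (const c of classes) {
    if (c.isRoot) continue;
    const seen = new Set([c.name]);
    let cur = c;
    while (!cur.isRoot) {
      if (cur.rollUpTo === null) { problems.push(`"${c.name}" never reaches the root class`); break; }
      const next = byName.get(cur.rollUpTo);
      if (!next) { problems.push(`"${c.name}" rolls up to unknown class "${cur.rollUpTo}"`); break; }
      if (seen.has(next.name)) { problems.push(`"${c.name}" is part of a roll-up cycle`); break; }
      seen.add(next.name);
      cur = next;
    }
  }
  return problems;
}

// Roll-up path from a class to the root: the chain a report follows to show
// which corporate-level class an operational-level risk ultimately affects.
function rollUpPath(classes, name) {
  const byName = new Map(classes.map((c) => [c.name, c]));
  const path = [];
  for (let cur = byName.get(name); cur && !path.includes(cur.name); cur = byName.get(cur.rollUpTo)) {
    path.push(cur.name);
  }
  return path;
}
```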

Create profile class rules

Profile class rules allow you to assign tables to profile classes.

Before you begin

Role required: admin

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Administration > Profile Class Rules
    • Risk > Administration > Profile Class Rules
    • Audit > Administration > Profile Class Rules
  2. Do one of the following actions:
    To create a new profile class rule: Click New.
    To edit a profile class rule: Open the profile class rule from the list.
  3. Fill in the fields on the form, as appropriate.
    Table 3. Profile Class Rule
    Table: The table that contains the records you want to assign the class to.
    Class: The class to assign to the table.
  4. Click Submit or Update.

Create and edit a profile type

Administrators or managers in any of the GRC-related applications create profile types, from which profiles are generated. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for every profile listed in the profile type.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Types.
    • Risk > Scoping > Profile Types.
    • Audit > Scoping > Profile Types.
  2. Do one of the following actions:
    To create a new profile type: Click New.
    To edit a profile type: Open the profile type from the list.
  3. Fill in the fields on the form, as appropriate, and click Submit.
    Table 4. Profile type
    Name*: The name of the profile type.
    Description: An explanation of the profile type with any additional information that a user will find helpful.
    Note: * indicates a mandatory field.
  4. Once the profile type is created or edited, click the Profile filters tab and fill in the fields on the form, as appropriate.
    Table 5. Profile filters
    Profile Type: Indicates the profile type that the filters belong to.
    Table*: The table that contains the records to be queried.
    Filter condition: Filter conditions for the source table to generate profiles.
    Owner field: The field on the table specifying the person who owns any new profiles generated from the profile type.

    Identify the user reference field on the source table to automatically identify risk and control owners. Use default owner to assign risks to a single user when the owner field is empty.

    Empty owner: What to do with a record whose owner field is empty.
    • Create
    • Do not create
    • Use default
    Note: * indicates a mandatory field.
  5. Click Update.

Create a profile

Profiles are generated automatically from profile types in any of the GRC-related applications. Profiles can be created individually, but this is not common.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Types.
    • Risk > Scoping > Profile Types.
    • Audit > Scoping > Profile Types.
  2. Open a Profile Type record from the list.
  3. Add or modify any conditions, as necessary.
    Changing the Table changes the number of records matching the condition.
  4. Assign the Owner field.
  5. Click Update.
    A profile is generated for every record that matches the filter condition.
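As an added illustration (not ServiceNow's own code) of the Profile filters settings and the profile generation step above, the following JavaScript applies a profile type's Table, Filter condition, Owner field and Empty owner settings to a set of records and returns the profiles that would be generated. The table name, field names, sample records and the `generateProfiles` helper are all constructed for this example.

```javascript
// Added example, not ServiceNow's own code: models how a profile type's
// Profile filters generate profiles. The table, field names and records are
// constructed for illustration.
const sampleRecords = [ // constructed rows of a hypothetical cmdb_ci_service table
  { sys_id: "svc1", name: "Payroll",  operational_status: 1, business_criticality: "1 - most critical", owned_by: "alice" },
  { sys_id: "svc2", name: "Intranet", operational_status: 1, business_criticality: "1 - most critical", owned_by: "" },
  { sys_id: "svc3", name: "Legacy",   operational_status: 6, business_criticality: "1 - most critical", owned_by: "bob" },
];

// One profile type, with the fields from the Profile filters table above.
// emptyOwner is one of "Create", "Do not create", "Use default".
const criticalServices = {
  name: "Critical Business Services",
  table: "cmdb_ci_service",
  filterCondition: [
    { field: "operational_status", op: "=", value: 1 },
    { field: "business_criticality", op: "startswith", value: "1" },
  ],
  ownerField: "owned_by",
  emptyOwner: "Use default",
  defaultOwner: "grc.manager",
};

// Evaluates one condition of the filter against a record.
function matches(record, cond) {
  const actual = record[cond.field];
  switch (cond.op) {
    case "=":          return actual === cond.value;
    case "!=":         return actual !== cond.value;
    case "startswith": return String(actual).startsWith(String(cond.value));
    default: throw new Error(`unsupported operator ${cond.op}`);
  }
}

// Generates one profile per record that matches every filter condition,
// applying the Owner field and Empty owner settings.
function generateProfiles(profileType, records) {
  const profiles = [];
  for (const rec of records) {
    if (!profileType.filterCondition.every((c) => matches(rec, c))) continue;
    let owner = rec[profileType.ownerField] || "";
    if (owner === "") {
      if (profileType.emptyOwner === "Do not create") continue;      // skip the record
      if (profileType.emptyOwner === "Use default") owner = profileType.defaultOwner;
      // "Create": the profile is created with an empty owner
    }
    profiles.push({ name: rec.name, table: profileType.table, record: rec.sys_id, profileType: profileType.name, owner });
  }
  return profiles;
}
```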

Relate profiles to each other

Create relationships between profiles to understand how controls and risks affect each other and how they affect the enterprise.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

Procedure

  1. Navigate using any of these options.
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
  3. Perform one of the following actions:
    To specify that the current profile is downstream of another profile: Click the Add button in the Upstream profiles related list.
    To specify that the current profile is upstream of another profile: Click the Add button in the Downstream profiles related list.
  4. Select the desired profiles to relate the current profile to and click Create Relationship.

Result

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles related lists are limited based on the current profile's class and the tier it belongs to.
Note: If there are no eligible profiles which can be related to the current profile, then the Add button is not displayed on the Upstream profiles or Downstream profiles related lists.