
NJP

ServiceNow Certified Implementation Specialist - Integrated Risk Management preparation video series

Import · Oct 19, 2023 · article

ServiceNow CIS IRM is a good exam to test your knowledge of the ServiceNow IRM-related modules. In this YouTube playlist I have covered the notes that I created as part of my exam preparation.

I have also created a set of bookmarks for quick reference to various useful content that helps with exam preparation.

Link to YouTube playlist

Bookmarks

- Credentials - Certified Implementation Specialist - Risk and Compliance Mainline Exam Blueprint
- Governance, Risk, and Compliance release notes
- ServiceNow Store
- Learning Course - Now Learning
- Customization Best Practices - Customer Success - ServiceNow
- Business-smart customization - business-smart-customization.pdf
- customization-best-practices.pdf
- Now Value – Customer Success – ServiceNow
- Now Create Home - Now Create
- risk-and-resilience.pdf
- NC Search - Now Create
- Partner | Sales Resources | Sales Success Center
- Partner | Impact | Sales Success Center
- ServiceNow Partner Program | Sales Success Center
- GRC Business User Role (sn_grc.business_user) - Support and Troubleshooting
- Customer Success Center - ServiceNow
- Compliance Dictionary | Unified Compliance Framework
- Unified Compliance Framework | Home
- Before Query Business Rules - The *Other* Access Control - Support and Troubleshooting - Now Support...
- How to configure GRC User hierarchy access control for custom tables - Support and Troubleshooting -...
- Product Documentation | ServiceNow
- Home - ServiceNow Community
- Entities (fka Profiles) in a few words - A very si... - ServiceNow Community
- Setup checklist for the GRC: Policy and Compliance Management application
- Groups | VARAN PROD
- CreatePolicy
- NIST.SP.800-53r5.pdf
- Knowledge Article View - Now Support Portal
- Policy Exception Integration - Support and Troubleshooting
- Multiple controls for a unique entity–control objective combination
- Risk Management implementation
- Components installed with Advanced Risk
- GRC Risk Workspace
- Factors in Advanced Risk Assessment
- Managing risk responses
- Project Risk Assessment using Advanced Risk Assessment
- Associate an item in application table to a control objective
- Configure compliance data source registry
- Set up of generic framework compliance data source registry - Product Documentation: San Diego
- GRC: Metrics in Integrated Risk Management
- Risk appetite and tolerance in Advanced Risk
- Learning Course - Now Learning - Classic Risk Assessment
- Common controls in Risk Management
- Last15Min SNGRC_Log | VARAN PROD
- grc fundamentals
- CIS Downloads
- CCG Dashboard | ServiceNow
- Create Blog Post - ServiceNow Community

Notes

**************************ServiceNow CIS IRM Certification Notes**************************

Document, content and item

DRA-PuRe: a DRAcula that only likes to drink PuRe blood

1. ServiceNow Store releases
   - Version numbers: 16.0.3, Feb 2023
2. Exam prep
   - IRM fundamentals
   - IRM implementation
   - Classic risk fundamentals
   - Audit management implementation
3. GRC labels and names (label -> class)
   - entity class -> sn_grc_profile_class
   - entity type -> sn_grc_profile_type
   - entity -> sn_grc_profile

control objective -> sn_compliance_policy_statement

ServiceNow term -> alternate terms
- Control objective -> control, control template, requirement, policy statement
- Entity -> scope definition, scope object, target, profile
- Entity type -> entity group
- Control -> control instance
- Risk statement -> risk template

Issue -> findings

GRC maturity levels and use cases
1. 0 - Manual -> spreadsheets
2. 1 - Basic -> semi-automated IRM process; adoption limited to IRM orgs, mostly bottom-up; documented, centrally managed policy and compliance.
3. 2 - Repeatable -> visibility and performance -> expand IRM to 2-3 use cases; adoption expands to process and control / risk owners; monitoring on a point-in-time basis; visibility through dashboards & PA; start top-down, leveraging the entity engine.
4. 3 - Managed -> predict and prioritize -> IRM implemented in 4-5 use cases; mature existing use cases with further automated capability; cross-functional process automation; continuous real-time monitoring of control performance, risk scoping, reduction in admin overhead etc.
5. 4 - Optimized -> integrated enterprise-wide -> IRM fully adopted in 4-5 use cases; risk-aware enterprise and embedded controls; management by the risks; continuous control monitoring & continuous risk assessment across multiple platforms; a single risk & control framework across the enterprise, available to all stakeholders (LoBs, management, etc.)

Use case: 4-6 weeks to hear a response from management

Roles:
- Technical consultants
- Risk and compliance experts
- Primary stakeholder -> compliance / RCM project team -> project lead (head of compliance), compliance manager, compliance analyst
- Risk project team -> project lead (head of risk) -> risk manager -> risk analyst
- Platform admin -> platform dev -> CMDB + foundation data owners -> internal audit

Frequently used tables for import or integration -> Authority Document, Citation, Control Objective (from the customer's control matrix or risk register), Risk Statement

Evaluate current state -> Now Create, prioritize journey, action items, use case examples. Greenfield project -> private to public; replace legacy systems -> build from existing. See ucfmapper.com

https://www.pwc.co.uk/services/risk/governance-risk-and-compliance.html

Sample Implementation Approach
1. Phase 1 -> regulatory guidance, policy lifecycle management, control mapping, control attestation, data setup
2. Phase 2 -> control testing, issues management, policy exceptions
3. Phase 2/3 -> risk register, risk framework
4. Phase 3 -> risk assessment, continuous monitoring
5. Phase 4 -> risk (loss) events

Now on Now
- 835K savings annually via automated workflows
- $2.6M saved annually automating end-to-end GRC processes
- 160 policies managed and published via portal
- 66% reduction in quarterly control certification
- 50% reduction in time to perform control testing with continuous monitoring
- 85% reduction in the time needed to track status, thanks to real-time reporting and dashboards
- 90% reduction in coordination efforts with external auditors, who now use ServiceNow GRC to gain direct, transparent access to all our GRC data

Minimum role required to see GRC apps and modules -> sn_grc.business_user (earlier versions, 14.x: snc_internal)

GRC role matrix (application role [contained GRC role]):
- Compliance Developer [GRC Developer (sn_grc.developer)] -> Compliance Admin (sn_compliance.admin) [GRC Admin (sn_grc.admin)] -> Compliance Manager (sn_compliance.manager) [GRC Manager (sn_grc.manager)]
- Compliance User (sn_compliance.user) [GRC User (sn_grc.user)]
- Compliance Reader (sn_compliance.reader) [GRC Reader (sn_grc.reader)]
- Risk Admin (sn_risk.admin) [GRC Admin (sn_grc.admin)] -> Risk Manager (sn_risk.manager) [GRC Manager (sn_grc.manager)]
- Risk User (sn_risk.user) [GRC User (sn_grc.user)]
- Risk Reader (sn_risk.reader) [GRC Reader (sn_grc.reader)]

RCM (Regulatory Change Management) Admin, sn_grc_reg_change.admin -> contains sn_grc_reg_change.it_admin and sn_grc_reg_change.manager

sn_grc_reg_change.it_admin -> doesn't contain the RCM manager role

Application administrators (technical / tactical) -> Compliance Admin, RCM Admin, Risk Admin (contains sn_risk_advanced.ara_admin)

- sn_grc.x roles shouldn't be directly assigned to anyone except developers
- Attestation creator -> used for creating the GRC attestation metric type (contains the assessment admin role)
- Risk assessment creator -> used for creating the GRC risk assessment metric type (contains the assessment admin role)

GRC admins can do everything that GRC managers for their area can do

Compliance team (low technical / medium non-technical / medium strategic / low tactical): compliance manager, compliance user

RCM team (low technical / medium non-technical / medium strategic / low tactical): RCM manager, RCM user

Risk team (low technical / medium non-technical / medium strategic / low tactical): risk manager, risk user

Enable Intrusion -> the trigger is bypassed and the user has to provide the starting record.

GRC business user role (sn_grc.business_user) allows:
- Issue owner
- Issue triage submission and request
- Evidence request tasks
- Evidence request manager approvals
- Observation respondent
- Approver and assessor of advanced risk assessments
- Read access on risk statement, risk assessment, scope, rating criteria, ARA, risk event config

How it is assigned:
- Customers (upgrading): auto-applied to all users who performed a GRC operation in the last 90 days; adding future users will require a process.
- Customers (initial install): all users need a process to get the role.

Integration scenarios between GRC and other Now products. Example: a Vulnerability Response user with the sn_grc.business_user role can request a policy exception from GRC: Policy and Compliance Management.

Implementation stakeholders
- Board of directors
- IT steering committee
- CISO or CRO
- Audit committee
- All levels of management

Full-time team:
- Implementer: tech consultant, business process analyst
- Client: ServiceNow dev team

Part-time team:
- Implementer: risk and compliance experts, OCM, architect
- Client: risk and compliance experts, CMDB process owner, foundation data process owners, internal audit experts

[GraphML image of the various modules; image not included here]

ARA roles
- Risk Admin (sn_risk.admin)
- Risk Manager (sn_risk.manager)
- Risk User (sn_risk.user)
- Risk Reader (sn_risk.reader)
- ARA Reader (sn_risk_advanced.ara_reader)
- ARA Creator (sn_risk_advanced.ara_reader)
- GRC Business User
- ARA Assessor (sn_risk_advanced.ara_assessor)
- ARA Approver (sn_risk_advanced.ara_approver)
- ARA Admin (sn_risk_advanced.ara_admin)

Workspace roles
Compliance workspace:
- sn_compliance_ws.corporate_compliance_manager -> sn_compliance.manager, sn_audit.manager
- sn_compliance_ws.corporate_compliance_analyst -> sn_compliance.user, sn_audit.user

Risk workspace:
- sn_risk_workspace.it_risk_manager, sn_risk_workspace.operational_risk_manager -> sn_risk.manager, sn_compliance.manager, sn_audit.manager
- sn_risk_workspace.business_op_risk_manager -> sn_risk.user, sn_audit.user, sn_compliance.user

Loading data
- Manual entry: manual, HTML
- Import: transform maps; multi-source types: JDBC, HTTP/FTP, Excel, CSV, XML; customer-provided spreadsheets, data sources like SAP etc.
- Content providers: subscription to 3rd-party providers; REST / SOAP; provide both primary and relationship records; GRC: Content UCF, Edgile ARC, Risk Spotlight OpRisk Library, LexisNexis
- Accelerators: content and functionality for activities performed on provided content; the implementer can configure them post-installation; GRC: NIST CSF Use Case Accelerator, GRC: Technology Controls Monitoring Accelerator, GRC: Cybersecurity Controls Accelerator, GRC: SOX Content Pack, GRC: Continuous Authorization Monitoring
- GRC Policy and Compliance Integrator application: common framework to import content from 3rd parties into GRC Policy and Compliance Management; available on the Store; staging tables and transformation; sn_grc_cim.admin role

SLAs (service level agreements)
- GRC: Profiles & GRC: Advanced Core -> incident task, issue, issue triage, remediation task, evidence request
- GRC: Policy and Compliance -> policy exception, acknowledgement campaign
- GRC: Risk Management, GRC: Advanced Risk -> risk response task (acceptance, avoidance, mitigation or transfer), risk mitigation task, risk event, risk event task
- GRC: Regulatory Change Management -> regulatory task, regulatory change task, action task

Notifications
- Policy acknowledgment campaign reminders
- GRC mobile application notifications on pending approval requests
- Policy exception notifications
- Issue notifications (triage issues and issues)

Security and visibility considerations
1. Employees with the sn_compliance.user role outside the compliance team shouldn't be able to see our NIST compliance.
2. Managers and above should see the cost of specific risks occurring to the business; only senior execs should be able to see aggregated risk reports.
3. Clearly identify compliance issues that require follow-up or investigation.

Options:
- ACL customization: new filtered list views; new modules with specific role access; generated read ACLs for the appropriate tables.
- Business rule customization: a before query business rule restricts row access; it should be used in conjunction with an ACL rule to restrict field-level access. Example: return only certain records if you are a member of group X or have the group X role.
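The row restriction described above, as an added example (not code from this page or from ServiceNow): the logic of a before query business rule written as a plain function, with constructed GlideUser/GlideRecord stand-ins and sample issue rows so it can be run offline; the group name "Compliance Team" and the assigned_to field are assumptions.

```javascript
// Added example, not code from the page or from ServiceNow. It shows the row-restriction
// logic of a "before query" business rule as a plain function so it can be run offline.
// In an instance, `current` is the GlideRecord being queried and `user` is gs.getUser();
// the group name below and the 'assigned_to' field are assumptions for the example.

var PRIVILEGED_GROUP = 'Compliance Team';       // assumed group name
var PRIVILEGED_ROLE = 'sn_compliance.manager';  // GRC: Policy and Compliance manager role

// Policy: admins, users with the privileged role and members of the privileged group see
// every row (no condition is added). Everyone else is limited to rows assigned to them.
// This restricts rows only; field-level access still needs ACLs on the same table.
function restrictRowsForUser(current, user) {
  if (user.hasRole('admin') ||
      user.hasRole(PRIVILEGED_ROLE) ||
      user.isMemberOf(PRIVILEGED_GROUP)) {
    return false;                        // unrestricted
  }
  current.addQuery('assigned_to', user.getID());
  return true;                           // restricted
}

// --- Constructed stand-ins so the rule can be exercised outside ServiceNow ---

// Minimal GlideUser-like object: id, roles and group memberships.
function FakeUser(id, roles, groups) {
  this.id = id; this.roles = roles; this.groups = groups;
}
FakeUser.prototype.getID = function () { return this.id; };
FakeUser.prototype.hasRole = function (role) { return this.roles.indexOf(role) !== -1; };
FakeUser.prototype.isMemberOf = function (group) { return this.groups.indexOf(group) !== -1; };

// Minimal GlideRecord-like query that records the equality conditions added to it.
function FakeQuery() { this.conditions = []; }
FakeQuery.prototype.addQuery = function (field, value) {
  this.conditions.push({ field: field, value: value });
  return this;
};

// Applies the collected conditions to in-memory rows, i.e. what the platform would
// return to the user after the before query rule ran.
function applyConditions(rows, query) {
  return rows.filter(function (row) {
    return query.conditions.every(function (c) { return row[c.field] === c.value; });
  });
}

// Constructed sample issue rows for the demonstration.
var SAMPLE_ISSUES = [
  { number: 'ISS0001', assigned_to: 'u_analyst', short_description: 'NIST control gap' },
  { number: 'ISS0002', assigned_to: 'u_other',   short_description: 'Evidence missing' },
  { number: 'ISS0003', assigned_to: 'u_analyst', short_description: 'Policy exception overdue' }
];

// Which issue numbers a given user would see once the rule has run.
function visibleIssueNumbers(user) {
  var query = new FakeQuery();
  restrictRowsForUser(query, user);
  return applyConditions(SAMPLE_ISSUES, query).map(function (r) { return r.number; });
}

// Usage when run directly.
var manager = new FakeUser('u_mgr', ['sn_compliance.manager'], []);
var analyst = new FakeUser('u_analyst', ['sn_compliance.user'], []);
console.log('manager sees', visibleIssueNumbers(manager));   // all three issues
console.log('analyst sees', visibleIssueNumbers(analyst));   // ISS0001, ISS0003
```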

User hierarchy
- Managers can see the records of the users who report to them.
- System properties to be configured (GRC: Profiles): sn_grc.enable_user_hierarchy_access_control, sn_grc.user_hierarchy_sync_frequency, sn_grc.batch_size_to_sync_user_hierarchy
- Supported tables: sn_grc_user_hierarchy, sn_grc_user_hierarchy_configuration
- List layout changes: User hierarchy 1, User hierarchy 2 and Hierarchy status are the 3 fields that get added (example: the issue table). Status of the user hierarchy -> awaiting processing, processed; it is processed if the issue manager is listed; once processed, anyone in User hierarchy 1 can see the record, and anyone in User hierarchy 2 can see it.
- Business rule: Set issue usr hrchy status and raise event
- Roles: sn_grc.business_user, sn_grc.business_user_lite
- User hierarchy -> sn_grc_user_hierarchy table; the Hierarchy field contains the list of users who are in the user's hierarchy

Confidentiality
- Enable sn_grc.enabled_record_confidentiality; once enabled it can't be turned off
- Module -> GRC Confidential Records
- Applies to: all risk events, engagements, all audit tasks, observations, issues, remediation tasks, evidence request tasks, policy exceptions.
- The sn_grc.confidential_user role can see all modules
- Confidentiality tab on forms: includes allowed users and allowed groups; write access is required to mark a record Confidential; notifications are sent; auto-population of allowed users: the user who sets the Confidentiality flag is added to the allowed users, and additional users are automatically added depending on the table
- To enable confidentiality the **system administrator** should navigate to Policy and Compliance -> Administration -> GRC Properties (application scope: GRC: Profiles) and check the system property "enable system level confidentiality"

Entity scoping
- Entity type -> grouping of entities; each type has its own owner. Examples: departments and vendors, applications & business services, databases & servers
- Use entity filters to create entity types
- When an entity type is applied to a control objective, controls are created; the control owner will be the same as the entity owner.
- When an entity type is applied to a risk statement, risks are created; the risk owner will be the same as the entity owner.

Entity classes -> answer the question "how do I get the risk and compliance posture for all my business applications across all divisions in the business?"
- Entity classes are used to tag entities; a way to tag entities across different entity types
- Classes can roll up into one another
- Examples: department, business app, business services, servers, databases
- Use the GRC Workbench

Tiers
- Risk posture for the most important items across all divisions in the business
- Hierarchy levels; associated with several classes; apply to all entities in that class
- Show how lower-tier entities affect higher-tier entities
- Any tier 1 class or entity is upstream of the tier 2 classes (entities)
- Business tier 1, application tier 2, IT asset tier 3, etc.

Creation sequence
1. Create tiers
2. Create class rules and classes
3. Associate classes with tiers
4. Create types
5. Create entity filters (automatically create entities)
6. Newly created entities get automatically tagged with the right class and tier (can also be done manually)

Identify data sources for entities; document tiers, classes and types; run your entity scoping workshop.

An entity scope definition (entity type) is related to the specific risk statements and control objectives relevant to its unique condition. Example entity types:
1. Contains financial data
2. Is Internet-facing
3. Contains customer data

Starting points
1. Review the regulations applicable to the customer
2. Places, people and things that need to be compliant
3. Roles / teams / business units that are responsible
4. Describe the existing framework used for controls and risks
5. Review the existing risk register and control library
6. Define areas to audit / current gaps and existing auditable units

Approaches
1. Operational -> scoping is done at the specific CI level, individual user, project
2. Strategic -> scoping is done at the services / business processes level

Entity generation to entity ownership
1. Determine which tables you should use when scoping
2. Research the source table data for accuracy and integrity

Entity filters (source table -> entity type -> example entities)
1. core_company -> Vendors -> hotels
2. cmn_department -> Department -> HR, Accounts
3. cmn_location -> Travel branches -> travel branch locations
4. cmdb_ci_service -> Business services -> payment handling
5. cmdb_ci_db_instance -> CTA databases -> CTA primary, CTA replication
6. sys_user_group (also cmdb_ci_group, sysapproval_group) -> Senior travel consultant -> employees involved in the pilot
7. cmdb_ci_business_process -> Customer support -> payment handling

Which tables are core tables: those with the prefixes
1. cmn_
2. sys_
3. core_

System property -> frequency of syncing the entity owner to the source record

Entity filter and entity ownership sync
- Owner options: default owner, use owner field, source field for owner, auto-update owner, empty owner
- Reference existing ServiceNow tables
- An entity class is a requirement when using an entity filter
- When a record matches the filter condition, entities are created
- When a record no longer matches the filter conditions, one of two things happens:
  1. Entities related to a single entity type: all controls, risks and other related records are set to retired.
  2. Entities related to multiple entity types: only the records related to the entity type where the entity is no longer valid are retired; the entity is not inactivated.
- Multiple filters can be defined for an entity type
- Scheduled job: GRC Cleanup Invalid Entities -> deletes entities that are no longer active and deletes any and all related records
- On the entity record, select auto-update entity owner to keep it in sync with the source record owner.

Entity classes
- Create entity classes to show relationships between the tables or objects you are tracking that don't otherwise exist elsewhere in ServiceNow; similar to tags, stored in a field on the entity
- Can be set up in a hierarchy; not related to entity types; can be set up later in the implementation process.
- Entity management -> define the roll-up of entities, controls, risks
- Regulatory change -> entity classes determine which entities can be assigned an impact assessment; impact assessments help determine if an event is applicable to the organization
- Risk assessment -> RAMs (templates) are defined for an entity class.
- Taxonomy -> categorization: company organization structure, cost center structure, business capabilities, business strategies -> execution, business services (internal services provided, services provided to customers), business processes, geo organization

Entity class configuration
- Set up classes
- Entity class rule -> runs only on new entities; existing entities need a manual update
- GRC Workbench dependency model -> only available in the classic UI; builds relationships between entity classes; not all business services will roll up to all departments, so use the dependency map to create specific relationships
- Entity classes are used to create upstream and downstream relationships
- An entity type doesn't allow data to be rolled up into a different structure.

To enable ARA, set the system property "Migrate to advanced risk assessments" -> Yes (Advanced Risk Assessments -> Administration -> Properties).

Class rule: Risk -> Administration -> Class Rules. Table and Class are fields on the class rule; the class rule assigns a class to entities. After the class rule is created, run the scheduled job GRC Profile Generation.

Risk -> Scoping -> All Entities

How to bulk update the entity class: Policy and Compliance -> Administration -> Bulk Update Entity Class

Table structure (GRC: Profiles base table -> GRC: Policy and Compliance tables -> GRC: Risk Management tables)
- Document (sn_grc_document) -> Authority Document, Policy -> Risk Framework
- Content (sn_grc_content) -> Citation, Control Objective -> Risk Statement
- Item (sn_grc_item) -> Control -> Risk

Any objects such as BRs and client scripts defined for the parent table apply to the child tables. Document, Content and Item are tables in the GRC: Profiles scope; the tables in Policy and Compliance and Risk Management extend the tables from GRC: Profiles.

- Entity type: sn_grc_profile_type
- Entity filter: sn_grc_enrichment_query
- Entity type to entity: sn_grc_m2m_profile_profile_type
- Entity: sn_grc_profile
- Entity class

Common tables (Global table -> GRC: Profiles table that extends it)
- Task -> Indicator task
- Base indicator (sn_grc_base_indicator) -> Indicator
- Planned task -> Issue

GRC: Policy and Compliance setup
- Set up users, groups and roles
- Set properties
- Configure policy and policy exception workflow states, forms, user access and automation
- Configure policy acknowledgment campaigns; define response captures, audiences and frequencies
- Configure control workflow states, forms, user access and automation for attestation outcomes
- Create policies, control objectives and control indicators
- Configure workspaces and reports

Primary table relationships
- Content (sn_grc_content): Authority document (sn_compliance_authority_document) 1:M Citation (sn_compliance_citation)
- Citation M:M Control objective (sn_compliance_policy_statement)
- Policy (sn_compliance_policy) M:M Control objective (sn_compliance_policy_statement)
- Control objective 1:M Item (sn_grc_item): Control (sn_compliance_control)

- Policies, control objectives and citations can be nested parent-child
- A single control objective can be related to multiple policies
- A single control objective can be related to multiple citations -> test once and satisfy many
- Authority documents and citations are optional
- Authority documents and controls can't be nested in a parent-child relationship

- Entity type (sn_grc_profile_type) -> entities
- Entity type M:M Risk statement (sn_risk_definition) (GRC: Risk); Risk statement 1:M Risk (sn_grc_risk)
- Entity type M:M Control objective (sn_compliance_policy_statement) (GRC: Policy and Compliance); Control objective 1:M Control (sn_compliance_control)
- Entity type M:M Indicator template (sn_grc_indicator_template) (GRC: Profiles); Indicator template 1:M Indicator (sn_grc_indicator)
- Control M:M Indicator
- Control attestation -> asmt_assessment_instance (Global)
- Issues (sn_grc_profile) (GRC: Profiles)

- The control table is the primary table where most of the daily compliance work happens
- A control must be related to an entity
- An entity can be scoped with multiple controls
- Issues, control attestations and risks provide supporting documentation about a control
- A control can be related to multiple issues, control attestations and risks

- Control objective to control objective -> sn_compliance_m2m_policy_stmt_policy_stmt
- Control objective to citation -> sn_compliance_m2m_statement_citation
- Control objective to entity type -> sn_compliance_m2m_statement_profile_type
- Control objective to indicator template -> sn_grc_m2m_ind_temp_count

Review script includes: AssessmentStrategy, PolicyAcknowledgmentUtil, ComplianceUtils, ControlGeneratorStrategy, ComplianceScoreCalculator

Policy record life cycle: Draft (sn_compliance.user) -> Review (sn_compliance.manager) -> Awaiting Approval (approval; all approvers must approve) -> Published -> Retired (sn_compliance.manager)

Policy types -> policy, procedure, standard, plan, checklist, framework, template

Control objective record: Category -> Classification -> Type; Source / Source ID

Policy life cycle when the valid to date is exceeded: by default 30 days after the valid to date (sn_compliance.policy_expire_to_review_timer); if there are no reviewers on the policy it gets set to Draft

Policy authoring workflow using Office 365
- Architecture: activate the Microsoft OneDrive plugins: Microsoft OneDrive Spoke for Document Service Framework, Microsoft OneDrive Spoke, Microsoft Azure AD Spoke, Multi-provider Document Services Framework
- New tables: GRC document versions (sn_irm_shared_cmn_document_version), Document access (sn_irm_shared_cmn_document_access)
- Updated tables: Policy (sn_compliance_policy)
- System properties: select a file sharing service to host documents and attachments (OneDrive, None, ...)
- Set up a connection record: connection name, URL, credential information
- Assign the required role: mp_document_user

Policy and Compliance -> Administration -> GRC Properties
- Total number of questions allowed in a same-response-type grouped assessment = number of questions in one assessment * number of assessments.

Policy and Compliance -> Administration -> Properties
- Number of days after reaching a policy's valid to date in which the expired policy automatically moves from the Published state to the Draft / Review state (default = 30 days)
- Default duration for which a policy exception can be requested (default = 30 days)

How to limit policy approvers to a specific group: create a script include that returns the group members, and apply a reference qualifier that only queries the users returned by the script include.

Policy acknowledgment campaign life cycle: New -> Pending acknowledgment -> Closed -> Canceled

Configuration:
- Create audience -> compliance manager
- Set up campaign -> compliance user
- Set properties -> compliance admin
- Respond to requests
- View responses & status -> compliance reader
- Create audience -> users, groups, user filters

Table architecture:
- Policy (sn_compliance_policy) -> extends the Document table
- Acknowledgement campaign (sn_compliance_policy_acknowledgement) -> extends the Task table
- Acknowledgement (sn_compliance_policy_acknowledgement_instance) -> doesn't extend any table
- Audience (sn_compliance_audience)
- Audience to user (sn_grc_m2m_audience_user) -> User (sys_user)
- Audience to groups (sn_grc_m2m_audience_user_group) -> Group (sys_user_group)
- Audience to audience filters (sn_grc_m2m_audience_filter)
- Audience filter (sn_grc_audience_filter)

Policy exception
- Start -> request a policy exception -> verification rule -> approval rule (sn_grc.business_user) -> approve / reject / one-time extension
- Can be requested from: self-service -> Employee Center; Compliance Workspace; Policy Exceptions module; control objective record; issue record (issues in Draft or Retired can't be selected)
- Enable other apps by registering them with the integration registry

Exception sources (GRC-based exceptions vs. non-GRC app exceptions):
- Integration registry: no integration needed vs. required (target table, entity mapping, exception questionnaire)
- Exception questionnaire: not available vs. optional (questions, conditions)
- Verification rules: optional vs. optional (by application, user and/or groups)
- Approval rules: optional vs. required (by application, conditional, user and/or groups)

Policy exception flows
- Generate initial approvals for policy exception: the trigger is based on the Substate field; the substate is set by the BR "Set Policy exception Substate"; verification is generated based on the info in the verification rule record; exception requests submitted via the Service Portal bypass this approval.
- Workflow -> Policy Exception: runs to set the controls associated with the exception as exempt; at 80% of the exception period it generates an event for notification ("Exception period passed 80%"); the requestor can submit an extension; if the valid to date is reached, the workflow sets the state of the exception to Closed.
- Generate final approvals for policy exception: if the policy exception is raised from within GRC and there are no verification rules or approver rules set up, the exception is processed using only the approval flow; there is a step in the flow to identify the approvers by getting the owners of the CIs that are impacted by the exception.

Policy exceptions can also be raised from non-GRC apps such as HR (case), Vulnerability Response (vulnerable item) and PPM (risk).

Life cycle:
- New: integration registry users can request policy exceptions directly from ServiceNow apps, which are routed to the compliance manager; any user with sn_grc.business_user can request a policy exception from Employee Center. Substate: Pending verification -> verification rules verify the accuracy and completeness of the policy exception request.
- Analyze: the risk rating is determined during the Analyze state; the compliance manager can choose to add impacted controls, approve, request review, request more info or request approval.
- Review: the requester or risk manager can submit more info in the comments tab; the compliance manager reviews the request once more info is added.
- Awaiting approval: the policy exception request is sent to the control owners and the requester's manager unless approval rules were created.
- Approved: exceptions can be approved by the compliance manager; the control owner can request an extension.
- Closed: the compliance manager can manually move the exception to Closed.

Control objective
- Inactive -> Active; follows the policy record lifecycle
- Can be associated with more than one policy
- Can be scoped with entity types / entities only when Active; creates controls automatically when enabled
- Serves as the template for generating control records
- Can be related to other template records: test templates, indicator templates, performance analytics templates

Compliance score calculation
- Hierarchy: External authority -> Authority document -> Citation; Policy -> Control objective -> Entity A, Entity B, Entity C -> Control A (Fail), Control B (Pass), Control C (Pass)
- Score = [Sum of (weight of compliant controls) / Sum of (weight of all controls)] * 100
- Draft controls are not part of the calculation
- Not all entities have the same weight
- Not all controls are in the same state at the same time
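The score formula above carried through on constructed control records, as an added example that is not code from this page or from ServiceNow's ComplianceScoreCalculator; the per-control fields (state, compliance, weight), the two-decimal rounding and the per-objective roll-up are assumptions of the example.

```javascript
// Added example, not code from the page or from ServiceNow's ComplianceScoreCalculator.
// It computes the page's compliance score formula over constructed control records:
//   score = sum(weight of compliant controls) / sum(weight of all controls) * 100
// Draft controls are left out of both sums, as the page states; the per-control fields
// (state, compliance, weight) and the rounding are assumptions of this example.

var COMPLIANT = 'compliant';
var NON_COMPLIANT = 'non_compliant';

// Controls that count towards the score: everything that is not in Draft.
function scorableControls(controls) {
  return controls.filter(function (c) { return c.state !== 'draft'; });
}

// Weighted compliance score rounded to two decimals, or null when there is nothing to
// score (for example when every control is still in Draft), so 0% is not reported by
// accident for an objective that has not been attested yet.
function complianceScore(controls) {
  var scorable = scorableControls(controls);
  var total = 0, compliant = 0;
  scorable.forEach(function (c) {
    var w = Number(c.weight);
    if (!(w >= 0)) throw new Error('control ' + c.number + ' has an invalid weight');
    total += w;
    if (c.compliance === COMPLIANT) compliant += w;
  });
  if (total === 0) return null;
  return Math.round((compliant / total) * 10000) / 100;
}

// Roll-up per control objective: group the controls by objective and score each group,
// which is how a policy- or citation-level view would aggregate.
function scoreByControlObjective(controls) {
  var groups = {};
  controls.forEach(function (c) {
    (groups[c.control_objective] = groups[c.control_objective] || []).push(c);
  });
  var result = {};
  Object.keys(groups).forEach(function (co) { result[co] = complianceScore(groups[co]); });
  return result;
}

// Constructed sample: the page's three entities (A, B, C) scoped by one control
// objective with Fail / Pass / Pass, plus a Draft control that must be ignored and a
// second objective whose controls carry different weights.
var SAMPLE_CONTROLS = [
  { number: 'CTRL001', control_objective: 'CO-ACCESS', entity: 'Entity A', state: 'monitor', compliance: NON_COMPLIANT, weight: 1 },
  { number: 'CTRL002', control_objective: 'CO-ACCESS', entity: 'Entity B', state: 'monitor', compliance: COMPLIANT,     weight: 1 },
  { number: 'CTRL003', control_objective: 'CO-ACCESS', entity: 'Entity C', state: 'monitor', compliance: COMPLIANT,     weight: 1 },
  { number: 'CTRL004', control_objective: 'CO-ACCESS', entity: 'Entity D', state: 'draft',   compliance: NON_COMPLIANT, weight: 1 },
  { number: 'CTRL005', control_objective: 'CO-BACKUP', entity: 'Entity A', state: 'attest',  compliance: NON_COMPLIANT, weight: 3 },
  { number: 'CTRL006', control_objective: 'CO-BACKUP', entity: 'Entity B', state: 'monitor', compliance: COMPLIANT,     weight: 1 }
];

// Usage when run directly.
console.log('overall score:', complianceScore(SAMPLE_CONTROLS));          // 42.86
console.log('per objective:', scoreByControlObjective(SAMPLE_CONTROLS));   // CO-ACCESS 66.67, CO-BACKUP 25
```

The overall figure is lower than the CO-ACCESS figure because the failing CO-BACKUP control carries a weight of 3, which is the point of the "not all entities have the same weight" note.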

Control record life cycle
- Draft: the sn_compliance.user role can modify / edit controls and move them into the Attest state.
- Attest: control owners are assigned by default to attest that a control is implemented. Only the designated owner should attest; it is not recommended for an admin to impersonate and attest; if the owner is not available, return the control and reassign it.
- Review: moves to Review after attestation; the sn_compliance.manager role is required to move from Review to Monitor or return to Draft.
- Monitor: indicators may be scheduled in the Monitor state; controls are not edited in the Monitor state; updates are made based on indicator activity.
- Retired: controls retire when compliance is no longer needed; indicators won't run in the Retired state; if the scoped entity becomes inactive the control is retired; the compliance manager can retire a control manually.

- In Attest, an attestation is active and sent to the control owner. When the attestation is completed, the control remains in the Review state until a compliance member reviews the attestation results.
- If the control is moved back to Draft, the attestation is canceled.
- In Monitor, indicators monitor the control status and evaluate the organisation's compliance.

Create multiple controls for the same entity
- By default there is only one control per entity from a given control objective.
- This feature allows granularity at the control level while keeping the control objective association.
- Create new controls with unique names, scoped with the existing entity; a different control owner can be assigned for granular controls; unique controls are included in the compliance score.
- Follows item generation logic: if the entity is retired, both auto-created and manually created controls get retired.
- The name of the control must be unique when creating multiple controls for the same entity.

Consolidated attestation
- Global scope: assessment instance; fields added by GRC: grouped assessment name, related control or risk, process status, group type (same or different responses)
- GRC: Profiles scope: assessment grouping criteria
- Script includes: GRCAssessmentUtilsBase (creates the group), GRCAssessmentClientUtils (group preview)
- Business rules: global scope: handle assessment group reassignment; GRC: Profiles scope: remove from group if canceled, update children when parent is complete

Issue group rules: Policy and Compliance -> Administration -> Issue Group Rules; "Is default" is set to true / false.

Change the default attestation: perform a dictionary override on the control objective -> Attestation field

Evidence collection
- Primarily supports audit but is available in compliance; assigned users can provide evidence from the Service Portal; the audit functionality is more robust than the compliance functionality.
- How it differs from an indicator template:
  - Evidence collection use case: can be created ad hoc; doesn't automatically impact the control status; supports a control test; can be a multi-group effort; includes a baseline process flow with validation that the request has been fulfilled.
  - Manual indicator use case: occurs on a set schedule and frequency; results could change the control status to compliant or non-compliant; typically sent to the control owner; the control owner marks an indicator task as complete and closes it without outside-party validation.

Evidence collection for a control
- Prepare the evidence request, step by step: start -> open a control in any state -> New from the Evidence Request related list and answer the questions -> a request management record is created: a placeholder record with prefix EVR created in Draft state; each individual request is added as a collection detail with prefix ECD.
- Process the evidence request: open the EVR record in Draft state; select the Request Evidence UI action; evidence tasks are generated with prefix EVD; the EVD records appear in the Evidence related list on the control once generated.
- The evidence request allows the control owner to view the status of all connected evidence task (EVD) records in one place.

Evidence collection lifecycle
- After the EVD is created, the control owner can provide the information or request approval from someone in their organisation.
- The requester can ask for more information after receiving the completed EVD, or accept the evidence, which closes the EVD record.
- Two personas, both of which send information (authority docs, policies, citations, controls, control objectives, control tests, entities, issues):
  - Control owner
  - Audit entity owner

Table architecture
- Evidence request: sn_grc_advanced_evidence_request (GRC: Advanced Core), prefix EVR -> Evidence: sn_grc_advanced_evidence_response (GRC: Advanced Core), prefix EVD.
- Evidence detail: sn_grc_advanced_evidence_collection_details (GRC: Advanced Core).
- The Evidence for field has a reference to control, control test, control objective etc.

Regulatory change management
****************************

Management of regulatory, policy and/or procedural changes that apply to an organization. Context: $342 billion in banking fines and $850 B erased in profits.

Process flow
- Change identification
- Change implementation
- Change communication
- Compliance source monitoring
- Applicability assessment
- Assessment impact

GRC integration with RSS feeds
- External feed 1 -> feed registry -> transformation -> get internal taxonomy -> regulatory alert
- External feed 2 -> feed registry -> transformation -> get internal taxonomy -> regulatory alert
- Example external feeds: PCI website; news room -> industry bulletins

Processing RSS feeds
- The RCM manager assigns the incoming regulatory alert record to the RCM coordinator (state: New).
- The alert is analyzed by the RCM coordinator: is a new impact assessment needed?
  - Yes -> state: Impact assessment; sent to the entity owner.
  - No -> state: In progress.
- Is the alert applicable? (decided by the RCM coordinator)
  - No -> state: Canceled.
  - Yes -> relate the citation; a change task is auto-generated -> assign the change task to the RCM manager -> the RCM coordinator responds to the change task and creates action tasks -> the compliance team completes and closes its action tasks, and the risk team completes and closes its action tasks -> the change task is closed.
- An action task is automatically generated for each related control objective.

RCM architecture
1. Provider [sn_grc_reg_change_provider]
2. Connection & Credential alias [sys_alias]
3. RSS feed integration to regulatory change: Feed source [sn_grc_rss_feed_source]
4. Flow Designer flow [Pull RSS feed to regulatory change]
5. Regulatory change management: regulatory feed [sn_grc_reg_change_regulatory_feed]

Primary table relationships: processing a feed
- State: New. Needs impact assessment?
  - Yes -> state: Impact assessment. The entity owner completes the impact assessment -> regulatory event impact context [sn_grc_reg_change_regulatory_event_impact_context] -> regulatory impact assessment [sn_risk_advanced_risk_assessment_instance] where table = RCM context.
- State: In progress. Regulatory alert [sn_grc_reg_change_regulatory_feed]: is the alert applicable?
  - Yes -> a change task is auto-generated: regulatory change task [sn_grc_reg_change_regulatory_task] -> the change task is assigned to the RCM coordinator -> the coordinator responds to the change task and creates action tasks -> an action task is auto-generated for each related control objective: action task [sn_grc_reg_change_regulatory_action_task].
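The feed pipeline (feed source -> provider taxonomy -> regulatory alert) and the alert states above, modelled as an added example in plain JavaScript. This is not ServiceNow code and not code from these notes: there are no Glide APIs, and the provider, feed source and RSS records, the identifiers "provider-a" and "pci-bulletins", and the field names are all constructed. The decision inputs stand in for the RCM coordinator's choices, and the change task is assigned to the coordinator as in the table relationships above.

```javascript
// Added example, not page or ServiceNow code: a minimal in-memory model of
// the RCM feed pipeline and of the regulatory alert states described above.

// Taxonomy values are assigned per provider, one or more per categorization class.
// Provider data is constructed.
const PROVIDERS = {
  "provider-a": {
    regulatory_bodies: ["PCI SSC"], jurisdictions: ["Global"], themes: ["Payments"],
    sectors: ["Financial services"], content_types: ["Bulletin"],
  },
};

// A feed source points at a provider; the flow pulls items from its URL (constructed).
const FEED_SOURCES = {
  "pci-bulletins": { provider: "provider-a", url: "https://feeds.example.invalid/pci.rss" },
};

// Constructed RSS items as the flow would hand them over after transformation.
const RSS_ITEMS = [
  { feed: "pci-bulletins", guid: "item-1", title: "Constructed bulletin: new requirement", published: "2023-10-01" },
  { feed: "unknown-feed", guid: "item-2", title: "Constructed item with no registered feed", published: "2023-10-02" },
];

// Feed registry -> transformation -> internal taxonomy -> regulatory alert (state New).
// Items from an unregistered feed are rejected rather than creating an untagged alert,
// so a misconfigured feed shows up as a gap instead of silently polluting the queue.
function ingestFeedItems(items) {
  const alerts = [];
  const rejected = [];
  for (const item of items) {
    const source = FEED_SOURCES[item.feed];
    if (!source) { rejected.push(item.guid); continue; }
    alerts.push({
      guid: item.guid, title: item.title, provider: source.provider,
      taxonomy: PROVIDERS[source.provider], state: "new", history: ["new"],
    });
  }
  return { alerts, rejected };
}

// RCM coordinator analysis. decisions = { needsImpactAssessment, applicable,
// relatedControlObjectives }. Returns the alert plus the records generated for it.
function processAlert(alert, decisions) {
  const out = { alert, impactAssessment: null, changeTask: null, actionTasks: [] };
  const setState = (s) => { alert.state = s; alert.history.push(s); };
  if (alert.state !== "new") throw new Error("alert must be in state new");
  if (decisions.needsImpactAssessment) {
    setState("impact assessment");
    // RAM-based impact assessment completed by the entity owner.
    out.impactAssessment = { alert: alert.guid, assessedBy: "entity owner" };
  }
  setState("in progress");
  if (!decisions.applicable) { setState("canceled"); return out; }
  // Applicable: the change task is auto-generated and assigned to the coordinator,
  // with one action task per related control objective.
  out.changeTask = { alert: alert.guid, assignedTo: "RCM coordinator", state: "open" };
  out.actionTasks = decisions.relatedControlObjectives.map((co) => ({
    changeTask: alert.guid, controlObjective: co, state: "open",
  }));
  return out;
}
```

The alert stays in In progress after the change task is generated; the notes above describe it being closed only once the compliance and risk teams have closed their action tasks.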

RCM configuration: feed process

Taxonomy configuration
- 5 categorization classes are provided in the baseline: regulatory bodies, content types, jurisdictions, themes, sectors.
- Used to assign and manage feeds; can be used to auto-assign feeds.
- Additional categorization classes can be added.
- Values should be updated; values are hierarchical.
- Related to a provider: multiple values within each category can be assigned to a provider.
- Incoming RSS records are assigned the provider's taxonomy values.
- Example providers: LexisNexis, Regology, Thomson Reuters.

Configure the assessment
- Requires the admin or risk admin role.
- Leverages the RAM (risk assessment methodology) available in Advanced Risk Assessment.
- The RAM is an object-based assessment -> factors, weightings and qualitative rating criteria are configurable.
- Event impact context -> single inherent assessment -> legal, reputational, financial, business.

Risk overview: classic vs advanced

| Area | Classic risk assessment (GRC: Risk Management) | Advanced risk assessment (GRC: Advanced Risk) |
| --- | --- | --- |
| Statement hierarchy | Single level | Multi level |
| Risk rollup | None | Assessment risk score rollup |
| Assessments | No impact on the risk score | Determines the risk score; the customer controls the formula used to calculate the risk score |
| Scope | Only scoped risks can be assessed | Scoped risks and objects can be assessed |
| Question types | All assessment questions must be either qualitative or quantitative | Allows a mixture of question types; integrates with other ServiceNow applications |

It is possible to leverage advanced risk multi-level hierarchy with classic risk assessments.

Configuration steps
1. Review and update properties -> dev team / admin team responsibility.
2. Review and update categories -> risk team provides content; dev team / admin team responsibility.
3. Create an import template for risk statements from the existing risk register -> risk team provides content; dev team / admin team responsibility.
4. Identify / create indicator templates and associate them to risk statements -> risk team provides content; dev team / admin team responsibility.
5. Identify and associate mitigating control objectives to risk statements -> risk team provides content.
6. Scope entity types with risk statements -> risk team provides content.
7. Set up risk assessment methodologies and relate them to entity classes -> risk team provides content; dev team / admin team responsibility.

Risk analogy
1. Inherent risk -> risk without mitigation actions.
2. Mitigation actions -> actions taken to decrease risk.
3. Residual risk -> risk that remains after mitigation action is taken.

Primary tables

GRC: Risk Management
- Document: sn_grc_document (GRC: Profiles)
- Content: sn_grc_content (GRC: Profiles)
- Risk framework: sn_risk_framework (GRC: Risk Management). Not relevant when using advanced risk: risk values don't roll up to the framework.
- Risk statement: sn_risk_definition (GRC: Risk Management)
- Item: sn_grc_item (GRC: Profiles)
- Risk: sn_risk_risk (GRC: Risk Management)
- Risk response task: sn_risk_response_task (GRC: Risk)
- Risk assessment instance (GRC: Advanced Risk)
- Indicator template: sn_grc_indicator_template; Indicator: sn_grc_indicator
- Entity type: sn_grc_profile_type; Entity: sn_grc_profile
- Related: Issue, Control

Relationships
- Indicator template --- M:M --- Indicator
- Risk statement (sn_risk_definition) --- 0:M --- Risk (sn_risk_risk)
- Entity type (sn_grc_profile_type) --- M:M --- Entity (sn_grc_profile)

If you don't migrate to advanced risk, the record lifecycle for a risk appears on the risk record.

After migration, the lifecycle appears on the risk assessment record.

Classic risk score methodology
- Measurement of risk: likelihood and impact.
- Scoring methods:
  - Qualitative (Low - High): impact and likelihood.
  - Quantitative ($200K - $600K): SLE and ARO; ALE and risk score.
- ALE = Impact x Likelihood.
- If there are no controls or indicators, then calculated ALE = residual ALE.
- Non-compliant controls and failed indicators feed the classic risk score calculation:

  residual ALE + ([inherent ALE - residual ALE] * [calculated risk factor / 100])
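The classic score formula above, carried through as an added example in plain JavaScript (not code from these notes or from ServiceNow). The currency values in the risk criteria map and in the sample risk are constructed, and the way the calculated risk factor is derived from non-compliant controls and failed indicators (the share of failures, as a percentage) is an assumption made for the example; the notes only state what feeds the factor, not how it is computed.

```javascript
// Added example, not taken from the page or from ServiceNow: the classic
// (GRC: Risk Management) risk score arithmetic expressed as plain functions.

// Constructed risk criteria: maps a qualitative rating to a currency value,
// which is what the risk criteria matrix does for qualitative -> quantitative
// conversion. The amounts are assumptions.
const RISK_CRITERIA = { Low: 200000, Medium: 400000, High: 600000 };

function quantify(rating, criteria = RISK_CRITERIA) {
  if (!(rating in criteria)) throw new RangeError("unknown rating: " + rating);
  return criteria[rating];
}

// ALE = SLE * ARO: the currency form of "impact x likelihood".
function annualLossExpectancy(sle, aro) {
  if (sle < 0 || aro < 0) throw new RangeError("SLE and ARO must be non-negative");
  return sle * aro;
}

// Calculated risk factor (0-100). Assumption for this example: the share of
// related controls that are non-compliant plus related indicators that failed.
// With nothing related the factor is 0, so the calculated score collapses to
// the residual ALE, matching the "no controls or indicators" rule above.
function calculatedRiskFactor(controls, indicators) {
  const total = controls.length + indicators.length;
  if (total === 0) return 0;
  const failed =
    controls.filter((c) => c.compliance === "non_compliant").length +
    indicators.filter((i) => i.result === "failed").length;
  return (failed / total) * 100;
}

// Classic risk score:
//   residual ALE + (inherent ALE - residual ALE) * (calculated risk factor / 100)
// factor 0   -> every mitigation holds, score = residual ALE
// factor 100 -> every mitigation has failed, score = inherent ALE
function classicRiskScore(inherentALE, residualALE, riskFactor) {
  if (riskFactor < 0 || riskFactor > 100) throw new RangeError("risk factor is a percentage");
  if (residualALE > inherentALE) throw new RangeError("residual ALE cannot exceed inherent ALE");
  return residualALE + (inherentALE - residualALE) * (riskFactor / 100);
}

// End-to-end scoring of one scoped risk.
function scoreRisk(risk) {
  const inherentALE = annualLossExpectancy(risk.inherentSLE, risk.inherentARO);
  const residualALE = annualLossExpectancy(risk.residualSLE, risk.residualARO);
  const factor = calculatedRiskFactor(risk.controls, risk.indicators);
  return { inherentALE, residualALE, factor, score: classicRiskScore(inherentALE, residualALE, factor) };
}

// Constructed sample risk: one of two controls non-compliant, one of two indicators failed.
const SAMPLE_RISK = {
  inherentSLE: quantify("High"), inherentARO: 2,  // 600000 * 2 = 1,200,000 inherent ALE
  residualSLE: quantify("Low"),  residualARO: 1,  // 200000 * 1 =   200,000 residual ALE
  controls: [{ compliance: "compliant" }, { compliance: "non_compliant" }],
  indicators: [{ result: "passed" }, { result: "failed" }],
};
```

Running `scoreRisk(SAMPLE_RISK)` gives a factor of 50 and a score of 700,000: the residual ALE plus half of the gap back up to the inherent ALE, which is the behaviour the formula describes when half of the monitoring has failed.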

Risk criteria matrix -> used to map qualitative to quantitative. Navigation: Risk -> Administration -> Risk criteria.

Configuration -> Assessment types: Risk -> Administration -> Assessment types.

Classic risk assessment with GRC: Advanced Risk features: by default the scoring method is quantitative; it can be set to qualitative via system properties.

Type of risk: inherent, residual, calculated.

Tolerance status / tolerance management configuration
- Admin:
  - Max number of levels for the risk hierarchy (default = 5).
  - Compare risk tolerance (default = sum).
- Content (risk team): acceptable and max ALE values, risk statements, entities.

Classic risk assessment
- Can only assess a scoped risk.
- Single assessment method: qualitative or quantitative.
- Depends on a single risk rating scale.
- A qualitative assessment still depends on relating the value to currency.
- Evaluating risk tolerance is currently only available with classic risk assessments; in Utah it is available for advanced risk.

Primary tables: GRC: Advanced Risk
- Factor: sn_risk_advanced_factor
  - Group factor: sn_risk_advanced_group_factor
  - Child factor: sn_risk_advanced_sub_factor (1:1)
  - Manual factor: sn_risk_advanced_manual_factor
  - Automated factor: sn_risk_advanced_automated_factor
    - Automated scripted factor: sn_risk_advanced_automated_script_factor
    - Automated query factor: sn_risk_advanced_automated_query_factor
- Risk assessment methodology: sn_risk_advanced_assessment_methodology --- 1:M --- Assessment type: sn_risk_advanced_assessment_type --- M:M (sn_risk_advanced_asmt_type_m2m_factor) --- Factor
- Assessment type records (Base): inherent assessment sn_risk_inherent_assessment; control assessment sn_risk_control_assessment; residual assessment sn_risk_residual_assessment

Key personas for workspaces

GRC: Risk Workspace application
- Operational risk manager (sn_risk_workspace.operational_risk_manager): contains sn_risk.manager, sn_compliance.manager, sn_audit.manager. Performs risk assessments, views heatmaps of risk assessments, views risk event related data.
- IT risk manager (sn_risk_workspace.it_risk_manager): contains sn_risk.manager, sn_compliance.manager, sn_audit.manager. Identifies risks to assess, creates key risk indicators, manages risk responses.
- Business operational risk manager (sn_risk_workspace.business_op_risk_manager): contains sn_risk.user, sn_compliance.user, sn_audit.user. Manages the risk posture of their specific BUs.

Risk Heatmap workbench
- Primary tool for risk reporting and analysis.
- Primary personas: risk managers, analysts, risk owners / business managers.

Options for finding uncertainties
1. Identify and automate risk generation
   - Develop a holistic enterprise risk program.
   - Identify and analyze threats and vulnerabilities: IT and operational risk.
   - Risk statements are related to entity types, which generate scoped risks -> create hierarchical relationships for management.
2. Gather information from entity owners / stakeholders
   - Can some risks get missed?
   - Who can provide more insight when new entities are generated?
   - What if an entity has a unique set of risks not relevant for its entity type?
   - Is there a case for standard risks?
   - Possible use case for a risk identification questionnaire: to discover risks that don't derive from a regulation or are unique to an entity, use the risk identification questionnaire.

Risk identification
- Can be used for entity onboarding to identify risks.
- Risk identification questionnaire:
  - Stored in assessment metric types.
  - Set up metric categories, metrics and weighting.
  - Select the table and conditions for assessable records.
  - An application assessment questionnaire is included in the baseline.

Risk identification configuration
- Set the configuration level as entity class or table.
- Set the target table.
- Select the identification questionnaire and respondent type.
- Determine additional properties.

Advanced Risk Assessment (ARA)

ARA roles
- Risk admin (sn_risk.admin)
- Risk manager (sn_risk.manager)
- Risk user (sn_risk.user)
- Risk reader (sn_risk.reader)
- ARA reader (sn_risk_advanced.ara_reader)
- ARA creator (sn_risk_advanced.ara_creator)
- GRC business user
- ARA assessor (sn_risk_advanced.ara_assessor)
- ARA approver (sn_risk_advanced.ara_approver)
- ARA admin (sn_risk_advanced.ara_admin)

To add ARA roles during an upgrade, enable the system property glide.ui_schedule_slushbucket_save_for_group_roles.

The implementation team uses the risk register spreadsheet to build the risk assessment methodology (RAM) for the operational risk assessment. The RAM uses qualitative scoring.

Factor types
- Manual factors -> require human responses because the questions are subjective and difficult to determine from data.
- Automated factors -> automatically fetch data from ServiceNow tables or databases and from publicly available data.
- Automated scripted factors -> use scripts to define how the factor fetches data, which is then used to fill in assessment responses.
- Group factors -> manual or automated factors that are grouped to create a combined score.

Each assessment is comprised of individual questions defined in the RAM, called factors, and each has its own contribution.
- Factors can contribute either to a numerical risk score (qualitative contribution) or to the calculation of annual loss expectancy (ALE) values (quantitative contribution).
- The factor contribution type can be qualitative, quantitative or both.
- Factors cannot be grouped until they are published.

Configure RAMs beyond factors

Enable advanced risk assessment
- To enable ARA, set the system property "Migrate to advanced risk assessments" to Yes: Advanced risk assessments -> Administration -> Properties.
- The migration affects the following forms: risk, entity, risk statement.
- Installing GRC: Advanced Risk Assessment does not automatically enable ARA.
- Class rule: Risk -> Administration -> Class rules. Table and Class are fields on the class rule; the class rule assigns a class to entities.
- After the class rule is created, run the scheduled job GRC Profile Generation.
- Entities: Risk -> Scoping -> All Entities.

Risk form: classic vs advanced
- Classic -> contains the assessment, scoring and response sections and the Calculated score field.
- Advanced -> when migrated to ARA, the assessment, scoring and response sections and the Calculated score field are removed; a new Assessment summary section becomes available, in which the assessment scores are displayed along with the risk response.
- If multiple methodologies are used for risk assessment, the system picks the default methodology from the selected entity class. The primary risk assessment methodology can be defined on the entity class.

Risk form: classic vs advanced (continued)
- Classic -> the Assessment field, Default scores section and Risk rollup and tolerance section are removed with ARA.
- Advanced -> related links options removed; a new related list, Aggregate risk, is added.

RAM configuration: set the assessment context
- Assess: an assessment can assess a risk scoped with an entity, or any ServiceNow record (object).
- Entity classes: if assessing a risk, select the entity classes that use this RAM. The primary RAM is set on the entity class records.
- Table: appears when the Assess field is set to Object.

RAM configuration: select assessment types
1. Inherent risk: risk levels without controls or mitigating actions.
2. Control effectiveness: assesses the effectiveness of mitigating controls to prevent, detect or correct the risk.
3. Residual risk: leftover risk after implementation of controls.

When a RAM template is defined it can include a single assessment type or any combination of the three available assessment types.

During an ARA the assessor can assess three different assessment types: inherent risk, control effectiveness and residual risk.

RAM configuration: reference information
- This section appears only if the Assess field has the value Risk.
- Enabling these options shows the reference information on the risk assessment instance: show related risk events, show related risk indicators, show open issues.

Other configurations (RAM configuration)
- Allow override of results: option to enable users to override the computed scores and ALE during risk assessment.
- Show previous assessments: option to show the previous assessments on the risk assessment instance.
- Advanced reminder (days): the number of days before the due date at which the assessor gets a notification.
- Risk identification: method to identify risks in the risk assessment scope.
- Copy of previous responses: option to copy factor responses and comments whenever a reassessment is performed.
- Enable risk response: option to enable the risk response tab on the risk assessment instance for risk-based assessments.
- Overdue reminder (days): number of days after the due date during which reminder emails are sent.

Rollup configuration
- Risk statement aggregation: how should multiple assessments of the same RAM roll up?
  - Quantitative -> Sum, Average, Max, Minimum.
  - Qualitative -> Average, Max, Minimum.

Associate factors to assessment types (RAM configuration on each assessment type record)
- Inherent assessment -> assessment contribution: qualitative, quantitative.
  - Scoring logic: calculation method to derive the risk score from the factor answers.
  - Qualitative rating criteria: translate the risk score to a risk rating.
- Control effectiveness -> control assessment options: general or specific.
  - Control identification (applies when assessing specific controls): from library and ad-hoc options.
  - Consequences; qualitative rating criteria.
- Residual assessment -> calculation basis:
  - Residual factor responses, or
  - Calculation based on inherent risk and control effectiveness; options: matrix, subtract or divide.

Building a RAM
1. Determine factors and contribution.
2. Create the RAM in Draft.
3. Build out assessment types.
4. Complete configuration.

Baseline IT risk assessment methodology details (applies to business apps, hardware, software IT assets)

Inherent risk -> impact, likelihood
- Impact: insignificant, minor, moderate, major, catastrophic.
- Likelihood: rare, unlikely, possible, likely, almost certain.
- Rating criteria conversion:
  - 0-2 -> Very low
  - 3-4 -> Low
  - 5-9 -> Moderate
  - 10-16 -> High
  - 17-25 -> Very high

Control assessment
- Control effectiveness: ineffective, needs improvement, effective.
- Overall control effectiveness:
  - 0-1 -> effective
  - 1.1-2 -> partially effective
  - 2.1-3 -> effective

Residual risk
- Matrix of inherent and control.
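The baseline IT methodology above (impact and likelihood factors, the rating criteria conversion, overall control effectiveness and the residual basis options), together with the rollup methods from the Rollup configuration section, carried through as one added example in plain JavaScript. It is not ServiceNow code and not code from these notes. Assumptions made here: the inherent score is impact times likelihood on a 1-5 scale each (consistent with the 0-25 rating bands, but the notes do not state the operator); per-control ratings are scored 1, 2 and 3; the 0-1 overall band is treated as ineffective (the notes list that band with the same label as the top band); and the residual matrix is a constructed rule (effective controls lower the inherent rating two levels, partially effective one, ineffective none), not the product's baseline matrix.

```javascript
// Added example, not page or ServiceNow code: the baseline IT RAM scoring
// walked through as plain functions, with the residual "calculation basis"
// options (matrix, subtract, divide) and the rollup methods above.

const IMPACT = { insignificant: 1, minor: 2, moderate: 3, major: 4, catastrophic: 5 };
const LIKELIHOOD = { rare: 1, unlikely: 2, possible: 3, likely: 4, "almost certain": 5 };
const RATINGS = ["very low", "low", "moderate", "high", "very high"];

// Rating criteria conversion from the notes: 0-2 very low, 3-4 low,
// 5-9 moderate, 10-16 high, 17-25 very high.
function toRating(score) {
  if (score < 0 || score > 25) throw new RangeError("score out of range: " + score);
  if (score <= 2) return "very low";
  if (score <= 4) return "low";
  if (score <= 9) return "moderate";
  if (score <= 16) return "high";
  return "very high";
}

// Inherent risk = impact x likelihood (assumption: product of the 1-5 values).
function inherentScore(impact, likelihood) {
  if (!(impact in IMPACT) || !(likelihood in LIKELIHOOD)) throw new RangeError("unknown factor value");
  return IMPACT[impact] * LIKELIHOOD[likelihood];
}

// Control assessment: each control rated ineffective (1), needs improvement (2)
// or effective (3); overall value is the average on the 0-3 scale (assumption).
const CONTROL_RATING = { ineffective: 1, "needs improvement": 2, effective: 3 };
function overallControlEffectiveness(controlRatings) {
  if (controlRatings.length === 0) return 0;
  const sum = controlRatings.reduce((acc, r) => {
    if (!(r in CONTROL_RATING)) throw new RangeError("unknown control rating: " + r);
    return acc + CONTROL_RATING[r];
  }, 0);
  return sum / controlRatings.length;
}
// Bands: 1.1-2 partially effective, 2.1-3 effective; the 0-1 band is treated
// as ineffective here (assumption, see the lead-in).
function controlEffectivenessRating(value) {
  if (value > 2) return "effective";
  if (value > 1) return "partially effective";
  return "ineffective";
}

// Constructed residual matrix: how many rating levels the controls take off.
const MATRIX_DROP = { effective: 2, "partially effective": 1, ineffective: 0 };
function residualRating(inherentRating, controlRating) {
  const idx = RATINGS.indexOf(inherentRating);
  if (idx < 0 || !(controlRating in MATRIX_DROP)) throw new RangeError("unknown rating");
  return RATINGS[Math.max(0, idx - MATRIX_DROP[controlRating])];
}

// Residual calculation basis options from the RAM configuration section.
function residualScore(inherent, controlEffectiveness, basis) {
  switch (basis) {
    case "subtract": return Math.max(0, inherent - controlEffectiveness);
    case "divide": return controlEffectiveness > 0 ? inherent / controlEffectiveness : inherent;
    case "matrix": return residualRating(toRating(inherent), controlEffectivenessRating(controlEffectiveness));
    default: throw new RangeError("unknown calculation basis: " + basis);
  }
}

// Risk statement aggregation across several assessments of the same RAM.
function rollupQuantitative(scores, method) {
  if (scores.length === 0) throw new RangeError("nothing to roll up");
  switch (method) {
    case "Sum": return scores.reduce((a, b) => a + b, 0);
    case "Average": return scores.reduce((a, b) => a + b, 0) / scores.length;
    case "Max": return Math.max(...scores);
    case "Minimum": return Math.min(...scores);
    default: throw new RangeError("unknown rollup method: " + method);
  }
}
// Qualitative rollup works on the rating's position in the scale; Sum is not offered.
function rollupQualitative(ratings, method) {
  if (method === "Sum") throw new RangeError("Sum is not available for qualitative rollup");
  const idx = ratings.map((r) => RATINGS.indexOf(r));
  if (idx.some((i) => i < 0)) throw new RangeError("unknown rating");
  return RATINGS[Math.round(rollupQuantitative(idx, method))];
}
```

With a major impact and likely likelihood the inherent score is 16 (High); partially effective controls bring the matrix result down to Moderate, while the subtract and divide bases give 14 and 8 on the numeric scale. The three bases give materially different residual pictures from the same inputs, which is why the basis chosen in the RAM should be agreed with the risk team before assessments are published.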

RAM maintenance

RAM rules and notes

| Maintenance type | Rule | Notes |
| --- | --- | --- |
| Change RAM components that don't impact the risk score | Components that don't impact the risk score are editable even when the RAM is published | Example RAM changes that don't impact risk scoring: reference info, other config options. Example factor changes: factor guidance can be updated; choice field display values can be edited. |
| Change RAM components that impact risk scoring | Published RAMs with assessments in Monitor or Closed state can't be edited | Non-prod: assessment instances should be deleted if in Monitor or Retired state; assessments in other states should be canceled. Prod: a new RAM should be developed; when the old RAM is retired, its assessment instances are closed. Assessment instances can only be canceled if not in Monitor state (cancel from the My assessable entities related list). Assessments are closed when new assessments are initiated; in the baseline, assessments can't be manually closed. |

Setting the primary RAM
- The Primary field is on the entity class record.
- An entity can be assessed in conjunction with a number of risks, and each of those risks can be assessed using different RAMs.
- To determine which summary appears on the entity record, the system looks at the Primary field on the entity class record; an entity class can have only one primary RAM.
- The primary risk assessment methodology also controls the lifecycle of the risks linked to the entity; it is essentially the main methodology used to report risk posture.
- Since a risk rating is a subjective assessment, different stakeholders may have different perspectives; it is important to capture that through the use of multiple RAMs. An auditor's assessment of a risk may differ from the enterprise risk management perspective.
- In the workspace, users can toggle between different RAMs to see the different viewpoints.

Risk rollup configuration
- Rollup by entity and by risk statement.
- The risk rollup is displayed as an aggregate, in the format defined in the RAM.
- Summary information can be found in the set of aggregated risk reports; detailed information can be found on the risk statement and on entity records.

RAM configuration: object-based assessment
- Ad hoc: users can perform the assessment through a UI action.
  1. Set the RAM assessment context to Object.
  2. Identify the table for the object.
  3. Create a UI action on the table.
  4. Configure the UI action.
  5. The assessment can then be initiated from the UI action button on the record.
- Event-driven: users can perform the assessment based on some event.
  - Requires setting up the APIs createRiskAssessment and getRiskAssessmentResults.
  - Recommended to use either Flow Designer or a business rule to leverage the APIs.

It is also possible to initiate a risk-based assessment through trigger-based risk assessment.

Risk evaluation and treatment

Advanced risk assessment lifecycle (the assessment type states match the RAM definition)
- Ready to assess -> when an assessment is scoped for a risk or an object, the first state is Ready to assess.
  - A delegate can be assigned for the risk assessor for a specific amount of time.
  - Requires the sn_risk_advanced.ara_creator role to initiate an assessment and assign the assessor.
  - Requires the sn_risk_advanced.ara_assessor role to assess.
- Assessment types -> depending on the RAM definition, the states Inherent assessment, Control assessment and Residual assessment are included in the lifecycle.
  - Requires the sn_compliance.user role to create controls and add controls ad hoc or from the library during the Control assessment state.
- Respond -> optional state that is configured in the RAM.
- Awaiting approval -> optional; requires the sn_risk_advanced.ara_approver role to approve.
- Monitor -> the risk assessment is automatically moved to this state after the assessment is approved.

Roles needed to perform ARA tasks: sn_risk_advanced.ara_creator, sn_risk_advanced.ara_reader, sn_risk_advanced.ara_approver, sn_risk_advanced.ara_assessor.

Risk record workflow with advanced risk assessment
The risk progresses through states based on the risk assessment outcomes from the primary RAM.
- Draft -> the risk is created in Draft state; the objective in this state is to map and identify the risks pertaining to your org. If you modify the entity or the primary RAM for a risk, the state of the risk is updated based on the primary RAM's latest assessment.
- Assess -> state of the risk when an advanced risk assessment is initiated and being performed.
- Respond -> state of the risk when a risk response task is in progress; once the risk response task is closed the risk is automatically moved to Monitor.
- Monitor -> state of the risk when it has been assessed and the response task is closed. If KRIs are defined through GRC: Metrics, they are executed to monitor the risk.
- Retired -> state of the risk when it is no longer valid but the org wants to keep a system of record for audit purposes.

Risk treatment
- Lifecycle: Ready to assess -> assessment types -> Respond -> Awaiting approval -> Monitor.
- The response value determines the type of task that gets assigned as the risk response task.
- Risk response records are manually created while the risk is in the Respond state:
  - Accept -> risk acceptance
  - Mitigate -> risk mitigation
  - Avoid -> risk avoidance
  - Transfer -> risk transfer
- Risk response lifecycle: Draft, Work in progress, Review, Closed.
- The risk response workflow is not available for object assessments.
- The baseline My approvals module is only available for users with the approver_user role.
- 4 risk tables extend the sn_risk_advanced_task table.

Risk integrations
*****************

Leveraging the advanced risk assessment engine:

| GRC: Privacy Management | GRC: Regulatory Change Management |
| --- | --- |
| Identify assets that pose the highest risks and ensure appropriate levels of controls are implemented to mitigate those risks | Assess the impact of a regulatory change with an impact assessment (RAM) |

Perform ARAs with a limited set of features.

Privacy management users can only have two active risk assessment methodologies with limited ARA.

Project risk management: PPM + Advanced Risk

APM + Advanced Risk

APM integration
- A business app is created (application owner) -> auto-creates an entity in GRC.
- -> initiates the questionnaire to the application owner.
- -> respond to the questionnaire (app owner).
- -> review responses (risk manager).
- -> review and sign off inherent risks (business owner).
- -> based on the inherent rating, additional controls are mapped.
- -> execute the recommendation engine to suggest policies, risks and citations.
- -> map the corresponding risks, policies and citations (risk manager).
- -> auto-maps the corresponding controls.
- -> map the baseline controls which need to be implemented.
- -> work with stakeholders to implement the controls (app owner).
- -> attest the controls implementation (app owner).
- -> respond to manual control indicators (app owner).
- -> monitor app risk and compliance with OOB dashboards (risk manager).

Continuous monitoring design
- Determine monitoring scenarios.
- Configure indicator templates.
- Associate indicator templates with control objectives and/or risk statements to generate control and/or risk indicators when scoped.
- Execute indicators for real-time monitoring results of controls / risks.

Monitoring use cases
1. Customer service -> data subject rights requests; market conduct research.
2. Employee experiences -> ethical compliance; workforce resilience.
3. Digital / IT transformation -> cyber risk and security controls; continuously monitor IT compliance; continuously monitor IT risk; ensure DevOps app compliance.
4. Legal and finance -> financial compliance monitoring; manage privacy risk and compliance.

Technology controls content pack
- Continuously monitor 109 CIS and ISO 27002 based control points in Now products.
- Contains: authority documents for CIS controls; associated citations, policy and control objectives for 191 CIS controls; 191 indicator templates, both basic and manual, mapped to UCF IDs.
- Meant to improve cyber hygiene and the successful operation of an information security management system (ISMS).

Compliance data source registry (CDSR) / Policy as a Code Engine (PaCE)
- Ability to associate control objectives with equivalent policies / checks from other ServiceNow apps.
- Ability to generate entities and controls based on that association, to understand compliance posture.
- Ability to request policy exceptions from other ServiceNow apps.
- Automated reviews and compliance monitoring, due to automated checks and controls = reduction in manual reviews.
- Automated audit evidence collection.
- Real-time risk and compliance visibility.
- Increased velocity of employee workflows.

Configuration compliance: continuous controls monitoring for configuration compliance
- Secure Configuration Assessment application: aggregates scan results from integrations with configuration scanning apps (Qualys, Tenable, Rapid7 etc.).
- Risk: continuously monitor the imported scan results from third-party apps to validate compliance and manage risk against various standards.
- Continuous compliance monitoring: "better together" with Configuration Compliance and Security Operations.
- Property: sn_compliance_auto_create_profile_and_control.
- If a user closes an issue on the GRC side it may reflect an invalid compliance state, since the issue state depends on the scan results coming in from Configuration Compliance.
- If an entity already exists the integration uses the existing entity; if it does not exist, one is auto-created from Qualys (or another monitoring tool).

Continuous risk monitoring
- Lower first-line burden through automated control testing.
- Auto-test operational effectiveness on a periodic basis.
- Use data from across the ServiceNow ecosystem to systematically gather and store evidence.
- Escalate issues to control owners when a failure condition is detected.
- Reuse CCM results for audit testing.
- Better together with Vulnerability Response and Security Operations.

Continuous monitoring: better together with HRSD.

Indicator architecture and configuration
- 3 types: manual, basic, script.
- Indicator templates are associated with one or more control objectives or risk statements; a template can't be related to both a control objective and a risk statement.
- Basic indicators can leverage ServiceNow tables in non-GRC scoped apps; when leveraging non-GRC tables, the indicator template must identify a cross-reference field back to entities.
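What the cross-reference requirement above means in practice, as an added example in plain JavaScript (not ServiceNow code and not code from these notes): a basic indicator template that reads rows from a non-GRC table can only produce a per-entity result if every row carries a field pointing back to the entity. The table name, the field names, the patch-age condition and the rows are all constructed for the example.

```javascript
// Added example, not page or ServiceNow code: a basic indicator evaluated over
// rows from a non-GRC table, grouped back to entities through a cross-reference field.

// Constructed rows from a non-GRC table; "managed_entity" is the cross-reference
// field that links each row to a GRC entity (sn_grc_profile).
const SERVER_ROWS = [
  { name: "srv-01", managed_entity: "ENT-APP-1", days_since_patch: 12 },
  { name: "srv-02", managed_entity: "ENT-APP-1", days_since_patch: 45 },
  { name: "srv-03", managed_entity: "ENT-APP-2", days_since_patch: 3 },
  { name: "srv-04", managed_entity: "", days_since_patch: 90 }, // no cross reference
];

// A basic indicator template: which table, which field points back to the
// entity, and the condition a row must satisfy for the control to hold.
const INDICATOR_TEMPLATE = {
  name: "Servers patched within 30 days",
  table: "constructed_server_table",
  crossReferenceField: "managed_entity",
  passes: (row) => row.days_since_patch <= 30,
};

// Runs the template over the rows and produces one indicator result per entity.
// Rows without a cross-reference value cannot be attributed to any entity and
// are reported separately, so the gap is visible rather than silently ignored.
function runBasicIndicator(template, rows) {
  const perEntity = new Map();
  const unattributed = [];
  for (const row of rows) {
    const entity = row[template.crossReferenceField];
    if (!entity) { unattributed.push(row.name); continue; }
    if (!perEntity.has(entity)) perEntity.set(entity, { entity, checked: 0, failing: [] });
    const r = perEntity.get(entity);
    r.checked += 1;
    if (!template.passes(row)) r.failing.push(row.name);
  }
  const results = [...perEntity.values()].map((r) => ({
    ...r, result: r.failing.length === 0 ? "passed" : "failed",
  }));
  return { indicator: template.name, results, unattributed };
}
```

For the constructed rows the indicator fails for ENT-APP-1 (srv-02 is 45 days behind), passes for ENT-APP-2, and lists srv-04 as unattributed; the last case is the one to watch for, because a row that no entity owns never changes any control's status.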

GRC: Metrics: the future of risk continuous monitoring
1. Enables threshold-based monitoring of key risks and controls and alerts the respective owners on changes to risks and controls.
2. Automates mundane metric data collection tasks, which saves employee time.
3. Efficiently monitors and shares risk information across the org.

Indicators vs metrics
- Indicators -> primarily used for automated continuous control assessments and not for risk and control monitoring; primarily designed and needed for continuous control assessments, hence not part of Metrics.
- Metrics -> unique features, aligned to risk and control monitoring.

Key types of metrics: KRIs, KCIs, KPIs.

Explore and configure issues

Issue overview and architecture
- Issue management: issue intake and triage.
- Issues can include operational risk events, regulatory compliance violations, security breaches etc.
- Issues can be identified by any of the 3 lines of defense, as well as by external sources such as consumer complaints or regulatory examples.
- Lifecycle: New -> Analyze -> Review (optional) -> Closed.
- Single point of entry for end users to report a compliance / risk issue from the Employee Center; based on various questions, an issue can be identified as a compliance / risk issue or as a risk event, if that capability is installed.

Roles
- The GRC business user role is contained by other roles such that it is ultimately included in the compliance and risk user, manager and admin roles.
- Triage user, Triage manager.
- Admin -> issue rating.
- GRC admin -> admin -> properties.

Primary table relationships
**************************

GRC: Advanced Core and GRC: Profiles
- Task (Global) -> Triage (GRC: Advanced Core): sn_grc_advanced_triage -> Issue triage (GRC: Advanced Core): sn_grc_advanced_issue_triage
- Planned task (Global) -> Issue (GRC: Profiles): sn_grc_issue

Issue management
- Issue triage -> significant data-driven options:
  - Classification, issue type.
  - Significant number of notifications in the baseline.
- Issue -> minimal record lifecycle in the baseline; no approval process.
  - Rules associated with issue grouping.
  - Some notifications in the baseline.
  - Optional: set up evidence collection.

Issue configuration
- GRC: Profiles scope: Policy and Compliance -> Administration -> GRC Properties.
  - Due date auto-population based on issue rating: sn_grc.auto_populate_due_date_based_on_issue_rating
  - Auto-close when all remediation tasks are closed: sn_grc.automatically_close_issue_when_all_tasks_closed
- GRC: Advanced Core scope: Issue Triage -> Administration -> Properties.
  - sn_grc_advanced.enable_my_issues_hide_my_reported_issues (default: Yes). Setting it to No skips the issue triage process; users can create issues directly. Impacts both the Service Portal and the Employee Center.

Self-reported triage issue configuration
- Triage issue assignment rules.
- Guideline to customize self-reported issue triage:
  1. Issue types drive where the triage issue appears.
  2. Portal form: record producer "Report issue" (GRC: Advanced Core); modify the questions presented to the user; initial assignment at classification.
  3. Client script: onChange action for issue type.

Issue configuration -> smart issue assignment
Configuration steps:
1. Install GRC: Predictive Intelligence [sn_grc_pred_intel].
2. Train the solution definition.
3. Set the issue assignee suggestion based on property to similarity analysis [sn_grc_pred_intel:issue_assignee_suggest].
4. Machine learning solution for prediction of issue assignee [sn_grc_pred_intel.mi_solution_for_issue_assigned_to]; default value: ml_x_sn_grc_pred_intel_global_similarity_solution_definition_for_assigned_to_for_issue.
- Navigation: Predictive Intelligence -> Similarity -> Solution definitions.

Regulatory change management - To Do
************************************

Classic risk fundamentals
*************************

Covered above in the risk section.

Audit management essentials
***************************

An audit provides a “window” into GRC data, specific to the engagement the auditor is reviewing.

The objectives of audit management are to ensure that:
- risks are appropriately identified and quantified;
- controls are designed in a way that effectively reduces the identified risks;
- controls are properly monitored for operating effectiveness;
- control deficiencies are identified and remediated.

The Audit Management and Advanced Audit Management applications allow users to plan and schedule audits, conduct resource planning, scope engagements, conduct audit activities, review continuous monitoring results, and report findings.

During an audit the entity is picked, not the entity type. When an audit is scoped to a specific entity, all the risk and compliance data is leveraged; an audit report is used to share the findings.

Advanced auditaudit plansauditable unitsmilestonesobservations

PPM integration for resource planning

Audit Plans and Engagements

An audit plan helps to manage different types of audits in a periodic manner and group engagements in a logical manner.

An audit engagement is an audit project that may include audit tasks that accomplish a set of objectives or goals.

Audit engagement -> scoped with an auditable unit or entity
selecting an entity automatically associates all of the following with the engagement:
- risks related to the entity
- controls related to the entity
- test plans related to those controls
- indicator results related to those controls

audit tasks -> provide documented evidence that the associated control is operating correctly.
possible types of tasks: control tests, interviews, walkthroughs, activities

test templates and plans -> a test plan is an audit test that applies to a control
- design test
- operation test

audit engagement lifecycle: scope -> validate and plan -> field work -> awaiting approval -> follow-up -> closed

Personas:
- audit manager (sn_audit.manager) -> sn_grc.manager + sn_audit.user
- audit user (sn_audit.user) -> sn_grc.user + sn_compliance.user + sn_risk.reader
- external auditor (sn_audit.external_auditor)
- finance manager (auditee)
- audit admin (sn_audit.admin) -> sn_audit.manager + sn_grc.admin
- audit developer (sn_audit.developer) -> sn_audit.admin + sn_grc.developer
- engagement project manager (sn_audit_advanced.engagement_project_manager) -> sn_audit.manager + resource_manager + it_project_manager
- auditor (sn_audit_ws.auditor) -> sn_audit.user
- audit supervisor (sn_audit_ws.supervisor) -> sn_audit_ws.auditor + sn_audit.manager
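The persona hierarchy above, as an added example (not code from these notes or from ServiceNow): the role containment rules modelled as a graph in plain JavaScript, so each persona's effective role set can be computed and the smallest persona that covers a given need can be picked. Roles whose contents the notes do not list are treated as leaves, and the function names are assumptions of this example.

```javascript
// Added example (not from the original notes): the audit-persona role
// containment listed above, modelled as a graph so the effective role set
// of each persona can be computed and least-privilege choices checked.
// Only edges stated in the notes are modelled; roles whose contents the
// notes do not list (e.g. sn_grc.admin, resource_manager) are leaves here.
const ROLE_CONTAINS = {
  'sn_audit.manager': ['sn_grc.manager', 'sn_audit.user'],
  'sn_audit.user': ['sn_grc.user', 'sn_compliance.user', 'sn_risk.reader'],
  'sn_audit.external_auditor': [],
  'sn_audit.admin': ['sn_audit.manager', 'sn_grc.admin'],
  'sn_audit.developer': ['sn_audit.admin', 'sn_grc.developer'],
  'sn_audit_advanced.engagement_project_manager':
    ['sn_audit.manager', 'resource_manager', 'it_project_manager'],
  'sn_audit_ws.auditor': ['sn_audit.user'],
  'sn_audit_ws.supervisor': ['sn_audit_ws.auditor', 'sn_audit.manager'],
};

// Transitive closure: every role a holder of `role` effectively has,
// including `role` itself. The visited set makes it cycle-safe.
function effectiveRoles(role, graph = ROLE_CONTAINS) {
  const seen = new Set();
  const stack = [role];
  while (stack.length) {
    const r = stack.pop();
    if (seen.has(r)) continue;
    seen.add(r);
    for (const child of graph[r] || []) stack.push(child);
  }
  return [...seen].sort();
}

// True when any granted role contains `required`, directly or by inheritance.
function hasRole(granted, required, graph = ROLE_CONTAINS) {
  return granted.some((g) => effectiveRoles(g, graph).includes(required));
}

// Least privilege: the persona whose effective set covers every `needed`
// role while granting the fewest roles overall; null if none covers it.
function leastPrivilegedRole(needed, graph = ROLE_CONTAINS) {
  let best = null;
  for (const candidate of Object.keys(graph)) {
    const eff = effectiveRoles(candidate, graph);
    if (!needed.every((n) => eff.includes(n))) continue;
    if (best === null || eff.length < best.size) {
      best = { role: candidate, size: eff.length };
    }
  }
  return best && best.role;
}
```

Running `effectiveRoles('sn_audit.developer')` shows the developer persona carries ten roles through inheritance, which is why it should be granted sparingly.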

Common configuration request for external auditors: grant external auditors direct access to audit management.

auditable units -> sn_audit_advanced_auditable_unit
- entities are automatically created from the Entity Filter for the sn_audit_advanced_auditable_unit table
- data can be imported to auditable units via data load

risk assessments -> Advanced Risk Assessment can further enhance audit processes

common controls -> the common control feature was introduced to reduce the proliferation of shared controls and allow the inheritance of the control test results or the results of the control compliance by other entities.

Primary and Reliant Entities

A common control has a primary entity associated with it. Other entities associated with this common control are then referred to as the reliant entities.

However, the primary entity of that common control is not scoped into the engagement automatically just because the reliant entity was.

When audit tasks, such as an interview, are created or reassigned, a notification is sent to the assigned user. A notification is also sent when the task reaches 75% of its planned duration.

These are the only base system notifications for audit management.

Milestones

Milestones are created for an engagement to track its progress. They are part of Advanced Audit.

Pending Patch

There could be many risks associated with a pending patch update. Instead of opening an issue for each risk, all of these risks could be related to one issue.

Issue Relationship Configuration

If a risk is related to an issue, then the entity of that risk will automatically be associated to that issue. Through GRC Administration > Issue Relationship Configuration, administrators can control which items will be automatically related to an issue.

Audit Report Templates

To access the audit report templates, navigate to Audit > Audit Report Templates

Enable Record Confidentiality

Enable the sn_grc.enable_record_confidentiality system property in the GRC: Profiles application scope.

GRC regulatory change management essentials
******************************************

On average, an organization adheres to three to ten regulations. Regulations are stored in the Authority document [sn_compliance_authority_document] and Citation [sn_compliance_citation] tables. Relationships are mapped between citations and an organization's policies and control objectives, which are stored in the Policy [sn_compliance_policy] and Control objective [sn_compliance_policy_statement] tables.

GRC fundamentals

****************

Authority document -> name, version, date -> its paragraphs are called citations
- PCI citation example -> authorizing visitors where cardholder data is maintained.

Control objective -> Policy
- some are driven by one or multiple regulations
- some are driven by org culture
- to be related to the citation that it addresses
- compliance is measured at the control objective

Risk framework -> Risk -> what risk to manage

Entity types -> entities -> locations -> vendor -> entity classes
- controls / risks are generated from them

scoping -> control objective scoped with entity type -> location

risk and control owners -> monitor and review -> test plans and indicators -> monitor controls
- indicator templates
- indicator -> manual -> automated
- issue

assessments -> control attestation -> risk assessment

risk response task -> manage, mitigate, avoid, accept

Orgs relate controls to risks; control effectiveness allows owners to identify areas that have risks.

audit management -> select entities not entity types

scoped with specific entities

Advanced audit-> audit plan

-> PPM integration for resource planning

Compliance team
- compliance admin: sn_compliance.admin
- compliance manager: sn_compliance.manager
- compliance user: sn_compliance.user

Regulatory change management
- regulatory change admin: sn_grc_reg_change.admin
- regulatory change manager: sn_grc_reg_change.manager
- regulatory change user: sn_grc_reg_change.user

Risk team
- risk admin: sn_grc_risk.admin
- risk manager: sn_grc_risk.manager
- risk user: sn_grc_risk.user

Audit team
- audit admin: sn_audit.admin
- audit manager: sn_audit.manager
- audit user: sn_audit.user

GRC business users -> complete the activities that the compliance and risk teams need done, e.g. application owner, head of government sales
- role: sn_grc.business_user

workspaces
- compliance workspace -> compliance manager
- risk workspace -> risk manager
- audit workspace -> audit manager

360 degree view of a control objective

Create an entity framework -> people, places or objects that need to be monitored in order to manage risk, track control compliance and be reviewed as part of audit engagements.

Relationship b/w entities, entity types and entity classes
- entity types and entities are used to scope an organization.
- entity types are dynamic categories containing one or more entities.
- they are associated to policies, control objectives, risk frameworks and risk statements.
- entities can belong to more than one entity type.

entity classes
- an entity can be part of many entity types but can be part of only one entity class
- entity types can have entities that belong to various entity classes
- entity classes can have their own hierarchy

entity tiers
- a way to logically group entity classes and then filter reports by those groupings.

Entity types
- it is recommended to use core tables when creating entity types: cmn_, sys_, cmdb_ci, core_
- values of class, owner and other fields that are defined in the entity filter are passed to the respective entities generated via that entity filter.

Original source: https://www.servicenow.com/community/now-platform-blog/servicenow-certified-implementation-specialist-integrated-risk/ba-p/2707002