Policy and Compliance 25% Flashcards

1
Q

Which of the following tables are in the GRC: Policy and Compliance scope? (Select all that apply)

a. Issue
b. Control
c. Risk
d. Citation

A

b. Control

d. Citation

2
Q

Can you nest or stack Policy records?

a. True
b. False

A

a. True

3
Q

Can you nest or stack Control Objectives?

a. True
b. False

A

b. False

4
Q

GRC Knowledge articles are used by employees to understand the company policies. What GRC record generates the Knowledge article once it is approved?

a. Authority document
b. Citation
c. Policy
d. Control Objective
e. Risk
f. Risk statement / Risk template

A

c. Policy

5
Q

If an Entity record is inactivated, which of the following happens?

a. Entity records are deleted
b. Controls associated with the Entity are deleted
c. Controls associated with the Entity are retired
d. There is no change to Test Plans
e. There is no change to Risks

A

c. Controls associated with the Entity are retired

6
Q

Which of the following is not a table in the Policy and Compliance scope?

a. Policy
b. Authority Document
c. Issue
d. Control

A

c. Issue

7
Q

Multiple Citations can be satisfied and measured once by relating multiple citations to what Table/record?

a. Controls
b. Policy
c. Control Objective

A

c. Control objective

8
Q

What table does not have a state lifecycle?

a. Policy
b. Control Objective
c. Policy Exception
d. Control

A

b. Control objective

9
Q

What is the name of the Control Objective table?

a. sn_compliance_control_objective
b. sn_compliance_statement
c. sn_compliance_policy_statement
d. sn_grc_policy_statement

A

c. sn_compliance_policy_statement

10
Q

Service Level Agreements can easily be set up against all the major tables in the GRC applications.

a. True
b. False

A

b. False

11
Q

Which of the following Roles can move a policy from Review into Awaiting Approval? Select all that apply.

a. Policy Owner
b. Compliance Manager
c. Named Reviewer
d. Admin

A

a. Policy Owner

c. Named Reviewer

12
Q

Which of the following records has a life cycle? Select all that apply.

a. Policy Exception
b. Policy
c. Policy Acknowledgement
d. Control
e. Control Objective
f. Issue

A

a. Policy Exception
b. Policy
c. Policy Acknowledgement
d. Control
f. Issue

13
Q

When an attestation is completed, the Control remains in the Review state until a compliance officer reviews the attestation results.

a. Yes
b. No

A

a. Yes

14
Q

If a Control is set back to Draft, the attestation is canceled

a. Yes
b. No

A

a. Yes

15
Q

Issues can be related to which of the following? Select all that apply.

a. Entities
b. Entity Types
c. Controls
d. Control Objectives
e. Risk Statements
f. Risks

A

a. Entities
c. Controls
d. Control Objectives
e. Risk Statements
f. Risks

Issues do not apply to Entity Types.

16
Q

Any GRC user can move an Issue into the Analyze state

a. Yes
b. No

A

a. Yes

17
Q

Which of the following triggers Issue creation? Select all that apply.

a. Indicator Results
b. Attestations
c. Control Tests
d. Manual
e. Continuous Monitoring

A

All of the above:

a. Indicator Results - Failed or Not Passed
b. Attestations - if result is Not Implemented
c. Control Tests - if Ineffective
d. Manual - created manually by any compliance, risk, or audit user
e. Continuous Monitoring - based on Configuration Test scanning

18
Q

Which of the following has a lifecycle that does not use buttons to move from one state to the next, with the user selecting the state from a dropdown list instead?

a. Policy Exception
b. Policy
c. Control Objective
d. Issue

A

d. Issue

19
Q

Which of the following is a child of the parent Document table? Select all that apply.

a. Risk Statement
b. Control Objective
c. Authority Document
d. Risk
e. Control
f. Citation
g. Risk Framework
h. Policy

A

c. Authority Document
g. Risk Framework
h. Policy

20
Q

Which of the following is a child of the parent Content table? Select all that apply.

a. Risk Statement
b. Control Objective
c. Authority Document
d. Risk
e. Control
f. Citation
g. Risk Framework
h. Policy

A

a. Risk Statement
b. Control Objective
f. Citation

21
Q

Which of the following is a child of the parent Item table? Select all that apply.

a. Risk Statement
b. Control Objective
c. Authority Document
d. Risk
e. Control
f. Citation
g. Risk Framework
h. Policy

A

d. Risk

e. Control

22
Q

A single Control Objective can be related to multiple policies.

a. Yes
b. No

A

a. Yes

23
Q

The Unified Compliance Framework (UCF) can be used as a Policy and Compliance Management integration. Which of the following can be imported from UCF using transform maps?

a. Control Objectives
b. Policies
c. Citations
d. Controls
e. Authority Documents

A

a. Control Objectives
c. Citations
e. Authority Documents

24
Q

Service Level Agreements (SLA) can be used with Attestations.

a. Yes
b. No

A

b. No

SLAs cannot be used with Attestations or Assessments because these tables do not extend the Task table; a workflow must be created instead.

25
Q

Attestations capture the answer to the question, "Have you implemented a process/procedure that can be used to measure this control?"

a. Yes
b. No

A

a. Yes

26
Q

Which of the following is correct regarding Compliance Scores? Select all that apply.

a. If a Control Objective has no children (downstream controls) then the score is the total number of compliant controls divided by the total number of controls.
b. By default all controls have an equal weight of 10
c. The weight of a control can be changed in the Monitor state
d. Scores above 75 are displayed in green
e. The weight of a control is only used on the compliance side

A

a. If a Control Objective has no children (downstream controls) then the score is the total number of compliant controls divided by the total number of controls.
b. By default all controls have an equal weight of 10

Explanations:

c. Control weights can only be changed in the Review state
d. Scores above 80 are green, between 50 and 80 are yellow, below 50 are red
e. The weight of a control is used in two separate calculations: compliance percentage and Risk Score in Risk Management
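The scoring rules on this card, worked through as an added Python example (this is not code from the original flashcards or from ServiceNow). Assumptions made here: the weighted form of the score is the weight of compliant controls over the weight of all controls (which reduces to the card's count-based ratio when every control keeps the default weight of 10), results are rounded to two decimals, an objective with no controls scores 0, and a score of exactly 80 or exactly 50 falls in the yellow band. The sample controls are constructed for the example.

```python
# Added illustration of the leaf-level Compliance Score rule on this card.
# Not ServiceNow code: the weighted formula, rounding, empty-set handling and
# the exact band boundaries are assumptions made for this example.
from dataclasses import dataclass

DEFAULT_WEIGHT = 10  # the card: every control defaults to an equal weight of 10


@dataclass
class Control:
    name: str
    compliant: bool
    weight: int = DEFAULT_WEIGHT


def unweighted_score(controls):
    """The card's stated rule for a Control Objective with no downstream
    Control Objectives: compliant controls / all controls, as a percentage."""
    if not controls:
        return 0.0  # assumption: no controls scores 0 rather than dividing by zero
    compliant = sum(1 for c in controls if c.compliant)
    return round(100.0 * compliant / len(controls), 2)


def compliance_score(controls):
    """Assumed weighted form: each control contributes its weight, so the
    score is weight(compliant) / weight(all). With equal default weights this
    reduces exactly to unweighted_score."""
    total = sum(c.weight for c in controls)
    if total == 0:
        return 0.0  # assumption, as above
    compliant = sum(c.weight for c in controls if c.compliant)
    return round(100.0 * compliant / total, 2)


def score_band(score):
    """Colour band from the card: above 80 green, 50 to 80 yellow, below 50 red.
    Assumption: a score of exactly 80 or exactly 50 is yellow."""
    if score > 80:
        return "green"
    if score >= 50:
        return "yellow"
    return "red"


# Constructed sample data for the example (not real GRC records).
EQUAL_WEIGHTS = [
    Control("MFA enforced", True),
    Control("Logs retained 1 year", True),
    Control("Quarterly access review", True),
    Control("Backups tested", False),
]

# Same idea with one heavily weighted failing control: the weighted score
# drops well below the count-based ratio.
UNEQUAL_WEIGHTS = [
    Control("MFA enforced", True, weight=10),
    Control("Logs retained 1 year", True, weight=10),
    Control("Backups tested", False, weight=40),
]


if __name__ == "__main__":
    for label, controls in (("equal", EQUAL_WEIGHTS), ("unequal", UNEQUAL_WEIGHTS)):
        w, u = compliance_score(controls), unweighted_score(controls)
        print(f"{label}: weighted={w} ({score_band(w)}), unweighted={u} ({score_band(u)})")
```

With equal weights both functions agree (3 of 4 compliant gives 75.0, yellow); with the 40-weight failing control the weighted score is 33.33 (red) while the plain count ratio would still read 66.67 (yellow), which is why changing a control's weight matters for the objective's colour.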

27
Q

The compliance score can be calculated at various levels including the following? Select all that apply.

a. Policies
b. Policy Exceptions
c. Entities
d. Entity Types
e. Controls
f. Control Objectives
g. Authority Documents

A

a. Policies
c. Entities
d. Entity Types
f. Control Objectives
g. Authority Documents

NOT Policy Exceptions or Controls
The Compliance Score is calculated at various levels, including Authority Documents, Policies, Control Objective, Entity Types, and Entities

28
Q

Indicators are not weighted.

a. Yes
b. No

A

a. Yes

29
Q

An Indicator is a filter created by the customer that looks at a table for evidence.

a. Yes
b. No

A

a. Yes

30
Q

The difference between the Workflow editor and Flow Designer is that the Workflow editor is used to create and modify workflows by arranging and connecting activities, while Flow Designer enables process owners to automate approvals, tasks, and notifications using natural-language flows, without writing code or building a Workflow.

a. Yes
b. No

A

a. Yes

31
Q

Entity Owners are defined at the Entity Type level.

a. Yes
b. No

A

b. No

Entity Owners are defined at the Entity level.

32
Q

SLA definitions extend from the Issue table.

a. Yes
b. No

A

b. No. SLA definitions extend from the Task table.

An SLA is a record that specifies the time within which service must be provided.

33
Q

SLA can be applied to all tables in ServiceNow.

a. Yes
b. No

A

b. No

34
Q

Which of the following are actions to begin a GRC implementation? Select as many as apply.

a. Allocate time for training after deployment
b. Uncover siloed areas that have Policies, Controls, and Risks to include
c. Consider what existing data can be entered as Policies, Controls, and Risks
d. Understand how the customer is currently organizing their GRC processes and procedures
e. All of the above

A

e. All of the above