CIS - IRM Fundamentals Flashcards
Integrated risk management
is a set of practices, supported by a risk-aware culture and enabling technologies, that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.
2 workspaces for IRM
Compliance Workspace
Risk Workspace
360 degree view
displays upstream, downstream, and related records; available for many types of records.
sn_audit.manager
the manager of the internal audit team, responsible for creating audit engagements and monitoring the status of audit tasks and issues.
citation
a breakdown of the authority document.
control objective
the breakdown of a policy
Controls
test plans are related to
Entities
people, places, or objects that need to be monitored in order to manage risks, track control compliance, and be reviewed as part of audit engagements.
e.g. an organization’s assets, vendors, business services, and business units.
Entity types
dynamic categories containing one or more entities.
They are associated with policies, control objectives, risk frameworks, and risk statements.
Entity classes
Top-level organizational structure used to tag entities across different entity types.
An entity can belong to many entity types, but it can have only one entity class.
One entity type can have entities that belong to different entity classes.
Entity tiers
a way for an organization to logically group entity classes and then filter reports by those groupings. They are used for building entity hierarchy between various entity classes.
entity scoping
when an organization defines what people, places, or objects, such as processes, vendors, and departments, should be monitored for compliance and included in risk management.
benefits of entities
- Scalable - leverages other ServiceNow data
- Repeatable - dynamically creates new entities that inherit controls and risks
- Visibility - provides visibility on multiple levels of the organization
Commonly leveraged tables often begin with
- cmn - for common tables
- sys - for system tables
- cmdb_ci - for cmdb tables
- core - for core tables
When entities are created and associated individually, a control is only created for that entity.
true
risks can be automatically generated for all entities associated with the entity type
when entity type is created, populated and associated with risk statements
Cascading updates
if an entity is deactivated, all associated controls, risks, indicators, and test plans are retired. If the entity is reactivated, the associated controls and risks revert to the Draft state.
corporate compliance
means having internal policies and procedures in place to prevent and detect violations of applicable laws, regulations, and ethical standards.
regulations
a law or rule governing the behavior and practices of an industry or market that is set and maintained by a constituted authority or regulatory body.
are issued by regulatory bodies for many diverse reasons, such as to regulate the way business is conducted to ensure ethical practices and fair competition.
General Data Protection Regulation (GDPR)
Regulation protecting the data of individuals residing in the European Union (E.U.) and the European Economic Area, regardless of where the data is stored or processed.
Applicable to any company storing or processing data
Sarbanes-Oxley (SOX) Act of 2002
Law passed by U.S. Congress to help protect investors from fraudulent financial reporting by corporations.
Applicable to all publicly traded companies in the United States and wholly owned subsidiaries and foreign companies that are publicly traded and do business in the United States.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Federal U.S. law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Applicable to healthcare providers if they transmit health information electronically in connection with covered transactions
standard
benchmark circulated by a regulatory agency and created to enforce the provisions of legislation.
standards example
- Payment Card Industry Data Security Standard
- National Institute of Standards and Technology 800-53
- ISO/IEC 27001
- Criminal Justice Information Services (CJIS) compliance standard
framework
a group of underlying and interrelated procedures, policies, regulations, guidelines, codes of conduct, and other regulatory documents sourced from legislation and meant to codify and clarify the intent of a law/act/regulation.
Broad overview or outline of interlinked items that supports a particular approach to meeting a specific objective and serves as a guide to be modified as required
examples of framework
- FedRAMP (Federal Risk and Authorization Management Program)
- Center for Internet Security (CIS)
- Control Objectives for Information and Related Technologies (COBIT)
- HITRUST Common Security Framework
Compliance Admin (sn_compliance.admin)
Set up the policy and compliance application
Coordinate and facilitate configuration requests
Delete authority documents, citations, policies, policy statements, and controls
Compliance Manager (sn_compliance.manager)
Manage the compliance library
Relate control objectives to citations and policies
Create and manage entity types and entity filters
Leverage entity types and entities for scoping
Approve and retire policies and track policy exceptions
Manage policy acknowledgement campaigns and related audiences
Triage, monitor, and review compliance issues
Monitor control testing and control performance
Compliance User (sn_compliance.user)
Create policies and manage the policy lifecycle
Relate policies to control objectives
Send out policy acknowledgement campaigns and monitor progress
Schedule and follow-up with attestations for control validation
Respond to an indicator task
Create, manage, and review issues
Request evidence for controls, policies, and issues
GRC business user (sn_grc.business_user)
Leveraged across GRC applications. This role is targeted at users that support the GRC process.
Respond to issues and evidence requests
Perform indicator tasks
Perform remediation tasks
Control Owner (sn_compliance.user)
Respond to control tests and evidence requests on the controls they own
Respond to indicator tasks assigned by the compliance team
Create and manage control issues
Corporate compliance analyst (sn_compliance_ws.corporate_compliance_analyst)
tracks compliance activities and helps compliance managers to ensure that the organization is compliant with various regulations and policies.
Analyze and update the existing policies and related documents.
Implement policies and controls when assigned.
Monitor the performance of controls.
Schedule and follow up attestations.
Corporate compliance manager (sn_compliance_ws.corporate_compliance_manager)
manages internal standards, policies, and control processes that match the external regulatory standards.
Ensure that all policies and regulations are being followed.
Create and maintain policies up to the level of defining and applying controls.
Approve and track policy exceptions and issues.
Manage the team appropriately.
IT compliance manager (sn_compliance_ws.it_compliance_manager)
manages internal standards, policies, and control processes that are exclusively IT-related, to comply with external regulatory standards.
Authority documents
compile the regulatory content that business processes follow for compliance.
Citation
defines a section of an authority document with which an organization must comply.
A citation maps to one authority document
Citations can be part of hierarchical, parent-child relationships
Citations can be mapped to one or many control objectives.
Citations are mapped to control objectives so that compliance is measured as a control is tested.
Policy
defines an internal practice that an organization or business process must follow to ensure compliance and reduce risk exposure.
can be categorized and related to control objectives.
Control objective
is an objective, direction, or standard that acts as guidance for company interactions and operations; often based on citations.
frequently referred to as internal compliance requirements.
control
is the implementation of a control objective for a scoped entity.
Compliance score percentage
80 or higher: green
50 to 80: yellow
Below 50: red
things about Policies
- can be created manually or imported using a ServiceNow transform map.
- can be arranged in parent-child hierarchical relationships with other policies and with control objectives.
- can be sorted into manageable, reportable groups through type and category fields.
- can be related to multiple control objectives.
Procedure
Fixed, step-by-step sequence of activities or course of action that must be followed to correctly perform a task
Standard
Documentation of requirements, specifications, guidelines, or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose
Plan
Written account of an intended future course of action aimed to achieve specific goal(s) or objective(s) within a specific timeframe
Checklist
List of items required to be done to perform a specific task or set of tasks
Template
Design, mold, or pattern of an item or group of items that serves as a basis or guide for designing or constructing similar items
Policy record lifecycle
- Draft - default state upon creation
- Review
- Awaiting approval - all approvers must approve. If there are no approvers, the policy is published automatically
- Published - a knowledge base (KB) article is published
- Retired - the KB article is also retired
who can create policies
compliance users and above
who can move policies into review state
compliance users and above
who can move a policy from Review to the next state?
any of the named Reviewers or the Policy Owner
when do approvers receive notification?
after policy goes to Awaiting Approval state
who can manually retire a policy?
compliance manager or policy owner
Policy acknowledgement campaigns
allow customers to define a policy and present that policy for review and acknowledgement by employees in a company
Controls are automatically generated when
an entity type is associated with a control objective and the “Creates controls automatically” checkbox is checked.
Controls can also be manually created when
associated with an entity from the All Controls module or from the Controls related list on a control objective.
When Inherit from control objective option is enabled
the control automatically inherits the name and description of the control objective.
A control is considered implemented if we have a way to measure it.
True
Control attestations
surveys that gather evidence to prove that a control is implemented. The attestation provides documentation that the control owner has a defined method to measure the control.
Indicators
Indicators are used to measure whether a control is effective; they are powerful data collectors.
Control tests
can be part of an audit or compliance process used to validate whether the control method is effectively designed and operationally effective.
answers the question, “Has the control been implemented?”
Control attestations
answers the question, “Is the control effective?”
Indicators
answers the question, “Is the control effective from a design and operation standpoint?”
Control tests
control record lifecycle
Draft (default state upon creation) > Attest > Review > Monitor > Retire
all compliance users can modify the control in Draft state
Draft stage of control
control owners are assigned the control by default
only the assigned user can complete it
Attest stage of control
controls are automatically moved to review after attestation is completed
Compliance manager can review
Review stage of control
in this stage, controls cannot be edited;
indicators are scheduled, and updates are made by indicators
monitor stage of control
the compliance manager can manually retire a control
when the control is no longer relevant
a control is automatically set to this stage when its entity becomes inactive
retire stage of control
Policy exception management
allows an organization to assess the impact that a policy exception can have on related entities, with a related workflow for approving or rejecting an exception request.
who may be involved in the policy exception workflow?
the control owner,
the compliance manager,
the risk manager
Policy extension
can be requested before the policy exception expires.
how can policy exception be created?
- policy exception module
- from issue record
- from control objective record
- service portal
- integration registry
policy exception record lifecycle
New > Pending Verification (optional) > Analyze > Review > Awaiting Approval > Approved > Closed
who can request a policy exception?
snc_internal users
who can modify a policy exception during analyze stage?
compliance manager
who can submit more information about a policy exception during the Review stage?
requester or risk manager
who reviews the policy exception
compliance manager
who approves the policy exception
compliance manager
who closes the policy exception
compliance manager
Issues
a task that allows end users to track the response to remediate or accept an issue.
issue triage record lifecycle
New > Analyze > Review > Close
who reviews the triage issue?
compliance manager
risk manager
triage manager
who can close the triage issue?
triage manager
triage team