GRC Part 1 Flashcards

(445 cards)

1
What is the database table name for Control Objectives from the Orlando release onward?
sn_compliance_policy_statement
2
Can you nest or stack policy records?
Yes
3
Can you nest or stack control objectives?
Yes
4
What GRC record generates a KB article when approved?
Policy
5
What must be set up for controls to be generated?
The Control Objective has the "Create Controls Automatically" checkbox checked and an Entity Type applied to it.
6
Attestations are generated when a control is moved from Draft to what state?
Attest
7
What can you do with the Policy Acknowledgement feature?
Send out policies for review and acknowledgement, track responses on the campaign record, and designate the campaign audience for acknowledgement.
8
What can you NOT do with the Policy Acknowledgement feature?
Enable employees to ask for more information about the policy.
9
A control attestation can be used to measure the level of compliance - T or F
False
10
How many entity types can an entity belong to?
None, 1 or multiple
11
Entities can be added to an entity type via what methods?
Manually, from the All Entities module, or using a filter defined on the Entity Type record.
12
Entities can be added to an entity type on a Policy Related List - True or False
False
13
An entity must always relate to a record in a ServiceNow table - True or False
False
14
What records are generated when an entity type is related to a risk statement/template?
Risks, and Risk Indicators (if there is an indicator template related to the risk statement)
15
Risk Frameworks are required records in the Risk Framework process - T or F
False
16
What's another name for Risk Statement records?
Risk Templates
17
Risk statements can be nested or created in a hierarchy - T or F
True
18
Risk Events always involve a loss - T or F
False
19
Customers may refer to Risk Events as Loss Events - T or F
True
20
Risk Events are the same as Risk Statements - T or F
False
21
Risk Events can be related to Risks - T or F
True
22
What is the module name for all Registered Risks?
Risk->Risk Register->All Risks
23
Entity Types can be applied at what level to generate risks?
Risk Framework and Risk Statement/Template
24
Default Risk Scoring Method in SN baseline is ___
Quantitative
What does ALE refer to in Risk Scoring
Annualized Loss Expectancy - expected loss in a single year - SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence)
26
What is equivalent to SLE in Qualitative Risk Scoring?
Single Loss Expectancy - Impact - $$$$
27
What is equivalent to ARO in Qualitative Risk Scoring?
Annualized Rate of Occurrence - Likelihood - %
28
Which type of risk is "worst case scenario" according to ServiceNow?
Inherent (not residual or calculated)
29
Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?
Yes
30
Risk Responses are generated after Risk Assessments are complete - T or F
True
31
Which fields cover the duration covered by the audit? (not the dates that the audit occurred)
Audit Period (start and end)
32
When creating an audit engagement record, what record is used to scope the audit?
Entity
33
Control Test records are set up to test the design of the control and the operating effectiveness of the control. When is a control set to ineffective?
When either the design effectiveness or the operational effectiveness of the control is set to ineffective.
34
When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?
Risks, Controls, Test Plans, Indicator Results
35
When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?
Policies, Control Objectives
36
A control objective in SN GRC is often called what by people in the GRC industry? (3)
Control Objective, Requirement, Control Template
37
If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F
False - Depends on whether the "Create Controls automatically" checkbox is checked on the control objective.
38
Can you nest or stack Risk Statements?
Yes, but only with Advanced Risk (New York release onward)
39
Can a Risk Manager update Entity Types and Entities?
Yes (requires the grc.manager role, which the risk manager role inherits)
40
Entity Types can be applied at what level to generate Registered Risks
Risk Framework or Risk Statement
41
Alternative Terms for a Control Objective (4)
Control, Control Template, Requirement, Policy Statement
42
Alternative Terms for an Entity (4)
Scope definition, Scope Object, Target, Profile
43
Alternative Terms for an Entity Type (1)
Entity Group
44
Alternative Term for a Control (1)
Control Instance
45
Alternative Term for a Risk Statement
Risk Template
46
Alternative Term for an Issue
Finding
47
New York release onward - table name for Entity Class
sn_grc_profile_class
48
New York release onward - table name for Entity Type
sn_grc_profile_type
49
New York release onward - table name for Entity
sn_grc_profile
50
New York release onward - table name for Control Objectives
sn_compliance_policy_statement
51
What are compliance related roles in order of inheritance
Compliance Developer, Admin, Manager, User, Reader
52
What are Risk related roles in order of inheritance
Risk Admin, Manager, User, Reader
53
What roles do you get with GRC Developer?
Compliance Developer
54
What roles do you get with GRC Admin?
Risk Admin and Compliance Admin
55
What roles inherit Survey Reader?
Compliance User and Risk User
56
What role will Compliance Managers group get?
sn_compliance.manager
57
What can Compliance Managers with sn_compliance.manager role do?
Create authority documents and citations, relate control objectives to citations, retire policies, return policies to Review, create rules for exceptions, update properties, create indicator templates, create entities, entity types and entity classes, manually initiate an acknowledgement campaign, create acknowledgement audiences, process compliance, triage issues, create remediation tasks.
58
What role will Compliance Analysts group get?
sn_compliance.user
59
What can Compliance Analysts with sn_compliance.user role do?
Create policies, control objectives and controls; process and approve policies; respond to control attestations; respond to indicator tasks; create policy exceptions; read authority documents and citations; request evidence; create and group issues; create a policy acknowledgement campaign; respond to remediation tasks.
60
What can Compliance Managers do that Analysts cannot?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations
61
What role will Risk Managers get?
sn_risk.manager
62
What can Risk Managers do with the sn_risk.manager role?
1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench
63
What role will Risk Analysts get?
sn_risk.user
64
What can Risk Analysts do with the sn_risk.user role?
1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks
65
What role is needed to answer a risk assessment?
No role
66
What role is needed to create a risk assessment
Risk Assessment Creator (sn_risk.asmt_creator)
67
What role is needed to answer a control attestation?
No role
68
What role is needed to create policies?
Compliance User (Analyst)
69
What role is needed to approve policies?
Compliance User (Analyst)
70
What role is needed to Submit a control for attestation?
Compliance User (Analyst)
71
What role is needed to create an issue for Risk?
Risk User
72
What role is needed to Create an indicator template for Risk?
Risk Manager
73
What role is needed to Create a Policy Exception from Control Issue?
Compliance User (Analyst)
74
What role is needed to retire policies
Compliance Manager
75
An entity can only be related to a single entity class - T or F
True
76
What tables are frequently used on the Entity Type filter to generate Entities
Department, Group, Service (not Control or Indicator)
77
Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F
True
78
What tables are extended from the Document table?
Risk Framework, Policy, Authority Document
79
What tables are extended from the Content table?
Risk Statement, Control Objective, Citation
80
What tables are extended from the Item table?
Risk, Control
81
What is the Policy Lifecycle?
Draft, Review, Awaiting Approval, Published, Retired
82
Who can create a Policy?
Compliance Users/Analysts and above
83
Who can set a Policy to Review state?
Compliance managers, the policy owner, members of the policy owning group, admins.
84
Who can move a Policy from Review to its next state?
Policy owners, members of the owning group, users with the compliance manager role, or the admin role.
85
Compliance admins can move a Policy from Review to its next state - T or F
False
86
A policy waiting for approval will be published when at least 1 approver approves it - True or False
False - all approvers must approve it.
87
What happens when a Policy is published?
A KB article is created
88
Who can retire a policy?
Compliance Manager or Policy Owner
89
What is the Control lifecycle?
Draft, Attest, Review, Monitor, Retired
90
Who can modify a Draft control?
Compliance users/analysts
91
Who can complete an attestation?
The person to whom it is assigned (usually control owner)
92
Can a system admin complete an attestation for someone?
Only via impersonation
93
What is best practice when an attestation cannot be completed by its assignee?
Return the control to Draft state.
94
Who moves a control to the Review state?
It happens automatically when the attestation is done
95
Who can move a control from Review to Monitor?
Compliance Manager
96
When a control is in Monitor state, Indicators can be scheduled - T or F
True
97
Who edits the control in a Monitor state?
Controls are usually not edited when in Monitor. Updates happen via Indicators.
98
When does a control go to the Retired state?
Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)
99
When a control is in Retired state, Indicators will run - T or F
False
100
Who can manually retire a control?
Compliance Manager
101
What is the Issue lifecycle?
New, Analyze, Respond, Review, Closed
102
Who can create a new issue?
Compliance, Risk or Audit User
103
An issue can be related to what other things? (6)
Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues
104
Who can move issue to Analyze?
Any GRC user
105
Who can move issue to Respond?
Any GRC User
106
What things will auto-trigger an issue creation? (4)
1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results
107
What is the Policy Exception Lifecycle?
New, Analyze, Review, Awaiting Approval, Approved, Closed
108
Who can request a Policy Exception from Employee Center?
GRC Business user
109
How does a Policy Exception go from New to Analyze?
Requester uses Request Approval UI Action/button.?? ??
110
Who performs the Analyze phase of the Policy Exception?
Compliance Manager
111
How does a Policy Exception get to the Risk Assessment state? (OBS)
Compliance Manager requests a risk assessment. ??? Is this valid ??? OBS
112
What happens when a Compliance Manager requests a risk assessment for a Policy Exception? (OBS)
A notification goes to the Risk Manager's group and a risk manager performs the assessment. (OBS??)
113
How does a Policy Exception get to the Review state?
Compliance Manager requests a review.
114
What happens when a Policy Exception is set to Review by the Risk Manager? (OBS)
Notification goes to the Compliance Manager.
115
What happens after a compliance manager is notified that a Policy Exception needs a Review? (OBS)
Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.
116
How does a Policy Exception get to the Awaiting Approval state?
Compliance manager requests Approval.
117
How does a Policy Exception get to the Approved state?
Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.
118
How does a Policy Exception get to the Closed state?
Compliance manager rejects it during review (maybe?) or otherwise sets it to Closed.
119
Who can request an extension to an approved Policy Exception?
Control Owner
120
Where can you initiate a Policy Exception? (5)
Employee Center, Compliance Workspace, Policy Exception module, Related Lists - Issue/Control Objective/Policy, other integrated SN applications
121
What happens during Analyze phase of a Policy Exception?
Compliance manager will review - add impacted Controls, approve, request review, request more information, or request approval.
122
What are options for the compliance manager when the analysis is complete for a Policy Exception? (4) (OBS)
Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval
123
What happens during the review phase of a policy exception?
The requester or risk manager can submit more information; the compliance manager reviews the additional information.
124
What is the Policy Acknowledgement lifecycle?
New, Pending Acknowledgement, Closed, Cancelled
125
Who can create a Policy Acknowledgement campaign?
Policy owner or Compliance User/Analyst and above
126
Who can designate the audience and add users for a Policy Acknowledgment campaign?
Compliance Admin or Compliance Manager
127
Who can be added to a Policy Acknowledgement campaign?
Users, Groups, filtered user definition.
128
Where can audience members of a Policy Ack campaign respond?
Service Portal, Employee Center, Classic UI (P&C My Acknowledgements)
129
How can audience members of a Policy Ack campaign respond?
Accept, Decline or Request Exception (if allowed)
130
When does a Policy Ack campaign get closed?
When it's overdue or policy is expired
131
When does a Policy Ack record get reset?
When a policy exception is expired
132
Who can cancel a Policy Ack campaign?
Compliance manager or owner of the campaign
133
What Policy and Compliance components do you get to via the P&C->Compliance module?
Authority Documents (sn_compliance_authority_document) and Citations (sn_compliance_citation)
134
What Policy and Compliance components do you get to via the P&C->Policies and Procedures
Policies (sn_compliance_policy) and Control Objectives (sn_compliance_policy_statement)
135
What module do you use to get to Authority Documents?
Policy and Compliance->Compliance
136
What module do you use to get to Citations?
Policy and Compliance->Compliance
137
What module do you use to get to Policies?
Policy and Compliance->Policies and Procedures
138
What module do you use to get to Control Objectives
Policy and Compliance->Policies and Procedures
139
What are table names for policy acknowledgement campaign and policy acknowledgement record
sn_compliance_policy_acknowledgement | sn_compliance_policy_acknowledgement_instance
140
Which Script Include? Requirement is to modify who can edit a policy in the Review State.
ComplianceUtils
141
Which Script Include? Requirement is to modify how compliance scores roll up.
ComplianceScoreCalculator
142
Which Script Include? Requirement is to display the number of controls excluded from the compliance score.
AssessmentStrategy
143
Which Script Include? Requirement is to use a different criteria to create control records.
ControlGeneratorStrategy
144
Which Script Include? Requirement is to add a new state to Policy Exception process
PolicyException
145
Which Script Include? Requirement is to modify the policy acknowledgement process.
PolicyAcknowledgementUtil
146
How is compliance score calculated when there are no children control objectives?
((Sum of weights of compliant controls) / (Sum of weights of all controls)) * 100, excluding any controls in the Draft, Retired or Not Applicable states
147
How is compliance score calculated when there ARE children control objectives?
1) Calculate the compliance percentage of the parent control objective as if it had no children -> ParentPerc. 2) Get the average score of all downstream (child) control objectives -> ChildAvg. 3) Score = (ParentPerc + ChildAvg) / 2
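Added example, not ServiceNow's ComplianceScoreCalculator script include: the roll-up on cards 146 and 147 written as plain JavaScript over plain objects, so it runs outside the platform and shows how the state exclusions, the weights and the parent/child averaging interact on a nested objective. The record shape (controls carrying weight, state and status; objectives carrying children), the modelling of Not Applicable as a status value, recursion into grandchildren, and what happens when an objective has nothing of its own to score are assumptions made for the example. The sample objective tree is constructed, not taken from an instance.

```javascript
// Added example (not ServiceNow's ComplianceScoreCalculator): the compliance
// score roll-up from cards 146 and 147 over plain objects. Field names
// (state, status, weight, controls, children) and the handling of objectives
// with nothing to score are assumptions.

// Controls in these states never count towards a score (card 146).
const EXCLUDED_STATES = new Set(['draft', 'retired']);

// Card 146 lists "Not Applicable" alongside the states; it is modelled here as
// a status value on the control (assumption).
function isScoreable(control) {
  return !EXCLUDED_STATES.has(control.state) && control.status !== 'not_applicable';
}

// Card 146: (sum of weights of compliant controls / sum of weights of all
// scoreable controls) * 100. Returns null when nothing is scoreable
// (assumption: an objective with no eligible controls has no score of its own).
function ownScore(controls) {
  const eligible = controls.filter(isScoreable);
  const total = eligible.reduce((sum, c) => sum + c.weight, 0);
  if (total === 0) return null;
  const compliant = eligible
    .filter(c => c.status === 'compliant')
    .reduce((sum, c) => sum + c.weight, 0);
  return (compliant / total) * 100;
}

// Card 147: ParentPerc is the objective's own score, ChildAvg is the average
// of the children's scores (computed recursively, so nested objectives roll
// up), and the result is (ParentPerc + ChildAvg) / 2. When only one side has
// a score, that side is used alone (assumption; the cards do not say).
function complianceScore(objective) {
  const parentPerc = ownScore(objective.controls || []);
  const childScores = (objective.children || [])
    .map(complianceScore)
    .filter(score => score !== null);
  if (childScores.length === 0) return parentPerc;
  const childAvg = childScores.reduce((a, b) => a + b, 0) / childScores.length;
  if (parentPerc === null) return childAvg;
  return (parentPerc + childAvg) / 2;
}

// Constructed sample: one parent control objective with two children.
// Names, weights and statuses are made up for the example.
const SAMPLE_OBJECTIVE = {
  name: 'Access control',
  controls: [
    { name: 'MFA on admin accounts',   weight: 2, state: 'monitor', status: 'compliant' },
    { name: 'Quarterly access review', weight: 1, state: 'monitor', status: 'non_compliant' },
    { name: 'Break-glass account',     weight: 5, state: 'draft',   status: 'compliant' },      // excluded: Draft
    { name: 'Mainframe access',        weight: 3, state: 'monitor', status: 'not_applicable' }  // excluded: N/A
  ],
  children: [
    {
      name: 'Password policy',
      controls: [
        { name: 'Minimum length', weight: 1, state: 'monitor', status: 'compliant' },
        { name: 'Lockout',        weight: 1, state: 'monitor', status: 'compliant' }
      ]
    },
    {
      name: 'Privileged access',
      controls: [
        { name: 'PAM vault',       weight: 3, state: 'monitor', status: 'compliant' },
        { name: 'Session logging', weight: 1, state: 'review',  status: 'non_compliant' }
      ]
    }
  ]
};

// Parent alone: 2 / (2 + 1) * 100 = 66.67 (the Draft and N/A controls, with
// their large weights, do not count). Children: 100 and 75, average 87.5.
// Rolled up: (66.67 + 87.5) / 2 = 77.08.
console.log(complianceScore(SAMPLE_OBJECTIVE).toFixed(2));
```

The point worth noticing is how much the exclusions matter: the two heaviest controls on the parent are ignored entirely rather than counted as non-compliant, so a control left in Draft cannot drag the score down, and a child objective with no scoreable controls simply drops out of the average instead of contributing zero.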
148
What happens if a compliance manager requests a business approval for a Policy Exception?
Policy Exception Business Owner Approval workflow sends a notification to the control owners for all of the controls in the impacted controls related list.
149
For P&C - Entity Types can be applied to what objects (2) and which is the best practice?
Policies and Control Objectives. Control Objectives is best practice.
150
What are the Policy Exception workflows?
Policy Review, Policy Approval, Policy Exception and Policy Exception Business Owner Approval
151
What P&C tables can have SLAs associated with them?
Indicator Tasks, Issues, Policy Exceptions
152
What Risk tables can have SLAS associated with them?
Risk Responses and Remediation Task
153
What Audit tables can have SLAS associated with them?
Control Test, Interview, Audit, Walkthrough Task
154
What Risk Event tables can have SLAS associated with them?
Risk Events, Risk Event Tasks
155
What GRC tables are not extended from Task? (6)
Control, Control Objective, Registered Risk, Risk Statement, Risk Framework, Policy
156
What is the Risk Record Lifecycle
Draft, Assess, Respond, Review, Monitor, Retired
157
Who can create a risk?
Risk User
158
Who can create a risk statement?
Risk Manager
159
Who can create a risk framework?
Risk Manager
160
Who can return a risk to the Draft state?
Risk Manager
161
Who performs risk assessment?
Usually Risk Owner
162
What happens during risk assessment?
Risk is reviewed and either sent back to draft or the assessment is completed which moves the risk to Respond and generates Risk Responses
163
What is the Risk Response Task lifecycle?
Draft, Work in Progress, Awaiting Approval (Accept response tasks ONLY), Review, Closed
164
What is "Governance" in GRC?
Policies and oversight to ensure consistent sustainability of internal controls and objectives while understanding inherent risk and adhering to external laws and regulations.
165
What is "Risk Management" in GRC?
Process of determining where the org is vulnerable and exposed. Manages and monitors the System of Internal Controls
166
What is "Compliance Management" in GRC?
Implements and manages the governance structure by managing and monitoring the system of internal controls.
167
What is "Audit Management" in GRC?
Internal or External consultancy process to prove effectiveness of controls that are used to ensure the effectiveness of compliance.
168
Where does SN GRC store external legislation/regulation data?
Authority documents - headers and citations. These documents dictate things an organization should do.
169
What are some sources of authority documents
UCF (Unified Compliance Framework), HITRUST, COSO, Lexis-Nexis
170
How can customers use the UCF?
UCF will map headers and citations to control objectives.
171
What is an Entity?
Records that aggregate GRC information related to a specific item - can be a record in any table in the instance. Examples would be applications, locations, business services, etc.
172
What is a Citation?
Specific requirement in an authority document. Citation record relates an Authority Document to its applicable control.
173
What is a policy?
Internal practice followed by business process to ensure compliance and reduce risk. Related to authority documents and controls.
174
Where are policies published in SN?
Knowledge base
175
What is a control objective?
Specific details that a process follows within a policy. They are the templates from which controls are generated.
176
What is a control?
Actual control activity to be performed by an organization. Contains information such as owner, activity and frequency. Related to Authority Documents, Policies, and Risks via Control Objectives
177
What is an issue?
GRC task to track control and risk issues.
178
What is an indicator?
A metric to collect data to monitor controls and risks and collect audit evidence.
179
What is a risk framework?
Manageable hierarchy of Risk Statements. Formalized process for managing risk. Consists of assessment, response, accountability, remediation. Related to Entity Types and Risk Statements
180
What is a risk statement?
Defined consequence when a threat exploits a vulnerability.
181
What is a risk register?
the central repository for all potential risks that could occur at anytime, anywhere in the organization.
182
What is a risk?
Specific occurrence of a risk statement against a single entity. Also, a threat or vulnerability that can adversely affect an organization's business objectives. Can be related to Policies, Controls or Remediation Tasks.
183
What are the possible outcomes for a risk?
It can be mitigated, prevented or controlled using Controls and Control Tests.
184
What is Risk Criteria?
Qualitative or Quantitative values against which level of risk is evaluated
185
What is the Risk's Residual Score?
Score AFTER response strategy is implemented.
186
What is the Risk's Inherent Score
Score BEFORE response strategy is implemented.
187
What is the Risk's Calculated Score?
Score derived from inherent and residual scores - refers to actual exposure of risk based on quality of the control system.
188
What is the Risk's Inherent Likelihood?
Likelihood BEFORE response strategy is implemented.
189
What is the Risk's Inherent Risk?
Level of Risk BEFORE response strategy is implemented (risk level without controls or mitigating actions)
190
What is the Risk's Residual Likelihood?
Likelihood AFTER response strategy is implemented.
191
What is the Risk's Residual Risk?
Level of Risk AFTER response strategy is implemented.(leftover risk after the implementation of controls)
192
What is the Risk's Qualitative Impact?
Uses Impact (significance of risk) and Likelihood (probability of risk occurring) ratings. Result is impact*likelihood.
193
What is the Risk's Quantitative impact?
SLE (Single Loss Expectancy) * ARO (Annualized Rate of Occurrence) = ALE (Annualized Loss Expectancy)
194
What is an audit engagement?
Audit project with audit tasks to accomplish specific objectives.
195
What is an audit test plan?
A specific audit test of the effectiveness of a control. Used to generate control tests during engagements.
196
What is an audit test plan template?
Used to establish criteria for many test plans. Related to control objectives.
197
What is an audit task?
Task completed to provide evidence that a control is operating effectively
198
What are the 4 types of audit tasks?
Control Tests, Interviews, Walkthroughs and Activities
199
What are some examples of Authority Documents?
GDPR, HIPAA, Sarbanes-Oxley
200
Where do UCF control documents go in SN GRC?
Control Objectives
201
If you import the UCF framework to SN GRC, what tables will be populated? What relationships will be created?
Authority Documents, Citations, Control Objectives | Auth Doc->Citations, Citations->Ctl Obj, Relationships between overlapping Auth Docs/Citations/Ctl Objs.
202
What are the different policy types? (6)
Procedure, Standard, Plan, Checklist, Framework, Template
203
What are attestations?
Surveys to gather evidence to prove a control is implemented.
204
Attestations are used to measure if a control is effective - T or F
False, Indicators are used to measure effectiveness. Attestations are just to gather evidence.
205
What drives the compliance status for a control?
The attestation results.
206
What are 3 levels of control validation?
Attestation (evidence), Indicators (manual or automated steps to measure effectiveness), Tests (used during audit to validate that the control is effective)
207
What are entities?
People/Places/Things that require 1 or more of these: Risk management, Controls to be applied, Audits to be conducted.
208
What can entities be related to?
Entity Types, upstream and downstream entities, downstream risks, downstream controls
209
What are entity types assigned to?
Control Objectives and Risk Statements (can be assigned to policies or risk frameworks also, not best practice?)
210
What is the name of the risk table?
sn_risk_risk
211
Under what module will you find Risk Framework and Risk Statements?
Risk Library
212
Where all can you create a risk?
Entity Type related list on a Risk Framework, Entity Type related list on a Risk Statement, Risk Framework related list on an Entity Type, Risk Statement related list on an Entity Type. Risks are created as these relationships are created.
213
What happens to risk assessments if a risk is retired?
Assessments are cancelled.
214
What are the possible risk response types and what prefix will each type of task have?
Risk Acceptance (APT), Risk Avoidance (AVT), Risk Mitigation (MGT), Risk Transfer (TFT)
215
What is an example of a way to mitigate a risk?
Create a control. Relate the control to the risk.
216
A control is related to a risk for mitigation purposes. What does the Control Weight field signify?
Weight tells us how impactful the control is in mitigating the risk - high impact=high weight, low impact=low weight. Used to determine control failure factor.
217
A control is related to a risk for mitigation purposes. What does the Control Compliance field signify?
Control Compliance is a calculated field based on the # of controls mitigating the risk that have a compliant status. (Empty or N/A status=compliant)
218
A control is related to a risk for mitigation purposes. What does the Control Non-Compliance field signify?
Control Non-Compliance is a calculated field based on the # of controls mitigating the risk that have a non-compliant status.
219
What happens to a Risk Response Task (Avoid, Mitigate, Review types) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Review.
220
What happens when a Risk Response Task (Avoid, Mitigate, Review type) is set to Review?
The Risk is also automatically set to Review. The Risk Manager will review the Response Task and determine if it can be closed.
221
What happens to a Risk Response Task (Accept type) after it is created?
Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Awaiting Approval.
222
What happens to a Risk Response Task (Accept type) after it is set to Awaiting Approval?
Risk Owner approves or rejects the task. If approved, the Risk Response Task is set to Review. If rejected, the Risk Response Task is Rejected. The Risk is set to Review.
223
If an "Accept" Risk Response Task is created, what is required to move the task and the risk forward?
Risk Owner Approval
224
Controls can be identified to mitigate risk? How can you get controls to be automatically related to risks?
If a control objective is related to a risk statement (done manually), and the control objective and the risk statement have the same entity, then a relationship will be automatically created between the registered risks and the controls (control instances).
225
What is a Risk Event?
Part of Advanced Risk - Potential or actual, financial or non-financial losses, near misses or gains that occur within an organization
226
How are risk events useful?
They provide hard data about existing risks - ability to quantify and validate them, and provide visibility to new risks.
227
What are the 2 types of Risk Events?
Financial, Non-financial
228
Who can report a Risk Event?
Any employee (via the portal.)
229
What is the Risk Event Lifecycle?
New, Analyze, Awaiting Approval, Approved, Closed/Rejected
230
What happens during the Analyze phase of a Risk Event?
Additional info is gathered, the Risk Event is related to Risks (new or existing), Controls and other Risk Events, response tasks and issues can be created and assigned out, and approvers are assigned. When analysis is done, the Risk Event is sent for approval.
231
What is minimum role that approvers for a Risk Event need?
Risk User
232
Risk Event is approved when at least 1 designated approver approves it. T or F
False - all approvers must approve it.
233
For a Risk Event to close - all related Issues and Remediation Tasks must be closed. T or F
True
234
What is the role of the person who analyzes a risk event, requests approval and closes the Risk Event?
Risk Manager
235
What happens when an entity is deactivated?
Associated controls, risks, indicators and test plans are all deactivated or retired.
236
What happens when an entity is re-activated?
Associated controls and risks go to Draft. Associated indicators and test plans become Active.
237
Indicators in GRC are used to monitor what?
Controls and Risks
238
What does an indicator do in GRC?
Continuously monitors a control's compliance/non-compliance. Within risk, an indicator will adjust a risk score up or down. Indicators are used to gather evidence of performance for the compliance and risk processes.
239
Risk indicators and Policy & Compliance Indicators are stored in 2 different tables. T or F
False. 2 modules, same table.
240
What are the 3 default types/methods of indicators?
Manual, Basic, Script
241
What are additional types of indicators that come with integrations?
Configuration Test, Vulnerability Response, PA Indicator
242
How do you get indicators to get auto-created and related to controls or risks.
Create indicator templates and relate them to Risk Statements and Control Objectives. Then when an entity is applied to a Risk Statement or a Control Objective, the indicator will get related to the risk or control.
243
How do issues get created (5)?
1) Manually 2) If an Indicator gets a result that is Failed or Not Passed 3) If a Control Attestation returns a result of Not Implemented 4) if a Control Test is Closed Complete and the Effectiveness is set to Ineffective 5) Continuous Monitoring (based on Configuration Test scan results)
244
True or False - A control can be marked compliant even if it has an open issue.
False
245
What are the 2 ways to respond to an Issue?
Remediate (can result in remediation tasks) or Accept (meaning the issue is an exception). If accept, the control status is non-compliant until it is re-assessed.
246
Issues can be grouped under a parent. What is the parent record?
An issue.
247
How do you group Issues?
From List view, select issues to group, Select Group from Actions on Selected Rows list.
248
How many times can you request a policy exception for a policy?
1
249
What is a Policy Exception?
A Policy Exception provides temporary relief for a non-compliant control. It will have evidence, comments and rationale to support acceptance or rejection of the Policy Exception request.
250
What are the things for which you might request a Policy Exception (3)?
Policy, Control Objective, Issue (or combination of the 3)
251
A policy exception must have related controls (that are not Draft or Retired). T or F
False. This is true if the exception is for a Control Objective or an Issue. Not if it is for a Policy.
252
To request a policy exception for an issue, what needs to be true about the issue?
It must not be in Draft or Retired and it must have at least 1 active control.
253
What are the 3 groups of audit users?
Audit Administrators - run the internal audit department , Audit Managers - plan, conduct and manage audit engagements, Internal Auditors - Conduct control tests and other tasks for an Audit Engagement
254
What does an audit Control Test task do?
Performs a design or operation test to determine the effectiveness of a control
255
When do you use an Interview audit task?
When you need to gather data for auditors, possibly to learn a process or evaluate evidence.
256
When do you use a Walkthrough audit task?
To establish the reliability of an organization's internal control over a procedure or process.
257
What is an Activity audit task used for?
Any miscellaneous activity that is part of the audit process.
258
What is the only kind of Audit task that can have a parent that is another Audit task rather than an Engagement?
Activity audit task.
259
What are the 3 types of Audit Interview Tasks
Structured, Unstructured, Mixed
260
Audit engagements must always be created from scratch. True or False
False. You can use another audit engagement as a template.
261
What is a Test Template?
A generic audit test that applies to a control objective.
262
What is a Test Plan?
A specific audit test that applies to a control
263
What is the Engagement lifecycle?
Scope, Validate, Fieldwork, Awaiting Approval, Follow-up, Closed
264
How do Control Test audit tasks get created during an engagement?
From a Control, go to the Test Plans related list and select Generate Control Test. This will create the audit tasks.
265
What is the module for creating Test Templates and Test plans?
Audit->Audit Testing->Test Templates | Audit->Audit Testing->Test Plans
266
What are the components of an audit Test Plan?
Design Test - steps to test the design. | Operational Test - steps to test operational effectiveness.
267
What is the Control Test lifecycle?
Open, Work In Progress, Review, Closed
268
What happens while a Control Test audit task is Work In Progress?
The effectiveness of the controls are evaluated. When complete, it is set to Review.
269
What happens when a Control Test audit task is in Review?
All auditors on the engagement receive an approval request to review the Control Test task. If any one of them approves it, the Control Test task moves to Closed.
270
A Control Test audit task requires only one of the approvers to approve it for it to move from Review to Closed. True or False
True
271
It is possible to skip the approval process for a Control Test audit task by just moving it to Closed. T or F
True
272
Control Effectiveness will be "Effective" if at least one of "Design Effectiveness" or "Operational Effectiveness" is "Effective" for the control. T or F
False. They both must be Effective. If one is ineffective, the control is ineffective.
273
What happens to the related risks when a risk statement is deactivated?
The risks are automatically retired.
274
If a risk is in a retired state, do the indicators still run?
No
275
What happens to the related risks when a risk statement is re-activated?
Risks are set to Draft.
276
What role is required to manually retire a risk?
Risk Manager
277
What is the table name for Risk Statements and Risk Frameworks?
sn_risk_definition and sn_risk_framework
278
What are the table names for Indicators and Indicator Templates and what app are they part of?
sn_grc_indicator and sn_grc_indicator_template, GRC Profiles
279
What items can be related to a Risk Event? Which are in m2m tables?
Another Risk Event (m2m), Risk Event Task, Event Entry, Risks (m2m), Entity(m2m), Issue, Control (m2m)
280
What is the Script Include if you want to modify the calculations of multiple risks on an entity?
RiskUtils
281
What is the Script Include if you want to add additional calculations to risks?
RiskALECalculator
282
What is the Script Include if you want to change the relationship behavior between a control and a risk?
MitigationControls
283
What is the Script Include if you want to change the states and behaviors of risk mitigations?
RiskResponse
284
What is the Script Include if you want to modify how risks are generated and associated to entities?
RiskGeneratorStrategy
285
What is the Script Include if you want to adjust color and display settings when creating a risk heat map?
RiskHeatMap
286
What SN core table can you use to see all components installed by a particular application/plugin?
sys_metadata
287
What role is used for creating GRC attestations?
Attestation Creator - sn_compliance.attestation_creator
288
What role is used for creating Risk assessments?
Risk Assessment Creator - sn_risk.asmt_creator
289
What role is required to answer a risk assessment?
Risk Analyst (sn_risk.user) I think
290
What role is required to answer a control attestation?
No role required
291
What role is required to create a policy?
Compliance Analyst (sn_compliance.user)
292
What role is required to approve a policy?
Compliance Manager (sn_compliance.manager)
293
What role is required to submit a control for attestation?
Compliance Analyst (sn_compliance.user) I think?
294
What role is required to create an issue within Risk?
Risk Analyst (sn_risk.user)
295
What role is required to create an indicator template within Risk?
Risk Manager (sn_risk.manager)
296
What role is required to create a policy exception?
Risk Analyst (sn_risk.user)
297
What role is required to Retire policies?
Compliance Manager (sn_compliance.manager)
298
What are some considerations that drive your choice of entity types?
Regulations you need to comply with, Who are the people working on risks and controls, How are you managing policies/exceptions/risks today? What areas are audited?
299
What are Entity Classes used for?
Reporting and roll up of risk responsibility.
300
What are the 3 parent tables in GRC:Profiles application/scope that are extended in P&C and Risk?
Document (sn_grc_document), Content (sn_grc_content), Item (sn_grc_item)
301
What tables in P&C and Risk are extended from the Document table?
Risk Framework (sn_risk_framework) , Authority Document (sn_compliance_authority_document), Policy (sn_compliance_policy)
302
What tables in P&C and Risk are extended from the Content table?
Risk Statements (sn_risk_definition), Control Objectives (sn_compliance_policy_statement), Citations (sn_compliance_citation)
303
What tables in P&C and Risk are extended from the Item table?
Risks (sn_risk_risk), Controls (sn_compliance_control)
304
An entity can only be related to a single Entity Class. T or F
True
305
An entity can only be part of a single Entity Type. T or F
False. An entity can belong to 1 or multiple entity types.
306
What is the table name that holds Entity Filters?
sn_grc_enrichment_query
307
What is the name of the m2m table that relates entities and entity types?
sn_grc_m2m_profile_profile_type
308
Indicator and Issue tables are part of what scope?
GRC:Profiles
309
What are 3 GRC tables extended from the Global scope?
Indicator Task is extended from task. Issue is extended from Planned task, Acknowledgement Campaign is extended from task.
310
What is baseline frequency for generating entities and deleting invalid entities?
Generating entities happens hourly. | Deleting invalid entities happens daily.
311
What happens if someone requests approval for a policy record and there are no approvers designated?
It goes straight to published.
312
What is the Control Objective lifecycle?
It doesn't have one. It is managed by the lifecycle of its parent, the policy record.
313
When a control goes to Attest, who receives the attestation?
Control Owner
314
Can Policies be nested?
Yes
315
A control objective can only be related to 1 policy. T or F
False.
316
A control objective can be related to multiple citations. T or F
True. This is what allows you to test once to satisfy many requirements.
317
Can Control objectives be nested?
Yes
318
Can Citations be nested?
Yes
319
Authority docs and citations are required to use SN GRC. T or F
False
320
Implementing Policy and Compliance, what is a common configuration task?
Updating choice lists for Category, Classification and Type fields on Control Objective table.
321
A policy must be published before you can create a policy acknowledgement campaign. T or F
True
322
Give an example of how you might define/use an indicator.
A policy/citation? is Manage Change Requests. A control is "All change requests must have a back out plan prior to approval." An indicator could be defined to look at changes that have been approved and the backout plan is empty. If found, the control will be marked non-compliant.
323
Are the knowledge article templates for the GRC Knowledge base stored in the same table as the templates for the other KBs?
No, they are in a different table and they require javascript.
324
Which statements are true about assessments in GRC?
Risk assessments are administered on risks, Control attestations are administered on controls
325
In the baseline, the Compliance Workspace has a role-based home page for data classified as IT risk and compliance. For which role is this home page intended?
IT compliance manager
326
The citation is a breakdown of the authority document. What GRC component is the breakdown of a policy?
Control objective
327
What line of defense is typically responsible for responding to risk assessments and control attestations within an organization?
1st line
328
What ServiceNow tables are used to import and maintain regulatory content?
Authority Document
329
What are three things we do with entities?
Entities are the objects against which we manage risks, apply controls and scope for an audit as part of an engagement
330
What is an entity type?
dynamic categories containing one or more entities
331
To what are entity types associated?
policies, control objectives, risk frameworks, and risk statements
332
What is an entity class?
An entity class identifies common information about a set of entities that can be used when creating reports and assigning advanced risk assessments. Every entity is assigned to one entity class.
333
What are entity tiers?
Entity tiers are a way for an organization to logically group entity classes and then filter reports by those groupings. They are used for building an entity hierarchy between various entity classes. For example, the database and server entity classes can be grouped together under the IT Asset entity tier.
334
See Libby's test deck 14 (entity owner sync).
When the Auto-update owner field is set to true, the value of the entity owner stays in sync with the value of the source field. For example, if the value of the owner changes in the Managed by field (the source field), a scheduled job runs to sync this value with the entity owner field value. When the source owner field is empty, there are two possible outcomes: Use Default, where the "Default owner" field value populates the "Entity Owner" field; or Do Not Create, where the entity record is not created. If the entity filter is pulling in an existing entity record, the entity owner assigned when it was originally generated remains assigned.
335
Entities are designed to create efficiencies and tracking through relationships. Select the statement(s) that accurately describe relationships that can be defined in an entity framework.
Entities can belong to more than one entity type, Entities can belong to only one entity class
336
Aglow Travel Co. wants to generate controls to ensure each of its travel branches complete required training for site cleaning and sanitization. How can they do this most efficiently?
Associate the entity type for travel branches to the control objective
337
Aglow Travel Co. has several travel branches. The various branch locations are an example of which component of the entity framework?
entity
338
What fields should be populated on the entity type record to ensure entities are automatically generated based on changes to the source?
table, filter condition
339
What can you do with the compliance admin role?
Set up the Policy and Compliance application; coordinate and facilitate configuration requests; delete authority documents, citations, policies, policy statements, and controls.
340
What can you do with the compliance user role?
Create policies and manage the policy lifecycle; relate policies to control objectives; send out policy acknowledgement campaigns and monitor progress; schedule and follow up on attestations for control validation; respond to indicator tasks; create, manage, and review issues; request evidence for controls, policies, and issues.
341
What can you do with the compliance manager role?
Manage the compliance library, which includes authority documents, citations, and control objectives; relate control objectives to citations and policies; create and manage entity types and entity filters; leverage entity types and entities for scoping; approve and retire policies; approve and track policy exceptions; manage policy acknowledgement campaigns and related audiences; triage, monitor, and review compliance issues; monitor control testing and control performance.
342
What can you do with the GRC business user role?
Respond to issues and evidence requests; perform indicator tasks; perform remediation tasks.
343
What are tasks for the control Owner?
Respond to control tests and evidence requests on the controls they own; respond to indicator tasks assigned by the compliance team; create and manage control issues.
344
What role does the control Owner need?
sn_compliance.user
345
What three roles are the compliance workspaces designed for?
Corporate compliance manager, corporate compliance analyst, IT compliance manager.
346
What are the roles associated to the corporate compliance analyst persona/workspace?
sn_compliance_ws.corporate_compliance_analyst, which contains the roles sn_compliance.user and sn_audit.user.
347
What are the roles associated to the corporate compliance manager persona/workspace?
sn_compliance_ws.corporate_compliance_manager, which contains the roles sn_compliance.manager, sn_compliance_ws.corporate_compliance_analyst and sn_audit.manager.
348
What are the roles associated to the IT compliance manager persona/workspace?
sn_compliance_ws.it_compliance_manager, which contains the roles sn_compliance.manager and sn_audit.manager.
349
What are three choice List fields on the control objective to classify it?
Category, classification, type
350
What is a control?
the implementation of a control objective for a scoped entity.
351
What happens when a control is determined to be noncompliant?
The compliance percentage score is rolled up to related upstream records, An issue is created
352
What defines an internal practice that an organization must follow to ensure compliance?
policy
353
Which role is required for sending out policy acknowledgement campaigns to the audience?
Compliance user [sn_compliance.user]
354
Who can redline policy with Office365 integration?
Reviewer
355
In what policy state is the KB article created in the GRC knowledge base?
Published
356
What are available answers for acknowledgement responses by the audience members in the Employee Center?
accept, request exception, decline
357
What happens to policy acknowledgement requests when someone leaves an organization and is no longer a valid member of an audience?
Existing acknowledgement tasks are automatically cancelled
358
The compliance analyst wants to create a group of control attestations. However, she is unable to add one of the control attestation records to the group. What could be the reason(s)?
It is already cancelled, already complete, not assigned to her
359
After controls are generated for entities , control owners need to validate that a control is implemented before evaluating its effectiveness. How do they validate this?
Control attestation
360
What is the Triage Issue lifecycle?
New, Analyze, Review, Close
361
Fundamentals, intro to risk, risk architecture: a set of definitions.
362
What are tasks that a risk admin performs?
Set up the Risk Management and Advanced Risk applications; coordinate and facilitate configuration requests; maintain connections across the enterprise and integrations throughout the ServiceNow platform.
363
What are tasks that a risk manager performs?
Create risk statements; create entity types and classes; create indicator templates; retire risks; initiate risk assessments for any entity; set up the risk assessment scheduler; process risks; triage issues; create remediation tasks.
364
What are tasks that a risk user/owner performs?
Create risks, risk events and indicators; update risk records; relate controls to a risk; view entities; create risk issues; update remediation tasks; read risk statements; create risk assessments for owned entities; respond to assigned advanced risk assessments.
365
What are tasks that a risk reader performs?
Receives read access to most risk reporting tables and risk dashboards; generally given to managers and executives to monitor their risk posture; completes tasks assigned by the risk team such as risk assessments, issue tasks, indicator tasks, remediation tasks, and risk event tasks.
366
What are risk specific tasks that a GRC business user performs?
Respond to risk assessments; respond to issue tasks, indicator tasks, remediation tasks, and risk event tasks; report risk events in their business.
367
What are the three persona/workspace based roles for risk?
Operational risk manager, Business operational risk manager, and IT risk manager
368
What is the role required for the operational risk manager workspace view?
sn_risk_workspace.operational_risk_manager; contained in the roles sn_risk.manager, sn_compliance.manager and sn_audit.manager.
369
What is the role required for the business risk manager workspace view?
sn_risk_workspace.business_op_risk_manager; contained in the roles sn_risk.user, sn_compliance.user and sn_audit.user.
370
What is the role required for the IT risk manager workspace view?
sn_risk_workspace.IT_risk_manager; contained in the roles sn_risk.manager, sn_compliance.manager and sn_audit.manager.
371
What are mitigating controls?
Methods used to reduce the overall likelihood and impact of a threat.
372
What is risk appetite?
Risk appetite is the degree of uncertainty (risk) an organization is willing to accept in pursuit of its objectives; equivalently, an organization's risk capacity, or the maximum amount of residual risk it will accept after mitigating controls and other measures have been put in place.
373
What is risk tolerance?
Risk tolerance is the amount of deviation from an organization’s risk appetite that is accepted to achieve a specific objective based on specified parameters.
374
What is risk threshold?
Risk threshold is the level of risk exposure above which risks are addressed and below which risks may be accepted. Anything above the threshold level is beyond what an organization will tolerate.
375
What are the three types of risk indicators?
Manual, basic, script.
376
What 3 key principles are covered by risk assessments?
Identify, analyze, evaluate.
377
What application should be installed if a customer wants to show the aggregation of risks?
Advanced risk management
378
Which of the following are true statements about records in the risk statement table?
Risk statements serve as a template to generate a risk record for a scoped entity. A risk statement is typically related to multiple registered risks. Advanced risk is required to create parent-child relationships between risk statements. NOT TRUE: Risk statements are assessed in the advanced risk assessment process.
379
What can be related to a risk that will reduce either its likelihood of occurring or its impact should it occur?
controls
380
The level of risk exposure above which risks are addressed and below which risks may be accepted is known as what?
Risk threshold
381
What advanced risk role is needed to create factors that can be used in an advanced risk assessment?
ARA admin
382
What workspace roles is typically assigned to individuals that are risk owners?
Business operational risk manager
383
What are the five stages for the risk identification workflow?
Information gathering, inherent risk assessment, risk mapping, compliance mapping, control mapping.
384
What tools are available to a risk manager to identify risks?
Risk identification questionnaires Risk identification workflow on the Risk Workspace
385
During the risk identification process on the Risk Workspace, what step in the guided set up allows users to generate new risks?
Risk Mapping
386
What could trigger the generation of a risk identification questionnaire?
New records created in the class specified on the Risk Identification Configuration record, or new records created in a table specified on the Risk Identification Configuration record. (Incorrect answers included references to a group rule or an assignment rule rather than an identification configuration record.)
387
What step in the guided setup allows the risk manager to relate the entity with the policies and citations?
Compliance Mapping
388
How do you enable advanced risk assessments?
Navigate to Advanced Risk Assessment > Administration > Properties and select "Yes" for Migrate to Advanced Risk Assessments
389
What is a RAM
risk assessment methodology - a unique risk assessment template that can be used to generate a risk assessment instance. This risk assessment instance will allow users to assess a risk scoped with an entity or an object.
390
What are the two types of RAMs
Risk based, object based
391
What are the characteristics of a risk based RAM
It is used to assess a risk that has been scoped with an entity. This type of risk is sometimes referred to as a registered risk.
392
What are the characteristics of an object based RAM?
Object based RAMs are used for less granular things than risk based RAMs, such as a new product, process, project, etc.
393
What are the five workflows that can be included with a RAM template?
inherent risk, control effectiveness, residual risk, target risk, and risk response
394
who would primarily be responsible to create the standard risk management taxonomy and map recommended controls to mitigate those risks?
Risk manager
395
Which principle in risk management is this: comparing the results of the risk analysis with the established risk criteria and determines next steps
Risk evaluation
396
Which of the 5 RAM workflows are questionnaires to which an assessor will respond?
Residual risk, inherent risk, target risk and control effectiveness; not risk response.
397
What is the purpose of the GRC business user role?
It is used for people who need to perform GRC tasks, only in the context of things that are assigned specifically to them.
398
What are tasks done by people with GRC business user role?
Take assessments, take attestations, update assigned tasks, issues, and indicator tasks.
399
What role requires activation of a specific plugin and mapping of other roles to it?
sn_grc.business_user_lite
400
What is the advantage/ importance of entity scoping
Automates entity, risk, and control generation for continuous monitoring
401
If you have a risk hierarchy with a parent risk statement and multiple child risk statements, and you relate an entity type to the parent risk statement, will risks get created for the children risk statements?
no, you need to relate the entity type to the children risk statements for the risks to be automatically created.
402
When creating a dependency model, is it possible to create a Parent child relationship to the same class?
Yes, but only on the workbench.
403
Compliance manager role: what is it and what does it contain?
sn_compliance.manager; contains sn_compliance.user and sn_risk_advanced.ara_creator.
404
Compliance user role: what is it and what does it contain?
sn_compliance.user; contains sn_risk.reader and sn_compliance.reader.
405
Corporate compliance manager role: what is it and what does it contain?
sn_compliance_ws.corporate_compliance_manager; contains sn_compliance.manager and sn_compliance_ws.corporate_compliance_analyst.
406
IT compliance manager role: what is it and what does it contain?
sn_compliance_ws.it_compliance_manager; contains sn_compliance.manager.
407
Corporate compliance analyst role: what is it and what does it contain?
sn_compliance_ws.corporate_compliance_analyst; contains sn_compliance.user.
408
What happens when a policy exceeds the valid to date?
If there are reviewers, it goes back to the Review state. If there are no reviewers, it goes back to the Draft state.
409
What are the types of controls?
Standard (the original: 1 control per entity and control objective); Unique (additional controls for the same entity and control objective combination; also a standard control); Common (related to a primary entity that is tested, with other reliant entities that inherit the result).
410
Where can a control owner go to perform control attestations
Service portal (My attestations), Classic View (P&C ->My Attestations), Employee Center (GRC Tasks)
411
When would you use unique controls?
To get additional control objective granularity
412
What are some characteristics of a common control?
Only available in the compliance workspace, must have one primary entity relationship, testing occurs only on the primary entity, can have reliant entity relationships, reliant entities inherit the testing results of the primary entity.
413
How many entities can you convert at one time from standard control to a reliant entity?
15
414
What are the benefits of a compliance score calculation?
A nuanced result, key operational insights, and it enables remediation.
415
Who can change the properties for a policy acknowledgment campaign?
Compliance admin
416
Who can view the responses/status for a policy acknowledgment campaign?
Compliance reader
417
What role is required to acknowledge policies?
GRC business user (??)
418
For policy exceptions, when do you need an integration registry?
When the exception is being requested from a non-GRC application.
419
For policy exceptions, when do you use an exception questionnaire?
Optionally when the exception is being requested from a non-GRC application.
420
Who configures the options for policy exceptions, including questionnaires, verification rules, and approval rules?
Compliance admin
421
What are the two different approval flows for policy exceptions?
The initial approval flow is "Generate initial approvals for policy exception" and uses the verification rules. The final approval flow is "Generate final approvals for policy exception" and uses the approval rules.
422
For a policy exception initiated within GRC, what happens if there are no approval rules defined?
The owners of the controls impacted by the exception will be the approvers.
423
What are the key differences between classic and advanced risk?
Advanced Risk has: multiple levels (a hierarchy) of risk statements; risk score roll-up; assessments contribute to the risk score along with a customer-provided formula; objects can be assessed in addition to scoped risks; question types can be other than qualitative or quantitative; integration with other ServiceNow applications. Classic Risk has no statement hierarchy, assessments do not contribute to the risk score, only scoped risks can be assessed, and question types are only qualitative or quantitative.
424
What are the type of factors used in advance risk?
Manual & Base automated, which includes automated scripted and automated query.
425
What are manual factors?
Questions that require human responses.
426
What are automated factors?
Factors where data is automatically fetched from ServiceNow tables or other sources. Scripted automated factors use scripts; query automated factors use a table query.
427
What are group factors?
Manual or automated factors that are grouped together to provide one combined score.
428
True or false, a factor can be related to multiple RAMs.
False
429
What are the key attributes of a factor?
Response type, weight, guidance text
430
If you're trying to group factors, but you are unable to do it, what is the likely cause?
The factors have not yet been published.
431
Enabling the property for advanced risk assessment will change which forms and how.
Risk, entity and risk statement forms: new related lists for ARA assessments, new fields added for aggregated risk scores, and fields removed for manual risk calculations.
432
What are the configuration options for an inherent assessment in an advanced risk RAM?
Assessment contribution (qualitative and or quantitative), scoring logic, qualitative rating criteria
433
What are the configuration options for a Control effectiveness assessment in an advanced risk RAM?
Control assessment options, control identification, qualitative rating criteria
434
What are the configuration options for a residual assessment in an advanced risk RAM?
Calculation basis, matrix.
435
The residual assessment calculation for a RAM is generally based on _________ and _________
Inherent risk assessment and control effectiveness assessment.
436
What are the configuration options for a target risk assessment in an advanced risk RAM?
Calculation basis, qualitative rating criteria
437
Can you move a RAM back into the draft state?
Only if there are no assessment instances.
438
What is the lifecycle for the advanced risk assessment instance?
Ready to assess, assessment types (inherent, control, residual, target), respond, awaiting approval, monitor.
439
What role is required to initiate an advanced risk assessment and assign the assessor?
sn_risk_advanced.ara_creator
440
What role is required to perform an advanced risk assessment?
sn_risk_advanced.ara_assessor
441
What role is required to do an advanced risk approval?
sn_risk_advanced.ara_approver
442
What are the four types of risk response tasks?
Accept, mitigate, avoid, transfer
443
Which indicator type leverages platform automation to gather records (TQ)
Basic (and Scripted?)
444
What needs to be done in order for indicators to be automatically generated?
Relate indicator templates to control objectives and risk statements.
445