GRC Part 1

Question 1

What is the database table name for Control Objectives starting with Orlando?

Answer 1

sn_compliance_policy_statement

Question 2

Can you nest or stack policy records?

Answer 2

Yes

Question 3

Can you nest or stack control objectives?

Answer 3

Yes

Question 4

What GRC record generates a KB article when approved

Answer 4

Policy

Question 5

What must be set up for controls to be generated?

Answer 5

The Control Objective has the checkbox for “Create Controls Automatically” checked and Entity Type is applied to the Control Objective,

Question 6

Attestations are generated when a control is moved from draft to what?

Answer 6

Attest

Question 7

What can you do with the Policy Acknowledgement feature?

Answer 7

Send out policies for review & acknowledgement, Track responses on the campaign record, designate the campaign audience for acknowledgement.

Question 8

What can you NOT do with the Policy Acknowledgement feature

Answer 8

Enable employees to ask for more info about the policy.

Question 9

A control attestation can be used to measure the level of compliance - T or F

Answer 9

False

Question 10

How many entity types can an entity belong to?

Answer 10

None, 1 or multiple

Question 11

Entities can be added to an entity type via what methods?

Answer 11

Manually, from the All Entities module or using a filter defined on the Entity Type record.

Question 12

Entities can be added to an entity type on a Policy Related List - True or False

Answer 12

False

Question 13

An entity must always relate to a record in a ServiceNow table - True or False

Answer 13

False

Question 14

What records are generated when an entity type is related to a risk statement/template?

Answer 14

Risks, Risk Indicators (if there is an indicator template related to the risk statement)

Question 15

Risk Frameworks are required records in Risk Framework Process - T or F

Answer 15

False

Question 16

What’s another name for Risk Statement Records

Answer 16

Risk Templates

Question 17

Risk statements can be nested or created in a hierarchy - T or F

Answer 17

True

Question 18

Risk Events always involve a loss - T or F

Answer 18

False

Question 19

Customers may refer to Risk Events as Loss Events - T or F

Answer 19

True

Question 20

Risk Events are the same as Risk Statements - T or F

Answer 20

False

Question 21

Risk Events can be related to Risks - T or F

Answer 21

True

Question 22

What is the module name for all Registered Risks?

Answer 22

Risk->Risk Register->All Risks

Question 23

Entity Types can be applied at what level to generate risks?

Answer 23

Risk Framework and Risk Statement/Template

Question 24

Default Risk Scoring Method in SN baseline is ___

Answer 24

Quantitative

Question 25

What does ALE refer to in Risk Scoring

Answer 25

Annualized Loss Expectancy - Expected loss in a single year - SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)

Question 26

What is equivalent to SLE in Qualitative Risk Scoring?

Answer 26

Single Loss Expectancy - Impact - $$$$

Question 27

What is equivalent to ARO in Qualitative Risk Scoring?

Answer 27

Annual Rate of Occurrence - Likelihood - %

Question 28

Which type of risk is “worst case scenario” according to ServiceNow?

Answer 28

Inherent (not residual or calculated)

Question 29

Calculated Risk Scoring values are impacted by Controls and Indicators. Can you configure one control to have more weight than another control?

Answer 29

Yes

Question 30

Risk Responses are generated after Risk Assessments are complete - T or F

Answer 30

True

Question 31

Which fields cover the duration covered by the audit? (not the dates that the audit occurred)

Answer 31

Audit Period (start and end)

Question 32

When creating an audit engagement record, what record is used to scope the audit?

Answer 32

Entity

Question 33

Control Test Records are set up to control the Design of the Control and the Effectiveness of the Control. When is a control set to ineffective?

Answer 33

When either the design effectiveness or the operational effectiveness of the control are set to ineffective.

Question 34

When an audit engagement is created and an entity is related to it, what records are automatically related to the engagement when it moves to Validate?

Answer 34

Risks, Controls, Test Plans, Indicator Results

Question 35

When an audit engagement is created and an entity is related to it, what records are NOT automatically related to the engagement?

Answer 35

Policies, Control Objectives

Question 36

A control objective in SN GRC is often called what by people in the GRC industry? (3)

Answer 36

Control Objective, Requirement, Control Template

Question 37

If an entity type has 5 entities related to it, then when the entity type is related to a control objective, 5 controls will ALWAYS be generated - T or F

Answer 37

False - Depends on whether the “Create Controls automatically” checkbox is checked on the control objective.

Question 38

Can you nest or stack Risk Statements?

Answer 38

Yes, but only with Advanced Risk (and post NY)

Question 39

Can a Risk Manager update Entity Types and Entities?

Answer 39

Yes (requires grc.manager and risk manager inherits it)

Question 40

Entity Types can be applied at what level to generate Registered Risks

Answer 40

Risk Framework or Risk Statement

Question 41

Alternative Terms for a Control Objective (4)

Answer 41

Control, Control Template, Requirement, Policy Statement

Question 42

Alternative Terms for an Entity (4)

Answer 42

Scope definition, Scope Object, Target, Profile

Question 43

Alternative Terms for an Entity Type (1)

Answer 43

Entity Group

Question 44

Alternative Term for a Control (1)

Answer 44

Control Instance

Question 45

Alternative Term for a Risk Statement

Answer 45

Risk Template

Question 46

Alternative Term for an Issue

Answer 46

Finding

Question 47

NY onward - table name for Entity Class

Answer 47

sn_grc_profile_class

Question 48

NY onward - table name for Entity Type

Answer 48

sn_grc_profile_type

Question 49

NY onward - table name for Entity

Answer 49

sn_grc_profile

Question 50

NY onward - table name for Control Objectives

Answer 50

sn_compliance_policy_statement

Question 51

What are compliance related roles in order of inheritance

Answer 51

Compliance Developer, Admin, Manager, User, Reader

Question 52

What are Risk related roles in order of inheritance

Answer 52

Risk Admin, Manager, User, Reader

Question 53

What roles do you get with GRC Developer?

Answer 53

Compliance Developer

Question 54

What roles do you get with GRC Admin?

Answer 54

Risk Admin and Compliance Admin

Question 55

What roles inherit Survey Reader?

Answer 55

Compliance User and Risk User

Question 56

What role will Compliance Managers group get?

Answer 56

sn_compliance.manager

Question 57

What can Compliance Managers with sn_compliance.manager role do?

Answer 57

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policies, Control Objectives, Policy Exceptions, Controls, Authority Documents, Citations

Question 58

What role will Compliance Analysts group get?

Answer 58

sn_compliance.user

Question 59

What can Compliance Analysts with sn_compliance.user role do?

Answer 59

1) View Authority Documents and Citations 2) Create Policies, Control Objectives, Policy Exceptions and Controls

Question 60

What can Compliance Managers do that Analysts cannot?

Answer 60

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Authority Documents, Citations

Question 61

What role will Risk Managers get?

Answer 61

sn_risk.manager

Question 62

What can Risk Managers do with the sn_risk.manager role?

Answer 62

1) Create Entity Classes, Entity Types and Entities 2) Create Issues, Indicators and Remediation Tasks 3) Create Policy Exceptions 4) View Risk Frameworks, RIsk Statements, Assessments, Risk Response Tasks 5) Create Risks, Risk Frameworks, Risk Statements 6) View GRC Workbench

Question 63

What role will Risk Analysts get?

Answer 63

sn_risk.user

Question 64

What can Risk Analysts do with the sn_risk.user role?

Answer 64

1) Create Policy Exceptions 2) View Risk Frameworks, Risk Statements, Assessments, Risk Response Tasks, Risks

Question 65

What role is needed to answer a risk assessment?

Answer 65

No role

Question 66

What role is needed to create a risk assessment

Answer 66

Risk Assessment Creator (sn_risk.asmt_creator)

Question 67

What role is needed to answer a control attestation?

Answer 67

No role

Question 68

What role is needed to create policies?

Answer 68

Compliance User (Analyst)

Question 69

What role is needed to approve policies?

Answer 69

Compliance User (Analyst)

Question 70

What role is needed to Submit a control for attestation?

Answer 70

Compliance User (Analyst)

Question 71

What role is needed to create an issue for Risk?

Answer 71

Risk User

Question 72

What role is needed to Create an indicator template for Risk?

Answer 72

Risk Manager

Question 73

What role is needed to Create a Policy Exception from Control Issue?

Answer 73

Compliance User (Analyst)

Question 74

What role is needed to retire policies

Answer 74

Compliance Manager

Question 75

An entity can only be related to a single entity class - T or F

Answer 75

True

Question 76

What tables are frequently used on the Entity Type filter to generate Entities

Answer 76

Department, Group, Service (not Control or Indicator)

Question 77

Entity Owner is derived from Managed by field on the Service record for the Critical Service Entity Type - T or F

Answer 77

True

Question 78

What tables are extended from the Document table?

Answer 78

Risk Framework, Policy, Authority Document

Question 79

What tables are extended from the Content table?

Answer 79

Risk Statement, Control Objective, Citation

Question 80

What tables are extended from the Item table?

Answer 80

Risk, Control

Question 81

What is the Policy Lifecycle?

Answer 81

Draft, Review, Awaiting Approval, Published, Retired

Question 82

Who can create a Policy?

Answer 82

Compliance Users/Analysts and above

Question 83

Who can set a Policy to Review state?

Answer 83

Compliance users/analysts and above

Question 84

Who can move a Policy from Review to its next state?

Answer 84

Named reviewer or the Policy Owner

Question 85

Compliance admins can move a Policy from Review to its next state - T or F

Answer 85

False

Question 86

A policy waiting for apporval will be published when at least 1 approver approves it - True or False

Answer 86

False - all approvers must approve it.

Question 87

What happens when a Policy is published?

Answer 87

A KB article is created

Question 88

Who can retire a policy?

Answer 88

Compliance Manager or Policy Owner

Question 89

What is the Control lifecycle?

Answer 89

Draft, Attest, Review, Monitor, Retire

Question 90

Who can modify a Draft control?

Answer 90

Compliance users/analysts

Question 91

Who can use Attest button on a Draft control?

Answer 91

Compliance users/analysts

Question 92

Who can complete an attestation?

Answer 92

The person to whom it is assigned

Question 93

Can a system admin complete an attestation for someone?

Answer 93

Only via impersonation

Question 94

What is best practice when an attestation cannot be completed by its assignee?

Answer 94

Return the control to Draft state.

Question 95

Who moves a control to the Review state?

Answer 95

It happens automatically when the attestation is done

Question 96

Who can move a control from Review to Monitor?

Answer 96

Compliance Manager

Question 97

When a control is in Monitor state, Indicators can be scheduled - T or F

Answer 97

True

Question 98

Who edits the control in a Monitor state?

Answer 98

Controls are usually not edited when in Monitor. Updates happen via Indicators.

Question 99

When does a control go to the Retire state?

Answer 99

Compliance is no longer required or relevant to the business (manually retired) or if the Entity becomes inactive (auto-retired)

Question 100

When a control is in Retired state, Indicators will run - T or F

Answer 100

False

Question 101

Who can manually retire a control?

Answer 101

Compliance Manager

Question 102

What is the Issue lifecycle?

Answer 102

New, Analyze, Respond, Review, Closed

Question 103

Who can create a new issue?

Answer 103

Compliance, Risk or Audit User

Question 104

An issue can be related to what other things? (6)

Answer 104

Entities, Control Objectives, Risk Statements, Controls, Risks, other Issues

Question 105

Who can move issue to Analyze?

Answer 105

Any GRC user

Question 106

Who can move issue to Respond?

Answer 106

Any GRC User

Question 107

What things will auto-trigger an issue creation? (4)

Answer 107

1) Indicator Result=Failed or Not Passed, 2) Control Attestation result is Not Implemented, 3) Control Test with state Closed Complete and Control effectiveness=Ineffective, 4) Continuous monitoring based on Configuration Test scanning results

Question 108

What is the Policy Exception Lifecycle?

Answer 108

New, Analyze, Risk Assessment, Review, Awaiting Approval, Approved, Closed

Question 109

Who can request a Policy Exception?

Answer 109

Any internal user.

Question 110

How does a Policy Exception go from New to Analyze?

Answer 110

Requester uses Request Approval UI Action/button.

Question 111

Who performs the Analyze phase of the Policy Exception?

Answer 111

Compliance Manager

Question 112

How does a Policy Exception get to the Risk Assessment state?

Answer 112

Compliance Manager requests a risk assessment.

Question 113

What happens when a Compliance Manager requests a risk assessment for a Policy Exception?

Answer 113

A notification goes to the Risk Manager’s group and a risk manager performs the assessment.

Question 114

How does a Policy Exception get to the Review state?

Answer 114

Compliance Manager requests a risk assessment and risk manager requests a review.

Question 115

What happens when a Policy Exception is set to Review by the Risk Manager?

Answer 115

Notification goes to the Compliance Manager.

Question 116

What happens after a compliance manager is notified that a Policy Exception needs a Review?

Answer 116

Compliance manager can either 1) Approve the Policy Exception 2) Reject the Policy Exception or 3) Request a Business Level Approval.

Question 117

How does a Policy Exception get to the Awaiting Approval state?

Answer 117

Compliance manager request Business Level Approval.

Question 118

How does a Policy Exception get to the Approved state?

Answer 118

Compliance manager approves it during Review or Business Level approver approves it when it is Awaiting Approval.

Question 119

How does a Policy Exception get to the Closed state?

Answer 119

Compliance manager rejects it during review (maybe?) or otherwise sets it to Closed.

Question 120

Who can request an extension to an approved Policy Exception?

Answer 120

Control Owner

Question 121

Where can you initiate a Policy Exception? (6)

Answer 121

Policy Exception modules, Related Lists - Issue/Control Objective/Policy, other integrated SN applications, Service Portal

Question 122

What happens during Analyze phase of a Policy Exception?

Answer 122

Compliance manager will review and update Source, Schedule, Comments, look at impacted Controls, mitigating controls and risks, update business impact analysis including residual likelihood, impact and score.

Question 123

What are options for the compliance manager when the analysis is complete for a Policy Exception? (4)

Answer 123

Compliance manager can either 1) approve it 2) Request more info from the Control Owner 3) Request that a Risk Manager review it (where it goes to Review state) 4) Request a business owner approval

Question 124

What is the Policy Acknowledgement lifecycle?

Answer 124

New, Pending Acknowledgement, Closed, Cancelled

Question 125

Who can create a Policy Acknowledgement campaign?

Answer 125

Compliance User/Analyst

Question 126

Who can designate the audience for a Policy Acknowledgment campaign?

Answer 126

Compliance Admin or Compliance Manager

Question 127

Who can be added to a Policy Acknowledgement campaign?

Answer 127

Users, Groups, filtered user definition.

Question 128

Where can audience members of a Policy Ack campaign respond?

Answer 128

On the portal.

Question 129

How can audience members of a Policy Ack campaign respond?

Answer 129

Accept, Decline or Request Exception (if allowed)

Question 130

When does a Policy Ack campaign get closed?

Answer 130

When it’s overdue. (any other???)

Question 131

When does a Policy Ack record get reset?

Answer 131

When a policy exception is expired

Question 132

Who can cancel a Policy Ack campaign?

Answer 132

Compliance manager or owner of the campaign

Question 133

What Policy and Compliance components do you get to via the P&C->Compliance module?

Answer 133

Authority Documents (sn_compliance_authority_document) and Citations (sn_compliance_citation)

Question 134

What Policy and Compliance components do you get to via the P&C->Policies and Procedures

Answer 134

Policies (sn_compliance_policy) and Control Objectives (sn_compliance_policy_statement)

Question 135

What module do you use to get to Authority Documents?

Answer 135

Policy and Compliance->Compliance

Question 136

What module do you use to get to Citations?

Answer 136

Policy and Compliance->Compliance

Question 137

What module do you use to get to Policies?

Answer 137

Policy and Compliance->Policies and Procedures

Question 138

What module do you use to get to Control Objectives

Answer 138

Policy and Compliance->Policies and Procedures

Question 139

What are table names for policy acknowledgement campaign and policy acknowledgement record

Answer 139

sn_compliance_policy_acknowledgement

sn_compliance_policy_acknowledgement_instance

Question 140

Which Script Include? Requirement is to modify who can edit a policy in the Review State.

Answer 140

ComplianceUtils

Question 141

Which Script Include? Requirement is to modify how compliance scores roll up.

Answer 141

ComplianceScoreCalculator

Question 142

Which Script Include? Requirement is to display the number of controls excluded from the compliance score.

Answer 142

AssessmentStrategy

Question 143

Which Script Include? Requirement is to use a different criteria to create control records.

Answer 143

ControlGeneratorStrategy

Question 144

Which Script Include? Requirement is to add a new state to Policy Exception process

Answer 144

PolicyException

Question 145

Which Script Include? Requirement is to modify the policy acknowledgement process.

Answer 145

PolicyAcknowledgementUtil

Question 146

How is compliance score calculated when there are no children control objectives?

Answer 146

((Sum of weight of compliant controls)/ (Sum of weight of all controls))*100 - excluding any in states of Draft,Retired or Not Applicable

Question 147

How is compliance score calculated when there ARE children control objectives?

Answer 147

Calculate compliance percentage of parent control same as if it did not have children -> ParentPerc
Get average score for all downstream (child) controls.
->ChildAvg
Score=(ParentPerc+ChildAvg)/2

Question 148

What happens if a compliance manager requests a business approval for a Policy Exception?

Answer 148

Policy Exception Business Owner Approval workflow sends a notification to the control owners for all of the controls in the impacted controls related list.

Question 149

For P&C - Entity Types can be applied to what objects (2) and which is the best practice?

Answer 149

Policies and Control Objectives. Control Objectives is best practice.

Question 150

What are the Policy Exception workflows?

Answer 150

Policy Review, Policy Approval, Policy Exception and Policy Exception Business Owner Approval

Question 151

What P&C tables can have SLAs associated with them?

Answer 151

Indicator Tasks, Issues, Policy Exceptions

Question 152

What Risk tables can have SLAS associated with them?

Answer 152

Risk Responses and Remediation Task

Question 153

What Audit tables can have SLAS associated with them?

Answer 153

Control Test, Interview, Audit, Walkthrough Task

Question 154

What Risk Event tables can have SLAS associated with them?

Answer 154

Risk Events, Risk Event Tasks

Question 155

What GRC tables are not extended from Task? (6)

Answer 155

Control, Control Objective, Registered RIsk, Risk Statement, Risk Framework, Policy

Question 156

What is the Risk Record Lifecycle

Answer 156

Draft, Assess, Respond, Review, Monitor, Retired

Question 157

Who can create a risk?

Answer 157

Risk User

Question 158

Who can create a risk statement?

Answer 158

Risk Manager

Question 159

Who can create a risk framework?

Answer 159

Risk Manager

Question 160

Who can return a risk to the Draft state?

Answer 160

Risk Manager

Question 161

Who performs risk assessment?

Answer 161

Usually Risk Owner

Question 162

What happens during risk assessment?

Answer 162

Risk is reviewed and either sent back to draft or the assessment is completed which moves the risk to Respond and generates Risk Responses

Question 163

What is the Risk Response lifecycle?

Answer 163

Draft, Work in Progress, Review, Closed

Question 164

What is “Governance” in GRC?

Answer 164

Policies and oversight to ensure consistent sustainability of internal controls and objectives while understanding inherent risk and adhering to external laws and regulations.

Question 165

What is “Risk Management” in GRC?

Answer 165

Process of determining where the org is vulnerable and exposed. Manages and monitors the System of Internal Controls

Question 166

What is “Compliance Management” in GRC?

Answer 166

Implements and manages the governance structure by managing and monitoring the system of internal controls.

Question 167

What is “Audit Management” in GRC?

Answer 167

Internal or External consultancy process to prove effectiveness of controls that are used to ensure the effectiveness of compliance.

Question 168

Where does SN GRC store external legislation/regulation data?

Answer 168

Authority documents - headers and citations. These documents dictate things an organization should do.

Question 169

What are some sources of authority documents

Answer 169

UCF (United Compliance Framework) and HITRUST, COSO, Lexis-Nexis

Question 170

How can customers use the UCF?

Answer 170

UCF will map headers and citations to control objectives.

Question 171

What is an Entity?

Answer 171

Records that aggregate GRC information related to a specific item - can be a record in any table in the instance. Examples would be applications, locations, business services, etc.

Question 172

What is a Citation?

Answer 172

Specific requirement in an authority document. Citation record relates an Authority Document to its applicable control.

Question 173

What is a policy?

Answer 173

Internal practice followed by business process to ensure compliance and reduce risk. Related to authority documents and controls.

Question 174

Where are policies published in SN?

Answer 174

Knowledge base

Question 175

What is a control objective?

Answer 175

Specific details that a process follows within a policy. They are the templates from which controls are generated.

Question 176

What is a control?

Answer 176

Actual control activity to be performed by an organization. Contains information such as owner, activity and frequency. Related to Authority Documents, Policies, and Risks via Control Objectives

Question 177

What is an issue?

Answer 177

GRC task to track control and risk issues.

Question 178

What is an indicator?

Answer 178

A metric to collect data to monitor controls and risks and collect audit evidence.

Question 179

What is a risk framework?

Answer 179

Manageable hierarchy of Risk Statements. Formalized process for managing risk. Consists of assessment, response, accountability, remediation. Related to Entity Types and Risk Statements

Question 180

What is a risk statement?

Answer 180

Defined consequence when a threat exploits a vulnerability.

Question 181

What is a risk register?

Answer 181

Repository of key attributes of potential and known risk issues.

Question 182

What is a risk?

Answer 182

Specific occurrence of a risk statement against a single entity. Also, threat or vulnerability that can adversely affect an organization’s businesses objectives. Can be related to Policies, Controls or Remediation Tasks.

Question 183

What are the possible outcomes for a risk?

Answer 183

It can be mitigated, prevented or controlled using Controls and Control Tests.

Question 184

What is Risk Criteria?

Answer 184

Qualitative or Quantitative values against which level of risk is evaluated

Question 185

What is the Risk’s Residual Score?

Answer 185

Score AFTER response strategy is implemented.

Question 186

What is the Risk’s Inherent Score

Answer 186

Score BEFORE response strategy is implemented.

Question 187

What is the Risk’s Calculated Score?

Answer 187

Score derived from inherent and residual scores - refers to actual exposure of risk based on quality of the control system.

Question 188

What is the Risk’s Inherent Likelihood?

Answer 188

Likelihood BEFORE response strategy is implemented.

Question 189

What is the Risk’s Inherent RIsk?

Answer 189

Level of Risk BEFORE response strategy is implemented.

Question 190

What is the Risk’s Residual Likelihood?

Answer 190

Likelihood AFTER response strategy is implemented.

Question 191

What is the Risk’s Residual RIsk?

Answer 191

Level of Risk AFTER response strategy is implemented.

Question 192

What is the Risk’s Qualitative Impact?

Answer 192

Uses Impact (significance of risk) and Likelihood (probability of risk occurring) ratings. Result is impact*likelihood.

Question 193

What is the Risk’s Quantitative impact?

Answer 193

SLE (Single Loss Expectancy) * ARO (Annualized rate of occurrance) = ALE (annualized Loss Expectancy)

Question 194

What is an audit engagement?

Answer 194

Audit project with audit tasks to accomplish specific objectives.

Question 195

What is an audit test plan?

Answer 195

A specific audit test of the effectiveness of a control. Used to generate control tests during engagements.

Question 196

What is an audit test plan template?

Answer 196

Used to establish criteria for many test plans. Related to control objectives.

Question 197

What is an audit task?

Answer 197

Task completed to provide evidence that a control is operating effectively

Question 198

What are the 4 types of audit tasks?

Answer 198

Control Tests, Interviews, Walkthroughs and Activities

Question 199

What are some examples of Authority Documents?

Answer 199

GDPR, HIPPA, Sarbanes-Oxley

Question 200

Where do UCF control documents go in SN GRC?

Answer 200

Control Objectives

Question 201

If you import the UCF framework to SN GRC, what tables will be populated? What relationships will be created?

Answer 201

Authority Documents, Citations, Control Objectives

Auth Doc->Citations, Citations->Ctl Obj, Relationships between overlapping Auth Docs/Citations/Ctl Objs.

Question 202

What are the different policy types? (6)

Answer 202

Procedure, Standard, Plan, Checklist, Framework, Template

Question 203

What are attestations?

Answer 203

Surveys to gather evidence to prove a control is implemented.

Question 204

Attestations are used to measure if a control is effective - T or F

Answer 204

False, Indicators are used to measure effectiveness. Attestations are just to gather evidence.

Question 205

What drives the compliance status for a control?

Answer 205

The attestation results.

Question 206

What are 3 levels of control validation?

Answer 206

Attestation (evidence), Indicators (manual or automated steps to measure effectiveness, Tests (used during audit to validate that the control is effective)

Question 207

What are entities?

Answer 207

People/Places/Things that require 1 or more of these: Risk management, Controls to be applied, Audits to be conducted.

Question 208

What can entities be related to?

Answer 208

Entity Types, upstream and downstream entities, downstream risks, downstream controls

Question 209

What are entity types assigned to?

Answer 209

Control Objectives and Risk Statements (can be assigned to policies or risk frameworks also, not best practice?)

Question 210

What is the name of the risk table?

Answer 210

sn_risk_risk

Question 211

Under what module will you find Risk Framework and Risk Statements?

Answer 211

Risk Library

Question 212

Where all can you create a risk?

Answer 212

Risk Framework Entity Type related list, Risk Statement Entity Type related list, Entity Type Risk Framework Related list, Entity Type, Risk Statement Related list. Risks are created as relationships are created.

Question 213

What happens to risk assessments if a risk is retired?

Answer 213

Assessments are cancelled.

Question 214

What are the possible risk response types and what prefix will each type of task have?

Answer 214

Risk Acceptance (APT), Risk Avoidance (AVT), Risk Mitigation (MGT), Risk Transfer (TFT)

Question 215

What is an example of a way to mitigate a risk?

Answer 215

Create a control. Relate the control to the risk.

Question 216

A control is related to a risk for mitigation purposes. What does the Control Weight field signify?

Answer 216

Weight tells us how impactful the control is in mitigating the risk - high impact=high weight, low impact=low weight. Used to determine control failure factor.

Question 217

A control is related to a risk for mitigation purposes. What does the Control Compliance field signify?

Answer 217

Control Compliance is a calculated field based on the # of controls mitigating the risk that have a compliant status. (Empty or N/A status=compliant)

Question 218

A control is related to a risk for mitigation purposes. What does the Control Non-Compliance field signify?

Answer 218

Control Non-Compliance is a calculated field based on the # of controls mitigating the risk that have a non-compliant status.

Question 219

What happens to a Risk Response Task (Avoid, Mitigate, Review types) after it is created?

Answer 219

Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Review.

Question 220

What happens when a Risk Response Task (Avoid, Mitigate, Review type) is set to Review?

Answer 220

The Risk is also automatically set to Review. The Risk Manager will review the Response Task and determine if it can be closed.

Question 221

What happens to a Risk Response Task (Accept type) after it is created?

Answer 221

Risk Response Task Owner moves it to Work In Progress, does necessary steps and sets the Risk Response Task to Awaiting Approval.

Question 222

What happens to a Risk Response Task (Accept type) after it is set to Awaiting Approval?

Answer 222

Risk Owner approves or rejects the task. If approved, the Risk Response Task is set to Review. If rejected, the Risk Response Task is Rejected. The Risk is set to Review.

Question 223

If an “Accept” Risk Response Task is created, what is required to move the task and the risk forward?

Answer 223

Risk Owner Approval

Question 224

Controls can be identified to mitigate risk? How can you get controls to be automatically related to risks?

Answer 224

If a control objective is related to a risk statement (done manually), and if the control objective and the risk statement have the same entity, then a relationships will be automatically created between the registered risks and the controls (control instances.)

Question 225

What is a Risk Event?

Answer 225

Part of Advanced Risk - Potential or actual, financial or non-financial losses, near misses or gains that occur within an organization

Question 226

How are risk events useful?

Answer 226

They provide hard data about existing risks - ability to quantify and validate them, and provide visibility to new risks.

Question 227

What are the 2 types of Risk Events?

Answer 227

Financial, Non-financial

Question 228

Who can report a RIsk Event?

Answer 228

Any employee (via the portal.)

Question 229

What is the Risk Event Lifecycle?

Answer 229

New, Analyze, Awaiting Approval, Approved, Closed/Rejected

Question 230

What happens during the Analyze phase of a Risk Event?

Answer 230

Additional info is gathered, the Risk Event is related to Risks (new or existing), Controls, other RIsk events, response tasks and issues can be created and assigned out, approvers are assigned. When analysis is done, Risk Event is sent for approval.

Question 231

What is minimum role that approvers for a Risk Event need?

Answer 231

Risk User

Question 232

Risk Event is approved when at least 1 designated approver approves it. T or F

Answer 232

False - all approvers must approve it.

Question 233

For a Risk Event to close - all related Issues and Remediation Tasks must be closed. T or F

Answer 233

True

Question 234

What is the role of the person who analyzes a risk event, requests approval and closes the Risk Event?

Answer 234

Risk Manager

Question 235

What happens when an entity is deactivated?

Answer 235

Associated controls, risks, indicators and test plans are all deactivated or retired.

Question 236

What happens when an entity is re-activated?

Answer 236

Associated controls, risks go to Draft. Associated indicators and test plans become Active.

Question 237

Indicators in GRC are used to monitor what?

Answer 237

Controls and Risks

Question 238

What does an indicator do in GRC?

Answer 238

Continuously monitors a controls compliance/non-compliance. Within risk, an indicator will adjust a risk score up or down. Indicators are used to gather evidence of performance for the compliance and risk processes

Question 239

Risk indicators and Policy & Compliance Indicators are stored in 2 different tables. T or F

Answer 239

False. 2 modules, same table.

Question 240

What are the 3 default types/methods of indicators?

Answer 240

Manual, Basic, Script

Question 241

What are additional types of indicators that come with integrations?

Answer 241

Configuration Test, Vulnerability Response, PA Indicator

Question 242

How do you get indicators to get auto-created and related to controls or risks.

Answer 242

Create indicator templates and relate them to Risk Statements and Control Objectives. Then when an entity is applied to a Risk Statement or a Control Objective, the indicator will get related to the risk or control.

Question 243

How do issues get created (5)?

Answer 243

1) Manually 2) If an Indicator gets a result that is Failed or Not Passed 3) If a Control Attestation returns a result of Not Implemented 4) if a Control Test is Closed Complete and the Effectiveness is set to Ineffective 5) Continuous Monitoring (based on Configuration Test scan results)

Question 244

True or False - A control can be marked compliant even if it has an open issue.

Answer 244

False

Question 245

What are the 2 ways to respond to an Issue?

Answer 245

Remediate (can result in remediation tasks) or Accept (meaning the issue is an exception). If accept, the control status is non-compliant until it is re-assessed.

Question 246

Issues can be grouped under a parent. What is the parent record?

Answer 246

An issue.

Question 247

How do you group Issues?

Answer 247

From List view, select issues to group, Select Group from Actions on Selected Rows list.

Question 248

How many times can you request a policy exception for a policy?

Answer 248

1

Question 249

What is a Policy Exception?

Answer 249

A Policy Exception provides temporary relief for a non-compliant control. It will have evidence, comments and rationale to support acceptance or rejection of the Policy Exception request.

Question 250

What are the things for which you might request a Policy Exception (3)?

Answer 250

Policy, Control Objective, Issue (or combination of the 3)

Question 251

A policy exception must have related controls (that are not Draft or Retired) - T of F

Answer 251

False. This is true if the exception is for a Control Objective or an Issue. Not if it is for a Policy.

Question 252

To request a policy exception for an issue, what needs to be true about the issue?

Answer 252

It must not be in Draft or Retired and it must have at least 1 active control.

Question 253

What are the 3 groups of audit users?

Answer 253

Audit Administrators - run the internal audit department , Audit Managers - plan, conduct and manage audit engagements,
Internal Auditors - Conduct control tests and other tasks for an Audit Engagement

Question 254

What does an audit Control Test task do?

Answer 254

Performs a design or operation test to determine the effectiveness of a control

Question 255

When do you use an Interview audit task?

Answer 255

When you need to gather data for auditors, possibly to learn a process or evaluate evidence.

Question 256

When do you use a Walkthrough audit task?

Answer 256

To establish reliability of an organizaton’s internal Control over a procedure or Process

Question 257

What is an Activity audit task used for?

Answer 257

Any miscellaneous activity that is part of the audit process.

Question 258

What is the only kind of Audit task that can have a parent that is another Audit task rather than an Engagement?

Answer 258

Activity audit task.

Question 259

What are the 3 types of Audit Interview Tasks

Answer 259

Structured, Unstructured, Mixed

Question 260

Audit engagements must always be created from scratch. True or False

Answer 260

False. You can use another audit engagement as a template.

Question 261

What is a Test Template?

Answer 261

A generic audit test that applies to a control objective.

Question 262

What is a Test Plan?

Answer 262

A specific audit test that applies to a control

Question 263

What is the Engagement lifecycle?

Answer 263

Scope, Validate, Fieldwork, Awaiting Approval, Follow-up, Closed

Question 264

How do Control Test audit tasks get created during an engagement?

Answer 264

From a Control, go to the Test Plans related list and select Generate Control Test. This will create the audit tasks.

Question 265

What is the module for creating Test Templates and Test plans?

Answer 265

Audit->Audit Testing->Test Templates

Audit->Audit Testing->Test Plans

Question 266

What are the components of an audit Test Plan?

Answer 266

Design Test - steps to test the design.

Operational Test - steps to test operational effectiveness.

Question 267

What is the Control Test lifecycle?

Answer 267

Open, Work In Progress, Review, Closed

Question 268

What happens while a Control Test audit task is Work In Progress?

Answer 268

The effectiveness of the controls are evaluated. When complete, it is set to Review.

Question 269

What happens when a Control Test audit task is in Review?

Answer 269

All auditors on the engagement receive an approval test to review the Control Test task. If any one approves it, then the Control Test task moves to Closed.

Question 270

A Control Test audit task requires only one of the approvers to approve it for it to move from Review to Closed. True of False

Answer 270

True

Question 271

It is possible to skip the approval process for a Control Test audit task by just moving it to Closed. T or F

Answer 271

True

Question 272

Control Effectiveness will be “Effective” if at least one of “Design Effectiveness” or “Operational Effectiveness” is “Effective” for the control. T of F

Answer 272

False. They both must be Effective. If one is ineffective, the control is ineffective.

Question 273

What happens to the related risks when a risk statement is deactivated?

Answer 273

The risks are automatically retired.

Question 274

If a risk is in a retired state, do the indicators still run?

Answer 274

No

Question 275

What happens to the related risks when a risk statement is re-activated?

Answer 275

Risks are set to Draft.

Question 276

What role is required to manually retire a risk?

Answer 276

Risk Manager

Question 277

What is the table name for Risk Statements and Risk Frameworks?

Answer 277

sn_risk_definition and sn_risk_framework

Question 278

What are the table names for Indicators and Indicator Templates and what app are they part of?

Answer 278

sn_grc_indicator and sn_grc_indicator_template

GRC:Profiles

Question 279

What items can be related to a Risk Event? Which are in m2m tables?

Answer 279

Another Risk Event (m2m), Risk Event Task, Event Entry, Risks (m2m), Entity(m2m), Issue, Control (m2m)

Question 280

What is the Script Include if you want to modify the calculations of multiple risks on an entity?

Answer 280

RiskUtils

Question 281

What is the Script Include if you want to add additional calculations to risks?

Answer 281

RiskALECalculator

Question 282

What is the Script Include if you want to change the relationship behavior between a control and a risk?

Answer 282

MitigationControls

Question 283

What is the Script Include if you want to change the states and behaviors of risk mitigations?

Answer 283

RiskResponse

Question 284

What is the Script Include if you want to modify how risks are generated and associated to entities?

Answer 284

RiskGeneratorStrategy

Question 285

What is the Script Include if you want to adjust color and display settings when creating a risk heat map?

Answer 285

RiskHeatMap

Question 286

What SN core table can you use to see all components installed by a particular application/plugin?

Answer 286

sys_metadata

Question 287

What role is used for creating GRC attestations?

Answer 287

Attestation Creator - sn_compliance.attestation_creator

Question 288

What role is used for creating Risk assessments?

Answer 288

Risk Assessment Creator - sn_risk.asmt_creator

Question 289

What role is required to answer a risk assessment?

Answer 289

Risk Analyst (sn_risk.user) I think

Question 290

What role is required to answer a control attestation?

Answer 290

No role required

Question 291

What role is required to create a policy?

Answer 291

Compliance Analyst (sn_compliance.user)

Question 292

What role is required to approve a policy?

Answer 292

Compliance Manager (sn_compliance.manager)

Question 293

What role is required to submit a control for attestation?

Answer 293

Compliance Analyst (sn_compliance.user) I think?

Question 294

What role is required to create an issue within Risk?

Answer 294

Risk Analyst (sn_risk.user)

Question 295

What role is required to create an indicator template within Risk?

Answer 295

Risk Manager (sn_risk.manager)

Question 296

What role is required to create a policy exception?

Answer 296

Risk Analyst (sn_risk.user)

Question 297

What role is required to Retire policies?

Answer 297

Compliance Manager (sn_compliance.manager)

Question 298

What are some considerations that drive your choice of entity types?

Answer 298

Regulations you need to comply with, Who are the people working on risks and controls, How are you managing policies/exceptions/risks today? What areas are audited?

Question 299

What are Entity Classes used for?

Answer 299

Reporting and roll up of risk responsibility.

Question 300

What are the 3 parent tables in GRC:Profiles application/scope that are extended in P&C and Risk?

Answer 300

Document (sn_grc_document), Content (sn_grc_content), Item (sn_grc_item)

Question 301

What tables in P&C and Risk are extended from the Document table?

Answer 301

Risk Framework (sn_risk_framework) , Authority Document (sn_compliance_authority_document), Policy (sn_compliance_policy)

Question 302

What tables in P&C and Risk are extended from the Content table?

Answer 302

Risk Statements (sn_risk_definition), Control Objectives (sn_compliance_policy_statement), Citations (sn_compliance_citation)

Question 303

What tables in P&C and Risk are extended from the Item table?

Answer 303

Risks (sn_risk_risk), Controls (sn_compliance_control)

Question 304

An entity can only be related to a single Entity Class. T or F

Answer 304

True

Question 305

An entity can only be part of a single Entity Type. T or F

Answer 305

False. An entity can belong to 1 or multiple entity types.

Question 306

What is the table name that holds Entity Filters?

Answer 306

sn_grc_enrichment_query

Question 307

What is the name of the m2m table that relates entities and entity types?

Answer 307

sn_grc_m2m_profile_profile_type

Question 308

Indicator and Issue tables are part of what scope?

Answer 308

GRC:Profiles

Question 309

What are 3 GRC tables extended from the Global scope?

Answer 309

Indicator Task is extended from task.
Issue is extended from Planned task,
Acknowledgement Campaign is extended from task.

Question 310

What is baseline frequency for generating entities and deleting invalid entities?

Answer 310

Generating entities happens hourly.

Deleting invalid entities happens daily.

Question 311

What happens if someone requests approval for a policy record and there are no approvers designated?

Answer 311

It goes straight to published.

Question 312

What is the Control Objective lifecycle?

Answer 312

It doesn’t have one. It is managed by the lifecycle of its parent, the policy record.

Question 313

When a control goes to Attest, who receives the attestation?

Answer 313

Control Owner

Question 314

Can Policies be nested?

Answer 314

Yes

Question 315

A control objective can only be related to 1 policy. T or F

Answer 315

False.

Question 316

A control objective can be related to multiple citations. T or F

Answer 316

True. This is what allows you to test once to satisfy many requirements.

Question 317

Can Control objectives be nested?

Answer 317

Yes

Question 318

Can Citatons be nested?

Answer 318

Yes

Question 319

Authority docs and citations are required to use SN GRC. T or F

Answer 319

False

Question 320

Implementing Policy and Compliance, what is a common configuration task?

Answer 320

Updating choice lists for Category, Classification and Type fields on Control Objective table.

Question 321

A policy must be published before you can create a policy acknowledgement campaign. T or F

Answer 321

True

Question 322

Give an example of how you might define/use an indicator.

Answer 322

A policy/citation? is Manage Change Requests. A control is “All change requests must have a back out plan prior to approval.” An indicator could be defined to look at changes that have been approved and the backout plan is empty. If found, the control will be marked non-compliant.

Question 323

Are the knowledge article templates for the GRC Knowledge base stored in the same table as the templates for the other KBs?

Answer 323

No, they are in a different table and they require javascript.