GRC or Governance Risk & Compliance
GRC is the methodology created to manage the strict and complex regulatory and industry requirements that apply across corporate environments.
Authority Documents
The regulations, certifications, frameworks, standards, and best practices that an organization chooses, or is required, to adhere to. Authority documents are related to controls, risks, and policies. IT audits typically rely on the authority documents downloaded from the Unified Compliance Framework (UCF) published by Network Frontiers.
Citations
Citations are records of the specific requirements cited by an authority document. A citation record relates an authority document to its applicable controls.
Policies
The policy record type covers policies, standards, and procedures. Policies are related to authority documents and control records. Publishing and version control of policies are managed using document and knowledge management capabilities. ServiceNow workflows ensure that all policy changes are routed to the appropriate work owners for final approval. All approved organizational policies are published in the ServiceNow knowledge base and can be made available for search and reference.
Risks
A risk is any threat or vulnerability that could adversely affect your organization's business objectives. All risks are contained in one risk repository. Risks can be related to any item, including policies, controls, and remediation tasks. Risks requiring immediate or ongoing attention can be mitigated, prevented, or controlled using the defined controls and their related control tests.
Controls
Controls are the rules or processes that assure the achievement of an organization's objectives in compliance with laws, regulations, and policies. An example of an IT identity and access management control might be that complex passwords with a minimum of eight characters are required for all applications. Control records include the basic required information about the control (owner, activity, frequency, etc.). Controls can be related to authority document contents, policies, and risks.
Control Framework
The control framework is a single consolidated set of controls that performs and preserves the cross-mapping of controls, which is critical for audits. COBIT, NIST, COSO, and ISO are examples of control frameworks.
Audit
An audit is a coordinated event in which the organization identifies all of the controls it wants to test at one time and assigns responsibility for the overall audit to a single person or group. A single task manages the testing of all of those controls. Audits are related to controls and control tests.
Audit Activities
An audit activity is one of the tasks within an audit; each activity is assigned to an individual who executes that part of the audit.
Audit Observations
Audit observations are used by internal auditors to identify control gaps or new risks. Audit observations are related to control gaps and risks.
Remediation
Remediation tasks are created automatically when a control test fails or when an audit observation is recorded. A remediation task includes information about the control test instance and is typically assigned to a remediation group or to the control owner. Remediations are related to controls, control test failures, and control test instances.
Domain separation in Governance, Risk, and Compliance (GRC)
This is an overview of domain separation in Governance, Risk, and Compliance. Domain separation lets you separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data in each domain.
Vendor Risk Management
Vendor Risk Management provides a centralized process for managing your organization's vendor portfolio and for completing the vendor assessment and remediation lifecycle, which determines the inherent and residual risk presented by a vendor in each control domain.