Operational changes in item generation of common controls

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Operational Changes in Item Generation of Common Controls

    The operational changes in item generation for common controls focus on how controls are created and associated with entities within the Governance, Risk, and Compliance (GRC) framework. Key considerations include prioritizing the association of reliant entities over creating new controls to prevent control explosion.

    Show full answer Show less

    Key Features

    • Control Creation: Utilize existing controls for testing before creating new ones. If necessary, select 'Common' in the Control form and use the 'Convert to common' action, ensuring a control objective is chosen.
    • Reliant Entity Association: Use the Reliant entities related list to manage associations, and the Inherit common controls UI action to group controls based on control objectives.
    • No Auto-Generation: Common controls are not auto-generated; matching is required for control names, entities, and control objectives for associations.
    • New Action Types: Added actions streamline the association and removal of entities from common controls and manage risks related to those controls.

    Key Outcomes

    These changes enable users to effectively manage and utilize common controls, reduce unnecessary control creation, and ensure that risks are accurately associated with controls. By following the revised item generation process, customers can maintain a streamlined GRC system that enhances compliance and governance practices.

    Operational changes are made in item generation mainly because item generation either creates a control or activates an existing standard control. When it comes to associating a control to an entity, then associating a reliant entity to a common control takes precedence over creating a control for that entity.

    Creation of controls

    If the existing controls in your system can be used for testing entities, then you can take advantage of the existing data and avoid creating controls. Having many controls can lead to control explosion. If that is not feasible, then you can associate a primary entity with a common control, test the common control, and implement the test results on the reliant entities of the common control. If both these options don’t work, then you can create a control.

    To create a common control, select Common in the Function field of the Control form. Select the Convert to common list UI action. A common control is created upon validation. It’s mandatory that you select a control objective before you convert a standard control to common control.

    Association of reliant entities to common control

    1. Use the Reliant entities related list in the Control form to add individual entities to the common control. You can also remove the reliant entities using the Remove button.
    2. Use Reliant entity types related list in the Control form to add entity types to the common control. You can also remove the reliant entity types using the Remove button.
    3. Use the Inherit common controls UI action in the Controls related list of the Risk form to select common controls grouped by control objectives.
    Note:
    For more information on reliant entity associations for a common control, see Create a control using the Compliance Workspace and Convert standard control to common control and add reliant entities.

    Item generation – Assumptions

    • There’s no auto-generation of common controls.
    • When the existence of common controls or associations of reliant entities to common control or standard controls are checked, the control’s name, entity, and control objective must match.
    • Order of precedence between standard and common controls:
      • If reliant association and standard control do not exist, then based on the action type, a standard control is created. Action types, for example can be Add content to entity type, Add document to entity type, Activate content, Activate document.
      • If reliant association and standard control do not exist, then based on the action type a reliant association to common control is created. Action type can be Add entity type to common control.
      • If the user's intent is not clear from the action type and a standard control does not already exist, then in conflicting entity type, the preference is to associate the reliant entity to the common control over creation of a standard control. Action type, for example can be Add entity to entity type.

    Item generation changes

    Table 1. New action types in the generation of items
    Item generation action type Description
    Add entity type to common control If the entity is not associated with the common item, then the application associates the entity with the common item by creating an m2m association between the two.
    Remove entity type from common control If the entity is associated with the common item, and the Entity types field has other entity types or Individually_added is true in the m2m record, then the application removes the Entity type ID from the Entity types column or deletes the entity to common item m2m record.
    Add entity to item If Risk Management is installed, based on the risk statement associated to the control objective, the risk to common control m2m records are added in the Control to Entity m2m table after considering the reliant entities.
    Remove entity from item
    • If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are deleted in consideration of the reliant entities.
    • If Privacy Management is installed, then the Processing Activity to common control m2m association based on its reliant entity and also the Processing Activity to control objective m2m association are removed.
    Activate entity to item If Risk Management is installed, based on the risk statement associated to the control objective, risk to common control m2m records are added in the Control to Entity m2m table in consideration of its reliant entities.
    Deactivate entity to item
    • If Risk Management is installed, based on the risk statement associated to the control objective, then the risk to common control m2m records are deleted after considering the control's reliant entities.
    • If Privacy Management is installed and the Processing Activity corresponds to a reliant entity, then the Processing Activity to common control m2m association and also the Processing Activity to control objective m2m association are removed.
    Activate item A common item is added:
    1. When no standard control exists with the same name, content (control and control objective), and entity combination.
    2. If the entity is not reliant on any other common item with the same name, content, and entity.
    3. When the entity is active.
    A standard item is added:
    1. Risk Management and Policy and Compliance Management plugins are installed
    2. Based on the risk statement and control objective association, risks are associated to controls.
    Deactivate item
    • Common item: Deactivates all Control to Entity m2m records.
    • Standard item: Deletes risks to control associations based on the Risk statement and Control objective associations.