Pre-requisites to enable smart assessment in Policy and Compliance Management

Smart assessment scoped applications

The base system ships the GRC smart assessment template to the users when the GRC: Policy and Compliance Management (sn_compliance) plugin is installed. However, the following scoped applications are required:

1. Smart Assessment core (sn_smart_asmt)
2. Smart assessment Migration tools (sn_smart_asmt_mig). For more information, see Migrate a legacy metric type to an assessment template
3. Smart Assessment Connected (sn_smart_asmt_conn)
4. Smart Assessment Designer (sn_smart_asmt_desg). For more information, see Using the template designer

Enable smart assessments system property

The Enable smart assessments on control system property must be set to true if you want to assess the controls using the assessment method based on GRC attestation template. For more information on the system property, see Enable smart assessments on control.

Migrate the template

Create a new template in Smart Assessment Engine. For more information, see Creating an assessment template from legacy assessment metric types.

Access control limitations for smart assessment user roles

sn_grc.business_user and sn_grc.business_user_lite

As logged in users they can respond to attestations in My Attestations on the Task page of Compliance Workspace, Risk Portal, and Employee Center.

sn_compliance_ws.corporate_compliance_manager and sn_compliance_ws.it_compliance_manager

Can view and edit the templates.

sn_compliance.attestation_creator

Can create template category and template migration.

sn_compliance.user

Can read all the assessments related to control category.

Assessment template category and migration tables

Assessment template categories [sn_smart_asmt_template_category]

The Category role field has the configuration of the minimum reader role required to read the template of this category. The role must contain sn_smart_asmt.template_reader role.

Assessment template migrations [sn_smart_asmt_mig_template_migration]

Used to migrate the existing source metric type and template category to the new assessment template format.

Impact of attestation method on control objective and control generation

When the Enable smart assessments on control system property is set to true and the Control objective record has the value Attestation in the Attestation method field, then all the controls that are generated for this control objective record after attestation has values defaulted from the control objective. The Attestation method field value defaults to Attestation.

• If the control objective is associated with the control, then the generated control inherits the Attestation method and Attestation field values.
• If a control is created from a control objective, the Attestation method and the Attestation fields are pre-populated, if the control objective has values in these fields.
  Nota:

  The controls are automatically created if the Create controls automatically option is enabled for the control objective.

  The Attestation method field is read only. However, you can edit the Attestation field and select a different template for attestation. Any changes done to the control objective are automatically updated in the associated controls.

• After the control is saved and attested, the Attestations related list appears in the Control record. This related list displays all Assessment instances that are in Open and Completed states.

  If the assessment method is changed from Classic attestation to Attestation in the control objective record, then the changes are reflected in all the control records generated for the control objective. Up until the control moves to the Attest state, the Attestation method and Attestation field values can be updated.

• If the control was previously generated opting the classic attestation method, then the Classic attestation related list has the details of all completed attestations.
• If the control is moved to the Draft state by selecting the Return to Draft button, all the assessments that were active are canceled. Similarly, if the control retires, all related assessments are canceled as well.
• If the control is marked Exempt owing to a policy exception, all the associated assessments are canceled. However, if the Exempt option is cleared for the control and if the control is in the Attest state, then the assessments are re-triggered. And, all the fields in the Attestation section of the control becomes read only.
• If a policy is associated to the control objective, and the policy is published, then all the fields of the control objective form become read only.
• When the control moves to the Attest state, the assessments are triggered. An email notification is sent to the control owner and the attestation respondents of the control, with the subject line referencing the new attestation name of the control number and the due date by which the attestation must be completed.
• If an attestation fails for one of the controls generated from a control objective, then the control becomes non-compliant and an issue is created. Or, if the control has an issue that already exists, then the Issue source field is updated. If the control moves to the Attest state and if the attestation passes, then the existing issues are closed, and the control becomes compliant.