Integrate with Governance, Risk, and Compliance to identify application risks and controls
Application Portfolio Management (APM) integrates with Governance, Risk, and Compliance (GRC) to help identify and assess risks on business applications.
Before you begin
Role required: admin
About this task
Using the GRC application, you can analyze the risks associated with assets such as hardware, software, and business applications. You can also identify and test the controls associated with those risks, and review the audits that were conducted on those assets. This analysis helps application owners understand the risk of a business application effectively.
The application owner can identify significant risks and compliance issues that the business applications are exposed to, without having to engage an external auditing system and run the applications through an auditing process.
Activate the following plugins to integrate APM with GRC.
Procedure
What to do next
Create an entity referencing the business application. Attach the entity to an audit.
Create an entity for audit referencing business application
Create an entity with reference to the business application table and its specific application record. Use the entity to scope risk exposure and perform risk assessments on business applications.
Before you begin
Role required: sn_audit.admin or sn_audit.manager
About this task
GRC uses the term entity instead of profile. An entity can be anything that can be audited, such as a database, a server, or a business application.
Procedure
Associate a risk to the entity
Attach the entity to a risk and create a risk record. Assess and identify risks that can adversely affect your business applications.
Before you begin
Role required: sn_risk.admin and sn_risk.manager
Procedure
Add business application entity to an engagement
The entities are assessed and evaluated for an audit engagement. The entities that are scoped for the audit engagement and validated are then associated with an audit.
Before you begin
Role required: sn_audit.manager or sn_audit.admin
To add a business application entity to an engagement, you must already have created an entity that references the business application in the Entity field of the Entity form. See: Create an entity for audit referencing business application.
Procedure
Add a control to the business application entity
Associate a control with a business application entity that might be at risk. Setting effective controls on business applications is mandatory to mitigate risks and protect your business. As you upgrade your business applications, you can replace outdated controls.
Before you begin
Role required: admin
You must have created an entity before associating a control with it. Controls are created in GRC.
Procedure
- The entity that you select from the Controls [sn_compliance_control] table must be a business application, and the entity Class of the record must be application.
- A control record can be in the Draft or Retired state. However, controls in those states are not visible in Application Portfolio Management and cannot be associated with a business application there.
View Governance, Risk, and Compliance risks and engagements for business application
As an application owner, you can view the risks that a business application is exposed to. Governance, Risk, and Compliance (GRC) audits the business application entity, and the audited risks and engagements are captured as scripted related lists on the business application form.
Before you begin
Role required: sn_apm.apm_user, sn_apm.business_stakeholder_apm_user