About the use cases for control attestations

Ohki_Yamamoto1
Tera Contributor

What are the use cases for control attestations? I am particularly interested in knowing who the actor is for responding to control attestations.

Since control attestations are surveys that collect evidence proving that controls are implemented, I assume that the actors answering them would be each employee, similar to policy acknowledgements. Is this correct?

According to the description of the newly added "GRC employee" user role in Xanadu, it seems they can respond to policy acknowledgements. However, there was no mention of whether they can respond to control attestations, so I am confirming this point.

Community Alums
Not applicable

Hi @Ohki_Yamamoto1 ,

Before we go to Control Attestation, we need to understand what control objectives are and how they boil down to a control.

Let's make one thing simple: a control objective is nothing but a template, and it's the actual control which an Entity should apply to be compliant.

A control objective is an objective, direction, or standard that acts as guidance for company interactions and operations. Control objectives can be categorized, classified, and related to policies.

Now, let's understand by an example:

We have a control objective called "Smoke detector".


Under the related list we have entity type, which is nothing but a bundle or list of entities we get using an entity filter.

Entity type filter used: [screenshot]


Now we need each one of these entities to apply the "Smoke detector" control to be compliant.

So what we do is apply this entity type to the control objective, and the controls get created and associated with each entity associated with the entity type.

Now, each control will follow its lifecycle to get into the monitor state.

Finally, let's understand attestation:

When the control is in the draft state, you mention the attestation and the respondent; in general it's the Entity owner/control owner who takes the attestation to provide evidence of whether the control has been applied or not.

To answer your question, you will need the "sn_grc.business_user" or "sn_grc.business_user_lite" role to take up the attestation, not the "GRC Employee" role.


"GRC Employee role to report or request GRC workflows, and read and acknowledge policies from the Employee Center (Only applicable to customers who are entitled to and have installed the GRC Employee User application)."

Phil Swann
Tera Guru

Hi Ohki.

To try and answer your question, I would say the use case for an attestation typically has three parts:

- Firstly, is this control appropriate, e.g. does it exist, is it right that we have it?

- Secondly, is it implemented and performing? Do we expect it to be in place if we go and dig a bit deeper?

- Thirdly, are YOU willing to take responsibility for it, and remediating any failures?

So, when we trigger an attestation, it will go to the attestation respondent(s) [let us please just assume a single respondent, as I have yet to find a compelling use case for multiple...]. The respondent is going to default to the control owner, who is by default the entity owner.

Of course, we can override each of these. And ownership of controls (and risks), and ownership in general is probably the hardest concept. We have to put someone's name in the frame, and not everyone likes their name being used!

So if you own the system, you own the controls, you respond to the attestation to validate it is in place and working, and you are the person who is going to own that. If not, your response is NO = it's not in place (but it should be), or... possibly N/A, as in... it's not in scope, it doesn't apply, we shouldn't have it, or... I am the wrong person to ask...

Whatever the response on the attestation, the control moves to review and that response will be checked, and you can then decide to move it to monitor if everything is OK (even if non-compliant, you can still monitor it if you know you have ownership to remediate).

If not, you can move back to draft. You can retire, or you can modify the scope, etc.

In terms of evidence, you can use it for that, but it's really a high-level "show me", not a detailed control test or continuous monitoring. I see the use case more about ownership than evidence.

In terms of which roles are available, it depends on your license, as there is also the concept of IRM Operator Lite. Please speak to your account rep to confirm.