Automated factors? sn_compliance_control?

Don Dom · ‎11-14-2024

Hello

Any one got some nice explanation how does Automated Factors work - practical ?

All trainings are only about manual. I'm running my tail to understand this.

Customer is asking:

If we have an automated factor on a RAM and the factor looks at changes, does the end user need to initiate the RAM again to update the scoring OR does the scoring automatically update based on the factor ?

So for example: If I have a RAM that check controls effectiveness, if the underlying control changes to ineffective does that update the associated risks scoring or does the end user need to run a new RAM?

How I can add control from I guess "sn_compliance_control" in to RAM? I do not see any option like this.

Kindly please explain to me.

Thank you in advance.

Phil Swann · ‎11-15-2024

automated factors run on a daily schedule, so its not realtime but it is automated

controls ARE visible in the RAM, during control effectiveness if you are assessing individual control effectiveness (not environment) , and this is based on the relationship between risk to control. if you already have them mapped, or if you map them via the RAM.

but the factor is based on producing an effectiveness score and the compliant status is only one element. even if a control is compliant does not mean it is effectively reducing the risk being assessed, or how much.

Don Dom · ‎11-15-2024

Phil please advise.

Do you know if there's a scheduled check that looks at that factor when the RAM is already completed?
RAM assessment is always manual? If factors changes RAM must be run manually again by real user?