
‎12-26-2022 09:16 AM
Hi,
I was wondering if anyone knows what the difference is between creating a hierarchy of Policies (one parent Policy with one or more child Policies) and a hierarchy of Control Objectives (one parent Control Objective with one or more child Control Objectives).
Any examples of when to use one or the other?
I could not figure out a big difference, considering that the compliance score always rolls up to the highest level.
Thanks!

‎12-26-2022 08:37 PM
Hi @Bruno Miyabara ,
The hierarchy allows you to have statements related to multiple policies so that you can have relative control compliance status speak for more than just one policy. Similarly, if you're complying with regulatory initiatives (authoritative docs), you can link policy statements to citations that may be related to one or several authoritative docs. In both cases, this allows you to test once, comply many... harmonization, universe, etc.
EntityTypes are normally linked to Policy Statements, not Policies, due to the level of granularity one would lose if against a high-level Policy.
Controls are linked to Policy Statements and produced when a Profile Type is applied at some level in this Policy > Policy Statement hierarchy. The Profiles then automatically generate Controls (assuming the "Creates Controls Automatically" box is ticked in the Policy Statements).
The idea behind Policy Hierarchies is to allow organisations to build and link their Policies together to represent their Policy Universe.
