Issues and Remediation task explanation for GRC.

kaushlendra
Giga Contributor

I have 2 questions:

1) What is the role of the priority field in the issue form, and what is its impact on other modules?

2) What is the purpose of the Remediation Task in the Issues module, and how does it affect an issue record?

 

Thanks,

 

1 ACCEPTED SOLUTION

Uncle Rob
Kilo Patron

Priority is a field that's available for any and all Task types (issues and remediations are both task types).

The role of the priority field is to give a sense of relative importance among other issues.  Rather than read all issues every time to figure out which to deal with next, you start with highest priority and work down.

The purpose of a remediation is to gauge the work involved in resolving an issue. Since one Issue may require multiple remediations from different parties, they're a separately assignable task with the issue as the parent.

Community Alums
Not applicable

@Robert Fedoruk is right on everything.

1) The priority is a standard field that comes from the task table. It is used to filter out the priority ones, by ordering by priority, etc. A very common operation on task records.

2) Before going further, let's understand what an issue is, what triggers them and their lifecycle.

What is an issue?

  • Is a task (grc_task) that allows users to document Control or Risk issues and track the response to remediate or accept the issue.
  • Any GRC user (compliance, risk or audit user) can create an issue, and issues are related to profiles, control objectives, risk statements, controls or risks.

An issue can come from:

  • Indicator Results, if the result indicates failed or not passed.
  • Attestations, if the attestation returns the result "not implemented".
  • Control Tests, if control effectiveness is ineffective and the state of the test is closed.
  • Created manually by any manager, admin or audit user.
  • Continuous Monitoring, through configuration test scanning results.

Let's talk about the lifecycle now.

  • The issue can be in the states New, Analyse, Respond, Review and Closed.

    Issues are initially created in state "New", and (again) any GRC user can move the issue to the Analyse state.

  • When the issue is in state Analyse, the assigned person has the responsibility to identify the root cause and add additional information.

  • After being analysed, the issue should be moved to Response. Again, any GRC user can move the issue to the Response state. In this state, a response is requested to make the decision to remediate or accept the issue.
    • Remediate
      A choice to fix the underlying issue causing the Control failure or Risk exposure. This can also be used to document remediation tasks for observations during audits.
    • Accept
      A choice to create an exception for a known Control failure and Risk. Accepting a Control issue will cause the Control status to remain non-compliant until the Control is reassessed. This can also be used to document exceptions for observations during audits. When you accept, the issue is reported as an exception.

  • Once the issue has been remediated or accepted, it can be reviewed by the managers.
  • After review, issues are Closed.

For expeditious handling, issues can be grouped manually or automatically to optimize the remediation activity. 


Hope this helps answer your question.
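As an added illustration (not code from the thread, and not ServiceNow's GlideRecord API), here is a plain-JavaScript model of the two points both replies make: priority as a field every task carries and uses to order a worklist, and remediation tasks as separately assignable child tasks created from the Respond decision, following the lifecycle states listed above. Only the names grc_task, priority, state and parent come from the thread; every other name, the 1 = highest priority scale, and the sample issues are assumptions constructed for the example.

```javascript
// Added example: simplified model of GRC issues and remediation tasks.
// Not ServiceNow code; grc_task, priority, state and parent come from the
// thread, everything else is assumed.

// Lifecycle states in the order the answer lists them.
const STATES = ["New", "Analyse", "Respond", "Review", "Closed"];
let nextSysId = 1;

// Every record is a task, so priority exists on issues and remediation tasks
// alike. Assumed scale: 1 = highest, 5 = lowest (ServiceNow's default task scale).
function createTask(kind, fields) {
  return Object.assign(
    { sys_id: String(nextSysId++), kind: kind, priority: 3, state: "New", parent: null },
    fields
  );
}

function createIssue(shortDescription, priority) {
  return createTask("issue", {
    table: "grc_task",
    short_description: shortDescription,
    priority: priority,
    response: null,     // set by respond(): "remediate" or "accept"
    remediations: []    // child remediation tasks
  });
}

// Issues move strictly along New -> Analyse -> Respond -> Review -> Closed.
// Leaving Respond requires that a remediate/accept decision was recorded.
function advance(issue) {
  const i = STATES.indexOf(issue.state);
  if (i === STATES.length - 1) throw new Error("issue already Closed");
  if (STATES[i] === "Respond" && issue.response === null) {
    throw new Error("record a remediate/accept response before leaving Respond");
  }
  issue.state = STATES[i + 1];
  return issue.state;
}

// Respond-state decision. "remediate" opens one child task per piece of work,
// each assignable on its own, with the issue as parent. "accept" records an
// exception; the related control stays non-compliant until it is reassessed.
function respond(issue, decision, workItems) {
  if (issue.state !== "Respond") throw new Error("response only allowed in Respond state");
  if (decision === "remediate") {
    workItems.forEach(function (w) {
      issue.remediations.push(createTask("remediation", {
        parent: issue.sys_id,
        short_description: w.description,
        assigned_to: w.assignedTo
      }));
    });
  } else if (decision === "accept") {
    issue.exception = true;
    issue.control_status = "non-compliant until reassessed";
  } else {
    throw new Error("unknown decision: " + decision);
  }
  issue.response = decision;
  return issue;
}

// Worklist: open issues ordered by priority, so the next one to pick up is on top.
function worklist(issues) {
  return issues
    .filter(function (i) { return i.state !== "Closed"; })
    .slice()
    .sort(function (a, b) { return a.priority - b.priority; })
    .map(function (i) { return i.sys_id; });
}

// Constructed walkthrough with three sample issues.
function demo() {
  const access = createIssue("Access review control failed", 2);
  const backup = createIssue("Backup test not performed", 4);
  const policy = createIssue("Policy attestation not implemented", 1);

  advance(access);   // Analyse: root cause and extra information added here
  advance(access);   // Respond
  respond(access, "remediate", [
    { description: "Re-run access review", assignedTo: "app.owner" },
    { description: "Fix recertification workflow", assignedTo: "iam.team" }
  ]);
  advance(access);   // Review
  advance(access);   // Closed

  advance(backup);
  advance(backup);
  respond(backup, "accept", []);   // exception; stays in Respond for now

  return { access: access, backup: backup, policy: policy, queue: worklist([access, backup, policy]) };
}
```

Running `demo()` closes the remediated issue, leaves the accepted one and the untouched one open, and returns a worklist with the priority-1 issue first; attempting `advance()` on an issue in Respond with no recorded decision throws.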