My control is exempt - should an issue be created ?
4 weeks ago
I have an exempt control through an active Policy Exception.
So, I know that my Control should remain in a compliant state if a scripted control indicator fails.
I run my scripted indicator which fails.
My control remains compliant, so that's great 🙂
However, an Issue is still created from the indicator failure, and the issue is in the NEW state - therefore requiring work and attention from the issue management team.
Isn't this a mismatch ?
Is this OOB behavior ?
I would like to suppress Issue creation when the control is exempt.
Please can you help with your advice/experience on this subject ?
Colin.
Labels: Policy and Compliance Management
3 weeks ago
Technically we can suppress issue creation, and we have done it for a different business use case. Trust me, this is not a good thing to do, because there are many rules running on this configuration, e.g. when an indicator fails, it creates an issue first, and this issue generation will set the control status to "non compliant".
To your point, when a control is exempted with an active policy exception, all associated attestations will get auto-cancelled (this is ootb), because there is no point in attesting them.
In the same way, when a control is exempted with an active policy exception, you should not be running any indicators against those controls.
Hit Thumb, if it is helpful
3 weeks ago
Thanks Rakesh,
So, a follow on question : which GRC functionality will stop indicators running when the control is exempted ? To my knowledge, in order to achieve that I will need to manually de-activate all indicators which are associated with exempted controls.
So, you don't recommend customizing to NOT produce the issue, during indicator failure, if the control is exempt ?
3 weeks ago
There is no ootb functionality to stop indicators executing when a control is exempted; this is something we have to update as per our requirements. We made changes to run indicators only in monitor state.
Indicators are executed by scheduled job "GRC indicator nightly run" which calls "new IndicatorEngine().runAllIndicators();". This is in script include IndicatorEngine which extends IndicatorEngineBase which runs all indicators
Hit Thumb, if it is helpful
3 weeks ago
@Colin Anderson this is intended OOTB behaviour, as it's intended to show that there are still problems with the exempt control. Customers tackle this in one of two ways: they create an automated flow to deactivate or reactivate the indicators linked to a control when the exempt flag changes, or alternatively they introduce a concept of exempt on the issue itself and add an extra substate and state to capture this.
The more lightweight way is to create a flow to deactivate and reactivate linked indicators for a control when the exemption flag changes. This means you don't need to customise any of the scripts others have mentioned, and it creates a more upgrade-safe way of handling your requirement.
