Relation between "sn_compliance_control" Control and RAM with "sn_risk_advanced_control_assessment"
11-14-2024 01:55 PM
Hello.
I'm fresh in GRC and do not understand this. Can anyone kindly please explain a relation to me?
(1)
What is the relation between: Controls created in "sn_compliance_control"
I understand it has a lifecycle:
And it can be compliant or not:
A person opens it and does ATTEST.
(2)
Then I have the RAM configuration where I can set "Control effectiveness"
Is it something related to the control I created in point (1)?
I'm adding an Assessment Type named "Control Assessment":
And I put a Factor (manual or group)
But is there any calculation of a Control I created in "sn_compliance_control"?
I see I can choose this:
But what are those Factors?
I really do not understand this.
Kindly please explain 🙂
11-17-2024 09:36 PM
Hi Don,
While you are configuring the RAM, you can specify that, as part of the assessment, the assessor can assess the control effectiveness. If you configure this, then during the risk assessment, once the previous assessment type is completed (mostly the inherent risk assessment), the assessor will mark the effectiveness of the control related to the risk.
Let's take an example: we have a control called 'Multi-factor authentication (MFA) for accessing sensitive data.' assigned to the IT Security Department. The Risk Team creates a risk record 'Data breach due to unauthorized access' and assigns it to one of the assessors to assess the risk. They have to:
1. Assess the inherent risk (evaluating the risk before any controls are applied; it considers the likelihood and impact of the risk occurring in its natural state).
2. Evaluate the effectiveness of existing controls in mitigating the identified risk (controls are evaluated to determine how well they reduce the likelihood or impact of the risk).
3. Evaluate the risk remaining after controls have been applied; it considers the adjusted likelihood and impact after control measures are in place.
In this example, the second activity is where the control effectiveness is evaluated. Once the assessor moves to that assessment, all the controls belonging to the entity (of the risk) will be shown. They have to select the controls that are applicable for this risk and select the qualitative value (effective, not effective, adequate, etc.).
The configuration settings you have shown in the image decide how the effectiveness is calculated (individually select an effectiveness value for each control, or one for the whole).
Hope this explanation answers your doubt,
11-17-2024 09:39 PM
Hi @Don Dom
1. First, let's understand the purpose of controls: controls are created to mitigate risk. This can be achieved by mapping control objectives to risk statements or a risk framework, which maps controls to risk automatically when generated, or by mapping mitigating controls to risk.
2. Now let's understand the impact of controls on the risk score, starting with definitions:
- Inherent risk score: the level of risk before any actions are taken to mitigate or control it.
- Residual risk score: the level of risk after mitigating controls are applied.
So now you understand: controls directly impact the risk score (residual risk score).
3. Advanced risk RAM configuration
Anyhow, control assessment is optional in the risk assessment lifecycle, but it is important to validate the effectiveness of controls on the risk because, as you already know, it impacts the risk score. There are 2 options available in the RAM configuration for control assessment:
- Control Environment Assessment
  - When I don't have well-defined controls created or mapped to risk, this option is recommended; the assessor will give scores based on the overall controls in the system.
  - Here I just need to give an answer for the overall control design.
- Individual Assessment of controls
  - When controls are very well established and they are mapped to risk, the assessor can assess based on the individual controls mapped to that specific risk (risk mitigating controls).
  - Here you need to give an answer for each individual control mapped to the risk, so you need to create factors to calculate the overall effectiveness of the individual controls mapped to the risk.
All the controls mapped against this risk will be visible on the control assessment form along with the control status (compliant / non-compliant); screenshot attached for reference.
Factors are the questions you want to ask assessors about control design effectiveness, for the whole control environment or for individual controls, defined in sn_risk_advanced_manual_factor (Manual) or sn_risk_advanced_automated_query_factor (Automated).
Mark it helpful and Accept Solution!! If this helps you to understand
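As an added illustration (not the platform's code and not either answer's), here is a plain JavaScript model of the three-step flow both answers describe: inherent score, then control effectiveness either as one environment-wide rating or aggregated from per-control manual factors, then residual. The rating-to-number mapping, the 1-5 scales, the averaging and the rule that a non-compliant control contributes nothing are assumptions for illustration, not ServiceNow's actual RAM calculation.

```javascript
// Assumed model constructed for this thread; not the platform's own RAM calculation.
// Qualitative ratings named in the answers, mapped to an assumed numeric share.
const EFFECTIVENESS = { 'effective': 1.0, 'adequate': 0.6, 'not effective': 0.0 };

// Step 1: inherent risk, assumed as likelihood x impact on a 1-5 scale.
function inherentScore(likelihood, impact) {
  return likelihood * impact;
}

// Step 2a: Control Environment Assessment: one overall rating for all controls.
function environmentEffectiveness(rating) {
  if (!(rating in EFFECTIVENESS)) throw new Error('unknown rating: ' + rating);
  return EFFECTIVENESS[rating];
}

// Step 2b: Individual Assessment: each applicable mapped control is rated per manual
// factor; a control's value is the mean of its factor ratings, a control whose status
// is not 'compliant' contributes 0 (assumed rule), and the overall value is the mean
// over the applicable controls.
function individualEffectiveness(controls) {
  const applicable = controls.filter((c) => c.applicable);
  if (applicable.length === 0) return 0;
  let total = 0;
  for (const c of applicable) {
    if (c.status !== 'compliant' || c.factors.length === 0) continue;
    const scores = c.factors.map((f) => environmentEffectiveness(f.rating));
    total += scores.reduce((a, b) => a + b, 0) / scores.length;
  }
  return total / applicable.length;
}

// Step 3: residual risk = inherent reduced by the effectiveness share (assumed formula).
function residualScore(inherent, effectiveness) {
  return Math.round(inherent * (1 - effectiveness) * 100) / 100;
}

// Constructed sample: the thread's MFA control plus two more, mapped to the
// 'Data breach due to unauthorized access' risk.
const sampleControls = [
  { name: 'MFA for accessing sensitive data', applicable: true, status: 'compliant',
    factors: [{ q: 'Is MFA enforced for all access to sensitive data?', rating: 'effective' },
              { q: 'Are MFA exceptions reviewed?', rating: 'adequate' }] },
  { name: 'Quarterly access review', applicable: true, status: 'non compliant',
    factors: [{ q: 'Was the last review completed on time?', rating: 'effective' }] },
  { name: 'Physical badge access', applicable: false, status: 'compliant', factors: [] },
];

function runSample() {
  const inherent = inherentScore(4, 5);                 // 20
  const eff = individualEffectiveness(sampleControls);  // (0.8 + 0) / 2 = 0.4
  return { inherent, effectiveness: eff, residual: residualScore(inherent, eff) }; // 12
}
```

Switching the sample to the environment-wide option is one call: `residualScore(inherentScore(4, 5), environmentEffectiveness('adequate'))`.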