What determines the STATUS of a control in GRC?

juliesutton · ‎09-03-2020

I have a policy with an associated control objective, control, indicator template and indicator. The indicator shows passing as the last result. What changes the status of the control itself? It shows non-compliant? Is that tied to the attestation?

Thanks,

Julie Sutton

SanjivMeher · ‎09-04-2020

The Control Status is dependent on both Indicator task result as well as attestation result.

So if the attestation was failed, control becomes non-compliant

Or if the indicator task failed, control becomes non-compliant.

In any case an issue is created. So you should check, if there is an issue still open.

Even if the last indicator task was passed, there could be an old indicator task, which was failed and its corresponding issue is still open, which is keeping the control non-compliant.

Please mark this response as correct or helpful if it assisted you with your question.

View solution in original post

juliesutton · ‎09-03-2020

Does that mean OOB that the status should change based on the indicator results?

sachin_namjoshi · ‎09-03-2020

You can use UI actions based on your control objects to update control status.

Regards,

Sachin

Dexter Parre_o · ‎09-03-2020

Hi Julie,

The following makes a control non-compliant:

When the attestation result is Not Implemented, which will create an issue
If an indicator result for that control is Failed or Not Passed, which will create an issue
If there is an existing control test (tied to the control) in Closed Complete state and the Control Effectiveness is Ineffective, which will create an issue
If an issue has been manually created regarding that control
If you have some continuous monitoring processes that automatically create an issue due to the control being non-compliant or not effective

It could be that the control has a non-resolved issue which is why it is still non-compliant even though the indicator's last result is Passed. Try to check the Issues tab in the control form.

Regards,

Dexter

Phil Swann · ‎09-04-2020

Further to Dexter's very detailed account, just be aware of the recent enhancements to Issue Source!

You need to take into account the full scope of issues which may exist on a control; and what their sources are. the Issue API will try and ensure that existing issues are re-used to avoid generation of multiple issues, so the sources field will be used to 'stack' the various failures.

It will never close an ad-hoc issue automatically, except by Control Test effectiveness from Audit. Control Tests will reign supreme, so a successful control test can close all other open issues.

There is a property which handles whether to close indicator failures automatically.

But generally speaking if a Control fails attestation, the source of the newly generated issue will be attestation failure. When the attestation passes, it will close the issue and set control to compliant.

If in the meantime, an indicator fails, the source will be updated. If while the indicators are failing, the attestation passes, the source of attestation fail will be removed but it will still be noncompliant while the indicator is taken care of!!

juliesutton · ‎09-04-2020

I've checked everything I can think of. There are no issues, the indicator is passing, the CO is in Monitor state. We did skip the attestation, so maybe that's it?

What is the script that updates the status? We are OOB with the scripts (I've added only a field to the table for tracking purposes).

This is a manual indicator, does that matter? The indicator task is closed and the indicator result shows passing.