Eric Feron
Moderator

Compliance Scoring is a game-changing feature that transforms your approach to compliance from a binary "Pass/Fail" system to a refined and nuanced view of your entire organization. The tool relies on the existence of Entities and Controls for each of these Entities.

In this tutorial, Anne Marie Fernandez, Sr. Education Advisor with many hours of GRC instruction, explains Compliance Scoring in very simple terms. As an added bonus, this simple explanation also gives a simple view of Entities: what they are and why you need them.

Video contents

00:01 Introductions

00:51 Why we need to talk about Compliance Scoring

01:47 Refreshers - The GRC maturity model. GRC definitions cheat-sheet (to print and keep).

02:43 Definition of Compliance Scoring. A very powerful feature: a granular view of Compliance in the organization.

03:28 Without Entities no Compliance Scoring: a very blunt and basic view of Compliance with a given Control Objective.

04:14 With Entities, each relevant part of the organization has its own Control; we can measure a "score" AND get a granular view that reveals where the challenges are.

05:21 An example with NIST SP 800-53. Authority, Policy, Control Objective, Entities, Entity Type, Controls. We get a Compliance Score, not a "Pass/Fail".

07:12 The equation.

07:28 The states of the Controls are important: Draft and Retire are excluded from the measurement.

08:20 Not all Entities carry the same weight in the calculation.

08:37 When Controls pass or fail they participate in the calculation. We then get a Compliance Score, and we did not have to wait for the Audit to know this. We also know which Entity requires attention to get to a score of 100%.

09:30 In-product demo. Control Objective, Citation, establish Control owners; scope out the Control Objective, Entity Type, Entities, Controls, Compliance Score, Control Attest phase; Control is not applicable for one Entity; Control not implemented in one Entity: non-compliant, policy exception; Control implemented for 2 Entities; scheduled job: Compliance Score, execute; Control weight by Entity.

19:25 The big insight. Now I know why we need Entities, it all makes perfect sense and it is quite easy.

20:17 What to do right now: review the distribution of ownership to validate the choice of Entities, hold a scoping workshop, review the previous tutorials.

20:51 Conclusion.
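The scoring rules the video walks through from 07:12 to 08:37 (Draft and Retired Controls excluded, a Control marked not applicable for its Entity skipped, each Entity carrying its own weight), as an added Python illustration. This is a constructed, simplified model written for this page, not ServiceNow's formula or code; the state names, result values and sample Entities are assumptions.

```python
from dataclasses import dataclass

# Assumed state names; the video only says Draft and Retire are excluded.
EXCLUDED_STATES = {"draft", "retired"}


@dataclass
class Control:
    entity: str   # the Entity this Control is scoped to
    state: str    # e.g. "draft", "attest", "monitor", "retired" (assumed)
    result: str   # "compliant", "non_compliant" or "not_applicable" (assumed)


def compliance_score(controls, entity_weights):
    """Return (overall score %, {entity: score %}) for one Control Objective.

    Only Controls in a measurable state take part; a Control that is not
    applicable for its Entity is skipped; each Entity contributes its weight
    (default 1.0) so that not all Entities count the same.
    """
    measured = passed = 0.0
    per_entity = {}  # entity -> [weight passed, weight measured]
    for c in controls:
        if c.state.lower() in EXCLUDED_STATES or c.result == "not_applicable":
            continue
        w = entity_weights.get(c.entity, 1.0)
        ok = c.result == "compliant"
        measured += w
        passed += w if ok else 0.0
        e = per_entity.setdefault(c.entity, [0.0, 0.0])
        e[0] += w if ok else 0.0
        e[1] += w
    if measured == 0:
        return None, {}  # nothing measurable yet: no score, not 0%
    breakdown = {k: round(100 * p / m, 1) for k, (p, m) in per_entity.items()}
    return round(100 * passed / measured, 1), breakdown


# Constructed sample: five Entities under one Control Objective.
SAMPLE_CONTROLS = [
    Control("Payroll App", "monitor", "compliant"),
    Control("CRM App", "monitor", "compliant"),
    Control("Data Center EU", "attest", "non_compliant"),   # weight 2.0 below
    Control("Legacy Billing", "monitor", "not_applicable"),  # skipped
    Control("HR Portal", "draft", "non_compliant"),          # Draft: excluded
]
SAMPLE_WEIGHTS = {"Payroll App": 1.0, "CRM App": 1.0, "Data Center EU": 2.0}

if __name__ == "__main__":
    score, breakdown = compliance_score(SAMPLE_CONTROLS, SAMPLE_WEIGHTS)
    print(f"Compliance Score: {score}%  per Entity: {breakdown}")
```

The per-Entity breakdown is what points to the Entity that needs attention to reach 100%; here the heavier-weighted Data Center EU pulls the overall score down to 50%.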

 

To learn more about Controls: https://community.servicenow.com/comm...

To learn more about Entities: https://community.servicenow.com/comm...

To learn how GRC Community experts do Entity Scoping: https://community.servicenow.com/comm...

 

Comments
Community Alums
Not applicable

Great video, thanks for this. 

However, would have been great if you covered the compliance score on an entity level as well, especially when this entity has associated downstream entities via the GRC workbench.

In this case, the Entity compliance score percentage seems to ignore some of the controls shown on the downstream controls related list of the entity but I'm finding it hard to find any documentation on what is actually being considered.

 
Eric Feron
Moderator

Here is an example of an Entity Scoping exercise template (2 images):


Also see the spreadsheet attached.

 
Tasis
Kilo Contributor

Apparently (and surprisingly) downstream entities are not taken into consideration. This is IMHO a much missing feature in GRC. Please see the link below regarding the proposed idea, you could support it as well - just to add more weight.

https://community.servicenow.com/community?id=view_idea&sysparm_idea_id=25e65abddba444100be6a345ca9619db&sysparm_idea_table=x_snc_com_ideation_idea&sysparm_module_id=enhancement_requests

Last update: 06-04-2020 05:31 PM