Entities in GRC

  • Release version: Washingtondc
  • Updated February 1, 2024

In Governance, Risk, and Compliance, entities can be people, processes, departments, applications, or objects whose exposure must be managed. Controls are defined on these entities so that their compliance status can be viewed.

To understand entities, consider the following example. Assume you are a new GRC user and want to apply a change management process to all your critical financial systems. Each system can be treated as an individual entity. Map all the systems to an entity class called Financial, and define an entity type whose filter selects only the systems identified as critical.

The primary benefit of creating entities is accountability, because each entity has an owner. Assume that you want to configure all your servers in a new way. After you finish the configuration, you perform an audit and discover that only one server failed to comply with the new configuration. If you had not defined the servers as entities, the entire audit result would have been deemed a failure. Because the entities are defined, only the non-compliant server entity and its identified owner are held accountable, instead of all the servers.

Defining entities ensures that entity owners can be identified and that appropriate controls can be applied to those entities. It also helps in tracking which entities are non-compliant. Any entity that has child entities is said to have downstream entities, and any entity that has parent entities is said to have upstream entities.

After creating entities, you can tag similar entities by defining an entity class for them individually, or you can link them to an existing entity class.

Entity classes

Entity classes add conceptual information about an entity, or tag it. For example, a company has office branches in three cities. Each office space is an entity, and the entity class for these entities is the location. You create an entity class by associating it with an entity tier, as shown in the following example.
Figure 1. Sample configuration for an entity class

Entity class rules

Entity class rules assign classes to entities at the table level: any new entity created over that table gets the entity class automatically, so tagging stays consistent.

When you create an entity over a specific table, the class associated with that table is assigned to the entity automatically. You can set a new entity class rule for a table.

Entity types

An entity type is a grouping of entities based on a filter. Entity types enable you to find and create entities that match a set of filter conditions. A hierarchy can be created within the entity classes.

Entity types also enable you to create risks and controls for each entity quickly. For example, an organization can have multiple departments, such as finance, HR, or IT. All these departments can be considered entities and grouped under an entity type called Departments.

You create an entity type by associating it with a core business pillar, such as Technologies or Facilities, as shown in the following example.
Figure 2. Sample configuration for an entity type

Entity tiers

When you create entity tiers, you apply a level or hierarchy to the entity classes. This level applies to all the entities in those entity classes. Entity tiers enable you to select and view the status of the most critical items in the business, as shown in the following example.
Figure 3. List view for an entity tier
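As an added illustration (not code from the ServiceNow documentation or product), the following Python sketch models the concepts above: entity class rules keyed by source table, an entity type as a filter condition, tiers applied to classes, upstream/downstream links, and the audit scenario in which only the non-compliant server and its owner are flagged. Table names, owners, and attributes are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed entity class rules (table name -> entity class): every entity
# created over that table is tagged with the class automatically.
CLASS_RULES = {"u_financial_system": "Financial", "u_office_space": "Location"}
# Constructed entity tiers: hierarchy level per entity class (1 = most critical).
CLASS_TIERS = {"Financial": 1, "Location": 3}

@dataclass
class Entity:
    name: str
    table: str
    owner: str
    attributes: dict = field(default_factory=dict)
    entity_class: Optional[str] = None
    parent: Optional[str] = None  # upstream entity, if any

def create_entity(name: str, table: str, owner: str,
                  parent: Optional[str] = None, **attributes) -> Entity:
    """Create an entity and apply the class rule defined for its table."""
    return Entity(name, table, owner, attributes, CLASS_RULES.get(table), parent)

def entity_type(entities: list, condition: Callable[[Entity], bool]) -> list:
    """An entity type is the set of entities matching a filter condition."""
    return [e for e in entities if condition(e)]

def tier(e: Entity) -> Optional[int]:
    """Tier is inherited from the entity's class, as the page describes."""
    return CLASS_TIERS.get(e.entity_class)

def downstream(entities: list, name: str) -> list:
    """Child (downstream) entities of the named parent."""
    return [e.name for e in entities if e.parent == name]

def audit(entities: list, control: Callable[[Entity], bool]) -> list:
    """Run one control per entity; only failing entities and their owners are reported."""
    return [(e.name, e.owner) for e in entities if not control(e)]

# Constructed sample entities: three financial systems plus one office branch.
ENTITIES = [
    create_entity("ledger-app", "u_financial_system", "alice", critical=True, hardened=True),
    create_entity("ledger-db", "u_financial_system", "bob", parent="ledger-app", critical=True, hardened=False),
    create_entity("payroll-test", "u_financial_system", "alice", critical=False, hardened=True),
    create_entity("hq-office", "u_office_space", "carol", city="Denver"),
]

CRITICAL_FINANCIAL = entity_type(
    ENTITIES, lambda e: e.entity_class == "Financial" and e.attributes.get("critical", False))

def non_compliant_after_change() -> list:
    """The audit from the page: only the server missing the new configuration is held accountable."""
    return audit(CRITICAL_FINANCIAL, lambda e: e.attributes.get("hardened", False))
```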