Create a control objective
A control objective is an objective, direction, or standard that acts as guidance for company interactions and operations. Control objectives can be categorized, classified, and related to policies.
Before you begin
Role required: sn_compliance.admin, sn_compliance.manager, sn_compliance.user
About this task
To understand the difference between a control objective and a control, see Structural overview of Policy and Compliance Management.
Procedure
- Navigate to All > Policy and Compliance > Control Objectives.
- Click New.
- On the form, fill in the fields.
Table 1. Control Objectives form

Name: Name of the control objective.

Source: Source of the control objective. For example, if the control objective is from a third-party provider, indicate which one.

Source ID: Unique identification number used by the source to catalog this control objective.

Reference: Unique numerical identifier.

Parent: Control objective that is not a child of the current control objective. This restriction avoids a cyclic parent-child relationship.

Compliance Score Percentage: Compliance score percentage calculated for this control objective and its color code:
  - 80 and higher in green
  - 80 to 50 in yellow
  - below 50 in red

Active: Option that indicates whether a control objective is active.

Creates controls automatically: Option that indicates that controls are automatically created from the control objective. Note: Select this option if the control objective can also serve as the control.

Category: List of options:
  - Acquisition or sale of facilities, technology, and services
  - Audits and risk management
  - Compliance and Governance Manual of Style
  - Human Resources management
  - Leadership and high-level objectives
  - Monitoring and measurement
  - Operational management
  - Physical and environmental protection
  - Privacy protection for information and data
  - Records management
  - System hardening through configuration management
  - Systems continuity
  - Systems design, build, and implementation
  - Technical security
  - Third Party and supply chain oversight
  - Root
  - Deprecated

Classification: List of options:
  - Preventive
  - Corrective
  - Detective

Type: List of options:
  - Acquisition/Sale of Assets or Services
  - Actionable Reports or Measurements
  - Audits and Risk Management
  - Behavior
  - Business Processes
  - Communicate
  - Configuration
  - Data and Information Management
  - Duplicate
  - Establish Roles
  - Establish/Maintain Documentation
  - Human Resources Management
  - Investigate
  - IT Impact Zone
  - Log Management
  - Maintenance
  - Monitor and Evaluate Occurrences
  - Physical and Environmental Protection
  - Process or Activity
  - Records Management
  - Systems Continuity
  - Systems Design, Build, and Implementation
  - Technical Security
  - Testing
  - Training

Attestation: List of options. GRC Attestation is chosen by default. Note: If the user changes the control attestation, the related control objective attestation type also changes.

Issue group rule: Group rule assigned to this control objective.

Description: Description of the control objective.

- Click Submit.
The control objective is created and all related lists are visible.
- A control is created for every control objective when a policy is associated with an entity.
- The control attributes default to the same attributes as the related control objective.
What to do next
If you are implementing the Policy and Compliance Management software, return to the Policy and Compliance Management setup checklist and proceed to the next step.