Integrate with Governance, Risk, and Compliance to identify application risks and controls
Enterprise Architecture (formerly Application Portfolio Management) integrates with Governance, Risk, and Compliance (GRC) to help identify and assess risks on business applications.
Before you begin
Role required: admin
About this task
Using the GRC application, you can analyze the risks associated with assets such as hardware, software, and business applications. You can also identify and test the controls associated with those risks and review the audits that were conducted on those assets. This analysis helps application owners understand the risk of a business application effectively.
The application owner can identify significant risks and compliance issues that the business applications are exposed to, without having to engage an external auditing system and run the applications through the auditing process.
Activate the following plugins to integrate Enterprise Architecture with GRC.
Procedure
What to do next
Create an entity referencing the business application. Attach the entity to an audit.
Create an entity for audit referencing business application
Create an entity with reference to the business application table and its specific application record. Use the entity to scope risk exposure and perform risk assessments on business applications.
Before you begin
Role required: sn_audit.admin or sn_audit.manager
About this task
GRC uses the term entity instead of profile. An entity can be anything that can be audited, such as a database, server, or business application.
Procedure
Associate a risk to the entity
Attach the entity to a risk and create a risk record. Assess and identify risks that can adversely affect your business applications.
Before you begin
Role required: sn_risk.admin and sn_risk.manager
Procedure
Add business application entity to an engagement
Entities are assessed and evaluated for audit engagement. The entities that are scoped for the audit engagement and validated are then associated with an audit.
Before you begin
Role required: sn_audit.manager or sn_audit.admin
To add a business application entity to an engagement, you must already have created an entity referencing the business application in the Entity field of the Entity form. See: Create an entity for audit referencing business application.
Procedure
Add a control to the business application entity
Associate a control with a business application entity that might be at risk. You must set effective controls on business applications to mitigate risks and protect your business. As you upgrade your business applications, you can replace outdated controls.
Before you begin
Role required: admin
You must have created an entity before associating a control with it. Controls are created in GRC.
Procedure
- The entity that you select from the Controls [sn_compliance_control] table must be a business application and the entity Class of the record must be application.
- The control record can be either in the Draft or Retired state. However, controls in such states are not visible in Enterprise Architecture (formerly Application Portfolio Management) to be associated to a business application.
View Governance, Risk, and Compliance risks and engagements for business application
As an application owner, you can view the risks that a business application is exposed to. Governance, Risk, and Compliance (GRC) audits the business application entity, and the audited risks and engagements are captured as scripted related lists on the business application form.
Before you begin
Role required: sn_apm.apm_user, sn_apm.business_stakeholder_apm_user