As you may know, GRC programs vary by industry, by internal needs, and by the types of external laws and regulations the organization must comply with; your region will, of course, determine which regulations apply. Keep in mind that a competency framework in itself changes nothing about the organization unless it is implemented correctly. Buy-in needs to be obtained at all levels if you are to deliver the results you are after: senior managers and specialists need to 'walk the talk', and the framework needs to become embedded in the day-to-day operations of the department. There are many content resources out there for you to consider. Unfortunately, most of them do not have published integrations at the moment, and for those that do, keeping the regulations up to date remains your responsibility, since SN does not (yet) provide an automatic scheduled job that fetches the latest data.
Please find below the list of the most commonly used programs.
| Area | Frameworks | How to Implement |
|---|---|---|
| Information Technology (IT) | SOX | The Sarbanes-Oxley (SOX) Content Pack provides basic SOX content for an organization to commence and manage activities towards attaining operational SOX compliance using the ServiceNow GRC application. A content pack may include a pre-defined scope, specific policies, controls, risks, audits, test plans, dashboards and reports, giving users of ServiceNow GRC a head start in using the applications for SOX compliance-related activities. |
| Information Technology (IT) | COBIT | COBIT is a framework created by ISACA for the governance and management of enterprise IT. This program is available via the UCF integration. |
| Information Technology (IT) | ITIL | ITIL is a best-practice framework created by AXELOS for the governance and management of enterprise IT. |
| Legal | Enterprise Policy Management (EPM) | EPM stands for Enterprise Policy Management; it is a framework designed to allow scalable use of the Policy Based Management (PBM) feature. This is an internal framework usually available within the organization. |
| Legal | Code of Conduct | A code of conduct is a set of rules outlining the norms, rules and responsibilities or proper practices of an individual party or an organisation. It sets out the minimum personal and professional standards that the party or organisation should adopt and provides guidance on how to meet them. This is an internal framework usually available within the organisation. You may find a code of conduct for employees, codes of conduct for suppliers and grant recipients, etc. Check the code of conduct for your corporation's location, its internal regulations, etc. |
| Audit | SOX | The content pack available under Area IT > SOX also includes audit programs. |
| Audit | Internal Audit Standards | Internal Audit operates within The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing ("Standards" or "Red Book"), including the IIA's Definition of Internal Auditing, Code of Ethics, Rules of Conduct and Quality Assurance Improvement Program. Internal Audit utilizes the Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework(s), Internal Audit's procedure manual and, when required and not otherwise in conflict with the Standards, the Generally Accepted Government Auditing Standards ("Yellow Book"). The IIA's Practice Advisories, Practice Guides and Position Papers guide operations as applicable. Internal Audit will adhere to Southern Oregon University's relevant policies and procedures, but in the event of conflicting direction, the Standards shall prevail. |
| Audit | Risk Management | The Risk Management process is provided by the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), a disciplined and structured process that integrates information security and risk management activities. |
| Audit | SOC | If your company provides services to other companies, those services may have an impact on your customers' financial reporting. As a result, your customers' auditors may need assurance that the controls surrounding your services are designed effectively and, in some cases, operating effectively. One way to provide that assurance is by undergoing a Service Organization Control (SOC) audit. Which type of SOC report is right for your organization depends on your answers to these questions: Do you need to report to regulators on controls over financial reporting? Does your company rely on vendors to process and safeguard your sensitive data, or are you a vendor entrusted with sensitive data? (SOC 2 reports cover controls such as security and privacy and may be used by leaders in internal audit, risk management, operations, business lines and IT, as well as by regulators.) Do you need to extend beyond the accepted trust services principles to address other compliance and regulatory frameworks, such as NIST, HITRUST or GDPR? Do you need a simpler report to support your marketing purposes and to share with anyone? For more information, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html |
| Health Care | HIPAA | The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules protect the privacy and security of health information and provide individuals with certain rights to their health information. The source material can be obtained directly from cms.gov; you then need to import the data manually using transform maps. |
| Health Care | PCI DSS | The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. |
| Health Care | HITRUST | The HITRUST CSF can be obtained through hitrustalliance.net; you then need to import the data manually using transform maps. |
| Security | ISO 27001 | ISO 27001 is a framework created by ISO (International Organization for Standardization). ISO 27001:2013 specifies the requirements for Information Security Management Systems. |
| Security | NIST | Out of the box, SN provides the GRC: NIST CSF Use Case Accelerator, also known as the NIST Cybersecurity Framework (CSF) Accelerator, which gives customers an operational head start when adopting the NIST CSF. When the accelerator is downloaded and activated in the GRC applications, pre-configured policies, scopes (profiles, profile type recommendations), risks, indicators and other GRC elements appear. The security and privacy control families outlined by NIST 800-53 are flexible and customizable, and organizations can implement them as part of their overall risk management strategy. The controls cover areas such as access control, security awareness training, formal risk assessments, incident response and continuous monitoring to support organizational risk management. |
| Security | PCI DSS | The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. |
| Finance | SOX | The content pack available under Area IT > SOX also includes financial programs. |
| Finance | GLBA | The Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data. |
| Finance | BASEL | The Basel Framework is the full set of standards of the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks. The members of the BCBS have agreed to fully implement these standards and apply them to the internationally active banks in their jurisdictions. |
| Finance | GDPR | GDPR stands for General Data Protection Regulation. It is the core of Europe's digital privacy legislation. Introduced in 2012, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy. SN provides some accelerators, but there are also applications from partners that do a great job of covering comparable privacy regulations in other jurisdictions, such as CCPA (California), LLPD (Turkey) and LGPD (Brazil). |