Regulations, Standards and Frameworks that can be used within GRC

As you may know, GRC programs vary by industry, by internal needs, by the external laws and regulations the organization must comply with and, of course, by your region, which determines the applicable regulations. Keep in mind that a competency framework in itself changes nothing about the organization unless it is implemented correctly. Buy-in needs to be obtained at all levels if you are to deliver the results you are after. Senior managers and specialists need to 'walk the talk', and the framework needs to become embedded in the day-to-day operations of the department. There are many content resources out there for you to consider. Unfortunately, most of them do not have published integrations at the moment, and for those that do, it is part of your responsibility to keep these regulations up to date, since ServiceNow (SN) does not (yet) provide an automatic scheduled job to fetch the latest data.


Please find below the list of the most commonly used programs. Each entry lists the area, the framework, and how to implement it.

Area: Information Technology (IT)
Framework: SOX
How to Implement: The Sarbanes-Oxley (SOX) Content Pack provides basic SOX content for an organization to commence and manage activities towards attaining operational SOX compliance using the ServiceNow GRC application. A content pack may include a pre-defined scope, specific policies, controls, risks, audits, test plans, dashboards and reports, giving users of ServiceNow GRC a head-start in using the applications for SOX compliance-related activities.

Area: Information Technology (IT)
Framework: COBIT
How to Implement: COBIT is a framework created by ISACA for the governance and management of enterprise IT. This program is available via the UCF integration.

Area: Information Technology (IT)
Framework: ITIL
How to Implement: ITIL is a best-practice framework created by AXELOS for the governance and management of enterprise IT.

Area: Legal
Framework: Enterprise Policy Management (EPM)
How to Implement: EPM stands for Enterprise Policy Management; it is a framework designed to allow scalable use of the Policy Based Management (PBM) feature. This is an internal framework usually available within the organization.

Area: Legal
Framework: Code of Conduct
How to Implement: A code of conduct is a set of rules outlining the norms, rules, responsibilities and proper practices of an individual party or an organization. This code sets out the minimum personal and professional standards that an individual party or an organization should adopt and provides guidance on achieving these requirements.

This is an internal framework usually available within the organization. You may find a code of conduct for employees, codes of conduct for suppliers and grant recipients, etc. Please check the code of conduct for your corporation's location, internal regulations, etc.

Area: Audit
Framework: SOX
How to Implement: The content pack available under Area IT > SOX also includes audit programs.

Area: Audit
Framework: Internal Audit Standards
How to Implement: Internal Audit operates within The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing ("Standards" or "Red Book"), including the IIA's Definition of Internal Auditing, Code of Ethics, Rules of Conduct and Quality Assurance Improvement Program. Internal Audit utilizes the Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework(s), Internal Audit's procedure manual, and, when required and not otherwise in conflict with the Standards, the Generally Accepted Government Auditing Standards ("Yellow Book"). The IIA's Practice Advisories, Practice Guides, and Position Papers will guide operations as applicable. Internal Audit will adhere to Southern Oregon University's relevant policies and procedures, but in the event of conflicting direction, the Standards shall prevail.

Area: Audit
Framework: Risk Management
How to Implement: The Risk Management process follows the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), a disciplined and structured process that integrates information security and risk management activities.

Area: Audit
Framework: SOC
How to Implement: If your company provides services to other companies, those services may have an impact on your customers' financial reporting. As a result, your customers' auditors may need assurance that the controls surrounding your services are designed effectively and, in some cases, operating effectively. One way to provide that assurance is by undergoing a Service Organization Control (SOC) audit. What type of SOC report is right for your organization?

  • SOC 1: Do you need to report to regulators on controls over financial reporting?

  • SOC 2: Does your company rely on vendors to process and safeguard your sensitive data, or are you a vendor entrusted with sensitive data? SOC 2 reports cover controls such as security and privacy and may be used by leaders in internal audit, risk management, operations, business lines and IT, as well as by regulators.

  • SOC 2+: Do you need to extend beyond the accepted trust services principles to address other compliance and regulatory frameworks, such as NIST, HITRUST, or GDPR?

  • SOC 3: Do you need a simpler report to support your marketing purposes and to share with anyone?

For more information, check the following link:

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

Area: Health Care
Framework: HIPAA
How to Implement: The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules protect the privacy and security of health information and provide individuals with certain rights to their health information. Any resource can be obtained directly from cms.gov, after which you need to import the data manually using transform maps.

Area: Health Care
Framework: PCI DSS
How to Implement: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Area: Health Care
Framework: HITRUST
How to Implement: The HITRUST CSF can be obtained through hitrustalliance.net, after which you need to import the data manually using transform maps.

Area: Security
Framework: ISO 27001
How to Implement: ISO 27001 is a framework created by ISO (International Organization for Standardization). ISO 27001:2013 specifies the Requirements for Information Security Management Systems.

Area: Security
Framework: NIST
How to Implement: Out of the box, SN provides the GRC: NIST CSF Use Case Accelerator, also known as the NIST Cybersecurity Framework (CSF) Accelerator, which gives customers an operational head-start when adopting the NIST CSF. When the accelerator is downloaded and activated in the GRC applications, pre-configured policies, scopes (profiles, profile type recommendations), risks, indicators, and other GRC elements appear.

The security and privacy control families outlined by NIST 800-53 are flexible and customizable and can be implemented by organizations as part of their overall risk management strategy. The controls cover areas such as access control, security awareness training, formal risk assessments, incident response and continuous monitoring to support organizational risk management.

Area: Security
Framework: PCI DSS
How to Implement: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

Area: Finance
Framework: SOX
How to Implement: The content pack available under Area IT > SOX also includes financial programs.

Area: Finance
Framework: GLBA
How to Implement: The Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.

Area: Finance
Framework: Basel
How to Implement: The Basel Framework is the full set of standards of the Basel Committee on Banking Supervision (BCBS), which is the primary global standard setter for the prudential regulation of banks. The membership of the BCBS has agreed to fully implement these standards and apply them to the internationally active banks in their jurisdictions.

Area: Finance
Framework: GDPR
How to Implement: GDPR stands for General Data Protection Regulation. It is the core of Europe's digital privacy legislation. Introduced in 2012, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses in the European Union can fully benefit from the digital economy.

SN provides some accelerators, but there are also applications from partners that do a great job of covering GDPR-like data protection regulations in other jurisdictions, such as CCPA (California), LLPD (Turkey) and LGPD (Brazil).

