In Governance, Risk, and Compliance (GRC), entities can be people, processes, departments, applications, or objects whose exposure must be managed. Controls are defined against these entities so that their compliance status can be viewed.
To understand entities, consider the following example. Assume you are a new GRC user who wants to apply a change management process to all of your critical financial systems. Each system can be considered an individual entity. Map all the systems to an entity class called Financial, and use an entity type filter for critical financial systems to determine which systems are identified as critical.
The primary benefit of creating entities is accountability, because each entity has an owner. To understand this benefit, assume that you want to configure all your servers in a new way. After you finish the configuration, you perform an audit and discover that only one server failed to comply with the new configuration. If you had not defined the servers as individual entities, the entire audit result would have been deemed a failure. Because the entities are defined, only the non-compliant server entity and its identified owner are held accountable instead of all the servers.
Having defined entities ensures that the entity owners can be identified and that appropriate controls can be applied to those entities. It also helps in tracking the entities that are non-compliant. Any entity that has child entities can be said to have downstream entities. Any entity that has parent entities can be said to have upstream entities.
Take the following entity class model as an example:
We have a Company that contains Departments, which in turn contain Business Services, Business Applications and Business Processes. In GRC these are called “downstream entities”. This model is called the “Dependency Model” and is achieved by setting up the “Entity Class hierarchy”. You can visualise the model in the “GRC Workbench”.
For this exercise, we will create three entities to match the above model and generate their respective risks.
| Entity | Class |
| --- | --- |
| Wrangu | Company |
| Information Security | Department |
| Enterprise Risk Management | Business Process |
| Risk | Entity | Statement |
| --- | --- | --- |
| Disruption to the business due to critical infrastructure unavailability | Wrangu | Business Continuity and Disruption |
| Inability to retain key employees may result in the department's inability to achieve objectives. | Information Security | Loss of Key Personnel |
| Unauthorized actions have been detected | Enterprise Risk | Unauthorized actions |
Steps
- Create a client-callable Script Include called “GRCReporting” in the scope the report will call it from (sn_grc in this example), and make sure you’ve checked the ‘Client callable’ box.
- Copy the following code into it.
```javascript
var GRCReporting = Class.create();
// Extends the global AJAX processor so the method is reachable from a
// client-callable Script Include.
GRCReporting.prototype = Object.extendsObject(global.AbstractAjaxProcessor, {
    // Returns the sys_ids of every entity downstream of the given entity
    // (profile) sys_id, using the GRC application's own list helper.
    getDownstreamProfileIDs: function(profileID) {
        return new sn_grc.GRCProfileLists().getDownstreamProfileIDs(profileID);
    },
    type: 'GRCReporting'
});
```
Create your reports
- Create a report on the Risk table (sn_risk_risk).
- In the filter condition, set “Entity > Sys Id” contains “javascript:new sn_grc.GRCReporting().getDownstreamProfileIDs('<Entity SysId>');”, where <Entity SysId> is the sys_id of the top-level entity whose downstream risks you want to see. In this example, I’ve used the entity Wrangu.
- Click “Run”.
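To make the Dependency Model and the report filter above concrete, here is an added stand-alone example that is not part of the original post and not ServiceNow's or the GRC application's code. It models the Company > Department > Business Process hierarchy from the tables, implements a downstream-entity lookup in the spirit of getDownstreamProfileIDs, and applies the same "Entity > Sys Id contains <downstream ids>" selection to a set of risks. All sys_ids, owners and the "Finance" and "Other Co" entities are constructed sample data; whether the real GRC helper includes the root entity in its result is an assumption made here so the top-level entity's own risks stay in scope.

```javascript
// Added example (Node.js); not ServiceNow's or the GRC application's code.
// Entity class hierarchy: Company -> Department -> Business Process.
// sys_ids and owners are constructed for this example.
const ENTITIES = [
  { sysId: 'a1', name: 'Wrangu', entityClass: 'Company', parent: null, owner: 'ceo' },
  { sysId: 'b1', name: 'Information Security', entityClass: 'Department', parent: 'a1', owner: 'ciso' },
  { sysId: 'c1', name: 'Enterprise Risk Management', entityClass: 'Business Process', parent: 'b1', owner: 'risk.manager' },
  { sysId: 'b2', name: 'Finance', entityClass: 'Department', parent: 'a1', owner: 'cfo' },
  // A second, unrelated company: must never appear in Wrangu's downstream list.
  { sysId: 'z1', name: 'Other Co', entityClass: 'Company', parent: null, owner: 'other.owner' },
];

// Risks as they would sit on sn_risk_risk, each tied to one entity.
const RISKS = [
  { sysId: 'r1', entity: 'a1', statement: 'Business Continuity and Disruption' },
  { sysId: 'r2', entity: 'b1', statement: 'Loss of Key Personnel' },
  { sysId: 'r3', entity: 'c1', statement: 'Unauthorized actions' },
  { sysId: 'r4', entity: 'z1', statement: 'Out of scope risk' },
];

// Breadth-first walk from profileId down the parent links. The root itself is
// included (assumption for this example) so its own risks stay in the report.
// A visited set guards against a mis-configured, cyclic hierarchy.
function getDownstreamProfileIDs(profileId, entities = ENTITIES) {
  const childrenOf = new Map();
  for (const e of entities) {
    if (e.parent !== null) {
      if (!childrenOf.has(e.parent)) childrenOf.set(e.parent, []);
      childrenOf.get(e.parent).push(e.sysId);
    }
  }
  const visited = new Set();
  const queue = [profileId];
  while (queue.length) {
    const id = queue.shift();
    if (visited.has(id)) continue;
    visited.add(id);
    for (const child of childrenOf.get(id) || []) queue.push(child);
  }
  return [...visited];
}

// The same result in the form a list-valued filter expects: comma-separated sys_ids.
function downstreamFilterValue(profileId, entities = ENTITIES) {
  return getDownstreamProfileIDs(profileId, entities).join(',');
}

// Equivalent of the report filter: keep risks whose entity is in the downstream set.
function risksForEntityTree(profileId, risks = RISKS, entities = ENTITIES) {
  const ids = new Set(getDownstreamProfileIDs(profileId, entities));
  return risks.filter((r) => ids.has(r.entity));
}

// Accountability view: attribute each in-scope risk to the owner of its entity,
// so one non-compliant entity is visible without failing the whole tree.
function risksByOwner(profileId, risks = RISKS, entities = ENTITIES) {
  const ownerOf = new Map(entities.map((e) => [e.sysId, e.owner]));
  const out = {};
  for (const r of risksForEntityTree(profileId, risks, entities)) {
    const owner = ownerOf.get(r.entity);
    (out[owner] = out[owner] || []).push(r.statement);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(downstreamFilterValue('a1'));
  console.log(risksByOwner('a1'));
}
```

Running it for the Wrangu entity yields the filter value `a1,b1,b2,c1` and groups the three in-scope risks under their respective owners, while the unrelated company's risk is left out; querying from Information Security (`b1`) narrows the result to that department and the process beneath it.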