Compliance Scoring is a game-changing feature that transforms your approach to compliance from a binary "Pass/Fail" system to a refined and nuanced view of your entire organization. The tool relies on the existence of Entities and Controls for each of these Entities.
In this tutorial, Anne Marie Fernandez Sr. Education Advisor with many hours of GRC instruction, explains Compliance Scoring in very simple terms. As an added bonus, this simple explanation brings a simple view on Entities, what they are and why you need them.
Video contents
00:01 Introductions
00:51 Why we need to talk about Compliance Scoring
01:47 Refreshers - The GRC maturity model. GRC definitions cheat-sheet (to print and keep).
02:43 Definition of Compliance Scoring. A very powerful feature: a granular view of Compliance in the organization.
03:28 Without Entities no Compliance Scoring: a very blunt and basic view of Compliance with a given Control Objective..
04:14 With Entities, all relevant parts of the organization have their own Control, we can measure a "score" AND get a granular view that reveals where the challenges are.
05:21 An example with NIST SO 800-53. Authority, Policy, Control Objective, Entities, Entity Type, Controls. We get a Compliance Scoring not a "Pass/Fail".
07:12 The equation.
07:28 The states of the Controls are important: Draft and Retire are excluded from the measurement.
08:20 Not all Entities carry the same weight in the calculation.
08:37 When Controls pass or Fail they participate in the calculation. We then get a Compliance Score and we did not have to wait for the Audit to know this. We also know what Entity requires attention to get to as score of 100%.
09:30 In product demo. Control Objective, Citation, establish Control owners: scope out the Control Objective, Entity Type, Entities, Controls, Compliance Score, Control Attest phase, Control is not applicable for one Entity, Control not implemented in one Entity: non compliant, policy exception, Control implemented for 2 Entities, scheduled job: Compliance Score, execute, Control weight by Entity.
19:25 The big insight. Now I know why we need Entities, it all makes perfect sense and it is quite easy.
20:17 What to do right now: review the distribution of ownership to validate the choice of Entities, hold a scoping workshop, review the previous tutorials.
20:51 Conclusion.
To learn more about Controls:
community.serv...
To learn more about Entities:
community.serv...
To learn how GRC Community experts do Entity Scoping:
community.serv...
For all questions about this video tutorial on Compliance Scoring:
community.serv...