Overview
The Compliance Dashboard provides a snapshot of an organization's compliance posture as well as its progression through time.
There are several tables areas on the dashboard that provide detailed metrics around program status and control healthstatuses.
Accessing the Compliance Dashboard
To access the Compliance Dashboard, complete the following:
- Click Dashboard | Compliance Dashboard.
| Anchor | ||||
|---|---|---|---|---|
|
The Program Status table displays all programs in your organization's instance regardless of the state. This alphabetical list provides audit readiness statuses for two phases in a program's development. 
Program Status Phases
The two phases displayed in the Program Status table are as follows:
- Onboarding Phase - The program has no completed audits.
- Audit Phase - The program has at least one completed audit.
| Note | ||
|---|---|---|
| ||
Both phases display the same low, moderate or high icons. They are only differentiated by text on mouse hover and metrics shown after clicking the linked program. Hints on how to tell them apart are outlined in the next documentation sections. |
Understanding Onboarding Phase Readiness
If a program is still in Since there is no completed audit, the onboarding phase , the calculates percentages of objectives with mapped controls.
The message displayed on mouse hover provides percentages of objectives with mapped controls.with at least one mapped control. Then the low, moderate and high rating is based on that percentage
Onboarding phase status definitions are as follows:
- Low - No objectives are scoped or control mappings are less than 40 percent.
- Moderate - Control mappings are equal or greater than 40 percent and less than 80 percent.
- High - Control mappings are equal or greater than 80 percent.
| Tip | ||
|---|---|---|
| ||
The control percentages are only calculated on objectives scoped to the selected program. If the control mappings don't follow the PSSOC mappings, they those controls are excluded. |
Understanding Audit Phase Readiness
If a program is in the audit stage, which means it has there is at least one completed audit, the audit phase calculates control effectiveness during the last audit of the selected program.
And the message displayed on mouse hover provides percentages of effective controls in the last audit.
Audit phase status definitions only cover the last completed audit and are as follows:
- Low - Over 80 percent of control assessments are deemed ineffective either by design or operation.
- Moderate - Over 30 percent and less than or equal to 80 percent are deemed ineffective either by design or operation.
- High - Less than or equal to 30 percent of control assessments are deemed ineffective either by design or operation.
| Tip | ||
|---|---|---|
| ||
If an assessment is mapped to multiple objects, the only assessment used for calculations is the one mapped to a control used in the last completed audit. |
High Risk Entities
The High Risk Entities table reports the top three object types associated with high risk scores, which then provides an organization with risk mitigation focus.
Understanding High Risk Entities
The High Risk Entities table displays three objects with the greatest number of high risk items. Only the following are included in this table's calculation:
The entity must be one of the following objects:
- Contract
- Control
- Org Group
- Data Asset
- Process
- Objective
- Product
- Program
- Threat
- Policy
- Issue
- Market
The entity must have at least one item classified as high high risk status.
- The top three entities (or objects) with the most high risks risk items are displayed with their counts from left to right.
Issues
The Issues table of the Compliance Dashboard displays the top five outstanding issues in in ZenGRC. This These issues should then be your compliance team's focus for the next time period.
Understanding the Issues Table
The Issues table displays columns with the following criteria:
- Top 5 issues - This column pulls all issues in the ZenGRC application, regardless of mappings, that are set to one of the following statuses (other statuses are ignored):
- Identified.
- Assigned.
- Remediation in progress.
- Associated Entities - All This displays all objects mapped to the displayed issue.
- Age - The This is the number of days shown in red since each issue was created. The oldest issues display first.
Future Gap Analysis
The Future Gap Analysis table provides the an estimated level of effort for achieving compliance with a new framework. The estimate is based on overlapping frameworks in your ZenGRC System of Record.
The table only pulls programs still in a Draft status.
Understanding the Future Gap Analysis Table
The Future Gap Analysis table displays columns with the following criteria:
- Program - These are draft programs with at least one mapped objective.
- Objectives not met - This is the number of objectives in the draft program not scoped to other finalized programs. These objectives still need attention.
- Objectives potentially met - This is the number of objectives in the draft program that could be potentially met by objectives in a related finalized program.
- Estimated coverage - Estimate of objective overlap between the finalized and draft programs to show effort in finalizing the draft program.
Risk Heatmap
The Risk Heatmap table is a scaled-down report on risks the organization faces along with their likelihood and impact. This provides risk severity and how soon action is necessary.
Click a cube on the grid to open the Risk Heatmap module.
| Info | ||
|---|---|---|
| ||
For additional information, please see Risk Heatmap. |
Individual Program Status
Clicking a program in the Program Status table displays metrics regarding the selected program's control efficiency, regardless of whether the . Metrics differ if the program is in the Onboarding or Audit phase.
| Info | ||
|---|---|---|
| ||
For information on the the Onboarding or Audit phase in the Program Status table of the Compliance Dashboard, please see Program Status. |
| Note | ||
|---|---|---|
| ||
If no audit has been performed on the selected program, the table pulls information ratings for controls that are mapped to a different program that HAS undergone an auditother programs with completed audits. |
Accessing Program Metrics
On the Compliance DashboardTo access individual program metrics, complete the following:
- Click From the Compliance Dashboard, click a linked program in the Program Status table.
Control Health Metrics Table
- The metrics for
- the selected program
- display.
Control Health
The following describes how the metrics in the Control Health table graphic are obtained.
Control Count and % Control Effectiveness
The control numbers on the left side of the graphic are calculated as follows:
- Only controls mapped
- take into consideration the last completed audit:
- 1st level sorting: "Audited period end" date
- 2nd level sorting (if 1st level not available or its tied): date when audit was completed
- count of effective controls
- count of ineffective controls
- show gauge color:
- 0-60 percent: red
- 61 percent-80 percent: orange
- 81 percent and above: green
- in the PSSOC hierarchy are counted.
- The numbers are based on latest assessments in the most recent audit.
- If the program hasn't undergone an audit, metrics are pulled from completed audits for other programs that share the selected program's control mappings.
The % control effectiveness graph in the middle displays colors and percentages as follows:
- Red - 0 percent to 60 percent assessed controls are effective.
- Orange - 61 percent-80 percent assessed controls are effective.
- Green - 81 percent and above assessed controls are effective.
- Click on Effectiveness metrics or on the round percentage: take the user to the SoR listing for controls
- filters applied: map:program
- workaround for now: old SOR, go to program page, controls tab
Section Status
all the sections for this program with metrics about mapped objectives and controls count and highlighted with colors based on control effectiveness
- display all sections mapped up the hierarchy (to the standard and program)
- Show objective and controlcount
- Objective count: all objectives mapped to the section
- Control count: cumulative sum of all controls mapped to each objective (per section)
- Objective count: objectives mapped to the section, standard, and program (all the way up in the hierarchy)
- Display frame around each section color:
- Green: more than 80 percent of the objectives have at least one control mapped
- Orange: between 50 percent and 80 percent of the objectives have t least one control mapped
- Red: let than 50 percent of the objectives have at least one control mapped
- Hover on the "badge" same as in US#4 (see above)
- on click take to the SoR objective list:
- filter is applied: map:program
- filter is applied: map:section
- visible column selected: map:control
- workaround for now: old SOR, go to program page, controls tab
High Risk Entities
the top 3 highest risk entities for a specific program.
- display top three high risk entities mapped to objects that are mapped to specific program
Top Five Issues
the top five outstanding issues regarding a specific program
- up to 5 non truncated titles and descriptions for issues mapped to this specific program
Risk Matrix
The Risk Matrix displays risks for the selected program along with the likelihood and impact. This narrows the focus of your risk management action to a single program.
- display a scaled down risk heat map here (/risk_heatmap) only with risks mapped to this specific program
- filter risk heat map for that specific program if on a single program view
- clicking on the scaled down risk heat map takes me to the risk heat map page
- select the box I clicked on
- if a program is selected keep the same program filter