Versions Compared

Version Old Version 1 New Version Current
Changes made by

Tristan Mohn (Deactivated)

Victoria Buhler (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Page Contents

Table of Contents
indent18px

Overview

The Compliance Dashboard provides a snapshot of an organization's compliance posture and its progression through time.There are several sections on the dashboard that provide detailed metrics around program status and control healthdetailed metrics around program and control statuses.

Note
titleIMPORTANT

If control mappings don't follow the Program, Standard, Section, Objective, Control (PSSOC) structure, they are excluded from all Compliance Dashboard calculations. For information on the PSSOC structure, please see Mapping Structure.


Accessing the Compliance Dashboard

To access the Compliance Dashboard, complete the following:

  1. Click Dashboard | Compliance Dashboard.



Anchor
programstatus
programstatus
Program Status

The Program Status section area displays all programs in your organization's instance. This alphabetical list provides a status and shows audit readiness for two different phases in a program's timelinedevelopment

Tip
titleTIP

The two phases are not official phases of ZenGRC programs. They are terms used in this documentation to simplify Compliance Dashboard calculations.


Image Added

Those two phases of Audit Readiness are as follows:

  • Onboarding Phase - The program has no completed auditaudits. Program mappings are calculated.
  • Audit Phase - The program has at least one completed audit. Control effectiveness is calculated.
     
Note
titleIMPORTANT

Both phases display

a

the same design for the low, moderate or high

status

icons. The

phases

statuses are only differentiated by what is calculated and the text on

mouse hover and the metrics displayed on click.

Image Removed

Understanding Onboarding Phase Readiness

If a

hover.

Hints to tell them apart are outlined in the next documentation sections.

Onboarding Phase Audit Readiness

If there is no completed audit, the program is still in the onboarding phase, the message displayed on mouse hover provides percentages of objectives that have mapped controls. This program may have active audits, but if it has no completed audits, there are no metrics to display for control health. The Audit Readiness calculations are based on percentages of objectives with mapped controls. Then the low, moderate and high rating is based on that and not control effectiveness.

Tip
titleTIP

On hover, the onboarding phase text provides percentages of objectives with at least one mapped control. Control effectiveness is not considered.




Onboarding phase status definitions are as follows:

  • Low - No objectives are scoped or control mappings are less than 40 percent. 
  • Moderate Control mappings are equal or greater than 40 percent and less than 80 percent. 
  • High - Control mappings are equal or greater than 80 percent
Tip
titleTIP
The control percentages are only calculated on objectives scoped to the program
  • .
Understanding

Audit Phase Audit Readiness

If a program is in the audit stage, which means it has there is at least one completed audit, the message displayed on mouse hover  the program is in the audit phase. The Audit Readiness calculations are based on calculations of control effectiveness during the last program audit.

Tip
titleTIP

On hover, the audit phase text provides percentages of effective controls

in the last audit

.




Audit phase status definitions only cover the last completed audit and are as follows:

  • Low - Over 80 percent of control assessments are deemed ineffective either by design or operation.
  • Moderate Over 30 percent and less than or equal to 80 percent are deemed ineffective either by design or operation.
  • High - Less than or equal to 30 percent of control assessments are deemed ineffective either by design or operation.
tip

Anchor

title

highriskentity

TIP

If an assessment is mapped to multiple objects, the only one used for calculations is the one mapped to a control in the last completed audit.

highriskentity
High Risk Entities

The High Risk Entities section reports shows the top three object types associated with high risk scores, which then provides the focus for an organization with risk mitigation focus.

Understanding High Risk Entities


 In order to display Image Added

The numbers in the High Risk Entities section, objects must have at least one high risk mapped with a score that is greater than or equal to 20.In addition, a risk only displays if it is mapped to one of the followingRisk Entities graphic are calculated as follows:

  • The entity must be a(n):

    • Contract
    • Control
    • Org Group
    • Data Asset
    • Process
    • Objective
    • Product
    • Program
    • Threat
    • Policy
    • Issue
    • Market

  • The entity must have at least one high risk object mapped to it.

  • The top three entities (or objects) with the largest number of high risk items are displayed with their counts from left to right. 

Anchor
issues
issues
Issues

The Issues section area of the Compliance Dashboard displays the top five outstanding issues in ZenGRC. This These issues should then be your compliance team's focus for the next time period.

  • up to 5 non truncated titles of issues
    • in states Identified, Assigned or Remediation in progress
    • sort by age, oldest on top
  • Get issues from the entire system
  • List all objects mapped to issue separated by newline
  • age is calculated as number of days since issue creation
  • on click pass send user to the issue card/info panel/page (whichever exists at the point of implementation)

Future Gap Analysis

Risk Heatmap

Scaled

Image Added

The Issues area displays columns with the following criteria:

  • Top 5 issues - This column pulls the oldest issues in the ZenGRC application, regardless of mappings, that are set to one of the following statuses (other statuses are ignored):
    • Identified.
    • Assigned.
    • Remediation in progress.
  • Associated Entities - This displays all objects mapped to the displayed issue.
  • Age - This is the number of days shown in red since each issue was created. The oldest issues display first.

Future Gap Analysis

The Future Gap Analysis area provides an estimated level of effort for achieving compliance with a new framework. The estimate is based on overlapping frameworks in your ZenGRC System of Record.

The area only pulls programs still in a Draft status.

Image Added

The Future Gap Analysis area displays columns with the following criteria:

  • Program - These are draft programs with at least one mapped objective.
  • Objectives not met - This represents two things:
    • Objectives in the draft program are not mapped to objectives in finalized programs.
    • No controls mapped to objectives of finalized program also mapped to objectives in draft program
  • Objectives potentially met - This is the number of objectives in the draft program that are also scoped to finalized programs that have corresponding mapped controls.
  • Estimated coverage - This value is computed by dividing the number of objectives potentially met by the total number of objectives (sum of previous two columns).

Risk Heatmap

The Risk Heatmap area is a scaled-down report on risks the organization is facingfaces along with the their likelihood and impact. This provides risk severity and how soon do we have to take the actionaction is necessary.

  • display a scaled down risk heat map here (/risk_heatmap)
    • clicking on the scaled down risk heat map takes me to the risk heat map pageselect the box I clicked on

    Click a cube on the grid to open the Risk Heatmap module.

    Info
    titleNOTE

    For additional information, please see Risk Management in ZenGRC.


    Image Added

    Individual Program Status

    Clicking a program in the Program Status area displays metrics regarding the that program's control efficiency of the selected program.

    Accessing

    Individual

    Program Metrics

    On the Compliance DashboardTo access individual program metrics, complete the following:

    1. Click the 

    Control Health Metrics

    metrics for control efficiency
    1. From the Compliance Dashboard, click a linked program in the Program Status area.
    2. The metrics for the selected program
    • count controls mapped to the selected programthrough the PSSOC hierarchyand evaluate effectivenessbased on last assessment mapped to the control whose audit has been completed
      • take into consideration the last completed audit:
        • 1st level sorting: "Audited period end" date
        • 2nd level sorting (if 1st level not available or its tied): date when audit was completed
      • count of effective controls
      • count of ineffective controls
      • show effectiveness count: effectives control/all control
        • show gauge color:
          • 0-60%: red
          • 61%-80%: orange
          • 81% and above: green
      • show audit readiness badge for program (same as for all programs, user story no. 3 in this spec)
    • Click on Effectiveness metrics or on the round percentage: take the user to the SoR listing for controls
        • filters applied: map:program
        • workaround for now: old SOR, go to program page, controls tab

    Section Status

    all the sections for this program with metrics about mapped objectives and controls count and highlighted with colors based on control effectiveness

    • display all sections mapped up the hierarchy (to the standard and program)
    • Show objective and controlcount
      • Objective count: all objectives mapped to the section
      • Control count: cumulative sum of all controls mapped to each objective (per section)
    • Objective count: objectives mapped to the section, standard, and program (all the way up in the hierarchy)
    • Display frame around each section color:
      • Green: more than 80% of the objectives have at least one control mapped
      • Orange: between 50% and 80% of the objectives have t least one control mapped
      • Red: let than 50% of the objectives have at least one control mapped
    • Hover on the "badge" same as in US#4 (see above)
    • on click take to the SoR objective list:
      • filter is applied: map:program
      • filter is applied: map:section
      • visible column selected: map:control
      • workaround for now: old SOR, go to program page, controls tab

    High Risk Entities

    the top 3 highest risk entities for a specific program.

    • display top three high risk entities mapped to objects that are mapped to specific program

    Top Five Issues

    the top five outstanding issues regarding a specific program

    • up to 5 non truncated titles and descriptions for issues mapped to this specific program

    Risk Matrix

    This section displays risks for the selected  program and at what likelihood and what impact, so I can decide on risk severity and how soon do we have to take the action

  • display a scaled down risk heat map here (/risk_heatmap) only with risks mapped to this specific program
    • filter risk heat map for that specific program if on a single program view
    • clicking on the scaled down risk heat map takes me to the risk heat map page
  • select the box I clicked on
    • if a program is selected keep the same program filter
    1. display.


    Image Added

    Control Health

    The following sections describe how Control Health metrics are obtained.

    Control Count

    Regardless of whether the program has a completed audit, the effective and ineffective control numbers on the left side of the graphic are calculated as follows:

    • Numbers are based on assessments in the most recent, completed audit.
    • If the program has no completed audits, metrics are pulled from audits for other programs that share the selected program's controls. 
    • Only controls mapped in the PSSOC hierarchy are counted.

      Image Added

    % Control Effectiveness

    The % control effectiveness in the middle displays colors and percentages that are based on the numbers in the Control Count  described above. The percentages are calculated as follows:

    • Red - 0 percent to 60 percent assessed controls are rated effective.
    • Orange - 61 percent-80 percent assessed controls are effective.
    • Green - 81 percent and above assessed controls are effective.

      Image Added

    Audit Readiness

    The audit readiness rating is pulled from Program Status on the Compliance Dashboard home page. 

    Info
    titleNOTE

    For information on how audit readiness is calculated, please see Program Status.


    Image Added

    Sections Status

    The Sections Status displays sections for the selected program along with the counts for objectives and related controls. The information is separated out as follows:

    • Section color:
      • Red - Less than 50 percent of the objectives have at least one control mapped.
      • Orange - Between 50 percent and 80 percent of the objectives have at least one control mapped.
      • Green - More than 80 percent of the objectives have at least one control mapped.

    Tip
    titleTIP

    All information is clickable. 


    Image Added

    High Risk Entities

    This calculates the highest risk entities for the selected program only.

    Info
    titleNOTE

    For additional information, please see High Risk Entities in this documentation.

    Top Five Issues

    This displays the top five outstanding issues mapped to the selected program only.

    Info
    titleNOTE

    For additional information, please see Issues in this documentation.

    Risk Matrix

    The Risk Matrix displays risks for the selected program along with the likelihood and impact. This narrows the focus of your risk management action to a single program.

    Info
    titleNOTE

    For additional information, please see Risk Management in ZenGRC.



    Include Page
    DI:RH Navigation
    DI:RH Navigation