Page Contents

Overview

The Compliance Dashboard provides detailed metrics around program and control statuses.

If control mappings don't follow the Program, Standard, Section, Objective, Control (PSSOC) structure, they are excluded from all Compliance Dashboard calculations. For information on the PSSOC structure, please see Mapping Structure.


Accessing the Compliance Dashboard

To access the Compliance Dashboard, complete the following:

  1. Click Dashboard | Compliance Dashboard.



Program Status

The Program Status area displays all programs and shows audit readiness for two phases in a program's development. 

The two phases are not official phases of ZenGRC programs. They are terms used in this documentation to simplify Compliance Dashboard calculations.




Those two phases of Audit Readiness are as follows:

  • Onboarding Phase - The program has no completed audits. Program mappings are calculated.
  • Audit Phase - The program has at least one completed audit. Control effectiveness is calculated.
     

Both phases display the same design for the low, moderate or high icons. The statuses are only differentiated by what is calculated and the text on hover.

Hints to tell them apart are outlined in the next documentation sections.

Onboarding Phase Audit Readiness

If there is no completed audit, the program is still in the onboarding phase. The Audit Readiness calculations are based on percentages of objectives with mapped controls. Then the low, moderate and high rating is based on that and not control effectiveness.

On hover, the onboarding phase text provides percentages of objectives with at least one mapped control. Control effectiveness is not considered.




Onboarding status definitions are as follows:

  • Low - No objectives are scoped or control mappings are less than 40 percent. 
  • Moderate Control mappings are equal or greater than 40 percent and less than 80 percent. 
  • High - Control mappings are equal or greater than 80 percent.

Audit Phase Audit Readiness

If there is at least one completed audit, the program is in the audit phase. The Audit Readiness calculations are based on calculations of control effectiveness during the last program audit.

On hover, the audit phase text provides percentages of effective controls.




Audit phase status definitions only cover the last completed audit and are as follows:

  • Low - Over 80 percent of control assessments are deemed ineffective either by design or operation.
  • Moderate Over 30 percent and less than or equal to 80 percent are deemed ineffective either by design or operation.
  • High - Less than or equal to 30 percent of control assessments are deemed ineffective either by design or operation.

High Risk Entities

The High Risk Entities shows the top three object types associated with high risk scores, which then provides an organization with risk mitigation focus.



The numbers in the High Risk Entities graphic are calculated as follows:

  • The entity must be a(n):

    • Contract
    • Control
    • Org Group
    • Data Asset
    • Process
    • Objective
    • Product
    • Program
    • Threat
    • Policy
    • Issue
    • Market

  • The entity must have at least one high risk object mapped to it.

  • The top three entities (or objects) with the largest number of high risk items are displayed with their counts from left to right. 

Issues

The Issues area of the Compliance Dashboard displays the top five outstanding issues in ZenGRC. These issues should then be your compliance team's focus for the next time period.



The Issues area displays columns with the following criteria:

  • Top 5 issues - This column pulls the oldest issues in the ZenGRC application, regardless of mappings, that are set to one of the following statuses (other statuses are ignored):
    • Identified.
    • Assigned.
    • Remediation in progress.
  • Associated Entities - This displays all objects mapped to the displayed issue.
  • Age - This is the number of days shown in red since each issue was created. The oldest issues display first.

Future Gap Analysis

The Future Gap Analysis area provides an estimated level of effort for achieving compliance with a new framework. The estimate is based on overlapping frameworks in your ZenGRC System of Record.

The area only pulls programs still in a Draft status.



The Future Gap Analysis area displays columns with the following criteria:

  • Program - These are draft programs with at least one mapped objective.
  • Objectives not met - This represents two things:
    • Objectives in the draft program are not mapped to objectives in finalized programs.
    • No controls mapped to objectives of finalized program also mapped to objectives in draft program
  • Objectives potentially met - This is the number of objectives in the draft program that are also scoped to finalized programs that have corresponding mapped controls.
  • Estimated coverage - This value is computed by dividing the number of objectives potentially met by the total number of objectives (sum of previous two columns).

Risk Heatmap

The Risk Heatmap area is a scaled-down report on risks the organization faces along with their likelihood and impact. This provides risk severity and how soon action is necessary.

Click a cube on the grid to open the Risk Heatmap module.

For additional information, please see Risk Management in ZenGRC.


Individual Program Status

Clicking a program in the Program Status area displays metrics regarding that program's control efficiency.

Accessing Program Metrics

To access individual program metrics, complete the following:

  1. From the Compliance Dashboard, click a linked program in the Program Status area.
  2. The metrics for the selected program display.


Control Health

The following sections describe how Control Health metrics are obtained.

Control Count

Regardless of whether the program has a completed audit, the effective and ineffective control numbers on the left side of the graphic are calculated as follows:

  • Numbers are based on assessments in the most recent, completed audit.
  • If the program has no completed audits, metrics are pulled from audits for other programs that share the selected program's controls. 
  • Only controls mapped in the PSSOC hierarchy are counted.

% Control Effectiveness

The % control effectiveness in the middle displays colors and percentages that are based on the numbers in the Control Count  described above. The percentages are calculated as follows:

  • Red - 0 percent to 60 percent assessed controls are rated effective.
  • Orange - 61 percent-80 percent assessed controls are effective.
  • Green - 81 percent and above assessed controls are effective.


Audit Readiness

The audit readiness rating is pulled from Program Status on the Compliance Dashboard home page. 

For information on how audit readiness is calculated, please see Program Status.


Sections Status

The Sections Status displays sections for the selected program along with the counts for objectives and related controls. The information is separated out as follows:

  • Section color:
    • Red - Less than 50 percent of the objectives have at least one control mapped.
    • Orange - Between 50 percent and 80 percent of the objectives have at least one control mapped.
    • Green - More than 80 percent of the objectives have at least one control mapped.

All information is clickable. 


High Risk Entities

This calculates the highest risk entities for the selected program only.

For additional information, please see High Risk Entities in this documentation.

Top Five Issues

This displays the top five outstanding issues mapped to the selected program only.

For additional information, please see Issues in this documentation.

Risk Matrix

The Risk Matrix displays risks for the selected program along with the likelihood and impact. This narrows the focus of your risk management action to a single program.

For additional information, please see Risk Management in ZenGRC.