Program Scoping Dashboard

Owned by Predrag Kanazir (Deactivated)
Last updated: Feb 09, 2023 by Victoria Buhler (Deactivated)
6 min read


Page Contents


Benefits

The Program Scoping dashboard simplifies the processes of:

  1. Designating which specific program requirements apply to your organization
  2. Mapping your internal controls to those in-scope requirements
  3. Looking ahead toward future programs to see how much coverage your existing controls might already provide toward them.

Overview

Once your organization has determined which programs you want to see in ZenGRC, there are three high-level steps to perform before those programs can be audited:

  1. IMPORT CONTENT: CSV-formatted program content is imported into ZenGRC. Reciprocity's productized program content will typically be imported for you by our Product Implementation Experts team. If you are using your own custom program content, your administrators can also import it themselves using the Data Import tool.
  2. SCOPE OBJECTIVES: Your team utilizes the Program Scoping dashboard to designate which standards, sections, and objectives you consider to be "in-scope" for your organization.
  3. MAP CONTROLS: Your team maps your internal controls to the in-scope objectives, a process that culminates in a clear view of any remaining control gaps that you might want to address before starting an audit. The controls you utilize here might be Reciprocity-provided controls such as the SCF, or they might be your own internally-written controls. The benefit of leveraging a common control set like the SCF is that you can test those controls once and satisfy common objectives across multiple programs (or even to quickly assess what coverage those common controls might provide against frameworks you might wish to adopt in the future). Note that you can also leverage the SCF cross-mappings while still providing your own custom control language. Ask your Product Implementation Expert for more information. 

Accessing the Program Scoping Dashboard

To access the Program Scoping dashboard, complete the following:

  1. In the left-hand navigation, click Program Scoping. The Program Scoping dashboard displays

  2. In-app guidance provides instructions on how to use and interpret the information on the Program Scoping screen. To access this in-app help, click the information icon in the top-right section of the screen:

Understanding the Program Scoping Dashboard

The Program Scoping dashboard doubles as both a report for viewing current program scoping information as well as  wizard that allows you to easily make changes to the current scoping.

  1. The Program Scoping screen displays all "Final" programs first, followed by all "Draft" programs (within each status grouping, programs are further sorted alphabetically by Title).
    1. "Final" means that the program is ready to be audited. You'll designate a program to be "Final" once you have scoped in relevant objectives, mapped controls to the objectives, and resolved and control gaps that you wish to resolve prior to conducting an audit of the program.
    2. "Draft" programs might be programs that you're actively scoping in preparation for a future audit, or they could also be programs that you've imported into ZenGRC in order to see a "Future Gap Analysis" (i.e. an understanding of what coverage you might already have for a future program based on your existing common controls)
  2. The Standards, Sections, and Objectives columns each show how many of those respective items from the program have been designated as "In-Scope". Clicking on the value in any of those 3 columns will bring you to the relevant tab in the Program Scoping wizard, where you can further scope those items in or out.
  3. The Controls column displays the count of controls that have been mapped to the program (by way of mapping those controls to the program's objectives). By default, the Controls column includes all mapped controls, regardless of the status of those controls. However, you can filter these counts to show only controls in "Final" status by enabling the Count only controls that in final status toggle.
  4. The Coverage column displays the percentage of in-scope objectives that have at least one control mapped to them. By default, the Coverage column includes all mapped controls, regardless of the status of those controls. However, you can filter the Coverage percentage to include only controls in "Final" status by enabling the Count only controls that in final status toggle.
  5. For each program, scoping should be completed in order from left to right, following the ZenGRC Mapping Structure for Standards, Sections, Objectives, and Controls.
  6. After one Standard, Section, or Objective in a program is scoped, the button for the next item in the hierarchy is activated, with the scoping order as follows:
  7. Scope standards - Select which standards apply to your program.
  8. Scope sections - Choose which sections of the standard apply to your organization.
  9. Scope objectives - Determine which objectives from selected sections are applicable to your organization.
  10. Map controls - Map your internal controls to the scoped objectives

  11. Finalize scoping - Once scoping is completed and controls are mapped, you should finalize each program (i.e. update its status from "Draft" to "Active" to indicate that it is ready for the auditing process.

    TIP

    When program content is imported into your organization’s instance, standards and sections have often been pre-scoped to their respective programs. In these cases, the Standards and Sections columns display the number of scoped items instead of a button. You can still modify this scoping by clicking on the counts to enter those sections fo the Program Scoping wizard, but its recommended that you simply move on to the Objectives and Control columns.

Scoping Standards, Sections, and Objectives

The scoping process is the same for standards, sections and objectives. The example in the steps below is for scoping objectives, but it applies to all.

To begin the scoping process on a program, complete the following steps.

  1. Click the first active button in the row beside the program. In the screenshot below, the first active button is for scoping objectives, which means the buttons to the right of this column won't be active until objectives are scoped.

    TIP

    Once an area is scoped, you can still review the information by clicking the linked number in the column.




  2. Select an item in the left-hand column of the mapper as shown in step 2 of the image below. This column contains sections you've selected and each needs applicable objectives scoped.
  3. In the right-hand column, click Scope beside each item that is relevant to the section selected as shown in step 3 of the image below. Alternatively, click Scope all to scope all items to the object.



  4. When all items are scoped for the first item, select the next item and repeat all steps.

  5. After all items are scoped, click Next Step to continue scoping the next object or click Save & Close at lower left to return to the Program Scoping page.

  6. If possible, you can continue scoping standards, sections and objectives, click Finish Scoping at page bottom. Controls can now be mapped.

Mapping Controls

Mapping controls can only be started after standards, sections, and objectives are scoped. The goal is to map at least one control to each objective to ensure that relevant details are provided that satisfy objective requirements.

To map an item on the Program Scoping page, complete the following steps:

  1. Click Map controls to open the standard Object Mapper. Objectives will be mapped to the relevant program on the left with all controls on the right. 
  2. Select an item from the Available Objectives column. Each individual item needs selecting and will follow these same steps.
  3. Select one or more items in the Available Controls.
  4. Once all controls are selected for the objective, click Map Controls. Repeat the process by selecting another item from the Available Controls column.



  5. Once all available objectives have mappings, click Complete to save selections and return to the prior page.

Finalizing the Program

Once you've determined your program scope and mapped controls, you can finalize the program by moving it from a Draft to a Final status.

To finalize a program, complete the following:

  1. Click Finalize.
  2. In the resulting dialog, click OK, Finalize, which moves unscoped standards, sections and objectives from a Draft to Not-in-Scope status. You can still add them to scope later.
  3. In the next dialog, click Go to the Program Page, which then opens the program's Details page. This allows you to review all mapped controls and ensure all objectives are satisfied. 



  4. Alternatively, click Skip for Now to close the dialog and return to the Program Scoping page with the program in a Final status.
  5. Actions - "Final" programs display an ellipsis icon in the Actions column, which provides the following actions:
    • Rescope - Gives you the option to update scoping for an already finalized program
    • Review controls - Provides a quick glance at the list of scoped controls for a finalized program.


Other Helpful Content

•  Access and User Assistance 
•  System of Record List Views  
•  Actions on the Details Page 
•  Creating New Objects 
•  Favorites 
•  Quick Tips for End Users (Printable) 
•  Searching the Left-Hand Navigation

© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com