ZenComply Help Glossary
The Glossary contains definitions for terms commonly used within ZenComply and throughout ZenComply Help.
A
Application
ZenGRC’s platform features and content (Global Navigation, Record Types, User Roles, Workflows, Dashboards & Reports, etc.) that are specifically designed to solve a set of related business problems. One or more applications may be implemented on the ZenGRC platform (e.g. ZenComply, ZenRisk).
Audit
A targeted project of assessing an organization against a set framework (e.g. PCI, SOC 2) by 1) determining which controls and requirements the organization’s assets will be evaluated against, 2) evaluating the design and operating effectiveness of implemented controls against those defined requirements, and 3) identifying and remediating any issues found during the course of the evaluation. Audits are the data containers for Control Assessments, Evidence Requests, and Findings.
Authoritative Source
Refers to any structured document that dictates specific requirements with which an organization must comply. Authoritative sources might come in the form of government-mandated rules and regulations (e.g. GDPR, CCPA, PCI) or industry-standard / best-practice frameworks that an organization has been compelled to adopt (e.g. NIST, ISO 27001, COSO, COBIT).
B
No Glossary terms
C
Common Control Frameworks
Common control frameworks (CCFs) are implemented by organizations that are typically seeking compliance with multiple frameworks. A common control framework is derived from multiple privacy and security compliance frameworks (e.g. ISO 27001, NIST, GDPR) and maps individual controls so that each one satisfies requirements across several frameworks. A CCF supports an organization’s compliance audit and assessment efforts within its GRC business operations.
Common Component
A platform-level “building block” of reusable functionality that appears across multiple applications and provides a common user experience pattern throughout the platform (e.g. System of Record, Questionnaires, Configurable Dashboards, Activity Log, and more).
Controls
Also commonly referred to as Internal Controls, these are the systems, policies, procedures, physical controls, or any other measures that have been designed and implemented in order to ensure that one or more of an organization’s compliance requirements are being met.
As defined by COSO: controls are the specific measures that provide assurance that an enterprise’s operations are effective and efficient, its financial reporting is reliable, and the enterprise is in compliance with all regulatory requirements.
Controls might be derived from an external control framework (e.g. the SCF); however, organizations ultimately own the design, implementation, and testing of their internal controls.
Control Assessments
The evaluation of a control in order to determine the effectiveness of its design and implementation, either 1) with regard to how well it ensures compliance with its related control requirements, or 2) with regard to how well it mitigates its related risks. Control assessments typically rely on evidence, which is collected from Evidence Providers through Evidence Requests.
Control Assessor
Responsible for assessing specific controls within the scope of a given audit. This also includes managing any supporting processes, such as evidence requests, that support the assessment of those controls.
D
No Glossary terms
E
Enterprise Risks
Enterprise Risks are potential events that, should they occur, would have a negative impact on the organization’s ability to achieve its business objectives. Enterprise Risks are typically scored, or assessed, using a combination of their likelihood of occurring and the impact they would have on the organization if they did in fact occur.
Evidence Provider
Provides evidence (e.g. file attachments, comments) on their assigned Evidence Requests to confirm controls are established and operating effectively. Submitted evidence is used in the audit process by Control Assessors, who review the evidence to determine the effectiveness of controls. Evidence Providers may view only their assigned Evidence Requests, and are typically the employees responsible for operationalizing a control. They might be application owners, process owners, or owners of vendor relationships (where the vendor provides a control).
Evidence Request
Evidence requests track the process of collecting, reviewing, and approving evidence from control owners. Evidence refers to any form(s) of proof that a control is in place and operating effectively. Evidence is typically provided as file attachments.
Execution
Refers to user activity within ZenComply around collecting evidence, identifying deficient controls, and documenting observations about those controls. Here, users create and notify other users within ZenGRC, respond to requests, review requests, and review the effectiveness of controls.
F
Findings
Any identified problems in the control infrastructure found during a Control Assessment (e.g. a documented audit finding). Findings usually require follow-up in the form of a Treatment Plan (a plan of action), which may contain additional tasks that need to be completed. Findings in ZenGRC correspond to industry terms such as “gaps”, “issues”, or “risks”.
Framework
Refers to the ZenGRC content that provides a structured representation of externally imposed authoritative sources and the specific requirements contained within them. Authoritative sources might come in the form of government-mandated rules and regulations (e.g. GDPR, CCPA, PCI) or industry-standard / best-practice frameworks that an organization has been compelled to adopt (e.g. NIST, ISO 27001, COSO, COBIT).
G
No Glossary terms
H
No Glossary terms
I
No Glossary terms
J
No Glossary terms
K
No Glossary terms
L
No Glossary terms
M
No Glossary terms
N
No Glossary terms
O
Organizational Administrator
Manages the list of users that are part of an organization. This user can create users, manage permissions for users, and delete users from the organization. This user can also set up integrations with authentication methods from which groups or users can be imported, and can configure the organization’s settings so that only users authenticated through Directory Services are allowed as users.
P
Planning
Planning is the establishment of the first audit: describing its objectives, setting the dates that will be used for reporting and calculations, and assigning the control assessors associated with that audit. Users can confirm all of the elements of scoping and planning and then start the execution process.
Programs
Programs in ZenGRC are uniquely defined by the organization using the platform. Programs serve as an overarching container for the specific functionality, content, and user-generated data that helps achieve the program’s mandate.
Program Manager
Manages a GRC program by determining which framework content it includes, determining which users play which roles in it, and managing the various projects and activities being performed within the context of that program.
Q
No Glossary terms
R
Record
A Record is an “instance” of a Record Type. For example, “2021 Q1 PCI Audit” and “2021 Q3 SOC 2 Audit” are both records of record type “Audit”; “2021 Policy on Acceptable Use” and “2021 Policy on Travel and Expense Reimbursements” are both records of record type “Policy”; and “ISO 27001” and “PCI DSS” are both records of record type “Framework”.
Record Types
The System of Record (SoR) is organized by Record Types like “Frameworks”, “Controls”, “Risks”, “Products”, and “Vendors”. Each Record Type in the SoR can have its own unique attribute forms, workflows, list views, etc. A Record Type serves as the principal definition of the distinct items that are captured in the SoR.
Requirements
Refers to the statements that an organization must meet as dictated by a Framework. Requirements are typically met by ensuring that the organization has effective “controls” in place to achieve them. It is common for organizations to have multiple requirements they need to adhere to, and one control may support meeting multiple requirements. In the security and compliance industry, several names are used in place of requirements, such as Regulation, Standard, and Statement.
Risk Register
Risk Register refers to a collection of risks. It may refer to a collection of Enterprise Risks or to a collection of Findings. Risk Registers might also be further sub-divided by org units, risk categories, etc. (e.g. an “HR Risk Register” vs. an “IT Risk Register”). Organizations typically populate and maintain their own risk registers, but ZenGRC also provides sample risk registers that organizations can use to seed their own.
S
Seed Risk Register
Seed risk registers provide sample risks that organizations may use to seed their own internal risk registers. Organizations may use the seed risk registers to help bolster a less mature risk management program to get up and running quickly and start thinking about some of the more commonly managed risks.
Scoping
The primary way of identifying the frameworks, requirements, and controls needed in a compliance program; scoping also provides governance for other teams to build on. For example, using NIST’s Contingency Planning control family (CP), which covers resilience and continuity, ZenGRC users can drill into that content to better understand the gaps related to their resilience and continuity goals.
T
Treatment
Refers to user activities within ZenGRC that ensure every observation identified during compliance activities is associated with a Treatment Plan for each detailed Finding. This makes it easier to monitor the closure of findings from an Audit.
Treatment Plan
A general term for treating a risk, where specific treatment strategies might include remediation (i.e. adding new controls or improving existing ones), avoidance (i.e. ceasing whatever activity gives rise to the risk), transference (e.g. insuring the risk), or granting a temporary exception.
U
No Glossary terms
V
No Glossary terms
W
No Glossary terms
X
No Glossary terms
Y
No Glossary terms
Z
ZenComply
ZenComply is the first Application in ZenGRC’s Next-Gen Cybersecurity Platform. It enables organizations to adhere to specific regulatory requirements through collecting information on controls. This helps organizations justify their security posture as it relates to the domains of a framework.
ZenGRC Platform
All of the common components and functionality that enable the deployment of Reciprocity’s ZenGRC application, ZenComply.
© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com