IBM OpenPages GRC Platform Version 7.0.0: IT Governance ...

by user

on 15 сентября 2016

Category: Documents

>> Downloads: 1

views

Report

Comments

Description

Download IBM OpenPages GRC Platform Version 7.0.0: IT Governance ...

Transcript

IBM OpenPages GRC Platform Version 7.0.0: IT Governance ...

IBM OpenPages GRC Platform
Version 7.0.0
IT Governance Module Overview
򔻐򗗠򙳰
Note
Before using this information and the product it supports, read the information in “Notices” on page 37.
Product Information
This document applies to IBM OpenPages GRC Platform Version 7.0.0 and may also apply to subsequent releases.
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Module Description . .
Object Type Licensing .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 1
. 1
Chapter 2. Object Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Object Types Enabled by Default
Object Types Disabled by Default
Subcomponents . . . . . .
.
.
.
.
.
.
Chapter 3. Computed Fields
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 3
. 7
. 8
. . . . . . . . . . . . . . . . . . . . . . . . . . 11
Chapter 4. Helpers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 5. Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Issue and Action Bulletin notification .
KPI Reminder notification . . . .
KPI Breach notification . . . . .
KRI Reminder notification . . . .
KRI Breach notification . . . . .
Chapter 6. Reports
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
15
16
16
16
17
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
ITG-Specific Reports . . . . . .
Reports Shared with Other Modules .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
. 19
. 20
Chapter 7. Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
ITG-Specific Triggers . . . . . . . . .
Triggers Shared with Other Modules . . . .
Issue Management and Remediation trigger
KRI Lifecycle trigger . . . . . . . .
KPI Lifecycle trigger . . . . . . . .
Risk and Control Self-assessments triggers .
Visualization triggers . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
23
23
23
24
25
25
30
Chapter 8. Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
OpenPages ITG 7.0.0 Master Profile
Home Page Filtered Lists . . . .
Activity Views . . . . . . .
Grid Views . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
31
31
32
33
Chapter 9. Role Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
iii
iv
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Document Release and Update Information
This topic lists information about this document and where updates to this
document can be found.
Document Release Information
Software Version: 7.0.0
Document Published: December, 2013
Document Updates
Supplemental documentation is available on the web. Go to the IBM® OpenPages®
GRC Platform Information Center (http://pic.dhe.ibm.com/infocenter/op/
v7r0m0/index.jsp).
v
vi
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 1. Introduction
Use this guide with the IBM OpenPages IT Governance module.
Finding information
To find IBM OpenPages GRC Platform product documentation on the web,
including all translated documentation, access the IBM OpenPages GRC Platform
Information Center (http://pic.dhe.ibm.com/infocenter/op/v7r0m0/index.jsp).
Release Notes are published directly to the Information Center, and include links
to the latest technotes and APARs.
Accessibility features
Accessibility features help users who have a physical disability, such as restricted
mobility or limited vision, to use information technology products.
IBM HTML documentation has accessibility features. PDF documents are
supplemental and, as such, include no added accessibility features.
Module Description
IBM OpenPages IT Governance (ITG) is an enterprise IT Governance solution that
aligns IT services, risks and policies with corporate business initiatives, strategy,
and operational standards.
IBM OpenPages IT Governance allows you to manage internal IT control and risk
according to the business processes they support. In addition, IBM OpenPages IT
Governance unites multiple silos of IT risk and compliance to deliver improved
visibility, better decision support, and ultimately enhanced corporate performance.
Key features include:
v
v
v
v
v
v
v
IT Regulatory and Policy Compliance
Risk and Control Assessments
Control Testing and Issue Remediation
IT Resource Management
Incident Tracking
Key Performance and Key Risk Indicators
Reporting, monitoring and analytics
Object Type Licensing
For the IBM OpenPages IT Governance module, you are licensed to use the object
types listed in Chapter 2, “Object Types,” on page 3. Use of any other object types
is prohibited without prior written approval from IBM.
1
2
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 2. Object Types
The IBM OpenPages IT Governance module includes object types that are enabled
or disabled by default, and subcomponents.
Object Types Enabled by Default
The following object types are available in the default IBM OpenPages IT
Governance configuration and are enabled by default.
Table 1. Object types enabled by default
Object Type
Label
Business Entity
Description
Business entities are abstract representations of your business structure.
A business entity can contain sub-entities (such as departments,
business units, or geographic locations). The entity structure that you
create depends on your business needs. For example, you could create
a parent entity for your business headquarters then a sub-entity for
each location or department. You may also want to represent both a
legal entity structure and a business entity structure.
Business entities are also used to organize library data such as risk and
control libraries, or regulatory content (for example, laws, regulations,
and standards).
When setting up your business entity hierarchy, you should work with
your OpenPages consultant as the structure of your business entities
will greatly impact the type and quality of the information that can be
extracted from the application.
Process
Processes represent the major end-to-end business activities within a
business entity that are subject to risk. The processes will typically
reside in areas such as financial reporting, compliance, information
security, and so forth.
Sub-Process
A sub-process is a component of a Process. It is used to decompose
processes into smaller granularity units for assessment purposes.
Risk
Risks are potential liabilities. Risks can be associated with, for example,
business processes, business entities, or compliance with a particular
mandate. Each risk has one or more controls associated with it that
provide safeguards against the risk and help mitigate any
consequences that may result from the risk. You can use the Risk object
to categorize risks; capture the frequency, rating, and severity of
inherent and residual risk data; and view reports that help identify
your top risk items.
Control
Controls are typically policies and procedures (procedures are actions
that implement the policies), to help ensure that risk mitigation
responses are carried out.
Once you have identified the risks in your practices, you need to
establish controls (such as approvals, authorizations, verifications, and
so forth) that remove, limit, or transfer these potential risks.
Controls should be designed to provide either prevention or detection
of risks. Controls are usually associated with tests that ensure a control
is effective.
3
Table 1. Object types enabled by default (continued)
Object Type
Label
Description
Test Plan
You can determine the operating effectiveness of a control by
conducting one or more detailed tests of a control and then
documenting the results. Test Plans are descriptions of the mechanisms
used to determine whether or not a control is effective.
Test Result
A test result is the information obtained from running a test plan.
Risk Assessment
Risk assessments give you the ability to evaluate and report on
potential liabilities for a set of business entities or processes. You can
use the Risk Assessment object – which contains the names of the
assessor and reviewer, the time frames for the assessment, and the
status of the assessment – to manage your risk self-assessment process.
KPI, KPI Value
KPIs are components of the risk monitoring process and are used to
provide leading or lagging indicators for potential risk conditions. Each
instance of a KPI within the organization can have unique target and
threshold limits.
KRI, KRI Value
KRIs are components of the risk monitoring process and are used to
provide leading or lagging indicators for potential risk conditions. Each
instance of a KRI within the organization can have unique target and
threshold limits.
Control Plan
Object name is RiskEntity; label is Control Plan. Control Plan is a self
contained object type; this means that folders are created for each
Control Plan. Used to group multiple Baselines to represent elements
in your operating environment that can be assessed for risk.
Baseline
Object name is RiskSubEntity; label is Baseline. Baseline is a self
contained object type; this means that folders are created for each
Baseline. Baselines in the Library are representative of types of
elements of the IT Operating Environment. They are linked to
Requirements in the Library to indicate what must be complied with
for that type of element.
When a Baseline is copied from the library to the business hierarchy
(using a helper which is part of IBM OpenPages IT Governance) it
copies the Baseline, creates an association back to the Requirement in
the library, creates the descendent Risk, Control and Test and
pre-populates the Risk/Control/Test as appropriate with data from the
Requirement. A Baseline can represent the assessment of element(s) of
the IT Operating Environment, instead of or in addition to representing
the actual element. Process, Resource, etc. can represent the actual
elements.
Resource
4
CobiT suggests that there are four types of IT assets, while
practitioners often include additional types as well. The Resource
object is sub-typed using dependent fields to represent any of these
types of IT assets. Resources are typically created as a pool associated
to the owning or responsible IT Business Entity, then associated to the
relevant operating elements (Baselines, Processes, etc.) in the IT
Operating Environment, and potentially associated to relevant Business
Entities for the Business as well. Although Resources can represent
individual IT Assets (e.g. a particular Windows 2003 server) they will
more often represent a group of assets (e.g. a pool of Windows 2003
Application Servers used for a particular application).
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 1. Object types enabled by default (continued)
Object Type
Label
Description
Resource Link
CobiT suggests that IT assets have complicated relationships. They
indicate that assets of type People, Process, Infrastructure and
Information can each be parents and can each be children of each
other. In addition, Resources of the same type often need to be related
to each other. A Resource Link can be used to link Resources in a
many-to-many fashion, but the practice (supported by the User
Interface helper) is to link exactly two Resources. Note that if the
names or attributes of either of the parent resources are changed, the
Resource Link name and attributes will be “out of sync” with its
parent Resources.
Incident
Incidents are used to capture, track and manage events that occur in
the organization and IT Operating Environment. Incidents are typically
stored under the Business Entity or IT Resource where the event
occurred and associated secondarily to an impacted Mandate or Policy.
They may be created by hand, or via integration with other systems
(i.e. IT monitoring system.) and are commonly of type Regulatory
Compliance, Legal Compliance, Information Security, or IT. Incidents
can be a child of Business Entity, Mandate, Sub-Mandate, Requirement,
Policy, Risk, Resource and Risk Sub-Entity. If ORM is also installed,
Incident is also the parent of Loss Event.
Waiver
Waivers give you the ability to document, process and manage the
lifecycle of exceptions to Corporate Policies, InfoSec Policies, IT Policies
or Regulatory Compliance Requirements. Waivers can be associated to
Business Entities, Policies, Procedures, Requirements, Risks, Controls,
Baselines and Resources.
Mandate
Mandates represent external items with which organizations need to
comply, such as laws, regulations, and standards. Out of the box the
configuration directly supports content provided by Deloitte and UCF,
and can be adapted to support content from other vendors. Typically,
Mandates are represented in a Library Business Entity structure, and
are not replicated throughout the system.
Sub-Mandate
Sub-Mandates represent external (or internal) sub-items with which the
organization needs to comply. Out of the box the configuration directly
supports content provided by Deloitte and UCF, and the configuration
can be adapted to support content from other vendors. Typically,
Sub-Mandates are represented in a Library Business Entity structure,
and are not replicated throughout the system. Sub-Mandate is
recursive, but Deloitte and UCF content use exactly one level of
Sub-Mandate.
Requirement
Requirements represent the normalized “things you need to
accomplish” in order to comply with all of their associated
Sub-Mandates. Requirements accomplish two primary purposes: They
translate the often difficult and wordy legalese of Mandates/SubMandates into plain English, and they leverage the commonality across
multiple Sub-Mandates. For example, there may be many
Sub-Mandates across numerous Mandates which are all telling you to
have strong passwords. A single Requirement can document the details
of the strong password needs. By complying with this single
Requirement, IT can satisfy many Mandates/Sub-Mandates.
Out of the box the configuration directly supports content provided by
Deloitte and UCF, and can be adapted to support content from other
vendors. Typically, Requirements are represented in a Library Business
Entity structure, and are not replicated throughout the system.
Chapter 2. Object Types
5
Table 1. Object types enabled by default (continued)
Object Type
Label
Policy
Description
Policies represent internal guidelines generally adopted by the Board of
Directors or senior governance body within an organization. The text
of a Policy can either be stored in standardized fields on the object or
as an attachment to the object. Policies typically have a distinct
lifecycle from Draft to Published to Expired, as well as a review and
approval process. Draft policies typically reside in the Organizational
Business Hierarchy, while Published and Expired Policies typically
reside in reference Library entities. Policies are also often mapped to
applicable Mandates in the Library to which they relate.
Preference Group, The Preference Group object is used for grouping Preference object
Preference
instances together. Without this grouping object, each Preference object
instance would need to be associated separately to each of the relevant
Business Entities. The group object helps to minimize the associated
maintenance.
The Preference object is a child of Business Entity, and is used for
holding variable values that can drive reports, workflows and
computed fields (it has entity-specific variable values which enable
different behavior for the same workflows). For example, to determine
the behavior for review and approval workflows (e.g. who the
appropriate users are for each level of review and approval, and what
the thresholds are for determining how many levels of review and
approval are required).
Procedure
Procedures represent the 'what', 'where', 'when', and ‘how' of how
policies are implemented in an organization. The text of Procedures is
typically stored in the fields on the object. Typically, Procedures are
represented as children of a Policy and reside in the same entity
structure as its parent Policy.
Signature
A signature generally indicates agreement that the object meets your
approval. It has no enforcement powers, and does not prevent the item
from being modified after approval has been given. An object with a
signature has a signature icon next to the signer's name on the
Signatures tab.
Depending on your system configuration, signatures (with or without
associated locks) can be applied to an object in the following ways:
v Manually from the detail page of an object.
v Automatically through a workflow task.
v Some combination of both automatic and manual.
If signature locks are configured on your system, when you sign off on
an object, the object and all its associated child objects are locked and
cannot be modified until you either revoke your signature or an
administrator unlocks the object.
Issue, Action Item Although issues typically result from areas where internal controls are
not properly implemented or designed, you can use the Issue object to
document a concern associated with any object type.
An issue is resolved through one or more Action Items. You can use an
Action Item object or a series of related Action Item objects to form an
action plan. Each Action Item can be assigned to a user for resolution,
and progress can be tracked from the detail page of the parent Issue.
Once all Action Items for an Issue are complete (an assignee sets the
value to 100%), you can close the Issue.
6
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 1. Object types enabled by default (continued)
Object Type
Label
Description
File
The File object type is used to embed a reference to a file (such as a
document, flow chart or spreadsheet) in the OpenPages system, and
associate it to one or more relevant objects.
Link
The Link object type is used to embed a reference to a URL in the
OpenPages system, and associate it to one or more relevant objects.
Process Diagram
A Process Diagram is a child object of the Process and can have many
diagrams per process. It is used to store the sequence of sub-processes
or activities within a process with associated Risks and Controls along
with any annotations such as decision nodes. All attributes of the
Business Process visualization are stored in the Process Diagram object.
Data Input, Data
Output
The Data Input Object and Data Output Object are child objects of the
Process and can have associations only to existing Risks. They
represent elements of a flow to depict an Input into the Business Flow
or an Output from various activities within a process, such as running
a report or updating a CRM system or getting an external data source
feed.
Object Types Disabled by Default
The following object types are available in the default IBM OpenPages IT
Governance configuration and are disabled by default.
Table 2. Object types disabled by default
Object Type Label
Description
Questionnaire,
Section, Question
Questionnaire, Section and Question are three objects that are used
together to implement questionnaires.
Control Objective
A Control Objective is an assessment object that helps define the risk
categories for a Process or Sub-Process. For each Process or
Sub-Process, an organization sets the Control Objectives.
Control Objectives define the COSO compliance categories that the
Controls associated with the Risks are intended to mitigate. For
example, Control Objectives can be classified into one or more
categories such as Compliance, Financial Reporting, Strategic,
Operations, or Unknown.
Once a Control Objective is identified, the Risks belonging to that
Control Objective can then be identified and defined. In most cases,
each Control Objective will have one Risk associated with it.
However, Control Objectives can have more than one Risk
associated with them, so they are separated into their own object
type.
Chapter 2. Object Types
7
Table 2. Object types disabled by default (continued)
Object Type Label
Description
Milestone, Milestone A Milestone represents a significant point in the development of
Action Item
your project. You can tie Milestones to specific dates, or use them to
signify the completion of a portion of the entire project. Milestones
can contain other Milestones or Milestone Action Items. You cannot
associate a Milestone with other objects in the object hierarchy.
A Milestone Action Item is a specific objective that must be
completed in order to reach a Milestone. In general, all Milestone
Action Items associated with a Milestone must be completed in
order to reach a Milestone. When you are assigned a Milestone
Action Item object, it is displayed (if configured) in the My
Milestone Action Items section of your My Work tab.
Risk Eval
Risk Evaluation objects are children of Risk objects and they are
used to capture risk measurement values for trending purposes.
Often reporting periods do not line up with risk evaluation cycles
and so Risk Eval objects can be used to capture multiple evaluation
cycles within a single reporting period.
Control Eval
Control Evaluation objects are similar to Risk Evaluation objects
except that they are instantiated as children of Controls. They store
control assessment data.
Risk Assessment
Eval
Risk Assessment Evaluation objects are similar to Risk Evaluation
objects except that they are instantiated as children of Risk
Assessments. They store risk assessment data.
Process Eval
Process Evaluation objects are children of Process objects and they
are used to capture process measurement values for trending
purposes.
When the reporting periods do not align with the evaluation cycles,
you can use Process Eval objects to capture multiple evaluation
cycles within a single reporting period.
Subcomponents
IBM OpenPages GRC Platform modules consist of several subcomponents, which
are groups of object types that support a logical function within a module. The
following tables list the subcomponents for the IBM OpenPages IT Governance
module.
Table 3. Subcomponents shared with other modules
8
Subcomponent
Object Types
Organization
Business Entity
Preference
Preference Group, Preference
Risk Assessment
Risk Assessment, Risk Assessment Eval
Process
Process, Process Eval, Sub-Process, Control Objective
Risk
Risk, Risk Eval
Control
Control, Control Eval
Test
Test Plan, Test Result
Issue
Issue, Action Item
Questionnaire
Questionnaire, Section, Question
Milestone
Milestone, Milestone Action Item
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 3. Subcomponents shared with other modules (continued)
Subcomponent
Object Types
KRI
KRI, KRI Value
KPI
KPI, KPI Value
Incident
Incident
Waiver
Waiver
Regulatory Library
Mandate, Sub-Mandate, Requirement
Visualization
Process Diagram, Data Input, Data Output
Table 4. ITG-specific subcomponents
Subcomponent
Object Types
ITG Policy
Policy, Procedure
Control Plan
Control Plan, Baseline
Resource
Resource, Resource Link
In addition to the subcomponents listed in the tables, the following object types are
included in each module and can be accessed by any authorized user:
v Signature
v File
v Link
Chapter 2. Object Types
9
10
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 3. Computed Fields
By default, the IBM OpenPages IT Governance module includes the following
computed fields.
Table 5. Computed fields
Object Type
Label
Field Group
Name
Field Name
Label
Control Plan
OPSS-RiskEnt
Baselines
Creates a link to launch the Get
Baselines helper.
Resource
OPSS-Res
Resource Links
Creates a link to launch the Add a
Resource Link helper.
Description of Computation
11
12
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 4. Helpers
IBM OpenPages IT Governance includes the following helpers by default: Get
Baselines, and Create Resource Links.
Refer to IBM OpenPages GRC Platform ITG Module Details for more information on
these helpers.
Get Baselines Helper
Invoked via a computed field link on Control Plan, the helper copies the selected
Baseline from the Library to the IT Operating Environment, and copies, or creates
and pre-populates, descendent Risks, Controls and Test Plans. The helper creates
associations from the new elements back to the Library elements and writes status
information to the Additional Description field on the created Baseline.
Create Resource Links Helper
Invoked via a computed field link on Resource, the helper creates a Resource Link
as a child of the “starting” Resource, and as a child of the selected Resource. The
helper pre-populates fields on the created Resource Link object.
13
14
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 5. Notifications
Notifications are email notifications sent to owners of a process as a reminder to
act. These notifications can occur at different stages of a process or as a final step
in a trigger.
All notifications that are sent from IBM OpenPages ITG use the following sender
address. Configure the email address and server settings:
v /OpenPages/Solutions/ORM/Email/From Email - the sender address that is used to
send notifications
v /OpenPages/Solutions/ORM/Email/From Name - configure this item to identify the
email sender name that is used by notifications
v /OpenPages/Common/Email/Mail Server - configure this item to identify the email
server that is used to send notifications
Notifications are part of the KRI lifecycle, the KPI lifecycle, and the Issue
Management and Remediation process.
Issue and Action Bulletin notification
During the closedown phase of the Issue Management and Remediation (IMR)
process, an Issue and Action Bulletin is sent as an email notification to the users.
The bulletin highlights important areas such as overdue issues and Actions that are
due for closure. The administrator can set the frequency of this notification by
using the Issue Management and Remediation (IMR) bulletin.
When the Issue is defined, its status is Open and the user must enter a value in
the Current due date field. The due date is copied to a read-only field that
contains the original due date. When the user creates an Issue, the Issue Owner
(who might not be the same person who created the Issue) receives an email
notification.
The Issue Owner must record the appropriate actions to resolve an identified Issue.
The following data is captured in an Action Item:
v Description
v Assignee
v Start Date
v Due Date
v Actual Closure date
v Status (Read Only)
v A comment field to record the latest updates
The Issue Owner receives an email that summarizes the Actions that must be
approved for closure. The owner can either Accept Closure or Reject Closure.
When Actions are completed, the Issue Owner must review the Issue and update
the status to Closed. If any child actions are Open or Awaiting Approval, the
Issue Owner cannot close the issue.
Users receive email notifications through the consolidated Issue and Action
bulletins. The bulletin consolidates the following information in an email:
15
v
v
v
v
v
Issues Assigned to the recipient in the past number days
Actions Assigned to recipient in the past number days
Issues due for Closure in the next number days
Actions due for Closure in the next number days
Overdue Issues
v Overdue Actions
v Actions awaiting closure approval
KPI Reminder notification
The KPI Reminder notification is an email sent to the KPI owner that contains a
list of all KPI Values that the owner or recipient is required to capture in the next
seven days.
After the Risk Owner defines the Key Performance Indicator (KPI), the IBM
OpenPages system determines whether it must generate a KPI Value object as a
child object of the KPI. If the KPI is set as Active, the KPI helper generates the
values. If the KPI is set as Inactive, a batch utility sets up the KPI Value object as a
placeholder with a status of Awaiting collection.
The administrator can run the KPI Value utility when necessary, for example, when
the automatically scheduled job fails to run. The utility creates the KPI Values with
details, such as ID, Description, Expected Capture date, KPI Capturer, and KPI
Owner.
A notification that requests the KPI Capturer enters a KPI value is presented in one
of the following ways:
v Weekly email notifications, which instruct the user to log in to IBM OpenPages.
v Based on the status of the KPI Value (Awaiting Collection) and the KPI Capturer
(logged-in user), the KPI Value is shown on the user's home page.
The email notification that is sent to the KPI owner contains a list of KRIs that
have the following characteristics:
v An expected collection date that is less than (TODAY + 7)
v A KPI status that is set to Awaiting Collection.
KPI Breach notification
The KPI Breach notification sends an email to the Risk Owner when a KPI breach
status changes from Green to Red or from Amber to Red.
The KPI Breach notification is started by the KPI Lifecycle trigger. The email
notification contains a link to the KPI that is in breach and advises the Risk Owner
to review the breach and take appropriate actions.
KRI Reminder notification
The KRI Reminder notification is an email sent to the KRI owner that contains a
list of all KRI Values that the owner or recipient is required to capture in the next
seven days.
After the Risk Owner defines the Key Risk Indicator (KRI), the IBM OpenPages
system determines whether it must generate a KRI Value object as a child of the
16
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
KRI. If the KRI is set as Active, the KRI helper generates the values. If the KRI is
set as Inactive, a batch utility sets up the KRI Value object as a placeholder with a
status of Awaiting collection.
The administrator can run the KRI Value utility when necessary, for example, when
the automatically scheduled job fails to run. The utility creates the KRI Values with
details, such as ID, Description, Expected Capture date, KRI Capturer, and KRI
Owner.
A notification that requests the KRI Capturer enters a KRI value is presented in
one of the following ways:
v Weekly email notifications, which instruct the user to log in to IBM OpenPages.
v Based on the status of the KRI Value (Awaiting Collection) and the KRI Capturer
(logged-in user), the KRI Value is shown on the user's home page.
The email notification that is sent to the KRI owner contains a list of KRIs that
have the following characteristics:
v An expected collection date that is less than (TODAY + 7)
v A KRI status that is set to Awaiting Collection.
KRI Breach notification
The KRI Breach notification sends an email to the Risk Owner when a KRI breach
status changes from Green to Red or from Amber to Red.
The KRI Breach notification is started by the KRI Lifecycle trigger. The email
notification contains a link to the KRI that is in breach and advises the Risk Owner
to review the breach and take appropriate actions.
Chapter 5. Notifications
17
18
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 6. Reports
The IBM OpenPages IT Governance module includes a set of default reports.
IBM OpenPages GRC Platform Modules Report Details provides additional details on
the reports described here.
For a description of additional reports installed with the OpenPages Platform and
available to all modules, see the IBM OpenPages GRC Platform Administrator's Guide.
ITG-Specific Reports
Descriptions are provided for reports that are available only from the IBM
OpenPages IT Governance module.
Table 6. IT asset reports
Name
Drill-Through
Description
Baseline
Shows key attributes of the selected Baseline,
along with associated Requirements, and
recommended Control Activities and Test
Procedures.
Control Plan
Shows key attributes of the selected Control
Plan, along with associated Baselines, their
Requirements, and recommended and
implemented Control Activities and Test
Procedures.
Table 7. IT compliance reports
Name
Drill-Through
Description
IT Control
Effectiveness by
Mandate
IT Control Effectiveness
by Sub-Mandate
For a selected Business Entity, the report
shows associated Mandates with the % of
Effective Controls associated to Control Plans.
The report has the ability to drill-through to a
sub-report for detail information.
Looks at IT Operating Environment Controls
that are shared between Mandates and
Baselines in the IT Operating Environment.
Provides a view of Control Operating
Effectiveness by Mandate. One subreport
drills down for the selected Mandate to show
Control Operating Effectiveness by
Sub-Mandate. The other subreport drills
down for the selected Mandate to show Test
Results grouped by Resource
(type=Application). This provides a view of
how compliant each application is. This
report is always run from the IT Operating
Environment (it filters out the Library
Business Entity).
19
Table 7. IT compliance reports (continued)
Name
Drill-Through
Requirements
Library
Description
For the selected Requirements, this report
shows all applicable laws and regulations.
Report is a look “up” the hierarchy from the
Requirements that fit the prompt scoping, to
the Sub-Mandates and Mandates that each of
those Requirements satisfy. So this shows you
that meeting this one Requirement satisfies
many Laws. Report has one page per
Requirement and associated Mandates. This
report is run from the Library.
UCF
Requirements
Library
For the selected UCF Harmonized Control(s),
this report shows all applicable Authority
Documents.
Reports Shared with Other Modules
The IBM OpenPages IT Governance module contains a number of reports that are
shared with other IBM OpenPages GRC Platform modules.
Table 8. Risk assessment reports
Name
Drill-Through
Description
Risk Assessment
List
Shows Risk Assessment details for a specified
Business Entity and all of its descendents.
Risk Assessment Risk Assessment Status
Status
Detail
Displays a stacked column chart showing the
status of Risk Assessments for the specified
Business Entity and its direct descendents.
Risk Assessment Risk Assessment Issues
Summary
and Action Items
Displays Risk Assessment details along with
all associated Risks and Controls. A drill
through report displays Issues and Action
Items that are related to the Risk Assessments,
Risks, or Controls.
Table 9. Risk reports
Name
Drill-Through
Risk Analysis
20
Description
Shows Risks grouped by Process for a
specified Business Entity.
Risk Heat Map
Risk Detail
Displays a table that aggregates Risks by
Residual Impact and Likelihood for a
specified Business Entity.
Risk Rating by
Entity
Risk Rating by Entity
Detail
Displays Residual Risk Rating summary
information for the selected Business Entity
and its descendents, with the ability to
drill-through to risk details.
Risk Rating by
Category
Risk Rating by Category
Detail
Displays Risk Category and Residual Risk
Rating summary information for the selected
Business Entity, with the ability to
drill-through to Risk details.
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 9. Risk reports (continued)
Name
Drill-Through
Description
Top Risks
Summary of the top Risks ranked by Residual
Risk Exposure, and also shows the Inherent
Risk Exposure. By default, Risk quantitative
assessment fields are not included in FCM, so
this report may not be appropriate for FCM
users.
Table 10. Control reports
Name
Drill-Through
Description
Risk and
Control Matrix
Control
Effectiveness
Map
Shows Risk and Control data for specified
Business Entity and Process(es).
Control Effectiveness
Detail
Control map shows counts of Controls
grouped by Process(es) and Operating
Effectiveness, with the ability to drill-through
to a sub-report for detail information.
Table 11. Testing reports
Name
Drill-Through
Description
Testing
Dashboard
Testing Details
Displays summary Test Result information
for the selected Business Entity, with the
ability to drill-through to detail and trend
information.
Table 12. Indicator reports
Name
Drill-Through
Description
KRI Dashboard
KRI Details
Displays summary KRI information for the
selected Business Entity and its descendents,
with the ability to drill-through to detail and
trend information.
KPI Dashboard
KPI Details
Displays summary KPI information for the
selected Business Entity and its descendents,
with the ability to drill-through to detail and
trend information.
Table 13. Visualization reports
Name
Description
Process Analysis
Displays Risk and Controls in the context of a process
diagram. Provides an aggregated view of Risk and
Controls with risk rating and control effectiveness at the
Process and Business Entity level.
Chapter 6. Reports
21
22
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 7. Triggers
The IBM OpenPages IT Governance module contains several available triggers.
IBM OpenPages GRC Platform Modules Trigger Details provides additional details on
the triggers described here.
Triggers must be disabled before loading XML instance data via Object Manager to
any object types which are configured to have triggers by default.
Object types that are configured for IBM OpenPages IT Governance to have
triggers by default include:
v Risk
v KRI Value
v
v
v
v
v
KPI Value
Action Item
Issue
Data Input
Data Output
Object types that are configured for other Modules to have triggers by default
include:
v Audit
v Audit Section
v
v
v
v
v
Workpaper
Plan
Timesheet
Finding
Audit Review Comment
v
v
v
v
v
Loss Impact
Loss Recovery
Loss Event
File (SOXDocument)
Policy
ITG-Specific Triggers
The IBM OpenPages IT Governance module does not include any ITG-specific
triggers.
Triggers Shared with Other Modules
Several triggers are shared with other IBM OpenPages GRC Platform modules.
Issue Management and Remediation trigger
In an Issue Management and Remediation (IMR) framework, you can effectively
document, monitor, remediate, and audit identified Issues.
23
Issues are items that are identified against the documented framework and are
deemed to negatively affect the ability to accurately manage and report risk. In its
lifecycle, an issue can have only one of two states: Open or Closed.
To resolve the identified Issue, the Issue Owner establishes and records the
appropriate actions. When the Action is complete, the Assignee sets the Submit for
Closure field to Yes. When this field is saved, a trigger is started and completes
the following actions:
v Copies the value in the Issue Owner field from the parent Issue to the Action
v Sets the Action field to Awaiting Approval
The Issue owner reviews the Action and can specify to either Accept Closure or
Reject Closure. If the Action is saved with Reject Closure, the status reverts to
Open and the Action returns to the Action Assignee.
Several triggers are used to automate the Issue management process.
Issue Lifecycle trigger
The Issue Lifecycle trigger sets the Original Due date on the first instance of Save
of Issue and checks for any Open Actions when the Issue is saved with a status of
Closed.
When an Issue object type is created or updated, and the status of the Issue object
type is set to Closed, the trigger completes the following actions:
v The trigger checks all direct child Actions and determines whether they are all
closed. If any Actions have a status of Open or Awaiting Approval, the trigger
generates an error message. If all Actions are closed, the trigger saves the
changes.
Note: As an administrator, you can configure the error message under the
Administrator > Settings menu.
v If the Original Due date field on the Issue is blank, the trigger populates the
Original Due date with the Current Due date value.
KRI Lifecycle trigger
The KRI Lifecycle trigger calculates and persists field values on the KRI and KRI
Value object types. The trigger occurs only if the Collection status of the KRI value
is set to Collected.
When a KRI Value object is updated, associated, or disassociated, the trigger
completes the following steps:
1. Determines whether KRI is set for approval.
v If the status is Yes, the trigger updates the status to Awaiting Approval and
proceeds with steps 2, 3, 4, and 6.
v If the status is No, the trigger updates the status from Awaiting Collection
to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KRI to the child KRI Value.
3. Evaluates the Breach status.
4. Copies the KRI Value, Value Date, Collection, and Breach status to the parent
KRI.
5. If the status of the KRI Breach field changed from Green or Amber to Red, the
trigger sends an email notification to the Risk Owner to inform the owner of
the breach.
24
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
6. If the status is set to Awaiting Approval, the KRI Value is displayed on the
home page of the KRI Owner. The KRI Owner can approve or reject the value:
v If the KRI Owner saves the record with a Reject status, the KRI Value and
Value Date are changed to a blank and the KRI Value status is set to
Awaiting Collection.
v If the KRI Owner saves the record with an Approved status, the Collection
status changes to Collected on the Value field and on the KRI.
Note: When the KRI Owner defines the KRI, the owner can specify the details
regarding the Approval of the KRI.
KPI Lifecycle trigger
The KPI Lifecycle trigger calculates and persists field values on the KPI and KPI
Value object types. The trigger occurs when if the KPI Value changed from a blank
state to a value and the status of Value Date is Completed.
When a KPI Value object is updated, associated, or disassociated, the trigger
completes the following actions:
1. Determines whether KPI is set for approval.
v If the status is Yes, the trigger updates the status to Awaiting Approval and
proceeds with steps 2, 3, 4, and 6.
v If the status is No, the trigger updates the status from Awaiting Collection
to Collected and proceeds with steps 2, 3, 4, and 5.
2. Copies the current threshold information from the KPI to the child KPI Value.
3. Evaluates the Breach status.
4. Copies the KPI Value, Value Date, Collection, and Breach status to the parent
KPI.
5. If the status of the KPI Breach field changed from Green or Amber to Red, the
trigger sends an email notification to the Risk Owner to inform the owner of
the breach.
6. If the status is set to Awaiting Approval, the KPI Value is displayed on the
home page of the KPI Owner. The KPI Owner can approve or reject the value.
v If the KPI Owner saves the record with a Reject status, the KPI Value and
Value Date are changed to a blank and the KPI Value status is set to
Awaiting Collection.
v If the KPI Owner saves the record with an Approved status, the Collection
status changes to Collected on the Value field and on the KPI.
Note: When the KPI Owner defines the KPI, the owner can specify the details
of the Approval of the KPI.
Risk and Control Self-assessments triggers
The Risk Assessments process is used to identify, assess, and quantify a risk profile
of the business. Each Risk is assessed on either a Qualitative or Quantitative basis.
When a Risk is saved, the Qualitative risk rating trigger determines a Risk Rating
of Low, Medium, High, or Very High. The trigger also populates the hidden
Quantitative fields: Severity, Frequency, and Exposure.
When a Risk is saved, the Quantitative risk rating trigger completes the following
actions:
1. Computes the Exposure (Frequency x Severity)
Chapter 7. Triggers
25
2. Computes the Risk Rating as Low, Medium, High, or Very High
3. Derives the Impact value (1 - 10) based on a mapping table for each Business
Unit that is stored in its Preference record.
4. Derives the Likelihood value (1 - 10) based on a mapping table for each
Business Unit that is stored in its Preference record
RCSA Quantitative trigger
The Risk and Control Self-assessments (RCSA) Quantitative trigger sets the Risk
Rating and establishes impact, likelihood, and exposure for risks that are entered
by using the Quantitative method. The trigger occurs only if the values for the
Impact or Likelihood fields for Risk were modified.
Important: You must determine whether you want to assess risks by using a
quantitative or qualitative approach. If you chose qualitative, this trigger does not
apply. The option for quantitative or qualitative is set during the Application
installation of IBM OpenPages GRC Modules. For more information, see the IBM
OpenPages GRC Platform Modules Installation Guide.
When a Risk object is updated, associated, or disassociated, the trigger completes
the following actions:
v Obtains the parent Preference object.
The trigger attempts to find the Preference object associated with the business
entity. The trigger traverses up the parent Entity hierarchy until a Preference
object that is associated with a business entity is found. The preference object
contains the settings for required parameters as described in the Severity table.
v Determines the Impact fields of the Risk object.
The Impact is calculated by identifying the threshold range in which the Severity
Value falls. If any Severity value is null, the previous value is managed as the
MAX Severity.
Table 14. Impact value based on severity value
Severity value
Impact value
>= 0 and <= Severity 1
1
> Severity 1 and <= Severity 2
2
> Severity 2 and <= Severity 3
3
> Severity 3 and <= to Severity 4
4
> Severity 4 and <= Severity 5
5
> Severity 5 and <= Severity 6
6
> Severity 6 and <= Severity 7
7
> Severity 7 and<= Severity 8
8
> Severity 8 and <= Severity 9
9
> Severity 9
10
v Determines the Liklihood fields on the SOXRisk object.
The Likelihood is calculated by identifying the threshold range in which the
Frequency value falls. If any Frequency value is null, the previous value is
managed as the MAX frequency.
26
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 15. Likelihood value based on frequency value
Frequency value
Likelihood value
>= 0 and <= Frequency 1
1
> Frequency 1 and <= Frequency 2
2
> Frequency 2 and <= Frequency 3
3
> Frequency 3 and <= Frequency 4
4
> Frequency 4 and <= Frequency 5
5
> Frequency 5 and <= Frequency 6
6
> Frequency 6 and <= Frequency 7
7
> Frequency 7 and <= Frequency 8
8
> Frequency 8 and <= Frequency 9
9
> Frequency 9
10
v Calculates the Exposure as Severity multiplied by Frequency
v Where the Impact value is X and the Likelihood value is Y:
The XMAX value is the maximum value for impact. The YMAX value is the
maximum value for likelihood.
The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/
ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/
YMAX.
The XMAX and YMAX values are defined during installation. Do not change
these values. If these values are changed, the RCSA Qualitative and Quantitative
triggers might not correctly compute the risk rating.
The trigger computes the Risk Rating by using the following formula:
((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))
The rating value is 0 - 1 and expressed as a percentage.
Table 16. Risk ratings based on rating values
Rating value
Risk rating
0 - 25 %
LOW (green)
26-50 %
MEDIUM (yellow)
51-75 %
HIGH (orange)
76-100 %
VERY HIGH (red)
RCSA Qualitative trigger
The Risk and Control Self-assessments (RCSA) Qualitative trigger sets the Risk
Rating and establishes severity, frequency, and exposure for risks that are entered
by using the Qualitative method.
Important: You must determine whether you want to assess risks by using a
quantitative or qualitative approach. If you chose quantitative, this trigger does not
apply. The option for quantitative or qualitative is set during the Application
installation of IBM OpenPages GRC Modules. For more information, see the IBM
OpenPages GRC Platform Modules Installation Guide.
When a Risk object is updated, associated, or disassociated, the trigger completes
the following actions:
Chapter 7. Triggers
27
v Evaluates the Preference record for the entity, or its parent entity if no Preference
record exists.
The trigger attempts to find the Preference object associated with the business
entity. The trigger traverses up the parent Entity hierarchy until a Preference
object that is associated with a business entity is found. The preference object
contains the settings for required parameters as described in the Severity table.
v Evaluates the Severity fields of the Risk object.
The Severity is determined by the Impact Value mappings that are specified in
the Preference object.
Table 17. Severity based on impact values
Impact value
Severity
1
Severity 1
2
Severity 2
3
Severity 3
4
Severity 4
5
Severity 5
6
Severity 6
7
Severity 7
8
Severity 8
9
Severity 9
10
Severity 10
v Based on the Likelihood, evaluates the Frequency fields of the Risk object.
The Frequency is determined by the Likelihood Value mappings that are
specified in the Preference object.
Table 18. Frequency based on Likelihood values
Likelihood value
Frequency
1
Frequency 1
2
Frequency 2
3
Frequency 3
4
Frequency 4
5
Frequency 5
6
Frequency 6
7
Frequency 7
8
Frequency 8
9
Frequency 9
10
Frequency 10
v Calculates the Exposure as Severity multiplied by Frequency.
v Where the Impact value is X, Likelihood value is Y:
The XMAX value is the maximum value for impact. The YMAX value is the
maximum value for likelihood.
The XMAX and YMAX settings are available at /OpenPages/Application/GRCM/
ORM/Triggers/RCSA/XMAX and /OpenPages/Application/GRCM/ORM/Triggers/RCSA/
YMAX.
28
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
The XMAX and YMAX values are defined during installation. Do not change
these values. If these values are changed, the RCSA Qualitative and Quantitative
triggers might not correctly compute the risk rating.
The trigger computes the Risk Rating by using the following formula:
((X x X) + (Y x Y)) / ((Xmax x Xmax) + (Ymax x Ymax))
The rating value is 0 - 1 and expressed as a percentage.
Table 19. Risk ratings based on rating values
Rating value
Risk rating
0 - 25 %
LOW (green)
26-50 %
MEDIUM (yellow)
51-75 %
HIGH (orange)
76-100 %
VERY HIGH (red)
Risk Approval Submission trigger
The Risk Approval Submission trigger updates the Status field on Risk and
Controls so that the Process Owner can process the Approval.
When a Risk object is created or updated, and the Submit for Approval field value
is set to Yes, the trigger completes the following actions:
v Obtains all associated child Control objects and applies validation rules.
All child Control objects are assessed and the Status field is set to Awaiting
Assessment.
v Updates the Status field on the Risk object and all associated control objects
from Awaiting Assessment to Awaiting Approval.
v Obtains the parent Process object to obtain all Risk objects and checks whether
all risks for a Process are Awaiting Approval.
v Determines whether all risks for a Process are awaiting approval, and continues
based on the following status:
– If the status is Yes, the trigger ends its process.
– If the status is No, the trigger sets the Status of the parent Process object to
Awaiting Approval, and sends an email notification to the Process Owner.
RCSA Risk and Control Approval trigger
The RCSA Risk and Control Approval trigger allows the Process Owner to approve
or reject an assessment of a risk and its controls.
When a Risk object Approve/Reject field is set to Approve or Reject, the trigger
completes the following actions:
v If the Approve/Reject field is set to Reject, the trigger updates the Status field
value of the Risk and associated Controls to Awaiting Assessment, and sends an
email notification to the Risk Owner.
v If the Approve/Reject field is set to Approve, the trigger continues with the
following processes:
– Updates the Status field value of the Risk and associated Controls to
Approved.
– Updates the Process status to Approved, sets the Approval Date, and sends
an email notification to the RCSA coordinator.
Chapter 7. Triggers
29
Visualization triggers
The Visualization triggers prevent the user from adding new Risks as children of
the Data Input and Data Output object types.
Risks can only be made children of these object types by associating existing Risks
to them. Data Input and Data Output object types are not allowed to be primary
parents of Risks.
30
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 8. Profiles
The IBM OpenPages IT Governance module includes the OpenPages ITG 7.0.0
Master profile by default.
OpenPages ITG 7.0.0 Master Profile
The OpenPages ITG 7.0.0 Master profile includes the fields and configuration for
all of IBM OpenPages IT Governance.
This profile includes:
v Filters
v My Work Home page tab and Home page tabs
v Dependent fields and dependent pick lists
v Computed fields
v Activity, Detail, Context, Folder, Overview, Filtered List, Grid Views, and List
Views
Subsets of this profile that are appropriate for an IT Library Administrator, IT
Director, etc. are created during the implementation project.
Home Page Filtered Lists
The following filtered lists are defined for the My Work home page for users of
the OpenPages ITG 7.0.0 Master profile.
Table 20. IBM OpenPages IT Governance My Work home page filter list
Filter
Description
Object Type
My Open Issues
Home page access to your open Issues.
Issue
KRI Breaches
Home page access to KRIs that have a breach
status of red.
KRI
KPI Breaches
Home page access to KPIs that have a breach
status of red.
KPI
Control Plans Under Home page access to Control Plans being
Development
developed.
Control Plan
Critical IT Incidents
Home page access to open critical IT-related
Incidents.
Incident
Expiring Waivers
Home page access to approved Waivers that
will expire in the next 3 months.
Waiver
My Waiver
Approvals
Home page access to Waivers that are being
reviewed that you need to approve.
Waiver
31
Activity Views
By default, the OpenPages ITG 7.0.0 Master profile includes the following activity
views.
Table 21. IBM OpenPages IT Governance Activity views
Activity View Name
Description
UCF Mandates
Shows all of the Requirements driven from each Mandate
supplied by UCF.
Deloitte Mandates
Shows all of the Requirements driven from each Mandate
supplied by Deloitte.
Deloitte Mandate Overview Shows all of the Sub-Mandates, and for each Sub-Mandate
shows its Requirements. Most appropriate for Deloitte
content.
UCF Mandate Overview
Shows all of the Sub-Mandates, and for each Sub-Mandate
shows its Requirements. Most appropriate for UCF content.
Assess Risk
Used for performing risk assessments on Baselines in the IT
Operating Environment.
Assess Control Plan
Used for performing risk assessments on Control Plans in the
IT Operating Environment.
Assess Baseline
Used for performing risk assessments on Baselines in the IT
Operating Environment.
Mandate Controls
For the selected Mandate, see all of the associated Controls in
the IT Operating Environment. Provides corporate wide view
of Control Effectiveness for a given Mandate. Filters out
Controls in the Library, and only includes Ineffective or Not
Determined Controls. Should be run from a Business Entity
in the Library.
Control Testing Summary
Used to indicate Control Operating Effectiveness. Provides
Test Plan and Test Result information that informs the
Operating Effectiveness decision.
Questionnaire Set Up
Used to create and modify questionnaires using the
Questionnaire, Section, Question object model.
Questionnaire
Used to respond to questionnaires using the Questionnaire,
Section, Question object model.
Process RCSA View
Facilitates conducting process-based Risk and Control Self
Assessments.
KPI Value Entry
Use to enter KPI values and change the status to collected.
KPI Value Approval
Use to approve KPI values.
KRI Value Entry
Use to enter KRI values and change the status to collected.
After the KRI is defined, the system determines if a KRI
value is required. If the KRI is marked as Active, the KRI
helper generates values. If the KRI value is set to Inactive,
the utility does not generate a blank value. The value object
is initially set up as a placeholder with a status of Awaiting
collection.
KRI Value Approval
32
Determines whether the KRI Value approval is required. Set
to Yes if the entry of the Value must be reviewed by the KRI
owner.
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Table 21. IBM OpenPages IT Governance Activity views (continued)
Activity View Name
Description
Process Approval
From the Home page, the Process owner can navigate to
Processes that are awaiting Approval, using the Process
Approval Activity view.
RCSA Approval
From the Home page, the Process owner can navigate to
Self-Assessments that are awaiting Approval.
Grid Views
By default, grid views are defined for users of the OpenPages ITG 7.0.0 Master
profile.
Table 22. Grid Views
Grid View
Description
Object Type
Enter KRI Values
Use to enter KRI Values. Before using this
view, create KRI Value objects.
KRI Value
Approve KRI
Values
Use to review and approve KRI Values. Before KRI Value
using this view, create KRI Value objects and
enter the values.
Enter KPI Values
Use to enter KPI Values. Before using this
view, create KPI Value objects.
Approve KPI
Values
Use to review and approve KPI Values. Before KPI Value
using this view, create KPI Value objects and
enter the values.
KPI Value
Chapter 8. Profiles
33
34
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Chapter 9. Role Templates
The following role templates are available, by default, for the IBM OpenPages IT
Governance module.
OpenPages ITG 7.0 - All Permissions
Full Read, Write, Delete, Associate (R/W/D/A) access to all default IT
Governance object types that are present and enabled by default. Full
administrator rights.
OpenPages ITG 7.0 - All Data - No Admin
Full Read, Write, Delete, Associate (R/W/D/A) access to all default IT
Governance object types that are present and enabled by default. No
administrator rights except those associated with workflows, files and
folders.
The above role templates provide read, write, delete, and associate access to the
following object types.
Table 23. Role template object types
Object Type Name
Object Type Label
DataInput
Data Input
DataOutput
Data Output
Incident
Incident
KeyPerfindicator
KPI
KeyPerfindicatorValue
KPI Value
KeyRiskindicator
KRI
KeyRiskIndicatorValue
KRI Value
Mandate
Mandate
Policy
Policy
Procedure
Procedure
ProcessDiagram
Process Diagram
Requirement
Requirement
Resource
Resource
ResourceLink
Resource Link
RiskAssessment
Risk Assessment
RiskEntity
Control Plan
RiskSubEntity
Baseline
SOXBusEntity
Business Entity
SOXControl
Control
SOXDocument,
SOXExternalDocument
File, Link
SOXIssue
Issue
SOXProcess
Process
SOXRisk
Risk
SOXSignature
Signature
35
Table 23. Role template object types (continued)
36
Object Type Name
Object Type Label
SOXSubprocess
Sub-Process
SOXTask
Action Item
SOXTest
Test Plan
SOXTestResult
Test Result
Submandate
Sub-Mandate
Waiver
Waiver
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service. This document may
describe products, services, or features that are not included in the Program or
license entitlement that you have purchased.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not grant you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law: INTERNATIONAL
BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in
certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
37
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
Location Code FT0
550 King Street
Littleton, MA
01460-1250
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
This Software Offering does not use cookies or other technologies to collect
personally identifiable information.
38
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Copyright
Licensed Materials - Property of IBM Corporation.
© Copyright IBM Corporation, 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted
by GSA ADP Schedule Contract with IBM Corp.
This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written.
These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these
programs. You may copy, modify, and distribute these sample programs in any
form without payment to IBM for the purposes of developing, using, marketing, or
distributing application programs conforming to IBM's application programming
interfaces.
Trademarks
IBM, the IBM logo and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at “ Copyright and
trademark information ” at www.ibm.com/legal/copytrade.shtml.
Notices
39
40
IBM OpenPages GRC Platform Version 7.0.0: IT Governance Module Overview
Index
N
A
Action items
24
notifications 15
Issue and Action Bulletin 15
KPI Breach notification 16
KPI Reminder notification 16
KRI Breach notification 17
KRI Reminder notification 16
D
Data Input trigger 30
Data Output trigger 30
O
G
grid views
object types
Issue 24
SOXRisk 26
33
I
Impact values 26, 27
Issue (object type) 24
Issue and Action Bulletin notification
Issue Lifecycle trigger 24
Issues
management 24
K
KPI Breach notification 16
KPI Capturer
KPI Reminder notification
KPI Lifecycle trigger 25
Breach notification 16
KPI Reminder notification 16
KPI Value
KPI Reminder notification
KRI Breach notification 17
KRI Capturer
KRI Reminder notification
KRI Lifecycle trigger 24
Breach notification 17
KRI Reminder notification 16
KRI Value
KRI Reminder notification
L
Likelihood values 27
Liklihood values 26
16
16
16
16
R
15
RCSA Qualitative trigger 27
RCSA Quantitative trigger 26
RCSA Risk and Control Approval trigger 29
RCSA triggers 25
Risk and Control Self-assessments triggers
See RCSA triggers
Risk Approval Submission trigger 29
S
Severity values 27
SOXRisk (object type)
26
T
triggers
Issue Lifecycle 24
KPI Lifecycle 25
KRI Lifecycle 24
RCSA Qualitative 27
RCSA Quantitative 26
RCSA Risk and Control Approval
Risk Approval Submission 29
visualization 30
29
V
visualization triggers
30
41