IT Controls Assurance Use Case Design

This topic explains the IT Controls Assurance use case design.

Architecture Diagram

The following diagram shows the relationships between the applications in the IT Controls Assurance use case.

Download the source file of the diagram here: IT Controls Assurance Architecture Diagram

Applications and Questionnaires

The following table describes the use case applications and questionnaires.

Application/Questionnaire

Description

Control Procedures

The Control Procedures application serves as a central repository for instances of control procedures, baselines and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Control Procedures application is included in the Enterprise Catalog package.

Primary Controls

The Primary Controls application serves as a central repository for procedures, baselines, and activities that are mapped to corporate control standards, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Primary Controls are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Primary Controls application is included in the Enterprise Catalog package.

Control Generator

The Control Generator application allows users to create Control Procedures from Primary Controls. This allows Compliance Teams to view their controls broken down into several different options, such as Business Processes, Business Units, Applications, Devices, and Facilities.

Control Self Assessments

The Control Self Assessment application enables control owners to indicate whether the related control is still in operation and functioning as documented. The intent is that control owners would perform validation on an annual basis. If the owner indicates that the control has changed or is no longer in operation, the system flags the control as non-compliant, which prompts the organization to take follow-up action, with one possibility being removing the control from operation.

Configuration Checks

The Configuration Checks application facilitates the automated control testing of technical control procedures utilizing an automated assessment technology. To automate the compliance testing of a technical control procedure, a relationship between the control procedure and the external configuration assessment must be created. This application stores the external checks provided by the assessment technology and allows the company to map their technical control procedures in Archer to the check performed by the external system.

Configuration Check Results

The Configuration Check Results application stores the scan results fed into Archer through the Data Feed Manager to assess compliance with specified technology baselines. Each record contains the date of the scan, the device scanned, the configuration check that was performed, and the result of the check. The user may then address any instances of non-compliance through an exception request or remediation plan.

Compliance Engagement

Through the Compliance Engagement application, the Compliance Team can initiate and manage the testing life cycle, report the results of testing to executive management, and create engagements that target certain compliance scopes, control sets, or control instances.

Compliance Scope

Through the Compliance Scope application, users can define a testing scope for compliance so Compliance Teams can quickly generate and scope compliance engagements.

Evidence Repository

The Evidence Repository application provides your compliance program with a way to capture evidence for controls that you want to continuously monitor. Through this application, you can upload attachments, documents, or evidence and have an access-controlled method for capturing updates to versions of documents that have been uploaded. You can use the included workflow to submit, reassign, approve, and re-initiate the workflow for evidence records.

Design Test Results

The Design Test Results application enables you to document an evaluator’s assessment of whether a control is properly designed to achieve stated objectives and mitigate related risks. If a control is properly designed, the control meets the stated objective and the evaluator proceeds to test the control’s operating effectiveness. If, however, a control is ineffectively designed, the control is flagged as non-compliant and remediation of any related issues becomes the next step. Similar to Control Self Assessment, the intent is that design effectiveness is assessed on an annual basis.

Operating Test Results

The Operating Test Results application enables you to document the results of the operating tests designed to evaluate whether the control procedure is indeed in place and operating as intended. For SOX testing purposes, key controls should be tested on a quarterly basis, with the total annual sample size to be tested dictated by the frequency of the control’s operation.

Technical Control Manual Assessment

The Technical Control Manual Assessment questionnaire may be used to assess the compliance of devices with their applicable technical control procedures. The admin adds the appropriate Archer Technical Control Content Library questions from the Question Library to match the technical baselines the company wishes to cover. The device owner then answers the questions, and each non-compliant answer generates a finding that is linked back to the non-compliant control procedure. These findings are factored into the procedure's compliance rating.
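The two automated inputs to a technical control procedure's compliance described above, Configuration Check Results mapped to the procedure through the Configuration Checks application and findings generated from Technical Control Manual Assessment answers, can be rolled up into one per-procedure view. The following is an added example, not code from the page or from Archer: the records, the check-to-procedure mapping and the roll-up rule (a procedure is non-compliant if any latest mapped check result failed or any open finding is linked to it) are all constructed assumptions, since the page does not state how the compliance rating is derived. It keeps only the most recent result per device and check, so an older failure superseded by a clean rescan does not count, and it reports results for checks that are not mapped to any procedure instead of silently dropping them.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed Configuration Checks mapping: external check id -> control procedure id.
# In Archer this mapping is maintained by the company in the Configuration Checks application.
CHECK_TO_PROCEDURE = {
    "CHK-1001": "CP-0042",
    "CHK-1002": "CP-0042",
    "CHK-2001": "CP-0077",
}

# Constructed Configuration Check Results records: scan date, device scanned, check performed, result.
CHECK_RESULTS = [
    {"scan_date": date(2024, 3, 1), "device": "srv-db-01", "check": "CHK-1001", "result": "Fail"},
    {"scan_date": date(2024, 3, 8), "device": "srv-db-01", "check": "CHK-1001", "result": "Pass"},  # rescan supersedes the failure
    {"scan_date": date(2024, 3, 8), "device": "srv-db-01", "check": "CHK-1002", "result": "Fail"},
    {"scan_date": date(2024, 3, 8), "device": "srv-web-02", "check": "CHK-2001", "result": "Pass"},
    {"scan_date": date(2024, 3, 8), "device": "srv-web-02", "check": "CHK-9999", "result": "Fail"},  # no procedure mapped
]

# Constructed findings generated from non-compliant Technical Control Manual Assessment answers.
MANUAL_FINDINGS = [
    {"device": "srv-app-03", "procedure": "CP-0077", "question": "Is audit logging enabled?", "status": "Open"},
    {"device": "srv-app-03", "procedure": "CP-0077", "question": "Is NTP configured?", "status": "Closed"},
]


@dataclass
class ProcedureStatus:
    """Roll-up of automated evidence for one control procedure (constructed structure)."""
    procedure: str
    passed: int = 0
    failed: int = 0
    open_findings: int = 0
    non_compliant_devices: set = field(default_factory=set)

    @property
    def compliant(self) -> bool:
        # Assumed rule: any failed latest check or any open finding makes the procedure non-compliant.
        return self.failed == 0 and self.open_findings == 0


def latest_results(results):
    """Keep only the most recent scan result per (device, check) pair."""
    latest = {}
    for r in results:
        key = (r["device"], r["check"])
        if key not in latest or r["scan_date"] > latest[key]["scan_date"]:
            latest[key] = r
    return list(latest.values())


def roll_up(check_map, results, findings):
    """Return ({procedure id: ProcedureStatus}, [check results not mapped to any procedure])."""
    statuses = {cp: ProcedureStatus(cp) for cp in set(check_map.values())}
    unmapped = []
    for r in latest_results(results):
        cp = check_map.get(r["check"])
        if cp is None:
            unmapped.append(r)  # surface the gap in the mapping rather than hide it
            continue
        st = statuses[cp]
        if r["result"] == "Pass":
            st.passed += 1
        else:
            st.failed += 1
            st.non_compliant_devices.add(r["device"])
    for f in findings:
        if f["status"] != "Open":
            continue  # closed findings no longer count against the procedure
        st = statuses.setdefault(f["procedure"], ProcedureStatus(f["procedure"]))
        st.open_findings += 1
        st.non_compliant_devices.add(f["device"])
    return statuses, unmapped


if __name__ == "__main__":
    statuses, unmapped = roll_up(CHECK_TO_PROCEDURE, CHECK_RESULTS, MANUAL_FINDINGS)
    for cp, st in sorted(statuses.items()):
        print(cp, "compliant" if st.compliant else "non-compliant",
              f"pass={st.passed} fail={st.failed} open_findings={st.open_findings}",
              sorted(st.non_compliant_devices))
    for r in unmapped:
        print("unmapped check result:", r["device"], r["check"], r["result"])
```

Reporting unmapped checks matters in practice: a check the assessment technology runs but nobody has mapped to a control procedure produces no compliance signal at all, so the mapping gap itself is a finding for the compliance team.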

Business Processes

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced by one or multiple products or services. The application enables you to track a business process's personnel, criticality, recovery time objective (RTO) and ITIL category, and associate it with other aspects of the enterprise infrastructure.

Note: The Business Processes application is included in the Enterprise Catalog package.

Applications

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

Devices

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

Facilities

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

Information Assets

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

Question Library

The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains information including the question and answer text as well as information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library.

Storage Devices

The Storage Devices application serves as a central repository for storage devices used within the infrastructure.

Note: The Storage Devices application is included in the Enterprise Catalog package.

Technologies

The Technologies application provides a searchable and extensible repository of technology version information that can be leveraged to relate devices of like technology. Devices can be identified and grouped using one of the three tiered hierarchical values lists described below:

  • Operating System Technology. This list details information such as the operating system vendor, product, and version of the operating system.
  • Application Technology. This list contains information such as the application vendor, name, and version of the application.
  • Hardware Technology. This list describes information relating to hardware vendor, including name, description, and technology version naming conventions.

Users can filter technologies that have been company approved and view reports detailing known vulnerabilities threatening their technologies.

Note: The Technologies application is included in the Enterprise Catalog package.

Contacts

The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information.

Note: The Contacts application is included in the Enterprise Catalog package.

Control Scoping Unit

The Control Scoping Unit application works in the background of Compliance Engagement and enables users to determine whether control instances are in or out of scope for a specific engagement.

This application also houses point-in-time snapshots of Control Procedure compliance information and the related elements of the risk environment and business infrastructure. Regulatory and customer requirements dictate the need to periodically capture information about the compliance posture of the control environment as well as the critical links between a control and the elements of the organization it supports. The Control Scoping Unit application is configured with fields to capture critical information about the Control Procedure as well as sub-form fields that enable users to capture historical information about the Business Processes, Business Units, Applications and Devices that the Control Procedure supports. Users can leverage a platform-to-platform data feed to enable periodic capture of this information for record keeping and reporting purposes.

Access Roles and Record Permissions

The following table describes the use case access roles.

Access Role

Description

CM: Admin

Serves as the administrator for the use case, providing create, read, update, and delete access rights.

CM: Executives

Provides create, read, and update access to executive stakeholders within the use case.

CM: Manager

Provides create, read, and update access to management stakeholders within the use case.

CM: Owner

Provides create, read, and update access to business process owners within the use case.

CM: Read Only

Provides read-only access for the use case.

CM: Tester

Provides Control Testers with read and update access to the Control Procedures application.

Note: For detailed, page-level access rights, see the Data Dictionary.

The following table describes the specific roles (fields) within the IT Controls Assurance applications. These fields may correspond to different members of the team depending on the actual nature of the controls. As part of the implementation process, these roles should be designated to the appropriate users.

Role

Description

Control Testing Submitter

Creates questionnaires that target control procedures.

Control Testing Reviewer

Tests and reviews controls, assesses the compliance of devices, and completes questionnaires and tests.

Evidence Owner

Edits and submits evidence for affected controls.

Note: This user can change user access to Evidence Repository records.

Contributor

Can submit evidence with attachments.

Control Owner/Approver

Reviews and approves submitted evidence.

Note: This user is inherited from related Primary Controls and Control Procedures records.

Dashboards

The following table describes the dashboards in this use case.

Dashboard

Description

Compliance Program Dashboard

This dashboard allows you to track the status and compliance of your Compliance Program, including active test work, assessments, and configuration check compliance by filtering work for both submitters and reviewers. Compliance by Control Set, a report in the Compliance Summary iView, is filtered by control sets that are tagged to control procedures. The report tracks compliance against different control sets that an organization attempts to comply with.

Control Testing Portal

This dashboard allows you to track active control tests, submit and review control tests, and view assessment evidence, scope records, and configuration check compliance by filtering work for both submitters and reviewers. Users can only see results to which they have been granted access.

Evidence Overview

This dashboard allows you to track the status of ongoing evidence collection. This dashboard features metrics, such as evidence requests that are overdue, due today, or pending approval. This dashboard also uses interactive charts to show data, such as controls based on evidence requests, overdue evidence requests by evidence provider, and evidence submitted per month. Any user who is assigned to a CM or FCM role can access this dashboard.

My Evidence Queue

This dashboard is specific to the user viewing it, and allows individual evidence providers to quickly view evidence requests that are assigned to them, with featured metrics to highlight evidence requests that are overdue, due today, or pending approval. This dashboard also shows evidence providers which control procedures they are listed on.

Data Feeds

The following table describes the data feeds in this use case.

Data Feed

Description

ITCA: Move Control Procedures to Primary Controls (1 - Source)

Moves Control Procedure records to the Primary Controls application. This data feed should be run once to populate Primary Controls. This data feed brings the top level of the Authoritative Sources (Source) and associates it to the Primary Control where applicable.

ITCA: Move Control Procedures to Primary Controls (2 - Topic)

Moves the second level of the Authoritative Sources content (Topic) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

ITCA: Move Control Procedures to Primary Controls (3 - Section)

Moves the third level of the Authoritative Sources content (Section) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

ITCA: Move Control Procedures to Primary Controls (4 - Sub Section)

Moves the fourth level of the Authoritative Sources content (Sub-Section) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

ITCA: Control Snapshots

Runs against the Control Procedures application for any Control Procedures that have been queued for snapshot creation. This data feed creates a record in the Control Snapshots application using data that is selected from Control Procedures for historical reporting purposes and associates the record back to the Control Procedure so that users can look at point-in-time snapshots of their controls.

ITCA: Controls Generation

Runs against the Control Generator application. Users identify Primary Controls to be instantiated as Control Procedures and queue the Control Generator record for Control Procedure creation. This data feed generates Control Procedures using the selected variables in the Control Generator record.

ITCA: Evidence Repository

The Evidence Repository data feed runs against records being re-initiated in the workflow. The function of this feed is to create a sub-form record in the Version History section of the Evidence Repository application and associate the current document with the sub-form record, so that, if a new document is uploaded during re-initiation, users have a historical record in the sub-form where they can view what the document used to look like.

ITCA: Generate Assessments (Full Scope)

Creates Control Self Assessments, Design Test Results, and Operating Test Results using variables selected in the Compliance Engagement record. This data feed always uses every Control Procedure that is identified in the Scope tab of the Compliance Engagement application record.

ITCA: Generate Assessments (Partial Scope)

Creates Control Self Assessments, Design Test Results, and Operating Test Results using variables selected in the Compliance Engagement record. This data feed runs when Partial Scope is selected within a Compliance Engagement and uses Controls that are In Scope from the Partial Scope Selection section to generate assessments.

ITCA: Scope Compliance Engagement by Compliance Scope

Uses identified Compliance Scope records and associates related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets that are related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

ITCA: Scope Compliance Engagement by Compliance Scope/Control Set

Uses identified Compliance Scope records and associates related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets that are related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

ITCA: Scope Compliance Engagement by Control Procedures/Control Set

Uses identified Control Set values within Control Procedures records to identify Control Procedures matching the selected criteria and associates any related data to the Compliance Engagement Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications. The data feed creates a Scoping Unit record for each Control Procedure that is associated to the Compliance Engagement.

ITCA: Scope Compliance Scope Records by Business Process

Uses identified Business Process records and associates related data to the Compliance Scope Record. Control Procedures are linked to Business Processes. Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.

ITCA: Scope Compliance Scope Records by Control Procedure

Uses identified Control Procedures records and associates related data to the Compliance Scope Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.

ITCA: Scope Compliance Scope Records by Control Set

Uses identified Control Set values within Control Procedures records to identify Control Procedures matching the selected criteria and associates any related data to the Compliance Scope Record. Business Processes, Facilities, Primary Controls, and Applications are linked to Control Procedures. Information Assets, Storage Devices, and Devices are linked to Applications.
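The scoping data feeds above all apply the same two-hop expansion: start from a set of Control Procedures (selected directly, through their Business Processes, or by a Control Set value), pull in the Business Processes, Facilities, Primary Controls and Applications linked to those procedures, then pull in the Information Assets, Storage Devices and Devices linked to those Applications, and finally create one Scoping Unit record per Control Procedure. The following is an added example of that expansion, not code from the page or from Archer; the record structure, field names and sample data are constructed, and the real feeds operate on Archer cross-reference fields rather than Python dictionaries.

```python
# Constructed Control Procedures records: cross-reference fields hold the ids of linked records.
CONTROL_PROCEDURES = {
    "CP-1": {"control_sets": {"SOX", "PCI"}, "business_processes": {"BP-1"}, "facilities": {"FAC-1"},
             "primary_controls": {"PC-1"}, "applications": {"APP-1"}},
    "CP-2": {"control_sets": {"PCI"}, "business_processes": {"BP-2"}, "facilities": set(),
             "primary_controls": {"PC-2"}, "applications": {"APP-2"}},
    "CP-3": {"control_sets": {"ISO"}, "business_processes": {"BP-1"}, "facilities": set(),
             "primary_controls": {"PC-1"}, "applications": set()},
}

# Constructed Applications records with their linked assets and devices.
APPLICATIONS = {
    "APP-1": {"information_assets": {"IA-1"}, "storage_devices": {"SD-1"}, "devices": {"DEV-1", "DEV-2"}},
    "APP-2": {"information_assets": set(), "storage_devices": set(), "devices": {"DEV-3"}},
}

# Hop 1: fields on a Control Procedure, keyed by the application they scope in.
PROCEDURE_LINKS = {
    "Business Processes": "business_processes",
    "Facilities": "facilities",
    "Primary Controls": "primary_controls",
    "Applications": "applications",
}
# Hop 2: fields on an Application, keyed by the application they scope in.
APPLICATION_LINKS = {
    "Information Assets": "information_assets",
    "Storage Devices": "storage_devices",
    "Devices": "devices",
}


def expand_from_control_procedures(cp_ids, procedures=CONTROL_PROCEDURES, applications=APPLICATIONS):
    """Return the scope (application name -> set of record ids) reachable from the given procedures."""
    scope = {"Control Procedures": set()}
    scope.update({name: set() for name in PROCEDURE_LINKS})
    scope.update({name: set() for name in APPLICATION_LINKS})
    for cp in cp_ids:
        rec = procedures.get(cp)
        if rec is None:
            continue  # dangling reference: skip rather than fail the whole feed
        scope["Control Procedures"].add(cp)
        for name, fld in PROCEDURE_LINKS.items():
            scope[name] |= rec[fld]
    for app in scope["Applications"]:
        rec = applications.get(app, {})
        for name, fld in APPLICATION_LINKS.items():
            scope[name] |= rec.get(fld, set())
    return scope


def scope_by_control_procedure(cp_ids):
    """Scope Compliance Scope Records by Control Procedure: seed directly from the selected procedures."""
    return expand_from_control_procedures(cp_ids)


def scope_by_business_process(bp_ids, procedures=CONTROL_PROCEDURES):
    """Scope by Business Process: Control Procedures linked to the selected processes seed the expansion."""
    seeds = [cp for cp, rec in procedures.items() if rec["business_processes"] & set(bp_ids)]
    scope = expand_from_control_procedures(seeds, procedures)
    scope["Business Processes"] |= set(bp_ids)  # the selected processes are in scope even if no procedure links them
    return scope


def scope_by_control_set(control_set, procedures=CONTROL_PROCEDURES):
    """Scope by Control Set: procedures whose Control Set field contains the value seed the expansion."""
    seeds = [cp for cp, rec in procedures.items() if control_set in rec["control_sets"]]
    return expand_from_control_procedures(seeds, procedures)


def scoping_units(scope):
    """One Scoping Unit record per in-scope Control Procedure, as the engagement feeds create."""
    return [{"control_procedure": cp, "in_scope": True} for cp in sorted(scope["Control Procedures"])]


if __name__ == "__main__":
    s = scope_by_control_set("PCI")
    for name, ids in s.items():
        print(f"{name}: {sorted(ids)}")
    print(scoping_units(s))
```

Expanding from Applications to Devices is what makes a Control Set selection like "PCI" reach the concrete hosts that the Configuration Check Results will later be matched against; a procedure with no linked Application contributes no devices to the scope, which is worth checking before an engagement is generated.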

Primary Controls Automatic Evidence Collection Data Feed

This data feed automatically creates Evidence Repository records for Primary Control records whose Evidence Collection Method is 'automated', on a desired scheduled frequency.

Control Procedures Automatic Evidence Collection Data Feed

This data feed automatically creates Evidence Repository records for Control Procedure records whose Evidence Collection Method is "automated", on a desired scheduled frequency.

Data Migration from Scoping Unit to Compliance Partial Scope

This data feed migrates records from the Scoping Unit application to the Control Scoping Unit application. Run this data feed after upgrading to Archer version 6.13.

Data Migration - Control Snapshot to Control Scoping Unit

This data feed migrates records from the Control Snapshot application to the Control Scoping Unit application. Run this data feed after upgrading to Archer version 6.13.

Data Dictionary

The IT Controls Assurance Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the use case by contacting your Archer Account Representative.