ServiceHub Governance, Risk, and Compliance (GRC) Module

Welcome

To ensure we are compliant with state and federal laws and regulations, the ServiceHub GRC module automates many compliance processes. Audit-related activities, information and artifacts are now saved in a single repository. The module is also used to process and manage all security policy exception requests and to manage the Colorado Information Security Policies (CISPs) throughout their entire life cycle.


Note: The documents on this page are only available to those logged in to their state Google account.

Why is GRC important to me? The ServiceHub GRC module:

Who will see changes?
Employees and contractors who have GRC-related permissions in ServiceHub can view additional items in the ServiceHub navigator (e.g., Policy and Compliance, Evidence Request, My Policy Reviews). These components of the GRC tool and its workflows remain empty until you are assigned a GRC-related task. Any OIT/agency employee or contractor assigned a GRC-related task should follow the ServiceHub GRC-defined processes.

ServiceHub Governance, Risk & Compliance (GRC) Module

There are three user role levels within ServiceHub GRC, each with its own level of access to GRC functionality.
The GRC Compliance Admin, GRC Compliance Manager and GRC Business User roles are described in full below.

GRC Business User

The GRC Business User role is provided to users who require access only to GRC applications in the context of performing tasks assigned to them.


GRC Business Users can perform the following functions in the GRC module:


Individuals assigned the GRC Business User role have limited access to data and information, restricted to what is relevant to their assigned tasks.

GRC Compliance Manager

The GRC Compliance Manager role is provided to members of the OIT OIS Security Risk & Compliance, Security Architecture and Governance & Cybersecurity teams.


The GRC Compliance Manager can perform all the GRC Business User tasks and view all GRC-related records. Additionally, GRC Compliance Managers can create dashboards and reports, authority documents, citations, controls, control attestations, policies, ad hoc issues and policy exceptions.

GRC Compliance Admin

The GRC Compliance Admin role is provided to select members of the OIT OIS Security Risk & Compliance and Governance & Cybersecurity teams.


The person in this role can perform all the GRC Compliance Manager and GRC Business User tasks. Additionally, the GRC Compliance Admin can delete GRC-related records and manage GRC-related functionality settings, including but not limited to policy categories, the compliance data source registry, GRC properties, attestation types and the question bank.

Job Aid Videos

GRC Module Training
