ServiceHub Governance, Risk, and Compliance (GRC) Module
Welcome
To ensure we are compliant with state and federal laws and regulations, the ServiceHub GRC module will automate many processes. Audit-related activities, information and artifacts will now be saved in a single repository. This module is also used to process and manage all security policy exception requests and to manage the Colorado Information Security Policies (CISPs) throughout the entire life cycle.
Note: The documents on this page are only available to those logged in to their state Google account.
Why is GRC important to me? The ServiceHub GRC module:
All audit-related activities (audit inquiries, findings, remediations).
All secure configuration exception requests.
All information security policy reviews and approvals.
All evidence requests (initiation, remediation and, if needed, security policy exception request).
All control attestations (providing information and evidence on whether the requirements of a particular control (i.e., safeguard from the Colorado Information Security Policies [CISP]) have been implemented.
All security risk assessments.
Who will see changes?
Those employees and contractors who have GRC-related permissions in ServiceHub can view additional items in the ServiceHub navigator. (e.g., Policy and Compliance, Evidence Request, My Policy Reviews, etc.). These components of the GRC tool and workflows will remain empty unless or until you are assigned any GRC-related task. Any OIT/agency employee or contractor assigned a GRC-related task should follow ServiceHub GRC-defined processes.
ServiceHub Governance, Risk & Compliance (GRC) Module
There are three different user role levels within ServiceHub GRC, each with its own set of access to various GRC functionality.
The GRC Compliance Admin, GRC Compliance Manager and GRC Business User roles are described in full below.
GRC Business User
The GRC Business User role is provided to users who require access only to GRC applications in the context of performing tasks assigned to them.
GRC Business Users can perform the following functions in the GRC module:
Review information security policies.
Approve information security policies.
Respond to policy compliance attestation requests.
Manage compliance-related issues through the entirety of the issue process (initiation, remediation (and security policy exception request if needed).
Respond to evidence, audit and risk assessment requests.
Manage audit-related findings through the entirety of the response and remediation process (and security policy exception request if needed).
View and interact with the GRC Business User Dashboard.
Individuals provided the GRC Business User role are provided with limited access to data and to information relevant to their assigned tasks.
GRC Compliance Manager
The GRC Compliance Manager role is provided to members of the OIT OIS Security Risk & Compliance, Security Architecture and Governance & Cybersecurity teams.
The GRC Compliance Manager can perform all the GRC Business User
tasks and view all GRC-related records. Additionally, GRC Compliance Managers can create dashboards and reports, authority documents, citations, controls, control attestations, policies, issues ad-hoc and
policy exceptions.
GRC Compliance Admin
The GRC Compliance Admin role is provided to select members of the OIT OIS Security Risk & Compliance and Governance & Cybersecurity teams.
The person in this role can perform all the GRC Compliance Manager and GRC Business User tasks. Additionally, the GRC Compliance Admin can delete GRC-related records and manage GRC-related functionality settings including but not limited to: policy categories, compliance data source registry, GRC properties, attestation types, question bank.
