Launching Late Spring 2023

Governance, Risk and Compliance Tool

Automate many processes, including all audit-related activities, from start to finish and store all audit information and artifacts in a single repository, all to ensure we are compliant with state and federal laws and regulations. This tool is also used to process and manage all security policy exception requests and to manage the Colorado Information Security Policies (CISPs) throughout the entire lifecycle.
The documents on this page are only available to those logged in to their state Google account.


Why is GRC important to me? The SvcHub GRC tool will manage: 

Who will see changes? All OIT employees and contractors, and any agency employee assigned any GRC-related tasks, will see additional items in the ServiceHub navigator (e.g., Policy and Compliance, Evidence Request, My Policy Reviews, etc.). These components of the GRC tool and workflows will remain empty unless and until you are assigned any GRC-related task. Any OIT or agency employee or contractor assigned a GRC-related task will follow ServiceHub GRC-defined processes.

ServiceHub Governance, Risk & Compliance (GRC) Module

There are three user role levels within ServiceHub GRC, each with its own level of access to GRC functionality.
The GRC Compliance Admin, GRC Compliance Manager and GRC Business User roles are described in full below.

GRC Business User 

The GRC Business User role is provided to users who require access only to GRC applications in the context of performing tasks assigned to them.

GRC Business Users can perform the following functions in the GRC module:

Individuals assigned the GRC Business User role are given limited access to data and to information relevant to their assigned tasks.

GRC Compliance Manager 

The GRC Compliance Manager role is provided to members of the OIT OIS Security Risk & Compliance, Security Architecture and Governance & Cybersecurity teams. 

The GRC Compliance Manager can perform all the GRC Business User tasks and view all GRC-related records. Additionally, GRC Compliance Managers can create dashboards and reports, authority documents, citations, controls, control attestations, policies, issues ad-hoc and policy exceptions.

GRC Compliance Admin 

The GRC Compliance Admin role is provided to select members of the OIT OIS Security Risk & Compliance and Governance & Cybersecurity teams.

The person in this role can perform all the GRC Compliance Manager and GRC Business User tasks. Additionally, the GRC Compliance Admin can delete GRC-related records and manage GRC-related functionality settings, including but not limited to policy categories, compliance data source registry, GRC properties, attestation types and question bank.

Document Library

Job Aids

Coming Soon