Launching Late Spring 2023
Governance, Risk and Compliance Tool
Automate many processes, including all audit-related activities, from start to finish and store all audit information and artifacts in a single repository, all to ensure we are compliant with state and federal laws and regulations. This tool is also used to process and manage all security policy exception requests and to manage the Colorado Information Security Policies (CISPs) throughout the entire lifecycle.
The documents on this page are only available to those logged in to their state Google account.
Welcome
Why is GRC important to me? The SvcHub GRC tool will manage:
All audit-related activities (audit inquiries, findings, remediations).
All secure configuration exception requests.
All information security policy reviews and approvals.
All evidence requests (initiation, remediation and, if needed, security policy exception request).
All control attestations (providing information and evidence on whether the requirements of a particular control (i.e., safeguard from the Colorado Information Security Policies [CISP]) have been implemented.
All security risk assessments.
Who will see changes? All OIT employees and contractors, and any agency employee assigned any GRC-related tasks, will see additional items in the ServiceHub navigator (e.g., Policy and Compliance, Evidence Request, My Policy Reviews, etc.). These components of the GRC tool and workflows will remain empty unless and until you are assigned any GRC-related task. Any OIT or agency employee or contractor assigned a GRC-related task will follow ServiceHub GRC-defined processes.
ServiceHub Governance, Risk & Compliance (GRC) Module
There are three different user role levels within ServiceHub GRC, each with its own set of access to various GRC functionality.
The GRC Compliance Admin, GRC Compliance Manager and GRC Business User roles are described in full below.
GRC Business User
The GRC Business User role is provided to users who require access only to GRC applications in the context of performing tasks assigned to them.
GRC Business Users can perform the following functions in the GRC module:
Review information security policies.
Approve information security policies.
Respond to policy compliance attestation requests.
Manage compliance-related issues through the entirety of the issue process (initiation, remediation (and security policy exception request if needed).
Respond to evidence, audit and risk assessment requests.
Manage audit-related findings through the entirety of the response and remediation process (and security policy exception request if needed).
View and interact with the GRC Business User Dashboard.
Individuals provided the GRC Business User role are provided with limited access to data and to information relevant to their assigned tasks.
GRC Compliance Manager
The GRC Compliance Manager role is provided to members of the OIT OIS Security Risk & Compliance, Security Architecture and Governance & Cybersecurity teams.
The GRC Compliance Manager can perform all the GRC Business User
tasks and view all GRC-related records. Additionally, GRC Compliance Managers can create dashboards and reports, authority documents, citations, controls, control attestations, policies, issues ad-hoc and
policy exceptions.
GRC Compliance Admin
The GRC Compliance Admin role is provided to select members of the OIT OIS Security Risk & Compliance and Governance & Cybersecurity teams.
The person in this role can perform all the GRC Compliance Manager and GRC Business User tasks. Additionally, the GRC Compliance Admin can delete GRC-related records and manage GRC-related functionality settings including but not limited to: policy categories, compliance data source registry, GRC properties, attestation types, question bank.
