In preparation for our latest release of ZenGRC, we decided to take a step back in order to evaluate the high level requirements most relevant to our current users. Two areas of improvement that we quickly identified were evidence collection for audit activities and comprehensive reporting on overall compliance posture. With our latest release, ZenGRC now offers robust evidence collection functionality through a new request object. Furthermore, from ZenGRC, you can now easily create visual dashboards that allow you to effectively communicate your compliance progress!
Evidence Collection Made Easier
We are introducing a completely revamped Request object. The request object handles document request list use cases. It documents what is being requested, the description, mapped controls, systems (or any other object), and keeps track of all uploaded evidence.
New Request Roles
There are three different roles that can be assigned for each request:
- Requester – manager of the request assignee
- Assignee – person assigned to the request
- Verifier – person that verifies that the request has been sufficiently completed, once the assignee marks the request as finished. If no Verifier is designated, then anyone can verify the request.
Evidence Collection Improvements
All evidence gathered through comments is now being aggregated in the evidence list. Same applies to all linked URLs. This will be particularly useful in next release, where evidence will be shareable between different audits and relevant requests.
Evidence files and URLs can be added through comments during conversation, or directly in the evidence/URL lists.
Introducing ZenGRC Onboarding Progress Dashboard
Our new progress dashboard helps customers visualize their progress in terms of building a system-of-record. The dashboard tracks 4 vital metrics to help you understand how well you are complying with a certain standard.
To obtain a copy of this Excel reporting dashboard, please contact Reciprocity.
You can now use “<” and “>” in your search strings, filter and in downloadable reports.
Support for the “parent control/objective” pattern has been added:
- When a control is mapped to another control it now inherits the parent objective, and
- When an objective is mapped to another objective it now inherits a parent section through auto mapping.
Section and Clause Improvements
Sections and Clauses are the bits and pieces of directives. We’ve upgraded them so that all mapping restrictions for sections and clauses are removed. They can now be mapped just like any other object. Sections and clauses can:
- exist independently of any directive (regulation, standard, contract or policy)
- be mapped to any object
- maintain a proper object-level RBAC (role based access control)
Request Flow and States Simplified
The request object changes in state in a new, simplified manner:
In the event that a verifier of a finished request is not satisfied, he or she can decline the request and it will revert back to In Progress.
Response Object Removed in Favor of Comments
We’ve removed the response object in favor of migrating all responses to audit requests into comments. All communication between request assignees and verifies/requesters is maintained in a conversational form within the Request object. It is transparent and visible to all participants. Additionally, all objects mapped to responses are now being mapped directly to the request.
Removal of Private Programs
Private programs no longer exist and are removed from ZenGRC. New RBAC that was introduced with previous release actually makes every program private, so this feature became redundant.