Compliance Management
Table of Contents
Why this Chapter is Important
Basic Concepts
Compliance Package and Items
Compliance Treatment
Compliance Findings
Compliance Management
Uploading a Compliance Package
Editing Compliance Packages
Duplicating Compliance Packages
Deleting Compliance Packages
Mapping Compliance Requirements
Manual Mapping Definitions
CSV Mapping Definitions
Linking GRC Elements
Creating Audit Findings
Additional Features
Notifications
Filters
Reports
ANNEX
Compliance Package CSV Format
Pre-Compiled CSV Packages
Why this Chapter is Important
This module helps you to analyze and understand how compliant you are against a set
of legal, contractual, regulatory requirements, or standards such as PCI-DSS, ISO 27001,
etc.
WARNING - BEFORE ATTEMPTING TO READ THIS GUIDE, MAKE SURE YOU READ
AND UNDERSTAND HOW BASIC GRC RELATIONSHIPS WORK IN ERAMBA AND HAVE
NOT SKIPPED ANY PREVIOUS STEPS
Basic Concepts
Essentially, this module helps you to map each requirement from a compliance package
(e.g., PCI, ISO, etc.) with GRC elements with the objective of describing how each
requirement is being met by your organization.
Eramba ships empty: after a clean install you won't find any compliance packages (e.g., PCI, ISO, etc.) or GRC elements (e.g., controls, policies, risks, etc.). It's your responsibility to design and create these to suit your individual needs.
The Compliance Management module is split across three key sections, the following
table provides a brief summary of their function.
Module: Compliance Management / Compliance Packages
Objective: Manage the library of things you need to be compliant with.
Module: Compliance Management / Compliance Analysis
Objective: Link GRC elements (Controls, Policies, etc.) with the compliance requirements defined in the previous module.
Module: Compliance Management / Compliance Analysis Findings
Objective: Document audit findings that affect one or more compliance requirements.
Compliance Package and Items
In Compliance Management / Compliance Packages, you can manage the library of packages by uploading, deleting, or editing them. Two tabs exist on this section: one with the packages and the other with the items.
Clicking on the number of items for a compliance package takes you to the Compliance Package Items tab, filtered to that package in particular.
You can define your own compliance packages using a CSV file (we have a standard
format you need to follow) and upload them to Eramba using an import function.
Additionally, there is a list of pre-compiled packages (commonly used) that are ready for
upload.
Once compliance packages are uploaded, you can start working on how to meet (or not)
each one of these requirements by linking controls, risks, policies, etc.
Compliance Treatment
Treatment is defined by the associated module within Eramba that is used to meet a
requirement, whether it be policies, controls, etc.
In the likely scenario that you need to be compliant with multiple compliance packages
at the same time (e.g., ISO, PCI, etc.), you can reuse (leverage) one control, policy, or risk
for more than one compliance requirement. You may link it with as many as needed.
Control Catalogue / Policies: Link one or more policies. For example: ISO 5.1.1, PCI 1.1.3, etc.
Control Catalogue / Internal Controls: Link one or more controls. For example: ISO 6.12, 9.1.2, etc.
Risk Mgt / All three types of Risk: Link one or more risks. Some ISO auditors might want to see risks linked to ISO 27002 controls.
Compliance Findings
In order to demonstrate compliance, inevitably you will need to be assessed by an
independent auditor. Audits inherently result in findings that must be mitigated by a
given date.
Under Compliance Mgt / Compliance Analysis Findings, you can document audit
findings and link them with one or more compliance package requirements to make it
clear what items the findings apply to.
Compliance Management
Uploading a Compliance Package
Keep in mind that you can create multiple Compliance Packages, so the same standard can be uploaded more than once for different scopes, for example:
● PCI-DSS
● PCI-DSS Production Datacenter
● ISO 27001 India
● ISO 27001 UK
The import uses our standard import function, so any errors in the CSV file will be shown to you before Eramba completes the import. Once the import is complete, you will see the package as a new filter on the section.
Editing Compliance Packages
Once a compliance package has been uploaded, you might need to edit its content (e.g., add, delete or modify rows). You can do this directly from Eramba (imports won't overwrite existing packages).
You can edit directly from the filters, by using the menu / Edit form, or by clicking Add / New Item.
● If the changes against the old standard are not too big, it is easier to “Duplicate” an existing compliance package (to make a backup) and edit the cloned copy by adding, editing and deleting rows.
● If the changes are considerable, then it is perhaps best to build a new CSV and import it as a new Third Party. You will then need to re-associate all GRC elements to each item (see next section).
Duplicating Compliance Packages
Cloning a compliance package does not just duplicate the items in the compliance package. It also clones all the GRC elements that have been assigned to them using Compliance Management / Compliance Analysis.
Mapping Compliance Requirements
Imagine that, in your view, PCI 2.3.5 is similar to PCI 2.3.6, HIPAA 5.4 and 800-53 item 1.4.b. Your Internal Control “AD Security Standards”, which you have been using for PCI 2.3.5, can then be used for the other three requirements as well.
You can now define those mappings in eramba (manually or with CSV imports), and from that point in time any treatment (control, policy, risk, etc.) on PCI 2.3.5 (the origin) will be copied to the other items (the destinations).
The fields being synchronized from the origin to the destination compliance items are
the following:
● Internal Controls
● Policy Management
● Compliance Exceptions
● Asset Risk
● Third Party Risks
● Business Continuity Plans
● Assets
Once mappings have been defined, you can go to the compliance analysis module
(Compliance Management / Compliance Analysis) and if you edit an item and the item
has mappings defined you will notice a warning on the fields:
This means whatever you define in these fields will be copied to all mapped items. You
can see what items are mapped on the “Mappings” tab.
On the Compliance Analysis module you might want to see which items are mapped as soon as you list compliance items; for that, edit the filters and enable the field to be displayed on the default filter.
If an item has mapped items, they will then be visible as a new column on the filter.
Note that a mapping is defined by telling eramba who is the origin and the destination
(multiple). This means that whatever treatment (policies, controls, etc) are defined on
the origin will be copied automatically to the destination. Since the destination is being
synchronized with the origin, you won't be able to edit the fields above on the
destination once a mapping has been defined.
Manual Mapping Definitions
By clicking on Actions / Add you can define each one of these mappings.
You will define the origin and destination of the mapping, remember anything defined
on the origin (controls, policies, etc) will be copied to the destinations automatically.
As you define your mappings, they will be shown on the filter below. At any point in time
you can edit or delete these mappings.
If you create a mapping from PCI 3.4.5 (which, let's assume, already has some treatment, such as Internal Controls, Policies, etc.) to ISO 5.6.7, the synchronization takes place as soon as you save the new mapping: whatever PCI 3.4.5 has will be copied to ISO 5.6.7. You won't be able to edit the mitigation fields on ISO 5.6.7, as they are at all times inherited from the PCI requirement.
If you delete an existing mapping, the items involved will not change their treatment. Everything stays as it was before the deletion took place.
If you edit a mapping, the new items included in the edit will be synchronized automatically. Items removed in the edit will be left as they were before the edit took place.
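The origin/destination rules above (copy on save, destinations read-only while mapped, deletion and removal leave treatment untouched) can be modelled in a few lines. This is an added example, not eramba's own code; the snake_case field keys, the `MappingModel` class and the assumption that a destination becomes editable again once its mapping is deleted are all mine.

```python
from dataclasses import dataclass, field

# Treatment fields the guide says are synchronized from origin to destinations
# (snake_case keys are assumed names for this model)
SYNCED_FIELDS = ("internal_controls", "policies", "compliance_exceptions",
                 "asset_risks", "third_party_risks", "business_continuity_plans", "assets")

@dataclass
class ComplianceItem:
    ref: str                                    # e.g. "PCI 3.4.5"
    treatment: dict = field(
        default_factory=lambda: {f: set() for f in SYNCED_FIELDS})
    locked_by: str = None                       # origin ref while this item is a destination

class MappingModel:
    def __init__(self, items):
        self.items = {i.ref: i for i in items}
        self.maps = {}                          # origin ref -> set of destination refs

    def _sync(self, origin, dests):
        src = self.items[origin]
        for d in dests:
            dst = self.items[d]
            dst.treatment = {f: set(src.treatment[f]) for f in SYNCED_FIELDS}
            dst.locked_by = origin

    def add(self, origin, destinations):
        # saving a new mapping copies the origin's treatment straight away
        self.maps[origin] = set(destinations)
        self._sync(origin, self.maps[origin])

    def edit(self, origin, destinations):
        old, new = self.maps.get(origin, set()), set(destinations)
        self.maps[origin] = new
        for d in old - new:                     # removed items keep what they had
            self.items[d].locked_by = None      # (assumed: no longer read-only)
        self._sync(origin, new - old)           # newly included items are synchronized

    def delete(self, origin):
        # deleting a mapping leaves every item's treatment exactly as it was
        for d in self.maps.pop(origin, set()):
            self.items[d].locked_by = None

    def set_treatment(self, ref, field_name, values):
        item = self.items[ref]
        if item.locked_by is not None:          # destinations cannot be edited
            raise PermissionError(f"{ref} is synchronized from {item.locked_by}")
        item.treatment[field_name] = set(values)
        if ref in self.maps:                    # an origin pushes every change down
            self._sync(ref, self.maps[ref])
```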
Linking GRC Elements
The form that handles this is self-explanatory. Bear in mind that not all fields are mandatory, so the way you describe each item is entirely up to you. If you haven't used Eramba before, we recommend you prepare all your controls and policies in a CSV file, import them and then simply do the linking.
Our template standards include ready-to-import controls and policies for ISO, PCI, and HITRUST. Please review our documentation guides.
Creating Audit Findings
The form is simple; you should not have any trouble completing it. Keep in mind the statuses “Open” and “Closed”: if a finding is “Open” and its deadline is in the past, the status “Expired” is triggered.
Additional Features
Notifications
Please review the notifications documentation on how to configure these notifications. Here are a few ideas on the types of notifications you can use:
Section: Compliance Management / Compliance Analysis Finding; Type: Attachments & Comments; Use: Notify the item owner every time a comment or attachment is included.
Section: Compliance Management / Compliance Analysis Finding; Type: Awareness; Use: Reminder to the finding owner that there is an item assigned to them.
Section: Compliance Management / Compliance Analysis Finding; Type: Filter; Use: Weekly report listing all compliance findings which will soon reach their deadline or have already passed it.
Section: Compliance Management / Compliance Analysis Finding; Type: Warning; Use: Send reminders 30, 15, 10, 5, etc. days before the deadline for any given finding.
Filters
The system comes with multiple filters already created (these cannot be removed or modified), and many more can be created to help manage the system.
Reports
The system comes with multiple system reports already created (these cannot be removed or modified), and many more can be created to help manage the system. Please review the report documentation to understand the full capabilities of this feature.
ANNEX
Compliance Package CSV Format
You may also use the pre-compiled packages (listed below) to see examples of how a custom compliance package can be produced. You will need to prepare a CSV file (Excel can deal with CSV very easily) with the seven fields (Compliance Package ID, name, description; Compliance Package Item, name, description, question) completed.
WARNING
● Make sure you have all 7 required columns;
● If you are using Microsoft Excel, you need to save the spreadsheet as “Windows CSV” (not DOS CSV);
● Make sure all cells have some text; if you don't have anything to put in a cell, just write “Empty” or similar so the cell is NOT empty;
● Sometimes when exporting spreadsheets to CSV, empty lines are created at the bottom of the CSV file; check with “notepad” or similar that none have been created.
You may want to download an existing CSV file from our website as an example to follow.
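The column-count, empty-cell and trailing-line rules above are easy to check before an import attempt. The validator below is an added example, not eramba's import code: it assumes the file has already been decoded to text (so it does not check the Windows vs DOS encoding choice), that there is no header row, and the sample rows are constructed for illustration.

```python
import csv
import io

EXPECTED_COLUMNS = 7   # package ID, name, description; item, name, description, question

def validate_package_csv(text):
    """Return a list of problems found in a compliance package CSV (already
    decoded to text); an empty list means the file meets the rules in this guide."""
    rows = list(csv.reader(io.StringIO(text)))
    # Spreadsheet exports often append empty lines at the bottom; count and drop them
    trailing = 0
    while rows and all(cell.strip() == "" for cell in rows[-1]):
        rows.pop()
        trailing += 1
    problems = []
    for n, row in enumerate(rows, start=1):
        if len(row) != EXPECTED_COLUMNS:
            problems.append(f"row {n}: {len(row)} columns, expected {EXPECTED_COLUMNS}")
            continue
        for col, cell in enumerate(row, start=1):
            if cell.strip() == "":
                problems.append(f"row {n}: column {col} is empty (write 'Empty' instead)")
    if trailing:
        problems.append(f"{trailing} empty trailing line(s) at end of file")
    return problems

# Constructed sample (no header row, an assumption): one good row, one row with an
# empty cell, one row that is short a few columns, and two trailing empty lines
SAMPLE_CSV = (
    "PCI-DSS,Payment Card Industry DSS,Card data standard,1.1,"
    "Firewall configuration,Install and maintain a firewall,Is a firewall in place?\n"
    "PCI-DSS,Payment Card Industry DSS,Card data standard,1.2,"
    ",Restrict inbound connections,Are inbound connections restricted?\n"
    "PCI-DSS,Payment Card Industry DSS,Card data standard,1.3,Missing columns\n"
    "\n\n"
)

if __name__ == "__main__":
    for problem in validate_package_csv(SAMPLE_CSV):
        print(problem)
```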
Pre-Compiled CSV Packages
201 CMR 17.00 (Massachusetts General Law Chapter 93H): https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h
HITRUST v8 (version 8): https://hitrustalliance.net/