The primary objective of the IT GRC Process Management Pack is to help you implement IT GRC control and risk management in your organization. The first scenario for implementing an IT GRC management program uses the predefined control objectives in the IT GRC Process Management Pack. In this scenario, you will create a program and then select its scope, authority documents, control objectives, and control activities. You will then customize the predefined controls, create a control activity for a control objective, and then view the compliance status of the control activities in the IT GRC Process Management Pack reports.

To implement an IT GRC management program using predefined control objectives in the IT GRC Process Management Pack, complete the steps in the following list. Detailed information about each step is provided in the subsections that follow the list.

  1. Import the IT Compliance Management Library (IT CML) Management Pack.

  2. Create an IT GRC management program.

  3. Add a scope to the program.

  4. Create control objectives and control activities for the program.

  5. Approve the IT GRC management program.

  6. Create a manual control activity for a control objective.

  7. Add the control activity to the control objective.

  8. Activate the new control activity.

  9. Add the results of a control activity.

  10. Create a program readiness review.

Step 1: Import the IT Compliance Management Library Management Pack

As part of the IT GRC Process Management Pack installation process, a set of control objective templates was imported from the Microsoft Control Pack. A set of control activity templates that is intended to work with those control objective templates is included with the IT Compliance Management Library Management Pack. Import the IT Compliance Management Library Management Pack using the following table and instructions.

Note
For additional information on importing and using the IT Compliance Management Library Management Pack, see the “Step 1: Import the IT Compliance Management Library Configuration Pack into System Center Service Manager” section in the IT Compliance Management Library Deployment Guide and the ITCML_ReleaseNotes file that is included with the IT Compliance Management Library Management Pack.

Information needed

Value

<target_folder>

Fully qualified path to the folder where the IT GRC Process Management Pack is extracted

<management_pack_name>

Microsoft.IT.Compliance.WindowsServer7.Library.xml

Microsoft.IT.Compliance.WindowsServer2008.Library.xml

To import a GRC Library Management Pack into System Center Service Manager

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Administration.

  3. In the Administration pane, click Management Packs.

  4. In the Tasks pane, click Import Management Packs.

    The Select Management Packs to Import dialog box displays.

  5. In the Select Management Packs to Import dialog box, go to <target_folder>, click <management_pack_name>, and then click Open (where target_folder is the folder where the IT GRC Process Management Pack is extracted and management_pack_name is the name of the management pack to be imported).

    The Import Management Packs dialog box displays.

  6. In the Import Management Packs dialog box, click Import.

    The progress bar for the import process displays. Allow some time for the import process to complete, and verify that the status message in the Management Pack Details text box indicates that the management pack imported successfully.

  7. In the Import Management Packs dialog box, click OK.

    The name of the imported GRC Library Management Pack displays in the list of management packs in the Results pane.
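The same import can be scripted and verified from PowerShell, which is useful when the two library packs have to be imported on several management servers. The following script is an added example and is not part of the IT GRC Process Management Pack documentation or product; it assumes the Service Manager 2010 PowerShell snap-in (SMCmdletSnapIn, with the Import-SCSMManagementPack and Get-SCSMManagementPack cmdlets and the parameter names used below) is installed on the machine where it runs, and that $targetFolder is a placeholder for <target_folder>. Before each import it reads the pack's identity from the XML manifest, and after each import it confirms that a pack with that identity is now registered, which is the scripted equivalent of checking the "imported successfully" status message in step 6.

```powershell
# Added example, not from the IT GRC Process Management Pack documentation.
# Assumes the Service Manager 2010 snap-in name, cmdlet names and the
# -Fullname / -Name parameter names below; adjust if your build differs.
Add-PSSnapin SMCmdletSnapIn -ErrorAction Stop

$targetFolder = 'C:\ITGRC'   # placeholder for <target_folder>
$packs = @(
    'Microsoft.IT.Compliance.WindowsServer7.Library.xml',
    'Microsoft.IT.Compliance.WindowsServer2008.Library.xml'
)

foreach ($file in $packs) {
    $path = Join-Path -Path $targetFolder -ChildPath $file
    if (-not (Test-Path -Path $path)) {
        throw "Management pack file not found: $path"
    }

    # Read the pack's own identity (ID and Version) from its manifest before
    # importing it, so you know exactly which pack and version will be loaded.
    [xml]$mp = Get-Content -Path $path
    $id      = $mp.ManagementPack.Manifest.Identity.ID
    $version = $mp.ManagementPack.Manifest.Identity.Version
    if (-not $id) { throw "No management pack identity found in $path" }
    Write-Host "Importing $id version $version from $path"

    Import-SCSMManagementPack -Fullname $path

    # Equivalent of the success check in step 6: the pack must now be
    # registered on the management server under the identity read above.
    $installed = Get-SCSMManagementPack -Name $id
    if (-not $installed) {
        throw "Import of $id did not register a management pack"
    }
    Write-Host ("Installed: {0} version {1}" -f $installed.Name, $installed.Version)
}
```

Run the script on the management server as an account that has Service Manager administrator rights; an import that fails (for example, because a pack the library depends on has not been imported yet) stops the script at the throw rather than leaving the second pack half-applied.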

Step 2: Create an IT GRC Management Program

Programs define a boundary for the compliance and risk process efforts or projects in your organization. Programs also define the security within that boundary by assigning user permissions in the program, which allows tasks to be delegated based on user roles within the program.

Programs also establish a boundary for other IT GRC items, such as items in the Risk Management and Control Management folders. This boundary allows the program manager to manage risks and controls specifically for the program.

Create a new program using the following table and instructions.

To create a new program

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager console, in the navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the Program Management/All Programs location.

  4. In the Tasks pane, click Create Program.

    The Program Management <program_id -- status> dialog box appears (where program_id is the unique identifier for the new program being created and status is the program status).

  5. Complete the Program Management <program_id -- status> dialog box using the information in the following table, and then click Apply and OK (where program_id is the unique identifier for the new program being created and status is the program status).

    Tab

    Description

    General

    Contains basic information about the program, including:

    · Title of the program: Credit Card Processing Compliance Program

    · Owner of the program.

    · Co-owner of the program.

    · Business justification for the program.

    · Configuration items to include as a part of the program scope.

    · Authority documents to include as a part of the program scope.

    Framework

    Contains a hierarchy of items within the program and buttons for adding the items, including program categories, risks, control objectives, and control activities.

    Approval

    Contains a list of the program change requests.

    Settings

    Contains the configuration settings for the program, including:

    · Default threshold for the program control activity.

    · Default workflow settings, which specify whether approval is required for control objectives or risks associated with this program and, if so, the default approver.

    · List of supporting control activities and the threshold for each control activity.

    · List of supporting control objectives.

    History

    Contains a list of all changes to the program.

  6. In the Tasks pane, click Refresh.

    The details pane in the All Programs view refreshes to display a list of all programs, including the new program.

Each new program must be approved before the program can be published and used. The approval process is done through a Service Manager review activity.

Step 3: Add a Scope to the Program

Scopes allow you to limit the number of computers that are included in a program. You can add multiple scopes to a program so that you can precisely target the program to the appropriate managed devices in your environment. Add a scope to your program using the following table and instructions.

Information needed

Value

Title

Credit Card Processing Compliance Program

Scope

Computers, groups of computers, or service maps that you wish to target for the new program.

To add a scope to an existing program

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.

  4. In the Results pane, click <program> (where program is the name of the program to which you want to add a scope).

  5. In the Tasks pane, click Edit.

    The Program Management form appears with the information for the program.

  6. In the Program Management form, on the General tab, in the Scope section, in the Configuration Items in Scope list box, click Add.

    The Select objects dialog box appears.

  7. In the Select objects dialog box, click <configuration_items>, click Add, and then click OK (where configuration_items are the configuration items you want to include in the program, such as individual computers, groups of computers, or service maps).

    The items appear in the Configuration Items in Scope list box.

  8. In the Program Management form, click OK.

Step 4: Create Control Objectives and Control Activities for the Program

After you create a program, you are ready to create control objectives and control activities for the program (in this example, the Credit Card Processing Compliance program). Creating control objectives and control activities for the program defines which control objectives are to be accomplished in the program. Import the control objectives and control activities to the program using the following table and instructions.

Note
As you run the Create Controls from Library Wizard, look at the number of control activities that are created for the program. This illustrates the dramatic reduction of effort required to implement an IT GRC management program because of the number of predefined control activities that are automatically created for the program.

Information needed

Value

Title

Credit Card Processing Compliance Program

<libraries>

Microsoft.ControlActivity.WinSrv08.Library

Microsoft.ControlActivity.SystemCenter.Library

Microsoft.ControlObjective.Library

<program_category>

None

<document_category>

Payment Card Guidance

<authority_document>

PCI DSS 1.2

Amex DSS

<control_objective>

Select All

<control_activity>

Select All

To create control objectives and control activities for an existing program

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.

  4. In the Results pane, click <program> (where program is the name of the program to which you want to import control objectives and control activities).

  5. In the Tasks pane, click Create Controls from Library.

    The Create Controls from Library Wizard appears.

  6. Complete the following pages in the Create Controls from Library Wizard using the provided information.

    1. On the Before you Begin wizard page, click Next.

      On the Program Selection page

    2. In Select a Program that you own, where the Control Objectives and Activities will be Imported, select <program> (where program is the name of the program to which you want to import control objectives and control activities).

    3. Click Next.

      On the Library Selection page

    4. In the left list box, select the check box next to <libraries> (where libraries include one or more libraries that contain the category, control objective, or control activity templates) and then click Add.

      Note
      The “Microsoft.ControlObjective.Library” file contains all of the predefined control objective templates which can be used in your program. The four “Microsoft.ControlActivity.<Product>.Library” files are part of the IT Compliance Management Library series. These libraries contain predefined control activity templates developed for the respective Microsoft technologies and designed to work in conjunction with the control objective templates. Using the predefined control activities can dramatically reduce the effort required to implement an IT GRC management program.
      Tip
      You can search for specific libraries by typing in some portion of the library name in the text box above the left list box.

      The libraries appear in the right list box.

      Tip
      You can remove one or more libraries from the right list box by selecting the check box next to a library and then clicking Remove.

    5. Click Next.

      On the Authority Document Selection page

    6. In Category, select <document_category> (where document_category is the category of the type of authority document you want to select). If you do not select a category, all authority documents are displayed.

      Tip
      You can search for specific authority documents by typing in some portion of the authority document name in the text box above the left list box.

    7. In the Authority Documents list box, click the check box next to each <authority_document>, and then click Add (where authority_document is the name of the authority documents that you want to select). You can select as many authority documents as required by your program.

      The authority documents appear in the right list box.

      Tip
      You can remove one or more authority documents from the right list box by selecting the check box next to an authority document and then clicking Remove.

    8. Click Next.

      On the Control Objective Selection page

    9. In Select Control Objectives, select the check box next to each <control_objective> or select the Select All check box to select all control objectives (where control_objective is one or more control objectives that you want to select). You can select as many control objectives as required by your program.

    10. Click Next.

      On the Control Activity Selection page

    11. In Select Control Activity Libraries, select the check box next to each <control_activity> or select the Select All check box to select all control activities (where control_activity is the control activity that you want to select). You can select as many control activities as required by your program.

    12. Click Next.

      On the Summary page

    13. Review the list of control objectives and control activities to be imported.

    14. Click Create.

      Note
      This process can take a number of minutes depending on the number of control objectives and control activities to import.

      On the Completion page

    15. Review the status of the import process.

    16. Click Close.

  7. In the Results pane, click <program> (where program is the name of the program in which you imported the control objectives and control activities).

  8. In the Tasks pane, click Edit.

  9. In the Program Management dialog box, on the Framework tab, in Expand to, click Level 7, and then click Expand.

    The framework hierarchy of the program is displayed in the Framework list box. Review the list of control objectives and control activities that have been added to the program.

  10. In the Program Management dialog box, click OK.

Step 5: Approve the IT GRC Management Program

After you create the control objectives and control activities for the program you created (in this example, the Credit Card Processing Compliance Program), you are ready to publish the new program using the Publish Program task. You publish a program in order to change its status from Draft to Published and use the program in your production environment.

Publish the program using the following table and instructions.

Information needed

Value

Program

Credit Card Processing Compliance Program

To publish an existing program

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.

  4. In the Results pane, click <program> (where program is the name of the program that you want to publish).

  5. In the Tasks pane, click Publish Program.

    The Results pane in the All Programs view refreshes to display the list of all programs. The status of a program just after you create it is set to Draft. The status of the program after you publish it is set to Pending, and this action also initiates a Service Manager review activity. After the review activity is approved, the status of the program is set to Published, and the program appears in the Programs: Published view.

Step 6: Create a Manual Control Activity for a Control Objective

You can create new manual control activities based on the requirements of your organization, without using a template.

Create a manual control activity using the following table and instructions.

Information needed

Value

Program

Credit Card Processing Compliance Program

Owner

User account that is to be the owner of the new manual control activity

<control_objective_title>

Policy Needs Assessment

<control_activity_title>

Assess the applicability of program policies to current e-commerce web application.

<control_activity_description>

Determine whether the program policies affect the e-commerce web application.

<control_activity_type>

Detective

To create a new manual control activity

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to All Compliance and Risk Items/Control Management/Control Activities/Manual Control Activities/All Manual Control Activities.

  4. In the Tasks pane, click Create Manual Control Activity.

    The Control Activity <CAID> - New dialog box appears (where CAID is the identity of the new control activity).

  5. Complete the tabs on the Manual Control Activity <CAID> – New dialog box using the information in the following table, and then click OK (where CAID is the identity of the new control activity).

    Tab

    Description

    General

    Contains basic information about the control activity, including:

    · Title of the control activity.

    · Description of the control activity.

    · Owner of the control activity.

    · User the control activity is assigned to.

    · Type of control activity, which you can set to: Corrective, Detective, or Preventive.

    · If the control activity can be shared, which can be set to Yes or No.

    · The classification level for the control activity, which can be set to a value between 1 and 5.

    · The classification priority for the control activity, which can be set to a value between 1 and 5.

    · Control objectives that the control activity supports.

    Framework

    Contains a hierarchy of items within the selected program, including program categories, risks, control objectives, and control activities.

    Procedure

    Contains information about the procedures to perform to complete the control activity, including:

    · A description of implementation method for the control activity.

    · A statement about the gap to be resolved by implementing the control activity.

    · Additional guidance to perform the control activity.

    Validation

    Contains information about the procedures to validate the completion of the control activity, including:

    · A summary description of the test to be performed to validate the completion of the control activity.

    · A description of the test criteria used to validate the completion of the control activity.

    · A description of any gaps that might exist in the validation tests.

    Results

    Contains a list of the possible results for the control activity, which you can set to: Error, Compliant, Non-Compliant, or Unknown. Each result includes the owner of the results and any additional details of the result.

    Related Items

    Contains other items managed in the Compliance and Risk Items pane that relate to this control activity, including:

    · List of related incidents.

    · List of related control activities.

    · List of related risks.

    · List of related work items.

    · List of attached files.

    Tip
    On lower-resolution computer displays, you can click the arrow next to each item to collapse or expand the list of related items.

    History

    Contains a list of all the changes made to the control activity.

    The completed Manual Control Activity <CAID> - New dialog box closes (where CAID is the identity of the new control activity). The Results pane in the All Manual Control Activities view refreshes to display the list of control activities.

Step 7: Add the Control Activity to the Control Objective

After you create the control activity for the control objective, you are ready to add the control activity to the control objective.

Add the control activity to your control objective using the following table and instructions.

Information needed

Value

Program

Credit Card Processing Compliance Program

<control_objective_title>

Policy Needs Assessment

<control_activity_title>

Assess the applicability of program policies to current e-commerce web application.

To add a control activity to a control objective in an existing program

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.

  4. In the Results pane, click <program> (where program is the name of the program that you want to modify).

  5. In the Tasks pane, click Edit.

    The Program Management property dialog box appears.

  6. In the Program Management dialog box, on the Framework tab, in Expand to, click Level 7, and then click Expand.

    The framework hierarchy of the program is displayed in the Framework list box.

  7. In the Framework list box, go to <control_objective>, and then click Add Control Activity (where control_objective is the name of the control objective to which you want to add the control activity).

    The Select objects dialog box appears and the list of existing control activities is displayed.

  8. In the Select objects dialog box, click <control_activity>, click Add, and then click OK (where control_activity is the name of the control activity).

    The control activity appears beneath the control objective in the Framework list box.

  9. In the Program Management dialog box, click OK.

    The Results pane in the All Programs view refreshes to display the list of programs.

Each update to a control activity must be activated before the control activity can be put into use. The status of the new control activity is set to Pending and must be activated by using the Activate Control Activity task.

Step 8: Activate the New Control Activity

After you add the control activity to the control objective in the program you created, you are ready to activate the control activity.

Activate a control activity using the following table and instructions.

Information needed

Value

<control_activity_title>

Assess the applicability of program policies to current e-commerce web application.

To activate a control activity

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Control Management/Control Activities/All Manual Control Activities location or the All Compliance and Risk Items/Control Management/Control Activities/All Automated Control Activities location depending on the type of control activity.

  4. In the Results pane, click <control_activity> (where control_activity is the name of the control activity that you want to activate).

  5. In the Tasks pane, click Activate Control Activity.

  6. In the Tasks pane, click Refresh.

    The Results pane in the All Manual Control Activities view or the Active Manual Control Activities view refreshes to display the list of all control activities in that view.

Step 9: Add the Results of a Control Activity in an IT GRC Management Program

After you activate a control activity in your program, you need to set the completion status of the control activity by attesting the results of the control activity. Setting the result of an existing control activity signifies the completion status of the control activity.

Set the result of a control activity in your program using the following instructions.

Tip
You can use the Filter function to find the control activity listed in the following table.

To set the result of an existing control activity

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the System Center Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Control Management/Control Activities/All Manual Control Activities location.

  4. In the Results pane, click <control_activity> (where control_activity is the name of the control activity for which you want to set the result).

    Tip
    The control activity must be activated prior to setting the result of the control activity.

  5. In the Tasks pane, click Add Result.

    The Select Template dialog box appears.

  6. Complete the Select Template dialog box using the information in the following table, and then click OK.

    Information needed

    Value

    Templates

    Compliant

    The Control Activity Result form appears.

  7. Complete the tabs on the Control Activity Result form using the information in the following table, and then click OK.

    Information needed

    Value

    Owner

    User account that has validated the result of the control activity.

    Programs

    Credit Card Processing Compliance Program.

    Details

    The program policies have been assessed and the program policies are applicable to the e-commerce web application.

    Control Activity

    Assess the applicability of program policies to current e-commerce web application.

    Result

    Compliant

  8. In the Control Activity Result form, click OK.

    The Results pane in the All Manual Control Activities view refreshes to display the list of all control activities. The result of the control activity is set to the status that you configured in the Create Control Activity Result dialog box.

Step 10: Create a Program Readiness Review

After you create an IT GRC management program, configure the control objectives for the program, and configure the control activities for the program, you can create a compliance program readiness review. A program readiness review helps the compliance program manager to ensure that all of the control objectives and control activities in the program are ready for an audit or management review. You can perform the readiness review on one or more control objectives in a program, or on the entire program, using the Start Readiness Review wizard.

Create a program readiness review using the following table and instructions.

Information needed

Value

Program

Credit Card Processing Compliance Program

<review_program_work_item_title>

Credit Card Processing Compliance Program Readiness Work Item

<review_start_date>

Today

<review_end_date>

Two months from today

<categories_control_objectives>

PC5 / Policy Needs Assessment

To perform a program readiness review of an existing program using the Start Readiness Review wizard

  1. Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

    The System Center Service Manager Console starts.

  2. In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.

  3. In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.

  4. In the Results pane, click <program> (where program is the name of the program that you want to modify).

  5. In the Tasks pane, click Start Readiness Review.

    The Start Readiness Review wizard starts.

  6. Complete the following pages in the Start Readiness Review wizard using the provided information, and accepting the defaults unless otherwise specified.

    1. On the Before you Begin page, click Next.

      On the Program Selection page

    2. In Program Title, select <program> (where program is the name of the program for which you want to check readiness).

    3. Click Next.

      On the Review Activity Details page

    4. In Review Program Work Item Title, type <review_program_work_item_title> (where review_program_work_item_title is the title you want to assign to the readiness review work item).

    5. In Review Program Start Date, select <review_start_date> (where review_start_date is the starting date for the readiness review work item).

    6. In Review Program End Date, select <review_end_date> (where review_end_date is the ending date for the readiness review work item).

    7. Click Next.

      On the Control Objective Selection page

    8. In Select Categories and Control Objectives, select <categories_control_objectives> (where categories_control_objectives are the categories and control objectives to be selected for the readiness review).

    9. Click Next.

      On the Summary page

    10. Review the list of configuration settings for creating the work item.

    11. Click Create.

      On the Completion page

    12. Review the status of the Control Objectives Summary.

    13. Click Close.

The work item created by the wizard is visible in the Work Items/Activity Management/Manual Activities/All Activities location. For more information about the work items in System Center Service Manager, see the topic "Managing Activities and Changes" in the System Center Service Manager Help, which is included with System Center Service Manager.