Editor’s note: this article was co-authored by product experts Jingcong Zhao and Lisa Bielik.
It doesn’t matter what you call them – issues, findings, exceptions, non-conformities, deficiencies or something else – discovering a problem during an audit is an alarming situation that you’d rather avoid. To improve your chance of passing an infosec compliance audit, issues ought to be identified and remediated in advance of the audit.
Because remediating an issue often requires multiple people and days (or months) of work, visibility into progress is absolutely vital. Hyperproof is a continuous compliance operations platform, and we’ve built functionality to help your organization efficiently document and address issues well before it enters its audit season.
How Our Issues Management Feature Can Help You
Now you may be thinking, we track issues in spreadsheets. Does Hyperproof do something more valuable than that?
The answer is a resounding, “Yes.”
Hyperproof allows you to track issues in the context of everything else you care about. You can create issues on all major Hyperproof objects and modules:
- A program
- A particular control
- An audit
- An individual audit request
- A label
- The risk register
- A risk item within a risk register
This means that an issue can be created once and linked to multiple related objects. For instance, you may document one issue one time that addresses three audit findings, or you may create one issue that’s linked to a couple of controls and a risk in Hyperproof.
Linking an issue to the objects that issue relates to provides another benefit: it allows you to automatically identify the problematic areas in your compliance/risk management program that need attention.
Hyperproof can automatically calculate and update the health of your controls, risks and programs based on variables like freshness of evidence, number of tasks, and number of past due tasks linked to an object. It’s no different with issues: you can configure Hyperproof to automatically update the health of controls and risks (when they are linked to controls) in your account based on properties on issues. For instance, you may want to see controls show up as “at risk” if they are linked to open issues, or you may want to see controls as “critical” if you have linked open issues that are also past due.
How to Create and Monitor Issues in Hyperproof
Creating an Issue
You can create an issue on the following objects and modules: programs, controls, labels, audit requests, risks and vendors. You can also create an issue from the My Work page, but the issue must be linked to a source (e.g., a control).
Each issue comes with a standard set of fields to be filled out:
- The Summary field where you can enter a summary of the issue and the potential result if the issue isn’t remediated (required)
- A Description field where you can detail the issue
- The Action Plan field where you can enter the team’s plan to remediate the issue (Note: You may choose to link Tasks to the issue as an alternative way to document your remediation plan)
- The Impact drop-down where you can enter the impact this issue has on your organization if it isn’t resolved
- The Assignee drop-down menu to select the individual responsible for the issue
- The Business Owner drop-down menu to select the individual who owns the issue
- The Status drop-down menu to select a status that represents the current state of the issue
- The Due Date field to indicate the date by which the remediation should be completed
- The Discovered On field to indicate the date on which the issue was discovered
You can also add custom fields to issues to track other properties that are important to you. Some of the popular additional fields our customers use include:
- Source category
- Issue type
- Source sub-category
- Business unit
You can easily import your organization’s issues via CSV.
Adding a New User to an Issue
To view an issue, a user must be a member of the issue’s related object (e.g., a control) or be added directly to the issue’s facepile. If you want to see all issues in an organization, you must either be a member of all objects or be added to all issues directly by the individuals who create them. Additionally, we recommend that Hyperproof Administrators be members of all related objects so they do not miss any issues.
To see details on roles and permissions on issues, see our product documentation.
Linking Objects to an Issue
You can link the following objects to an issue:
- Proof: this could be documents showing that the activities in your Action Plan have been completed.
- Tasks: instead of using the native Action Plan field in issues, you may choose to add Tasks to the issue as an alternative way to track remediation of an issue.
- Affected Objects: these are objects whose health can be affected or impacted by an issue. Affected objects include Programs, Controls, Labels, Audits, Risk, Vendor, or My Work. For controls and labels, you must select the control or label you want the issue linked to.
Customizing Health Rules Based on Issues
By default, if you have a past due issue linked to a control, the control is automatically labeled as At risk regardless of the control’s other health settings, e.g. implementation status, freshness status, etc. However, administrators in Hyperproof can modify this rule via Settings > Health.
For more information on how controls affect the overall health of your program, please refer to our help article, Managing the Health of Your Program. For steps on how to customize the default health settings, please refer to Customizing the Health of Your Program.
Viewing Issues on Dashboards
Hyperproof provides multiple views to help you quickly see what issues are outstanding and which ones need work. You can see an overview of all issues you’ve created or been assigned to in the Issues tab of the My Work page. You can find an Issues tab under each program, audit, label or risk register if you’ve created issues that are linked to these objects.
Certain compliance authorities and governing bodies need to see your POA&M (plan of action and milestones) in a specific format. If you’re using Hyperproof to track and manage issues, you can export the issues you want in bulk as a formatted report in a couple of clicks.
What’s Next for Issues Management
Hyperproof has made it our priority to build the world’s most flexible, efficient, and powerful platform for managing compliance, risk management, and audit workflows. Rolling out an issues management system in our platform helps our customers stress less knowing that they have a single place and an efficient means to track and manage all remediation projects.
In the coming months, we will continue to make enhancements to our project management functionality to make this aspect of the platform increasingly valuable to our customers. For instance, we’ll release a new My Work overview dashboard that highlights issues and all other outstanding work items in an organization in a clear, actionable manner for all parties that work on compliance and risk projects.