Mappings(Relations) Functionality for GRC Platform

GRC platforms are designed to allow relations between various GRC objects. Controls might be linked to assets, risks, organizations, Authority etc.

To provide the ability to manage mappings efficiently, the Mappings functionality should be available and also very user friendly. Mappings should not only be available from within the object, but rather implemented as a mappings layer, where any object can be quickly selected and mapped to another object.

UI requirements:

1. Mappings should be performed on one screen, without the need to switch anywhere else.
2. Screen should be separated into two sections (left and right).
3. Left section:
   • Dropdown will allow to select one object as Level-1 selection from
     • Library Category(Risk, Control, Asset, Organization, Authority, Control Baseline, Document, Glossary, Data Classification, Data Collection, Data Attribute)
     • Risk Management Object (Initiative, Objective, Task, Issue, Action, Attestation, Control Testing, Assessment)
   • When Level-1 selection is complete, Level-2 selection dropdown called “Type” is presented. Level 2 selection will allow to subset the Level-1 types, or to show “all”. By Default, it is empty and awaiting user input
   • When Level-2 selection is complete, it will show the Level-3 dropdown with options:
     • Some level-3 objects do not have level-4 objects: Controls, Risks, Asset, Control Baseline, Glossary, Data Classification, Data Collection, Data Attribute, Initiative, Objective, Task, Issues, Actions, Control Testing, Attestations. Some objects might of might not have Level3 like some policies might or might not have them
     • Tier-3 objects, for example, in Authority will have level-4 authority requirements. Tier4 objects in Policy, might or might not have specific Policy requirements.
     • Level3 dropdown will show “All” option that will list all level3 objects, if selected.
     • In addition to “All”, Level3 dropdown will also show specific Level-3 objects that have Level-4 objects under them. If specific Level 3 object is selected, then display the list of Level-4 objects in the list of items that require mappings.
     • Example without level4: when user picks “All” option as level 3, then the list of all controls that fit level-2 filter will show under the selection we just performed.
     • Some Objects will have sub-objects under them. For example, if we selected “Authority” as Level 1, “Framework” type as Level2, and selected NIST CSF as Level 3, then the list will show “items” under NIST CSF, also in a tree format.
   • Between the list of final objects (whether level-3 of level 4 is shown) and the Level3 dropdown show the following options:
     • 3 buttons inline: All, Mapped, Unmapped
       • These buttons will only show when the right section (level3 or level4 objects) is displayed. It will indicate relation to objects on the right.
       • “All” will display all objects (selected by default)
       • “Mapped” will filter out only items that already have mappings to any objects on the right side
       • “Unmapped” will filter out only items that do not have any mappings to any objects on the right
     • Search box with search button, and “Clear” (if any selection is set on the left) button
       • When you Type in search box and click “find” button, it will filter out Level3 or level4 based on search. “clear search” “x”-button within the search field will remove search and will show all level3 or level4 objects
   • Level 3 or 4 will be displayed in a tree view, will have a checkbox on the left, ID of the record and an indicator whether there is a mapping to any right side objects.
     • When you hover of the “mappings” indicator, it will show a modal with the list of items the specific record is linked to (all mappings, not just to the relation of the right section)
4. Right section
   • Same ability to select level1,level2,level3, level 4 objects
   • “All”, “Mapped”, “Unmapped” will work to show relation based on the selection of the left. If there is no selection of the left, and user selects “unmapped”, it will filter right section to indicate objects that have no mapping to anything that fits level 3/4 on the left
   • After “All”, “Mapped”, “Unmapped” buttons, on the next line, show the “AI Assist” button.
     • When pressed, it will submit an API request to check the correlation between item selected on the left and item shown on the right. As a result, it will display “(AI Match: 50% certainty)” for each visible record on the right.
5. Workflow
   • Only 1 checkbox can be selected at the same time on the left side of the screen and that selection will allow to map one or many objects on the right.
   • When checkbox is checked, for usability, the selected item will appear under the search bar as a helper button with the “x” on the right side that will allow the user to remove the selection. User can also remove the selection by unchecking the box they previously checked. Unchecking will remove the “helper button”.
   • Each mapping is bi-directional.
   • When Left section checkbox is checked on level3 or 4, and the right section objects at level3 or 4 are visible, they will
     • Indicate whether there is a mapping by having right checkboxes preselected based on the left section selection
     • Unchecking checkbox on the right will remove the mapping
     • Checking checkbox on the right will create a mapping in relation to one selected object on the left
   • When the left and right sections are shown, the left section, next to each record there should be an indicator on the right side of the record name showing whether the object on the left is already mapped to something on the right.
     • Blue circle with checkmark indicates that there is mapping somewhere within the selection on the right
     • Grey circle with checkmark indicates mapping within other objects outside of the items on the right
     • No circle indicates there are no mappings to any objects on the platform
6. Data integrity – only for Level 4 objects
   • For left section:
     • When mapping Level 4 object to another object, the system must check whether Level 3 object, that Level4 belongs to, is also mapped to selected object. If not, the system must use the specific toggle called “Auto Map Parent Library Objects” to whether to create that mapping
     • When un-mapping last Level 4 object (no other L4 objects on the left are mapped to anything to the right) from another object, the system must check whether Level 3, that Level4 belong has any mappings to the object we are trying to un-map from. If yes, and the user managed “Auto Remove Parent Library Objects” toggle is checked, then the system must remove that L3 mapping as well
     • “Auto Map Children” toggle will monitor whether user has selected the “parent” L4 that has children. If toggle is checked and parent is selected, then all children will get mapped to the same object that was selected on the right side.
     • For Right section:
       • “Auto Map all Children if parent is selected” toggle will also select and map all children when parent object is selected
       • “Auto Remove Children” will also unselect and un-map all children when parent object is selected

Mock Design:

There must be a separate “object relations” configurable area where the platform admin can predefine what objects can be related to other objects. (This requirement will be captured separately outside of this scope)