Controls & Assessments

Controls and assessments form the operational heart of your compliance program. Controls define how you implement your policies in practice, while assessments verify that controls are working effectively across your IT infrastructure. This ongoing cycle of implementation and verification ensures your compliance program delivers real protection and meets regulatory requirements.

Understanding Controls

What Are Compliance Controls?

Controls are specific procedures, processes, or activities that implement your policy requirements:

  • Policy Statement: "User access must be reviewed quarterly"
  • Implementation Control: "Quarterly User Access Review Process"
  • Control Activities: Review user lists, verify business justification, document findings, remove unnecessary access

Types of Controls

Preventive Controls

Stop problems before they occur:

  • Multi-factor authentication prevents unauthorized access
  • Change approval processes prevent unauthorized system modifications
  • Data encryption prevents unauthorized data access
  • Segregation of duties prevents fraud and errors

Detective Controls

Identify problems when they occur:

  • Log monitoring detects suspicious activities
  • Access reviews identify inappropriate access
  • Vulnerability scans detect security weaknesses
  • Financial reconciliations detect accounting errors

Corrective Controls

Fix problems after they're identified:

  • Incident response procedures address security breaches
  • Access removal processes eliminate inappropriate access
  • Patch management fixes security vulnerabilities
  • Remediation workflows address compliance gaps

Creating Effective Controls

Starting a New Control

  1. Navigate to Controls Management

    • Go to Compliance → Controls in your NopeSight dashboard
    • Click Create New Control to begin
  2. Define Control Basics

    • Control ID: Unique identifier (e.g., "AC-001" for Access Control 001)
    • Control Title: Clear, descriptive name (e.g., "Quarterly User Access Review")
    • Control Type: Preventive, Detective, or Corrective
    • Description: Detailed explanation of what the control does and how it works
  3. Set Control Importance & Weighting (v3.7.3+)

    • Priority: Classify control importance (Critical, High, Medium, Low)
    • Weight: Assign numeric weight (1-10 scale) for compliance scoring
    • Rationale: Document why this weight/priority was assigned
    • Impact: Higher weights contribute more to overall compliance scores
    • Guidelines:
      • Critical priority: 9-10 (SOX controls, security-critical controls)
      • High priority: 7-8 (Important operational controls)
      • Medium priority: 4-6 (Standard controls)
      • Low priority: 1-3 (Documentation, awareness controls)
  4. Map to Policy Statements

    • Link the control to specific policy statements it implements
    • Ensure clear traceability from policy requirement to control implementation
    • Document how the control fulfills the policy requirement
  5. Assign Ownership

    • Control Owner: Person responsible for ensuring the control operates effectively
    • Process Owner: Person responsible for the business process the control operates within
    • Contact Information: How to reach owners for questions or issues

Configuring Assessment Scheduling

One of the most powerful features is automatic assessment generation based on control frequency:

Assessment Frequency

Choose how often this control should be assessed:

  • Continuous: Always active (e.g., access controls, encryption)
  • Daily: High-risk areas requiring frequent monitoring
  • Weekly: Regular operational controls
  • Monthly: Periodic reviews and reconciliations
  • Quarterly: Comprehensive reviews and assessments
  • Semi-Annual: Mid-year reviews
  • Annual: Strategic reviews and updates
  • Ad-Hoc: On-demand assessments only

Automatic Generation

Enable automatic assessment generation:

  • Toggle On: System automatically creates assessments when they're due
  • Toggle Off: You manually create assessments as needed
  • Auto-Assign: Automatically assigns assessments to the control owner
  • Scheduling: System tracks last generation and next due date

Generate Assessments Now

For immediate assessment needs:

  1. Click "Generate Assessments Now" in the control form
  2. System queues a background job to create assessments
  3. Job processes all applicable profiles and CIs
  4. You receive a confirmation with the job ID
  5. Monitor job progress in the Monitoring dashboard

Understanding Compliance Profiles

Profiles are groups of Configuration Items (CIs) that share common compliance requirements. They connect your controls to your actual IT infrastructure.

What Are Profiles?

Think of profiles as "compliance groups" for your IT assets:

  • Production Database Servers: All database servers in production
  • Development Workstations: Developer machines requiring specific controls
  • Critical Network Devices: Routers and switches supporting critical services
  • Executive Systems: High-value targets requiring enhanced security

Why Use Profiles?

Profiles enable infrastructure-aware compliance:

  1. Scalability: Apply one control to hundreds of systems automatically
  2. Accuracy: Assessments target the actual systems requiring compliance
  3. Visibility: See exactly which systems are compliant or non-compliant
  4. Automation: Systems automatically get assessed when they match profile criteria

Creating a Compliance Profile

  1. Navigate to Profiles

    • Go to Compliance → Profiles
    • Click Create New Profile
  2. Profile Basics

    • Profile Key: Short identifier (e.g., "PROD-DB")
    • Profile Name: Descriptive name (e.g., "Production Database Servers")
    • Description: What this profile represents and why it exists
    • Status: Active profiles generate assessments automatically
  3. Select Controls

    • Choose which controls apply to this profile
    • You can add multiple controls that all apply to these systems
    • Controls will automatically generate assessments for profile members
  4. Define Membership

Choose how CIs become members of this profile:

Option A: Dynamic (Rule-Based)

System automatically includes CIs based on criteria:

Example - Production Databases:

Match: ALL of the following
- CI Type equals "Database Server"
- Environment equals "Production"
- Status equals "Active"

Benefits:

  • New systems automatically included
  • No manual maintenance required
  • Always up-to-date membership
  • Scales to any size infrastructure
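The rule evaluation described above, as an added example that is not NopeSight's own code: it applies the "Production Databases" rule to a handful of constructed CMDB records and returns the member list a profile preview would show. It goes slightly beyond the page by also supporting ANY (OR) matching alongside ALL (AND), so the effect of picking the wrong combinator is visible on the same records. The operator names, the CI attribute keys, and every CMDB record below are assumptions made for the example.

```python
# Added example, not NopeSight's own code: a small evaluator for dynamic
# (rule-based) profile membership. The operator names, the CI attribute keys
# and the CMDB records below are assumptions constructed for the example.
from dataclasses import dataclass, field
from typing import Any, List


@dataclass
class Condition:
    attribute: str   # CI attribute to inspect, e.g. "ci_type"
    operator: str    # "equals", "not_equals", "in" or "starts_with" (assumed set)
    value: Any


@dataclass
class ProfileRule:
    match: str                                   # "ALL" (AND) or "ANY" (OR)
    conditions: List[Condition] = field(default_factory=list)


def condition_holds(cond: Condition, ci: dict) -> bool:
    """Evaluate one condition; a missing attribute never satisfies a condition."""
    actual = ci.get(cond.attribute)
    if actual is None:
        return False
    if cond.operator == "equals":
        return actual == cond.value
    if cond.operator == "not_equals":
        return actual != cond.value
    if cond.operator == "in":
        return actual in cond.value
    if cond.operator == "starts_with":
        return str(actual).startswith(str(cond.value))
    raise ValueError(f"unknown operator {cond.operator!r}")


def rule_matches(rule: ProfileRule, ci: dict) -> bool:
    """Combine the condition results with AND (ALL) or OR (ANY)."""
    if not rule.conditions:
        return False          # an empty rule selects nothing, never the whole CMDB
    results = [condition_holds(c, ci) for c in rule.conditions]
    if rule.match == "ALL":
        return all(results)
    if rule.match == "ANY":
        return any(results)
    raise ValueError(f"unknown match mode {rule.match!r}")


def resolve_members(rule: ProfileRule, cmdb: List[dict]) -> List[str]:
    """Profile preview: the sorted names of every CI the rule currently selects."""
    return sorted(ci["name"] for ci in cmdb if rule_matches(rule, ci))


# Constructed CMDB records for the example (not real systems).
CMDB = [
    {"name": "HANADB01", "ci_type": "Database Server", "environment": "Production",  "status": "Active"},
    {"name": "HANADB02", "ci_type": "Database Server", "environment": "Production",  "status": "Retired"},
    {"name": "ORADB03",  "ci_type": "Database Server", "environment": "Production",  "status": "Active"},
    {"name": "DEVDB01",  "ci_type": "Database Server", "environment": "Development", "status": "Active"},
    {"name": "WEB01",    "ci_type": "Web Server",      "environment": "Production",  "status": "Active"},
    {"name": "LEGACY01", "ci_type": "Database Server", "status": "Active"},   # environment unknown
]

PROD_DB_CONDITIONS = [
    Condition("ci_type", "equals", "Database Server"),
    Condition("environment", "equals", "Production"),
    Condition("status", "equals", "Active"),
]
PROD_DB_RULE = ProfileRule("ALL", PROD_DB_CONDITIONS)        # the page's example rule
PROD_DB_RULE_OR = ProfileRule("ANY", PROD_DB_CONDITIONS)     # same conditions, wrong combinator

if __name__ == "__main__":
    print("ALL:", resolve_members(PROD_DB_RULE, CMDB))     # ['HANADB01', 'ORADB03']
    print("ANY:", resolve_members(PROD_DB_RULE_OR, CMDB))  # every CI: each satisfies one condition
```

The ALL rule selects only the two active production database servers; the ANY rule with identical conditions selects all six records, because every record satisfies at least one condition. That is exactly the "wrong CIs in profile" symptom a preview catches before any assessments are generated against the wrong systems. A CI with a missing attribute (LEGACY01) is deliberately never matched by an ALL rule, so it surfaces as a CMDB data-quality gap instead of silently joining a profile.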

Option B: Manual Selection

You explicitly select which CIs belong:

When to Use:

  • Small, specific groups
  • Exception-based membership
  • Non-standard groupings
  • Temporary compliance scopes

How It Works:

  1. Click "Select CIs"
  2. Browse or search your CMDB
  3. Check the systems to include
  4. Save your selection

Profile Best Practices

Naming Conventions

Use clear, consistent naming:

  • Good: "PROD-DB", "DEV-WORKSTATION", "CRITICAL-NETWORK"
  • Avoid: "Profile1", "Test", "Misc"

Logical Grouping

Group by common compliance needs:

  • Environment: Production vs Development vs Test
  • Function: Database vs Application vs Network
  • Risk Level: Critical vs Standard vs Low
  • Compliance Scope: PCI Systems, HIPAA Systems, SOX Systems

Dynamic When Possible

Prefer dynamic profiles for:

  • Large infrastructure
  • Frequently changing systems
  • Standard system types
  • Predictable categorization

Use manual profiles for:

  • Small exception groups
  • Temporary assessments
  • Custom compliance scopes
  • Systems with unique requirements

How Assessment Generation Works

The Assessment Matrix

When you generate assessments, NopeSight creates an assessment matrix:

Control × Profile CIs = Individual Assessments

Example:
"Data Classification Control"
× "Production Database Servers" (7 servers)
= 7 individual assessments (one per server)

Generation Process

  1. Control Triggers Generation

    • User clicks "Generate Assessments Now", OR
    • Automatic scheduler detects control is due
  2. System Finds Applicable Profiles

    • Identifies all active profiles linked to this control
    • Example: "Prod DB Servers", "Dev DB Servers"
  3. System Resolves Profile Members

    • For dynamic profiles: Runs queries to find matching CIs
    • For manual profiles: Uses explicitly selected CIs
    • Example: Finds 7 production database servers
  4. System Creates Assessment Matrix

    • Creates one assessment per CI per control
    • Sets assessment period (e.g., "2025-Q4" for quarterly controls)
    • Assigns to control owner (if auto-assign enabled)
    • Sets due date based on control frequency
  5. Background Processing

    • Assessment generation runs as a background job
    • Large generations don't block your work
    • Monitor progress in Monitoring → Queue Metrics
    • Check job status via Job ID

Duplicate Prevention

The system prevents duplicate assessments intelligently:

Unique Index: (Control + CI + Period + Tenant)

Example:

  • Control: "Data Classification"
  • CI: "HANADB01"
  • Period: "2025-Q4"
  • Result: Only one assessment can exist for this combination

What This Means:

  • Re-running generation won't create duplicates
  • Safe to click "Generate Now" multiple times
  • System reports: "Created X assessments, skipped Y duplicates"
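The generation process and the duplicate-prevention index described above, as one added example that is not NopeSight's own code: it builds the Control × Profile-CI matrix for a control whose profiles have already been resolved to member CIs, sets the period and due date from the control frequency, auto-assigns the owner, and skips any row whose (Control + CI + Period + Tenant) key already exists, reporting "created X, skipped Y" the way the page describes. The period labels, the due-date convention (last day of the period), the title format, and all records are assumptions made for the example.

```python
# Added example, not NopeSight's own code: the Control x Profile-CI assessment
# matrix with duplicate prevention on the (control, CI, period, tenant) key.
# Period labels, due-date rules, the title format and all records are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    frequency: str          # "monthly", "quarterly" or "annual" (subset of the page's list)
    owner: str
    auto_assign: bool = True


@dataclass(frozen=True)
class Assessment:
    tenant: str
    control_id: str
    ci: str
    period: str
    title: str
    due_date: date
    assigned_to: Optional[str]
    status: str = "Pending"

    def key(self) -> Tuple[str, str, str, str]:
        """The unique index the page describes: Control + CI + Period + Tenant."""
        return (self.control_id, self.ci, self.period, self.tenant)


def _last_day(year: int, month: int) -> date:
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    return first_of_next - timedelta(days=1)


def period_and_due(frequency: str, today: date) -> Tuple[str, date]:
    """Assumed convention: the period label is the calendar period containing
    `today`, and the assessment is due on that period's last day."""
    if frequency == "quarterly":
        quarter = (today.month - 1) // 3 + 1
        return f"{today.year}-Q{quarter}", _last_day(today.year, quarter * 3)
    if frequency == "monthly":
        return f"{today.year}-{today.month:02d}", _last_day(today.year, today.month)
    if frequency == "annual":
        return str(today.year), date(today.year, 12, 31)
    raise ValueError(f"unsupported frequency {frequency!r}")


def generate_assessments(tenant: str, control: Control, profiles: Dict[str, List[str]],
                         store: Dict[tuple, Assessment], today: date) -> Dict[str, object]:
    """Steps 3-4 of the generation process: `profiles` maps each active profile
    linked to the control to its already-resolved member CIs. `store` stands in
    for the assessments table; existing keys are skipped, so re-running is safe."""
    period, due = period_and_due(control.frequency, today)
    created = skipped = 0
    for members in profiles.values():
        for ci in members:
            candidate = Assessment(
                tenant=tenant, control_id=control.control_id, ci=ci, period=period,
                title=f"{control.title} - {ci} - {period}", due_date=due,
                assigned_to=control.owner if control.auto_assign else None,
            )
            if candidate.key() in store:
                skipped += 1            # same Control + CI + Period + Tenant already exists
                continue
            store[candidate.key()] = candidate
            created += 1
    return {"period": period, "created": created, "skipped": skipped}


# Constructed data for the example: one control, two profiles, one CI in both.
DATA_CLASSIFICATION = Control("DC-001", "Data Classification", "quarterly", "alice")
PROFILE_MEMBERS = {
    "Prod DB Servers": ["HANADB01", "HANADB02", "ORADB03"],
    "Dev DB Servers": ["DEVDB01", "HANADB02"],
}
RUN_DATE = date(2025, 11, 15)   # constructed run date that falls inside 2025-Q4


def demo_runs():
    """Generate twice against an empty store; returns both summaries and the store."""
    store: Dict[tuple, Assessment] = {}
    first = generate_assessments("tenant-a", DATA_CLASSIFICATION, PROFILE_MEMBERS, store, RUN_DATE)
    second = generate_assessments("tenant-a", DATA_CLASSIFICATION, PROFILE_MEMBERS, store, RUN_DATE)
    return first, second, store


if __name__ == "__main__":
    first, second, store = demo_runs()
    print(first)    # {'period': '2025-Q4', 'created': 4, 'skipped': 1}
    print(second)   # {'period': '2025-Q4', 'created': 0, 'skipped': 5}
```

The first run creates four assessments and skips one, because HANADB02 is a member of both profiles and the unique key does not include the profile; the second run creates nothing and skips all five. In a real deployment the skip decision belongs to the database's unique index (an insert that violates it is caught and counted), not to an in-memory set, so that two concurrent generation jobs cannot both pass the check.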

Working with Assessments

Assessment List View

View all your assessments in Compliance → Assessments:

Key Columns:

  • Control: Which compliance requirement is being assessed
  • Profile: Which group of systems this relates to
  • CI: The specific system being assessed
  • Title: Full assessment name (auto-generated)
  • Status: Current assessment state
  • Due Date: When assessment must be completed
  • Assigned To: Who is responsible

Filtering:

  • Filter by control to see all assessments for a specific requirement
  • Filter by profile to see all assessments for a system group
  • Filter by status to focus on pending or overdue items
  • Filter by assigned user to see your workload

Assessment Lifecycle

1. Pending (Initial State)

What It Means: Assessment created but work hasn't started

Your Actions:

  • Review the control requirements
  • Understand what needs to be tested
  • Gather necessary access and resources
  • Plan your assessment approach

2. In Progress

What It Means: Assessment work is underway

Your Actions:

  • Execute control tests
  • Collect evidence
  • Document findings
  • Interview stakeholders as needed

3. Compliant

What It Means: Control is operating effectively on this CI

Requirements:

  • Control tested and working as designed
  • Evidence collected and documented
  • No significant issues identified
  • All requirements met

4. Non-Compliant

What It Means: Control has significant issues requiring immediate attention

Requirements:

  • Specific deficiencies documented
  • Impact and risk assessed
  • Remediation plan required
  • Management notification needed

5. Partially Compliant

What It Means: Control mostly works but has minor issues

Requirements:

  • Minor gaps documented
  • Improvement recommendations provided
  • Timeline for enhancement agreed
  • No immediate risk to operations

6. Not Applicable

What It Means: Control doesn't apply to this specific CI

When to Use:

  • CI characteristics changed after assessment creation
  • Control requirements don't fit this specific system
  • System decommissioned or role changed
  • Exception approved by management

Performing an Assessment

Step 1: Open the Assessment

  1. Navigate to Compliance → Assessments
  2. Find your assigned assessment
  3. Click to open the assessment form
  4. Review control requirements and CI details

Step 2: Execute the Assessment

For Automated Controls:

  • Review system logs and configurations
  • Verify automated processes ran successfully
  • Check error logs for failures
  • Validate outputs match expectations

For Manual Controls:

  • Review procedure documentation
  • Interview control operators
  • Observe control execution if possible
  • Test samples if control runs frequently

Step 3: Collect Evidence

Types of Evidence:

  • Screenshots: System configurations, reports, logs
  • Documents: Policies, procedures, sign-offs
  • Reports: System-generated compliance reports
  • Links: References to stored evidence or systems
  • Notes: Interview notes, observations, test results

Upload Evidence:

  1. Click "Add Evidence" in assessment form
  2. Choose evidence type (file, link, screenshot, document)
  3. Upload file or paste URL
  4. Add description explaining what this evidence shows
  5. Evidence is securely stored and versioned

Step 4: Document Findings

Assessment Fields:

  • Score: Optional numeric score (0-100)
  • Findings: Detailed description of what you found
  • Status: Select appropriate status (Compliant, Non-Compliant, etc.)
  • Remediation: If issues found, document required fixes
  • Completion Date: Automatically set when you complete

Writing Good Findings:

  • Be specific about what you tested
  • Reference evidence you collected
  • Explain your conclusions clearly
  • Include both positive findings and issues
  • Provide actionable recommendations

Step 5: Complete the Assessment

  1. Review all information for completeness
  2. Ensure all required evidence is attached
  3. Verify findings are clear and accurate
  4. Click "Save" or "Complete Assessment"
  5. Assessment status updates to final state
  6. Control owner and management notified if needed

Assessment Dashboard and Reporting

Compliance Dashboard

Monitor your overall compliance posture:

Key Metrics:

  • Overall Compliance Score: Percentage of compliant assessments
  • Weighted Compliance Score (v3.7.3+): Importance-adjusted compliance percentage
  • Assessment Status Distribution: Breakdown by status
  • Overdue Assessments: Urgent items requiring attention
  • Recent Activity: Latest assessment completions
  • Trend Analysis: Compliance improving or declining?

Understanding Weighted Compliance Scoring (v3.7.3+)

The system provides two compliance scores:

Simple Compliance Score:

  • Treats all controls equally
  • Formula: (Compliant Controls / Total Controls) * 100
  • Example: 8 compliant out of 10 controls = 80%

Weighted Compliance Score:

  • Accounts for control importance/priority
  • Formula: (Achieved Weight / Total Weight) * 100
  • Gives more credit for compliant critical controls
  • Example with weights:
    • 2 Critical controls (weight 10 each) = 20 points total
    • 8 Medium controls (weight 5 each) = 40 points total
    • If both Critical compliant + 6 of 8 Medium compliant = 50 points achieved
    • Weighted score: (50 / 60) * 100 = 83.3%

When to Use Each Score:

  • Simple Score: Quick overview, equal importance assumed
  • Weighted Score: Accurate risk assessment, prioritizes critical controls
  • Both Together: Complete picture of compliance posture

Achievement Multipliers:

  • Compliant: 100% of control weight counted
  • Partially-compliant: 50% of control weight counted
  • Non-compliant: 0% of control weight counted
  • Not-applicable: Excluded from calculation
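The two scores and the achievement multipliers described above, as an added example that is not NopeSight's own code: it reproduces the page's worked numbers (80% simple, 83.3% weighted) and then scores a second scenario with the same head-count of compliant controls but with the two Critical controls failing, to show why the weighted score is the better risk signal. The control identifiers and the scenario data are constructed; the weights follow the page's 1-10 scale and priority guidelines.

```python
# Added example, not NopeSight's own code: the simple and weighted compliance
# scores from this section, including the achievement multipliers and the
# exclusion of not-applicable results. The control records are constructed.
from typing import Dict, List

# Achievement multipliers as listed on the page; "not_applicable" is excluded entirely.
MULTIPLIERS: Dict[str, float] = {
    "compliant": 1.0,
    "partially_compliant": 0.5,
    "non_compliant": 0.0,
}


def simple_score(controls: List[dict]) -> float:
    """(Compliant Controls / Total Controls) * 100, ignoring not-applicable controls."""
    scored = [c for c in controls if c["status"] != "not_applicable"]
    if not scored:
        return 0.0
    compliant = sum(1 for c in scored if c["status"] == "compliant")
    return round(100.0 * compliant / len(scored), 1)


def weighted_score(controls: List[dict]) -> float:
    """(Achieved Weight / Total Weight) * 100, with partial credit per the multipliers."""
    total = achieved = 0.0
    for c in controls:
        if c["status"] == "not_applicable":
            continue
        if not 1 <= c["weight"] <= 10:
            raise ValueError(f"{c['id']}: weight must be on the 1-10 scale")
        if c["status"] not in MULTIPLIERS:
            raise ValueError(f"{c['id']}: unknown status {c['status']!r}")
        total += c["weight"]
        achieved += c["weight"] * MULTIPLIERS[c["status"]]
    if total == 0:
        return 0.0
    return round(100.0 * achieved / total, 1)


def make_controls(critical_statuses: List[str], medium_statuses: List[str]) -> List[dict]:
    """Build the page's scenario shape: Critical controls weigh 10, Medium controls weigh 5."""
    controls = [{"id": f"CRIT-{i + 1:03d}", "weight": 10, "status": s}
                for i, s in enumerate(critical_statuses)]
    controls += [{"id": f"MED-{i + 1:03d}", "weight": 5, "status": s}
                 for i, s in enumerate(medium_statuses)]
    return controls


# Scenario from the page: both Critical compliant, 6 of 8 Medium compliant.
PAGE_SCENARIO = make_controls(["compliant"] * 2,
                              ["compliant"] * 6 + ["non_compliant"] * 2)
# Same head-count (8 of 10 compliant) but the two failures are the Critical controls.
CRITICAL_FAILED = make_controls(["non_compliant"] * 2, ["compliant"] * 8)

if __name__ == "__main__":
    for name, scenario in [("page scenario", PAGE_SCENARIO), ("critical failed", CRITICAL_FAILED)]:
        print(f"{name}: simple={simple_score(scenario)}% weighted={weighted_score(scenario)}%")
    # page scenario: simple=80.0% weighted=83.3%
    # critical failed: simple=80.0% weighted=66.7%
```

Both scenarios score 80% on the simple measure, but the weighted score drops from 83.3% to 66.7% when the failures are the Critical controls, which is the behaviour the page's "prioritizes critical controls" note refers to. Weights outside the 1-10 scale and unknown statuses are rejected rather than silently treated as zero, so a data-entry error in the control form cannot quietly inflate or deflate the score.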

Filters:

  • By Control: See compliance for specific requirements
  • By Profile: See compliance for system groups
  • By Time Period: Historical compliance trends
  • By Owner: Team member workload and performance

Executive Reporting

Generate reports for management and auditors:

Compliance Status Report

  • Overall compliance level across all controls
  • Breakdown by control type and criticality
  • Trend analysis over time
  • Risk areas requiring attention

Assessment Activity Report

  • Assessment completion rates
  • Overdue assessment analysis
  • Resource utilization
  • Staff performance metrics

Audit Preparation Report

  • Evidence inventory and completeness
  • Control testing coverage
  • Exception analysis
  • Readiness scoring

Queue Monitoring

Track background jobs in Monitoring → Queue Metrics:

Compliance Queue Status:

  • Waiting: Assessment generation jobs queued
  • Active: Jobs currently processing
  • Completed: Successfully finished jobs
  • Failed: Jobs that encountered errors
  • Processing Rate: Jobs per minute

Job Details:

  • Click on specific job to see details
  • View job data and parameters
  • Check progress percentage
  • Review error messages if failed
  • Retry failed jobs if needed

Best Practices

Profile Design

Start with Major Groups

Begin with obvious, large groups:

  • Production systems
  • Development systems
  • Database servers
  • Web servers
  • Network infrastructure

Refine Based on Experience

As you work with profiles:

  • Split large profiles if management becomes difficult
  • Combine small profiles if too fragmented
  • Adjust rules as you learn system patterns
  • Document profile purposes clearly

Balance Automation and Control

  • Use dynamic profiles for standard infrastructure
  • Use manual profiles for exceptions and special cases
  • Review dynamic profile memberships periodically
  • Validate that rules capture intended systems

Assessment Execution

Consistent Methodology

  • Use the same testing approach each time
  • Document your methodology clearly
  • Train all assessors on procedures
  • Review assessments for consistency

Quality Evidence

  • Collect evidence at time of testing
  • Use multiple evidence types
  • Document evidence collection date and method
  • Maintain evidence organization and accessibility

Timely Completion

  • Start assessments early in the assessment period
  • Don't wait until due dates approach
  • Address blockers immediately
  • Communicate delays proactively

Automation

Let the System Work for You

  • Enable automatic assessment generation
  • Use dynamic profiles for scalability
  • Set appropriate frequencies
  • Review and adjust based on workload

Monitor Queue Performance

  • Check queue metrics periodically
  • Address failed jobs promptly
  • Ensure processing keeps pace with generation
  • Scale resources if queues back up

Troubleshooting Common Issues

Assessments Not Generated

Problem: Clicked "Generate Now" but no assessments created

Check:

  1. Profile Status: Is profile active?
  2. Profile Membership: Do any CIs match the profile?
  3. Control-Profile Link: Is control linked to a profile?
  4. Queue Status: Check Monitoring for job status
  5. Tenant Selection: Are you in the correct tenant?

Solutions:

  • Activate the profile if it's inactive
  • Review profile rules or manual selections
  • Add the control to at least one profile
  • Check queue for failed jobs and errors
  • Switch to demo/correct tenant

Duplicate Assessments

Problem: System says "skipped X duplicates" but I expected new assessments

Explanation: This is actually correct behavior!

Why It Happens:

  • Assessments for this period already exist
  • Unique index prevents duplicates
  • System protects data integrity

When You Actually Need New Assessments:

  • Wait for next period (next quarter, next month, etc.)
  • Or manually adjust period in database (not recommended)
  • Or create ad-hoc assessments with different scope

Wrong CIs in Profile

Problem: Dynamic profile includes/excludes wrong systems

Solutions:

  1. Review Profile Rules: Check matching logic (AND vs OR)
  2. Check CI Metadata: Verify CI attributes are correct
  3. Test Rules: Use profile preview to see what matches
  4. Adjust Conditions: Refine rules to match intended systems
  5. Switch to Manual: Use manual selection if rules too complex

Assessment Overload

Problem: Too many assessments due simultaneously

Solutions:

  • Stagger Frequencies: Use different frequencies for different controls
  • Reduce Scope: Start with critical systems only
  • Increase Resources: Assign more team members
  • Automation: Automate evidence collection where possible
  • Adjust Frequencies: Less critical controls can be less frequent

Queue Jobs Failing

Problem: Jobs show "failed" status in monitoring

Check:

  1. Error Message: View job details for specific error
  2. Database Connection: Ensure database is accessible
  3. Permissions: Check user/control has proper access
  4. Data Integrity: Verify control and profile still exist
  5. System Resources: Check for memory/performance issues

Solutions:

  • Retry the job after addressing the error
  • Contact support if errors persist
  • Check system logs for detailed error information
  • Verify all referenced data still exists

Advanced Topics

Custom Assessment Workflows

For organizations with specific needs:

Approval Workflows:

  • Require management review before completion
  • Escalation for non-compliant findings
  • Sign-off requirements for critical controls

Integration with Other Systems:

  • Export assessment results to GRC tools
  • Import evidence from monitoring systems
  • Sync with ticketing systems for remediation

Compliance Automation

Automated Evidence Collection:

  • API integrations with security tools
  • Scheduled evidence gathering
  • Automatic screenshot capture
  • Log aggregation and analysis

Automated Assessment:

  • Technical controls with automated testing
  • Configuration compliance scanning
  • Vulnerability assessment integration
  • Continuous compliance monitoring

Multi-Framework Management

Managing multiple regulatory frameworks:

Shared Controls:

  • One control can support multiple frameworks
  • Reduces duplicate assessment work
  • Maintains separate compliance views per framework
  • Single source of truth for control operation

Framework-Specific Views:

  • Filter assessments by framework
  • Generate framework-specific reports
  • Track compliance per framework
  • Support multiple audits simultaneously

Next Steps

With effective controls, profiles, and assessments in place:

  • Monitor your compliance dashboard regularly to track program health
  • Review queue metrics to ensure smooth operation
  • Use assessment findings to improve controls and infrastructure
  • Prepare for audits with comprehensive evidence and documentation
  • Expand your program to additional frameworks or business areas

For more information: