This chapter provides orientation on managing content through the Knowledge module. In this module, you can manage knowledge used for automating GRC, including authoritative documents, cross-references, response sets, knowledge bases, control groupings, CPEs, CCEs, threats, threat sources, vulnerabilities, surveys, and control/requirement mappings.
The Knowledge module is divided into five sections:
• Compliance Knowledge: This section allows you to manage knowledge used in compliance projects. Authoritative documents, their requirements, and cross-references with requirements from other authoritative documents can be viewed here, or you can create your own from scratch or from copies of existing documents. A number of response sets used in compliance surveys provided by Modulo are also available here, and you can edit them or create your own.
• Risk Knowledge: This section allows you to manage knowledge used in risk projects, including knowledge bases, groupings, CPEs, threats, threat sources, and the catalogue of vulnerabilities. A number of these are provided by Modulo, though you can also create your own from scratch or from copies.
• Surveys: This section allows you to manage surveys used in risk and compliance projects, as well as generic surveys used to update information on organizational objects. A number of surveys are provided by Modulo, though you can also create your own from scratch, based on authoritative documents or knowledge bases, or by copying existing surveys. A powerful survey editor is provided here, allowing you to prepare the questions and rules for processing them.
• Knowledge Updates: This section allows you to export and import custom knowledge content, as well as import and update content provided by Modulo. In addition, you can view the history of packages imported manually or through the Live Update service. Knowledge packages provided by Modulo must be obtained from the support team in advance.
• Control and Requirement Mappings: This section allows you to map associations between controls from knowledge bases and requirements from authoritative documents. These associations can later be used to view risk analysis results for mapped requirements.