
GRC Overview

Tripl-i GRC helps organizations manage governance, risk, and compliance in one connected workspace. It brings regulatory frameworks, internal policies, implementation controls, assessments, attestations, and operational risk tracking together with the live infrastructure data already available in Tripl-i.

Instead of managing compliance in spreadsheets and treating risk as a separate process, Tripl-i connects GRC work to your CMDB, discovered assets, service relationships, vulnerabilities, ownership data, and operational evidence.

What You Can Accomplish

Governance

Use Tripl-i to define how your organization expects controls, policies, evidence, and accountability to work.

  • Create and maintain internal policies
  • Break policies into specific policy statements
  • Link policies to regulatory requirements
  • Assign ownership for controls and risk items
  • Maintain review cycles and accountability
  • Track formal sign-off through attestations

Risk Management

Use the risk module to organize known risks and track where they apply across your environment.

  • Build a reusable risk library
  • Create risk statements for specific business or infrastructure contexts
  • Assign risk owners and priorities
  • Link risks to affected configuration items
  • Track inherent and residual risk scores where available
  • Maintain review dates and risk status

Compliance Management

Use the compliance module to translate regulations into practical controls and assessment work.

  • Manage frameworks such as SOX, HIPAA, PCI-DSS, ISO 27001, NIST, GDPR, and custom frameworks
  • Map citations to internal policies and controls
  • Create control libraries with owners, frequencies, and priorities
  • Define compliance profiles for groups of systems
  • Generate and complete assessments
  • Track non-compliance and remediation recommendations
  • Prepare formal attestations for audit and executive review

GRC Modules

Frameworks and Citations

Frameworks represent the external standards or regulations your organization must follow. Citations are the individual requirements inside those frameworks.

Use this module to answer questions such as:

  • Which regulatory requirements apply to us?
  • Which internal policies address each requirement?
  • Which controls provide evidence that the requirement is being met?

Examples include SOX control requirements, HIPAA safeguards, ISO 27001 controls, PCI-DSS requirements, and organization-specific frameworks.

Policies and Policy Statements

Policies describe your organization’s internal rules and expectations. Policy statements make those rules specific and testable.

Use this module to:

  • Document internal policies
  • Organize policies into clear statements
  • Link policy statements to framework citations
  • Show auditors how external requirements are translated into internal practice

Controls

Controls define how your organization implements policies in day-to-day operations.

Controls can be:

  • Preventive, such as requiring multi-factor authentication
  • Detective, such as reviewing logs or checking certificates
  • Corrective, such as remediation procedures after a failed assessment

Each control can include ownership, assessment frequency, priority, and importance weighting. Higher-weight controls have a greater impact on compliance scoring, which helps teams focus on the controls that matter most.

Compliance Profiles

Compliance profiles connect controls to actual infrastructure.

A profile defines which configuration items are in scope for a set of controls. For example:

  • Production database servers
  • Critical network devices
  • Payment processing systems
  • Executive workstations
  • Internet-facing infrastructure

Profiles can be dynamic, where systems are included automatically when they match rules, or manual, where users select specific CIs.

Assessments

Assessments are the work items used to test whether controls are operating effectively.

Use assessments to:

  • Record control test results
  • Track compliant, partially compliant, non-compliant, or not-applicable outcomes
  • Capture findings and evidence
  • Assign work to owners
  • Maintain historical compliance records

When assessments identify gaps, Tripl-i can surface compliance insights and remediation guidance to help teams understand what needs attention.

Attestations

Attestations provide formal sign-off for a control, profile, framework, policy, or custom scope over a defined period.

They are useful for:

  • Quarterly compliance reviews
  • SOX-style executive sign-off
  • Audit preparation
  • Board reporting
  • Customer assurance requests
  • Internal governance evidence

Attestations summarize the compliance state for the selected scope and period, then capture review, signature, approval, rejection, and activity history.

Compliance Insights

Compliance insights show compliance status and violations at the CI level.

They help teams understand:

  • Which systems are compliant or non-compliant
  • Which findings are repeated across the environment
  • Which controls produce the highest-risk gaps
  • What remediation actions are recommended
  • Which CIs need attention before the next audit or review
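As an added illustration of how the Controls, Compliance Profiles, Assessments and Compliance Insights sections fit together, the following Python example is not Tripl-i's own code and does not use its API. It builds a small constructed CMDB, a profile that is scoped both dynamically (attribute rules) and manually (a hand-picked CI), weighted controls, and a set of assessment outcomes, then computes a weighted compliance score and the kind of CI-level insight listed above (failing controls per CI, findings repeated across CIs, unassessed pairs). The CI attribute names, the outcome-to-credit scale and the weighted-average scoring rule are all assumptions made for the example, not Tripl-i's documented formula.

```python
# Added example (not Tripl-i's own code): dynamic profile scoping, weighted
# controls and assessment outcomes combined into a compliance score and
# CI-level insights. All records are constructed sample data and the
# scoring rule is an assumption, not Tripl-i's documented formula.
from dataclasses import dataclass, field
from collections import Counter

# Constructed sample CMDB records (attribute names are assumptions).
CMDB = [
    {"name": "db-prod-01", "class": "database", "environment": "production", "internet_facing": False},
    {"name": "db-prod-02", "class": "database", "environment": "production", "internet_facing": False},
    {"name": "db-dev-01", "class": "database", "environment": "development", "internet_facing": False},
    {"name": "web-prod-01", "class": "web_server", "environment": "production", "internet_facing": True},
]

@dataclass
class Control:
    control_id: str
    name: str
    kind: str        # preventive / detective / corrective
    owner: str
    frequency: str   # assessment frequency
    weight: int      # importance weighting; higher weight counts more in the score

@dataclass
class Profile:
    name: str
    controls: list
    rules: dict = field(default_factory=dict)       # dynamic scope: attribute -> required value
    manual_cis: list = field(default_factory=list)  # manually selected CI names

CONTROLS = [
    Control("C1", "MFA required for administrative access", "preventive", "iam-team", "quarterly", 3),
    Control("C2", "Privileged log review", "detective", "soc", "monthly", 2),
    Control("C3", "TLS certificate expiry check", "detective", "platform", "monthly", 1),
]

PROFILE = Profile(
    name="Production database servers",
    controls=CONTROLS,
    rules={"class": "database", "environment": "production"},
    manual_cis=["web-prod-01"],  # selected by hand to show manual inclusion
)

# Constructed assessment results: (ci_name, control_id, outcome).
# web-prod-01 / C2 is deliberately missing so the unassessed case is visible.
ASSESSMENTS = [
    ("db-prod-01", "C1", "compliant"),
    ("db-prod-01", "C2", "partially_compliant"),
    ("db-prod-01", "C3", "non_compliant"),
    ("db-prod-02", "C1", "non_compliant"),
    ("db-prod-02", "C2", "partially_compliant"),
    ("db-prod-02", "C3", "compliant"),
    ("web-prod-01", "C1", "compliant"),
    ("web-prod-01", "C3", "not_applicable"),
]

# Credit per outcome (assumed scale); not_applicable is excluded from the denominator.
OUTCOME_CREDIT = {"compliant": 1.0, "partially_compliant": 0.5, "non_compliant": 0.0}

def profile_scope(profile, cmdb):
    """CI names in scope: every CI matching all dynamic rules, plus manual picks."""
    matched = [ci["name"] for ci in cmdb
               if all(ci.get(attr) == value for attr, value in profile.rules.items())]
    return matched + [name for name in profile.manual_cis if name not in matched]

def weighted_score(profile, assessments, cmdb, ci_filter=None):
    """Weighted score in [0, 1]: sum(weight * credit) / sum(weight) over assessed,
    applicable (ci, control) pairs in scope. None when nothing applicable was assessed."""
    scope = set(profile_scope(profile, cmdb))
    weights = {c.control_id: c.weight for c in profile.controls}
    num = den = 0.0
    for ci, control_id, outcome in assessments:
        if ci not in scope or control_id not in weights or outcome not in OUTCOME_CREDIT:
            continue
        if ci_filter is not None and ci != ci_filter:
            continue
        num += weights[control_id] * OUTCOME_CREDIT[outcome]
        den += weights[control_id]
    return num / den if den else None

def compliance_insights(profile, assessments, cmdb):
    """CI-level view: failing controls per CI, repeated findings per control, unassessed pairs."""
    scope = profile_scope(profile, cmdb)
    assessed = {(ci, cid): outcome for ci, cid, outcome in assessments}
    failing, unassessed = {}, []
    for ci in scope:
        for control in profile.controls:
            outcome = assessed.get((ci, control.control_id))
            if outcome is None:
                unassessed.append((ci, control.control_id))
            elif outcome in ("partially_compliant", "non_compliant"):
                failing.setdefault(ci, []).append(control.control_id)
    repeated = Counter(cid for cids in failing.values() for cid in cids)
    return {"failing": failing, "repeated": dict(repeated), "unassessed": unassessed}

if __name__ == "__main__":
    print("in scope:", profile_scope(PROFILE, CMDB))
    print("profile score:", round(weighted_score(PROFILE, ASSESSMENTS, CMDB), 3))
    for ci in profile_scope(PROFILE, CMDB):
        print(ci, round(weighted_score(PROFILE, ASSESSMENTS, CMDB, ci_filter=ci), 3))
    print(compliance_insights(PROFILE, ASSESSMENTS, CMDB))
```

With this data the profile scores 0.6 overall while db-prod-02 alone scores one third, because its failed control C1 carries the highest weight; C2 shows up as a repeated finding on two CIs, and the missing web-prod-01 / C2 assessment is reported as a gap rather than silently counted as a pass.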

Risk Library

The risk library is a reusable catalog of risks your organization tracks.

Examples include:

  • Datacenter power outage
  • Unauthorized administrative access
  • Expired certificates on critical services
  • Unpatched internet-facing systems
  • Failure to retain audit logs
  • Loss of a critical third-party service

Each risk template can include category, impact, triggers, tags, and linked controls.

Risk Register

The risk register turns risk templates into specific risk statements.

For example:

  • Risk template: Datacenter power outage
  • Risk statement: Power outage risk for primary production datacenter

Risk statements can include affected CIs, owner, priority, status, review frequency, appetite, and current risk scores.

How GRC Connects To Tripl-i Data

CMDB

The CMDB gives GRC work an accurate system inventory. Controls, profiles, assessments, risk statements, and compliance insights can all refer to real configuration items rather than static lists.

Discovery

Discovery keeps GRC scope current. When new servers, databases, workstations, services, or network devices are discovered, dynamic profiles can include them in the right compliance scope.

Service Mapping

Service mapping adds business context. A non-compliant server is more important when it supports a critical business service. Service relationships help teams prioritize remediation based on impact, not just asset count.

Vulnerability Management

Vulnerability data enriches compliance and risk decisions. Open vulnerabilities, affected software, patch status, and exposure data help teams understand where controls are weak and which systems need attention first.

Events and Change Activity

Events and change history provide evidence for control monitoring, audit review, and risk investigation. Recent incidents, changes, or repeated failures can help explain risk exposure and compliance drift.

Advantages

One Connected View

GRC is more effective when policy, control, risk, and infrastructure data are connected. Tripl-i reduces the gap between what the organization says should happen and what is actually present in the environment.

Less Manual Scoping

Dynamic compliance profiles reduce manual spreadsheet work. Teams can define the scope once, then let discovered infrastructure determine which systems are included.

Better Audit Readiness

Frameworks, policies, controls, assessments, findings, evidence, and attestations are connected in one place. This gives auditors a clearer path from requirement to evidence.

Risk-Based Prioritization

Weighted controls, CI context, service relationships, vulnerabilities, and risk statements help teams prioritize high-impact work first.

Executive Visibility

Dashboards, assessment status, compliance summaries, and attestations give leadership a clearer view of compliance posture and risk exposure.

Operational Accountability

Owners, due dates, review cycles, assessment status, and activity history make GRC work easier to assign, track, and follow up.

Common Use Cases

Audit Preparation

Prepare for an external audit by reviewing framework coverage, completing assessments, collecting findings, and generating formal attestations for the audit period.

Infrastructure Compliance

Apply controls to groups of systems such as production servers, databases, or critical network devices. Use profiles to keep scope aligned with the current CMDB.

Executive Attestation

Summarize compliance status for a quarter or year and route it for review and sign-off by the appropriate business or technology leaders.

Risk Register Management

Maintain an active list of operational, compliance, security, financial, strategic, and reputational risks. Assign owners, affected systems, priorities, and review dates.

Compliance Gap Remediation

Use assessment findings and compliance insights to identify non-compliant systems, understand why they failed, and plan remediation work.

Putting the modules together, the end-to-end workflow is:

  1. Review applicable frameworks and citations.
  2. Create or import internal policies.
  3. Define controls and assign owners.
  4. Create compliance profiles for key system groups.
  5. Generate assessments and record results.
  6. Review compliance insights and remediate gaps.
  7. Create attestations for formal review periods.
  8. Build the risk library and risk register for recurring operational risks.