Frequently Asked Questions (FAQ)

Usage

What is FEHA GRC?

FEHA GRC is a Governance, Risk, and Compliance (GRC) platform that integrates security, privacy, and certification-readiness management. It helps organizations simplify regulatory processes by centralizing activities and providing AI-driven recommendations and expert guidance.

What does "GRC" stand for?

GRC stands for Governance, Risk, and Compliance — the coordinated approach organizations use to manage policies, address risks, and meet regulatory requirements. FEHA GRC unifies these processes with industry standards and security best practices.

What are the main modules in FEHA GRC?

The platform includes the following key modules:

  • Framework Management — Manage and map multiple regulations and standards.
  • Risk Management — Centralized view of risks, remediation, and control alignment.
  • Vendor Management — Assess third-party security and privacy risks.
  • Monitoring Device Management — Track device status and security hygiene.
  • Website Scanner / Security Scanner — AI-augmented vulnerability scanning.
  • Internal Audit — Support ISO 27001 Clause 9.2 audit activities.
  • Policy Management, Asset Management, Privacy Management, Trust Page, Ticketing, and more.

Who is the platform designed for?

FEHA GRC supports two main user types:

  • Clients — Organizations managing their own compliance, risk, vendors, policies, and assets.
  • Auditors — External or internal auditors who review controls, risks, policies, and other client data.

How do I log in to the FEHA GRC Platform?

You can log in through the official login page at fehagrc.com:

  1. Enter your email address to receive a secure login link.
  2. Open the link sent to your inbox to access the platform.

Alternatively, you can sign in directly with a Google or Microsoft account — no waiting for a magic link required.

I did not receive my login email. What should I do?

Check your spam or junk folder first, and verify that you entered the correct email address. If the issue persists, contact your administrator or submit a support ticket through the platform.

What is Company User Synchronization?

This feature automatically creates user accounts for employees based on their company email by integrating with Google Workspace or Microsoft Azure Active Directory. During onboarding, the system securely retrieves employee data and generates user profiles without manual input.

How do I connect Microsoft Azure or Google Workspace?

  • Microsoft Azure: Select a Microsoft account to log in and approve the connection between Azure and FEHA GRC, then sort and import employee accounts.
  • Google Workspace: Select a Google account, confirm the integration agreement, then sort the list of employees to create FEHA GRC accounts.

What does the Main Dashboard show?

The Main Dashboard provides a centralized view of:

  • Policies pending approval
  • Total available tasks
  • Recent and upcoming activities
  • Implemented frameworks and their progress
  • Control, policy, and risk assignment progress
  • A searchable, filterable task list

What is the Instant Setup feature?

Instant Setup is a guided starting point that gives new users predefined tasks to support initial configuration and early compliance. It reduces setup time and provides clear guidance on required actions.

What is Framework Management?

Framework Management helps organizations align internal controls and evidence with recognized standards such as ISO, SOC 2, and NIST. It supports activation, control assignment, evidence management, and progress tracking within a structured workflow.

What compliance statuses can a framework requirement have?

Each framework item is assigned one of the following statuses:

  • Not Conform — Does not meet the requirement
  • In Progress — Work is ongoing
  • OFI (Opportunity for Improvement) — Meets the requirement but can be improved
  • Conform — Fully meets the requirement
  • Exclude — Not applicable to your organization

What evidence types are supported?

  • Mapped — Evidence is already linked to a requirement
  • Unmapped — No evidence has been linked yet

Who is responsible for each framework requirement?

Three ownership roles ensure proper management:

  • Control Owner — Implements and maintains controls
  • Evidence Group Owner — Manages supporting evidence
  • Unmapped Evidence Owner — Identifies and links missing evidence

How do I activate a framework?

On the Frameworks page, select Click to Activate for the desired framework, fill in the required fields, and submit. A consultant must confirm the activation before controls can be assigned.

How do I upload evidence for a control?

  1. Open the relevant control on the Frameworks page.
  2. Open the Evidences section and select View on the evidence card.
  3. Click Add Evidence, complete the form, and save.

For evidence not yet tied to a specific control, use Add Unmapped Evidence instead.

Can the system analyze evidence automatically?

Yes. FEHA GRC includes AI-assisted analysis. On the evidence card, select AI Analysis to receive automated insights. In the Evidence Library, you can also use Auto Linked Controls with AI, which suggests which controls an evidence document should map to.

AI suggestions are recommendations and should be reviewed before applying.

What is the Evidence Library?

The Evidence Library is a centralized repository for managing evidence across frameworks and controls. It supports searching, filtering, bulk uploads, comments, AI analysis, and connecting evidence to additional controls.

How do I run an audit on the platform?

Use the Audit submenu to create, search, edit, view, or delete audits. You can also rebuild evidence (refreshes the evidence set based on current control mappings) and download all audit evidence as a ZIP file.

What is Risk Management in FEHA GRC?

Risk Management lets you systematically identify, assess, treat, and monitor threats and vulnerabilities that may impact your organization.

How are risks classified?

Each risk is categorized as either:

  • Security & Privacy — Data protection, cybersecurity, compliance
  • AI — AI usage, models, and automation

How are risk levels calculated?

Risk levels are calculated as Likelihood × Impact on a 5×5 scale:

  • 0–6: Low
  • 7–12: Medium
  • 13–18: High
  • 19–25: Critical

What treatment options are available for risks?

  • Accepted — No action; risk is acknowledged
  • Mitigate — Reduce likelihood or impact
  • Transferred — Risk shifted to a third party (e.g., insurance or outsourcing)

Who owns a risk?

  • Risk Owner — Identifies and assesses the risk
  • Treatment Owner — Implements and monitors mitigation actions

What is the Risk Heatmap?

A 5×5 visual chart on the Risks page that plots risks by Likelihood and Impact. It highlights high-priority risks and shows how they change after treatment.
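Worked example of the scoring rule from "How are risk levels calculated?" and of the before/after-treatment heatmap described here. This is an added illustration, not FEHA GRC's own code: the function and class names (`risk_score`, `risk_level`, `Risk`, `heatmap`) and the sample register are assumptions constructed for this example. It keeps the page's bands (0–6 Low, 7–12 Medium, 13–18 High, 19–25 Critical) exactly; note that with integer 1–5 axes the product can never be 0, 7, 13 or 19, so some band edges are never hit.

```python
"""Likelihood x Impact scoring on a 5x5 scale with a text heatmap.

Added example; not FEHA GRC's code. All names here are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Bands exactly as stated in the FAQ (inclusive upper bound, label).
BANDS = ((6, "Low"), (12, "Medium"), (18, "High"), (25, "Critical"))
SCALE_MIN, SCALE_MAX = 1, 5  # each axis of the 5x5 scale


def _check_axis(name: str, value: int) -> int:
    """Reject values outside the 1..5 axis (a 0 would silently zero the score)."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact; with 1..5 axes the result is in 1..25."""
    return _check_axis("likelihood", likelihood) * _check_axis("impact", impact)


def risk_level(score: int) -> str:
    """Map a score to the FAQ band; 0 is accepted only because the page lists it."""
    if not 0 <= score <= 25:
        raise ValueError(f"score must be 0..25, got {score!r}")
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: BANDS covers 0..25")


@dataclass
class Risk:
    name: str
    likelihood: int                 # inherent (before treatment)
    impact: int
    treatment: str = "Accepted"     # Accepted / Mitigate / Transferred (FAQ options)
    residual_likelihood: Optional[int] = None  # after treatment; None = unchanged
    residual_impact: Optional[int] = None

    def inherent(self) -> tuple[int, str]:
        s = risk_score(self.likelihood, self.impact)
        return s, risk_level(s)

    def residual_axes(self) -> tuple[int, int]:
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk, im

    def residual(self) -> tuple[int, str]:
        s = risk_score(*self.residual_axes())
        return s, risk_level(s)


def heatmap(risks: list, residual: bool = False) -> list:
    """5x5 grid of counts; grid[likelihood-1][impact-1]."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        lk, im = r.residual_axes() if residual else (r.likelihood, r.impact)
        grid[lk - 1][im - 1] += 1
    return grid


def render_heatmap(grid: list) -> str:
    """Text rendering: likelihood 5 at the top, impact 1..5 left to right."""
    rows = ["L\\I " + " ".join(f"{i:>2}" for i in range(1, 6))]
    for lk in range(5, 0, -1):
        rows.append(f"{lk:>3} " + " ".join(f"{grid[lk - 1][i - 1]:>2}" for i in range(1, 6)))
    return "\n".join(rows)


# Constructed sample register (illustrative values, not real data).
SAMPLE_RISKS = [
    Risk("Unpatched public web server", 5, 4, "Mitigate", residual_likelihood=2),
    Risk("Vendor data breach", 3, 5, "Transferred", residual_impact=3),
    Risk("Stale access on shared drive", 2, 2, "Accepted"),
]


def summarize(risks: list) -> list:
    """(name, (inherent score, band), (residual score, band)) per risk."""
    return [(r.name, r.inherent(), r.residual()) for r in risks]


if __name__ == "__main__":
    for name, inh, res in summarize(SAMPLE_RISKS):
        print(f"{name:<32} inherent={inh[0]:>2} {inh[1]:<8} residual={res[0]:>2} {res[1]}")
    print("\nInherent heatmap\n" + render_heatmap(heatmap(SAMPLE_RISKS)))
    print("\nResidual heatmap\n" + render_heatmap(heatmap(SAMPLE_RISKS, residual=True)))
```

Running the script prints each sample risk's inherent and residual band and two heatmaps, so a reader can see a Critical item (5×4 = 20) drop to Medium (2×4 = 8) after mitigation, and a High item (3×5 = 15) drop to Medium (3×3 = 9) after transfer. The axis check is the practitioner's guard: an out-of-range likelihood or impact raises instead of silently producing a misleading score.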

What is the Risk Library?

A centralized repository of predefined risks that can be reused across the organization. It promotes consistency, reduces manual effort, and standardizes risk descriptions. Risks can be added directly from the Risk Library to the Risk Register.

Can I attach documents to a risk?

Yes. Through the Risk Attachment module, you can upload, view, download, and manage supporting files for any risk — useful for documentation, traceability, and audit readiness.

What reports are available for risks?

Risk Reports include:

  • Risk treatment reports
  • Risk assessment reports

These are designed for monitoring and review, not as a replacement for detailed analysis in the Risk Register.

What is Vendor Management?

The process of evaluating, monitoring, and managing third-party vendors. It ensures vendors meet security, compliance, and performance standards while minimizing risk.

What lifecycle statuses can a vendor have?

  • Active — Approved and currently in use
  • Under Review — Being evaluated or reassessed
  • Inactive — No longer in use

How is vendor risk and impact measured?

  • Risk Level: None, Low, Moderate, High
  • Impact Level: Minor, Moderate, Significant

How often should vendors be reviewed?

Review frequency depends on risk exposure:

  • Monthly — High-risk or critical vendors
  • Quarterly — Moderate-risk vendors
  • Biannually — Lower-risk vendors
  • Annually — Minimal-risk vendors

How can I add a vendor?

You can add vendors in two ways:

  • Template — Use predefined vendor templates for consistency.
  • Manual — Add vendor information manually through the Vendor Management page.

What methods are available for vendor risk assessment?

  • AI with security report — AI analyzes uploaded security reports.
  • AI with web scraping — AI gathers insights from public sources.
  • Internal — Completed by your team.
  • External — Provided directly by the vendor.

How do I send a risk assessment to a vendor?

  1. Open the Vendor Management page and select the vendor.
  2. Open the Vendor Risk Assessment section.
  3. Click Review → Assign Question, fill in the required information, then click Send.

What is the Vendor Question submenu?

It lets you manage the structure of vendor assessments — creating, editing, and reordering Categories, Groups, and individual Questions to ensure consistent and structured evaluations.

What is the Access Review submenu?

Access Review records and monitors which employees have access to company vendors. You can add, edit, or revoke access; set review frequency; and generate downloadable Excel reports of vendor access lists.

What is Policy Management?

Policy Management is the process of creating, organizing, approving, and maintaining organizational documents such as policies, procedures, agreements, and plans. You can generate documents using AI, author them manually, or upload existing files.

How do I approve a new policy?

  1. Open the Profile page.
  2. Select the policy row marked with an orange exclamation icon.
  3. Click Approve at the bottom of the page.

Policies must be approved before they become effective.

What is Asset Management?

Asset Management is the process of identifying, organizing, and maintaining all physical and digital assets in your organization. It supports centralized inventory, improved security, and linking assets to risks and controls.

What is Privacy Management?

Privacy Management identifies, assesses, and manages risks related to personal data processing. It supports documentation of data processing activities and alignment with data protection regulations.

What does Device Monitoring do?

Device Monitoring tracks the real-time status and availability of organizational devices. It helps detect issues early, monitor whether devices are online or offline, and maintain business continuity.

What does the Security Scanner do?

The Security Scanner automatically identifies vulnerabilities and security risks across systems, applications, and infrastructure. It classifies findings by severity and helps organizations remediate weaknesses before they can be exploited.

What is Continuous Testing?

Continuous Testing regularly reviews and validates risks, vendors, evidence, and policies to ensure they stay accurate, effective, and compliant over time. It supports automated reminders and periodic review scheduling.

What are Company Activities?

A centralized log of actions and events across the system — useful for tracking changes, supporting audits, improving transparency, and identifying warning signs.

What is the Trust Page?

The Trust Page is a centralized view that showcases your organization's compliance, security posture, and governance practices to internal and external stakeholders. It displays controls, frameworks, policies, and supporting evidence in a structured way.

How do I create a support ticket?

  1. Open the Ticket page.
  2. Click Create New Ticket.
  3. Complete the ticket form with a clear title and description.
  4. Click Submit Ticket.

How do I update my company profile?

Open the Settings page, select the Company tab, enter the latest company information, and click Update Company to save your changes.

What can I do from the Profile menu?

The Profile menu lets you manage your personal information, approve new policies, complete assigned vendor risk assessments, and review compliance requirements assigned to you.

What is the User Journey menu?

The User Journey menu offers insight into user compliance activities and personnel documentation. You can send compliance reminders, manage documents, and track user status throughout the user lifecycle.

How do I send a compliance reminder to a user?

  1. Open the User Journey page.
  2. Select Compliance Reminder on the relevant user row.
  3. Click Send Reminder to confirm.

What can auditors do in FEHA GRC?

Auditors have access to dedicated views for managing audits and reviewing client data, including:

  • Adding and managing auditor accounts (Users menu)
  • Reviewing controls, audits, and evidence (Framework Management)
  • Reviewing risks and risk reports (Risk Management)
  • Reviewing vendors and vendor risk assessments (Vendor Management)
  • Viewing and searching policies (Policy Management)
  • Searching and reviewing assets (Asset Management)
  • Reviewing user journey data (User Journey)

How does an auditor view a vendor's risk assessment?

  1. Select the target company.
  2. Open the Vendor Management menu.
  3. Select a vendor row to view its details, then open the assessment to review the report.

Where does FEHA GRC use AI?

AI is embedded throughout the platform, including:

  • Framework Management — Identifying overlapping controls across frameworks
  • Evidence analysis — Auto-mapping evidence to controls and analyzing content
  • Vendor Management — AI-assisted assessments using security reports or web scraping
  • Security Scanner — AI-augmented vulnerability scanning with impact summaries
  • Policy Management — AI-assisted document generation

Should I trust AI suggestions completely?

AI outputs are recommendations only. The documentation specifies that AI suggestions should always be reviewed before being applied.

Where should I focus first to improve compliance?

Regularly review Unmapped Evidence and Not Conform items first — addressing these areas significantly improves compliance posture and reduces audit risks.

How should I prioritize vendors?

Focus on vendors with High Risk and Significant Impact first. Ensure they are reviewed more frequently and have proper mitigation measures in place.

Should I use the Risk Library or create custom risks?

It's recommended to use risks from the Risk Library wherever possible to maintain consistency and avoid duplication when managing risks at scale.

How can I prepare for an audit?

  • Link risks to assets, controls, and treatment plans for full traceability.
  • Upload relevant and current documents to the Risk Attachment module.
  • Use the Audit submenu in Framework Management to manage audit creation, evidence preparation, and exports.
  • Maintain an up-to-date Trust Page to share your compliance posture.