Governance modules

A governance module in Novantra is a self-contained area of the product that handles one part of how your organization is governed. Each module has its own settings, its own records, its own audit footprint, and its own API surface. Modules compose: a control can be linked to a risk, an evidence claim can satisfy multiple controls, an assessment can produce findings, a finding can drive an exception.

The modules below are organized into five tiers. The tiers reflect conceptual dependency, not difficulty. Foundation concepts come first because the other modules borrow vocabulary from them. You can read in tier order to build a complete mental model, or jump straight to the one you need.

Tier 1: Foundation concepts

Vocabulary the rest of the system uses. Set these up first when standing up governance for your organization.

• Frameworks - register the compliance frameworks you operate under and their versions.
• Scope - define the boundaries inside your organization that governance applies to (facilities, services, jurisdictions, programs).
• Management Systems - the programs you run: an ISMS, a privacy program, a quality program, a resilience program.
• Evaluation Models - reusable scoring, maturity, and posture models that other modules apply.
• Applicability - decisions about whether a control, obligation, or other governed item applies to a given scope.

Tier 2: Core governance objects

The day-to-day vocabulary most users will touch first.

• Controls
• Risks
• Evidence
• Assessments
• Findings
• Exceptions

Tier 3: Monitoring and measurement

Continuous and periodic measurement that tells you whether things are working.

• Monitoring - rules that watch a population and report compliance.
• Indicators - KPIs, KRIs, KCIs and other quantitative measures.

Tier 4: Assurance, delivery, oversight

The “show me it works” layer: assurance engagements, regulator submissions, access governance, and retention discipline.

• Assurance
• Submissions
• Access
• Retention

Tier 5: Operational domains

Specific operational domains brought under governance. These build on the foundation tiers.

• Assets
• Party Engagements
• Change Management
• Vulnerability Management
• Secure Development
• Network & Communications
• Security Operations
• Cryptography
• Facilities Security
• Cloud Governance

Where to start

If you’re new to Novantra and have nothing set up yet, work through Tier 1 in order. If your organization already has frameworks and scope defined, jump straight to the module that addresses your immediate need.

Looking for API documentation?

Each module also has a developer guide describing its REST API at /developers/api/governance. The developer guides assume you’ve already read the user guide for that module.