LogicGate Risk Cloud® Services Description

Last Updated: November 2024

Risk Cloud Use Cases
Standard Use Cases Enterprise Risk Management, Third-Party Risk Management, IT Security Risk, Control Audit Management, Compliance Management, Incident Management, Issues Management, Policy Management, Regulatory Compliance, Internal Audit Management, Procurement & Contract Management, Business Continuity Management, Data Privacy.

Risk Cloud Platform
Standard Application or Application A Standard Application, or Application, is a distinct set of rules and logic built in Risk Cloud supporting a singular use case, as determined by the LogicGate team. Live Applications are those used in a production setting and count towards the contracted Application amount.
Premium Application

A Premium Application includes access to advanced features and capabilities not natively available in Standard Applications. They are priced at a premium to reflect additional value-added features and capabilities such as:

  • Automated evidence collection
  • Integrations
  • Advanced document generation

The following are the currently-available Premium Applications:

  1. FedRAMP SSP Premium Application
  2. Controls Compliance Application
Power User Power User functionality includes all Standard User abilities (see below), in addition to the ability to create, modify, and manage Applications. This includes, but is not limited to, jobs, workflows and steps. This user has “Build" permissions in Risk Cloud. This user type was previously denoted as a “Primary User."
Standard User Standard Users can view and interact with records, complete tasks, view home screens, view and create reports and dashboards, and view audit history of records. Standard Users cannot create or manage Applications and cannot be assigned the “Build” permission. This user type was previously denoted as a “Secondary User”.
External User External Users can receive email notifications and perform work using unique, tokenized links. External Users do not have their own login.

Additional Product Features
Single Tenancy Provides database infrastructure that is not shared with other tenants.
Single Tenancy - Healthcare Single tenant Risk Cloud® environment provisioned for customers who (i) are designated as covered entities (e.g., healthcare providers, health insurance companies, etc.), and (ii) wish to upload and/or store protected health information (“PHI”) within such environment for use with its purchased Application(s). For clarity, purchase of this SKU requires the execution of a Business Associate Agreement (“BAA”).
Risk Cloud Documents Provides the ability to configure document templates using a template-building tool called Formstack , and enables users to automate document generation in Risk Cloud. Includes access to up to 50 Reports and 2,000 Downloads (per month).
Risk Cloud Quantify Standard Provides access to a risk quantification product designed to calculate potential loss exposure range in monetary terms for a given risk scenario. Risk Cloud Quantify Standard does not include advanced features.
Risk Cloud Quantify Premium Provides access to a risk quantification product designed to calculate potential loss exposure range in monetary terms for a given risk scenario. Risk Cloud Quantify Premium includes advanced features.
Public Pages Public Pages allow you to create publicly available forms that can be submitted by anyone with the unique link.
SCIM User Provisioning Provides access to SCIM 2.0 supported auto-provisioning that allows integration with identity management systems. Includes support for the following functions: Create, Update, and Deactivate users.
Additional Environment Provides a customer with access to an additional, separate Risk Cloud environment that may be used in conjunction with other Risk Cloud services purchased by the same customer.

Implementation & Professional Services
Lite Implementation LogicGate's Lite Implementation involves configuration and deployment of a Risk Cloud application to meet essential business needs. Subject to required scoping, a Lite Implementation includes minor enhancements to fields included in LogicGate's pre-built application template. This service includes requirements confirmation (based on LogicGate's pre-built application template functionality), initial setup, data import, and admin training to ensure a smooth transition to the platform. The typical timeline for completing a lite implementation is approximately 30 days.
Basic Implementation LogicGate's Basic Implementation involves configuration and deployment of a Risk Cloud application tailored to meet essential business needs. Subject to required scoping, a Basic Implementation includes minor enhancements to fields, steps, and workflows included in LogicGate’s pre-built application template. This service includes requirements gathering, initial setup, basic configuration, data import, and admin training to ensure a smooth transition to the platform. The typical timeline for completing a basic implementation is approximately 60 days.
Standard Implementation LogicGate’s Standard Implementation involves configuration and deployment of a Risk Cloud application tailored to meet business needs. Subject to required scoping, a Standard Implementation includes moderate enhancements to fields, steps, and workflows included in LogicGate’s pre-built application template. This service includes requirements gathering, initial setup, configuration, data import, and admin training to ensure a smooth transition to the platform. The typical timeline for completing a basic implementation is approximately 90 days.
Premium Implementation LogicGate's Premium Implementation involves configuration and deployment of a Risk Cloud application tailored to meet business needs. Subject to required scoping, a Premium Implementation includes significant enhancements to fields, steps, and workflows included in LogicGate’s pre-built application template. This service includes requirements gathering, initial setup, basic configuration, data import, admin training and documentation, and end user training to ensure a smooth transition to the platform. The typical timeline for completing a basic implementation is approximately 120 days.
Advanced Implementation LogicGate’s Advanced Implementation involves configuration and deployment of a Risk Cloud application tailored to meet business needs. Subject to required scoping, an Advanced Implementation includes substantial enhancements to fields, steps, and workflows included in LogicGate’s pre-built application template. This service includes requirements gathering, initial setup, basic configuration, data import, admin training and documentation, and end user training to ensure a smooth transition to the platform. The typical timeline for completing a basic implementation is approximately 135 days.
Elite Implementation LogicGate’s Elite Implementation involves configuration and deployment of a Risk Cloud application tailored to meet business needs. Subject to required scoping, an Elite Implementation includes transformative enhancements to fields, steps, and workflows included in LogicGate’s pre-built application template. This service includes requirements gathering, initial setup, basic configuration, data import, admin training and documentation, end user training, and change management guidance to ensure a smooth transition to the platform. The typical timeline for completing a basic implementation is approximately 150 days.
Custom Implementation Subject to required scoping, LogicGate's Custom Implementation Option provides implementation services for any use case not included in LogicGate's existing implementation packages.
Implementation Scope Each implementation option listed above can be used to cover the implementation of one Application.
Implementation Services Bundle Ten (10) hours of access to the Risk Cloud Implementation Team. Such hours shall be used for hands-on configuration support for any of LogicGate's Standard Use Cases, using an official Risk Cloud Application template or a custom build.
Standard Success Includes access to the LogicGate Help Center (help.logicgate.com); core Risk Cloud training content on LogicGate Learning portal; in-app chat support; and updates related to the latest version of Risk Cloud Standards and Regulations Content provided to you, upon request, via spreadsheet within 120 days of a major release published by the authoritative source.

For updates to the Secure Controls Framework, content and mapping adjustments will be made according to the latest version's Errata.
Premier Success

Premier Success is a recurring service that provides customers with technical support and Power User training in Risk Cloud. Included in the Service: Premier Success Requests (PSR)

  • Customers can request technical support in the form of a Premier Success Request (PSR) performed by the Professional Services team for any Application in their Risk Cloud environment, limited to six (6) PSRs per month. Unused PSRs do not roll over.
  • PSRs are limited to:
    • Data management activities, including: bulk import, bulk mapping, mass record updates, mass field changes / additions.
    • Assistance with reports, including: creating new reports and updating or troubleshooting existing reports.
    • Expert troubleshooting of records, application configuration, access, or automation.
    • Minor Application build updates, including: form updates, access management updates, and job updates.
    • Design guidance in the form of reviewing applications or providing Risk Cloud best practices.
    • New product feature implementation.
    • Functional documentation, including: single process or technical configuration documentation in the format of videos, PDFs, or slides for end users and/or admins.
    • Out-of-scope requests include:
      • Risk or business process advisory services that involve making recommendations for business processes and Workflows outside the scope of Risk Cloud Application template best practices.
      • Full configuration or implementation of net new Applications.
      • Full overhaul of in-scope applications (i.e., significant process changes).
      • Procuring any control framework or other Governance, Risk, and Compliance content that is not already provisioned within the Risk Cloud platform by means of existing Risk Cloud Application Templates.
      • Populating Data Import templates provided to the Customers.
    • The Professional Services team shall review each PSR to confirm it is in-scope for the PSR Issue. Any out-of-scope requests, PSRs that include more than one PSR request, may require a separate Scope of Work for the out-of-scope project or may be separated into separate PSRs.
    • Customers must submit each PSR with a detailed description of the desired request.
    • Upon completion, Customer will test and sign off to close out the PSR.
    • In-progress PSRs will roll over and count towards the next month's PSR limit if they are not completed, tested, or signed off on within the month.
  • Risk Cloud Power User Trainings
  • Standards and Regulation Content Update:
Professional Service Bundles Ten (10) hours of access to the Risk Cloud Consultant Team, in addition to either of the Success packages listed above. Can be used for additional configuration, system administration, content update, or GRC process design and enablement support; and support with applying updates to existing control mappings for Risk Cloud Standards and Regulations Content.
Documents Report Configuration Bundles Ten (10) hours of access to the Risk Cloud Consultant Team to provide initial setup of report(s) based on Customer-provided template(s) and basic training on how to utilize reports. Customer is responsible for providing template(s) for any report(s) created.

Integrations
Ascent Regulators Each individual Regulator includes obligation, rule, and metadata for a given Ascent regulator integrated into the “Regulatory Compliance Powered by Ascent” Application within the Risk Cloud.
Ascent Banking Bundle - US

The Banking Bundle - US includes retail (consumer) banking/lending, wealth management, and business banking/lending entities, such as:

  • Depository financial institutions that are state or federally chartered banks (including special purpose charters)
  • Commercial banks (but not investment banks)
  • Bank holding companies
  • Savings banks and savings associations
  • United States Federal Jurisdictional Content:
    • Federal Reserve + OCC + FDIC + FFIEC
    • HUD (FFEO, FHA, Ginnie Mae) + Freddie Mac + Fannie Mae
    • CFPB + FTC + FCC + FEMA + VA + DOD + EEOC + DOJ
    • FinCEN + OFAC + Treasury
    • 50 States + DC

Items of Note:

  • International bodies set standards and policies relating to liquidity and capital requirements and bank payment and settlement processes (e.g., Basel Committee on Banking Supervision (Basel Committee), Financial Stability Board (FSB), and Bank of International Settlements (BIS))
  • Interstate Banking is governed by the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994,

The Banking Bundle - US excludes the following:

  • Credit Unions
  • Trust Companies (banks can offer trust services)
  • Specialty Purpose Banks
  • Investment Banks

Full list of specific regulatory offerings included in this Bundle are available upon request.
Ascent Mortgage Lending Compliance Bundle

The Mortgage Lending Compliance Bundle - US includes mortgage brokerage, mortgage origination(insurance) and mortgage servicing:

  • Mortgage lending by nondepository (nonbanking) financial institutions to individuals.
  • Depository institutions may use so long as they understand that they are subject to separate/additional/different requirements applicable to depository institutions.
  • United States Federal Jurisdictional Content
    • HUD (FFEO, FHA, Ginnie Mae) + Freddie Mac + Fannie Mae
    • CFPB + FTC + FCC + FEMA + VA + DOD + EEOC + DOJ
    • FinCEN + OFAC
  • 50 States + DC
  • Puerto Rico, Guam, American Samoa, U.S. Virgin Islands
  • The Mortgage Lending Compliance Bundle excludes the following:
    • Commercial/multifamily residential financing
    • Secondary market activities (including securitization and resale)

Full list of specific regulatory offerings included in this Bundle are available upon request.
Ascent Credit Union Compliance Bundle

The Credit Union Compliance Bundle - US includes Retail(consumer) banking and lending and small business banking and lending:

  • Depository financial institutions that are state or federally chartered credit unions
  • Service offerings for members only
  • United States Federal Jurisdictional Content
  • 50 States (DC does not issue credit union charters)
    • NCUA + FFIEC
    • HUD (FFEO, FHA, Ginnie Mae) + Freddie Mac + Fannie Mae
    • CFPB + FTC + FCC + FEMA + VA + DOD + EEOC + DOJ
    • FinCEN + OFAC
  • The Credit Union Compliance Bundle excludes the following:
    • Commercial/multifamily residential financing
    • Secondary market activities (including securitization and resale)

Full list of specific regulatory offerings included in this Bundle are available upon request.
Ascent Money Transmitter Licensing & Compliance Bundle

The Money Transmitter Licensing and Compliance Bundle - US includes MTL licensing and regulation, Virtual currency licensing and regulation and Federal Financial Rights to Privacy Act:

  • Service of accepting currency, funds (or other value that substitutes for currency) from one person and transmits it to another location or person by any means.
  • Although Congress has considered passing laws to expand federal oversight of money transmitters and the OCC has considered issuing a national MTL, currently only states license and regulate money transmitters.
  • United States Federal Jurisdictional Content
    • FinCEN + OFAC
    • Bank Secrecy Act regulatory controls, including the anti-money laundering
  • 50 State + DC - MTL laws and regulations
    • Montana does not have a money transmitter licensing requirement
    • Massachusetts requirements apply to international transmissions only.

Items of Note:

  • There is no uniformity among the states with respect to licensing or regulation of businesses that deal in virtual currencies
  • Entities regulated by the Securities and Exchange Commission (SEC) and Commodities and Futures Trading Commission (CFTC), do not need money transmitter licenses because that is not their primary business activity

The Money Transmitter Licensing and Compliance Bundle - US excludes the following:

  • Non-state rulesets governing international money transmissions
  • Money service businesses, currency exchangers, issuers of money orders, stored value cards, traveler’s checks
  • Consumer protection and consumer privacy
  • IRS cash transaction reporting laws, regulations

Full list of specific regulatory offerings included in this Bundle are available upon request.
Ascent Consumer Lending Compliance Bundle - US

The Consumer Lending Compliance - US includes Personal, auto, private student and small business loans, Secured and Unsecured loans, Small Business Loans and Lines of credit (including personal lines and HELOCs):

  • Consumer lending by nondepository (nonbanking) financial institutions to individuals.
  • Colleges and other non-financial institutions who make certain types of consumer loans (student loans) may be subject to fewer than all rulesets.
  • “Buy Now, Pay Later” (BNPL) firms may use so long as they understand it is for financing classified as “lending;” some rulesets/regulators classify BNPL as “installment sales.
  • United States Federal Jurisdictional Content
    • CFPB + FTC + FCC + FEMA + VA + DOD + EEOC + DOJ
    • FinCEN + OFAC
  • 50 State + DC, Puerto Rico, Guam, American Samoa, U.S. Virgin Island.

The Consumer Lending Compliance - US excludes the following:

  • Bank partnerships (custom scoping available)
  • Money/Loan Brokers
  • Credit Services Organizations
  • Debt Collection (third party)
  • Debt Management
  • Pay Day Loans
  • Mortgage Lending
  • Loan Finance Companies
  • Specialty lending and factoring
  • Commercial lending
  • Secondary market activities
  • Lending by non-bank subsidiaries of banks
  • Lending by foreign banks/non-banks

Full list of specific regulatory offerings included in this Bundle are available upon request.
Ascent Broker-Dealer + Investment Advisor Compliance Bundle - US

The Broker-Dealer + Investment Advisor Compliance - US includes State licensing and registration, Digital assets and financial activities regulated by the SEC/CFTC:

  • SEC-registered investment advisers, broker-dealers and investment companies
  • CFTC- registered commodity trading advisors, commodity pools and pool operators and commodities/futures merchant.
  • Variable Annuities and Variable Life Insurance (SEC requirements only)

The Broker-Dealer + Investment Advisor Compliance - US excludes the following:

  • Investment banks and non-registered funds (e.g., private equity and hedge funds)
  • Municipal advisors
  • Digital (crypto) finance/assets

Full list of specific regulatory offerings included in this Bundle are available upon request.
Black Kite Vendor Monitoring Includes a bucket of vendors monitored by Black Kite bringing over the Cyber Security Rating, Ransomware Index, Breach Index, Compliance Rating, Compliance Completeness, Compliance Confidence, and all FAIR scoring fields directly to the vendor level within the Risk Cloud TPRM application (“Black Kite Buckets”). Black Kite Buckets can be purchased for a quantity of 50, 100, 250, 500 or 1,000.
CUBE Regulatory Content Includes regulatory information directly from CUBE to monitor changes within tracked regulatory bodies. These can be broken down based upon changes, obligations, and in some cases horizon scanning capabilities if this level of the CUBE platform is purchased. This data is integrated into the Regulatory Compliance application within Risk Cloud.
CUBE Regulatory Services Custom-scoped services required for the implementation and integration of CUBE Regulatory Content.
Workato Middleware platform utilized for Risk Cloud Connector integrations. Customer's use of Workato Services is subject to Workato's Terms of Use and Workato's Privacy Policy.
Native Integrations Provides access to all integrations native to Risk Cloud.
API Access Access to the RESTful API, allowing you to connect Risk Cloud to third-party tools.
Risk Cloud Connector Pre-built connector or custom-built connector by LogicGate's Integration Services Team to connect to common SaaS platforms or GRC use cases.
Integration Service Bundles Ten (10) hours of access to the LogicGate Integration Services Team, in addition to the Risk Cloud Connector above. Will be used to build out the integration to the exact specifications required by the Customer.

Technical Account Management
Technical Account Manager (Silver) The Technical Account Manager (Silver) is a dedicated LogicGate resource who provides strategic and technical support for up to four (4) Applications in Risk Cloud. These four applications are to be agreed upon between the Customer and LogicGate once per contract Term Year.

Included in the Service for defined in-scope Applications:

  • Risk Cloud Training
    • As needed Advanced Admin User Training for configuration owners on all in-scope Applications
    • One (1) custom instructional video for end users per in-scope Application (see above for description)
  • Risk Cloud Configuration Support for live in-scope Applications
    • Minor Configuration Updates (e.g., adding a new step, field-level updates, additional workflow mappings)
    • Bulk actions (e.g., imports, record mappings, field updates, record assignments)
    • Table, Visual, and Dashboard report creations and updates

Included in the Service for the Risk Cloud Environment:

  • Implementation and Professional Services Project Management
    • Project management across all LogicGate scoped services work
    • Monthly alignment call to review the status of all in-progress project
  • Develop and maintain system-level Access Matrix across all Applications
  • Support with loading the latest version of Risk Cloud Standards and Regulations Content within 60 days of a major release published by the authoritative source, as well as mapping the new version to the “primary control set” (i.e., Secure Controls Framework or HITRUST) within 60 days of a major release from the primary control set's authoritative source, to maintain relevant control mappings.

Additional Service Details:

  • Account Strategy
    • Semi-Annual (every 6 months) Health Checks
    • Annual Executive Business Review
    • Semi-Annual (every 6 months) update of Risk Cloud data diagram
  • Technical Account Manager will be available during the hours of 8am - 6pm CST during normal business days and will have a targeted response time of eight (8) business hours.
  • Three (3) tickets to annual user conference Agility + Build Bash.
Technical Account Manager (Gold) The Technical Account Manager (Gold) is a dedicated LogicGate resource who provides strategic and technical support for up to eight (8) Applications in Risk Cloud. These eight Applications are to be agreed upon between the Customer and LogicGate once per contract term year.

Included in the Service for defined in-scope Applications:

  • Risk Cloud training
    • As needed, advanced admin user training for configuration owners on all in-scope Applications
    • One (1) custom instructional video for end users per in-scope Application (see above for description)
    • One (1) custom instructional video for admin users per in-scope Application (see above for description)
    • As needed in-depth knowledge transfer of existing Applications to new Power Users or Application owners
  • Risk Cloud configuration support for live in-scope Applications
    • Minor configuration updates (e.g., adding a new step, field-level updates, additional workflow mappings)
    • Bulk actions (e.g., imports, record mappings, field updates, record assignments)
    • Table, visual, and dashboard report creations and updates
  • Implementation and Professional Services project management
    • Development and maintenance of jobs matrix across all in-scope Applications
    • Development of custom admin manual for all in-scope Applications

Included in the Service for the Risk Cloud environment:

  • Implementation and Professional Services project management
    • Project management across all LogicGate scoped services work
    • Bi-weekly (every 2 weeks) alignment call to review the status of all in progress projects
    • Develop and maintain system-level access matrix across all Applications
    • Summarization and documentation of key decisions and requirements communicated during all LogicGate-scoped services work
  • Support with loading the latest version of Risk Cloud Standards and Regulations Content within 60 days of a major release published by the authoritative source, as well as mapping the new version to the “primary control set” (i.e., Secure Controls Framework or HITRUST) within 60 days of a major release from the primary control set's authoritative source, to maintain relevant control mappings.

Additional Service Details:

  • Account Strategy
    • Quarterly health checks
    • Semi-annual (every 6 months) Executive Business Review
    • Quarterly update of Risk Cloud data diagram
    • One-time GRC Maturity Workshop
  • Technical Account Manager will be available during the hours of 8am - 6pm CST during normal business days and will have a targeted response time of six (6) business hours.
  • Seven (7) tickets to annual user conference Agility + Build Bash.
  • Ninety (90) Professional Services hours per year to be used for scoped Implementation or Professional Services project work. These ninety hours do not roll over to subsequent years.
Technical Account Manager (Platinum) The Technical Account Manager (Platinum) is a dedicated LogicGate resource who provides strategic and technical support for up to twenty (20) Applications in Risk Cloud. These twenty Applications are to be agreed upon between the Customer and LogicGate once per contract Term Year.

Included in the Service for defined in-scope Applications:

  • Risk Cloud training
    • As needed Advanced Admin User Training for configuration owners on all in-scope Applications
    • One (1) custom instructional video for end users per in-scope Application (see above for description)
    • One (1) custom instructional video for Admin Users per in-scope Application (see above for description)
    • As needed in-depth knowledge transfer of existing Applications to new Power Users or Application Owners
  • Risk Cloud Configuration Support for live in-scope Applications
    • Minor Configuration Updates (e.g., adding a new step, field-level updates, additional workflow mappings)
    • Bulk actions (e.g., imports, record mappings, field updates, record assignments)
    • Table, Visual, and Dashboard report creations and updates
  • Implementation and Professional Services Project Management
    • Development and maintenance of Jobs Matrix across all in-scope Applications
    • Development of Custom Admin Manual for all in-scope Applications

Included in the Service for the Risk Cloud Environment:

  • Implementation and Professional Services Project Management
    • Project management across all LogicGate scoped services work
    • Weekly alignment call to review the status of all in progress projects
    • Develop and maintain system-level Access Matrix across all Applications
    • Summarization and documentation of key decisions and requirements communicated during all LogicGate scoped services work
  • Support with loading the latest version of Risk Cloud Standards and Regulations Content within 60 days of a major release published by the authoritative source, as well as mapping the new version to the “primary control set” (i.e., Secure Controls Framework or HITRUST) within 60 days of a major release from the primary control set's authoritative source, to maintain relevant control mappings. Additional Service Details:
    • Account Strategy
      • Monthly Mutual Success Planning
      • Quarterly, (every 3 months) or As-Needed Executive Business Review
      • Continuous updates of Risk Cloud data diagram
      • Annual GRC Maturity Workshop
      • Twice-Annual (every six months) Onsite
    • Technical Account Manager will be available during the hours of 8am - 6pm CST during normal business days.
    • Fifteen (15) tickets to annual user conference Agility + Build Bash.
    • One Hundred and Eighty (180) Professional Services hours per year to be used for scoped Implementation or Professional Services project work. These hours do not roll over to subsequent years.
      • Each project will require separate scoping and will be performed by the designated team, with project management and oversight by the Technical Account Manager.

GRC Maturity Workshop
GRC Maturity Workshop GRC Maturity Workshops enable LogicGate customers to assess, discuss, and plan their GRC management programs with insights and guidance from a LogicGate team member.

This engagement will be led by LogicGate, but require preparation and participation from the customer

  • Completion of a GRC maturity self-assessment
  • In-person workshop
  • Post-workshop readout presentation

Following completion of the GRC Maturity Workshop, customers will receive these deliverables:

  1. Program Roadmap:
    A custom program roadmap that outlines the next steps a customer should take to reach their GRC program goals as defined in the workshop.
  2. Executive Readout:
    A presentation for the customer's executive team highlighting the current strengths of their program and outlining the program roadmap.
  3. Use Case Map:
    A diagram that highlights the customer's GRC program connection points and outlines the path the customer can take to implement additional GRC capabilities as they mature their program over time.

v.2.2.2 | Last Updated: November 2024