IT Governance, Risk and Compliance (GRC) Tool

The BSD Information Security Office’s IT GRC tool is designed to help manage all facets of compliance and information security within the Biological Sciences Division, including policies and procedures, risk assessment and mitigation and vulnerability management.

The BSD Information Security Office’s IT GRC Tool consist of LockPath Keylight’s Compliance Manager, Risk Manager and Security Manager modules.
The Compliance Manager is utilized for the following tasks:

  • Manage policy lifecycle.
    • Create or import existing policies and link to controls.
  • Track regulatory changes.
    • Identify gaps and eliminate inefficient overlaps.
  • Create awareness.
    • Track and report acknowledgement of security policies, standards and procedures.
  • Assess knowledge.
    • Measure comprehension.


The Risk Manager is utilized for the following tasks:

  • Document risks.
    • Generate a risk register, including dynamic records created by assessments.
  • Prioritize risks.
    • Analyze, score and track each risk—configurable for any risk methodology.
  • View key risk indicators.
    • Powerful, flexible reporting on current risk status and trends over time.
  • Manage treatment.
    • Track remediation, including policy exceptions.


The Security Manager is utilized for the following tasks:

  • Automation
    • Keylight leverages scanning capabilities of Qualys and automates the resolution activities of system vulnerabilities.
  • Notification
    • Send immediate notification to the appropriate IT Custodian of known vulnerable systems.
    • Escalation of notifications to System Owners and Department Executive Assistants in the event of noncompliance.
  • Resolution
    • Automated remediation upon Qualys status change.
    • Streamlined workflows for managing vulnerabilities that are deemed to be false positive or mitigated.
  • Reporting
    • Metrics on all information pertaining to vulnerabilities.


Please use the following process for utilizing the BSD ISO’s IT GRC tool.

  1. Navigate to  This website is only available on-campus or by utilizing the VPN.
  2. Click Single Sign On.  You will be directed to the University of Chicago Shibboleth/SAML portal.
  3. Login using your CNET credentials.  If you do not have CNET credentials, a portal account will be created for you upon request.
  4. You will be forwarded to the LockPath Dashboard.  In the upper right corner, mouse over Cm, Rm or Sm and click the Home option.


Training Documents

IT GRC – Compliance Document Management

IT GRC – Submit an IT Security Exception

IT GRC – Asset Tracker

IT GRC – Vulnerability Management