CSDM for Governance, Risk Management and Compliance (GRC)
‎05-06-2021 01:11 AM
For one of our clients we're moving to CSDM to support their GRC activities. Who can I talk to to discuss the CSDM data model in relation to the GRC data model? Or can I join the conversations and designs already going on regarding this topic?
Thanks, Michael

‎05-06-2021 01:51 AM
Hi
Not sure what exactly you are looking for, but GRC is using Entities in their model, which can be linked to Business Services, last time I checked.
Here I found this YouTube video discussing Quebec GRC - CSDM:
https://www.youtube.com/watch?v=VKhHhDAnHsc
‎08-24-2021 09:00 AM
One of the things that comes up frequently is that business applications, application services, or business services have inherent compliance requirements, whether due to specific information managed by the app/service, the customer types who consume the service, or the locations/geographies where the services are consumed. What I'd like to see is more specific guidance and product views on how this is done in a way that we can execute GRC policies and indicators against the CMDB to determine, via the service/app layers, which specific servers need to be included in a configuration audit.
Without CSDM guidance, customers tend to want to define these regulatory indicators as boolean flags on their infrastructure CIs ("is this a SOX server? HIPAA server?") and some of the current GRC guidance out there seems to still advise users to do this when performing configuration audits against GRC policies. This is problematic on multiple levels.
What I would like to see is more specific guidance on how compliance information should be defined in the CMDB according to CSDM, and how this information is best utilized in GRC to perform configuration audits on CIs based on the business applications and services that depend on them.
The opinions expressed here are the opinions of the author, and are not endorsed by ServiceNow or any other employer, company, or entity.
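As an added illustration of the point made above (example code, not from the original post or from ServiceNow): a small constructed CMDB modelled loosely on CSDM layers, where compliance requirements are recorded once on the Business Application and the configuration-audit scope is derived by walking dependencies down to the servers, then compared against hand-maintained per-server flags. The CI names, the regulations attached to them and the dependency map are all assumptions for this example.

```python
from collections import defaultdict

# Constructed sample: compliance requirements live on the Business Application,
# not as boolean flags on infrastructure CIs.
BUSINESS_APPS = {
    "Payroll": {"SOX"},
    "ClinicalTrials": {"GxP"},
    "Intranet": set(),
}

# Constructed dependency edges (child CI -> CIs it depends on), loosely mirroring
# Business Application -> Application Service -> Server in CSDM.
DEPENDS_ON = {
    "Payroll": ["payroll-prod", "payroll-reporting"],
    "ClinicalTrials": ["ct-prod"],
    "Intranet": ["intranet-prod"],
    "payroll-prod": ["srv-db-01", "srv-app-01"],
    "payroll-reporting": ["srv-app-02", "srv-db-01"],
    "ct-prod": ["srv-app-02", "srv-db-02"],
    "intranet-prod": ["srv-web-01"],
}

def downstream_servers(ci: str) -> set[str]:
    """Return every leaf CI (server) reachable from ci through DEPENDS_ON."""
    seen, stack, leaves = set(), [ci], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        children = DEPENDS_ON.get(node, [])
        if not children:
            leaves.add(node)
        stack.extend(children)
    leaves.discard(ci)  # an app with no dependencies has no servers in scope
    return leaves

def audit_scope() -> dict[str, set[str]]:
    """Map each regulation to the servers its configuration audit must cover."""
    scope = defaultdict(set)
    for app, regs in BUSINESS_APPS.items():
        servers = downstream_servers(app)
        for reg in regs:
            scope[reg] |= servers
    return dict(scope)

def flag_drift(flags: dict[str, set[str]]) -> dict[str, set[str]]:
    """Servers where manually maintained per-server flags disagree with derived scope."""
    drift = {}
    for reg, servers in audit_scope().items():
        flagged = {s for s, f in flags.items() if reg in f}
        if flagged != servers:
            drift[reg] = servers ^ flagged
    return drift
```

Because srv-app-02 is shared by a SOX and a GxP application, a single per-server flag cannot represent it, and a server that starts hosting a new regulated service is picked up by the derived scope without anyone editing the CI.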
‎11-03-2022 03:50 AM
Hi,
Have you found the solution? Currently I am implementing CSDM for a client and they are confused about from which layer they should track SOX/GxP compliance: is it Business Application, Application Service or Service Offering? What does the best practice say?
‎11-03-2022 04:02 AM
I believe it is Business Application, as the GRC recommendation engine looks at the compliance data (BC, SOX) at the Business Application level.