DORA CSDM Implementation Guide - DRAFT version

KristineNaess
ServiceNow Employee

Hi all,

The introduction of the DORA regulation is approaching, and we have launched the DORA Accelerator on Store. But many have asked us if we have more instructions on how to make use of the CSDM for better and more automated reporting. In this draft version of a DORA ITS Reporting Framework implementation guide, we try to do just that: provide tips and tricks that will make your reporting so much better.

The Digital Resilience Third-party Information Register app is now available in the ServiceNow store.

It takes time to get this finalised and approved internally, and we could not let you wait any longer. So please report back to me if you find anything that doesn't make sense, is very hard to understand or is wrong in the guide.

Have a good time reading through the material!

Cheers,

Kristine


Hi Ivan,

And thanks for your question. It's a very central one. We don't need the Business Functions as part of our data model, but we need to allow our customers to have something to roll up information and report on. And since there is no 1:1 between what is described as a Critical or Important Business Function in DORA and other reporting frameworks and regulations, we try to map it to items in our data model which it makes sense to report on. I will add some more text on this in the guide, as I see that many are struggling to understand why we have added a Functions table at all.

So to give you an answer in the meantime: when centralized IT wants to perform Business Continuity Planning and Disaster Recovery exercises, they may choose to do so from different perspectives: geographical, data center based, application centric, service centric, etc., rather than from the perspective of a Sold product to one single consumer Legal Entity. And to have control over the overall coverage of all DORA requirements, someone within the IT service providing Legal entity needs to be able to roll up information to a level based on what the outcome of all of those activities, systems and people should be. Then it makes sense to do it from a bird's eye perspective, such as on a Business Capability or Business Process/Value stream. The consuming Legal entities, on the other hand, can get their reports based on their consumption rather than the totality, if they like. That would be on a Sold product level. Most of them receive a lot of sold products, so they need to structure the reports according to why they receive those sold products, and that structure can be per Business Capability or Business Service/Value stream.

Since there is a mutual dependency between those legal entities, it also makes sense for a consuming legal entity to know that the IT delivery legal entity has full control and will not go bankrupt following a disaster of some sort. So I think we need both: to show back reports on consumption on a sold product level, and to show total resilience on a business capability (or, if preferred, business process/value stream) level.

I will need to think more about how I can better describe this, but for now: the business functions are useful "labels" we can add to existing entities in the data model, rather than model entities. And for those who have not implemented CSDM 4, it can be a very useful solution to set up on the way to being able to utilise the data model itself, thereby also avoiding wrong usage of the CSDM tables.

Hope that didn't add to your confusion; it was all I had time for today. I will come up with something better soon.

Best regards,

Kristine

ivangulta
ServiceNow Employee

Thank you Kristine for the detailed response 😍

This helped me better understand the use case for Business Function.

With this in mind, would it be possible to apply the Regulatory Policy and GRC Profile Entity to Value Streams (green arrow):

ivangulta_1-1732134452863.png

This would enable designing (and governing) resilience at component (Process, Capability, People, etc.) and rolled-up (Function, Value stream) levels.

Hi Ivan,

Absolutely, sounds like a good plan. This way you can also attach various security controls or other policy controls to your Business Processes and/or to all related products and CIs that are part of your value stream "tooling", and show them on your Value stream as evidence.

The functionality around Value Streams will be enhanced in the coming years, so it's a good thing to be prepared when it comes.

Have a great day!

Kristine

lexveldkamp
Tera Contributor

Hi Kristine,

The guide is a great help. I have a question on the registration of the Critical Business Functions on the Business Capability table. Using the Business Criticality field is mentioned, but this field is not part of the Business Capability table. Is it suggested that this be added to the table?

Hi Lex,

Thanks for your question. As you know, the Business Criticality "field" is a drop-down added on the cmdb_ci_service (sys_choice_list: busines_criticality (sic)) and the cmdb_ci_business_application (sys_choice_list: business_criticality) branches of the cmdb table. This is good when you need to have different metrics for architecture vs. service delivery, but not if you would like to have the same thresholds. In my past position, we allowed the same values to be used from the cmdb_ci and downwards, but I haven't fail-safed this in all thinkable use cases yet.

Business processes differentiate between determined and declared criticality, so those are different.

I have started describing this in the guideline, so it will be added to the next version :-).

Have a great day!

Cheers,

Kristine