I have a requirement to move cyber-security assessments into ServiceNow. Early indication is that Attestations maybe the best place for this. The requirements at the highest level is that when a software solution needs a security review, someone will fill out a questionnaire that will determine the data classification. Based on the data classification, this will bring up the set of questions that pertain to the standards required to attest for High Sensitive information, Medium and Low.
So far, I have created a total of 4 Attestation Questionnaires to accomplish this. A sample of Determine Data Classification attestation screenshot is found below:
Then, I created 3 separate follow-on attestations for High, Medium and Low data classification. A sample of one is found below:
The question: How do I use the results from the Data Classification Attestation to open up either the High, Medium or Low attestation questionnaires? Is this possible?
Any assistance or pointers are greatly appreciated!
Careful here. "Attestation" is the GRC specific use case of the underlying Assessment technology. Attestations won't make sense unless there's a control and compliance result you're trying to achieve (with SN's controls and compliance records!)
I believe in Fuji or Geneva they added the ability to have question dependency on Assessments. So when you pull up a question from an assessment (called a "metric"), you should see a column that says "depends on". This references another metric record (another question). Once you have a selected Depends On, another field will show up called "Display When", which will allow you to reference possible answers of the question you depend on...
Here's one I threw together quick on my demo instance...
Step 1 - define all the Class 1, 2, 3 questions on the assessment as if you were going to ask them all anyway.
Step 2 - for each question populate the dependency question and answer that will expose this metric.
Hope that helps. My assessment knowledge was hard won!
Careful here. "Attestation" is the GRC specific use case of the underlying Assessment technology. Attestations won't make sense unless there's a control and compliance result you're trying to achieve (with SN's controls and compliance records!)
I believe in Fuji or Geneva they added the ability to have question dependency on Assessments. So when you pull up a question from an assessment (called a "metric"), you should see a column that says "depends on". This references another metric record (another question). Once you have a selected Depends On, another field will show up called "Display When", which will allow you to reference possible answers of the question you depend on...
Here's one I threw together quick on my demo instance...
Step 1 - define all the Class 1, 2, 3 questions on the assessment as if you were going to ask them all anyway.
Step 2 - for each question populate the dependency question and answer that will expose this metric.
Hope that helps. My assessment knowledge was hard won!
