Verity
ServiceNow Employee
  1. Compile all known external regulations, internal policies, control objectives and risk statements. Review them to understand the scope of your risk and compliance activities and how to group entities (the people, places, objects or things that need to be monitored) to support those activities. For example:
     • If you are subject to SOX, you will likely need a list of SOX business applications.
     • To assess process risk across the organization, you will likely need lists of processes, business units, departments, etc.
     • To complete an IT security audit, you will likely need a list of IT assets.
  2. Upload quality, 'single source of truth' foundational data into the ServiceNow tables (e.g. departments, business applications). These tables are the data source used to create entities, risks and controls in the GRC / IRM application. Avoid creating standalone data; it saves reconciliation effort later. Key tables include:
Table Name                Table Label           Table Description
core_company              Company               Company details
sys_user                  Users                 List of users in the organization
business_unit             Business Unit         Business units within the organization
cmn_department            Department            All departments
cmn_location              Location              Location data such as region, country, state, city, site, building/structure, floor and room
cmdb_ci_business_app      Business Application  A purchased or internally developed application
cmdb_ci_business_process  Business Process      A process that is owned and carried out by the business and contributes to the delivery of a product or business service
cmdb_ci_service           Business Service      An IT service that directly supports a business process (ITIL)
cmdb_ci_datacenter        Data Center           A facility used to house computer systems and associated components, such as telecommunications and storage systems
  3. Upload risk and control data, including policies, authority documents, citations, control objectives, the risk framework and risk statements.
Once these steps are complete, create the entity framework. Its core components are defined below:
Entity: People, places, objects or things that are tracked for GRC activities such as managing risks and tracking control compliance.
Entity Type: A dynamic category containing one or more entities of a similar kind, selected by conditions against tables within ServiceNow.
Entity Class: A tag for entities that allows GRC managers to organize entities for aggregation and reporting.
Entity Class Rule: A rule that maps which class is assigned to an entity when it is created from a specific table.
Entity Tier: A level in the entity class hierarchy.
  4. Create Entity Tiers (optional) to build the levels within the Entity Class hierarchy, e.g. Tier 1: Business, Tier 2: Application, Tier 3: IT Asset. Tiers can also be used to logically group Entity Classes, e.g. the 'Database' and 'Server' Entity Classes can be grouped under an 'IT Asset' Entity Tier.

          Tip: Use the GRC Workbench's drag-and-drop interface to build and manage the Entity Class hierarchy.
  5. Create Entity Classes to distinguish entities and organize them for reporting, e.g. Department, Business Application, Business Service. Where Entity Tiers exist, an Entity Class can be associated with a tier on the Entity Class form.
     Entity Classes are mandatory as of the San Diego release: they are critical for tagging Entities, and Advanced Risk Assessments use them to send assessments in bulk to similar Entities. For an IT Risk Assessment RAM, for example, the applicable Entity Classes may include IT assets, business applications and servers.
  6. Create Entity Class Rules to map tables to Entity Classes so that entities are assigned to classes automatically. Rules apply at creation time: if Entities are created before this step, their Entity Class has to be added manually.
  7. Create Entity Types with Entity Filters. An Entity Type creates Entities from the rows of a table that match its filter, and can also create risk and control instances in bulk for similar entities, e.g. critical IT assets.
  8. Create any additional Entities that do not fit an Entity Type.
  9. Create the Entity Hierarchy, which is essential for risk score roll-up in advanced risk assessments. It can be built from the 'Hierarchy' tab on each Entity record or managed in the 'Dependency Map' tab of the GRC Workbench.
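The following stand-alone model is an added example, not ServiceNow or IRM code, that walks through steps 4 to 9 in memory: tiers, classes, class rules keyed by source table, entity types as table-plus-filter, a standalone entity, and a score roll-up over the entity hierarchy. The source table names are the ones listed above; cmdb_ci_server, the 'criticality' field, the record layout, the sample rows and scores, and the roll-up rule (a parent takes the highest score in its subtree) are assumptions made for this example, not a description of how the platform computes roll-up. It also shows why step 6 precedes step 7: entities created without a matching class rule come out unclassed.

```javascript
// Added stand-alone model of the entity framework (steps 4 to 9). Not
// ServiceNow code: no GlideRecord, no real GRC tables. Table names come from
// the page; cmdb_ci_server, the 'criticality' field, the record layout and the
// roll-up rule (parent takes the highest score in its subtree) are assumptions.

// Constructed sample rows standing in for the foundational tables.
const TABLES = {
  cmn_department: [{ sys_id: 'dept01', name: 'Finance' }],
  cmdb_ci_business_app: [
    { sys_id: 'app01', name: 'General Ledger', criticality: 'critical' },
    { sys_id: 'app02', name: 'Intranet Wiki', criticality: 'low' },
  ],
  cmdb_ci_server: [{ sys_id: 'srv01', name: 'gl-db-01', criticality: 'critical' }],
};

// Step 4: entity tiers give the class hierarchy its levels.
const TIERS = { Business: 1, Application: 2, 'IT Asset': 3 };

// Step 5: entity classes tag entities; each class belongs to a tier.
const CLASSES = {
  Department: 'Business',
  'Business Application': 'Application',
  Server: 'IT Asset',
  'Data Center': 'IT Asset',
};

// Step 6: entity class rules map a source table to the class its entities get.
const CLASS_RULES = {
  cmn_department: 'Department',
  cmdb_ci_business_app: 'Business Application',
  cmdb_ci_server: 'Server',
};

// Step 7: an entity type is a table plus an entity filter over its rows.
const ENTITY_TYPES = [
  { name: 'All departments', table: 'cmn_department', filter: () => true },
  { name: 'Critical business applications', table: 'cmdb_ci_business_app',
    filter: (row) => row.criticality === 'critical' },
  { name: 'Critical servers', table: 'cmdb_ci_server',
    filter: (row) => row.criticality === 'critical' },
];

// One entity per row matching an entity type. The class is looked up in the
// rules that exist at creation time: with no rule for the table the entity is
// created with entityClass null and has to be tagged by hand afterwards.
function createEntities(entityTypes, tables, classRules) {
  const entities = [];
  for (const type of entityTypes) {
    for (const row of tables[type.table].filter(type.filter)) {
      entities.push({
        id: row.sys_id,
        name: row.name,
        sourceTable: type.table,
        entityType: type.name,
        entityClass: classRules[type.table] || null,
      });
    }
  }
  return entities;
}

// Step 8: an entity that no entity type covers is added directly with a class.
function addStandaloneEntity(entities, id, name, entityClass) {
  entities.push({ id, name, sourceTable: null, entityType: null, entityClass });
  return entities;
}

// The tier of an entity follows from its class; an unclassed entity has none.
function tierOf(entity) {
  return entity.entityClass ? TIERS[CLASSES[entity.entityClass]] : undefined;
}

// Step 9: the hierarchy is given as child id -> parent id. Roll assessed
// scores up it (assumed rule: maximum over the subtree) and reject a
// hierarchy that loops, which would otherwise recurse forever.
function rollUp(entities, parentOf, scores) {
  const children = {};
  for (const [child, parent] of Object.entries(parentOf)) {
    (children[parent] = children[parent] || []).push(child);
  }
  const rolled = {};
  const visit = (id, ancestors) => {
    if (rolled[id] !== undefined) return rolled[id];
    if (ancestors.has(id)) throw new Error('cycle in entity hierarchy at ' + id);
    ancestors.add(id);
    let score = scores[id] || 0;
    for (const child of children[id] || []) {
      score = Math.max(score, visit(child, ancestors));
    }
    ancestors.delete(id);
    rolled[id] = score;
    return score;
  };
  for (const entity of entities) visit(entity.id, new Set());
  return rolled;
}

// Worked run over the constructed data: department -> app -> server, plus a
// standalone data center under the department, with constructed scores.
function demo() {
  const entities = createEntities(ENTITY_TYPES, TABLES, CLASS_RULES);
  addStandaloneEntity(entities, 'dc01', 'London DC', 'Data Center');
  const parentOf = { app01: 'dept01', srv01: 'app01', dc01: 'dept01' };
  const scores = { dept01: 1, app01: 2, srv01: 4, dc01: 3 };
  return { entities, tiers: entities.map(tierOf), rolled: rollUp(entities, parentOf, scores) };
}
```

Running demo() yields four entities (the low-criticality application is filtered out), tiers 1, 2, 3, 3, and a rolled-up score of 4 for the department because the critical server beneath it scores 4. Calling createEntities with an empty rule set reproduces the step 6 caveat: every entity comes back with entityClass null and no tier.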
Last update: 11-16-2022 08:49 AM