Lisa Latour
Administrator

This is the Q&A transcript from the On-Demand Webinar:

Best Practices: Governance, Risk, and Compliance & Common Controls Hub


Change is a constant for organizations — new regulations are introduced, companies acquire and divest other companies, partner ecosystems evolve, and new technologies are introduced into the corporate environment. Is your organization able to keep up with change? Are you able to effectively identify common controls and risks across your existing and new compliance obligations? As your compliance regime expands, what approaches are you using to streamline your control environment?

Join Vivian Tero and Eric Le Martet, from ServiceNow, and Craig Isaacs, from Unified Compliance, as they demonstrate how to use the UCF Common Controls Hub™ (CCH) with ServiceNow Governance, Risk & Compliance (GRC) to streamline compliance controls and optimize your compliance, audit and risk management resources.

Topics covered during this webinar include:

  • Activating a CCH account and integrating it with ServiceNow GRC
  • Defining scope, customizing the Common Controls list, and updating controls and risks
  • Streamlining compliance controls and risks across regulations, standards and legal obligations
  • Identifying and monitoring changes in controls resulting from new and updated regulations, standards and mandates


Q: Do you offer a document mapping service?

A: Yes, under the right circumstances Unified Compliance will map documents for a fee. Also, with the introduction of UCF Mapper there are different roles to fit that need:

- Individual Mapping Contributors are part of the UCF Mapping Team and will be paid for their work
- Mapping Consultants and Professional Service Groups will map for their clients for a fee
- Mapping Providers are organizations that provide mapped documents to anyone for a fee
- Mapping Patrons are organizations that share free documents to a limited or unlimited audience

Q: It sounds like the UCF is probably the best approach to our control assessment and attestation process. Most recently, executives here want to ensure we are "NYDFS compliant" - the latest buzz-phrase. Same for HIPAA, etc....and it has always been like this. What is the best way for me to reassure executives that UCF is the best way to achieve this goal and not be chasing standards and regulations one-by-one?

A: Too often, organizations rely heavily on one particular standard for their compliance programs, but strict adherence to individual standards does not guarantee compliance. Every standard must be understood within the context of your actual requirements. A company which is relying heavily on a standard is almost certainly doing things it doesn't need to do, and not doing other things it must do for an effective program. For instance, ISO 27002 has 238 direct controls. The Sarbanes-Oxley Act, including the associated requirements, mandates 174 direct controls. What percentage of the controls overlap? Only 16% of the controls in ISO 27002 directly overlap with SOX; that's only 38 of the 238 controls.

Q: If we are entitled to the free connection to the UCF, is there a point when we would need to purchase?

A: Subscriptions to the UCF (through the SaaS portal, the Common Controls Hub) expire November 2018 and can be renewed.

Q: How can we confirm we are entitled to use the UCF Common Controls Hub as an existing customer?

A: A free UCF Common Controls Hub account applies only to ServiceNow GRC customers on Helsinki 7+ and Istanbul with effective contract start dates on or before November 30, 2016. If this applies to you, you have a free UCF CCH account from December 1, 2016 to November 30, 2018. Customers must execute the following actions:

  • Activate the Compliance UCF plugin (com.sn_comp_ucf)
  • Submit a request on the ServiceNow HI Service Portal to validate the GRC subscription and set up a UCF-CCH account
  • Use ServiceNow activation code to enroll for the UCF CCH account
  • Integrate the UCF CCH account with your GRC instance

Your ServiceNow rep should be able to answer any further questions for you.

Q: What is the UCF?

A: The Unified Compliance Framework ® (UCF ®) is the world's largest compliance library database. It's the only framework that reduces compliance regulations to a simplified, manageable set of "harmonized" controls, as well as reducing the cost and complexity of regulatory compliance. Users can use the UCF to quickly and easily identify the minimum set of controls they need to comply with to meet their requirements, eliminate redundant controls across hundreds of regulations in order to comply once and demonstrate compliance to many different intersecting requirements simultaneously, and tie all controls to Audit Guidelines, Document Templates, Metrics, Roles, Information Classification, Research Site reports, and much more. Use the SaaS portal, the Common Controls Hub, to extract needed data from the UCF. The Unified Compliance Framework has the most comprehensive set of IT regulatory compliance controls available anywhere—from the actual issuing authority to the controls to the specific configuration or audit requirement—at a fraction of the cost and time it would take to do it yourself or with other resources.

Q: Will my Common Control framework vary based on industry/location etc.?

A: Yes, select the Authority Documents your organization needs to follow based on geography, subject matter, or simple search.

Q: Is the content we map proprietary to our organization or shared with others?

A: When using UCF Mapper, you determine who will have access to your work. Some customers will map for their own company's use only, while Consultants and Professional Service Groups will map for their clients for a fee, some customers will provide mapped documents to anyone who wants them for a fee; some organizations will share free documents to a limited or unlimited audience. Check here for further information: http://www.ucfmapper.com/overview/why-would-i-want-to-map-an-authority-document/

Q: Is there a list of standards currently supported by UCF (SSAE, PCI, etc.)

A: You may search for Authority Documents (statutes, regulations, safe harbors, audit guidelines, best practices, service level agreements, standards, contractual obligations, and any other documents that the organization must adhere to for compliance) currently mapped into the UCF by going here: https://www.unifiedcompliance.com/products/search-authority-documents/. You may search by date range—input Jan. 1, 2009 for the start date to the present date to view a list of all mapped Authority Documents.

Q: Which organization defined UCF? How was it compared against other frameworks?

A: Unified Compliance is a privately held company which took on the task of mapping all the frameworks into one huge database called the Unified Compliance Framework ® (UCF ®). The UCF provides a scientific approach to IT compliance that reduces cost, limits liability, and simplifies the compliance process. The UCF contains Controls from over 1,000 international regulatory requirements, standards, guidelines, and frameworks and is updated constantly. Unified Compliance's unique methodology transforms this massive compilation of data into a single set of straightforward requirements that clearly show the many points where multiple regulations overlap, enabling businesses to quickly create a customized set of controls that fully leverage their existing compliance policies, processes and tools. The data in the UCF is accessible through the SaaS portal, the Common Controls Hub.

Q: Is there training available to learn how to use UCF and map to our company's policies and controls?

A: Unified Compliance has teamed up with (ISC)2, an international nonprofit membership association renowned for their training and certification training programs, to provide an enhanced computer-based training (CBT) program to teach the compliance mapping process step-by-step. The training includes multimedia presentations, demonstrations, and hands-on experience. Compliance professionals will spend 8-10 hours learning to map Authority Documents correctly and accurately in a way that will satisfy auditors and regulators, while simplifying governance for their organization or clients. To learn more, go here: http://www.ucfmapper.com/overview/isc2-compliance-mapping-certificate-program/

Q: Does the UCF include control policies or controls for ISO/IEC 62443 Cyber Security for Industrial Automation and Control Systems?

A: We have not mapped the document you're looking for at this time, but you may request that we map it here: http://commoncontrolshub.com/support/

Q: When does ServiceNow plan to incorporate COBIT 5 into the available UCF?

A: Unified Compliance (as opposed to ServiceNow) would provide the mapping for COBIT 5 and we've had quite a few requests for it. We are working with ISACA to make that happen.

Q: So the auto-load creates citations from the authority documents selected? Then through the Mapper (after being trained), we manually create our controls? Or are some controls automatically created? Anything else auto created?

A: With a subscription to the UCF Common Controls Hub and the UCF API (which you might be entitled to through ServiceNow at no charge) based on the Authority Documents you select, you can bring in any data from the UCF database, including all the Common Controls (ServiceNow calls them Policy Statements). Your ServiceNow rep should be able to offer more of an explanation. UCF Mapper isn't necessary unless you want to add Authority Documents we haven't mapped yet or, by year-end, your own policy documents, into the UCF.

Q: Can we add in custom content if something is not covered by UCF and if so how? How do you remove UCF content we do not want in ServiceNow — i.e., if there is a regulation that does not apply to our company?

A: You will choose which data to import into ServiceNow GRC by the Authority Document lists you save, share, and import. UCF Mapper will be available soon and will allow you to add publicly available content into the UCF. By year-end, you'll be able to use UCF Mapper to add custom content, like your company's policy statements, into the UCF for your private use.

Q: Are there consulting services from CCH to help implement?

A: When you subscribe to the UCF Common Controls Hub you receive free support from our support team and, in some cases, our account managers. It's really simple to create an Authority Document list in the Common Controls Hub, share it, and import that data into ServiceNow GRC. For ServiceNow GRC implementation questions, please contact your ServiceNow rep.

Q. Please cover the best practices regarding using/setting up the Profiles and Profile Types. Are they only to be used when looking to set up automatic controls? They seem to populate Controls at an unmanageable rate.

A.   Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type conditions. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type.

Risk managers use profile types and profiles to monitor risk exposure and perform risk assessments.

Policy and compliance managers use profile types and profiles to create a system of internal controls and monitor compliance. You can create profiles and profile types to better organize your controls and risks. Once all the controls, risks and engagements are associated with a profile, the profile owner can see all of them under their profile and manage them better.

Q. What does GRC stand for?

A.   Governance, Risk, and Compliance. Thanks.

Q. Do you always need to use Profiles and Profile Types?

A.   Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type conditions. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type.

Risk managers use profile types and profiles to monitor risk exposure and perform risk assessments.

Policy and compliance managers use profile types and profiles to create a system of internal controls and monitor compliance.

You can also add profiles to your engagement, which will bring in all the associated controls, risks, test plans and audit tasks automatically. It's beneficial to use profiles since all the components are connected to each other through profiles.

Q. What is UCF?

A.   UCF stands for 'Unified Compliance Framework'. It is a third-party content provider. The GRC UCF plugin enables importing Authority Documents, which define an external standard, best practice, statute, framework or regulation for which organizations may be required to achieve compliance. Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. From Istanbul onwards, users with a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH) can download content from the UCF-CCH for use as GRC authority documents, citations, controls, and policy statements. Users must have a UCF-CCH account to create shared lists and import them into ServiceNow.

Q. Hi, currently we don't use the GRC module to perform audit engagement. But we do use the legacy GRC (mainly observation and remediation tasks) to track internal/external recommendations. How can we do that in the new GRC module?

A.   Observations and remediations are captured under Issues in the new GRC application.

Issues are created in any of the following ways:

1) Automatically, if the indicator result is Failed or Not Passed.

2) Automatically, if the attestation result is Not Implemented.

3) Automatically, if the control test effectiveness is Ineffective and the state of the test is Closed Complete.

4) Manually to document audit observations, the intention of remediations, or to accept any problems.

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk exposure. Accepting an Issue marks an intention to create an exception for a known control failure or risk. Controls that are "Accepted" remain in a non-compliant state until the control is reassessed. In both of these cases, the Issue can be used to document observations during audits.

Q. What happens if we have used GRC on Geneva since before Nov 30, 2016? Are we entitled to the free entitlement?

A.   If your GRC effective contract date is before December 1, 2016, you are entitled to a free UCF CCH account for the period of December 1, 2016 through November 30, 2018.

Q. Can you describe the UCF integration with Jakarta?

A.   UCF integration in Jakarta is the same as in Istanbul.

Users with a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH), can download content from the UCF-CCH for use as GRC authority documents, citations, controls, and policy statements. Users must have a UCF-CCH account to create shared lists and import them into ServiceNow.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator. The UCF integration is an OAuth-based integration requiring a user's CCH Client ID and Client Secret.

Q. Can you let us know our primary contact for the co. who can assist with the plugin?

A.   Contact ServiceNow customer support. They'll guide you through the process.

Q. Will the common control framework vary based on industry/location etc.?

A.   Yes, select the Authority Documents your organization needs to follow based on geography, subject matter, or simple search.

Q. How can we upload all existing observation and remediation tasks to the new GRC module?

A.   Observations and remediations are captured under Issues in the new GRC application.

Issues are created in any of the following ways:

1) Automatically, if the indicator result is Failed or Not Passed.

2) Automatically, if the attestation result is Not Implemented.

3) Automatically, if the control test effectiveness is Ineffective and the state of the test is Closed Complete.

4) Manually to document audit observations, the intention of remediations, or to accept any problems.

Remediating an issue marks an intention to fix the underlying issue causing the control failure or risk exposure. Accepting an Issue marks an intention to create an exception for a known control failure or risk. Controls that are "Accepted" remain in a non-compliant state until the control is reassessed. In both of these cases, the Issue can be used to document observations during audits.

Q. It sounds like UCF is probably the best approach to our control assessment and attestation process. Most recently, executives here want to ensure we are "NYDFS compliant" - the latest buzz-phrase. Same for HIPAA, etc. ...and it has always been like this. What is the best way for me to assure them that UCF is the best way to achieve this goal and not be chasing standards and regulations one-by-one?

A.   With ServiceNow GRC and UCF you can follow an "assess once, apply to many" type of model whereby you can select the authority documents of interest to you and the policies/controls that are pertinent to your choices are automatically generated. You only need to validate compliance for these controls to cover the standards and regulations of interest to you. Most authority documents and frameworks have a great deal of commonality between them, while they also have controls that are exclusive. UCF does a nice job of aggregating the common controls along with the exclusive controls for the standards and regulations. This obviates the need (and eliminates the pains) of addressing authority documents one-by-one.

Q. How updated is the UCF? As an example, do they have NIST 800-171 rev.1 ready to go?

A.   In Fuji/Geneva, UCF would deliver quarterly updates, and customers would select the authority documents that they wanted to download through ServiceNow.

Helsinki onwards, the CCH should always be up to date, and customers can pick the authority documents they want using a CCH shared list and download that shared list in ServiceNow.

Here is a list of Authority Documents from UCF site:

http://ucf.unifiedcompliance.com/ADs.html

Q. What are the requirements to pass that certification that will allow you to add your specific control to your UCF View?

A.   The UCF administrator downloads shared lists from the UCF Common Controls Hub.

Role required: sn_comp_ucf_admin

To configure OAuth settings, the UCF administrator needs the OAuth admin role.

To download UCF authority documents, the list must be marked as Shared.

Q. Did I understand correctly - I can map my policy statements (and standards) to UCF controls, thereby enabling an evaluation of our compliance to our policies and standards?

A.   Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology between UCF and the GRC applications differs slightly: UCF controls are mapped to Policy Statements in the GRC application.

Q. Initially you mentioned you have taken an asset-centric approach. Do all the controls need to be manually defined, or does the ServiceNow framework assign default controls based on asset classes on which we can pile further?

A.   The controls (policy statements) do need to be manually defined or imported from some common control framework. But once you have those policy statements in place, you can create profile types based on your asset classes (e.g. all Linux servers), associate them with your policy statement, and ServiceNow will create an individual control for each asset.
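The generation step described in the two profile-type answers above and in this one, as an added example that is not part of the webinar transcript and is not ServiceNow code: a constructed CMDB table, two hypothetical profile types (dynamic categories with a condition over the table) and two hypothetical policy statements. Assigning a profile type to a policy statement yields one control per matching profile, which is where the "unmanageable" control counts come from; a profile matched by two profile types on the same statement still gets a single control.

```python
"""Profile types turning policy statements into per-profile controls.

Added illustration, not ServiceNow code. The CMDB rows, profile types and
policy statements below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class PolicyStatement:
    number: str
    text: str
    profile_types: Tuple[str, ...]  # names of the profile types assigned to it


@dataclass(frozen=True)
class ProfileType:
    name: str
    table: str                         # CMDB table the dynamic category reads
    condition: Callable[[dict], bool]  # rows meeting this become profiles


# Constructed sample CMDB rows (hypothetical hosts).
CMDB: Dict[str, List[dict]] = {
    "cmdb_ci_server": [
        {"name": "web01", "os": "Linux",   "env": "prod"},
        {"name": "web02", "os": "Linux",   "env": "prod"},
        {"name": "db01",  "os": "Linux",   "env": "prod"},
        {"name": "ad01",  "os": "Windows", "env": "prod"},
        {"name": "dev01", "os": "Linux",   "env": "dev"},
    ],
}

# Hypothetical profile types: a name, a source table and a filter condition.
PROFILE_TYPES: Dict[str, ProfileType] = {
    "Linux servers": ProfileType("Linux servers", "cmdb_ci_server",
                                 lambda ci: ci["os"] == "Linux"),
    "Production servers": ProfileType("Production servers", "cmdb_ci_server",
                                      lambda ci: ci["env"] == "prod"),
}

# Hypothetical policy statements (UCF would call these common controls).
STATEMENTS: List[PolicyStatement] = [
    PolicyStatement("PS-1", "Apply OS security patches within 30 days of release",
                    ("Linux servers",)),
    PolicyStatement("PS-2", "Review privileged accounts quarterly",
                    ("Linux servers", "Production servers")),
]


def profiles_for(pt: ProfileType, cmdb: Dict[str, List[dict]] = CMDB) -> List[str]:
    """The dynamic category: every CI in the table that meets the condition."""
    return [ci["name"] for ci in cmdb[pt.table] if pt.condition(ci)]


def generate_controls(statements: List[PolicyStatement],
                      profile_types: Dict[str, ProfileType] = PROFILE_TYPES,
                      cmdb: Dict[str, List[dict]] = CMDB) -> Dict[Tuple[str, str], dict]:
    """One control per (policy statement, profile) pair, created in Draft.

    A profile that matches two profile types on the same statement is keyed
    once, so it does not get a duplicate control."""
    controls: Dict[Tuple[str, str], dict] = {}
    for ps in statements:
        for pt_name in ps.profile_types:
            for profile in profiles_for(profile_types[pt_name], cmdb):
                key = (ps.number, profile)
                if key not in controls:
                    controls[key] = {"policy_statement": ps.text,
                                     "profile": profile, "state": "draft"}
    return controls


def controls_per_statement(controls: Dict[Tuple[str, str], dict]) -> Dict[str, int]:
    """How many controls each statement fanned out into."""
    counts: Dict[str, int] = {}
    for ps_number, _profile in controls:
        counts[ps_number] = counts.get(ps_number, 0) + 1
    return counts


def control_count(statements: List[PolicyStatement] = STATEMENTS) -> int:
    return len(generate_controls(statements))


if __name__ == "__main__":
    generated = generate_controls(STATEMENTS)
    for (ps_number, profile), ctl in sorted(generated.items()):
        print(f"{ps_number} x {profile:6} -> {ctl['state']}")
    print(controls_per_statement(generated), "total:", len(generated))
```

Two statements against five hosts already produce nine controls here; the lever for keeping the count bounded is the profile-type condition (or splitting a broad statement), since PS-2 alone fans out to five controls because its two profile types together match every production or Linux host.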

Q. When will UCF finally provide NERC CIP frameworks?

A.   Yes, UCF supports NERC CIP-003-3.

Q. Say you have remediated the out-of-compliance control ID and retest it to check whether it is in compliance. Does it automatically fill in these details for Audit? How does Audit work in correlation with the compliance module?

A.   If you remediate a control, the control will be shown as compliant in the engagement. Audit works very closely with Policy and Compliance; you'll want to have controls, indicators, and control tests in place at minimum to take advantage of the capabilities that Audit offers.

Q. This is great, but the control count is overwhelming when trying to set priorities. For example, you mentioned about 10K controls (I assume these 3K are focusing on operations and environment). Where does prioritization come in? For example, I know that implementing the CIS 20 (formerly SANS 20) can reduce my breach risk by over 90%. Any advice is appreciated.

A.   One doesn't have to use all the controls in the UCF. You only need to pick the authority document, framework or best practice of your choice and the pertinent controls will be generated. Think of the UCF as a "universal set" of controls that span multiple authority documents and frameworks. UCF supports CIS benchmarks. So all you need to do is select the appropriate CIS benchmark in GRC via UCF to validate compliance for UCF.

Q. How can it import data from Archer? Or exchange data?

A.   The ServiceNow platform has extensive capabilities for integrating with systems using Web Services. See our documentation on inbound and outbound web services here: https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/integrate/web-services/referenc...

Q. Do I need a specific subscription for using UCF Mapper? Will the documents that I map be available to everyone?

A.   Users with a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH), can download content from the UCF-CCH for use as GRC authority documents, citations, controls, and policy statements. Users must have a UCF-CCH account to create shared lists and import them into ServiceNow.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator. The UCF integration is an OAuth-based integration requiring a user's CCH Client ID and Client Secret.

The shared lists you create in UCF will only be available to members of your organization. They will not be shared unless you desire to specifically "publish" a UCF Saved List.

Q. What is the best way for an organization to determine which compliance control lists to utilize?

A.   It is dependent upon the authority documents selected. The authority documents are based on which standards you are required to adhere to.

Q. Is there functionality in the ServiceNow GRC to conduct control self assessments - to determine if a control owner will say that the control is implemented according to company requirements?

A.   Yes. Attestations are surveys that gather evidence to prove that a control is implemented. If the control's attestation field and respondents field are set, then when a control moves from the Draft state to the Attest state, a notification is sent to the attestation respondents to take the assessment. The control owner is added by default to this respondents field, so the control owner can perform a self-assessment.

Q. Does the UCF include control policies or controls for ISO/IEC 62443 Cyber Security for Industrial Automation and Control Systems?

A.   Here is a list of Authority Documents supported by UCF:

http://ucf.unifiedcompliance.com/ADs.html

Once Network Frontiers/UCF adds any authority document to the common controls hub, it is available through their API.

Q. Do controls map back to operations (CIs, incidents, etc.)?

A.   Yes. Typically, controls would map to CIs through the profile, and they would map to incidents, change management etc. via indicators.

Q. How can we confirm we are entitled to use this as an existing customer?

A.   ServiceNow Customer Support can confirm whether you're entitled or not. In general, if you know that you purchased GRC prior to 11/30/2016, chances are you're entitled for using the UCF for the period of December 1, 2016 through November 30, 2018.

Q. Audit Management in GRC: how is evidence provided and maintained within GRC? How is task management implemented through the existing ITSM ServiceNow?

A.   Evidence is provided in multiple ways. One is through indicator results, which are automatically associated with an engagement based on the audit period dates. The next way is through control testing. The other way is through various audit tasks: walkthroughs, interviews, and activities. Each of these capture some information pertaining to the audit.

Q. My company is migrating to ServiceNow for Help Desk and CMDB. How does the ServiceNow GRC tool integrate with those other functional areas?

A.   GRC profiles are generated from CMDB tables and the profiles are mapped with CIs, so there is a close integration between GRC and CMDB or other ITSM components.

Q. How can a common control be defined? I mean, by what means can we determine that a control can be a common control?

A.   As it relates to the UCF, a common control is simply a control that when compliant can "cover" multiple citations across multiple authority documents. For example, many regulations require that an organization has a change management process in place. So a control like "Manage the change management process" may help you to meet the multiple citations across multiple authority documents. UCF offers a library of "shared" controls which they have mapped to multiple Authority Documents to reduce the number of controls that need to be managed; they've done much of the work for you. You may still want to have your own "common controls". To do that, simply create a Policy Statement, and associate it to all of the Citations which you feel will be covered by that policy statement.
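The "assess once, apply to many" model from the earlier answer, the "universal set" of controls, and the definition of a common control given here, as an added example that is not from the webinar and is not UCF's or ServiceNow's code. The authority documents, citation numbers, control IDs and control text are constructed stand-ins, not UCF's real mapping. It builds the inverse map from a control to the citations it covers, derives the minimum control set for a selection of documents, separates common from exclusive controls, computes the kind of overlap percentage quoted earlier for ISO 27002 against SOX, and reports which citations a set of evidenced controls closes.

```python
"""Common controls across authority documents: comply once, demonstrate to many.

Added illustration, not UCF or ServiceNow code. The documents, citation
numbers, control ids and wording are constructed stand-ins."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed mapping: authority document -> {citation: common control id}.
CITATION_MAP: Dict[str, Dict[str, str]] = {
    "ISO 27002": {"12.1.2": "CC-CHG", "9.2.3": "CC-PRIV",
                  "12.6.1": "CC-PATCH", "13.1.1": "CC-NET"},
    "PCI DSS":   {"6.4": "CC-CHG", "7.1": "CC-PRIV",
                  "6.2": "CC-PATCH", "3.4": "CC-PAN"},
    "HIPAA":     {"164.308(a)(3)": "CC-PRIV", "164.312(e)(1)": "CC-NET",
                  "164.316(b)(1)": "CC-RETAIN"},
}

# Hypothetical control text (the policy statement a GRC user would see).
CONTROL_TEXT: Dict[str, str] = {
    "CC-CHG": "Establish and maintain a change management program",
    "CC-PRIV": "Review privileged access rights on a defined schedule",
    "CC-PATCH": "Apply security patches within a defined timeframe",
    "CC-NET": "Protect data in transit over untrusted networks",
    "CC-PAN": "Render stored cardholder data unreadable",
    "CC-RETAIN": "Retain policy documentation for the mandated period",
}

ALL_DOCS: Tuple[str, ...] = tuple(CITATION_MAP)
CMap = Dict[str, Dict[str, str]]


def coverage(selected: Iterable[str], citation_map: CMap = CITATION_MAP
             ) -> Dict[str, List[Tuple[str, str]]]:
    """Inverse map: control id -> [(authority document, citation), ...]."""
    cov: Dict[str, List[Tuple[str, str]]] = {}
    for ad in selected:
        for citation, control in citation_map[ad].items():
            cov.setdefault(control, []).append((ad, citation))
    return cov


def required_controls(selected: Iterable[str], citation_map: CMap = CITATION_MAP) -> Set[str]:
    """Minimum control set for the selected documents; a shared control counts once."""
    return set(coverage(selected, citation_map))


def common_controls(selected: Iterable[str], citation_map: CMap = CITATION_MAP) -> Set[str]:
    """Controls that, when compliant, cover citations in two or more selected documents."""
    return {ctl for ctl, cites in coverage(selected, citation_map).items()
            if len({ad for ad, _ in cites}) >= 2}


def overlap_percent(a: str, b: str, citation_map: CMap = CITATION_MAP) -> float:
    """Share of a's controls that also satisfy some citation in b (directional)."""
    ca = required_controls([a], citation_map)
    cb = required_controls([b], citation_map)
    return round(100.0 * len(ca & cb) / len(ca), 1)


def citations_closed_by(compliant: Iterable[str], selected: Iterable[str],
                        citation_map: CMap = CITATION_MAP) -> Dict[str, List[str]]:
    """Given controls evidenced as compliant, the citations closed in each document."""
    compliant = set(compliant)
    return {ad: [cit for cit, ctl in citation_map[ad].items() if ctl in compliant]
            for ad in selected}


def summary(selected: Iterable[str] = ALL_DOCS, citation_map: CMap = CITATION_MAP) -> Dict[str, int]:
    """Citations to satisfy versus distinct controls to operate, split common/exclusive."""
    selected = list(selected)
    required = required_controls(selected, citation_map)
    common = common_controls(selected, citation_map)
    return {
        "citations": sum(len(citation_map[ad]) for ad in selected),
        "controls": len(required),
        "common_controls": len(common),
        "exclusive_controls": len(required - common),
    }


if __name__ == "__main__":
    print(summary())
    for ctl, cites in sorted(coverage(ALL_DOCS).items()):
        print(f"{ctl:10} {CONTROL_TEXT[ctl]:55} covers {cites}")
    print("ISO 27002 vs PCI DSS overlap:", overlap_percent("ISO 27002", "PCI DSS"), "%")
```

With these three constructed documents, eleven citations collapse to six controls, four of them common; evidencing CC-PRIV once closes one citation in each document. The overlap figure uses the first document's control set as its denominator, so the ISO-to-PCI and PCI-to-ISO numbers need not agree, which is worth remembering when such percentages are quoted.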

Q. Will external & internal audit requests be able to utilize ServiceNow?

A.   A notion of "external" audit was introduced in the Istanbul release. Users with the "external" auditor role will have access to complete engagements, closed tasks, and any tasks assigned to them.

Q. What if the Catalogue is updated - will what you already integrated be lost or updated when uploading new content/ a new catalogue?

A.   When the content is updated, you can simply download the latest changes from the UCF. Your information will not be lost.

Q. Cobit 5 has been out for a very long time, why in this demo would Cobit 4.1 be displayed instead of the latest version?

A.   We don't have control over what authority documents are provided by the UCF. Once Network Frontiers/UCF maps the COBIT 5 framework and adds it to the common controls hub, it will be available through their API.

Here is a list of Authority Documents from UCF site:

http://ucf.unifiedcompliance.com/ADs.html

Q. Is the content we map proprietary to our organization, or shared with others?

A.   The shared lists you create in UCF will only be available to members of your organization. They will not be shared unless you desire to specifically "publish" a UCF Saved List.

Q. Can we add in custom content if something is not covered by UCF, and if so how?

A.   Yes, you can create your own Authority Documents, Citations and Policies and map them with controls.

Q. How do you remove UCF content we do not want in ServiceNow, i.e. if there is a regulation that does not apply to our company?

A.   You can delete that particular Authority Document from ServiceNow under Policy and Compliance --> Authority Documents.

Q. Can a common control be a common control for different Profiles? I am considering profiles as various customers.

A.   Absolutely. In ServiceNow, a Control (what we call a Policy Statement) can apply to as many profiles as you like. The same is true for individual controls or "common" ones (controls that may cover multiple citations or multiple regulations).

Q. How does the mapper determine controls that are out of compliance?

A.   While you can use the UCF to manage your compliance, by importing UCF controls into ServiceNow you're able to specifically scope which controls are applicable for which target "things" in your organization (using profile types). You can leverage continuous monitoring through indicators, attestations, and issue management as a means of tracking compliance.

Q. You talked about the instances of UCF API for Dev/Test/Prod. Can you state that again? Basically, is an additional API required for each instance we have of SN?

A.   In order to authenticate between ServiceNow and the UCF, the OAuth2 authentication framework is used, which requires that each "endpoint" that's going to use UCF have a Client ID and Client Secret for authentication (for more technical details, see https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2). Once you've created a UCF account, you can contact ServiceNow customer support and inform them of the instances which you'd like to test or use UCF on. Customer support will then provide you with a Client ID and Client Secret for each instance.
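The per-instance credential exchange described in this answer, as an added example that is not from the webinar and is not ServiceNow's or Unified Compliance's code. It assumes the OAuth 2.0 client credentials grant (RFC 6749 section 4.4) with the Client ID and Client Secret presented as HTTP Basic credentials; the grant type, the /oauth/token path, the client registry and the secret values are all hypothetical, and a mock token endpoint on loopback stands in for the CCH authorization server so the exchange runs offline. It shows both sides of the exchange and why the Dev instance's secret cannot obtain a token for the Prod instance's Client ID.

```python
"""OAuth 2.0 client-credentials exchange with one Client ID/Secret per instance.

Added illustration, not ServiceNow or Unified Compliance code. The grant
type, token path, client registry and secret values are hypothetical; a
mock token endpoint on loopback stands in for the CCH authorization server."""
import base64
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Hypothetical registry: one credential pair per ServiceNow instance.
CLIENT_REGISTRY = {
    "sn-dev-client":  {"secret": "dev-secret-0001",  "instance": "acme-dev"},
    "sn-test-client": {"secret": "test-secret-0002", "instance": "acme-test"},
    "sn-prod-client": {"secret": "prod-secret-0003", "instance": "acme-prod"},
}
ISSUED_TOKENS = {}  # access token -> client id it was issued to


class TokenHandler(BaseHTTPRequestHandler):
    """Mock authorization server: client-credentials token endpoint, Basic client auth."""

    def log_message(self, *_args):  # keep the example quiet
        pass

    def do_POST(self):
        if self.path != "/oauth/token":
            return self._reply(404, {"error": "not_found"})
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        if form.get("grant_type") != ["client_credentials"]:
            return self._reply(400, {"error": "unsupported_grant_type"})
        client_id, secret = self._basic_credentials()
        entry = CLIENT_REGISTRY.get(client_id)
        # Constant-time comparison; unknown client id and wrong secret look identical.
        if entry is None or not secrets.compare_digest(entry["secret"].encode(), secret.encode()):
            return self._reply(401, {"error": "invalid_client"})
        token = secrets.token_urlsafe(24)
        ISSUED_TOKENS[token] = client_id
        self._reply(200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600})

    def _basic_credentials(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return "", ""
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return "", ""
        return client_id, secret

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock_token_server():
    server = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/oauth/token"


def fetch_token(token_url, client_id, client_secret):
    """Client side of the exchange: Basic client auth, grant_type in the form body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = Request(token_url, data=urlencode({"grant_type": "client_credentials"}).encode(),
                  headers={"Authorization": f"Basic {basic}",
                           "Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def token_status(token_url, client_id, client_secret):
    """HTTP status of the exchange: 200, or the error status the server returned."""
    try:
        fetch_token(token_url, client_id, client_secret)
        return 200
    except HTTPError as err:
        return err.code


def demo():
    """Prod credentials succeed; the Dev secret presented for the Prod client id does not."""
    server, url = start_mock_token_server()
    try:
        prod = fetch_token(url, "sn-prod-client", "prod-secret-0003")
        return {
            "prod_token": prod,
            "prod_owner": ISSUED_TOKENS[prod["access_token"]],
            "dev_secret_on_prod": token_status(url, "sn-prod-client", "dev-secret-0001"),
            "unknown_client": token_status(url, "no-such-client", "anything"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because every instance holds its own pair, revoking or rotating the Dev secret leaves Test and Prod untouched, and a token is bound to the client that earned it. Keep the secret in the instance's OAuth configuration rather than in scripts, shared lists or tickets, and note that the server's single 401 for both unknown-client and wrong-secret cases is deliberate: it avoids confirming which Client IDs exist.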

Q. So the auto-load creates citations from the authority documents selected? Then through the Mapper (after being trained), we manually create our controls? Or are some controls automatically created? Anything else auto created?

A.   The imported Authority Documents have Citations under them, and each of these Citations has a Policy Statement which, when applied to profiles, will create a control for that profile automatically.

Q. Can we get a list of the authority documents we can select?

A.   Once you log into UCF you will see that list. It keeps updating. But here is a link to the list published on UCF site:

http://ucf.unifiedcompliance.com/ADs.html

Comments

tim_albright
ServiceNow Employee

Man. I wish we had kudos. I heart this post.

Version history
Last update: 05-11-2017 08:29 AM