What is the GRC Entity Framework and how does it work?

Verity · ‎07-11-2022

Having the right Entity Framework in place is a critical step in setting up the risk and control framework in ServiceNow. This article will cover what entities are, why they are important and how they work in ServiceNow.

What it is

The entity framework consists of people, places, objects, or things that need to be monitored to manage risks, track control compliance and review as part of audit engagements. The entity framework makes up the foundation data of the GRC / IRM solution alongside policies, control objectives, risk statements and risk frameworks.

Examples of entities include:

- Departments such as Finance, Human Resources
- Business processes such as accounts payable, manufacturing operations
- IT assets such as LINUX server, Windows application
- Business services such as payments, digital banking

Why is it important

A mature, robust entity framework helps an organization create an integrated risk management program with automatic workflows and informed, data driven decision-making.
It is important that when scoping entities, high-quality and reliable data is used to create well-defined libraries (departments, processes, assets etc.) with clear relationships between them. Centralized libraries create consistent language and terminology when managing risk and compliance across the organization.
The level of granularity should be considered at the beginning of the entity scoping process, ensuring the organizational structure is available at the right level for risk and compliance activities. This will allow organizations to produce meaningful reporting and realize the full value of their ServiceNow investment.

How it works in ServiceNow

ServiceNow uses multiple entity framework components to build and organize people, places, objects or things that need to be monitored for risk and compliance.

These include:

- Entity
- Entity Type
- Entity Class
- Entity Class Rule
- Entity Tier

	Entity	Entity Type	Entity Class	Entity Class Rule	Entity Tier
What is it?	Entities are people, places, objects or things that are tracked for GRC activities such as managing risks and tracking control compliance etc.	Entity types are dynamic categories containing one or more entities of a similar type that match conditions against tables within ServiceNow.	An entity class is a tag for entities and allows GRC managers to distinguish between entities, add business context and organize for reporting.	A rule that maps what class should be assigned to the entity when created from a specific table within ServiceNow.	An entity tier assigns a level to the entity class hierarchy.
How does it work?	Created automatically from entity types or manually. Mapped to control objectives and risk statements to create risk and control instances. Can be associated to multiple entity types but only one entity class.	Creates entities using entity filters. Mapped to control objectives and risk statements to create risk and control instances automatically for all associated entities in bulk.	Tags entities across multiple entity types. Can be tagged to individual entities manually. Can be associated with entity tier.	Define the table name and entity class to be associated. When an entity is created for a specific table, the class is associated with that table automatically gets assigned to the entity.	A tier can be associated to several classes. N.B. This is specific to the entity class hierarchy (not entity hierarchy).
Optional / Mandatory	Mandatory to associate risks and controls in ServiceNow.	Optional but highly recommended.	Mandatory* *from San Diego release	Optional but recommended (create entity class and entity class rules before entity types)	Optional
Examples	Finance (department), ServiceNow (business application)	Critical IT Assets, All IT Assets	Department, Business Application, Business Service	Table = cmn_location Class = Location	Business Tier 1, Application Tier 2, IT Asset Tier 3

Which one should be setup first?

Pre-requisite: Compile all known external regulations, internal policies, control objectives and risk statements. Review them to understand the scope of your risk and compliance activities and how to group entities to support those activities for example being subject to SOX regulations, you are likely to require a list of SOX Business Applications which can be captured as an entity type = SOX Business Applications.

Upload quality, ‘single source of the truth’ data into the ServiceNow tables (see below) e.g. departments, business applications, etc. Avoid creating standalone data, this will save time later in reconciling data to other areas.
Create Entity Tiers to build the levels within the entity class hierarchy (optional)
Create Entity Classes to distinguish entities and organize them for reporting and associate to entity tiers if created.
Create Entity Class Rules to map tables to entity classes for automatic assignment of entities to entity classes
Create Entity Types with Entity Filters to create entities as well as automatically create risk and control instances in bulk for similar entities e.g. critical IT assets
Create additional Entities that do not require an entity type

Top tip: Use the GRC Workbench for drag and drop interface to build and manage entity class hierarchy

Example ServiceNow Tables:

Table name	Table Label	Table Description
core_company	Company	Company details
sys_user	Users	List of users in the organization
business_unit	Business Unit	Business units within the organization
cmn_department	Department	All departments
cmn_location	Location	Includes location data such as; Region, Country, State, City, Site, Building/Structure, Floor, Room
cmdb_ci_business_app	Business Application	A purchased or internally developed application.
cmdb_ci_business_process	Business Process	A process that is owned and carried out by the business and contributes to the delivery of a product or business service.
cmdb_ci_service	Business Service	IT Service that directly supports a Business Process (ITIL).
cmdb_ci_datacenter	Data Center	Facility used to house computer systems and associated components, such as telecommunications and storage systems.

Mike Spano · ‎08-03-2022

SUPER helpful. Thank you, Verity!!

Zind · ‎03-20-2023

I will like to connect with someone to get more examples. My organization just starting updating the cmdb tables. I read that creating entities outside the cmdb tables is not recommended. However, the cmdb tables are not mature yet and audits are still going.

Thanks

Nick T · ‎06-07-2023

In our case we have an Entity Framework that is drawn from the organisations' CMDB. However this information does not include all the relationships that we need within GRC e.g. we would like to map a group of business services (entities) to the 'On Premise' Entity Type and then for this to be mapped to a 'Data Centre' Entity Class. None of these relationships currently exist within the CMDB.

If we create these relationships within GRC for risk & control purposes only, do we create any problems for ourselves e.g. synching with CMDB because those relationships do not exist within CMDB?

Lee Childs · ‎06-07-2023

@Zind The entity structure can be what ever you need it to be to represent your organisation . In many organisations going down to the server or application is simply unworkable due to the numbers of controls and risks and impractical because in reality one team may manage many servers. The real question is how do you want to report and manage your risk and show your compliance. Is that by department , business unit , business capability / process ? Many of these are in the CMDB or more accurately in the CSDM model and the foundational data. The CMDB is a great place to start if the data is in a good state but not essential to provide value to the organisation.

I hope this helps.

John_Q · ‎06-07-2023

@Zind did you get the support you needed? Were you able to locate a resource to talk through your specific situation? If not let me know what organization you are with and we can find the Service Account Executive to help us find some resources to assist you.

@Nick T the relationships you make in the entities table in Risk do not feed back into the CMDB unless you build that return information. Also, Entity Type is used for automation, so when a new business service is added in the CMDB then through an entity filter the entity is auto generated in Risk and workflow is triggered for owners to relate risks and controls. Once it is in Risk you can assign it to an Entity Class, also by using an entity filter or manually but the main purpose of entity class is create reporting and workspace groupings for aggregation of information. There is no problem with making the relationships in Risk as long as you are not expecting the relationships to be visible through the CMDB or anywhere else that the business services data is used.

Also, I agree with Lee. A mature CMDB is not necessary to demonstrate value that is why entities can be established manually in Risk while the organization matures. Once it is ready to develop a mature CMDB through a CSDM with ITOM, ITAM, HR, and other employee workflows then the data can be reformatted to be pointed to the updated data model. This is a transformation question that we see often with customers and we develop implementation roadmaps to help them visualize how this transformation will take place.

Connor Levien · ‎10-25-2023

There is more guidance on the Entity structure now in one of the most recent posts with some prescriptive guidance on how to configure an entity structure. See the below blog post

https://www.servicenow.com/community/grc-articles/risk-management-prescriptive-guidance/ta-p/2710426