authority document/citations/control

cbryant · ‎05-04-2017

If I make the citation a different type (oe even a policy), is that just a string value and really has no value as a control in GRC?

myee · ‎07-11-2017

A Citation is a unique record different from an authority document or control. Citations are a specific subset of an authority and usually focuses on a specific theme or element of the Authority Document. The Control is a specific implementation to manage activities for the Policy, Authority Document, or Citation. Each one of these GRC object types are separate records and are not string values.

cbryant · ‎07-11-2017

if you reference the UCF subscription, each citation record is actually a control from the authority document; additionally, you can identify a citation as a control, but it has no value. The only value I have seen is to reference to a string value that is associated as a control and used to crosswalk different controls from frameworks. I do not think the design has thought about the industry standards and that everything in an UCF subscription is provided for free and 100% accurate (unlike UCF). The data is provided for free from the author and either in CSV or XML format already (and in theory ready for import) without a subscription.

myee · ‎07-11-2017

Chris,

I think I'm following you now. Are you referring to the Type field where you can change the type of the Citation:

If that's the case, yes this is really a label and doesn't provide any referential links to other GRC objects. Tbh, I've never used this field and ignore it. If you look at the docs page:

https://docs.servicenow.com/bundle/helsinki-it-business-management/page/product/grc-policy-and-compliance/task/t_CreateCitations.html

You'll see that SN says its an optional field and not used for processing. To your original post, just a label and doesn't inherently add any value.