
Best Practice for Adding in Citations

kryon
Tera Contributor

We are relatively new to the IRM Module. What's the best practice for adding CCPA Citations into the IRM Module? We use the Secure Control Framework controls as our Control Objectives in the IRM tool. One control may be mapped to CCPA 7002(b) but another control may be mapped to 7002b5 and another may be mapped to 7002b4 etc.
1. Do you create individual Citation records for all of 7002b OR individual records for each 7002b, 7002a, 7002b, 7002b1, 7002b2, 7002b3 etc...
2. If you do not create individual records, how do you link the Control Objective to 7002b4 and not all of 7002b?

 

thanks,

1 ACCEPTED SOLUTION

I understand exactly what you're working with now; your setup sounds solid. SCF controls as Control Objectives mapping to multiple CCPA Citations is exactly how the tool is designed to work, so you're on the right track.


To answer your actual question about citation granularity: go granular now and create individual Citation records for each sub-section (7002(b)(4) and 7002(b)(5) as separate records rather than just 7002(b) as a parent).


Here’s why:
It’s much easier to roll up granular citations than to split a parent record after the fact. When your CCPA audit does come, auditors typically want to see specific sub-section coverage mapped to your controls, not just top-level parent citations. Having the granularity built in from the start means you can show exactly which control addresses exactly which requirement without scrambling to restructure mid-audit prep.


Citation records in ServiceNow are lightweight, so don’t worry about volume. Build it at the sub-section level, link them all to your SCF Control Objectives, and you’ll be in a much stronger position when that first audit comes around.


Happy to go deeper if you hit any snags during the build-out.


6 REPLIES

SohamTipnis
Kilo Sage

Hi @kryon,

 

Can you please explain your requirement in a more detailed way?

 

If you find my answer useful, please mark it as Helpful and Correct 😊


Regards,
Soham Tipnis
ServiceNow Developer || Technical Consultant
LinkedIn: www.linkedin.com/in/sohamtipnis10

We have many Control Objectives (COs) in the IRM Module that do not apply to our company. Those COs are mapped to many cybersecurity frameworks (like ISO 27002, PCI DSS, CCPA, GDPR, etc.). I've provided a snip of the SCF that shows parts of CCPA 7004 apply to different COs, so what is best practice?
1. Should we have one CCPA record in the IRM Module for CCPA 7004, or
2. Should we have 5 records for CCPA 7004a1, 7004a2, 7004a3, 7004a4, and 7004a5?

If we only have one record for all of 7004, how are we supposed to know, when looking at (from the snip) Control Objective PRI-02 for example, that it only maps to 7004a1 and not all of 7004?  We THINK we should have individual records for the 7004 pieces, but is that best practice? 

JadaP
Tera Expert

Hi there,

 

I want to make sure we're on the same page about how ServiceNow IRM structures compliance data, because I think there might be some confusion about where your SCF spreadsheet fits.

 

ServiceNow IRM hierarchy:

  1. Authority Document = CCPA (the regulation itself)
  2. Citations = CCPA sections like 7002(b)(5), 7003(a), 7004(a)(1)
  3. Control Objectives = YOUR organization's specific objectives (written in your language, tied to your policies)
  4. Controls = instances of those objectives assigned to your entities

The key point: Control Objectives need to be specific to YOUR organization - what YOU are actually doing to meet CCPA.

 

For example:

  • CCPA Citation 7002(b)(5): "Make data privacy notice available to individuals..." (regulatory language)
  • Your Control Objective: "Display privacy notice on customer portal homepage and account creation page" (your specific implementation)
  • SCF PRI-02: "Mechanisms exist to make data privacy notice(s) available..." (framework reference language)

Your SCF spreadsheet shows framework-to-regulation mapping, not your organization's Control Objectives.

 

So my questions to help you:

 

  1. Have you written your organization's Control Objectives yet? Or are you planning to use SCF descriptions as-is?
  2. How do you want to structure this?
    • Option A: Create your own Control Objectives → map to CCPA Citations → use SCF as reference
    • Option B: Use SCF descriptions as your Control Objectives → map to CCPA Citations
    • Option C: Something else
  3. What does your auditor expect to navigate? When they review CCPA compliance, do they:
    • Start with CCPA citations and trace to YOUR controls?
    • Review YOUR entity/control testing and trace back to CCPA?

Why this matters:

 

Auditors want to see what YOUR organization is doing - your processes, your controls on your systems. SCF is helpful as a starting point, but ServiceNow needs YOUR organization-specific Control Objectives assigned to YOUR entities.

 

Control Objectives roll up to the Citations that auditors trace. That's why they need to be organization-specific, not generic framework language.

 

Can you clarify where you are in this process? That'll help me give you a specific approach.
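The hierarchy JadaP lays out (Citations under an Authority Document, Control Objectives linked to them) and the accepted answer's point that granular citations roll up easily but a parent record cannot be split later can both be checked with a small in-memory model. This is an added example, not ServiceNow code or an IRM API: the registry class stands in for the Citation table (no GlideRecord), and the SCF control ids and citation mappings are constructed for illustration, not taken from an SCF export.

```python
import re
from collections import defaultdict

def citation_path(ref):
    """Normalize loose references: '7002(b)(4)' and '7002b4' both give ('7002', 'b', '4')."""
    return tuple(re.findall(r"\d+|[a-z]+", ref.lower()))
def citation_id(path):
    """Render a path the way a granular Citation record would be named, e.g. '7002(b)(4)'."""
    return path[0] + "".join(f"({p})" for p in path[1:])
class CitationRegistry:
    """Constructed stand-in for the Citation table: one record per sub-section,
    each pointing at its parent, plus the Control Objective links (no GlideRecord)."""
    def __init__(self):
        self.parent = {}                  # citation id -> parent id (None for a top-level section)
        self.controls = defaultdict(set)  # citation id -> Control Objective ids linked directly

    def ensure(self, ref):
        """Create the record for ref and every ancestor: 7002(b)(4) also yields 7002 and 7002(b)."""
        path = citation_path(ref)
        for depth in range(1, len(path) + 1):
            parent = citation_id(path[:depth - 1]) if depth > 1 else None
            self.parent.setdefault(citation_id(path[:depth]), parent)
        return citation_id(path)

    def link(self, control_objective, ref):
        self.controls[self.ensure(ref)].add(control_objective)
    def descendants(self, ref):
        cid = citation_id(citation_path(ref))
        return [c for c in self.parent if c == cid or c.startswith(cid + "(")]
    def controls_for(self, ref, rollup=False):
        """Direct links only, or with rollup=True everything mapped anywhere under the section."""
        ids = self.descendants(ref) if rollup else [citation_id(citation_path(ref))]
        return set().union(*(self.controls.get(c, set()) for c in ids))

    def unmapped(self, ref):
        """Leaf sub-sections under ref that no Control Objective addresses: the audit gap list."""
        parents = set(self.parent.values())
        return sorted(c for c in self.descendants(ref) if c not in parents and not self.controls.get(c))
# Constructed sample shaped like the SCF crosswalk in the thread (SCF control id -> CCPA citation).
SAMPLE_MAPPINGS = [("PRI-02", "7004(a)(1)"), ("PRI-05", "7004a2"), ("PRI-05", "7004(a)(3)"),
                   ("PRI-01", "7002(b)"), ("GOV-03", "7002b4")]

def build_registry(mappings=SAMPLE_MAPPINGS):
    reg = CitationRegistry()
    for sub in ("7004(a)(1)", "7004(a)(2)", "7004(a)(3)", "7004(a)(4)", "7004(a)(5)"):
        reg.ensure(sub)  # load the whole section from the regulation first, mapped or not
    for control, ref in mappings:
        reg.link(control, ref)
    return reg
```

With the records kept at sub-section level, `controls_for("7004(a)(1)")` answers "which control addresses exactly this requirement" while `controls_for("7004", rollup=True)` gives the parent-level view an auditor may also ask for, and `unmapped("7004")` lists the sub-sections no control covers yet.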

kryon
Tera Contributor

We use Option B: the SCF Control, SCF number and SCF Description make up our Control Objectives. As shown in the snip I provided above, PRI-02 Data Privacy Notice and its Control Description is one of our Control Objectives. They map to CCPA Citations. We have not been audited for CCPA yet so I'm not sure what or how they'll expect to navigate.