Best Practice for Adding in Citations

kryon
Tera Contributor

We are relatively new to the IRM Module. What's the best practice for adding CCPA Citations into the IRM Module? We use the Secure Control Framework controls as our Control Objectives in the IRM tool. One control may be mapped to CCPA 7002(b) but another control may be mapped to 7002b5 and another may be mapped to 7002b4, etc.
1. Do you create individual Citation records for all of 7002b OR individual records for each 7002b, 7002a, 7002b, 7002b1, 7002b2, 7002b3, etc.?
2. If you do not create individual records, how do you link the Control Objective to 7002b4 and not all of 7002b?

 

thanks,

1 ACCEPTED SOLUTION

I understand exactly what you’re working with now. Your setup sounds solid. SCF controls as Control Objectives mapping to multiple CCPA Citations is exactly how the tool is designed to work, so you’re on the right track.


To answer your actual question about citation granularity: go granular now and create individual Citation records for each sub-section (7002(b)(4) and 7002(b)(5) as separate records rather than just 7002(b) as a parent).


Here’s why:
It’s much easier to roll up granular citations than to split a parent record after the fact. When your CCPA audit does come, auditors typically want to see specific sub-section coverage mapped to your controls, not just top-level parent citations. Having the granularity built in from the start means you can show exactly which control addresses exactly which requirement without scrambling to restructure mid-audit prep.


Citation records in ServiceNow are lightweight, so don’t worry about volume. Build it at the sub-section level, link them all to your SCF Control Objectives, and you’ll be in a much stronger position when that first audit comes around.


Happy to go deeper if you hit any snags during the build-out.

6 REPLIES

SohamTipnis
Kilo Sage

Hi @JadaP,

 

I guess this document will do; kindly go through it:

 

https://www.servicenow.com/docs/r/impact/accelerator-and-initiative-list/IRM-maturity-assessment.htm...

 

If you find my answer useful, please mark it as Helpful and Correct ‌😊


Regards,
Soham Tipnis
ServiceNow Developer ||  Technical Consultant
LinkedIn: www.linkedin.com/in/sohamtipnis10