Category and Type fields for Policy Statements

vijo1
Kilo Contributor

For Policy Statements, what is the scope or definition of the Category and Type fields? In other words, how best can one define values for these fields?

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Vijo,

When I passed my CISSP certification (Certified Information Systems Security Professional), I had to learn those by heart for the exam! 😅

Policy Statements are templates used to automate the creation of Controls, so the following applies to both Policy Statements and Controls.

They are classifications for Controls, based on pseudo-standardised, vendor-neutral definitions. Auditors and CISOs will inquire about your "Preventative Controls" or browse a list of your "Administrative Controls".
Regulations like PCI-DSS (for the credit card industry) or ISO 27001 will require you to classify your controls, and those out-of-the-box fields are very useful for that.

In the out-of-the-box GRC solution they are not used for any automation, but they can still be useful for the business, as non-functional classifications or as triggers for specific workflows. In theory, those fields use a nifty column type, GRC Choice, that allows your Risk and Compliance admins to edit the available values without needing a ServiceNow admin!
Of course, if those fields are not required for your usage, feel free to remove them from the user interface.

Here are a few definitions found when googling for "control types and categories CISSP" images:

[Three attached images: CISSP control type and category definition charts, not reproduced here]


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.


3 REPLIES

Jai21
Mega Expert

Hi Vijo, 

Below is the table:

Category

List of options:

  • Acquisition or sale of facilities, technology, and services
  • Audits and risk management
  • Compliance and Governance Manual of Style
  • Human Resources management
  • Leadership and high level objectives
  • Monitoring and measurement
  • Operational management
  • Physical and environmental protection
  • Privacy protection for information and data
  • Records management
  • System hardening through configuration management
  • Systems continuity
  • Systems design, build, and implementation
  • Technical security
  • Third Party and supply chain oversight
  • Root
  • Deprecated

Classification

List of options:

  • Preventive
  • Corrective
  • Detective

Type

List of options:

  • Acquisition/Sale of Assets or Services
  • Actionable Reports or Measurements
  • Audits and Risk Management
  • Behavior
  • Business Processes
  • Communicate
  • Configuration
  • Data and Information Management
  • Duplicate
  • Establish Roles
  • Establish/Maintain Documentation
  • Human Resources Management
  • Investigate
  • IT Impact Zone
  • Log Management
  • Maintenance
  • Monitor and Evaluate Occurrences
  • Physical and Environmental Protection
  • Process or Activity
  • Records Management
  • Systems Continuity
  • Systems Design, Build, and Implementation
  • Technical Security
  • Testing
  • Training

For full information:

https://docs.servicenow.com/bundle/kingston-governance-risk-compliance/page/product/grc-policy-and-compliance/reference/r_PoliciesAndProcedures.html#ariaid-title7

Best
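An added example, not part of this thread or of ServiceNow's own code, tying together the two replies above: it encodes the Category, Classification and Type choice lists quoted by Jai21 and produces the per-Classification summary that Shiva describes auditors asking for. The records are constructed sample data; in a real instance they would be read from the GRC tables with GlideRecord, and the choice values would be maintained through the GRC Choice column Shiva mentions. Note that values must match the choice labels exactly (the Classification choice is spelled "Preventive"), and that "Root", "Deprecated" and "Duplicate" are valid choices that are nonetheless worth flagging before an audit.

```javascript
// Added example (not from the original thread or ServiceNow): validate the
// Category / Classification / Type values on Policy Statement or Control
// records against the choice lists quoted in the thread, and group the valid
// records by Classification for an auditor-style summary.

const CHOICES = {
  category: new Set([
    "Acquisition or sale of facilities, technology, and services",
    "Audits and risk management", "Compliance and Governance Manual of Style",
    "Human Resources management", "Leadership and high level objectives",
    "Monitoring and measurement", "Operational management",
    "Physical and environmental protection",
    "Privacy protection for information and data", "Records management",
    "System hardening through configuration management", "Systems continuity",
    "Systems design, build, and implementation", "Technical security",
    "Third Party and supply chain oversight", "Root", "Deprecated",
  ]),
  classification: new Set(["Preventive", "Corrective", "Detective"]),
  type: new Set([
    "Acquisition/Sale of Assets or Services", "Actionable Reports or Measurements",
    "Audits and Risk Management", "Behavior", "Business Processes", "Communicate",
    "Configuration", "Data and Information Management", "Duplicate",
    "Establish Roles", "Establish/Maintain Documentation",
    "Human Resources Management", "Investigate", "IT Impact Zone",
    "Log Management", "Maintenance", "Monitor and Evaluate Occurrences",
    "Physical and Environmental Protection", "Process or Activity",
    "Records Management", "Systems Continuity",
    "Systems Design, Build, and Implementation", "Technical Security",
    "Testing", "Training",
  ]),
};

// Valid choices that are placeholders rather than real classifications.
const REVIEW_VALUES = {
  category: new Set(["Root", "Deprecated"]),
  type: new Set(["Duplicate"]),
};

// Returns a list of problems for one record (empty list means it is clean).
function validateRecord(rec) {
  const problems = [];
  for (const field of ["category", "classification", "type"]) {
    const value = rec[field];
    if (value === undefined || value === null || value === "") {
      problems.push(`${field}: empty`);
    } else if (!CHOICES[field].has(value)) {
      problems.push(`${field}: "${value}" is not an allowed choice`);
    } else if (REVIEW_VALUES[field] && REVIEW_VALUES[field].has(value)) {
      problems.push(`${field}: "${value}" is a placeholder value, review before audit`);
    }
  }
  return problems;
}

// Maps each record name to its problems; clean records are omitted.
function runChecks(records) {
  const findings = {};
  for (const rec of records) {
    const problems = validateRecord(rec);
    if (problems.length > 0) findings[rec.name] = problems;
  }
  return findings;
}

// Groups record names under each Classification, as an auditor would ask
// ("list your Preventive controls"); records with an invalid value are skipped.
function summarizeByClassification(records) {
  const summary = {};
  for (const c of CHOICES.classification) summary[c] = [];
  for (const rec of records) {
    if (CHOICES.classification.has(rec.classification)) {
      summary[rec.classification].push(rec.name);
    }
  }
  return summary;
}

// Constructed sample records (hypothetical, not real policy statements).
const SAMPLE_RECORDS = [
  { name: "Badge access to data center", category: "Physical and environmental protection",
    classification: "Preventive", type: "Physical and Environmental Protection" },
  { name: "Quarterly log review", category: "Monitoring and measurement",
    classification: "Detective", type: "Log Management" },
  { name: "Restore from backup", category: "Systems continuity",
    classification: "Corrective", type: "Systems Continuity" },
  // Misspelled classification and a deprecated category: both should be flagged.
  { name: "Legacy antivirus policy", category: "Deprecated",
    classification: "Preventative", type: "Configuration" },
  // Empty classification and a placeholder type.
  { name: "Unclassified statement", category: "Technical security",
    classification: "", type: "Duplicate" },
];

console.log(JSON.stringify(runChecks(SAMPLE_RECORDS), null, 2));
console.log(JSON.stringify(summarizeByClassification(SAMPLE_RECORDS), null, 2));
```

Running it flags the two defective sample records and lists one control under each of Preventive, Detective and Corrective; the same check can be run as a scheduled script against the GRC tables to catch drift in these fields before an audit.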

vijo1
Kilo Contributor

Thanks, Jai
