07-11-2019 04:01 AM
Hi All,
I am still in the learning phase of the GRC module. Please help me understand or clarify the below:
Controls have attestations and indicators. Based on the attestation response, controls are marked either compliant or non-compliant.
Similarly, risks have assessments and indicators. Risks can in turn be mapped to controls. Risk assessments calculate the risk score.
Policy and Compliance -
Q1. Where does the indicator come in or fit in the control life cycle? Or can it run at any time: draft, review, monitor, etc.? Options are available to run yearly, monthly, etc. Should the control not be retired at the end of its life cycle?
Q2. Is the control status also controlled by the indicator result, passed (control compliant) or failed (control non-compliant)?
I do not see any change even if the indicator fails or passes. The control status remains the same. Is the indicator just an add-on for more information?
Q3. Can a control have both attestation and indicators? Attestation, I see, is a mandatory stage in the control lifecycle.
Q4. In the control indicator with method Basic, the Passed/Failed field never changes, even after execution when the indicator result is updated. Only the "Last result passed" checkbox is checked or unchecked according to the indicator result.
Q5. The control lifecycle ends at Retired. What if a recurring compliance check needs to be done for the profile with the same set of policy statements, say once a quarter? Should we recreate everything and start all over from the beginning? Is my understanding correct?
Risk Management -
Q1. Based on the risk assessments the risk scores are generated, and the risks need to be reviewed and monitored. Again here, where does the indicator place itself, at what stage of the lifecycle?
Q2. If indicators fail, indicator tasks and an issue on the risk are created. But the control status associated with the risk does not change.
Thanks in Advance
Anitha
Labels: Policy and Compliance Management

07-15-2019 11:46 AM
Anitha,
Happy to provide a few answers for you.
P&C:
1. Indicators are not a mandatory aspect of any given control. They can be leveraged to monitor a control in between attestation periods and therefore should be used during the Monitor phase of a control.
2. You should see the status change, as failed indicator results can change a compliant control to non-compliant.
3. Yes, an attestation can be part of a regularly scheduled process within an organization. It can also be launched ad hoc based on an issue or for any other reason. Indicators can be automated or manual and can be leveraged to verify on a continuous basis that the control is performing as it should.
4. The Basic type of indicator is used to query other tables within ServiceNow. Let's say, for example, you're looking at TableA to see if there are any records in that table that match the name of the control you're currently looking at. The question then becomes: what next? If you do find results, is that a good or a bad thing? The Passed/Failed field is used to determine whether the indicator should pass or fail if results are found, based on what type of search/query you're creating. You might want results in some cases, and therefore it should pass; in other cases, if you find any results then that's not a good sign, and therefore you can set the Passed/Failed field to Failed.
5. If that's the case then you can "un-retire" the control and set it back to the Attestation phase rather than creating a brand new control. This will show all historical data for the control and is recommended.
Risk:
1. Indicators can be used in the same way control indicators are used. Once a risk has been identified, assessed, and mitigation strategies have been put in place, you can use indicators to track and monitor the performance of that risk in between assessments.
2. Risk status and control status are not linked from Risk to Control, only from Control to Risk. A control that fails will have an impact on a risk, but a risk that materialized does not necessarily mean that the control was not implemented correctly or that it failed.
Hope this helps,
Jorge
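The following is an added worked example, not code from the original post and not ServiceNow's own implementation. It is a stand-alone JavaScript model of the behaviour the answer describes: a Basic indicator is a filter over a table plus a setting that says whether matching rows mean pass or fail; a run updates only the last result, never that setting; a failed indicator during the Monitor phase flips the control to non-compliant and is recorded against every mapped risk; a failed risk indicator opens an issue on the risk but leaves linked controls untouched; and a retired control can be reopened to the attestation phase with its history kept. All table, field and function names (`PRIV_ACCOUNTS`, `MFA_POLICIES`, `failIfResults`, `monitorControl`, and so on) and the sample rows are assumptions constructed for illustration; no ServiceNow APIs are used.

```javascript
// Added example (not ServiceNow code): a stand-alone model of the indicator ->
// control -> risk relationships described in the answer above. All table,
// field and function names are assumptions chosen for illustration.

// Constructed sample tables standing in for the tables a Basic indicator queries.
const PRIV_ACCOUNTS = [
  { user_name: 'svc_backup', privileged: true,  days_since_login: 120 },
  { user_name: 'alice',      privileged: true,  days_since_login: 3 },
  { user_name: 'bob',        privileged: false, days_since_login: 400 },
];
const MFA_POLICIES = [
  { scope: 'admins', enforced: true },
  { scope: 'users',  enforced: false },
];

function makeControl(name) {
  return { name, state: 'monitor', status: 'compliant', indicators: [], risks: [], issues: [] };
}

function makeRisk(name) {
  return { name, status: 'monitor', failedControls: [], issues: [] };
}

// A "Basic" indicator: a filter over a table plus the Passed/Failed setting
// (failIfResults) that says whether matching rows are a finding or evidence.
function makeIndicator(name, table, filter, failIfResults) {
  return { name, table, filter, failIfResults, lastResultPassed: null, runs: [] };
}

// Execute one indicator. Only lastResultPassed and the run history change;
// failIfResults is configuration and is never modified by a run.
function runIndicator(indicator) {
  const matchCount = indicator.table.filter(indicator.filter).length;
  const found = matchCount > 0;
  const passed = indicator.failIfResults ? !found : found;
  indicator.lastResultPassed = passed;
  indicator.runs.push({ passed, matchCount });
  return passed;
}

// Monitor phase: run every indicator on the control and roll the result up.
// Any failure makes the control non-compliant, opens an issue on it, and is
// recorded against every risk the control is mapped to (control -> risk).
function monitorControl(control) {
  if (control.state !== 'monitor') {
    throw new Error(`control "${control.name}" is in state ${control.state}, not monitor`);
  }
  const failed = control.indicators.filter((ind) => !runIndicator(ind));
  if (failed.length === 0) {
    control.status = 'compliant';
    return control.status;
  }
  control.status = 'non_compliant';
  for (const ind of failed) control.issues.push(`indicator "${ind.name}" failed`);
  for (const risk of control.risks) {
    if (!risk.failedControls.includes(control.name)) risk.failedControls.push(control.name);
    risk.status = 'attention';
  }
  return control.status;
}

// A failed risk indicator opens an issue on the risk only. Linked controls are
// deliberately left alone: the linkage does not run from risk back to control.
function recordRiskIndicatorFailure(risk, indicatorName) {
  risk.issues.push(`risk indicator "${indicatorName}" failed`);
  risk.status = 'attention';
  return risk.status;
}

// Point 5 of the answer: un-retire a control back to the attestation phase
// instead of recreating it, so its issue and indicator history is kept.
function reopenRetiredControl(control) {
  if (control.state !== 'retired') throw new Error(`control "${control.name}" is not retired`);
  control.state = 'attest';
  return control;
}

// Worked scenario: two controls mapped to one risk, one indicator of each kind.
function scenario() {
  const review = makeControl('Privileged account review');
  const mfa = makeControl('MFA enforced for administrators');
  const risk = makeRisk('Unauthorized access via dormant admin account');
  review.risks.push(risk);
  mfa.risks.push(risk);
  // Any dormant privileged account is a finding: matches => fail.
  review.indicators.push(makeIndicator('dormant privileged accounts', PRIV_ACCOUNTS,
    (row) => row.privileged && row.days_since_login > 90, true));
  // An enforced admin MFA policy is the evidence we want: matches => pass.
  mfa.indicators.push(makeIndicator('admin MFA policy present', MFA_POLICIES,
    (row) => row.scope === 'admins' && row.enforced, false));
  monitorControl(review);                            // fails: svc_backup is dormant
  monitorControl(mfa);                               // passes
  recordRiskIndicatorFailure(risk, 'login anomaly'); // mfa stays compliant
  return { review, mfa, risk };
}
```

Running `scenario()` leaves the review control non-compliant with one issue, the MFA control compliant, and the risk carrying one failed control plus one risk issue; the two `failIfResults` settings are unchanged after the runs, which is the behaviour observed in Q4, and the later risk-level failure does not alter either control's status, which is the one-way linkage described in Risk point 2.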

07-15-2019 11:01 PM
Hi Jorge,
Thanks a ton for your detailed explanation and clarifications on the questions I had in my mind.
I would re-visit and map your answers for a better understanding.
Regards,
Anitha