Hello Everyone,

I'm looking for answers to few basic questions on Control Testing.

What is the different between Control Indicators and Control Test? For control self assessment are we supposed to make use of Control Test of Control Indicators for making the control compliant or non-compliant?

For example - An organization has a list of common controls and one of them is, "Storing and Transmitting Passwords". From my understanding I would take this approach

1. Will create a Policy Statement for the Common Control "Storing and Transmitting Passwords". As Servicenow treats common controls Policy Statements. Define "Test Template" for the Policy Statement.

2. I will create Profile Types (Oracle Servers, Linux Servers, Windows Servers) and based on profile filter, tag profiles.

3. Will associate the Policy Statement to the Profile Types and the Policy Statement becomes a control for each Profile under those three Profile Types. Along with that, Test Template would get converted into Test Plan for each control associated with a Profile.

My question and confusion

 For testing the control "Storing and Transmitting Passwords" there might 3 to 4 Test Points to be evaluated. Such as

1. Verify the evidence to ensure the passwords are not transmitted in clear text, non-expiring password are encrypted before transmission

2. Review the evidence to ensure the password entry fields are masked

3. Validate the usage of algorithm for hashing passwords prior to storage

and the control is supposed to be compliant only when all the three Test Points are passed. And this control is supposed to be tested for every profile under three profile types(Oracle, Linux, Windows). While the test points are generic, evidence collection for each of the test points would differ for each profile type.

Considering I would want to implement control self assessment on Servicenow, how would I go about it? what should be considered as Indicators and what should be defined as Test Plan?

Thanks and Regards,

Swayam