Controls Objectives to Entity Types

JahanzebB
Mega Guru

After we have defined an Entity Type filter, we need some guidance on Entity Scoping> Adding related Controls Objectives. 

Here is what I understand:

1. When a Policy is added to an Entity Type, all of the Controls Objectives from the Policy are added to the Entity Type> Controls Objectives. Let's call this the Data Center Entity type. 

a) I have a policy for Data Center Security and can add this policy to this Entity Type. This will give us all of the Entity Type> Controls Objectives for Data Centers. 

The issue that I run into: 

1. Let's say I have a Controls Objective that is associated with 3 different Policies.

a) Does this follow best practice within ServiceNow: one Controls Objective repeated across different Company Policies?

b) What is the best way to decide which Policy to add to this Entity Type? Should we just manually add all of the Controls Objectives? 

Thanks,

Jahanzeb


1 ACCEPTED SOLUTION

Dexter Parreño
ServiceNow Employee

Hi,

Please see my answers:

1.Does this follow best practice within ServiceNow?

Yes, a control objective can be mapped to multiple policies. 

2. What is the best way to decide which Policy to add to this Entity Type? Should we just manually add all of the Controls Objectives?

There are two ways you can create controls: by mapping the entity type to a policy, or by mapping the entity type to a control objective. If you do the first one, a control will be created for each entity in the entity type for all control objectives under that policy. However, if some, or even just one, of the control objectives under the policy doesn't apply to the entity type, then you go for the second one. A policy may have control objectives mapped to different entity types.

Regards,

Dexter

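To make the two scoping modes in the accepted answer concrete, here is an added example that is not part of the original thread and is not ServiceNow's own API: a constructed, simplified model of Policies, Control Objectives, Entity Types and the Controls they generate (all names such as `POLICIES`, `ENTITY_TYPES`, `CO-LOG-01` and `DC-East` are hypothetical). It reproduces the rule Dexter states (policy scoping generates one Control per entity per objective under the policy), the duplicate Controls Ashutosh describes when one objective arrives through several policies, and the decision rule for choosing between the two modes.

```javascript
// Added illustration of Entity Type scoping in ServiceNow GRC, written as a
// plain JavaScript model. Record and field names are hypothetical stand-ins;
// this is not the platform's tables or scripting API.

// Constructed sample data. CO-LOG-01 is shared by all three policies, as in
// the original question.
const POLICIES = {
  "Data Center Security": ["CO-PHYS-01", "CO-PHYS-02", "CO-LOG-01"],
  "Access Control":       ["CO-LOG-01", "CO-LOG-02"],
  "Logging Standard":     ["CO-LOG-01", "CO-LOG-03"],
};

// Entity Type -> entities matched by its filter (constructed).
const ENTITY_TYPES = {
  "Data Center": ["DC-East", "DC-West"],
};

// Mode 1: scope the Entity Type to a whole Policy. One Control is generated
// per (entity, control objective) for every objective under that policy, and
// the Control is tied to that policy.
function controlsFromPolicy(entityType, policy) {
  const controls = [];
  for (const entity of ENTITY_TYPES[entityType]) {
    for (const objective of POLICIES[policy]) {
      controls.push({ entity, objective, policy, state: "draft" });
    }
  }
  return controls;
}

// Mode 2: scope the Entity Type to hand-picked Control Objectives. Only the
// chosen objectives generate Controls and no Policy is implied.
function controlsFromObjectives(entityType, objectives) {
  const controls = [];
  for (const entity of ENTITY_TYPES[entityType]) {
    for (const objective of objectives) {
      controls.push({ entity, objective, policy: null, state: "draft" });
    }
  }
  return controls;
}

// Report (entity, objective) pairs that occur more than once: the extra
// per-policy Controls you get when a shared objective is scoped via several
// policies. Each entry lists the policies that produced the duplicates.
function duplicateControls(controls) {
  const seen = new Map();
  for (const c of controls) {
    const key = `${c.entity}|${c.objective}`;
    seen.set(key, (seen.get(key) || []).concat([c.policy]));
  }
  return [...seen.entries()]
    .filter(([, policies]) => policies.length > 1)
    .map(([key, policies]) => ({ key, policies }));
}

// Decision rule from the accepted answer: map the Policy only when every
// objective under it applies to the Entity Type; otherwise map the applicable
// objectives individually and record which ones were left out.
function chooseScopingMode(policy, applicableObjectives) {
  const applies = new Set(applicableObjectives);
  const skipped = POLICIES[policy].filter((o) => !applies.has(o));
  if (skipped.length === 0) {
    return { mode: "policy", objectives: POLICIES[policy], skipped };
  }
  return {
    mode: "objectives",
    objectives: POLICIES[policy].filter((o) => applies.has(o)),
    skipped,
  };
}

// Scope "Data Center" to all three policies: 2 entities x 7 mappings gives
// 14 Controls, and CO-LOG-01 is duplicated three times on each entity.
const viaPolicies = Object.keys(POLICIES).flatMap((p) =>
  controlsFromPolicy("Data Center", p)
);
const dups = duplicateControls(viaPolicies);

// Scope the same Entity Type to only the objectives that apply to data
// centers: 2 entities x 3 objectives gives 6 Controls and no duplicates.
const applicable = ["CO-PHYS-01", "CO-PHYS-02", "CO-LOG-01"];
const viaObjectives = controlsFromObjectives("Data Center", applicable);

console.log(viaPolicies.length, viaObjectives.length);
console.log(dups);
console.log(chooseScopingMode("Data Center Security", applicable));
console.log(chooseScopingMode("Access Control", applicable));
```

Running the model against the constructed data shows 14 Controls via policy scoping with CO-LOG-01 duplicated on both entities, against 6 via objective scoping with none; `chooseScopingMode` picks policy scoping for Data Center Security (every objective applies) and objective scoping for Access Control (CO-LOG-02 does not), which is the situation JB describes further down the thread.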

5 REPLIES

Ashutosh Munot1
Kilo Patron

Hi,

a) Does this follow best practice within ServiceNow: one Controls Objective repeated across different Company Policies? My experience, which I will share: we can have one control shared by different policies. The only thing is that it will create one more control, but specific to that policy and the entity it is attached to.

b) What is the best way to decide which Policy to add to this Entity Type? Should we just manually add all of the Controls Objectives? We do it manually on the entity type, as it helps us to define which control objective is more closely coupled with this entity type.


Thanks,
Ashutosh

Hi @Ashutosh Munot ,


a) Thank you for sharing your experience. I can see how the controls created are specific to the policy and entity. Also, we can view Controls > Controls Objectives > Policies to see which policies are mapped to the controls objectives. I know there is no limit when adding records to related lists. From your experience, what is the maximum number of Controls that you have added to an Entity Type?

b) Got it! Makes perfect sense. 


Just a quick follow-up question. I noticed that when Controls or Risks are auto-generated after being added to an Entity Type, they are set to the Draft state. Let's say we decide to manually remove one of those Controls or Risks from the Entity Type. When a risk is removed, it still shows under the Entity > Downstream risks but is set to Retired. We are considering removing these Retired records when we first set up our Risk Framework. Any issues with removing these Retired Risks when first setting up Entity Types?

Thanks,

JB


Hi @Dexter Parreño ,


a) Thank you for confirming. I know there is no limit when adding records to related lists. From your experience, what is the maximum number of Controls that you have added to an Entity Type? 

b) Got it! Makes perfect sense. We have many Controls Objectives under the policy that do not apply to the entity type, so in our case we need to go for the second option. 

Just a quick follow-up question. I noticed that when Controls or Risks are auto-generated after being added to an Entity Type, they are set to the Draft state. Let's say we decide to manually remove one of those Controls or Risks from the Entity Type. When a risk is removed, it still shows under the Entity > Downstream risks but is set to Retired. We are considering removing these Retired records when we first set up our Risk Framework. Any issues with removing these Retired Risks when first setting up Entity Types?

Thanks,

JB