07-27-2020 10:40 AM
After we have defined an Entity Type filter, we need some guidance on Entity Scoping > Adding related Controls Objectives.
Here is what I understand:
1. When a Policy is added to an Entity Type, all of the Controls Objectives from the Policy are added to the Entity Type > Controls Objectives. Let's call this the Data Center Entity type.
a) I have a policy for Data Center Security and can add this policy to this Entity Type. This will give us all of the Entity Type > Controls Objectives for Data Centers.
The issue that I run into:
1. Let's say I have a Controls Objective that is associated with 3 different Policies.
a) Does this follow best practice within ServiceNow: one Controls Objective repeated across different Company Policies?
b) What is the best way to decide which Policy to add to this Entity Type? Should we just manually add all of the Controls Objectives?
Thanks,
Jahanzeb
07-27-2020 09:18 PM
Hi,
Please see my answers:
1. Does this follow best practice within ServiceNow?
Yes, a control objective can be mapped to multiple policies.
2. What is the best way to decide which Policy to add to this Entity Type? Should we just manually add all of the Controls Objectives?
There are two ways you can create controls: by mapping the entity type to a policy or by mapping the entity type to a control objective. If you do the first one, a control will be created for each entity in the entity type for all control objectives under that policy. However, if some or at least one of the control objectives under the policy doesn't apply to the entity type, then you go for the second one. A policy may have control objectives mapped to different entity types.
Regards,
Dexter
07-29-2020 06:04 PM
Hi,
A) You mean the maximum number of Control Objectives (not Controls) that can be mapped to Entity Types? I would suppose that you can add as many as you want and the limit should be equivalent to the max number of records a table can hold (since the mapping is stored in an m2m table).
B) I would suggest you retire a control/risk instead of removing them. However, if the controls/risks you want to retire all belong to a specific entity, better to revise the entity type filter so that it wouldn't capture the unnecessary entities that would create the unnecessary controls/risks. I believe there are no issues removing them but as I've said, better to correct your entity type filter... I think this is the root cause of your issue.
Regards,
Dexter