Difference between Attestations and Manual Indicators

David347
Tera Contributor

Can someone explain the value of manual indicators in comparison to attestations? They seem to do similar things.

I will break this down into two areas to help my understanding.

Situation: I have a control objective applied to 100 devices where I need them to state that they have Anti Virus (AV) on their machines. The Anti Virus is centrally managed, so none of the users can add, disable or uninstall the AV.

I send the attestation to the control owner, who states that all 100 devices have it installed. I then set the attestation to repeat in a month's time.

I want to set up manual indicators to check on the devices.

1. Who is doing the indicator? (Control Owner or end users?)

2. Do I send out 100 indicators, or is it more an audit, a random selection of devices?

3. What do I put in the message for them to confirm?

Thank you in advance


Kalyani Jangam1
Mega Sage

Hi @David347

1. Who is doing the indicator? (Control Owner or end users?)

Answer: Role required: compliance_admin or compliance_manager, risk_admin or risk_manager, audit_admin or audit_manager

2. Do I send out 100 indicators, or is it more an audit, a random selection of devices?

Answer: Please refer to the link below:

https://docs.servicenow.com/en-US/bundle/tokyo-governance-risk-compliance/page/product/grc-policy-an...

For more information you can also check the docs below:

https://docs.servicenow.com/bundle/tokyo-governance-risk-compliance/page/product/grc-indicators/task...

I have looked at the guide; it doesn't make sense to me. This is why I asked in question form, to get a better understanding. Unfortunately it's not very helpful.

rajeeshraj
Tera Guru

Hello

1. Indicators must be assigned to the device owner.
2. Indicators are used for continuous monitoring of controls. If the antivirus is centrally managed and cannot be added/modified/removed by the device owner, then you can strategically pick random devices (maybe a device owner owns 20 devices; in this case, select a random 2 or 3).
**If these devices are present in ServiceNow (in one of the CMDB tables), then you do not need manual indicators; you can use basic indicators, which will automatically query the CMDB tables.
3. The message you need to put in the indicator is whatever you want the device owner to confirm. If you want them to confirm antivirus is installed, then the message should be along those lines.
You can take a look at the out-of-box indicator templates for examples.
The table name of the indicator templates is "sn_grc_indicator_template"; search for records where the "Instruction" is not empty.

[attached screenshot: rajeeshraj_0-1669394039609.png]
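The two options in the reply above (a basic indicator that evaluates every CMDB record, versus manual indicators sent to a random subset of each owner's devices) can be made concrete with a small simulation. The block below is an added illustration written for this thread, not ServiceNow code: it runs in plain Node.js rather than against GlideRecord, and the device list, owner names and the `evaluateAvCoverage` / `sampleForManualIndicator` function names are constructed for the example. On the platform, the first function corresponds to the filter condition a basic indicator runs against a CMDB table, and the second to deciding which device owners receive a manual indicator task and with what instruction.

```javascript
// Constructed sample data standing in for CMDB records of a software-install
// table: device name, owner, and whether the managed AV agent is present.
const devices = [
  { name: "WS-001", owner: "alice", avInstalled: true },
  { name: "WS-002", owner: "alice", avInstalled: true },
  { name: "WS-003", owner: "alice", avInstalled: true },
  { name: "WS-004", owner: "alice", avInstalled: false }, // the one exception
  { name: "WS-005", owner: "alice", avInstalled: true },
  { name: "WS-006", owner: "bob",   avInstalled: true },
  { name: "WS-007", owner: "bob",   avInstalled: true },
  { name: "WS-008", owner: "bob",   avInstalled: true },
  { name: "WS-009", owner: "carol", avInstalled: true },
  { name: "WS-010", owner: "carol", avInstalled: true },
];

// Basic-indicator style check: every record is evaluated and the indicator
// result carries the exceptions, so a single missing agent fails the control.
function evaluateAvCoverage(records) {
  const missing = records.filter((r) => !r.avInstalled).map((r) => r.name);
  return {
    total: records.length,
    compliant: records.length - missing.length,
    missing,
    passed: missing.length === 0,
  };
}

// Small seeded generator (LCG) so a sample can be reproduced for audit notes.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(1664525, s) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Manual-indicator style sampling: group devices by owner, pick
// ceil(fraction * n) of each owner's devices without replacement, and build
// one task per picked device with the instruction the owner must confirm.
function sampleForManualIndicator(records, fraction, seed) {
  const rng = makeRng(seed);
  const byOwner = new Map();
  for (const r of records) {
    if (!byOwner.has(r.owner)) byOwner.set(r.owner, []);
    byOwner.get(r.owner).push(r);
  }
  const tasks = [];
  for (const [owner, list] of byOwner) {
    const pool = list.slice();
    const n = Math.max(1, Math.ceil(pool.length * fraction));
    for (let i = 0; i < n; i++) {
      const idx = Math.floor(rng() * pool.length);
      const [picked] = pool.splice(idx, 1);
      tasks.push({
        assignedTo: owner,
        device: picked.name,
        instruction:
          `Confirm that the centrally managed antivirus agent is installed ` +
          `and running on ${picked.name}.`,
      });
    }
  }
  return tasks;
}

// Stand-alone run: full automated evaluation, then a 25% per-owner sample.
const result = evaluateAvCoverage(devices);
console.log(`basic indicator: ${result.compliant}/${result.total} compliant, ` +
            `passed=${result.passed}, missing=${result.missing.join(",")}`);
for (const t of sampleForManualIndicator(devices, 0.25, 42)) {
  console.log(`manual indicator -> ${t.assignedTo}: ${t.instruction}`);
}

module.exports = { devices, evaluateAvCoverage, sampleForManualIndicator };
```

The contrast the simulation makes visible: the automated check catches WS-004 every time it runs, whereas a 25% sample only finds it if that device happens to be drawn. That is the trade-off behind the advice to use basic indicators whenever the devices are already in the CMDB, and to reserve manual sampling for evidence the platform cannot query.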

Ok, so the indicators are more to test the waters and confirm that it's in place. So out of the 100, I might test 20/30% of them to see if it's installed.

I understand how this could be automated with a basic indicator, but if it is manual, then it would be easier just to do a gap analysis of the CMDB and AV tool to see what is installed.

So, it's basically like unofficial/internal auditing?