Difference between Attestations and Manual Indicators

David347
Tera Contributor

Can someone explain the value of manual indicators in comparison to Attestations? They seem to do similar things.

I will break this down into two areas to help my understanding.

Situation: I have a control objective applied to 100 devices where I need them to state that they have Anti Virus (AV) on their machines. The Anti Virus is centrally managed, so none of the users can add, disable or uninstall the AV.

I send the attestation to the control owner, who states that all 100 devices have it installed. I then set the attestation to repeat in a month's time.

I want to set up manual indicators to check on the devices.

1. Who is doing the indicator? (Control Owner or end users?)

2. Do I send out 100 indicators or is it more an audit, random section of devices?

3. What do I put in the message for them to confirm?

Thank you in advance


Well, indicators are not used for audit, but rather for continuous monitoring.

If you have a policy or external regulation that says all devices must have anti-virus, then Indicators are used to make sure the device has AV; if not, an issue is created for the device owner. The device owner can either install the AV and then resolve the issue, or ask for an exception to the policy or external regulation.

A control test will be used for the audit.

Please see this YouTube video that explains Attestations, Indicators, and Control tests in detail. I hope this helps.

https://www.youtube.com/watch?v=m4IwW-IukIc


Ahmed Drar
Tera Guru

Hi @David347

  • Attestation should be sent to the control owner to ensure the control is implemented. Attestation is a pre-monitoring activity.
  • Indicator creation is part of the continuous monitoring of a control. You can think about it like someone watching a control and periodically checking whether the control is really in place or not. Your indicators don't have to be assigned to the control owner; it's really up to the org to decide that. The assignee can be a service owner or a department head.

I hope this helps.

Ahmed

Please mark my answer as Correct / Helpful based on the Impact.