Dynamic Control Owners in IRM Control Objective based on Entity linked user roles
01-31-2024 07:44 AM - edited 01-31-2024 07:46 AM
In the current IRM setup, the Entity owner is global across the board, which we can understand from a reporting perspective. However, Control Objective owners are tied to the entity owners by default, which is not common across the industry.
To explain more, see the below image for our use case:
We have a common entity, the Business Application class, which is owned by the BA Owner, and the Database, which is owned by the DB Service Owner. However, there are various control frameworks like SOX, Secure Dev, NIST etc., and in each of these frameworks we have many control objectives tied to the same entities as above.
The problem is that there is no way to add the Control Owners dynamically based on the entity mapping. E.g. for SOX-related controls, the Control Owner must be selected from a Business Application record and it links to the Support Manager of the BA, whereas for NIST-related controls on the same Business App, it links to the Development Manager in the Control Owner.
Currently there is no way we can define the Control Owners based on the entity or entities mapped to a specific field on the mapping. How do we achieve this, as we are talking about thousands of Controls / Entities?
01-31-2024 07:45 AM
01-31-2024 02:52 PM
@Pranav Parmar1, it is a bit hard to understand what you are trying to achieve, but there are a few ways you could tackle this.
Option 1: You could create a new field on the Control Objective to capture which role the control should apply to. Then you can create additional fields on the entity to capture the individuals who are responsible for each role. Then you can create a flow on the Control so that, when it is created, it checks the Control Objective for which role should own it, then checks the corresponding field on the entity, finds the user and assigns the control to the right user.
Option 2: Assuming I am understanding what you want to achieve, you can actually break the entity down into more granular entities. For example, if Entity A (Business Application) depends on a database, you could create a new database entity. That way the Business Application is owned by the BA and the child entity is owned by the DB Service Owner. Then you can apply the DB controls to the DB entity and the DB Service Owner will automatically be assigned correctly. If you set up your entity hierarchy correctly, the controls at the DB level will automatically roll up to the Business Application as well. This is the more OOTB and recommended approach. Please see the below white paper for more guidance.
https://www.servicenow.com/community/grc-articles/risk-management-prescriptive-guidance/ta-p/2710426
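To make the Option 1 lookup concrete, here is an added illustration (not code from the thread, ServiceNow, or the IRM application) of the resolution a Flow or script step would perform: read the role field on the Control Objective, follow the entity to its CMDB record, and read the user from the matching role field. It runs against constructed in-memory records; the field names (owner_role, cmdb_record, support_manager, service_manager, development_manager) are assumptions, and it falls back to the entity owner when the role is unset or the CMDB field is empty so no control is left without an owner.

```javascript
// Constructed sample records modelled on the thread's "Big Bang" example.
const cmdbBusinessApps = {
  big_bang: { name: "Big Bang", owned_by: "ba.owner", support_manager: "support.mgr",
              service_manager: "service.mgr", development_manager: "" }
};
const entities = {
  ent_big_bang: { name: "Big Bang", owner: "ba.owner",
                  cmdb_table: "cmdb_ci_business_app", cmdb_record: "big_bang" }
};
// owner_role is the assumed new field on the Control Objective (Option 1).
const controlObjectives = {
  CO1: { framework: "SOX",        owner_role: "support_manager" },
  CO2: { framework: "NIST",       owner_role: "service_manager" },
  CO3: { framework: "Secure Dev", owner_role: "development_manager" },
  CO4: { framework: "ISO",        owner_role: "" }
};

// Allow-list of CMDB fields that may act as owner sources, so a mistyped or
// tampered owner_role value cannot pull a user from an arbitrary field.
const ALLOWED_OWNER_ROLES = new Set(["support_manager", "service_manager", "development_manager"]);

// Returns { owner, source } for one control objective applied to one entity.
function resolveControlOwner(coId, entityId) {
  const co = controlObjectives[coId];
  const ent = entities[entityId];
  if (!co || !ent) throw new Error("unknown control objective or entity");
  const role = co.owner_role;
  // No role configured: keep today's default behaviour (entity owner).
  if (!role || !ALLOWED_OWNER_ROLES.has(role)) return { owner: ent.owner, source: "entity_owner" };
  const ci = cmdbBusinessApps[ent.cmdb_record];
  const user = ci ? ci[role] : "";
  // Role field empty on the CMDB record: fall back rather than leave it blank.
  if (!user) return { owner: ent.owner, source: "entity_owner_fallback" };
  return { owner: user, source: role };
}

// Resolves owners for every control objective tied to an entity in one pass.
function assignOwners(entityId, coIds) {
  return coIds.map((id) => ({ control_objective: id, ...resolveControlOwner(id, entityId) }));
}
```

The source field in each result makes it visible in a list report which controls were assigned by role and which fell back to the entity owner.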
02-04-2024 10:49 PM
Hey Connor,
Thanks for the response. I guess I did not explain the problem properly. Let me try again with an example:
1. We have an Entity called Big Bang which is of type Business Application, and the owner of the entity is mapped to the Owned by attribute in the BA table.
2. This entity is tied to 3 different control objectives from various frameworks. Each control objective can have a different owner, e.g. CO1 is linked to the Support Manager of Entity type BA, whereas CO2 is linked to the Service Manager of Entity type BA.
3. In IRM Control Objectives there is no way I can define which field from the Entity's mapped table should map to the Control Owner. There is no way we can add fields on entities per framework; the control owners change for the same entity, but the owners are linked to one of the existing fields in the CMDB table.
Hope this explanation helps.
Thanks

02-06-2024 04:14 AM
There is no automated way, and no standard way across the industry, to standardize it. I would suggest providing alternate options to clients to handle this. One option is to create a list report with the inline editing option enabled. The client can filter the relevant controls and assign new control owners as they see fit.