Dynamic Control Owners in IRM Control Objective based on Entity linked user roles

Pranav Parmar1
Tera Contributor

‎01-31-2024 07:44 AM - edited ‎01-31-2024 07:46 AM

In current IRM setup, Entity owner is global across the board which we can understand from reporting perspective. However, Control objective owners are tied to the entity owners by default which is not common across industry. 

 

To explain more see below image in our use case:

PranavParmar1_0-1706715953509.png

 

 

We have common entity Business Application class which is owned by the BA Owner and Database owned by the DB Service Owner. However there are various Control frameworks like Sox, Secure Dev, NIST etc. and each of these frameworks, we have many control objectives tied to the same entities as above. 

 

The problem is there is no way to add the Control Owners dynamically based on the entity mapping dynamically. E.g. For Sox related controls, the Control owner must be selected from a Business Application record and it links to the Support Manager of the BA where as for the NIST related controls for the same Business App, it links to the Development manager in the control owner. 

 

Currently there is no way we can define the Control owners based on the entity or entities mapped to a specific field on the mapping. How do we achieve as we are talking of thousands of Controls / Entities? 

0 Helpfuls
  • 831 Views
6 REPLIES 6

Connor Levien
ServiceNow Employee
ServiceNow Employee
In response to Pranav Parmar1

‎02-06-2024 12:34 PM

@Pranav Parmar1 I would create a new field on the control objective to flag which role the control objective should apply to. Then I would create a flow on the Control table that after a control is created to check the related control objective's new field and depending on which role has been selected, look at the related entity, and then the applies to record and get the user specified in the field on the underlying table.

0 Helpfuls

Anand-Pandu1
Tera Contributor

‎02-12-2024 10:25 AM

I thin you are looking for changing owners for control attestation. Though owner is different you can open a control record and change control attestation recipient. This is what we end up doing it. Or you can create custom entity (not tied to cmdb table) and assign control objective to custom entity with owner. 

0 Helpfuls