Hello Everyone,

I would like to know your opinion or get help with Entities and which ones to generate to make Risk and Compliance manageable.

The thing is that some of the customers have not used Entities in the past, and their risks were "in the wind," not really specifying what may be impacted. Most of their risks sound like a risk to the company itself, and that’s it. They see the benefit of having entities to specify the risks, BUT they also have a huge problem defining the entities so they don’t end up from 500 risks to a few thousand by applying statements to everything that may be affected.

Some cases are really easy since we don’t have that many entities, for example, departments. They know that this statement describes the risk that all departments should assess. That way, we will have entities per department, and then the risks and controls on each department. Still manageable, I guess. There are not thousands of departments.

BUT if we start talking about IT CIs like servers, now we are elsewhere. Some of the companies are managing thousands of these, and it’s not really manageable to have a few risks and controls for each server, right? So I was thinking that we should not generate an entity per each server, but instead go up in the CMDB hierarchy and say we have Linux Servers and Windows Servers, or even just Servers.

Example: 

I have 1,000 servers.
It’s nonsense to create an entity for each of them, attaching control objectives and statements, and generating thousands of risks and controls. I don’t think it’s necessary to be so granular anywhere. That is, I would go one level higher in the CMDB and say that I will have two entities: Windows Servers and Linux Servers.
In my opinion, this level of granularity is enough for the customer and is definitely better.

My question are

1. Is my approach and understanding how to properly design entities correct ? 
2. if an entity is meant to represent an entire table and not specific records in the CMDB, then I cannot use the source record because the "Windows server" is not a record; it’s just a cmdb class that contains records. Does this mean that I create an entity without a record and name it the same as it is in the CMDB? Do you think this is a good approach? Or how else could this be solved?

I understand that some entities can be managed in the standard way if there aren’t hundreds or thousands of them, like departments, etc. However, with these IT CIs, I’m concerned that it might not be manageable.

I would appreciate any input or if anyone has dealt with this before. Thanks a lot!