Entity relationships in GRC are very confusing

alexrozov
Tera Expert

Hi All,

 

I'm trying to properly understand how everything works with regard to entity relationships.

I'm trying many different scenarios and I cannot understand the logic.

Reading through the documentation and going through the videos on entity scoping has also not provided me with the understanding I'm looking for.

 

Here is what I have:

- We have a set of entity classes and entities defined.

- All our entities are members of an entity class.

- We have a dependency class model built through the GRC workbench.

 

Here are a few things I did figure out (hopefully I'm right):

- Linking classes in the dependency model does not create any relationships between entities. These should be created either through the workbench or by updating upstream entities/downstream entities on the entity form related lists.

If I try to add upstream entities or downstream entities, the OOTB filter filters entities based on the classes defined in the dependency model. I can change the filter, and then I can create any relationship to any entity.

For example, I wanted to link a business service entity, which is in a business tier, to a data center entity, which is in an IT tier, so I changed the filter and created the relationship.

 

- Once I define downstream entities for an entity, the system automatically updates the downstream risks and downstream controls related lists on the entity.

I think it brings in all risks and controls that are linked to the entity that was added as a downstream entity.

 

Once the relationships are defined, I think I should be able to relate risks to downstream risks and to relate risks to controls and vice versa.

When I'm on the control form looking at the risks related list (and vice versa), I'm expecting to see an Add button.

It looks as if this button only appears if there are downstream risks/controls defined for the entity, but I have not been able to see this working consistently.

I can't understand exactly when the Add button appears and when it is hidden.

And if I can see the button and click it, I can't really understand what risks/controls are shown. In this window the filter is not available and I can't change it.

 

I'm also trying to understand if all of this is somehow dependent on CMDB relationships, but I could not see this.

 

 

Is there some detailed explanation of how all of this works: what is dependent on what, and what affects what?

 

Thanks

 

1 ACCEPTED SOLUTION

Eric Le Martre4
Kilo Guru

Hello Alex,

I wanted to respond to your question about a possible link between the relationships built in the CMDB and those in the Risk Workbench. I can confirm that there is NO relation between these two out of the box.

But Belasis has built an App that does exactly that: automatically importing existing CMDB relationships as Entity Relationships, for those Assets that exist as GRC Entities. And it does the same for Organisation entity relationships, using the existing relationships between Companies, Business Units, Departments, etc.

Please contact me at Eric@Belasis.com if you want a demo.

The App just got certified and should be published on the Store early next week.

Best Regards

Eric


Eric Feron
Moderator

Hi @alexrozov ,

We just published a tutorial that should help:

Entity Types, Classes and Tiers for GRC: What they are and how to use them (15 minutes).

I strongly advise that you also view the other tutorials as advised in the video (they are all here).

Let us know how this works for you.

Cheers.

Hi Eric,

 

As always the videos are great.

It still did not answer all my questions, but I have spent more time doing some tests and here is my current understanding. I would love to get your feedback on this.

 

When I look at relating risks to controls:

1. It can be done at the control objective to risk statement level; my customer did not want to implement this, so I did not investigate this option.

2. It can be done at the risk to control level; only risks and controls that have the exact same entity can be related. If an entity only has risks but no controls, or vice versa, the Add button on the related list will not even be shown.

 

When I look at a risk and its upstream/downstream risks:

In order to relate risks to each other as upstream or downstream risks, I first need to relate the entities to each other.

So I need to go to the entity (or the GRC workbench) and add other entities to the upstream/downstream entities related lists.

This will automatically populate the downstream risks and downstream controls with all relevant risks and controls, and then when I go to a specific risk I can relate upstream risks and downstream risks based on the entity relationship.

 

When I look at an entity that has downstream entities defined:

The related lists for downstream risks and downstream controls are automatically populated.

The downstream risks list impacts how risks can be related.

Does the downstream controls related list have any impact? Or is it just presented there to show the relationships, with no other impact anywhere else?

 

And one last question (for now :)):

CMDB relationships do not have any impact whatsoever on the entity relationships I can build, correct?
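The rules spelled out in the two posts above (dependency model only filters candidates, downstream risks/controls derived from downstream entities, risk-to-control linking only on the same entity, and a CMDB-to-entity sync as described in the accepted answer) are easier to check against a small model. The following is an added illustrative model written for this page, not ServiceNow code and not the Belasis app: the data, the class names and the "direct downstream entities only" behaviour are constructed assumptions, and the table/field names of the real GRC schema are deliberately not used.

```javascript
// Added illustrative model (not ServiceNow code): entity classes, a dependency
// class model, entity relationships and the derived risk/control lists that the
// thread describes. All names and data below are constructed for the example.

// Dependency class model: [upstream class, downstream class] pairs.
// Linking classes here does NOT create entity relationships; it only filters
// which entities are offered when adding upstream/downstream entities.
const dependencyModel = [
  ['Business Service', 'Application'],
  ['Application', 'Server'],
];

const entities = {
  E1: { name: 'Online Banking', cls: 'Business Service' },
  E2: { name: 'Payments App',   cls: 'Application' },
  E3: { name: 'DC1',            cls: 'Data Center' },
  E4: { name: 'srv01',          cls: 'Server' },
};

// Risks and controls are each tied to exactly one entity.
const risks    = { R1: { entity: 'E1' }, R2: { entity: 'E2' }, R3: { entity: 'E4' } };
const controls = { C1: { entity: 'E2' }, C2: { entity: 'E4' } };

// Entity relationships: one record per upstream -> downstream edge.
const relationships = [];

function allowedDownstreamClasses(cls) {
  return dependencyModel.filter(([up]) => up === cls).map(([, down]) => down);
}

// Mirrors the OOTB related-list filter: candidates are restricted by the
// dependency model unless the user edits the filter (overrideFilter = true).
function addRelationship(upstreamId, downstreamId, overrideFilter = false) {
  const upCls = entities[upstreamId].cls;
  const downCls = entities[downstreamId].cls;
  if (!overrideFilter && !allowedDownstreamClasses(upCls).includes(downCls)) {
    throw new Error(`${downCls} is not a downstream class of ${upCls} in the dependency model`);
  }
  if (!relationships.some(r => r.upstream === upstreamId && r.downstream === downstreamId)) {
    relationships.push({ upstream: upstreamId, downstream: downstreamId });
  }
}

function downstreamEntities(entityId) {
  return relationships.filter(r => r.upstream === entityId).map(r => r.downstream);
}

// Downstream risks/controls: every risk/control whose entity is a direct
// downstream entity. (Assumption: direct neighbours only, not transitive.)
function downstreamRisks(entityId) {
  const down = new Set(downstreamEntities(entityId));
  return Object.keys(risks).filter(id => down.has(risks[id].entity));
}
function downstreamControls(entityId) {
  const down = new Set(downstreamEntities(entityId));
  return Object.keys(controls).filter(id => down.has(controls[id].entity));
}

// Risk <-> control linking rule from the thread: only records on the SAME
// entity can be related, so the Add button only makes sense when the entity
// has at least one risk AND at least one control.
function canRelateRisksToControls(entityId) {
  const hasRisk = Object.values(risks).some(r => r.entity === entityId);
  const hasControl = Object.values(controls).some(c => c.entity === entityId);
  return hasRisk && hasControl;
}
function candidateControlsForRisk(riskId) {
  const entity = risks[riskId].entity;
  return Object.keys(controls).filter(id => controls[id].entity === entity);
}

// Upstream/downstream risks follow the entity relationship: risk A can be
// upstream of risk B only if A's entity is upstream of B's entity.
function canRelateRisks(upstreamRiskId, downstreamRiskId) {
  return downstreamEntities(risks[upstreamRiskId].entity)
    .includes(risks[downstreamRiskId].entity);
}

// Out of the box the CMDB and the entity relationships are independent. A sync
// would walk CMDB relationship records (parent -> child) and create an entity
// relationship only where BOTH CIs exist as entities; ciToEntity is a
// constructed CI-to-entity mapping standing in for that lookup.
function importCmdbRelationships(cmdbRels, ciToEntity) {
  let imported = 0, skipped = 0;
  for (const rel of cmdbRels) {
    const up = ciToEntity[rel.parent], down = ciToEntity[rel.child];
    if (up && down) { addRelationship(up, down, true); imported++; } else { skipped++; }
  }
  return { imported, skipped };
}

// Usage with the constructed data above.
addRelationship('E1', 'E2');            // allowed by the dependency model
try { addRelationship('E1', 'E3'); } catch (e) { console.log('filtered:', e.message); }
addRelationship('E1', 'E3', true);      // what editing the OOTB filter permits
console.log('E1 downstream risks:', downstreamRisks('E1'));
console.log('E2 can relate risks to controls:', canRelateRisksToControls('E2'));
console.log('E1 can relate risks to controls:', canRelateRisksToControls('E1'));
```

Run it with `node`. The model reproduces the observations in the thread: the dependency model blocks Business Service -> Data Center until the filter is overridden, E1's downstream risks list is filled from its downstream entity E2, and E1 (a risk but no control) would show no Add button while E2 would.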

 

 

SanjivMeher
Kilo Patron

This is my understanding so far after working in the GRC module for the past 6 months.

 

Entities hold the ownership information for a control/risk/audit. If you want to create a control or risk, the ownership should be defined in the entity. You can utilize the same entity in a control, risk or audit.

Entity Groups, which we don't use, can store similar types of entities. For example, if you have a control which should be created for all application owners, you can create an Entity Group and create an entity filter to automatically pull the Application and its owner. I didn't find it useful when you don't have a CMDB in ServiceNow.

Entity Classes can be used as tags, e.g. whether an entity is an Application, a Business Service, etc. You can create entity class relationships to identify, if an entity class is non-compliant, which upstream entity is impacted.

 

You can also create upstream or downstream entities to understand the dependency and the compliance score for an entity.

 

Also, adding a risk to a control: I think it was done as part of the risk module. If there is a control objective mapped to a risk statement, you can associate controls of the same control objective with the risk while responding to a risk, to identify the compliance score, which will result in a Calculated Risk score.

Hi @Sanjiv Meher ,

when you say "Entity Group", do you mean "Entity Type"?

Thanks.