GRC - Application customization
‎05-09-2018 09:49 AM
Hello Everyone,
I am pretty new to the ServiceNow GRC platform. I am trying my hands on the developer instance by installing the plugins
such as Audit, Policy and Compliance, and UCF.
My questions are both technical as well as functional.
Functional Questions
1. The Policy Statements get auto-converted to Controls for each Profile under a Profile Type. This is with the assumption that the Common Controls from the UCF library are used. Once these controls are applied to individual Profiles, how would the self-assessment for these controls happen? I mean, as such, is there any option for the control owners to select a control and do a self-assessment? Or is it just that the asset (profile) owner goes to the Profile record, clicks on the Control Test tab, creates a Control Test record and does a self-assessment?
2. How does Internal and External Audit happen on those controls?
3. Is there an option to do focused assessments (SoX or PCI or GLBA) on a set of scoped applications/assets? For example, a SoX ITGC test gets conducted every year for a bunch of scoped applications. How would ServiceNow approach that?
Technical Questions
1. I am trying to update/alter the modules such as Citations, Policy Statements, Controls, etc. by going to the Form Designer mode. However, there is no option to edit any of the fields on the form. The entire form is frozen. Is it because of the Developer Instance?
2. How do I get to know the logic behind deriving the Compliance scope? It's a range of numbers that get derived based on a variety of parameters. As the Form Designer is not allowing me to update or check any back-end configuration, I was wondering how I get to know the overall logic of calculating those scores?
If I could get some help then that would be great! 🙂
Regards,
Swayam
Labels: Policy and Compliance Management

‎05-10-2018 07:10 AM
Hi Swayam,
Functional
1) Policy Statements don't require a UCF underpinning, but it is better if that is the foundation for your Control framework. The Control Assessments are automatically sent out to the Attestation Respondent when the Control moves into the Attest state.
2) However you want it to happen. You can use the Audit module directly and assign the Engagements/Tasks to the Internal or External Auditors, but normally the second line of defence would use a set of GRC and/or PA Indicators to test the controls and then display results in a dashboard. This isn't strictly auditing but is part of the dataset that an audit would require.
3) That could be done via an Audit Engagement, e.g. "SOX Audit", where you add the desired set of controls etc. into the Audit scope.
Technical
1) Hard to say without seeing the instance. Are you in the Admin role, and what scope are you in?
2) Not sure exactly what you mean by Compliance scope, and numbers? Do you mean the Compliance dashboards?
hth
Thanks
R
‎05-14-2018 04:22 AM
Hi Richard,
The problem statement is, we are defining a set of common controls (being harmonized across 10-odd standards and regulations such as ISO 27001, PCI, SOX, SOC 1, HIPAA, etc.). It's basically a common language for a set of baseline controls satisfying a list of regulations.
The next job is to define test points for each of these controls, i.e. how these controls are supposed to be tested.
For example -
Control Area - Screening Prior to Employment
Control Description - Screening procedures should define criteria and limitations for verification reviews, e.g. who is eligible to screen people and how, when and why verification reviews are carried out. Screening of employees/contractors prior to employment should take into account all relevant privacy, protection of personally identifiable information and employment-based legislation, and should, where permitted.
Test Points -
2. Accuracy and completeness of CV
3. Academic and professional qualifications
4. Identity verification (e.g. SSN, passport number etc.)
5. Credit history, criminal background check
‎05-16-2018 06:47 AM
Hi Swayam,
So, it depends on how likely you are to (re)use the individual data points across multiple Policy Statements.
If each one is going to be re-used across multiple PSs, then one way of doing it is that each test should probably be its own Indicator, with
- many indicators to one control for the purposes of that control, but also
- many-to-many between that indicator and controls as a whole (so it is tested once and complies many times).
If you are just trying to test 5 things to come up with a composite result, then that process should be run with a manual indicator, with all 5 of the tests recorded as separate process steps but only one final result ("Pass" or "Fail").
Note that I've not mentioned using the Test Plans, as these can't be assigned to anyone OOTB, so they aren't a "Task" as such.
Again, depending on what you're trying to achieve, you could also use Assessment Metrics, one for each of the 5 questions.
There is overlap now in GRC amongst various artefacts in my opinion, with this and Risk Response Tasks/Issues etc., but it can depend on exactly what you're trying to do. I'm sure others may well disagree with my approach, but it's up to you to decide what's best for you.
hth
r
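The two layouts in the answer above (one indicator per test point, shared many-to-many across controls, versus one manual indicator with the test points as process steps and a single "Pass"/"Fail" result) can be modelled outside the platform to see how a control's state follows from its indicators. The following is an added example, not code from this thread or from ServiceNow; it is plain Node.js with no GlideRecord, and every control name, indicator name, result and the `minPassRatio` tolerance are constructed assumptions.

```javascript
// Added example, not code from this thread or from ServiceNow: a plain
// Node.js model of the two indicator layouts discussed above. No GlideRecord
// is used; all names and results below are constructed sample data.

// Constructed results for the "Screening prior to employment" test points.
const indicatorResults = {
  cv_accuracy: "Pass",
  qualifications: "Pass",
  identity_verification: "Fail",
  background_check: "Pass",
};

// Layout 1: one indicator per test point, many-to-many with controls.
// identity_verification is tested once and supports two controls.
const controlIndicators = {
  "Screening prior to employment": [
    "cv_accuracy",
    "qualifications",
    "identity_verification",
    "background_check",
  ],
  "Joiner identity check": ["identity_verification"],
};

// Evaluate a control from its linked indicators. minPassRatio is a
// hypothetical tolerance: 1.0 means every test point must pass for the
// control to be compliant; 0.75 lets one of four fail. An indicator with
// no recorded result counts as a failure, never as a pass.
function evaluateControl(controlName, minPassRatio = 1.0) {
  const names = controlIndicators[controlName];
  if (!names || names.length === 0) {
    // An unlinked control must not silently read as compliant.
    throw new Error(`no indicators linked to control: ${controlName}`);
  }
  const failed = names.filter((n) => indicatorResults[n] !== "Pass");
  const passed = names.length - failed.length;
  return {
    control: controlName,
    passed,
    total: names.length,
    failed,
    compliant: passed / names.length >= minPassRatio,
  };
}

// Layout 2: one manual indicator whose process steps are the test points,
// recorded together but yielding a single "Pass"/"Fail" result.
function compositeIndicator(steps) {
  if (steps.length === 0) {
    throw new Error("composite indicator needs at least one process step");
  }
  const failedSteps = steps
    .filter((s) => s.result !== "Pass")
    .map((s) => s.name);
  return { result: failedSteps.length === 0 ? "Pass" : "Fail", failedSteps };
}

// Impact view: which controls share an indicator, so one retest of that
// indicator changes the result of every control listed here.
function controlsUsing(indicatorName) {
  return Object.keys(controlIndicators).filter((c) =>
    controlIndicators[c].includes(indicatorName)
  );
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateControl("Screening prior to employment"));
  console.log(evaluateControl("Screening prior to employment", 0.75));
  console.log(controlsUsing("identity_verification"));
  console.log(
    compositeIndicator([
      { name: "CV accuracy", result: "Pass" },
      { name: "Identity verification", result: "Fail" },
    ])
  );
}
```

With the sample data, the screening control fails under a strict tolerance (three of four test points pass) but is compliant at 0.75, and the single failing identity indicator also drives the "Joiner identity check" control to non-compliant, which is the "test once, comply many times" behaviour described above. The composite layout hides which step failed from the control's result, so the example keeps the failed step names alongside the single verdict.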
‎05-18-2018 02:45 AM
Thanks again Richard!
Basically, we are trying to implement a Control Self Assessment process for one of our customers on ServiceNow. We have defined 130 Information Security Controls under various domains such as Access Control, Physical Security, SDLC, Encryption, etc.
We have also defined the test points/attributes based on which these are going to be tested from a Control Self Assessment point of view.
As you have rightly said, "Test Plan" consolidates the test attributes for a control in terms of Design and Operating Effectiveness expectations. But in my case, we have multiple test points to evaluate for a control against scoped assets and then make the control compliant or non-compliant based on how many test attributes are passed.
From a solution design standpoint, would it be fair to assume the following?
1. Common Controls to be created in Policy Statements
2. Profile Types are defined and filters are applied to associate relevant profiles.
3. Apply Policy Statements/Common Controls on the Profile Types.
4. Individual Profiles inherit the Policy Statements as controls.
5. Indicators are defined for each test attribute for every control, i.e. if there are 5 different things to be tested, then there would be 5 indicators for the Control.
If the above approach is alright, then what would be the self-assessment process? I.e. how would a control owner or application/asset owner [most of the time an application/asset owner would own the controls associated with the asset/profile] do it? How will the individual indicators be assessed for a control from a self-assessment point of view?
I am struggling a bit to visualize the overall technical approach.
Hoping to get some help 🙂
Regards.
Swayam