GRC implementation in ServiceNow

stene
Kilo Contributor

Hi All,

We are in the process of implementing the GRC Module within ServiceNow. I would like to know the process and flow of GRC. If anyone already implemented GRC, please help me to understand the process. 

Thanks in advance.

Thanks & Regards,

Sandhya

4 REPLIES

Jan Spurlin
ServiceNow Employee

The GRC applications in ServiceNow are fairly complex. You need to have an understanding of ServiceNow and GRC. There is a GRC Fundamentals class that is available (and that I teach :-)) that provides a very good basis for getting started in implementing GRC. There is also a Risk and Compliance Implementation course that should be going live in Q4.

Here are a few pointers:

  • There is a lot of work required to set up GRC and this is mostly not IT work. The normalization and identification of what risks and controls a company wants to manage and who should manage them can be massive.
    • The Policy and Policy Statement tables are used to set up templates from which to create the controls.
    • The Risk Framework and Risk Statement tables are used to set up templates from which to create risks.
    • Controls and Risks are created by applying a Profile Type to the Policy Statement or Risk Statement. It is technically possible to apply the Profile Type at the Policy and Risk Framework level - but that is not what is happening in the real world. Applying it at the statement level provides more granularity.
    • Profile Types need to be set up. These define who will be managing the controls and risks. They should (if possible) be based on a table in ServiceNow - like one of the cmdb ones (business services, or servers or applications) or one of the core ones like company or location or department.
  • Once the statements are set up and the Profile Types are applied - then controls and risks will have been generated.
  • There is a workflow associated with each of these and that is where the day-to-day work occurs for compliance users and risk users.

Hope this gets you started. And would love to see you in class!

Hi Jan,

Thanks for your reply and information.

Thanks & regards,

Sandhya

So, what you are saying, and correct me if I am wrong, 🙂 is that in order for us to know how to implement and administer the GRC module, we need to take the course for an extra fee?

Is there any step by step implementation guide on ServiceNow that would have this without taking the course? As an Admin/Developer this is a little crazy.

Tom

Ashik3
Tera Expert

Hi Stene,

In simple words:

Policy and Compliance has Authority Documents > Citations > Policy > Policy Statements > Control (Policy Statement + Profile ).

Authority Docs (AD) can be imported using the UCF integration, e.g. ISO, COBIT frameworks, etc.

Citations are the more descriptive part of Authority Documents.

Policy - these can be standalone organisational policies, and can also be linked to citations or an AD.

Policy statements - Policy and Policy statements have a many-to-many relationship. Remember, the terminology is a bit different here in ServiceNow.

Controls from legacy GRC are considered to be policy statements in ServiceNow 🙂

You can set up a profile type (the Profile filters related list will help you to do it) - Profiles can be generated depending on the filter conditions on the Profile filters. [Profile filters are available from Kingston; in the other versions, you can create a profile type only from a single table at a time.]

Once you link the profile type with your Policy statement, Controls are generated automatically (make sure the attribute 'create controls automatically' is set to true on your policy statement).

Controls can be attested based on the questionnaire attached on the Attestation attribute. An attestation is created automatically when a control is pushed to the attest phase. You can assess the attestation from 'My attestation'. Attestations are sent to the respondents in the attestation stage.

Depending on the response, controls are set to compliant/non-compliant (status) and the state will be set to Review automatically.

If a control is non-compliant, it automatically creates an Issue. The Issue can either be remediated or accepted in the Respond phase. If remediated (Response=Remediate), then the Control is set back to compliant automatically once the issue is closed.

Thanks,

Ashik
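The control lifecycle described in this reply (policy statement plus profile generates a control, the attestation response sets compliant/non-compliant and moves it to Review, a non-compliant control raises an Issue, and remediating then closing the Issue returns the control to compliant), as an added plain-JavaScript simulation that is not ServiceNow's own code. Function and field names are assumptions, as is the handling of an accepted issue, which the thread does not specify.

```javascript
// Constructed model of the thread's control lifecycle; not ServiceNow code.
function generateControls(policyStatement, profiles) {
  // Control = Policy Statement + Profile, only when 'create controls automatically' is true.
  if (!policyStatement.createControlsAutomatically) return [];
  return profiles
    .filter(p => p.profileType === policyStatement.profileType)
    .map(p => ({ policyStatement: policyStatement.name, profile: p.name,
                 state: 'attest', status: 'not_assessed', issue: null }));
}

function recordAttestation(control, compliant) {
  // Response sets compliant/non-compliant, moves state to Review; non-compliant raises an Issue.
  control.status = compliant ? 'compliant' : 'non_compliant';
  control.state = 'review';
  if (!compliant) control.issue = { state: 'open', response: null };
  return control;
}

function respondToIssue(control, response) {
  // Respond phase: 'remediate' leaves the issue open until fixed; 'accept' closes it
  // without changing the control status (assumption: the thread does not say).
  if (!control.issue || control.issue.state !== 'open') throw new Error('no open issue');
  if (response !== 'remediate' && response !== 'accept') throw new Error('unknown response');
  control.issue.response = response;
  if (response === 'accept') control.issue.state = 'closed';
  return control;
}

function closeIssue(control) {
  // Closing a remediated issue sets the control back to compliant automatically.
  if (!control.issue || control.issue.state !== 'open') throw new Error('no open issue');
  control.issue.state = 'closed';
  if (control.issue.response === 'remediate') control.status = 'compliant';
  return control;
}

function demoLifecycle() {
  // Constructed sample data: one statement applied to the 'Business Service' profile type.
  const statement = { name: 'PS-1', profileType: 'Business Service', createControlsAutomatically: true };
  const profiles = [{ name: 'Email', profileType: 'Business Service' },
                    { name: 'Payroll', profileType: 'Business Service' },
                    { name: 'London', profileType: 'Location' }];
  const controls = generateControls(statement, profiles);   // two controls, London excluded
  recordAttestation(controls[0], false);                    // Email fails -> Issue raised
  respondToIssue(controls[0], 'remediate');
  closeIssue(controls[0]);                                  // fix verified -> compliant again
  recordAttestation(controls[1], true);
  return controls;
}
```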