GRC indicators

Syed14
Mega Guru

Hi.

I want to know about Indicators and Indicator templates inside Governance, Risk and Compliance (GRC). I know from the documentation that Indicators monitor a single control or risk and Indicator templates allow the creation of multiple indicators for similar controls or risks.

 

What I want to know is how we can effectively use the indicators in GRC, and why the indicators are used.

 

Thanks

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Syed,

Indicators can be automated (= Scripted result) or manual (= Task assigned to someone, ending with a state of Passed or Failed). 

Examples of automated indicators would be checking that all servers in the CMDB are up to date, or that all LDAP passwords are less than 3 months old.
One example of a manual indicator would be to ask the network admin to confirm that annual Network Penetration Tests were conducted, with the results attached to the task.

Indicator Results are used to trigger the creation of GRC Issues (a Task to determine if some remediation is required) if a result indicates Failed or Not Passed. Assessments can also be used for the same purpose, but in the form of a questionnaire.
Indicator Templates can be linked to Policy Statements, or to Risk Statements, to automatically create Indicators for your Controls or Risks.

Controls' status is also automatically calculated by the linked Indicator Results... And that may affect any linked Risks.
A Risk's Calculated Risk Score is adjusted automatically by the Risk's Indicator results. There is an Indicator Failure Factor field in the Risk table that displays the impact of those.

Please note that Indicators are not weighted. So, when looking at their impact on a Control or Risk, they will all be considered equally. Indicators are not executed when Risks and Controls are in the Retired state.

I hope this helps!

Best regards from Switzerland
Shiva, ServiceNow Architect and GRC Expert

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.


5 REPLIES

Alberto Consonn
ServiceNow Employee

Hi,

Here you will find some interesting use cases of GRC:

https://www.inry.com/insights/five-use-cases-for-servicenow-grc/

I would suggest you watch the following video tutorial as well:

https://www.youtube.com/watch?v=uEZDEPI4MrU

If I have answered your question, please mark my response as correct so that others with the same question in the future can find it quickly and that it gets removed from the Unanswered list.

Thank you

Cheers
Alberto

Hi Alberto Consonni

I am also looking for similar information. I have watched this video before; can you point out the exact location in the video where they are creating indicators and using them in the GRC module?

Also, on the other link there are two words about indicators and that's it. Please read the question again. We are only interested in GRC indicators and how to use them.

 

Thanks

ifti

 

Hi Shiva,

 

When you state that indicator tasks are assigned, in my world the assignment goes to the control owner. What role issues the Pass/Fail? Is that the control owner or is that a compliance manager function?

Question #2 - OoB the indicator task remains open until when? The next run or until control owner closes? 

 

Thanks

 

Paula