GRC Policy and Compliance Control frequency-Event Driven working principle

G Balaji
Kilo Guru

Hello,

 

What is the working principle, or what is the impact, of the choice value "Event Driven" associated with the Frequency field in the control form (sn_compliance_control) table?

This is part of Policy and Compliance module.

 

Thanks.

5 REPLIES

Shiva Thomas
Kilo Sage

Hi Balaji,

Out of the box the Frequency field is informative only. There is no automation to have controls automatically assessed based on that field.

I believe ServiceNow was not able to implement such a feature because there is too much divergence in how each company manages its controls.
Adding automation of the controls assessment for a specific customer would be an obvious customization to do.
Using the existing Frequency field would be a nice element to use for configuration of the automation.

The “Event Driven” choice would be for any non-regular life cycle.
Some examples would be a control that is re-assessed every time a Security Officer is hired, after merging legal entities, after a fire, after receiving a threat, or at every leap year. Typically, in such cases, the workflow to trigger the re-assessment of the controls would be manual.

I hope this helps!


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful.
This enables other customers to learn from this thread.

G Balaji
Kilo Guru

Hi Shiva,

Thanks for your response.

Yes, there is no OOB functionality available for control frequency. However, we override the scheduled job running on the Frequency field in the profile table, named "Control attestations nightly run", to run it based on the frequency field in the control.

Like you've stated, "Event Driven" would be for any non-regular life cycle which involves manual intervention. However, we came across a scenario where the control frequency was set as "Event Driven" but the system automatically moved the control to the "Attest" state from the "Review" state. We couldn't reason out the cause of this change.

Would there be any other trigger for this to happen?

Regards

Balaji 

Hello Balaji,

If your Control (or Policy Statement) is linked to an Assessment, that could be your issue.

When the control enters the "Attest" state, Assessment instances are generated for each Assessment Recipient.

When the Assessment Recipient completes the assessment, the Control goes automatically from "Attest" to "Review".
The goal is for the Control's owner to review the answers and have a chance to react based on the content.
Once everything is fine, the Owner is expected to move the Control to "Monitor" manually.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful.
This enables other customers to learn from this thread.

G Balaji
Kilo Guru

Thanks for your response, Shiva.

The scenario is that the control moved to the "Assess" state while it was in the "Review" state.

And what would be the intended purpose of the "Monitor" state? So far, I have had trouble drawing the practical line between the "Review" and "Monitor" states.

 

Regards,

Balaji