
05-22-2019 12:17 PM
Has anyone found a way to import or add HITRUST and associated controls and citations to the ServiceNow GRC environment?
Thank you.
Labels: Policy and Compliance Management

05-29-2019 05:29 AM
HITRUST is not available from UCF. However, you can leverage some of the transform maps from the UCF integration to import the HITRUST Authority Doc and Citations. Copy the transform maps and edit them to work with the HITRUST data. This will give you at least a starting point and let you see what fields get imported when using UCF. You probably won't be able to use the last one, the Citation to Control, because that is a unique feature offered by UCF.
Note that the one called Default Control Transform imports data into the Policy Statement table. In UCF, what they call "Control" we call "Policy Statement" (aka Control Objective, Control Template, or Requirement - there doesn't seem to be an industry standard on what to call this). I also am not familiar with HITRUST to know if they break their citations down into controls or not.
03-16-2023 09:31 PM
Any 2023 updates on this inquiry?
05-22-2024 11:42 AM
Hi @kurtiskeling, have you found any info on how to incorporate HITRUST reqs.? I am in the process of defining a process. It all depends on what your organization wants to measure. I started in a test environment, setting up the citations as the HITRUST reqs., then manually mapped them to our policies. What I noticed is that the Attestations will be on the Control Objectives that are mapped to those citations. So you will encounter multiple control objectives for ONE citation. So, if you are planning to set up an Attestation specific to the Citation, with no mapping to multiple control objectives, then I suggest putting that Citation as a Control Objective instead so you can send the Attestation to the control owners. Just draw your workflow and analyze the results, especially how dashboards will display the data and how the Issues will be created if the control owner fails the attestations. Key point: you cannot create an Attestation from a Citation; it has to be from a Control Objective record. Unless your relation is 1 Citation to 1 control objective and not 1 Citation to many control objectives.