Understanding Compliance Score in ServiceNow GRC

In ServiceNow GRC, the Compliance Score provides insights into how well the organization is adhering to defined control objectives and how those controls are being enforced across various entities (like Windows Servers). This article walks through a step-by-step example to help understand how these scores are calculated and interpreted.

Step-by-Step Example

1. Create an Entity Class

• Create a new Entity Class: Windows Servers.
  
  

  

   

2. Define the Entity Type

• Create an Entity Type named Windows Servers.

• Add an Entity Filter with the table: cmdb_ci_win_server, along with an appropriate condition to filter relevant CI records.

3. Initial Compliance Score

• At this point, the Compliance Score for the Entity Type is 0%, as no control objectives or assessments have been added yet.

• Click Update Entities from Filters, to create associated Entities.

4. Add Control Objectives

• Add two Control Objectives. 

  • Ensure Security Patches Are Applied Within 7 Days of Release
  • Enforce Password Expiry Every 30 Days

  Their initial Compliance Score is also 0% since no controls have been assessed.

Control Objective Example 1: Ensure Security Patches Are Applied Within 7 Days

5. Control State Changes

• Open the Control Objective: Ensure Security Patches Are Applied Within 7 Days of Release.

• From the Related List, move four associated Controls to the Attest state.

   

   

6. GRC Task Updates

• In GRC Tasks, mark:

  First three controls as Compliant 

• Fourth control as Non-Compliant
  
  

  

7. Compliance Score Calculation – Control Objective

• Return to the Control Objective. The Compliance Score is now updated to 75%.

Formula:
(Compliant + Non-Compliant) / (Total Controls excluding Draft)
= (10 + 10 + 10 + 0) / 40 = 75%

8. Impact on Entity Type Compliance Score

• The Windows Servers Entity Type now also shows a 75% Compliance Score.

⚠️It's important to note that the Control Objective Compliance Score and the Entity Type Compliance Score are calculated differently.

How Entity Type Compliance Score is Calculated

• The score is based on how many Controls associated with each entity have met the conditions.

• Example breakdown:

  • 1st, 2nd, and 3rd Entities: Controls are Compliant → 100%

  • 4th Entity: Control is Non-Compliant → 0%

    

     

     

     

Formula:

(Compliant score of Entities) / (Total compliance Score [Excluding Draft Controls on Entities])
(100 + 100 + 100 + 0) / (100 + 100 + 100 + 100) = 75%

Control Objective Example 2: Enforce Password Expiry Every 30 Days

9. Additional Control State Changes

• Move two Controls to Attest state.

• From GRC Tasks, mark both as Non-Compliant.

   

  

   

10. Compliance Score – Control Objective

• Compliance Score remains 0%.

Calculation:
(0 + 0) / 20 = 0%

11. Updated Entity Type Score

• The Windows Servers Entity Type score drops to 50% after accounting for both Control Objectives.

   

   

Entity breakdown:

• 1st & 2nd Entities: One control Compliant out of two → 50%

• 3rd Entity: One control Compliant, one in Draft → 100%

• 4th Entity: One Control is Non - Compliant, one in Draft →0%

Formula:
(50 + 50 + 100 + 0) / 400 = 50%

Summary

• Control Objective Compliance Score: Measures how well a single rule is being Compliant across associated Entities.

• Entity Type Compliance Score: Reflects how many rules (Control Objectives) are being Compliant for the associated Entity type.

If the above information helps you, Kindly mark it as Helpful.
Regards,
Najmuddin.