How is it possible to assign different weights to different control attestation answers?

Valerio M_
Tera Contributor

Hello, 

The final goal of my question is the compliance score % in policy statements.

In my understanding and implementation in ServiceNow, every policy statement is evaluated through the attested controls related to the statement. For example, if the policy says: "you have to completely open the door in order to get in the car", the control will ask "Have you completely opened the door?".

In this very dummy scenario, the answer options will be "yes, 75%, 50%, 25%, no". In this case, I'd assign a weight of 1 for the answer yes, 0.75, 0.5, 0.25, and 0 for no. In order to do that, I've created a custom assessment metric type using the attestation designer. In detail: 1 metric category (weight: 10, order 100, metric: 1 > method: assessment, weight 100, min 0 max 1, scale definition high, field type likert 5 with 5 values from 5 to 1).

Given that, in the metric configuration, you should insert the correct answer to assign the scored value (1-5). In this case, only one answer will be assigned the associated value (e.g. I configure "yes" as the correct answer > one interviewee clicks "50%" > result: status non-compliant, 0 as score).

How can I take into account all the different weighted values associated with the different answers? Can I use the compliance module for that?

Thanks in advance


Shiva Thomas
Kilo Sage

Hi Valerio,

I don't think that's possible under the current version of the Assessment engine. The engine is set to return a binary result of "compliant/non-compliant", as the Control's Status is a binary answer. Since the Control's status is binary, Attestations will also return a "compliant/non-compliant" binary answer.

Individual Policy Statements, and the related Controls, may have different weights. Those relative weights will be used for the Risk calculation. The calculated risk scores (ALE, Risk factor, Score) are based on the aggregated compliance of the individually weighted controls. The Risk's Control compliance is a percentage.

Here are some architectural designs you could use...

  • Consider that any Attestation with a less than 100% answer is not compliant at all. Then configure scripted automation (business rule or workflow) to trigger the creation of Issue tasks, from Risks, if the "Control compliance" value is less than 75%.
  • You may also consider triggering Issue tasks at the Control level. A workflow triggered on Assessment completion may generate Issues linked to the control if you use a specific Assessment Template and some specific metric question matches your criteria. The drawback is that if a Compliance Manager edits the template, your automation script may break.
  • Consider bypassing the Attestation engine, and simplify the process for controls where a single question/answer is required. Refer to my answer in that thread.
  • I don't recommend trying to bypass the "binary" side of the Control's Status/Attestations. It would require bypassing the Risk assessment engine, which represents hundreds of lines of code, if not thousands. Doing such customization may involve high maintenance cost in the future.


Best regards from Switzerland
Shiva :¬,

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.
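One way to compute the weighted score the question asks for, and to apply the threshold rule from the reply above, outside the Assessment engine. This is an added example in plain JavaScript, not ServiceNow's scripting API or any code from the thread; the control names, control weights and the 75% threshold default are constructed for illustration.

```javascript
// Likert value (5..1) -> weight, as laid out in the question:
// yes = 1, 75% = 0.75, 50% = 0.5, 25% = 0.25, no = 0.
const ANSWER_WEIGHTS = { 5: 1.0, 4: 0.75, 3: 0.5, 2: 0.25, 1: 0.0 };

// Constructed sample: one policy statement with three attested controls.
// "weight" is the control's relative weight within the statement,
// "answer" is the Likert value the respondent selected.
const SAMPLE_CONTROLS = [
  { name: "door fully opened", weight: 2, answer: 4 }, // 75%
  { name: "seatbelt fastened", weight: 1, answer: 5 }, // yes
  { name: "mirrors adjusted",  weight: 1, answer: 3 }, // 50%
];

// Weighted compliance percentage (0..100) for a policy statement:
// sum(control weight * answer weight) / sum(control weight).
function complianceScore(controls) {
  let totalWeight = 0;
  let earned = 0;
  for (const c of controls) {
    if (!(c.answer in ANSWER_WEIGHTS)) {
      throw new Error(`unknown answer ${c.answer} for control "${c.name}"`);
    }
    totalWeight += c.weight;
    earned += c.weight * ANSWER_WEIGHTS[c.answer];
  }
  if (totalWeight === 0) return 0;
  return Math.round((earned / totalWeight) * 10000) / 100;
}

// Rule from the reply: any answer below "yes" leaves that control's binary
// status non-compliant, and an Issue is raised when the statement's weighted
// compliance falls below the threshold (75% in the reply).
function evaluateStatement(controls, threshold = 75) {
  const score = complianceScore(controls);
  return {
    score,
    nonCompliantControls: controls
      .filter((c) => ANSWER_WEIGHTS[c.answer] < 1)
      .map((c) => c.name),
    raiseIssue: score < threshold,
  };
}
```

With the sample above the weighted score lands exactly on 75%, so no Issue is raised even though two of the three controls are individually non-compliant; that gap between the binary control status and the weighted percentage is what the thread is about.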


Jorge G_
ServiceNow Employee

As Shiva stated, the Control Status is a binary answer and any in-between values aren't really allowed. However, another option to Shiva's is using Indicators to solve this use case.

Typically indicators are used to monitor a control and not as a formal attestation of a control. Using a variant of your example, the control may state that "the door needs to be completely closed to avoid burglars". An indicator can check on it on a daily basis, returning answers like yours such as "closed, 75% closed, 50% closed, 25% closed, not closed". Based on those responses, you can then have an attestation on a quarterly basis that asks "is the door closed and preventing burglars?". At that time, the response has to be binary, but the respondent can leverage the indicator data to determine the actual response based on what has been collected over time and not just on that specific day.

Thank you Jorge! That's another useful suggestion. ^_^

Indicators can be scripted tasks (example: count how many computers with vulnerable software are in the CMDB; the correct answer should be zero) or manual tasks (example: please check that the sealed envelope with the Domain Admin password is still in the safe). I wrote a detailed description here: GRC Indicators

This thread may be relevant should you decide to investigate this approach: I need to assign an Indicator Task to a different assignee than the Control Owner


Best regards from Switzerland
Shiva :¬,


Hi Jorge,

Thanks for your workaround. Very helpful!

Using the "indicators way", is it possible to have dynamic changes on the compliance level? 

In my understanding, I should check the indicator responses in order to change the compliance % in the overview dashboard. Moreover, I should create 5 indicators for a single control, which means that the owner has to answer two different forms (control + indicator).

Am I right with these assumptions?

Thanks in advance