How is the GRC issue related to GRC indicators

G Balaji
Kilo Guru

Hello,

What is the relationship between issue and indicator in GRC?

Thanks.

 

1 ACCEPTED SOLUTION

Shiva Thomas
Kilo Sage

Hi Balaji,

Indicator: A metric used to collect data to monitor controls and risks, and collect audit evidence.
Note that Indicators are not weighted, unlike Controls. When looking at their impact on a Control or Risk they will all be considered equally.
Indicator Templates can be created for Policy Statements (aka Control templates) or Risk Statements (aka Risk templates) to automatically create Indicators for related Controls and Risks.

Issue: Any potential problem linked to a GRC record (Profiles, Policy Statements, Risk Statements, Controls, or Risks). This allows for the follow-up of analysis, decisions, and possible remediation tasks. Open issues are considered a risk and compliance threat until they are closed.

Issue lifecycle:
Issues are assigned and Analysed to identify causes and add additional information.
A Response is requested to make the decision to remediate or accept the Issue.
Once the issue has been remediated or accepted, it can be Reviewed by managers.

Issue creation triggers:

  • Indicator Results: if a result indicates Failed or Not Passed. This is where issues and indicators interact.
  • Attestations: if a Control Attestation returns the result Not Implemented.
  • Control Tests: if Control effectiveness is Ineffective and the state of the test is Closed Complete.
  • Manual: Issues can be manually created by any manager or admin role as well as by audit users.
  • Continuous Monitoring may programmatically create Issues based on Configuration Test scanning results.

Example:
As per NIST recommendation, a Policy Statement specifies that passwords should be updated at least every 3 months, with technical controls to enforce this.
An automated indicator checks the last update date of every administrator account in the domain. If the Indicator fails, the Control is set automatically as "Non-Compliant", an Issue is created and assigned automatically for investigation, and the related calculated Risks are automatically increased until the Issue is closed.


Best regards from Switzerland
Shiva, ServiceNow Architect and GRC specialist

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.
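The indicator-to-control-to-issue-to-risk flow from the password example above, modelled in plain JavaScript as an added illustration. This is constructed code, not the ServiceNow GRC API or its table names; the 90-day threshold, the account records and the risk scores are assumed values.

```javascript
// Constructed model of the GRC flow described in the answer above:
// Indicator result -> Control state -> Issue creation -> calculated Risk.
// Not ServiceNow code; field names and scores are illustrative.
const MAX_PASSWORD_AGE_DAYS = 90;           // "at least every 3 months"
const DAY_MS = 24 * 60 * 60 * 1000;

// Indicator: checks the last password update of every admin account.
// Every account result counts equally (indicators are not weighted).
function passwordAgeIndicator(accounts, now) {
  const failing = accounts.filter(
    a => (now - a.passwordUpdated) > MAX_PASSWORD_AGE_DAYS * DAY_MS);
  return {
    result: failing.length === 0 ? "Passed" : "Failed",
    failing: failing.map(a => a.name),
  };
}

// Control state and calculated risk for one control, plus its issue list.
function createState(baseRisk = 3) {
  return { controlState: "Compliant", riskScore: baseRisk, baseRisk, issues: [] };
}

function hasOpenIssue(state) {
  return state.issues.some(i => i.state !== "Closed");
}

// Apply an indicator result: Failed / Not Passed marks the control
// Non-Compliant and opens an issue, but only if none is already open
// (a second failure while an issue is open does not spawn another one).
function applyIndicatorResult(state, result) {
  if (result.result === "Failed" || result.result === "Not Passed") {
    state.controlState = "Non-Compliant";
    if (!hasOpenIssue(state)) {
      state.issues.push({ state: "Analyse", accounts: result.failing,
                          assignedTo: "grc_analyst" });
    }
  } else {
    state.controlState = "Compliant";
  }
  // Risk stays elevated while any issue is open, whatever the latest result.
  state.riskScore = hasOpenIssue(state) ? state.baseRisk + 2 : state.baseRisk;
  return state;
}

function closeIssue(state, index) {
  state.issues[index].state = "Closed";
  return state;
}
```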


Raj68
Mega Guru

Hi Balaji,

Go through the link below; hope it will help you:

https://www.servicenowelite.com/blog/2016/8/5/grc

NOTE: Mark correct or helpful if it helps you.

Warm Regards,

Raj Patel

 


Hi Shiva,

I am trying to access a field value on 'Indicator Template Form' from 'Issue Form'.

Is there a way I could access the values of the Indicator template on the Issue Form? I would like to see them on the Issue Form.

I would not like to make changes to Script Include that creates or Updates Issues.

 

Thanks,

Lavanya

Abhi26
Kilo Explorer

Hi Shiva Thomas,

The indicator failed, but an issue was not created for the failures as expected. It looks like the indicators will not create a new issue until existing open issues are closed. Can I generate a new Issue whenever a Control Indicator fails?

Thanks