How to avoid incorrect compliance scores?

per ahlstrom

Hi there, 

I wonder how the rest of you have solved this challenge...? 

We have several legislations to follow (authority documents). We are also following ISO 27002. The citations from the authority documents are mainly relevant for the entity type applications.

However, the different legislations are only applicable to a small percentage of all applications we use. For instance, the national security act is applicable to some applications. GDPR is applicable to many but not all applications. The European Union's NIS-directive applies to some applications.

All legislations and standards share some common controls, for instance taking backups. Therefore we create a control objective stating that backups shall be taken for all applications, and link citations from the authority documents to this control objective.

However, this makes the compliance score quite useless, as all citations get the same compliance score. The problem is that a citation may be relevant for only a handful of applications, but the compliance score is calculated on attestations for all applications.

I hope I've made the challenge somewhat understandable, and that someone has found a way of avoiding having to create identical control objectives that apply to different entities of the same entity type.

Thanks for any advice! 


Rajesh_Singh

@per ahlstrom 

Based on your description, it seems like you're trying to manage compliance requirements from multiple legislations and standards across various applications, but encountering challenges with the compliance score calculation in ServiceNow GRC. Here are a few suggestions to help you better manage the compliance requirements and improve the accuracy of the compliance score.

  1. Leverage Inheritance Groups: Inheritance groups in ServiceNow GRC allow you to bundle control objectives and policies that are applicable to a group of entities (in your case, applications). By creating inheritance groups for applications subject to specific legislations or standards, you can assign control objectives only to those applications that fall under the respective groups.

  2. Use Application Scope: Instead of creating control objectives that apply to all applications, you can create control objectives that apply to specific applications based on their scope. This will help you better manage the control objectives and their applicability, resulting in more accurate compliance scores.

  3. Enhance Compliance Score Calculation: Customize the compliance score calculation to take into account the relevance of a citation to an application. You can achieve this by adding weightage factors to the citations based on the number of applications they apply to. This will help you differentiate between citations that apply to a small number of applications and those that apply to a larger number of applications, giving you a more accurate compliance score.

  4. Utilize Risk-based Compliance: Consider adopting a risk-based approach to compliance management. This involves prioritizing your control objectives and citations based on their impact on your organization's overall risk posture. By focusing on high-risk areas and allocating resources accordingly, you can improve the effectiveness of your compliance management efforts.

  5. Review and Update Control Objectives Periodically: Regularly review and update your control objectives to ensure that they remain relevant and effective. This includes updating citations and control objectives based on changes in legislations, standards, and your organization's risk landscape.

If you found my response helpful or applicable, please consider marking it as correct or helpful to assist others who may be seeking the same information.

---------------
Regards,
Rajesh Singh
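To make the scoring problem from the question and the scoping/weighting ideas from the reply concrete, here is an added example in Python. It is not ServiceNow code and does not reproduce the platform's real compliance-score formula; it assumes a simplified model in which a score is the fraction of "compliant" attestations among the applications that are counted. The application names, the per-citation scopes and the attestation results are constructed sample data, and the "weighted objective score" is one possible reading of the reply's weightage suggestion, not a documented feature.

```python
"""Simplified model of per-citation compliance scoring.

Added example: not ServiceNow code and not its real scoring formula.
Assumed model: a score is the fraction of 'compliant' attestations among
the applications considered. All sample data below is constructed.
"""

# Constructed sample data: hypothetical application (entity) names.
ENTITIES = ["app-billing", "app-hr", "app-crm", "app-intranet"]

# Which applications each citation of the shared "take backups" control
# objective applies to. Assumed scoping for illustration only.
CITATION_SCOPE = {
    "NationalSecurityAct-backup": {"app-billing"},
    "GDPR-backup": {"app-billing", "app-hr", "app-crm"},
    "NIS-backup": {"app-billing", "app-crm"},
    "ISO27002-backup": set(ENTITIES),
    "Orphan-backup": set(),  # linked citation with no application in scope
}

# Latest attestation result per application for the shared control objective.
ATTESTATIONS = {
    "app-billing": "compliant",
    "app-hr": "compliant",
    "app-crm": "non_compliant",
    "app-intranet": "non_compliant",
}


def _fraction_compliant(results):
    """Fraction of 'compliant' results; None when there is nothing to score."""
    if not results:
        return None
    return sum(1 for r in results if r == "compliant") / len(results)


def naive_score(attestations):
    """The behaviour the question describes: every citation linked to the
    control objective inherits one score computed over *all* applications."""
    return _fraction_compliant(list(attestations.values()))


def scoped_score(citation, attestations, scope=CITATION_SCOPE):
    """Score a citation only over the applications it applies to.

    A citation with no in-scope application yields None ("not applicable")
    rather than 0.0, so it neither drags down nor inflates a report.
    """
    in_scope = [r for entity, r in attestations.items() if entity in scope[citation]]
    return _fraction_compliant(in_scope)


def all_scoped_scores(attestations, scope=CITATION_SCOPE):
    """Per-citation scores for every citation in the scope table."""
    return {c: scoped_score(c, attestations, scope) for c in scope}


def weighted_objective_score(attestations, scope=CITATION_SCOPE):
    """One reading of the reply's 'weightage' idea: roll per-citation scores
    back up to the control objective, weighting each citation by the number
    of applications it covers. Not-applicable citations carry no weight."""
    weighted_sum = 0.0
    total_weight = 0
    for citation, entities in scope.items():
        s = scoped_score(citation, attestations, scope)
        if s is None:
            continue
        weighted_sum += s * len(entities)
        total_weight += len(entities)
    return weighted_sum / total_weight if total_weight else None


if __name__ == "__main__":
    print("naive score (identical for every citation):", naive_score(ATTESTATIONS))
    for citation, s in all_scoped_scores(ATTESTATIONS).items():
        print(f"{citation:28s} -> {'n/a' if s is None else f'{s:.2f}'}")
    print("weighted objective score:", weighted_objective_score(ATTESTATIONS))
```

With the constructed data, the naive calculation reports 0.50 for every citation, while scoping gives 1.00 for the national security act (its single in-scope application is compliant), 0.67 for GDPR, 0.50 for NIS and ISO 27002, and "n/a" for the orphan citation. The point for a GRC design is that the scope (which entities a citation actually governs) has to be attached to the citation or to an inheritance group, not only to the shared control objective, otherwise every citation collapses to the same number.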