In what states is control compliancy state determined?

Michael Oosten1
Tera Expert

According to the IRM training guide Controls in the Draft, Retired or Not Applicable state are not included in the Control Objective Compliance Score Calculation.

However, possible states of Controls are: draft, attest, review, monitor, retired, so Not Applicable is not even a Control state.

In the Policy & Compliance Properties there are two properties that seem to be related:
- States for which the control is active (the first state is the default active state): draft, assess, review, monitor
- States for which control is inactive (the first state is the default inactive): retired

Note the "attest" state vs the "assess" state. And why do we need two properties? One should be enough.

However, in practice it seems to me that all controls, except for controls in "retired" state are used in compliance score.

Can someone explain what the OoB behaviour is that we should see, and what the P&C Properties do?

Thanks!

1 ACCEPTED SOLUTION

Michael Oosten1
Tera Expert

After talking to ServiceNow support about this question, here's the response:

  • Business Rule: Manage active/Inactive for state change (/sys_script.do?sys_id=98d11482c3001200dd921a4112d3ae61) is triggered on Insert or Update of a Control record
  • It checks the state of the Control against the two properties:
    • States for which the control is active (the first state is the default active state): draft, assess, review, monitor
    • States for which control is inactive (the first state is the default inactive): retired
  • ... it then sets the "Active" flag accordingly.
  • Only Active controls are considered when calculating the compliance score. The compliance score calculation does not look at State.
  • The property "States for which the control is active" contains the word "assess". This is incorrect and ServiceNow will fix this in a future release. This should be "attest".
  • The sentence "the first state is the default active state" refers to scripts that activate or deactivate controls. E.g. when an entity becomes inactive, the related controls will become inactive as well, and the State of the control moves to the first state in "States for which control is inactive (the first state is the default inactive): retired" - in this case retired. And when a new control is created, it's created in the state draft, in this case: "States for which the control is active (the first state is the default active state): draft, assess, review, monitor".
  • So, if, for example, you want draft to be an inactive state, make sure to add it after retired in the list: "States for which control is inactive (the first state is the default inactive): retired, draft". Otherwise, deactivating the entity would move the control to draft instead of retired.

Regards,
Michael
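The behaviour described in the support response, modelled as an added example in plain JavaScript. This is not the code of ServiceNow's "Manage active/Inactive for state change" business rule (its implementation is not shown in this thread); it only reproduces the logic the response describes, using plain strings in place of gs.getProperty() and GlideRecord so it runs outside the platform. The property values and the control records are constructed from the text above; returning null for a state that appears in neither list, and the auditProperties() check, are my assumptions, not documented platform behaviour.

```javascript
// Added illustration of the logic in the support response above; not ServiceNow's
// own business rule. Plain JavaScript instead of gs.getProperty()/GlideRecord.

// Constructed property values copied from the out-of-box text quoted in the thread.
// Note the OOB typo: the list says "assess" but the real control state is "attest".
const OOB_PROPERTIES = {
  activeStates: 'draft, assess, review, monitor',
  inactiveStates: 'retired',
};

// The control states the question lists as the ones that actually exist.
const CONTROL_STATES = ['draft', 'attest', 'review', 'monitor', 'retired'];

// Split a comma-separated property value into normalised state names.
function parseStateList(value) {
  return String(value)
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter((s) => s.length > 0);
}

// What the business rule does on insert/update: derive the Active flag from the
// control's State. Returns null when the state is in neither list (assumption:
// the thread does not say what the real rule does in that case).
function resolveActiveFlag(state, props) {
  const active = parseStateList(props.activeStates);
  const inactive = parseStateList(props.inactiveStates);
  const s = String(state).trim().toLowerCase();
  if (active.includes(s)) return true;
  if (inactive.includes(s)) return false;
  return null;
}

// "The first state is the default": the state a control is moved to when a
// script activates or deactivates it (for example when its entity goes inactive).
function defaultState(props, activate) {
  const list = parseStateList(activate ? props.activeStates : props.inactiveStates);
  return list.length > 0 ? list[0] : null;
}

// Only Active controls count towards the compliance score; State is not consulted.
function controlsInComplianceScore(controls) {
  return controls.filter((c) => c.active === true);
}

// Simulate an entity becoming inactive: each related control is moved to the
// default inactive state and its Active flag is recomputed by the rule.
function deactivateEntityControls(controls, props) {
  return controls.map((c) => {
    const state = defaultState(props, false);
    return { ...c, state, active: resolveActiveFlag(state, props) };
  });
}

// Configuration audit (my addition): states listed in both properties, listed
// states that are not real control states (the "assess" typo), and real control
// states covered by neither list (so the rule would never set their flag).
function auditProperties(props, knownStates) {
  const active = parseStateList(props.activeStates);
  const inactive = parseStateList(props.inactiveStates);
  const overlap = active.filter((s) => inactive.includes(s));
  const unknown = [...active, ...inactive].filter((s) => !knownStates.includes(s));
  const uncovered = knownStates.filter((s) => !active.includes(s) && !inactive.includes(s));
  return { overlap, unknown, uncovered };
}

// Constructed sample controls and the "retired, draft" ordering from the thread.
const SAMPLE_CONTROLS = [
  { name: 'CTRL-1', state: 'monitor', active: true },
  { name: 'CTRL-2', state: 'retired', active: false },
];
const DRAFT_INACTIVE_PROPERTIES = {
  activeStates: 'attest, review, monitor',
  inactiveStates: 'retired, draft', // draft AFTER retired, so retired stays the default
};

console.log(auditProperties(OOB_PROPERTIES, CONTROL_STATES));
console.log(controlsInComplianceScore(SAMPLE_CONTROLS).map((c) => c.name));
console.log(deactivateEntityControls(SAMPLE_CONTROLS, DRAFT_INACTIVE_PROPERTIES));
```

Running auditProperties() against the out-of-box values reports "assess" as an unknown state and "attest" as uncovered, which is exactly the mismatch the thread complains about. Swapping the order of the inactive list to "draft, retired" makes defaultState() return "draft", which is the pitfall the last bullet of the response warns about.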


Ahmed Drar
Tera Guru

Hi Michael,

Not Applicable is not a state, it is actually a status. Every control has a state and a status. Here are the possible statuses for a control:

  • Compliant
  • Non-Compliant
  • Not Applicable

Please mark my answer as Correct / Helpful based on the Impact.

Michael Oosten1
Tera Expert

Hi,

Yes, I'm aware of that... However, the Risk and Compliance Implementation - Orlando guide says on pg 153: "Draft, Retired, or Not Applicable are not included in the calculation", so that's inconsistent.


The real question is in which states are Controls actually included in the calculations? And is that answer influenced by the Policy and Compliance Properties?

I think what they meant is this: Controls that are in Draft state or Retired state, or that have a status of Not Applicable, are not included in this calculation.

