04-07-2022 04:04 AM
According to the IRM training guide, Controls in the Draft, Retired or Not Applicable state are not included in the Control Objective Compliance Score Calculation.
However, possible states of Controls are: draft, attest, review, monitor, retired, so Not Applicable is not even a Control state.
In the Policy & Compliance Properties there are two properties that seem to be related:
- States for which the control is active (the first state is the default active state): draft, assess, review, monitor
- States for which control is inactive (the first state is the default inactive): retired
Note the "attest" state vs the "assess" state. And why do we need two properties; one should be enough?
However, in practice it seems to me that all controls, except for controls in the "retired" state, are used in the compliance score.
Can someone explain what the OoB behaviour we should see is, and what the P&C Properties do?
Thanks!
06-10-2022 06:53 AM
After talking to ServiceNow support about this question, here's the response:
- Business Rule: Manage active/Inactive for state change (/sys_script.do?sys_id=98d11482c3001200dd921a4112d3ae61) is triggered on Insert or Update of a Control record.
- It checks the state of the Control against the two properties:
  - States for which the control is active (the first state is the default active state): draft, assess, review, monitor
  - States for which control is inactive (the first state is the default inactive): retired
- ... it then sets the "Active" flag accordingly.
- Only Active controls are considered when calculating the compliance score. The compliance score calculation does not look at State.
- The property "States for which the control is active" contains the word "assess". This is incorrect and ServiceNow will fix this in a future release. This should be "attest".
- The sentence "the first state is the default active state" refers to scripts that activate or deactivate controls. E.g. when an entity becomes inactive, the related controls will become inactive as well, and the State of the control moves to the first state in "States for which control is inactive (the first state is the default inactive): retired" - in this case retired. And when a new control is created, it's created in the state draft, in this case: "States for which the control is active (the first state is the default active state): draft, assess, review, monitor".
- So, if, for example, you want draft to be an inactive state, make sure to add it after retired in the list: "States for which control is inactive (the first state is the default inactive): retired, draft". Otherwise, deactivating the entity would move the control to draft instead of retired.
Regards,
Michael
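As an added illustration (this is not ServiceNow's business rule code and not part of the thread), the following stand-alone JavaScript models the logic described in the answer above: the two property lists are parsed, a control's Active flag is set from its State, the first entry of each list acts as the default state, and the score counts only active controls. The property names, the sample control records and the score formula (percentage of active, applicable controls that are Compliant, with Not Applicable left out as the quoted guide says) are assumptions. The thread does not say what the out-of-the-box rule does when a state appears in neither list, so the model leaves the flag unchanged in that case; this is the situation the "assess" vs "attest" mismatch creates.

```javascript
// Added example: a model of the behaviour described in the accepted answer.
// NOT ServiceNow's business rule. Property names, sample records and the
// score formula are assumptions made for illustration.

// Property values as quoted in the thread (note "assess", which support
// confirmed should read "attest").
const OOB_PROPERTIES = {
  activeStates: 'draft, assess, review, monitor',
  inactiveStates: 'retired',
};

// A corrected configuration: "attest" instead of "assess", and draft moved
// to the inactive list AFTER retired so retired stays the default inactive state.
const CORRECTED_PROPERTIES = {
  activeStates: 'attest, review, monitor',
  inactiveStates: 'retired, draft',
};

// Split a comma-separated property value into normalised state names.
function parseStates(value) {
  return value.split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Active flag for a state: true if in the active list, false if in the
// inactive list, null if in neither (assumption: the thread does not say what
// the OOB rule does then, so the caller leaves the existing flag alone).
function activeFlagForState(state, props) {
  const s = state.trim().toLowerCase();
  if (parseStates(props.activeStates).includes(s)) return true;
  if (parseStates(props.inactiveStates).includes(s)) return false;
  return null;
}

// "The first state is the default": where a control goes when its entity is
// deactivated, and which state a new control is created in.
function defaultInactiveState(props) { return parseStates(props.inactiveStates)[0]; }
function defaultActiveState(props) { return parseStates(props.activeStates)[0]; }

// Insert/update handler, as the business rule is described: derive Active from State.
function onControlSaved(control, props) {
  const flag = activeFlagForState(control.state, props);
  if (flag !== null) control.active = flag;
  return control;
}

// Entity deactivation: related controls move to the default inactive state
// and the rule then marks them inactive.
function deactivateEntityControls(controls, props) {
  const target = defaultInactiveState(props);
  return controls.map(c => onControlSaved({ ...c, state: target }, props));
}

// Compliance score over active controls only; State is not consulted here.
// Formula assumed: percent of active, applicable controls that are Compliant.
function complianceScore(controls) {
  const considered = controls.filter(c => c.active && c.status !== 'Not Applicable');
  if (considered.length === 0) return null;
  const compliant = considered.filter(c => c.status === 'Compliant').length;
  return Math.round((100 * compliant) / considered.length);
}

// Constructed sample controls (statuses taken from the thread: Compliant,
// Non-Compliant, Not Applicable).
const SAMPLE_CONTROLS = [
  { name: 'CTRL-1', state: 'draft',   status: 'Non-Compliant' },
  { name: 'CTRL-2', state: 'attest',  status: 'Compliant' },
  { name: 'CTRL-3', state: 'monitor', status: 'Compliant' },
  { name: 'CTRL-4', state: 'monitor', status: 'Not Applicable' },
  { name: 'CTRL-5', state: 'retired', status: 'Non-Compliant' },
];

// Run the rule over the samples (assumed starting flag: active, since every
// control was created in draft) and score the result.
function scoreWith(props) {
  const saved = SAMPLE_CONTROLS.map(c => onControlSaved({ ...c, active: true }, props));
  return complianceScore(saved);
}

console.log('OOB properties      :', scoreWith(OOB_PROPERTIES));
console.log('Corrected properties:', scoreWith(CORRECTED_PROPERTIES));
console.log('Default inactive    :', defaultInactiveState(CORRECTED_PROPERTIES));
console.log('Default active      :', defaultActiveState(CORRECTED_PROPERTIES));
```

With the out-of-the-box lists the draft control counts towards the score and the "attest" control matches neither list, so the model leaves its flag untouched; with the corrected lists draft is inactive, "attest" is active, and the retired control is excluded either way. Listing `draft` before `retired` in the inactive property would make `draft` the default inactive state, which is exactly the ordering caveat in the answer.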
04-14-2022 11:04 AM
Hi Michael,
Not Applicable is not a state; it is actually a status. Every control has a state and a status. Here are the possible statuses for a control:
- Compliant
- Non-Compliant
- Not Applicable
Please mark my answer as ✅ Correct / Helpful based on the Impact.
04-30-2022 05:59 AM
Hi,
Yes, I'm aware of that... However, the Risk and Compliance Implementation - Orlando guide says on pg 153: "Draft, Retired, or Not Applicable are not included in the calculation", so that's inconsistent.
The real question is in which states are Controls actually included in the calculations? And is that answer influenced by the Policy and Compliance Properties?
05-01-2022 07:23 AM
I think what they meant is this: Controls that are in the Draft state or the Retired state, or that have a status of Not Applicable, are not included in this calculation.
Please mark my answer as ✅ Correct / Helpful based on the Impact.