06-06-2019 07:07 AM
Does each policy statement have an indicator template? Also when the indicators are generated, what would be the next step?
06-07-2019 10:38 AM
Indicator templates are applied to policy statements, and the indicators are associated with the controls generated from the respective policy statements.
Indicator templates are used when you have data collected in SNOW tables or through manual tasks assigned to a user that would determine control compliance.
Controls are used to determine the compliance status of a policy statement by means of attestation or indicators.
Once the controls are generated, the compliance manager or GRC admin defines the control attributes (fields) and hence the owning group as well. I couldn't find any functionality around "Owning group" except that it's used to define which group would be owning the control. The context for owning group or owner is: OOB, the control owner is the user who is responsible for sharing the necessary evidence or attestation, or performing tasks to ensure control compliance. For example, if there is a control for a BGV check for a newly onboarded employee, an HR executive would be the control owner and the HR group would be the owning group.
Based on the attestation values, the control moves to a compliant state or remains in a non-compliant state. If it's in a non-compliant state, indicator tasks that could ensure the control compliance could be created and make the control compliant. This happens in the "Review" state of the control.
OOB, the frequency of a control is set at profile level through a scheduled job. However, you could tweak it to set the control frequency at control level. Controls which are not in "Draft" and "Attest" could be periodically defined to move to the "Attest" state. For example, for the same BGV control, you could set the frequency as "Monthly" through a scheduled job and check the compliance status through attestation or indicators.
Hope this helps.
06-06-2019 07:21 AM
Each Policy Statement has its own Indicator Template, if one is appropriate. I've found that the majority of controls lack the corresponding data in ServiceNow (at least initially), for most of my clients, to run indicators against. If you have the data to make an indicator useful, after the Control is created, you can add the indicator to the control using the template, and then customize the indicator if necessary.
06-06-2019 07:36 AM
I'm new to GRC, please excuse my ignorance but does it mean that the indicators are optional?
If there is no data for the controls, what do I need to do?
What happens when I add the indicator template to the control?
06-06-2019 09:32 AM
Yes, indicators are optional. And one could also use manual indicators if required, which means that there is no need to wait to get populated in SNOW platform to define and leverage automated indicators.
Please share your business case as well if you have any other questions, because indicators could be defined for control as well as risk.
06-07-2019 02:20 AM
Balaji,
Thanks for enlightening me, that was very useful.
So in what scenarios do we need to add an indicator template, and what are the benefits of adding one? What happens if we don't use one?
Once controls are generated, what happens next? Who chooses the owning group within the Control (please see the screenshot)?
I'm still trying to understand at the moment, I'll share my business case once I get a clear understanding on this.
Thanks