Issue triage record producer and UI script - guidance on how to configure

dheerajg

This question relates to how we can configure the ‘report risk issue’ record producer and the subsequent issue triage functionality that needs to be performed by Risk Managers/SMEs.

 

OOTB context

  • The 'Report Issue' record producer form has a list of choices that exist OOTB for the 'issue_type' field. These choices have corresponding values (integers) that map to the 'Classification' field in the issue triage [sn_grc_advanced_triage] table. 
  • ServiceNow has defined a Client Script that modifies fields in the issue triage table when the issue type is changed (e.g. by the Risk Manager performing the triage). The script enforces certain fields to be completed and hides others that are not necessary based on specific conditions. For example:
    • All issues that are classified as 'Risk' require a Risk Statement/Risk to be linked. This field is only displayed when the source type is classified as a risk issue.
    • All issues that are classified as 'Compliance' require an Entity/Control Objective/Control to be linked. Specifically, if the option selected is:
      • Non-compliance to a regulation, it enforces an Authority Document to be linked.
      • Non-compliance to a policy, it enforces a Policy to be linked.

These fields are only displayed when the source type is classified as a Compliance Issue.

 

Requirements

  • There are new 'issue_type' choices that need to be defined. 
  • When the issue was being triaged and the user attempted to change the issue type, the Client Script is still referring to the original OOTB issue type. Therefore, unless 1 specific issue type ('Other') was being selected, the record producer script was always classifying it as a ‘Compliance’ issue. However, the client script (which still references the OOTB issue type fields that are disabled) is providing all the dropdown options in the ‘Results’ field (including the ability to 'confirm as a new risk issue' even though the Risk/Risk Statements field was disabled). 
  • Therefore, when 'confirmed as a new risk issue' was being selected, it kept enforcing a Risk Statement to be added (but the field was hidden by the Client Script).

I am keen to understand best practice on how to proceed. Should the client script be modified when there are new issue types?
