My control is exempt - should an issue be created?
3 weeks ago
I have an exempt control through an active Policy Exception.
So, I know that my Control should remain in a compliant state if a scripted control indicator fails.
I run my scripted indicator which fails.
My control remains compliant, so that's great 🙂
However, an Issue is still created from the indicator failure, and the issue is in the NEW state - therefore requiring work and attention from the issue management team.
Isn't this a mismatch?
Is this OOB behavior?
I would like to suppress Issue creation when the control is exempt.
Please can you help with your advice/experience on this subject?
Colin.
- Labels: Policy and Compliance Management
3 weeks ago
I agree with your point "you don't need to customize any of the scripts and create a more upgrade safe way of handling your requirement".
A few more clarifications to understand ServiceNow's thought process behind the design:
1. If a control is exempted, that in itself means a problem already exists, but we have accepted it with an exception, so I don't see any point in running the indicator and creating an issue against it. For the same reason, control assessments are also cancelled when a control is exempted.
2. Is there any reason why ServiceNow allows indicators to run on controls in any state? What is the point in running a control which is in draft state?
3 weeks ago
Just because a control is exempt doesn't mean you don't want automated assurance to run. For example, the assurance team can require automated assurance to continue to run on exempt controls so that when they do control testing the indicator data is available for their testing. Additionally, having the indicator run and close the issues when the problem has been rectified can help teams validate remediation of the issues while the control is exempt.
This is the same for draft controls: controls can be prescribed to teams and systems that second line teams enforce monitoring of. This is why they run in draft and exempt status, as it is often needed for second line teams to continue to monitor and for 1st line teams to confirm when the issue is rectified.
Control attestations are cancelled when a control is exempt or moves to draft, as they are entirely a first line activity, whereas indicators can be from any of the three lines of defence, and just because the 1st line team has received a temporary exemption doesn't mean you want to stop monitoring the control.
3 weeks ago
Got it, Thanks @Connor Levien
3 weeks ago
Hi Connor, Rakesh,
Thanks again for your input.
I'm reading a few conflicting opinions:
- automated assurance (indicators) should still run when a control is exempt (I agree with this)
- a flow should be configured to deactivate indicators for exempted controls

My problem is:
- My organization has hundreds of control owners.
- If a Control Owner spends time creating a well-designed policy exception for his control, and then a week later he receives an email notification that an Issue has been created on his control - this will cause frustration and confusion.

Thus far, I see 2 options which would help us, and would appreciate your thoughts again!
- a flow should be configured to deactivate scripted indicators for exempted controls, however we miss the automated indicator results
  - This could work - as Rakesh says - we know the indicator would fail anyway
- customization to suppress Issue generation from scripted indicator failure, if exempt
3 weeks ago
@Colin Anderson The only thing to say for the first one is that you can auto close the issue if it is raised against a control which is exempt and put comments on why it is exempt. It will keep re-opening it each time it finds the information, but you can set a flow to auto close the issue again if the linked control is exempt.
