Need help avoiding duplicate controls.

Roger Grim
Tera Contributor

We are in the process of adding our frameworks, policies and regulatory documents.  Then we will parse these into citations and into control objectives.  

Of course many of the control objectives are looking for the same conditions, for example say the policy and a regulation both require that default passwords are changed.  We want to have this tested then the results of that test applied to both the policy and regulation and not have two controls for the same thing be tested twice.

Where do you tie these duplicate requirements together so those testing only get one notice to test but you can record the result in both the policy and regulatory requirement?

Is this done at the control objective level or the control level?

Thank you in advance

4 REPLIES

Community Alums
Not applicable

Hi @Roger Grim ,

Please share the screenshots of the Duplicate Controls.

These controls get generated per entity type, so for each entity you might see the same control being applied, which looks duplicated but it's not.

This is by design.


Thank you for replying, but I don't have any example to share as we have just begun to enter control objectives. I see us running across this issue as many frameworks and regulatory documents have the same requirements. For example, both the CSC and PCIDSS require that network devices' default passwords be changed. We want to enter the control objectives such that when the related control is tested, the result updates both the CSC and PCIDSS.


Anish Reghu
Kilo Sage

In ServiceNow, you can tie duplicate requirements together at the control objective level by creating a single control objective that encompasses both requirements. This will allow you to test the requirement once and apply the result to both the policy and regulatory requirement.

To do this, you can follow these steps:

  1. In the Compliance module, go to the Control Objectives tab.

  2. Click the New button to create a new control objective.

  3. In the New Control Objective form, enter a name and description for the control objective that encompasses both the policy and regulatory requirement.

  4. In the Controls related list, add both the policy and regulatory requirement as controls for the control objective.

  5. Click the Submit button to save the control objective.

Now, when you test the control objective, the result will be applied to both the policy and regulatory requirement. This will allow you to test the requirement once and record the result in both the policy and regulatory requirement.

You can also tie duplicate requirements together at the control level by creating a single control that encompasses both requirements. However, this approach may not be as effective as creating a single control objective, as it will not allow you to test the requirement once and apply the result to both the policy and regulatory requirement.

Kindly mark the response as Correct or Helpful if it helps.

Cheers,

Anish
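As an added illustration of the arrangement described in this answer (one control objective cited by several source documents, tested once, with the result readable from each document), here is a small Python model. It is example code written for this thread, not ServiceNow code, and the class names, clause ids and field names are invented for the illustration; they do not reflect the product's data model.

```python
"""Toy register: many citations -> one control objective -> one test result.

Added example, not ServiceNow code. Names (Register, Citation,
ControlObjective) and the clause ids below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Citation:
    """One requirement as written in a source document (framework or regulation)."""
    source: str  # e.g. "CSC" or "PCIDSS"
    ref: str     # the document's own clause id (constructed placeholder here)
    text: str    # requirement wording


@dataclass
class ControlObjective:
    """The single condition that several citations all ask for."""
    name: str
    citations: list[Citation] = field(default_factory=list)
    result: str | None = None  # one test result, shared by every citation


class Register:
    """Maps citations onto control objectives and propagates test results."""

    def __init__(self) -> None:
        self.objectives: dict[str, ControlObjective] = {}

    def add_citation(self, objective: str, citation: Citation) -> ControlObjective:
        # Re-using an existing objective is what prevents a duplicate control:
        # the analyst picks the objective name, the register links the citation to it.
        co = self.objectives.setdefault(objective, ControlObjective(name=objective))
        if citation not in co.citations:
            co.citations.append(citation)
        return co

    def tests_due(self) -> list[str]:
        # Testers get one notice per objective, however many documents cite it.
        return [name for name, co in self.objectives.items() if co.result is None]

    def record_test(self, objective: str, result: str) -> None:
        self.objectives[objective].result = result

    def results_by_source(self) -> dict[str, dict[str, str | None]]:
        # Read the single result back under each source document's own clause id.
        out: dict[str, dict[str, str | None]] = defaultdict(dict)
        for co in self.objectives.values():
            for c in co.citations:
                out[c.source][c.ref] = co.result
        return dict(out)


def build_sample_register() -> Register:
    """Constructed sample: the two default-password requirements from the thread."""
    reg = Register()
    reg.add_citation("default-passwords", Citation(
        "PCIDSS", "clause-A",  # constructed id, not the real requirement number
        "Vendor published defaults should not be used for system passwords "
        "and other security parameters"))
    reg.add_citation("default-passwords", Citation(
        "CSC", "clause-B",  # constructed id
        "Before deploying any new asset, change all default passwords to have "
        "values consistent with administrative level accounts."))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("tests due:", reg.tests_due())          # one notice, not two
    reg.record_test("default-passwords", "compliant")
    print(reg.results_by_source())                # same result under PCIDSS and CSC
```

The point of the model is where the de-duplication happens: the link between a citation and an objective is made when the citation is entered, so the tester sees one item in `tests_due()` and both documents read the same `result` afterwards.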



When I get to step 4, I don't see how I enter policy and regulatory requirement as controls for the control objective.

In our test environment I have created a new control objective, default passwords, and in the description I noted this relates to a framework, CSC, and a regulatory item under PCIDSS. This is what is entered.

- PCIDSS: Vendor published defaults should not be used for system passwords and other security parameters
- CSC: Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Since these are grouped under the control objective, I don't see where in the underlying control I note the two items again.

Thank you.