07-15-2020 08:33 AM
Hi,
We have a business scenario where multiple controls need to be created for one pair of control objective and entity.
For example:
Control objective = "Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly" (it relates to two different citations).
Entity = IT (say, a department)
Two ad hoc controls are required, one against each citation, for the same entity and control objective; however, the ServiceNow control form has the validation "Only one control is allowed for each pair of entity and control objective".
The business data has more of the same scenarios blocked by this validation. Please assist on moving further.
Thanks & Regards
Chandan Bhayani
Labels: Policy and Compliance Management
07-15-2020 12:29 PM
Hi Chandan,
I would suggest keeping your control objective "Review event logs, Intrusion Detection System reports, security incident tracking reports, and other security logs regularly" as a parent control objective, and then creating separate child control objectives for each of the controls you wish. You can then connect the entities to the child control objectives.
This approach uses the OOB design and should fulfill the business goals.
Best regards,
Nicklas Jepsen
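The following is an added illustration, not code from the thread or from ServiceNow: it models the "one control per (entity, control objective) pair" validation described above and shows why splitting the combined objective into one child objective per citation satisfies it. All field and object names (`entity`, `objective`, `citation`, `splitObjective`) are assumptions for the illustration, not ServiceNow table or API names.

```javascript
// Illustrative model of the control-form validation from the thread.
// Names are hypothetical; this is not ServiceNow's data model or API.

function pairKey(control) {
  return `${control.entity}::${control.objective}`;
}

// Mirrors the form rule: a control is rejected when another control in the
// set already uses the same (entity, control objective) pair.
function validateControls(controls) {
  const seen = new Map();
  const rejected = [];
  for (const c of controls) {
    const key = pairKey(c);
    if (seen.has(key)) {
      rejected.push({ control: c.name, conflictsWith: seen.get(key) });
    } else {
      seen.set(key, c.name);
    }
  }
  return rejected;
}

// Flat model (constructed sample): one combined objective covering two
// citations, so the two controls collide on the same pair.
const combinedObjective =
  'Review event logs, IDS reports, incident tracking reports and other security logs regularly';
const flatControls = [
  { name: 'Log review (citation A)', entity: 'IT', objective: combinedObjective, citation: 'Citation A' },
  { name: 'IDS review (citation B)', entity: 'IT', objective: combinedObjective, citation: 'Citation B' },
];

// Hierarchical model: keep the combined objective as the parent and create
// one child objective per citation; each control then links the entity to
// its own child objective, so every (entity, objective) pair is unique.
function splitObjective(parent, citations) {
  return citations.map((citation) => ({ parent, name: `${parent.name} [${citation}]`, citation }));
}

const parentObjective = { name: combinedObjective };
const childObjectives = splitObjective(parentObjective, ['Citation A', 'Citation B']);
const hierarchicalControls = childObjectives.map((child, i) => ({
  name: flatControls[i].name,
  entity: 'IT',
  objective: child.name,
  citation: child.citation,
}));
```

Running `validateControls` on `flatControls` reports one conflict, while `hierarchicalControls` passes with none.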
07-20-2020 01:56 AM
Thanks
This really helped. Last follow-up query: "Should the internal policies be related to the child control objectives or to the parent, from a best-practice point of view?"
Regards
Chandan Bhayani
07-21-2020 11:03 AM
Hi Chandan,
Perfect 🙂
It is always better to have more explicit Control Objectives than ones that combine multiple requirements.
Because you have already made the relation between the parent control objective and the children, the answer to your question depends more on who will be reading the internal policies. If they are to be published on the knowledge base as GRC policies and read by common users, it might be enough to only include the parent control objective. If the policy is to be read by control owners, it might make more sense to link directly to the child control objectives. The reason being, if you are using the standard policy template, then the names of the related control objectives will be added to the description of the policy.
I.e., it depends on how much information you want to put into the policy. If the child control objectives are descriptive, it might save some time to simply link to these in the policy instead of writing a block of text in the policy.
Best regards,
Nicklas Jepsen
01-30-2023 10:20 PM
For a business scenario, we are trying to link multiple entities to a particular key control. I did a search for some articles and found this one. It looks like we cannot associate multiple entities with the same control OOTB.
Is there any way we can achieve this? We want to have controls at the business entity level that also apply to processes the business entity owns. The control (which is a singular activity undertaken once) needs to be able to be reported through two different lenses: the lens of the business entity and the lens of the business process, which may sit across different business entities. Any inputs are appreciated.
Thanks in advance!