Policies, Control Objectives, and UCF

VF123
Tera Contributor

I am pretty much at a standstill with our implementation of policy and compliance. We purchased licensing for the UCF plugins and brought them in to our instance. What has us stalled out is where to put the specific requirements. For example, we require passwords to be 12 characters long, 1 upper, 1 lower, etc.; however, we have other regulations that require passwords to be 15 characters long, 1 upper, 1 lower, etc. We cannot put this level of detail in the control objectives because of the UCF integration. So, I'm kind of left wondering if we should have separate policies for each of the regulations... but that seems like it would be more work and confusing to end users.


So, my question is, how do other organizations using UCF as their control objectives with multiple compliance regulations document their specific requirements?  


Community Alums
Not applicable

Hi @VF123 ,

Let's understand something first about UCF: UCF brings in the external Regulations/Standards/frameworks applicable to your organization.

Now, the example you gave, "we require passwords to be 12 characters long, 1 upper, 1 lower, etc. however, we have other regulations that require passwords to be 15 characters long, 1 upper, 1 lower, etc.", cannot be treated as External; this example is your internal regulation which the employees need to abide by, so you will need to create Policies here.

It works more like a knowledge article. The advantage of this KB Article generation approach is that you can modify what type of content is to be captured in a particular Type. You can set rules for retiring those articles too, based on the Valid to field, with the addition of some approvals.


You can use Templates for different types of policy.

1. Based on the Type selected, the Policy Text field has different pre-defined text and an open space for user input.

2. As the policy flows, it takes reviews and approvals from the necessary people and moves to the published state.

3. In the Published state, to store the data dynamically based on the Type selected, we use KB article generation, which you can restrict to a particular Knowledge base selection.

Thank you. Can you show me an example of the wording used within the policy text for my password example? Also, is there an easy way to determine which control objectives are mapped to specific authority docs/citations? For example, I only want to associate control objectives that are mapped to IRS Pub 1075 to my policy. Right now, I have to map a couple, then check the policy to see if those are the correct control objectives. If they aren't, I have to remove them and try again.

Hi @VF123,

UCF brings common control objectives which map to various regulations. If your requirement is slightly different from the control objective coming from UCF, there are different ways of managing them:

  1. You can create your own policy and control objectives under that policy to specify your organization-specific requirements
  2. You can use the same control objective from UCF, but add additional details on the implemented controls to mention your requirement for a 12 characters long, 1 upper, 1 lower password, and create a separate control for the 15 characters long, 1 upper, 1 lower password requirement

To answer your last question around finding control objectives mapped to a specific authority document/citation, you can view citations linked to control objectives as shown in the below screenshot. The m2m table between control objective and citations will provide you with those details. Let us know if you have more questions.


Thanks,

Anushree

Senior Manager, Product Management, Risk BU

ServiceNow