POLICY & COMPLIANCE QUESTION

Damon12
Kilo Contributor

Are policies written from citations?

Are authority documents a framework?

Can an organization have more than one framework/authority document?

How is a control objective related or connected with a control?

Please, I need a layman's explanation.

Once UCF is activated, are all these automatically populated (authority documents, citations, control objectives)?


Thank you


1 ACCEPTED SOLUTION

Jorge G_
ServiceNow Employee

Hi Damon,

You got it somewhat right, but let me use the same format you used to explain it further, plus a real-life example.

Authority Document = Framework = PCI DSS

Citations = Section or Area of PCI DSS = Requirement 1: Install and maintain a firewall

Citations = Section or Area of PCI DSS = 1.1 Establish and implement a firewall

Control Objective = Procedure or guideline = Implement a firewall 

In the example above, the Control Objective will have much more details around how the control should be implemented and even assessed. 

------------

Policy = Internal mandate = Security Policy

Control Objective = Implement a firewall

A policy is almost the same as an Authority Document with the exception that it stems from internal guidance rather than external regulations. 

-----------

Once the governance has been set in place then it's time to go ahead and implement it. You do that via controls. A control is an instance of a Control Objective after it has been applied to an entity. 

Let's say that we have 2 data centers, one in New York and the other in Boston. You need to establish firewalls per PCI and your own internal policy so you create two controls. 

Control Objective = Implement a firewall

Entity = NY Data Center

Control = Implement a firewall in NY Data Center


Control Objective = Implement a firewall

Entity = Boston Data Center

Control = Implement a firewall in Boston Data Center


Finally, once the controls start being assessed and monitored via indicators, the results are aggregated and rolled up the chain. In this example, if both of these controls are passing, then that would be reflected at both the Security Policy level and the PCI DSS level.


Hope this helps!


7 REPLIES

SeanBarrett
ServiceNow Employee

Hi Damon, I think I can help. Let me provide my input inline to your questions:

Are policy written from citations?

  • A policy is your organization's internal mandate that control objectives can be related to. Control objectives will be created from and related to citations.

Are authority document a framework?

  • Yes, and if you're using an integration to UCF, this document and relevant content can be imported into ServiceNow.

Can an organization have more than one framework/authority document?

  • Absolutely, this is part of the value proposition. UCF harmonizes common controls across multiple authority documents, allowing a customer to test once and show compliance to many. For example, a control to have password complexity requirements on systems may be related to both NIST and PCI. By remaining compliant with this control, you're showing compliance on both.

How is a control objective related or connected with a control?

  • Control objectives are like templates: once the template is bound to an entity (asset), an individual control is created in ServiceNow. There are several activities that can be managed on that control (e.g. attestation, continuous monitoring, etc.).

Once UCF is activated, are all these automatically populated (authority documents, citations, control objectives)?

  • The integration supports a mapping to automatically populate the content into ServiceNow. There may be a process to validate and commit the import, but it's simple.

I hope this helps!

Sean
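The hierarchy described in Jorge's accepted answer (Authority Document, Citation, Control Objective, Control per Entity, with results rolled up the chain) and Sean's point that one control objective can serve both a framework and an internal mandate, as an added toy model; this is example code written for this thread, not ServiceNow's data model, and the class names and the "all controls must pass" rollup rule are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    entity: str          # the asset the objective is applied to
    status: str          # "pass" or "fail", set by attestation/indicators

@dataclass
class ControlObjective:  # the "template": what must be done
    name: str
    controls: list = field(default_factory=list)

    def apply_to(self, entity, status="pass"):
        # binding an objective to an entity creates a Control
        self.controls.append(Control(entity, status))
        return self.controls[-1]

    def compliant(self):
        # assumed rollup rule: every applied control must pass
        return all(c.status == "pass" for c in self.controls)

@dataclass
class Citation:          # section of an Authority Document
    name: str
    objectives: list
    def compliant(self):
        return all(o.compliant() for o in self.objectives)

@dataclass
class AuthorityDocument: # external framework, e.g. PCI DSS
    name: str
    citations: list
    def compliant(self):
        return all(c.compliant() for c in self.citations)

@dataclass
class Policy:            # internal mandate; reuses the same objectives
    name: str
    objectives: list
    def compliant(self):
        return all(o.compliant() for o in self.objectives)

def build_example():
    # Constructed from the thread: one objective applied to two data centers,
    # referenced by both PCI DSS (via a citation) and the Security Policy.
    firewall = ControlObjective("Implement a firewall")
    ny = firewall.apply_to("NY Data Center")
    boston = firewall.apply_to("Boston Data Center")
    pci = AuthorityDocument("PCI DSS", [Citation("1.1 Establish and implement a firewall", [firewall])])
    policy = Policy("Security Policy", [firewall])
    return ny, boston, pci, policy
```

Failing one control (say Boston's attestation answers "no") makes the objective, the PCI DSS citation and document, and the Security Policy all roll up as non-compliant at once, which is the "test once, show compliance to many" effect working in both directions.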

Jorge G_
ServiceNow Employee

To expand on Sean's great explanation, there are two sources for why an organization must do something. The first is from an external source, which in ServiceNow we call an Authority Document. An Authority Document may be broken down into sections, which we call Citations. Finally, the part of the regulation which states what needs to be done is a Control Objective. For example, we might have an Authority Doc for NIST, a Citation for Access Control, and a Control Objective for Password Strength Requirements. Finally, as Sean stated, the Control Objective gets mapped to an Entity and that becomes the Control. For example, our Password Strength Requirement control objective applied to a particular Windows Server.

The second is from internal mandates, which we call Policies. Typically, policies are written to support a business objective or business strategy. Policies can also have sections within them, but the part of the policy which again tells you what needs to be done is mapped to a Control Objective. In the case where you have an Acceptable Use policy, with a section around Access Control, and a Control Objective for Password Strength Requirement, then the same Control Objective coming from the Authority Document can be used.

Damon12
Kilo Contributor

Thank you Jorge,

This is my analysis and please tell me if I am wrong or correct me.


Authority Document = Framework

Citations = Best Practices/Regulations of the framework

Control Objective = Procedure or guideline of each citation of the authority document

Policy = Internal mandate or rule created based on a control objective

Control = Action or step taken to ensure compliance with the policy


I have problems understanding control. Please help with a real example in layman's terms. I picked a control objective and chose an entity type, which automatically generated a control. I clicked on the control and attested to it. Then the policy and attestation became compliant after answering the questions correctly.

What happens if the result of the attestation is no, which means the control and policy will be non-compliant? Will the indicator automatically generate, or how and when will the indicator show up?


Also regarding attestation, why is this a necessity? Why does the response of the assessment determine if the policy is compliant or not? I am just a little confused because if I am attesting to a control as "yes, the control is in place", which makes the control compliant, and the policy compliant also, before it gets to the monitor state, what is then the use of the control itself being in the monitor state if it has already been attested and it is already compliant?
