POLICY & COMPLIANCE QUESTION

Damon12
Kilo Contributor

Are policies written from citations?

Are authority documents a framework?

Can an organization have more than one framework/authority document?

How is a control objective related or connected with a control?

Please, I need a layman's explanation.

Once UCF is activated, are all these automatically populated (authority documents, citations, control objectives)?


Thank you


1 ACCEPTED SOLUTION

Jorge G_
ServiceNow Employee

Hi Damon,

You got it somewhat right, but let me use the same format you used to explain it further, plus a real-life example.

Authority Document = Framework = PCI DSS

Citations = Section or Area of PCI DSS = Requirement 1: Install and maintain a firewall

Citations = Section or Area of PCI DSS = 1.1 Establish and implement a firewall

Control Objective = Procedure or guideline = Implement a firewall

In the example above, the Control Objective will have much more details around how the control should be implemented and even assessed.

------------

Policy = Internal mandate = Security Policy

Control Objective = Implement a firewall

A policy is almost the same as an Authority Document with the exception that it stems from internal guidance rather than external regulations.

-----------

Once the governance has been set in place then it's time to go ahead and implement it. You do that via controls. A control is an instance of a Control Objective after it has been applied to an entity.

Let's say that we have 2 data centers, one in New York and the other in Boston. You need to establish firewalls per PCI and your own internal policy so you create two controls.

Control Objective = Implement a firewall

Entity = NY Data Center

Control = Implement a firewall in NY Data Center


Control Objective = Implement a firewall

Entity = Boston Data Center

Control = Implement a firewall in Boston Data Center


Finally, once the controls start being assessed and monitored via indicators, the results are aggregated and rolled up to the chain. In this example, if both of these controls are passing then that would reflect at both the Security Policy level, as well as the PCI DSS level.


Hope this helps!

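The hierarchy and roll-up described in the accepted answer, as a constructed Python model added here (not ServiceNow's data model or code; the class and function names are assumptions): a control objective hangs off both a framework citation and an internal policy, applying it to an entity creates a control, and indicator results on controls roll up to the policy and to the authority document.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model (not ServiceNow's own data model) of the hierarchy in
# the answer above: citation -> control objective <- policy; objective x entity
# = control; indicator results on controls roll up to policy and framework.

@dataclass(frozen=True)
class ControlObjective:
    name: str

@dataclass
class AuthorityDocument:          # the framework, e.g. PCI DSS
    name: str
    citations: Dict[str, List[ControlObjective]]  # citation ref -> objectives

@dataclass
class Policy:                     # internal mandate, e.g. Security Policy
    name: str
    objectives: List[ControlObjective]

@dataclass
class Control:                    # a control objective applied to one entity
    objective: ControlObjective
    entity: str
    passing: Optional[bool] = None  # latest indicator result; None = not assessed

    def name(self) -> str:
        return f"{self.objective.name} in {self.entity}"

def instantiate(objective: ControlObjective, entities: List[str]) -> List[Control]:
    """One control objective applied to N entities yields N controls."""
    return [Control(objective, e) for e in entities]

def rollup(objectives: List[ControlObjective], controls: List[Control]) -> str:
    """A parent is compliant only when every child control is passing."""
    relevant = [c for c in controls if c.objective in objectives]
    if not relevant or any(c.passing is None for c in relevant):
        return "not assessed"
    return "compliant" if all(c.passing for c in relevant) else "non-compliant"

def policy_status(policy: Policy, controls: List[Control]) -> str:
    return rollup(policy.objectives, controls)

def authority_status(doc: AuthorityDocument, controls: List[Control]) -> str:
    return rollup([o for objs in doc.citations.values() for o in objs], controls)

# Constructed sample following the answer's PCI DSS / firewall walk-through.
firewall = ControlObjective("Implement a firewall")
pci = AuthorityDocument("PCI DSS", {"Requirement 1.1": [firewall]})
security_policy = Policy("Security Policy", [firewall])
controls = instantiate(firewall, ["NY Data Center", "Boston Data Center"])
```

Set `passing` on each control as an indicator would and call `policy_status` and `authority_status` to see that one failing data center makes both the Security Policy and PCI DSS non-compliant.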

7 REPLIES

Damon12
Kilo Contributor


Thank you so much for this clarification. This is really helpful.
Now,

Regarding Control, Attestation, Indicator and Control Test.

For example:

Authority Document: NIST
Citation: Validity of employee email password should not exceed 120-180 days
control objective: change the maximum age of employee email password
policy: change password every 60 days with 8 alphanumeric characters including 1 upper and lower case
control1: change the maximum age of employee email password for james
control1: change the maximum age of employee email password for john

Once an entity is specified and a control is generated, the next thing will be for the owner to attest. When exactly, or at what point, is the owner of the control meant to attest a control? I ask because, looking at my example of controls for James and John: will the control be attested to anytime from the 61st day or within the 60 days, or how will the owner know that the password has been changed within the 60-day grace period or changed after the 60-day grace period?
I know my question is around indicators also, but I just want you to help me align my example and questions around:

Control
Attestation
Indicator

Please can I also get your email?

Thank you Sean,

This is my analysis and please tell me if I am wrong or correct me.


Authority Document = Framework

Citations = Best Practices/Regulations of the framework

Control Objective = Procedure or guideline of each citation of the authority document

policy = internal mandate or rule created based on a control objective

control = action or step taken to ensure compliance with the policy


I have problems understanding control. Please help with a real example, in layman's terms. I picked a control objective and chose an entity type which automatically generates a control. I clicked on the control and I attested to it. Then the policy and attestation became compliant after answering the questions correctly.

What happens if the result of the attestation is no, which means the control & policy will be non-compliant? Will the indicator automatically generate, or how and when will the indicator show up?

Also regarding attestation, why is this a necessity? Why does the response of the assessment determine if the policy is compliant or not? I am just a little confused because if I am attesting to a control as "yes the control is in place", which makes the control compliant, and the policy compliant also before it gets to the state of monitor, what is then the use of the control itself being in the monitor state if it has already been attested and it is already compliant?

Eric Feron
Moderator

Hi Damon, you will find a lot of "layman's language" explanations here.

In particular, I recommend that you spend a few minutes reviewing:

The Unified Compliance Framework and ServiceNow (21 minutes).
The Unified Compliance Framework (UCF) helps you save time and keep your business compliant with key regulations. Here is an overview of how UCF and ServiceNow work together so you can get started quickly and effectively.


Entities (fka Profiles) in a few words: All places, people and things that... (10 minutes).
On the occasion of the renaming of Profiles to Entities for the New York release, we take another look at the concept and boil it all down to a few words and some very practical examples. "All people, places and things that....."


Controls: Attestations, Indicators and Control Tests (17 min).
Make sure you set up your Indicators and do not edit your Attestations, or you will run into trouble. Make sure you view this tutorial to understand Controls and set them up right. If not, you may not get the best from your application.

If nothing else, these will help you master the terminology. It is not straightforward 😉