Risk and Control Self Assessment

dhruvin · ‎03-23-2017

Hello,

I am trying the build a proof of concept for risk and control self assessment (RCSA) on ServiceNow. I understand some of the functionality is available out of box but i am having difficulty in connecting it all together for the RCSA.

RCSA process flow:

1) Identify assets (Servers/databases etc.)
2) Assign risks to the assets
3) Perform Inherent risk assessment
4) Pick controls to address the risks
5) Check for control effectiveness
6) Calculate residual risk
7) Document findings
😎 Create/trigger remediation tasks

Any inputs on this would be very helpful.

paulgerts · ‎04-07-2017

Hi Dhruvin,

The basic steps you'll need to follow are as follows, based on your RSCA process-flow:

1) create profile-types based on your assets > profiles will be auto-generated

2) create a risk framework + associated risks > assign risk framework to profile type > individal risks will be auto-generated

3) open each individual Risk to perform the inherent risk assessment

4) create controls to mitigate the risk (either from Policy&compliance module or directly from risks) > link controls to risks

5) Control effectiveness can be assessed/checked by creating indicators and linking them to the controls. Setting the type to either manual or basic.

6) Residual risk will be calculated automatically based on the input from #3

7) Findings are registered in the issues module. They are generated either automatically (based on indicator results) or manually.

😎 Remediation tasks are registered in the issues as well, see the different tabs in the records form.

You can find many of the instructions for the above tasks in the Docs-pages : https://docs.servicenow.com/bundle/helsinki-it-business-management/page/product/grc-enterprise/refer...

Governance, Risk, and Compliance (GRC)

Hope this helps!