UCF Mandates. Implied and implement control mapping in ServiceNow

Ashish Arovind2
Tera Contributor

Hello Everyone

I am currently trying to understand how UCF citations and controls are getting mapped in ServiceNow and I am stuck on one issue.

 

I see some citations in UCF which have multiple controls under them.

I want to understand how ServiceNow is mapping them.

 

For example:

Let's say this is the citation that needs to be imported in ServiceNow.

Source                     CCID    Description
3.1.1 multiple mandates    820     XYZ
3.1.1 multiple mandates    1160    ABC

 

The citation has the same name but has multiple mandates.

How will the OOB ServiceNow process handle this?

1. Is ServiceNow creating multiple control objectives for mandates and mapping them under one citation?
2. Is ServiceNow creating multiple controls and mapping them under the citation without creating a control objective?

 

UCF terms are citations, mandates, implied controls and implement controls. Is there any mapping or comparison of these to ServiceNow's citation, control objectives and controls?

 

Can anyone help me in understanding this?

@Community Alums  @Rajesh_Singh  @Jan Spurlin  @Naveen Kumar4  @sachin_namjoshi 

Regards
Ashish Arovind Raj


Community Alums
Not applicable

Hi @Ashish Arovind2 ,

The UCF based citations would have control objectives associated with them:

[Image: SandeepDutta_0-1683197617690.png]

Then it would follow the process of attaching the Entity Type to the control objective and the controls would get created automatically for all the entities which are part of the entity type.

You can associate multiple Control Objectives and child citations.

Sometimes UCF has control objectives already associated with the respective citation.

 

 

Jan Spurlin
ServiceNow Employee

There is good information in product docs about the integration to UCF.  Check out this article and the ones that follow it:

https://docs.servicenow.com/bundle/utah-governance-risk-compliance/page/product/grc-ucf-import/conce...

It is also good to know what gets imported from UCF into ServiceNow - this table provides that info:

[Image: JanSpurlin_0-1683201154889.png]

What doesn't get imported from UCF is what they call the control instance.  In ServiceNow the equivalent is the control - but we generate it by applying Entity Types to the Control objective.

 

Sometimes you will see citations duplicated in the citations table - and then when you look at the details you discover that they are related to different control objectives. This can happen when the original citation is complex and really needs to be broken down into separate parts to measure it.

Hi Jan,

 

The above response helps.

However, there is a particular ask or scenario -

There are a lot of citations with multiple mandates. I also understand UCF recommends separating these mandates and the Common Controls are also mapped to the mandates.

 

Q1. How is the above scenario managed with the ServiceNow OOTB IRM processes?

 

Q2. Do we have the option in ServiceNow to capture the different mandates of a citation with the UCF API integration? Where (which table) would the mandates be stored and how are the Control objectives mapped?

[Image: anithanarayan_0-1683262993721.png]

 

 

Thank You.

Regards,

Anitha

@anithanarayan I do not know the answer to your question.  I am reaching out to others that know the integration better than me to see if I can get an answer.  It may take a couple of days to find a response.