UCF Value Add
03-30-2023 06:54 AM
Hello GRC Community,
I have a question around the Unified Controls Hub integration with ServiceNow. Our team is exploring the use of UCF to help automate some of our current manual control efforts. Our team has already created a fairly robust controls library in SNOW (roughly 200+). However, all of our controls are mapped back to manually created control objectives based on internal Policy that is cited back to industry frameworks. The manual effort to support continuous Authority Document updating and Control mappings is becoming increasingly complex. While we understand the value of leveraging UCF, we are hesitating to implement due to our already existing control structure.
Does anyone have success stories around implementing the integration while also having a controls program in place? It would be great to hear from or even connect with others who might have run into this situation.
Thanks in advance for the assistance!
John Cordero
03-30-2023 08:41 AM
Thank you for posting, John. Our team is in the same situation. Controls are mapped to control objectives from internal policies. Agree, the manual mapping of the control objectives to the Citations > Authority Docs can be complex and time consuming. On top of it, there is a compliance score for Citations and Authority Docs. We are seeking some guidance as well on the design of it for proper functionality and useful results.

03-30-2023 09:18 PM - edited 03-30-2023 09:19 PM
Here are two strategies to reduce manual effort:
- Leverage Custom Scripting or ServiceNow IntegrationHub: You can develop a custom script or leverage IntegrationHub to automate the mapping process. This script or integration should be designed to do the following:
a. Retrieve the external regulations and citations imported from UCF.
b. Identify the relevant internal policies and manually created control objectives that correspond to the citations.
c. Create the mappings between the citations and the existing control objectives based on pre-defined rules or criteria.
This approach will require some initial development effort, but it can significantly reduce the manual effort in mapping the citations to control objectives.
- Utilize Machine Learning or Natural Language Processing (NLP): Another approach to automate the mapping process is to leverage machine learning or NLP techniques. By using these techniques, you can analyze the text of the external regulations, citations, and existing control objectives, and identify the most relevant matches based on semantic similarity.
Here's a high-level process to implement this approach:
a. Import the external regulations and citations from UCF into your ServiceNow instance.
b. Use a machine learning or NLP library (e.g., SpaCy, NLTK, or TensorFlow) to process and analyze the text of the citations and the existing control objectives.
c. Develop a similarity metric to determine the most relevant matches between citations and control objectives.
d. Create the mappings between the citations and the existing control objectives based on the similarity scores.
Please note that this approach will require expertise in machine learning and NLP, and the quality of the mappings will depend on the accuracy of the similarity metric.
By implementing either of these strategies, you can reduce the manual effort involved in mapping the UCF imported citations to your existing manually created control objectives. It's important to consider the trade-offs and the required development effort for each approach and choose the one that best suits your organization's needs and resources.
---------------
Regards,
Rajesh Singh
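The similarity-scoring steps in the post above can be sketched as follows. This is an added example, not code from the post or from ServiceNow: it swaps in a standard-library TF-IDF cosine similarity for the libraries named, and the record IDs, texts and the 0.25 threshold are constructed assumptions. A citation with no match above the threshold is left unmapped for manual review, so a weak match does not show up as coverage.

```python
import math
import re
from collections import Counter

STOP = {"the", "a", "an", "and", "or", "of", "to", "is", "are", "be",
        "shall", "must", "on", "in"}

# Constructed sample records (not real UCF citations or ServiceNow data).
CITATIONS = {
    "CIT-1": "Passwords must be changed at least every 90 days and meet complexity requirements.",
    "CIT-2": "Backup copies of information shall be taken and tested regularly.",
    "CIT-3": "Visitors shall be escorted within secure areas of the facility.",
}
OBJECTIVES = {
    "OBJ-A": "User passwords meet complexity requirements and are rotated every 90 days.",
    "OBJ-B": "Information backups are taken on schedule and restoration is tested regularly.",
    "OBJ-C": "Security patches are applied to servers within 30 days of release.",
}

def tokens(text):
    """Lowercase alphabetic words with stop words removed (no stemming)."""
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP]

def tfidf(docs):
    """{id: text} -> {id: {term: weight}} using smoothed IDF."""
    counts = {k: Counter(tokens(v)) for k, v in docs.items()}
    df = Counter(t for c in counts.values() for t in c)
    n = len(docs)
    return {k: {t: tf * (math.log((1 + n) / (1 + df[t])) + 1)
                for t, tf in c.items()} for k, c in counts.items()}

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = (math.sqrt(sum(w * w for w in a.values()))
            * math.sqrt(sum(w * w for w in b.values())))
    return dot / norm if norm else 0.0

def map_citations(citations, objectives, threshold=0.25):
    """Best objective per citation; None means route to manual review."""
    vecs = tfidf({**citations, **objectives})
    out = {}
    for cid in citations:
        oid, score = max(((o, cosine(vecs[cid], vecs[o])) for o in objectives),
                         key=lambda pair: pair[1])
        out[cid] = (oid if score >= threshold else None, round(score, 3))
    return out

if __name__ == "__main__":
    for cid, (oid, score) in map_citations(CITATIONS, OBJECTIVES).items():
        print(cid, "->", oid or "MANUAL REVIEW", score)
```
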

03-30-2023 11:32 PM
@John C There is another strategy, which is less coding,
- Utilize GRC matching rules: Once you have imported the data, you can create matching rules to automatically relate the imported citations to your existing control objectives. This can be based on keywords, phrases, or specific identifiers that are present in both the citation and control objective. While this may not eliminate all manual work, it can significantly reduce the effort required to map the citations to control objectives. (Import UCF citations using Import Set. Develop a script to match citations with control objectives based on predefined criteria. Customize matching criteria as needed. Schedule the script to run periodically using ServiceNow's Scheduled Script Execution.)
- Implement a phased approach: Instead of trying to map all the citations at once, you can break the process into smaller, manageable phases. Identify the most critical or high-priority citations and start with mapping those first. This will allow you to refine the process and identify any issues or bottlenecks, which can then be addressed before moving on to the next set of citations.
- Collaborate with UCF experts: Engage with UCF experts, either internally or externally, to help you understand the best way to map citations to your control objectives. These experts can help you identify similarities between your existing control objectives and the imported citations and may suggest best practices for mapping. (https://www.ucfmapper.com/professional-compliance-mapping/)
---------------
Regards,
Rajesh Singh