What determines the STATUS of a control in GRC?

juliesutton
Mega Expert

I have a policy with an associated control objective, control, indicator template and indicator.  The indicator shows passing as the last result.  What changes the status of the control itself?  It shows non-compliant?  Is that tied to the attestation?

Thanks,

Julie Sutton

1 ACCEPTED SOLUTION

SanjivMeher
Kilo Patron

The Control Status depends on both the indicator task result and the attestation result.

So if the attestation failed, the control becomes non-compliant.

Or if the indicator task failed, the control becomes non-compliant.

In any case, an issue is created, so you should check whether there is an issue still open.

Even if the last indicator task passed, there could be an old indicator task that failed and whose corresponding issue is still open, which is keeping the control non-compliant.



12 REPLIES

Does that mean OOB that the status should change based on the indicator results?

You can use UI actions based on your control objects to update control status.

Regards,

Sachin

Dexter Parre_o
ServiceNow Employee

Hi Julie,

The following makes a control non-compliant:

  • When the attestation result is Not Implemented, which will create an issue
  • If an indicator result for that control is Failed or Not Passed, which will create an issue
  • If there is an existing control test (tied to the control) in Closed Complete state and the Control Effectiveness is Ineffective, which will create an issue
  • If an issue has been manually created regarding that control
  • If you have some continuous monitoring processes that automatically create an issue due to the control being non-compliant or not effective

It could be that the control has a non-resolved issue which is why it is still non-compliant even though the indicator's last result is Passed. Try to check the Issues tab in the control form.

Regards,

Dexter

Phil Swann
Tera Guru

Further to Dexter's very detailed account, just be aware of the recent enhancements to Issue Source!

You need to take into account the full scope of issues which may exist on a control, and what their sources are. The Issue API will try to ensure that existing issues are re-used to avoid generating multiple issues, so the sources field will be used to 'stack' the various failures.

It will never close an ad-hoc issue automatically, except by Control Test effectiveness from Audit. Control Tests will reign supreme, so a successful control test can close all other open issues.

There is a property which handles whether to close indicator failures automatically. 

But generally speaking, if a Control fails attestation, the source of the newly generated issue will be attestation failure. When the attestation passes, it will close the issue and set the control to compliant.

If, in the meantime, an indicator fails, the source will be updated. If the attestation passes while the indicators are failing, the attestation failure source will be removed, but it will still be non-compliant while the indicator is taken care of!
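
The issue-source stacking described in the replies above, sketched as a small model. This is an added example, not ServiceNow code and not part of any post; the class, method and source names, and the `autoCloseIndicator` flag standing in for the property mentioned above, are hypothetical.

```javascript
// Toy model of the behaviour described in the replies above; NOT ServiceNow code.
// All names (ControlModel, source labels, autoCloseIndicator) are hypothetical.
class ControlModel {
  constructor({ autoCloseIndicator = false } = {}) {
    this.autoCloseIndicator = autoCloseIndicator; // stands in for the property mentioned above
    this.sources = new Set();                     // sources stacked on the one open issue
  }
  get status() {
    // The control is compliant only when no source keeps an issue open.
    return this.sources.size === 0 ? 'compliant' : 'non_compliant';
  }
  attestation(result) {
    if (result === 'not_implemented') this.sources.add('attestation');
    else this.sources.delete('attestation'); // a passing attestation removes only its own source
    return this.status;
  }
  indicator(result) {
    if (result === 'failed' || result === 'not_passed') this.sources.add('indicator');
    else if (this.autoCloseIndicator) this.sources.delete('indicator');
    // Without auto-close, the earlier failure stays on the issue until it is closed.
    return this.status;
  }
  manualIssue() {
    this.sources.add('ad_hoc'); // never removed automatically, except by a control test
    return this.status;
  }
  controlTest(effectiveness) {
    if (effectiveness === 'ineffective') this.sources.add('control_test');
    else this.sources.clear(); // a successful test closes every open issue, ad-hoc included
    return this.status;
  }
}

// Constructed scenario from the question: an old indicator failure, latest result passing.
function staleIndicatorScenario(autoCloseIndicator) {
  const c = new ControlModel({ autoCloseIndicator });
  c.indicator('failed');
  return { status: c.indicator('passed'), sources: [...c.sources] };
}

// Constructed scenario: the attestation passes while an indicator is still failing.
function mixedSourceScenario() {
  const c = new ControlModel();
  c.attestation('not_implemented');
  c.indicator('failed');
  return { status: c.attestation('implemented'), sources: [...c.sources] };
}
```

In this model, `staleIndicatorScenario(false)` leaves the control non-compliant with the `indicator` source still attached, which is the situation the accepted solution says to look for on the control's Issues tab.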

juliesutton
Mega Expert

I've checked everything I can think of.  There are no issues, the indicator is passing, the CO is in Monitor state.  We did skip the attestation, so maybe that's it?

What is the script that updates the status?  We are OOB with the scripts (I've added only a field to the table for tracking purposes).  

This is a manual indicator, does that matter?  The indicator task is closed and the indicator result shows passing.