What is use of Key Control checkbox on Control form. Is there any logic written on it?

Prateek Gupta3
Mega Guru

‎01-04-2022 12:10 PM

Hi All,

I am having two questions as below:

1.  Can anyone please help in understanding the use of Key Control field on Control form.

2.  We have multiple controls from different authority documents which can be overlapping. Is there any way to comply with one control and automatically other related controls from another Authority documents will also get complied with. (Here, I am not able to use Citation and Control Objectoive mapping because I need to maintain control objective and controls for all the Authority Documents). Also, how can I store mapping between controls of multiple Authority douments. 

 

Thanks in advance.

 

Thanks,

Prateek Gupta

0 Helpfuls
  • 646 Views
3 REPLIES 3

Jan Spurlin
ServiceNow Employee
ServiceNow Employee

‎01-04-2022 12:23 PM

Key Control is an attribute that does not have any specific logic in the baseline related to it.

Concerning your second point - the whole reason we have two sets of tables (Authority Docs/Citations) and (Policies/Control Objectives) is to do exactly what you are asking. The regulations should be populated in the Authority Docs/Citations tables.  If there are duplicate citations across multiple authority documents, then you relate them all to one Control Objective.  When you manage the controls the results will roll back up to the Control Objective, then to the Citation and Authority Doc.

Prateek Gupta3
Mega Guru
In response to Jan Spurlin

‎01-04-2022 12:49 PM

Hi Jan, Can you please guide on the implications if we go only by creating control objectives without having policy. The reason is, customer is not having any categorization of control objectives. Thanks, Prateek
0 Helpfuls

Jan Spurlin
ServiceNow Employee
ServiceNow Employee
In response to Prateek Gupta3

‎01-04-2022 03:57 PM

That's a complicated question, but I'll try and answer.

Control Objectives do not have any type of workflow associated with them. They follow the review and approval flow of the policy they are attached to. So, if there is no policy; then either there is no workflow - or you have to do it via customization.

Not using policies means that they won't be doing any policy acknowledgments, but that may be okay.

The Valid from and to dates are on the policy - so there is no way to know when to review the control objectives.

This is where having someone with risk or compliance experience on your implementation team could help. It sounds like they just want to manage controls - and really aren't looking at the bigger picture for their organization.

Hope that helps.

0 Helpfuls