What are the following tables used for?

KrithikaV
Tera Expert

Hi, 

 

What are the following tables used for?

Control Objective to Configuration Control

sn_compliance_m2m_policy_statement_confguration_control

Control Objective to item

 sn_compliance_control_objective_item

Control Objective to Control Objective

 sn_compliance_m2m_policy_stmt_policy_stmt

Control objective requirement

 sn_compliance_policy_stmt_requirement

 

1. What is a control objective requirement?

2. Why and when do we add records to control objective to control objective? When we set parent-child relationship for control objective, only the control objective table gets inserted. When is the table - control objective to control objective used?

3. What are items and configuration control? How are they related to control objective?

 

Thanks in advance.

 

2 ACCEPTED SOLUTIONS

Satishkumar B
Giga Sage

@KrithikaV 

https://docs.servicenow.com/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-com...

1. Control Objective Requirement (sn_compliance_policy_stmt_requirement):

  • This table holds the specific requirements that must be met to fulfill a control objective. In ServiceNow, a control objective defines a high-level goal or standard that an organization must meet, often driven by regulatory, legal, or internal policy requirements. The Control Objective Requirement table captures the detailed criteria, rules, or actions necessary to achieve these objectives. Each control objective may have one or more associated requirements that guide how the objective should be implemented or assessed.

2. Control Objective to Control Objective (sn_compliance_m2m_policy_stmt_policy_stmt):

  • This table is used to create relationships between different control objectives. While parent-child relationships between control objectives are typically managed directly within the Control Objective table (using parent fields), the Control Objective to Control Objective table is used when you need to define more complex or non-hierarchical relationships between control objectives.
  • When is it used?: This table is utilized when you need to define relationships that are not just parent-child but could involve dependencies, equivalencies, or other types of connections between control objectives. This is useful in complex GRC frameworks where control objectives are interrelated in various ways that need to be explicitly captured.

3. Items and Configuration Control:

  • Control Objective to Item (sn_compliance_control_objective_item):
    • This table links control objectives to specific items (such as assets, applications, or other configuration items in the CMDB). The relationship indicates that these items are within the scope of the control objective, meaning that the objective's requirements apply to them.
  • Control Objective to Configuration Control (sn_compliance_m2m_policy_statement_configuration_control):
    • This table links control objectives to specific configuration controls. In ServiceNow, configuration controls typically refer to settings, policies, or configurations applied to items that need to be monitored or enforced to ensure compliance. For instance, a configuration control might enforce encryption settings on servers, and the control objective ensures that these settings are applied and maintained.

Relation to Control Objectives:

  • Items are the entities to which the control objectives apply. For example, if a control objective is to ensure secure communication, the items might be network devices or software that facilitate communication.
  • Configuration Controls represent specific configuration settings or policies that need to be enforced on these items to meet the control objective.

 


HIROSHI SATOH
Mega Sage

Control Objective to Configuration Control (sn_compliance_m2m_policy_statement_confguration_control)
This table is used to link a control objective with a configuration control. It manages how a particular control objective relates to a specific configuration control.

Control Objective to item (sn_compliance_control_objective_item)
This table is used to associate a control objective with a specific item (e.g., an asset or CI). It tracks how a control objective relates to items associated with certain risks or compliance areas.

Control Objective to Control Objective (sn_compliance_m2m_policy_stmt_policy_stmt)
This table is used to link control objectives to each other. It manages how one control objective affects or relates to another control objective.

Control objective requirement (sn_compliance_policy_stmt_requirement)
This table is used to define specific requirements related to a control objective. It specifies which requirements each control objective should meet.

 

1. What is a Control Objective Requirement?

A Control Objective Requirement (Table: sn_compliance_policy_stmt_requirement) defines the specific requirements that a control objective must meet. In the context of Governance, Risk, and Compliance (GRC), it details the specific actions or procedures necessary to comply with certain regulations or standards.
For example, a control objective related to information security might have a requirement like "Passwords must be at least 8 characters long." This requirement supports the control objective and explains how to achieve compliance.

2. Why and when do we add records to "Control Objective to Control Objective"?

The Control Objective to Control Objective table (Table: sn_compliance_m2m_policy_stmt_policy_stmt) is used to define relationships between multiple control objectives. This is used when multiple control objectives need to be interconnected to achieve specific risk or compliance goals.

Why and When:

  • Why: To clearly define the relationships between control objectives and understand how they work together to achieve overall compliance or risk management. This ensures that controls across the organization function consistently.
  • When: This is used mainly when control objectives are interdependent or have a parent-child relationship. The table is not just for simple parent-child relationships but is also used when there are specific interactions or dependencies between related control objectives.

Note: When simply setting up a parent-child relationship, the control objective table is typically used directly. This table is used when more complex relationships are necessary.

3. What are Items and Configuration Control? How are they related to Control Objectives?

Items and Configuration Control represent the actual objects or processes related to a control objective.

  • Items:

    • What: Items refer to actual entities related to a specific control objective, such as assets, configuration items (CIs), or documents.
    • Relation to Control Objectives: Control objectives define the rules or guidelines that apply to these items. Items are critical elements for risk management or compliance, and control objectives assess whether they are being properly managed.
  • Configuration Control:

    • What: Configuration control refers to specific controls that manage the settings of systems or processes, such as security configurations or network settings.
    • Relation to Control Objectives: Control objectives ensure that these configurations are appropriate and meet the criteria needed to minimize risk. For example, if a control objective states that "All devices must have the latest patches applied," the configuration control would be the specific settings or procedures that ensure this happens.

These elements provide the technical and physical foundation that supports the execution of control objectives.


3 REPLIES 3


Sid_Takali
Kilo Patron

Hi @KrithikaV, these tables are installed with the components installed with Policy and Compliance Management.

[sn_compliance_m2m_policy_stmt_policy_stmt_rqmt]  :

Many-to-many relationship table that is used to manage relationships between control objective and control objective requirement.

 

[sn_compliance_policy_stmt_requirement]  : 

Stores the requirement number and the requirement description of a control objective requirement.

 

Have a look at these docs: https://docs.servicenow.com/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-com... 

https://docs.servicenow.com/bundle/xanadu-governance-risk-compliance/page/product/grc-policy-and-com... 

 

 
