How to save a lot of use case data for a policy exception?
02-13-2025 12:07 PM
Hello Community!
My question is rooted in a use case which we implement in Policy & Compliance Management. I'll try to explain as best as I can in a fictional use case.
Use Case
Policy: Reports are not allowed to contain personal data. (Reports are being created in different tools of our company, other than ServiceNow. Do not think of SN reports.)
Policy Exception: Sometimes there absolutely is no other way than to have a report containing personal data. These reports will be approved/denied by a group of approvers via PEs.
So far so good. Now for the tricky part!
This group of approvers wants to persist a lot of use case data when a PE is processed. The approved/denied reports including the additional data have to be published publicly in our company. E.g. in a dashboard in our SN instance.
Additional data could be something like:
* department that created the report
* department that uses the report
* report name
* report description
* report justification
* tool in which the report was created
* report number
* conditions under which the report containing personal data is being allowed to be used
* ...
Some of the additional data can be persisted in the PE fields, but not all of it in a sensible manner.
Question
Is there a way we can persist the additional data so that it can be published afterwards? (e.g. in a list view)
Condition: I do not want to create a new table in order to persist this additional data.
Option: We are open to divide the additional data onto different components than just a Policy Exception, as long as we can publish them coherently afterwards. Maybe we have to even leave the context of PCM and use another application from GRC?
I hope I could articulate our conundrum comprehensibly.
Best regards and thank you in advance for your help! 🙂
Max
02-13-2025 11:38 PM
After additional research, I begin to wonder if an "exception questionnaire" could be the best solution for my problem?
02-19-2025 09:14 AM
Not too familiar with the Exception Questionnaire yet, but if the Personal Data is in here and not on the PER, you should make this Confidential and not have anything on the Policy Exception.
02-19-2025 09:13 AM
I suggest using the "Confidentiality" flag on the Policy Exceptions which contain personal Data. This allows you to control who will have visibility to the records.
For reporting, you should be able to pull in the fields as noted, as long as you've configured them to be allowed when the record is marked Confidential. Only the Allowed users/groups would be able to see those fields, otherwise it would be blank.
02-23-2025 10:52 PM
Hello Mehernosh.
Personal data is in the reports which are not compliant with the policy. In the policy exception there is no personal data.