Entity Scoping: How GRC Community experts do it (28 min).

Eric Feron · ‎05-19-2020

Four GRC Community contributors and experts share their tips and experience to help you plan and structure your Entities, Entity Types, Entity Classes. 17 tips from those who have done it so many times before.

This is a must see whether you are about to get started with your Entity Scoping exercise or reviewing your existing structure.

I promise you that after watching this, you will be so comfortable doing (or reviewing) your own Entity Scoping.

Speakers:

Eric Le Martret

Rafaël Cardoso

Philip Swann

Scott Ferguson

(This is the edited recording of the excellent May 15, 2020 virtual meeting).

Video contents:

00:01 Introduction

00:31 Eric Le Martret.

00:56 Tip 1: Good quality data will help.

02:17 Tip 2: Focus on the items that matter.

03:34 Tip 3: Get the right level to make it all manageable (make sure Entities are items that are owned by someone).

05:54 Tip 4: Crawl, walk, run.

06:20 Tip 5: Examples of Entity Types: Companies, Business Units, Departments, Business Services, Applications, Servers, Vendors, Business Processes...

06:59 Philip Swann.

07:30 Tip 6: Leverage the GRC Choice Table.

07:57 Demo.

10:33 Tip 7: Setup your Entity Classes early. Entity Class Rules, Advanced Risk Assessment, Risk Hierarchy, GRC Workbench, Reporting.

12:08 Tip 9: Differences between Entity Type and Entity Class. An Entity can be in several Types, but only in one Class.

12:53 Rafaël Cardoso.

13:00 Tip 9: Set Entity Class Rules, Classes and Types.

13:26 Tip 10: Set your long term roadmap, what is your goal.

14:17 Tip 11: Start with ServiceNow's out of the box samples and grow from there.

14:50 Scott Ferguson.

15:10 Tip 12: Simply define the places, people and things that you want to manage: Entities.

18:54 How to define your Entity Types (slides).

21:27 Tip 13: Entity Types are categories of places, people and things that you want to manage.

21:55 Tip 14: The right Control will get automatically assigned to the right Entity.

22:16 So, how many Entity Types should their be in the end?

24:21 Entity Classes: essential or optional? (demo)

24:33 Tip 15: Classes will become increasingly important. An Entity can be in several Types, but only in one Class.

25:05 Tip 16: Entity Classes are used to assess across Entity Types.

26:19 Eric Le Martret.

26:35 Tip 17: Classes are used for aggregation and roll-ups.

26:40 Scott Ferguson. The Workbench. Risk roll-ups (demo).

28:00 Conclusion.

For any question, please post below.

Pranav Bhagat · ‎05-19-2020

Thank you for sharing .I just love this application. I also wrote some articles on GRC .

Link to my articles:

Please do share your feedback.

jing3 · ‎05-27-2020

I would add one other TIP:

If there is no good CMDB to use, one can always start with creating Entity Manually (uncheck 'refers to existing record' on entity). Use the Entity Type the same way as before. This would get the project started and get the most benefits of out of GRC. Automate Entity creation when time is ready.

Rushikesh Mandh · ‎05-28-2020

These tips are imperative from the process standpoint as entity scoping can be the most time consuming & confusing activity in a GRC implementation if there's a lack of clarity.

Very much appreciated & looking forward to more good stuff! Thank you!

Phil Swann · ‎05-28-2020

Thanks Jing great point, additionally the ability to build 'manual' Entity Types (without Entity Filter, using Entities > Edit) even with Entities which might have already been generated!

Regarding the Independent Entities filter specifically this is a great addition since NY, but before embarking on this route I like to discuss the exit strategy. How to move back to a 'proper' entity, as and when they start to surface in the platform data. Any thoughts on that?