Eric Feron
Moderator
Moderator

New GRC users have a lot to learn to make the best of the GRC product for their own particular use cases.​

"After playing in GRC for a couple weeks and going through the various training materials, I have a few questions."​

We recommend to select and hire an implementation partner, to take the recommended training, to view the free tutorials available on the community but there are always questions that linger, clarifications that are needed to really feel comfortable with the various features of the product.

With the help of GRC community experts, we take a look at some of these questions.

 

Video contents:

00:01 Introductions

01:16 Is it normal/acceptable to NOT have Controls assigned to every entity in an entity type? Tip: Control Owners can remove Controls attributed to them because of an Entity Type. Not typical.

04:18 Is it normal/acceptable to have a lot of Entity Types? Tip: Start simple, "crawl, walk, run ".

05:50 It doesn’t look like any authority documents/citations were loaded with the SOX Content pack.

06:47 Entity Filters - I’m having trouble understanding their purpose, and what is the impact if the filters aren’t created? Tips: Use Entity Filters to create new Entities (beyond those that are provided). It is possible to have more than one Entity Filter.

09:42 Entity Classes - Are these just an additional reporting/filtering aid or do they play any additional roles? Workbench is a very powerful tool that leverages Entity Classes. Entity Classes are first used for reporting. Entity Classes are also used to build a representation of the aggregation journey. Link Entity Classes so they roll up through the organization (using workbench).

14:09 Have you seen any other companies start with their risk framework in determining their use cases/phases and/or what pitfalls do you see with this approach? Tip: Build your data and system so they can be used for future use cases. Tip: Undertake a GRC readiness Assessment (check the tutorial on the forum).

20:27 There was an error message at the top of the Authority Documents screen “Invalid policy or risk framework”. Is this an error you’re familiar with?

21:32 Conclusion

 

Many thanks to Eric Le Martret, Raphaël Cardoso and Jagan Rao.

Comments
Community Alums
Not applicable

Thanks a lot Eric for the invite! If you have any issue or doubt regarding the topics, please give us a shout

Maros Takac1
Tera Contributor

@Eric Feron would you be able to shed some light on a less discussed topic of "Entity Tiers". How do they fit into the overall entity landscape ? do they drive any logic/business rules ? Furthermore, Entity Class rules are currently table based only. We need to set up two standard entity classes "Vendor" and "Company", both being stored in the same "core_company" table. Using the existing entity class rules, it is impossible to differentiate between Vendors and Companies unless we customize and introduce the condition builder field... Has anyone raised this before as an issue/design limitation ?

Many thanks

Maros

 

Eric Feron
Moderator
Moderator

Hello Maros,

to answer your question appropriately we need to know a little more about your implementation:

 

1- What version of the software are you using?

2- Has it been heavily customized or mostly out of the box?

 

Let's please start with this.

Thank you,

EF

Maros Takac1
Tera Contributor

Hello Eric,

1. We are currently on New York

2. with regards to GRC, we are very much out of box

Cheers

Maros

dsarazen
Kilo Contributor

"We recommend to select and hire an implementation partner, to take the recommended training...." My Company has refused to do this. Are we just wasting our time trying to learn it all on our own? Spreadsheets just seem so much more doable. 

Eric Feron
Moderator
Moderator

Hello @dsarazen ,

The opportunity cost of not having a solid implementation partner exceeds the cost of the partner (or ServiceNow's professional services).

Having said that, there are examples of customers that successfully implemented on their own.

We dont really have a roadmap for these scenarios because they are quite rare.

It sounds like you are headed own that route. There are lots of resources available to you. The free tutorials here are designed to help and this community will be your daily companion...

It is however essential that you take and your teams follow the training classes.

Let us know how you progress.

E

dsarazen
Kilo Contributor

Thank you for the response.

Anushree Randad
ServiceNow Employee
ServiceNow Employee

Hi Maros,

The entity tiers are used for creating entity hierarchy. Based on the tiers and the entity classes associated with those tiers, you would be able to relate upstream and downstream entities. For e.g., if you have 3 tiers and associated entity classes as follow:

'Business Services' Entity Class --> Associated with 'Business' Tier (Tier level - 10)

'Business Applications' and 'Business Processes' Entity Classes --> Associated with 'Applications' Tier (Tier level - 20) And

'Computers' and 'Software Assets' Entity Classes --> Associated with 'IT assets' Tier (Tier level - 30)

Based on the tier level, the classes can be related to each other in a hierarchy. So in above case, the hierarchy will look like this:

Level 1 - Business Services

Level 2 - Business Applications, Business Processes

Level 3 - Computers, Software Assets

So when you are building the entity hierarchy, you can only see upstream and downstream entities to associate with based on the defined tiers and related classes. 

Let me know if this is not clear, or if you have more questions.

Also you made a great point about having a condition builder for creating a class.We haven't heard of this request from any other customer as yet, but I will make a note of it for future consideration.

 

Thanks,

Anushree Randad

Principal Product Manager - GRC

ServiceNow

Version history
Last update:
‎06-18-2020 04:34 PM
Updated by: