New GRC users have a lot to learn to make the best of the GRC product for their own particular use cases.
"After playing in GRC for a couple weeks and going through the various training materials, I have a few questions."
We recommend to select and hire an implementation partner, to take the recommended training, to view the free tutorials available on the community but there are always questions that linger, clarifications that are needed to really feel comfortable with the various features of the product.
With the help of GRC community experts, we take a look at some of these questions.
01:16 Is it normal/acceptable to NOT have Controls assigned to every entity in an entity type? Tip: Control Owners can remove Controls attributed to them because of an Entity Type. Not typical.
04:18 Is it normal/acceptable to have a lot of Entity Types? Tip: Start simple, "crawl, walk, run ".
05:50 It doesn’t look like any authority documents/citations were loaded with the SOX Content pack.
06:47 Entity Filters - I’m having trouble understanding their purpose, and what is the impact if the filters aren’t created? Tips: Use Entity Filters to create new Entities (beyond those that are provided). It is possible to have more than one Entity Filter.
09:42 Entity Classes - Are these just an additional reporting/filtering aid or do they play any additional roles? Workbench is a very powerful tool that leverages Entity Classes. Entity Classes are first used for reporting. Entity Classes are also used to build a representation of the aggregation journey. Link Entity Classes so they roll up through the organization (using workbench).
14:09 Have you seen any other companies start with their risk framework in determining their use cases/phases and/or what pitfalls do you see with this approach? Tip: Build your data and system so they can be used for future use cases. Tip: Undertake a GRC readiness Assessment (check the tutorial on the forum).
20:27 There was an error message at the top of the Authority Documents screen “Invalid policy or risk framework”. Is this an error you’re familiar with?
@Eric Feron would you be able to shed some light on a less discussed topic of "Entity Tiers". How do they fit into the overall entity landscape ? do they drive any logic/business rules ? Furthermore, Entity Class rules are currently table based only. We need to set up two standard entity classes "Vendor" and "Company", both being stored in the same "core_company" table. Using the existing entity class rules, it is impossible to differentiate between Vendors and Companies unless we customize and introduce the condition builder field... Has anyone raised this before as an issue/design limitation ?
"We recommend to select and hire an implementation partner, to take the recommended training...." My Company has refused to do this. Are we just wasting our time trying to learn it all on our own? Spreadsheets just seem so much more doable.
The opportunity cost of not having a solid implementation partner exceeds the cost of the partner (or ServiceNow's professional services).
Having said that, there are examples of customers that successfully implemented on their own.
We dont really have a roadmap for these scenarios because they are quite rare.
It sounds like you are headed own that route. There are lots of resources available to you. The free tutorials here are designed to help and this community will be your daily companion...
It is however essential that you take and your teams follow the training classes.
The entity tiers are used for creating entity hierarchy. Based on the tiers and the entity classes associated with those tiers, you would be able to relate upstream and downstream entities. For e.g., if you have 3 tiers and associated entity classes as follow:
'Business Services' Entity Class --> Associated with 'Business' Tier (Tier level - 10)
'Business Applications' and 'Business Processes' Entity Classes --> Associated with 'Applications' Tier (Tier level - 20) And
'Computers' and 'Software Assets' Entity Classes --> Associated with 'IT assets' Tier (Tier level - 30)
Based on the tier level, the classes can be related to each other in a hierarchy. So in above case, the hierarchy will look like this:
Level 1 - Business Services
Level 2 - Business Applications, Business Processes
Level 3 - Computers, Software Assets
So when you are building the entity hierarchy, you can only see upstream and downstream entities to associate with based on the defined tiers and related classes.
Let me know if this is not clear, or if you have more questions.
Also you made a great point about having a condition builder for creating a class.We haven't heard of this request from any other customer as yet, but I will make a note of it for future consideration.
