
VaranAwesomenow
Mega Sage

ServiceNow CIS IRM is a very good exam to test your knowledge of ServiceNow IRM-related modules. In this YouTube playlist I have covered the notes that I created as part of my exam preparation.

I have also created a set of bookmarks for quick reference to various useful content that helps with exam preparation.

Link to Youtube playlist

 

Bookmarks

Credentials - Certified Implementation Specialist - Risk and Compliance Mainline Exam Blueprint Governance, Risk, and Compliance release notes ServiceNow Store Learning Course - Now Learning Learning Course - Now Learning Learning Course - Now Learning Learning Course - Now Learning Customization Best Practices - Customer Success - ServiceNow Business-smart customization - business-smart-customization.pdf customization-best-practices.pdf Now Value – Customer Success – ServiceNow Now Create Home - Now Create risk-and-resilience.pdf NC Search - Now Create Partner | Sales Resources | Sales Success Center Partner | Impact | Sales Success Center ServiceNow Partner Program | Sales Success Center GRC Business User Role (sn_grc.business_user) - Support and Troubleshooting Customer Success Center - ServiceNow Customization Best Practices - Customer Success - ServiceNow Compliance Dictionary | Unified Compliance Framework Unified Compliance Framework | Home Before Query Business Rules - The *Other* Access Control - Support and Troubleshooting - Now Support... How to configure GRC User hierarchy access control for custom tables - Support and Troubleshooting -... Product Documentation | ServiceNow Product Documentation | ServiceNow Product Documentation | ServiceNow Home - ServiceNow Community Entities (fka Profiles) in a few words - A very si... 
- ServiceNow Community Home - ServiceNow Community Setup checklist for the GRC: Policy and Compliance Management application Groups | VARAN PROD CreatePolicy NIST.SP.800-53r5.pdf Product Documentation | ServiceNow Knowledge Article View - Now Support Portal Policy Exception Integration - Support and Troubleshooting Product Documentation | ServiceNow Multiple controls for a unique entity–control objective combination Risk Management implementation Product Documentation | ServiceNow Components installed with Advanced Risk Product Documentation | ServiceNow GRC Risk Workspace Knowledge Article View - Now Support Portal Factors in Advanced Risk Assessment Knowledge Article View - Now Support Portal Home - ServiceNow Community Product Documentation | ServiceNow Managing risk responses Project Risk Assessment using Advanced Risk Assessment Associate an item in application table to a control objective Configure compliance data source registry Set up of generic framework compliance data source registry - Product Documentation: San Diego Product Documentation | ServiceNow GRC: Metrics in Integrated Risk Management Risk appetite and tolerance in Advanced Risk Learning Course - Now Learning - Classic Risk Assessment Common controls in Risk Management Last15Min SNGRC_Log | VARAN PROD grc fundamentals Learning Course - Now Learning CIS Downloads CCG Dashboard | ServiceNow Create Blog Post - ServiceNow Community

 

Notes


**************************ServiceNow CIS IRM Certification Notes**************************
Document, content and item

DRA-PuRe
A DRAcula that only likes to drink PuRe blood
DRA-PuRe


1. ServiceNow store releases
Version numbers 16.0.3 Feb 2023
2. Exam Prep
irm fundamentals
irm implementation
classic risk fundamentals
audit management implementation
3. GRC labels and names
Label| Class
entity class -> sn_grc_profile_class
entity type -> sn_grc_profile_type
entity -> sn_grc_profile
control objective -> sn_compliance_policy_statement

servicenow term -> Alternate terms
Control objective -> Control , control template, requirement, policy statement
entity -> scope def, scope object, target, profile
entity Type -> entity group
Control -> control instance
Risk Statement -> risk template
Issue -> findings

GRC maturity level and usecases
1. 0 - Manual -> spreadsheets
2. 1 - Basic -> semi-automated IRM process, adoption limited to IRM orgs, mostly bottom-up, documented centrally managed policy and compliance.
3. 2- Repeatable -> visibility and performance ->
Expand IRM to 2-3 usecases,
Adoption expansion to process and control / risk owners,
monitoring on point in time basis
visibility through dashboards & PA
start top-down leveraging entity engine.
4. 3-Managed -> predict and prioritize ->
IRM implemented in 4-5 usecases
Mature existing usecases with further automated capability
cross-functional process automation
continuous real-time monitoring of control performance, risk scoping, reduction in admin overhead etc.
5. 4- Optimized ->integrated enterprise wide
IRM fully adopted in 4-5 usecases
risk aware enterprise and embedded controls
management by the risks
continuous control monitoring & continuous risk assessment across multiple platforms
single Risk & control framework across the enterprise available at all stakeholders (LoBs, management, etc)

Usecase :
4-6 weeks to hear response from management

Roles :
Technical consultants
Risk and compliance experts
Primary stakeholder -> compliance / RCM project team -> Project lead (head of compliance), compliance manager, compliance analyst
-> Risk project team -> Project lead (head of risk)-> Risk manager -> Risk analyst
-> Platform admin -> platform dev -> cmdb + foundation data owners -> internal audit
frequently used tables for import or integration ->
Authority Document
Citation
Control Objective -> customers control matrix or Risk register
Risk Statement
Evaluate current state
Now create
prioritize journey
action items
use case examples
Greenfield project -> Private to public
Replace legacy systems -> build from existing
ucfmapper.com
https://www.pwc.co.uk/services/risk/governance-risk-and-compliance.html

Sample Implementation Approach
******************************
1. Phase 1 -> Regulatory Guidance, Policy lifecycle management, Control mapping, control attestation, data setup
2. Phase 2 -> control testing, issues management, policy exceptions
3. phase 2/3 -> risk register, risk framework
4. phase 3 -> risk assessment, continuous monitoring
5. phase 4 -> risk (loss) events

Now on Now
**********
835K savings annually via automated workflows
$2.6M Saved annually automating end-to-end GRC processes
160 policies managed and published via portal
66% reduction in quarterly control certification
50% reduction in time to perform control testing with continuous monitoring
85% reduction in the time needed to track status, thanks to real-time reporting and dashboards
90% reduction in coordination efforts with external auditors now using ServiceNow GRC to gain direct, transparent access to all our GRC data


Minimum role requirement to see GRC apps and modules -> sn_grc.business_user (in earlier versions, 14.x: snc_internal)

GRC Role matrix :
Compliance Developer [ GRC Developer(sn_grc.developer)] ->
Compliance Admin (sn_compliance.admin) [GRC Admin (sn_grc.admin)] ->
Compliance Manager (sn_compliance.manager) [GRC Manager sn_grc.manager]
Compliance User (sn_compliance.user) [GRC user sn_grc.user]
Compliance Reader (sn_compliance.reader) [GRC Reader sn_grc.reader]

Risk Admin (sn_risk.admin) [GRC Admin (sn_grc.admin)]
Risk Manager (sn_risk.manager) [GRC Manager sn_grc.manager]
Risk User (sn_risk.user) [GRC user sn_grc.user]
Risk Reader (sn_risk.reader) [GRC Reader sn_grc.reader]

RCM Regulatory Change Management Admin
sn_grc_reg_change.admin -> contains sn_grc_reg_change.it_admin and sn_grc_reg_change.manager
sn_grc_reg_change.it_admin -> Doesn't contain the RCM manager role

Application administrators (Technical / Tactical) ->
Compliance Admin
RCM Admin
Risk Admin (contains sn_risk_advanced.ara_admin)

sn_grc.x roles shouldn't be directly assigned to anyone except for developers
Attestation creator -> used for creating GRC attestation metric type (contains assessment admin role)
Risk assessment creator -> used for creating grc risk assessment metric type (contains assessment admin role)
GRC admins can do everything that GRC managers for their area can do

Compliance team (Low technical / medium non-technical / medium strategic / low tactical)
compliance manager
compliance user

RCM team (Low technical / medium non-technical / medium strategic / low tactical)
RCM manager , RCM user

Risk team (Low technical / medium non-technical / medium strategic / low tactical)
Risk manager, Risk user

Enable Intrusion -> trigger is bypassed and user has to provide the starting record.

GRC business user role (sn_grc.business_user)
Issue owner
issue triage submission and request
evidence request tasks
evidence request manager approvals
observation respondent
approver and assessor of advanced risk assessment
read access on risk statement, risk assessment, scope, rating criteria, ARA, risk event config

how its assigned
customers (upgrading)
auto-applied to all users who performed a GRC operation in the last 90 days
adding future users will require a process.
customers (initial install)
all users need a process to get a role

integration scenarios between GRC and other Now products
Ex: Vulnerability user with sn_grc.business_user role can request a policy exception from GRC: Policy and Compliance Management

Implementation stakeholders
Board of directors
IT steering committee
CISO or CRO
Audit committee
all levels of management
full-time team
Implementer
tech consultant
business process analyst
client
servicenow dev team
part-time team
Implementer
risk and compliance experts
OCM
architect
Client
Risk and compliance experts
CMDB process owner
Foundation data process owners
Internal audit experts

GraphML image of various modules

ARA Roles
Risk Admin (sn_risk.admin)
Risk manager (sn_risk.manager)
Risk User (sn_risk.user)
Risk reader (sn_risk.reader)
ARA Reader (sn_risk_advanced.ara_reader)
ARA creator (sn_risk_advanced.ara_reader)
GRC Business user
ARA Assessor (sn_risk_advanced.ara_assessor)
ARA Approver (sn_risk_advanced.ara_approver)
ARA Admin (sn_risk_advanced.ara_admin)

workspace roles
compliance workspace
sn_compliance_ws.corporate_compliance_manager
sn_compliance.manager
sn_compliance_ws.coporate_compliance_analyst
sn_audit.manager
sn_compliance_ws.coporate_compliance_analyst
sn_compliance.user
sn_audit.user

risk workspace
sn_risk_workspace.it_risk_manager, sn_risk_workspace.operational_risk_manager,
sn_risk.manager
sn_compliance.manager
sn_audit.manager
sn_risk.workspace.business_op_risk_manager
sn_risk.user
sn_audit.user
sn_compliance.user

Loading data
Manual entry
Manual
HTML
Import
Transform Maps
Multisource types
JDBC
HTTP/FTP
Excel
CSV
XML
customer provided spreadsheets, data sources like SAP etc
Content providers
subscription to 3rd party providers
REST / SOAP
Provide both primary and relationship records
GRC: content UCF
Edgile ARC
Risk spotlight OpRisk Library
LexisNexis
Accelerators
content and functionality for activities performed on provided content
implementer can config post installation
GRC:NIST CSF usecase accelerator
GRC:Technology Controls Monitoring accelerator
GRC:Cybersecurity controls accelerator
GRC:SOX content pack
GRC:Continuous authorization monitoring

GRC Policy and Compliance Integrator Application
common framework to import content from 3rd party to GRC policy and compliance management
on store
staging tables and transformation
sn_grc_cim.admin role

SLAs (Service level agreements)
GRC: Profiles & GRC :Advanced Core -> Incident task, issue, issue triage, remediation task, evidence request
GRC: Policy & compliance : Policy exception, Acknowledgement campaign
GRC:Risk Management, GRC :Advanced risk -> Risk response task (acceptance, avoidance, mitigation or transfer), risk mitigation task, risk event
risk event task
GRC:Regulatory change management : Regulatory task, regulatory change task, action task

Notifications
Policy acknowledgment campaign reminders
GRC mobile application notifications on pending approval requests
Policy exceptions notifications
Issue notifications (triage issues and issues)

Security and visibility considerations
1. Employees with the sn_compliance.user role outside of the compliance team shouldn't be able to see our NIST compliance.
2. Managers and above should see the cost of specific risks occurring to the business; only senior execs should be able to see aggregated risk reports.
3. Clearly identify compliance issues that require follow-up or investigation.
Options
ACL customization
new filtered list views
new modules with specific role access
generated read ACL for appropriate tables
Business rule customization
before query business rule
restrict row access
should be used in conjunction with ACL rule to restrict field level access
ex: return only certain records if you are member of a group x or have group x role.
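An added example (not from the original notes) of the before-query business rule described above, for the first consideration: the table sn_compliance_control, the hypothetical field u_framework, the hypothetical group "NIST Compliance Team" and the owner field are assumptions. The decision is kept in a pure function so it can be tested outside the instance.

```javascript
// Constructed sample configuration for the rule (assumed names, not from the notes).
var NIST_VISIBILITY = {
  frameworkField: 'u_framework',                    // hypothetical field naming the framework
  frameworkValue: 'NIST',                           // rows tagged with this value are restricted
  ownerField: 'owner',                              // control owner reference on the row
  allowedGroup: 'NIST Compliance Team',             // hypothetical group that may see all NIST rows
  bypassRoles: ['admin', 'sn_compliance.manager']   // these roles are never filtered
};

// Pure decision function so the row-level rule can be unit-tested outside the instance.
// user: { id: <sys_id>, hasRole(roleName) -> bool, isMemberOf(groupName) -> bool }
// Returns null when the user may see every row, otherwise the restriction to apply.
function nistRowRestriction(user, cfg) {
  for (var i = 0; i < cfg.bypassRoles.length; i++) {
    if (user.hasRole(cfg.bypassRoles[i])) return null;
  }
  if (user.isMemberOf(cfg.allowedGroup)) return null;
  // Everyone else: rows of other frameworks, plus NIST rows they personally own.
  return { field: cfg.frameworkField, value: cfg.frameworkValue,
           ownerField: cfg.ownerField, ownerId: user.id };
}

// Business rule body (When: before, Query: checked, Table: sn_compliance_control).
// addQuery/addOrCondition is used rather than an '^OR...' encoded string so the OR
// is grouped with our own condition and does not combine with conditions the caller
// already placed on the query. Field-level restriction still needs the ACL.
// The typeof guard only lets this file load outside an instance (e.g. in Node for tests).
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
  (function executeRule(current, previous /*null when async*/) {
    var gu = gs.getUser();
    var userCtx = {
      id: gs.getUserID(),
      hasRole: function (r) { return gs.hasRole(r); },
      isMemberOf: function (g) { return gu.isMemberOf(g); }
    };
    var r = nistRowRestriction(userCtx, NIST_VISIBILITY);
    if (r) {
      // Rows outside the filter never reach the list, report, or table API for this user.
      current.addQuery(r.field, '!=', r.value).addOrCondition(r.ownerField, r.ownerId);
    }
  })(current, previous);
}
```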

User hierarchy
*************
Managers can see records of those users who report to them.
System properties to be configured
GRC Profiles : sn_grc.enable_user_hierarchy_access_control
sn_grc.user_hierarchy_sync_frequency
sn_grc.batch_size_to_sync_user_hierarchy
Supported tables
sn_grc_user_hierarchy
sn_grc_user_hierarchy_configuration

List layout changes
User hierarchy 1, User hierarchy 2 and Hierarchy status are 3 fields that get added, for example to the issue table.
status of user hierarchy -> awaiting processing, processed
processed if issue manager is listed
once processed anyone in User hierarchy 1 can see, user hierarchy 2 can see.
Business rule : Set issue usr hrchy status and raise event
sn_grc.business_user_role
sn_grc.business_user_lite
user hierarchy -> sn_grc_user_hierarchy table, field Hierarchy contains list of users who are in users hierarchy

Confidentiality
***************
enable sn_grc.enabled_record_confidentiality; once enabled it can't be turned off
Module -> GRC Confidential records
All Risk events, Engagements, All Audit tasks, observations, issues, remediation tasks, evidence request tasks, policy exceptions.
sn_grc.confidential_user role can see all modules

Confidentiality tab on forms
include allowed users and allowed groups
write access required to mark record Confidential
notifications are sent
auto-population of allowed users
user that sets the Confidentiality flag is added to allowed users group
additional users are automatically added depending on the table
To enable Confidentiality, the **system administrator** should navigate to Policy and Compliance -> Administration -> GRC Properties
Application scope : GRC:Profiles
Check system property enable system level Confidentiality

Entity scoping
**************
Entity type -> grouping of entities and each type has its own owner.
Departments and vendors, applications & business services, Databases & servers
Use entity filters to create entity types
When entity type is applied to control objective controls are created, control owner will be same as entity owner.
When entity type is applied to risk statement risks are created, risk owner will be same as entity owner.

Entity classes ->
How to get risk and compliance posture for all my business applications across all divisions in the business
Entity classes are used to tag entities
Way to tag entities across different entity types
classes can roll up into one another
Department, Business app, business services, servers, databases
Use GRC Workbench

Tiers
Risk posture for most important items across all divisions in the business
Hierarchy levels
Associated to several classes
Applies to all entities in that class
How lower tier entities are affecting higher tier entities
Any tier 1 class or entity will be upstream to the T2 classes (entities)

Business tier 1, application tier 2, IT asset tier 3, etc

Creation sequence
Create Tiers
Create class rules and classes
associate classes with Tiers

Create types
Create entity filters (automatically create entities)

Newly created entities get automatically tagged with the right class and tier (can also be done manually)

Identify data sources for entities
document tiers, classes and types
run your entity scoping workshop

Entity scope definition (Entity type) is related to specific risk statement and control objective relevant to their unique condition.
Entity types
1. Contains financial data
2. Is Internet facing
3. Contains Customer Data

Starting points
1. Review regulations applicable to customer
2. Places, people, things need to be compliant
3. role /teams /business units are responsible
4. describe existing framework used for controls and risks
5. review existing risk register and control Library
6. define areas to audit/ current gaps and existing auditable units

approaches
1. Operational
-> scoping is done at specific CI level, individual user, project
2. Strategic
-> scoping is done at services / business processes


Entity generation to entity ownership
1. Determine which tables you should use when scoping
2. research source table data for accuracy and integrity

Entity filter (source table) | Entity type | Entities
1. core_company | Vendors | hotels
2. cmn_department | Department | HR, Accounts
3. cmn_location | Travel branches | Travel branch locations
4. cmdb_ci_service | Business services | payment handling
5. cmdb_ci_db_instance | CTA databases | CTA primary, CTA replication
6. sys_user_group, cmdb_ci_group, sysapproval_group | Senior travel consultant | employees involved in pilot
7. cmdb_ci_business_process | Customer support | payment handling

which tables are core tables
1. cmn_
2. sys_
3. core_

system property -> frequency of syncing the entity owner to source record


Entity filter and entity ownership sync
Default owner, use owner field, source field for owner, auto-update owner, empty owner
Reference existing servicenow tables
entity class is a requirement when using an entity filter
when record matches filter condition entities will be created
when a record no longer match filter conditions one of the two will happen
1. entities related to single entity type
All controls, risks and other related records will be set to retired.
2. entities related to multiple entity types
Only the records related to the entity type where the entity is no longer valid will be retired.
the entity will not be inactivated.
multiple filters can be defined for an entity type
Scheduled job : GRC Cleanup Invalid Entities -> deletes entities that are no longer active and will delete any and all related records
on entity record select auto-update entity owner to keep it in sync with source record owner.
Entity classes
Create entity classes to show relationships between tables or objects you are tracking that otherwise don't exist elsewhere in ServiceNow
similar to tags stored in a field on entity
can be setup in a hierarchy
not related to entity types
can be setup later in implementation process.
entity management -> Define roll up of entities, controls, risks
regulatory change -> entity classes determine which entities can be assigned an impact assessment
impact assessment help determine if an event is applicable to the organization
risk assessment -> RAM (templates) are defined for an entity class.
Taxonomy -> categorization
Company organization structure
Cost center structure
business capabilities
business strategies -> execution
business services
internal services provided
services provided to customers
business processes
geo organization
Entity class configuration
Setup classes
entity class rule -> Run only on new entities
manual update
GRC workbench dependency model -> only available in classic UI
builds relationship between entity classes
not all business services will roll up to all Departments
use dependency map to create specific relationship
Entity classes are used to create upstream and downstream relationships
entity type doesn't allow data to be rolled up into different structure.

In order to enable ARA enable system property -> migrate to advanced risk assessments -> Yes
Advanced risk assessments -> administration -> Properties
Class rule :
Risk -> Administration -> Class rules
Table and Class are fields on class rule
Class rule assigns class to entities
After class rule is created run Scheduled job GRC Profile Generation
Risk -> Scoping -> All Entities

How to bulk update entity class
Policy and compliance -> Administration -> Bulk Update Entity Class

Table structure

GRC: Profiles (base) | GRC: Policy and Compliance | GRC: Risk Management
Document (sn_grc_document) | Authority Document, Policy | Risk framework
Content (sn_grc_content) | Control Objective, Citation | Risk Statement
Item (sn_grc_item) | Control | Risk

Any objects such as BRs, client scripts defined for parent table applies to child tables
Document, content and item are tables in the GRC: Profiles scope; tables in Policy and Compliance and Risk Management extend the tables from GRC: Profiles

Entity Type
sn_grc_profile_type
entity filter
sn_grc_enrichment_query
entity type to entity
sn_grc_m2m_profile_profile_type
Entity
sn_grc_profile
Entity Class

Common tables
Global | GRC: Profiles
task | indicator task
base indicator (sn_grc_base_indicator) | indicator
planned task | issue

GRC : Policy and compliance Setup
Setup users, groups and roles
Set properties
Configure policy and policy exception workflow states, forms, user access and automation
Configure policy acknowledgment campaigns, define response captures, audiences and frequencies
Configure control workflow states, forms, user access and automation for attestation outcomes
create policies, control objectives and control indicators
configure workspaces and reports
Primary table relationships
Content (sn_grc_content):
Authority document (sn_compliance_authority_document) --1:M--> Citation (sn_compliance_citation)
Citation --M:M--> Control Objective
Policy (sn_compliance_policy) --M:M--> Control Objective (sn_compliance_policy_statement) --1:M--> Item (sn_grc_item): Control (sn_compliance_control)

Policies, control objectives, citations can be nested to parent-child
single control objective can be related to multiple Policies
single control objective can be related to multiple citations -> Test once and satisfy many
authority documents and citations are optional
authority documents and controls cant be nested into parent and child relationship


Entity type(sn_grc_profile_type) -> Entities
M:M Risk statement (sn_risk_definition) (GRC:Risk)
1:M Risk (sn_grc_risk)
M:M Control Objective (sn_compliance_policy_statement) (GRC: Policy and compliance)
M:M Indicator template (sn_grc_indicator_template) (GRC: Profiles)
1:M Indicator (sn_grc_indicator)
1:M Control (sn_compliance_control) M:M Indicator
control attestation
asmt_assessment_instance (Global)
Issues (sn_grc_profile) grc:profiles

control table is primary table where most of the daily compliance work happens
control must be related to entity
entity can be scoped with multiple controls
issues, control attestation, risks provide supporting documentation about control
control can be related to multiple issues, control attestations and risks

Control objective to control objective -> sn_compliance_m2m_policy_stmt_policy_stmt
control objective to citation -> sn_compliance_m2m_statement_citation
control objective to entity type -> sn_compliance_m2m_statement_profile_type
control objective to indicator template -> sn_grc_m2m_ind_temp_count


Review script includes
AssessmentStrategy
PolicyAcknowledgmentUtil
ComplianceUtils
ControlGeneratorStrategy
ComplianceScoreCalculator

Policy record life cycle
Draft, (sn_compliance.user)
Review, (sn_compliance.manager)
Awaiting Approval (approval) (all approvers must approve)
Published,
retired (sn_compliance.manager)

Policy types ->policy, procedure, standard, plan, checklist, framework, template

Control Objective record
Category -> Classification -> Type
Source / Source ID

Policy life cycle : exceeds valid to date
Default 30 days after the valid to date (sn_compliance.policy_expire_to_review_timer)
If no reviewers are on the policy it gets set to draft

Policy authoring workflow using Office 365
architecture
Activate microsoft onedrive plugins
microsoft onedrive spoke for document service framework
microsoft onedrive spoke
microsoft Azure AD spoke
multiprovider document services framework
New tables
GRC document versions
sn_irm_shared_cmn_document_version
Document access
sn_irm_shared_cmn_document_access
Updated tables
Policy (sn_compliance_policy)
system properties
select a file sharing service to host documents and attachments
One Drive, None..
Setup connection record
Connection name, url, credential information
Assign required role
mp_document_user

policy and compliance -> administration -> GRC Properties
Total number of questions allowed in a same response type grouped assessment + number of questions in one assessment * number of assessments.
policy and compliance -> administration -> Properties
no of days after reaching a policy valid to date in which the expired policy will automatically move from published state value to draft/review state
default = 30 days
Default duration for which policy exception can be requested
default = 30 days
How to limit policy approvers to a specific group ?
Create a script include that returns the group members
Apply a reference qualifier to only query users that are returned by the script include
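An added example of the two steps above (not from the original notes): a classless script include that returns the active members of an approver group, plus the helper that turns them into a reference qualifier. The group name "Policy Approvers" and the script include name getPolicyApproverQualifier are assumptions.

```javascript
var APPROVER_GROUP = 'Policy Approvers';   // hypothetical group name

// Pure helper: turn a list of user sys_ids into a reference qualifier string.
// An empty list yields a qualifier that matches no user, so an empty or misnamed
// group fails closed instead of exposing every user in the picker.
function buildApproverQualifier(userIds) {
  var unique = [];
  for (var i = 0; i < userIds.length; i++) {
    var id = String(userIds[i] || '').trim();
    if (id && unique.indexOf(id) === -1) unique.push(id);
  }
  if (unique.length === 0) return 'sys_idISEMPTY';
  return 'sys_idIN' + unique.join(',');
}

// Reads active members of the approver group from the group membership table.
// Only runs on an instance, where GlideRecord exists.
function activeMemberIds(groupName) {
  var ids = [];
  var gr = new GlideRecord('sys_user_grmember');
  gr.addQuery('group.name', groupName);
  gr.addQuery('user.active', true);
  gr.query();
  while (gr.next()) {
    ids.push(gr.getValue('user'));
  }
  return ids;
}

// Entry point named after the script include (classless style), called from the
// approvers field's reference qualifier: javascript: getPolicyApproverQualifier()
function getPolicyApproverQualifier() {
  return buildApproverQualifier(activeMemberIds(APPROVER_GROUP));
}
```

A reference qualifier only filters the picker in the form, so the ACL noted earlier is still needed to stop list edits, imports or API writes from choosing users outside the group.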

Policy acknowledgment campaign life cycle
New -> Pending acknowledgment -> closed -> canceled
configuration
create audience -> Compliance Manager
setup campaign -> Compliance user
set properties -> compliance admin
respond to requests
view responses & status -> compliance reader

create audience -> user , groups, user filters
Table architecture
Policy (sn_compliance_policy) -> Extends Document table
Acknowledgement campaign -> Extends task table
(sn_compliance_policy_acknowledgement)
Acknowledgement -> doesnt extend any table
(sn_compliance_policy_acknowledgement_instance)
audience
(sn_compliance_audience)
audience to user -> User (sys_user)
(sn_grc_m2m_audience_user)
audience to groups -> Group (sys_user_group)
(sn_grc_m2m_audience_user_group)
audience to audience filters
(sn_grc_m2m_audience_filter)
audience filter
(sn_grc_audience_filter)

Policy Exception
start -> Request a policy exception -> Verification rule -> Approval rule
(sn_grc.business_user) approve / reject / one time extension
From self-service ->employee center
compliance workspace
policy exceptions module
control objective record
issue record -> Issues in draft or retired can't be selected
Enable other apps by registering them with the integration registry
tables | GRC-based exceptions | Non-GRC app exceptions
integration registry (target table, entity mapping) | no integration needed | required
exception questionnaire (questions, conditions) | not available | optional
verification rules (by application, user and/or groups) | optional | optional
approval rules (by application, conditional, user and/or groups) | optional | required

policy exception flows
Generate initial approvals for policy exception
Trigger is based on substate field
substate is set based on BR -> Set Policy exception Substate
generation verification based on info in verification rule record
exception requests submitted via service portal bypass this approval
workflow -> Policy Exception runs to set controls associated to exception as exempt
80% of exception period -> generates an event for notification -> Exception period passed 80%
requestor can submit extension
if valid to date is reached workflow sets the state of exception to closed.

Generate final approvals for policy exception

If a policy exception is raised from within GRC and there are no verification rules or approver rules set up, then the exception will be processed using only the approval flow. There is a step in the flow to identify the approvers by getting the owners of the CIs that are impacted by the exception.

Policy exception can also be raised from non-grc apps such as HR - case, vul response - vulnerable item, PPM - risk
Life cycle -> New
integration registry users can request policy exceptions directly from SN apps, which are routed to the compliance manager.
any user with sn_grc.business_user can request a policy exception from employee center
substate: Pending verification -> verification rules to verify accuracy and completeness of policy exception request.
Analyze
Risk rating determined during analyze state
compliance manager can choose to add impacted controls, approve, request review, request more info or request approval
Review
requester or risk manager can submit more info in comments tab
compliance manager reviews request if more info is added
awaiting approval
policy exception request is sent to control owners and the requester's manager unless approval rules were created
approved
exceptions can be approved by compliance manager
control owner can request for an extension
closed
compliance manager can manually move exception to closed

Control Objective
Inactive -> Active
Follows policy record lifecycle
can be associated with more than one policy
can scope with entity types /entities only when Active
create controls automatically when enabled.
serves as template for generating control records.
can be related to other template records
Test templates
Indicator templates
performance analytics templates


Compliance score calculation
External Authority -> Authority document -> Citation
Policy -> Control Objective
Control Objective scoped to Entity A, Entity B, Entity C -> Control A (Fail), Control B (Pass), Control C (Pass)
Compliance score = [Sum of (weight of compliant controls) / Sum of (weight of all controls)] * 100
Draft controls are not part of calculation

Not all entities have the same weight
all controls are not in same state at same time
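An added worked example (not from the original notes) of the score formula above, run on constructed controls mirroring the sketch (A fails, B and C pass) plus a draft control that must be skipped; the weights are made up to show how unequal entity weights move the score.

```javascript
// Constructed sample controls (weights are assumed for illustration).
var SAMPLE_CONTROLS = [
  { name: 'Control A', entity: 'Entity A', weight: 2, state: 'monitor', compliant: false },
  { name: 'Control B', entity: 'Entity B', weight: 1, state: 'monitor', compliant: true },
  { name: 'Control C', entity: 'Entity C', weight: 1, state: 'monitor', compliant: true },
  { name: 'Control D', entity: 'Entity D', weight: 5, state: 'draft',   compliant: false } // not counted
];

// Returns { score, counted, skipped }. score is a percentage rounded to 2 decimals,
// or null when no non-draft control carries weight (avoids a divide-by-zero).
function complianceScore(controls) {
  var compliantWeight = 0, totalWeight = 0, counted = 0, skipped = 0;
  for (var i = 0; i < controls.length; i++) {
    var c = controls[i];
    if (c.state === 'draft') { skipped++; continue; }   // draft controls are not part of the calculation
    counted++;
    totalWeight += c.weight;
    if (c.compliant) compliantWeight += c.weight;
  }
  if (totalWeight === 0) return { score: null, counted: counted, skipped: skipped };
  var score = Math.round((compliantWeight / totalWeight) * 10000) / 100;
  return { score: score, counted: counted, skipped: skipped };
}

// Same controls with every entity weighted equally, to contrast with the weighted result.
function equalWeights(controls) {
  return controls.map(function (c) {
    return { name: c.name, entity: c.entity, weight: 1, state: c.state, compliant: c.compliant };
  });
}
```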

Control record
Life cycle
Draft - Role: sn_compliance.user to modify / edit controls and move into attest state.
Attest - control owners are assigned by default to attest that a control is implemented.
Only the designated owner should attest; it's not recommended for admin to impersonate and attest,
if owner is not available return control and reassign.
Review - moves to review after attestation, require sn_compliance.manager role to move from review to monitor or return to draft
Monitor - Indicators may be scheduled in monitor state.
Controls are not edited in monitor state
updates are made based on indicator activity
Retired - controls retire when compliance is no longer needed, indicators wont run in retire state.
if scoped entity becomes inactive control is retired
compliance Manager can retire a control manually

in attest an attestation is active and sent to control owner
**when attestation is completed the control remains in review state until the compliance member reviews the attestation results
if control is moved back to draft the attestation is canceled
in monitor, indicators monitor the control status and evaluate an organisation's compliance
Create multiple controls for same entity
by default only one control per entity from a given control objective
This feature allows for granularity at control level while keeping the control objective association.
create new controls with unique names, scoped with existing entity
can assign different control owner for granular controls
unique controls are included in compliance score
follows item generation logic : if entity is retired both auto created and manually created controls get retired.
Name of control must be unique when creating multiple controls for same entity.

Consolidated attestation
Global scope
Assessment instance
Fields added by GRC
Grouped assessment name
Related control or risk
Process status
Group type - same or different responses
GRC: Profiles scope
Assessment grouping criteria
Script includes
GRCAssessmentUtilsBase
creates the group
GRCAssessmentClientUtils
Group Preview
Business rules
Global scope
handle assessment group reassignment
GRC: Profiles scope
Remove from group if canceled
update children when parent is complete

Issue group rules
policy and compliance -> administration -> Issue group rules
set is default to true / false
Change default attestation
perform dictionary override on control objective -> Attestation field

Evidence collection
primarily supports audit but available in compliance
assigned users can provide evidence from service portal
audit functionality is more robust than compliance functionality
differs from indicator template
evidence collection use case
can be created ad hoc
doesn't automatically impact control status
supports a control Test
can be a multi-group effort
includes baseline process flow with validation that the request has been fulfilled
manual indicator use case
occurs on a set schedule and frequency
results could change the control status to compliant or non-compliant
typically sent to control owner
control owner marks an indicator task as complete and closes it without outside party validation
Evidence collection for a control
Prepare evidence request
step-by-step
start -> open a control in any state
new from evidence request related list and answer questions
request management record created
placeholder record with prefix EVR created in draft state
each individual request is added as a collection detail with prefix ECD

Process evidence request
Open EVR record in draft state
select request evidence UI action
evidence tasks are generated with prefix EVD
EVD records appear in the evidence related list on the control once generated
Evidence request allows the control owner to view the status of all connected evidence tasks (EVD) records in one place.

Evidence collection lifecycle
After EVD is created control owner can provide information or request approval from someone in their org
The requester can ask for more info after receiving the completed EVD, or accept the evidence, which closes the EVD record.
Two personas
Control Owner -> send info
authority docs, policies, citations, controls, control objectives, control tests, entities, issues
Audit Entity Owner -> send info
authority docs, policies, citations, controls, control objectives, control tests, entities, issues

Table architecture
evidence request (sn_grc_advanced_evidence_request, GRC: Advanced Core, prefix EVR) ------> evidence (sn_grc_advanced_evidence_response, GRC: Advanced Core, prefix EVD)
on the evidence record, the "Evidence for" field has a reference to control, control test, control objective etc

Evidence detail
sn_grc_advanced_evidence_collection_details (GRC: Advanced Core)
"Evidence for" field has a reference to control, control test, control objective etc


Regulatory change management
****************************
management of regulatory, policy and / or procedural changes that apply to an organization.
$342 billion in banking fines and $850 B erased in profits.
Process flow
change identification
change implementation
change communication
compliance source monitoring
applicability assessment
assessment impact

GRC integration with RSS feeds
external feed 1 -> feed registry -> transformation -> get internal taxonomy -> regulatory alert
external feed 2 -> feed registry -> transformation -> get internal taxonomy -> regulatory alert
PCI website
news room -> industry bulletins

processing RSS feeds
RCM manager assigns incoming regulatory alert record to RCM coordinator
state : new
analyzed by rcm coordinator
needs impact assessment -> Yes -> state : impact assessment
to Entity owner
-> No
state : in progress
-> is alert applicable by rcm coordinator
-> No -> state : canceled
-> yes -> relate citation, change task auto generated -> assign change task to RCM manager
-> RCM coordinator responds to change task and creates action tasks -> compliance team completes and closes action tasks -> closes change task
-> risk team completes and closes action tasks -> closes change task
an action task is automatically generated for each related control objective


RCM architecture
1.Provider [sn_grc_reg_change_provider] Connection & Credential alias [sys_alias]
RSS feed integration to regulatory change
Feed source [sn_grc_rss_feed_source]
flow designer flow [pull rss feed to regulatory change]
regulatory change management [sn_grc_reg_change_regulatory_feed]

Primary table relationships --- processing a feed
state : new
needs impact assessment -> Yes -> state : impact assessment entity owner completes impact assessment
-> regulatory event impact context [sn_grc_reg_change_regulatory_event_impact_context]
->regulatory impact assessment [sn_risk_advanced_risk_assessment_instance]
where table = RCM context
state : In progress regulatory alert [sn_grc_reg_change_regulatory_feed]
is alert applicable -> Yes -> change task auto generates regulatory change task [sn_grc_reg_change_regulatory_task]
-> assign change task to the RCM coordinator
-> responds to change task and creates action tasks
-> action task for each related control objective auto generated action task [sn_grc_reg_change_regulatory_action_task]

RCM config feed process
Taxonomy configuration
5 categorization classes provided in baseline
regulatory bodies
content types
jurisdictions
themes
sectors
to assign and manage feeds
can be used to auto assign feeds
additional categorization classes can be added
value should be Updated
hierarchical
related to a provider
multiple values within each category can be assigned to a provider
incoming RSS records are assigned the taxonomy values
LexisNexis, Regology, Thomson Reuters
Configure the assessment
requires admin or risk admin role
leverages RAM available in advanced risk assessment -> risk assessment methodology
RAM is an object-based assessment
-> factors, weightings, qualitative rating criteria are configurable
event impact context
-> single inherent assessment -> legal, reputational, financial, business

Risk Overview
Classic vs advanced (classic risk assessment vs advanced risk assessment)
area: classic = GRC:Risk Management; advanced = GRC:Advanced Risk
statement hierarchy: classic = single level; advanced = multi level
risk rollup: classic = none; advanced = assessment risk score rollup
assessments: classic = no impact to risk score; advanced = determines risk score, and the customer controls the formula used to calculate the risk score
scope: classic = only scoped risks can be assessed; advanced = scoped risks and objects can be assessed
question types: classic = all assessment questions must be either qualitative or quantitative; advanced = allows a mixture of question types
integration: advanced = integrates with other ServiceNow applications

It is possible to leverage advanced risk multi-level hierarchy with classic risk assessments.

Configuration steps
1. review and update properties -> dev team / admin team responsibility
2. review and update categories -> risk team provides content, dev team / admin team responsibility
3. create import template for risk statements from existing risk register -> risk team provides content, dev team / admin team responsibility
4. identify / create indicator templates and associate to risk statements -> risk team provides content, dev team / admin team responsibility
5. identify and associate mitigating control objectives to risk statements -> risk team provides content
6. Scope entity types with risk statements -> risk team provides content
7. set up risk assessment methodologies and relate to entity classes -> risk team provides content, dev team / admin team responsibility

Risk analogy
1. inherent risk -> risk without mitigation actions
2. mitigation actions -> actions taken to decrease risk
3. residual risk -> risk that remains after mitigation action is taken

Primary tables
GRC:Risk management

Document sn_grc_document (GRC:Profiles)
Content sn_grc_content (GRC:Profiles)
Risk framework sn_risk_framework (GRC:Risk Management) (not relevant when using advanced risk; risk values don't roll up to the framework)
risk statement sn_risk_definition (GRC:Risk Management)
Item sn_grc_item (GRC:Profiles)
Risk sn_risk_risk (GRC:Risk Management)
risk response task sn_risk_response_task (GRC:Risk)
risk assessment instance (GRC:Advanced Risk)

relationships (from the table diagram)
indicator template sn_grc_indicator_template ---M:M--- indicator sn_grc_indicator
risk statement sn_risk_definition ---0:M--- risk sn_risk_risk
entity type sn_grc_profile_type ---M:M--- entity sn_grc_profile
risk also relates to risk response task, risk assessment instance, indicator, issue and control (diagram cardinalities not legible)


When you don't migrate to advanced risk, the record life cycle for risk appears on the risk record.
After migration the lifecycle appears in the risk assessment record.

Classic risk score methodology:
measurement of risk: likelihood, impact
scoring methods
qualitative (Low - High) -> impact and likelihood
quantitative ($200K - $600K) -> SLE and ARO
ALE and risk score
ALE = Impact x Likelihood
if there are no controls or indicators then calculated ALE = residual ALE
non-compliant controls and failed indicators -> calculated risk factor
classic risk score calculation
residual ALE + ([inherent ALE - residual ALE] * [calculated risk factor / 100])

risk criteria matrix
-> used to map qualitative to quantitative
navigation : Risk -> Administration -> Risk criteria

Configuration ->
Assessment types
-> Risk -> Administration -> assessment types

classic risk assessment with GRC: advanced risk features
by default scoring method is quantitative, can be set to qualitative by system properties

Type of risk
inherent
residual
Calculated


tolerance status
tolerance management config
Admin
max number of levels for risk hierarchy
default = 5
compare risk tolerance
default = sum
content - risk team
acceptable and max ALE values
risk statements
entities
classic risk assessment
can only assess a scoped risk
single assessment method : qualitative or quantitative
depends on a single risk rating scale
qualitative assessment still depends on relating the value to currency
evaluating risk tolerance was previously only available with classic risk assessments; from Utah it is available for advanced risk
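Added example (not from the original notes and not ServiceNow's own code): the classic risk score formula and the default sum-based tolerance comparison from the two blocks above, as plain JavaScript. Treating impact as SLE and likelihood as ARO, and the three tolerance status labels, are assumptions.

```javascript
// Added example, not from the notes or from ServiceNow: the classic risk score
// arithmetic and tolerance comparison the notes describe, as plain JavaScript.
// Assumptions: impact is used as SLE (currency) and likelihood as ARO (occurrences per
// year); the three tolerance status labels are made up for this example.

// Quantitative ALE = Impact x Likelihood (SLE x ARO).
function annualLossExpectancy(impact, likelihood) {
  if (impact < 0 || likelihood < 0) throw new RangeError('impact and likelihood must be >= 0');
  return impact * likelihood;
}

// classic risk score = residual ALE + ([inherent ALE - residual ALE] * [calculated risk factor / 100])
// The calculated risk factor (0..100) is driven by non-compliant controls and failed
// indicators; pass null when the risk has no controls or indicators, in which case the
// calculated ALE is simply the residual ALE.
function classicRiskScore(inherentAle, residualAle, riskFactor) {
  if (residualAle > inherentAle) throw new RangeError('residual ALE cannot exceed inherent ALE');
  if (riskFactor === null || riskFactor === undefined) return residualAle;
  if (riskFactor < 0 || riskFactor > 100) throw new RangeError('risk factor is a percentage 0..100');
  return residualAle + (inherentAle - residualAle) * (riskFactor / 100);
}

// Tolerance check with the default comparison ("compare risk tolerance, default = sum"):
// the calculated ALEs of the risks under a statement or entity are summed and compared
// with the acceptable and max ALE values the risk team sets.
function toleranceStatus(calculatedAles, acceptableAle, maxAle) {
  if (acceptableAle > maxAle) throw new RangeError('acceptable ALE cannot exceed max ALE');
  var total = calculatedAles.reduce(function (sum, ale) { return sum + ale; }, 0);
  var status = total <= acceptableAle ? 'within_tolerance'
             : total <= maxAle ? 'above_acceptable'
             : 'exceeds_max';
  return { total: total, status: status };
}

// Constructed sample: risk A has a $300K SLE twice a year before controls, $100K SLE
// twice a year after controls, and a 25% calculated risk factor; risk B has no controls
// or indicators at all.
function sampleRollup() {
  var inherentA = annualLossExpectancy(300000, 2);         // 600000
  var residualA = annualLossExpectancy(100000, 2);         // 200000
  var riskA = classicRiskScore(inherentA, residualA, 25);  // 200000 + 400000 * 0.25 = 300000
  var riskB = classicRiskScore(150000, 50000, null);       // no controls/indicators -> 50000
  return toleranceStatus([riskA, riskB], 250000, 400000);  // total 350000 -> above_acceptable
}
```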

Primary tables
GRC:Advanced Risk
Risk assessment methodology sn_risk_advanced_assessment_methodology ---1:M--- assessment type sn_risk_advanced_assessment_type
assessment type ---M:M (via sn_risk_advanced_asmt_type_m2m_factor)--- factor sn_risk_advanced_factor
assessment type subclasses: inherent assessment sn_risk_inherent_assessment, control assessment sn_risk_control_assessment, residual assessment sn_risk_residual_assessment
factor subclasses: group factor sn_risk_advanced_group_factor, child factor sn_risk_advanced_sub_factor (1:1 in the diagram), manual factor sn_risk_advanced_manual_factor, base automated factor sn_risk_advanced_automated_factor, automated scripted factor sn_risk_advanced_automated_script_factor, automated query factor sn_risk_advanced_automated_query_factor


Key personas for workspaces
GRC: Risk workspace application

operational risk manager (sn_risk_workspace.operational_risk_manager)
contains sn_risk.manager,sn_compliance.manager, sn_audit.manager
performs risk assessments, view heatmaps of risk assessments, view risk events related data
IT risk manager (sn_risk_workspace.it_risk_manager)
contains sn_risk.manager,sn_compliance.manager, sn_audit.manager
identifies risks to assess, create key risk indicators, manages risk responses
Business operational risk manager (sn_risk_workspace.business_op_risk_manager)
contains sn_risk.user,sn_compliance.user, sn_audit.user
manage risk posture of their specific BUs


Risk Heatmap workbench
Primary tool for risk reporting & analysis
Primary personas
risk managers, analysts, risk owners / business managers

Options for finding uncertainties
1. identify and automate risk generation
Develop a holistic enterprise risk program
identify and analyze threats and vulnerabilities -IT and operational risk
risk statements are related to entity types, which generate scoped risks ->create hierarchical relationships for management

2. gather information from entity owners / stake holders
can some risks get missed
who can provide more insight when new entities are generated
what if an entity has a unique set of risks not relevant for its entity type
is there a case for standard risks
possible use case for risk identification questionnaire
to discover risks that dont derive from a regulation or are unique to an entity use risk identification questionnaire


risk identification
can be used for entity onboarding to identify risks
risk identification questionnaire
stored in assessment metric types
setup metric categories, metrics and weighting
select table and conditions for assessable records
application assessment questionnaire included in baseline

**risk identification configuration
set configuration level as entity class or table
set the target table
select identification questionnaire and respondent type
determine additional properties


Advanced Risk assessment

ARA Roles
Risk Admin (sn_risk.admin)
Risk manager (sn_risk.manager)
Risk User (sn_risk.user)
Risk reader (sn_risk.reader)
ARA Reader (sn_risk_advanced.ara_reader)
ARA creator (sn_risk_advanced.ara_creator)
GRC Business user
ARA Assessor (sn_risk_advanced.ara_assessor)
ARA Approver (sn_risk_advanced.ara_approver)
ARA Admin (sn_risk_advanced.ara_admin)

In order to add ARA roles during upgrade enable system property : glide.ui_schedule_slushbucket_save_for_group_roles

Implementation team uses risk register spreadsheet to build risk assessment methodology for operational risk assessment

RAM uses qualitative scoring

Factor types
Manual factors -> require human responses because the questions are subjective and difficult to determine from data.
Automated factors -> automatically fetch data from servicenow tables or databases and from publicly available data
automated scripted factors -> use scripts to define how factor will fetch data, which is then used to fill in assessment responses
Group factors -> are manual or automated factors that are grouped to create a combined score.
Each assessment consists of individual questions, defined in the RAM, called factors; each factor has its own contribution.
factors can contribute to either a numerical risk score (qualitative contribution) or to calculating annual loss expectancy (ALE) values (quantitative contribution)

factor contribution type can be qualitative, quantitative or both

factors cannot be grouped until they are published

Configure RAMs beyond factors

Enable advanced risk assessment
In order to enable ARA enable system property -> migrate to advanced risk assessments -> Yes
Advanced risk assessments -> administration -> Properties
migration affects following forms
risk
entity
risk statement
Installing GRC: Advanced risk assessment doesn't automatically enable ARA.
Class rule :
Risk -> Administration -> Class rules
Table and Class are fields on class rule
Class rule assigns class to entities
After class rule is created run Scheduled job GRC Profile Generation
Risk -> Scoping -> All Entities

Risk form classic vs advanced
Classic -> contains assessment, scoring, response sections, Calculated score field
Advanced -> assessment summary (a new section will be available)
When migrated to ARA assessment, scoring, response sections, Calculated score field are removed
assessment summary (a new section will be available), in this section assessment scores are displayed along with the risk response
if multiple methodologies are used for risk assessment system picks default methodology from selected entity class.
primary risk assessment methodology can be defined on the entity class.


Risk form classic vs advanced
Classic -> assessment field, default scores section and risk rollup and tolerance section are removed with ARA
Advanced -> related links options removed. New related list, aggregate risk added

RAM configuration: set assessment context
Assess
an assessment can assess a risk scoped with an entity or any servicenow record
application entity classes
if assessing a risk, select entity classes to use this RAM
primary RAM is set on entity class records.
Table
appears when assess field is set to Object

RAM configuration select assessment types
1. Inherent risk
risk levels without controls or mitigating actions
2. control effectiveness
assessment effectiveness of mitigating controls to prevent, detect or correct the risk
3. residual risk
leftover risk after implementation of controls

when RAM template is defined it can include a single assessment type or any combination of the three available assessment types.
During ARA assessor can assess three different assessment types, these are inherent risk, control effectiveness and residual risk.

RAM configuration reference information
this section appears only if the assess field has the value Risk
enabling these options shows the reference information in the risk assessment instance.
show related risk events
show related risk indicators
show open issues
Other configurations
RAM configuration
Allow override of results: option to enable users to override the computed scores and ALE during risk assessment.
Show previous assessments: option to show the previous assessments on risk assessment instance.
advanced reminder (days): the number of days before the due date in which assessor gets a notification.
Risk identification : method to identify risks in the risk assessment scope
Copy of previous responses: option to copy factor responses and comments whenever a reassessment is performed.
Enable risk response: option to enable the risk response tab on the risk assessment instance for risk-based assessments
overdue reminder (Days) : number of days after due date during which reminder emails will be sent

Rollup configuration
risk statement aggregation : how should multiple assessments of same RAM roll up ?
quantitative -> Sum, Average, Max, Minimum
Qualitative -> Average, Max, Minimum
Associate factors to assessment types

RAM configuration on each assessment type record configuration options
inherent assessment ->
assessment contribution
qualitative
quantitative
scoring logic
calculated method to derive risk score from factor answers
qualitative rating criteria
translate the risk score to a risk rating
control effectiveness ->
control assessment options
general or specific
control identification (applies when assessing specific controls)
from library & ad-hoc options
consequences
qualitative rating criteria
residual assessment ->
calculation basis
residual factor responses
calculation based on inherent risk and control effectiveness
options - matrix, subtract or divide
matrix

Building a RAM
determine factors and contribution
Create RAM in Draft
Build out assessment types
complete configuration


Baseline IT risk assessment methodology details: applies to business apps, hardware, software and IT assets
inherent risk -> impact, likelihood

impact
insignificant
minor
moderate
major
catastrophic

likelihood
rare
unlikely
possible
likely
almost certain
rating criteria conversion
0-2 -> very low
3-4 -> low
5-9 -> moderate
10-16 -> High
17-25 -> Very High
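Added example (not from the notes and not ServiceNow code) covering the baseline IT RAM rating bands above and the rollup options from the "Rollup configuration" block: it scores impact and likelihood choices, maps the score to a rating and rolls several assessments of one risk statement up with the allowed method. That the inherent score is impact position times likelihood position (1..5 each), and rounding before rating, are assumptions.

```javascript
// Added example, not from the notes or from ServiceNow: the baseline IT RAM rating bands
// and the risk statement rollup options (quantitative: sum / average / max / minimum;
// qualitative: average / max / minimum) as runnable JavaScript.
// Assumption: the inherent score is impact position x likelihood position (1..5 each),
// which is what yields the 0-25 range of the rating bands in the notes.

var IMPACT = ['insignificant', 'minor', 'moderate', 'major', 'catastrophic'];
var LIKELIHOOD = ['rare', 'unlikely', 'possible', 'likely', 'almost certain'];

// Qualitative rating criteria from the notes: upper bound of each band -> rating.
var RATING_BANDS = [
  { max: 2, rating: 'very low' },
  { max: 4, rating: 'low' },
  { max: 9, rating: 'moderate' },
  { max: 16, rating: 'high' },
  { max: 25, rating: 'very high' }
];

// 1-based position of a choice on its scale; unknown labels are rejected rather than
// silently scored as zero.
function scaleValue(scale, label) {
  var idx = scale.indexOf(label);
  if (idx < 0) throw new Error('unknown choice: ' + label);
  return idx + 1;
}

// Inherent risk score of one assessment instance (assumed product, see above).
function inherentScore(impactLabel, likelihoodLabel) {
  return scaleValue(IMPACT, impactLabel) * scaleValue(LIKELIHOOD, likelihoodLabel);
}

// Translate a numeric score to its rating band.
function toRating(score) {
  for (var i = 0; i < RATING_BANDS.length; i++) {
    if (score <= RATING_BANDS[i].max) return RATING_BANDS[i].rating;
  }
  throw new RangeError('score out of range: ' + score);
}

var ROLLUP = {
  sum: function (xs) { return xs.reduce(function (a, b) { return a + b; }, 0); },
  average: function (xs) { return ROLLUP.sum(xs) / xs.length; },
  max: function (xs) { return Math.max.apply(null, xs); },
  minimum: function (xs) { return Math.min.apply(null, xs); }
};
// Sum is only offered for quantitative (ALE) contributions: summing qualitative scores
// would push the aggregate past the 25-point rating scale.
var ROLLUP_OPTIONS = {
  quantitative: ['sum', 'average', 'max', 'minimum'],
  qualitative: ['average', 'max', 'minimum']
};

// Roll up several values of the same RAM against one risk statement.
function rollupValues(values, contribution, method) {
  var allowed = ROLLUP_OPTIONS[contribution];
  if (!allowed) throw new Error('unknown contribution type: ' + contribution);
  if (allowed.indexOf(method) < 0) throw new Error(method + ' is not a ' + contribution + ' rollup option');
  if (values.length === 0) throw new Error('nothing to roll up');
  return ROLLUP[method](values);
}

// Qualitative rollup of inherent assessments: score each, aggregate, then rate.
// Rounding the aggregate before rating is an assumption (the notes give integer bands).
function rollupInherentRisk(assessments, method) {
  var scores = assessments.map(function (a) { return inherentScore(a.impact, a.likelihood); });
  var aggregate = rollupValues(scores, 'qualitative', method);
  return { scores: scores, aggregate: aggregate, rating: toRating(Math.round(aggregate)) };
}

// Constructed sample: three assessments of one risk statement.
var SAMPLE_ASSESSMENTS = [
  { impact: 'major', likelihood: 'likely' },        // 4 x 4 = 16 -> high
  { impact: 'moderate', likelihood: 'possible' },   // 3 x 3 = 9  -> moderate
  { impact: 'catastrophic', likelihood: 'rare' }    // 5 x 1 = 5  -> moderate
];
```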

Control assessment
control effectiveness
ineffective
needs improvement
effective
overall control effectiveness
0-1 -> effective
1.1 - 2 -> partially effective
2.1 -3 -> Effective

Residual risk
matrix of inherent and control


RAM maintenance

RAM rules and notes (maintenance type -> rule -> notes)
change RAM components that don't impact risk scoring -> components that don't impact the risk score are editable even when the RAM is published -> example RAM changes: reference info, other config options; example factor changes: factor guidance can be updated, choice field display values can be edited
change RAM components that impact risk scoring -> published RAMs with assessments in monitor or closed state can't be edited -> in non-prod: assessment instances should be deleted if in monitor or retired state, assessments in other states should be canceled; in prod: a new RAM should be developed when the old RAM is retired, assessment instances will be closed
assessment instances can only be canceled if not in monitor state -> cancel from the "my assessable entities" related list
assessments are closed when new assessments are initiated -> in baseline, assessments can't be manually closed

Setting the primary RAM
primary field on entity class field
an entity can be assessed in conjunction with a number of risks
each of those risks can be assessed using different RAMs
to determine which summary appears on the entity record system looks at the primary field on entity class record
an entity class can have only one primary RAM
primary risk assessment methodology also controls lifecycle of risks linked to entity, this is essentially main methodology
used to report risk posture
since risk rating is a subjective assessment different stake holders may have different perspective,
its important to capture that through use of multiple RAMs
auditors assessment of risk may be different from enterprise risk management perspective
in workspace users can toggle between different RAMs to see different view points

Risk roll up configuration
rollup by entity and by risk statement
risk rollup is displayed as aggregate and its displays in format defined in RAM
summary info can be found in a set of aggregated risk reports
detailed info can be found on risk statement and on entity records

RAM configuration
Object-based assessment
event-driven -> users can perform the assessment based on some event; requires setting up the APIs createRiskAssessment and getRiskAssessmentResults; recommended to use either flow designer or a business rule to leverage the APIs
ad hoc -> users can perform the assessment through a UI action
1. set RAM assessment context to Object
2. identify table for object
3. create UI action on table
4. configure UI action
5. assessment can then be initiated from the UI action button on the record

It is also possible on a risk-based assessment through trigger-based risk assessment

Risk evaluation and treatment

advanced risk assessment life cycle
assessment type states match RAM definition
ready to assess -> when assessment is scoped for a risk or an object the first state is ready to assess
A delegate can be assigned for the risk assessor for a specific amount of time
requires sn_risk_advanced.ara_creator role to initiate an assessment and assign the assessor
requires sn_risk_advanced.ara_assessor role to assess
assessment types -> depending on RAM def, states: inherent assessment, control assessment, residual assessment are included in lifecycle
requires sn_compliance.user role to create controls and add controls ad-hoc or from library during control
assessment state
Respond -> respond is an optional state that is configured in the RAM
awaiting approval -> optional, requires sn_risk_advanced.ara_approver role to approve
monitor -> risk assessment is automatically moved to this state after assessment is approved
Roles needed to perform ARA tasks
sn_risk_advanced.ara_creator
sn_risk_advanced.ara_reader
sn_risk_advanced.ara_approver
sn_risk_advanced.ara_assessor

Risk record workflow with advanced risk assessment
risk progresses through states based on risk assessment outcomes from primary RAM
Draft -> risk is created in draft state, objective in this state is to map and identify the risk pertaining to your org
if you modify the entity or the primary RAM for a risk the state of risk gets updated based on primary RAMs latest assessment.
assess -> state of risk when advanced risk assessment is initiated and being performed.
respond -> state of risk when risk response task is in progress, once risk response task is closed then risk is automatically moved to monitor state
monitor -> state of risk when risk has been assessed and the response task is closed
if KRIs are defined through GRC: Metrics they are executed to monitor the risk
retired -> state of the risk when risk is no longer valid but the org wants to keep a system of record for audit purposes.

Risk treatment
ready to assess -> assessment types -> respond -> awaiting approval -> monitor
response value determines the type of task that gets assigned to risk response task
risk response records are manually created while risk is in respond state
accept -> risk acceptance
mitigate -> risk mitigation
avoid -> risk avoidance
transfer -> risk transfer

risk response lifecycle
draft, wip, review, closed

risk response workflow is not available for object assessment
baseline my approvals module is only available for users with approver_user role.
4 risk tables extend sn_risk_advanced_task table.

RISK Integrations
******************
leveraging advanced risk assessment engine
GRC:Privacy management -> identify assets that pose the highest risks and ensure appropriate levels of controls are implemented to mitigate those risks; privacy management users can only have two active risk assessment methodologies with limited ARA
GRC:Regulatory change management -> assess impact of a regulatory change with an impact assessment (RAM)
perform ARAs with limited set of features

Project risk management
PPM + Advanced Risk
APM + Advanced Risk

APM integration
(Application owner) business app is created ->
auto creates entity in GRC
-> initiates the questionnaire to application owner
-> respond to questionnaire (app owner)
-> review responses (risk manager)
-> review and signoff inherent risks (business owner)
-> based on inherent rating, additional controls are mapped
-> executes recommendation engine to suggest policies, risk and citations
->maps corresponding risks, policies and citations (risk manager)
->auto maps corresponding controls

-> maps baseline control which needs to be implemented
-> works with stake holders to implement the controls (app owner)
-> attest the controls implementation (app owner)
-> responds to manual control indicators (app owner)
-> monitor app risk and compliance with OOB dashboards (risk manager)

continuous monitoring design
Determine monitoring scenarios
configure indicator templates
-> associate indicator templates with control objectives and or risk statements to generate control and or risk indicators when scoped
-> execute indicators for real-time monitoring results of controls / risks

Monitoring usecases
1. customer service
-> Data subject rights requests
-> market conduct research
2. employee experiences
-> ethical compliance
-> workforce resilience
3. digital / IT transformation
-> cyber risk & security controls
-> continuously monitor IT compliance
-> continuous monitor IT risk
-> ensure devops app compliance
4. legal & finance
-> financial compliance monitoring
-> manage privacy Risk & compliance
Technology controls content pack
1. continuously monitor 109 CIS & ISO 27002 - based control points in Now products
contains
authority documents for CIS controls
associated citations, policy and control objectives for 191 CIS controls
191 indicator templates both basic and manual mapped to UCF IDs
meant to improve cyber-hygiene and successful operation of information security management system (ISMS)

Compliance data source registry (CDSR)
policy as a Code Engine (PaCE)
ability to associate control objectives with equivalents policy / check from other SN apps
ability to generate entities and controls based on association to understand compliance posture
ability to request policy exceptions from other SN apps
automated reviews and compliance monitoring due to automated checks and controls = reduction in manual reviews
automated audit evidence collection
real-time risk and compliance visibility
increased velocity of employee workflows
configuration compliance
continuous controls monitoring for config compliance
configuration compliance
secure configuration assessment application
this app aggregates scan results from integrations with configuration scanning apps -> Qualys, Tenable, Rapid7 etc
Risk
continuously monitor the imported scan results from 3rd party apps to validate compliance and manage risk against various standards

continuous compliance monitoring
better together: configuration compliance and security operations
property sn_compliance_auto_create_profile_and_control
if user closes an issue on GRC side it may reflect an invalid compliance state since the issue state depends on scan results
coming in from config compliance
if an entity already exists the integration uses the existing entity; if it does not exist, one is auto created from Qualys (or other monitoring tool)
continuous risk monitoring
lower first line burden through automated control testing
auto test operational effectiveness on periodic basis
use data from across the SN ecosystem to systematically gather and store evidence
escalate issues to control owners when a failure condition is detected
reuse CCM results for audit testing
better together with vulnerability response and security operations
continuous monitoring
better together with HRSD

indicator architecture and config
3 types
manual
Basic
script
indicator templates will be associated with one or more control obj or risk statements
a template cant be related to both control obj and risk statement
basic indicators can leverage servicenow tables in non-grc scoped apps
when leveraging non-GRC tables the indicator template must identify a cross reference field back to entities

GRC: Metrics
Future of risk continuous monitoring
1. enables threshold based monitoring of key risks and controls and alerts respective owners on changes to risks and controls.
2. automate mundane metric data collection tasks which saves employee time.
3. efficiently monitors and shares risk info across the org

indicators vs metrics

indicators -> primarily used for automated continuous control assessments and not risk and control monitoring
primarily designed & needed for continuous control assessments & hence not part of metrics
metrics -> unique features and aligns to risks & control monitoring

key types of metrics
KRIs
KCIs
KPIs

Explore and configure issues
issue overview and architecture
issue management
issue intake and triage
issues can include operational risk events, regulatory compliance violations, security breaches etc
issues can be identified by any of the 3 lines of defense, as well as by external sources such as consumer complaints or regulatory examples
Life cycle
New -> Analyze -> Review (Optional) -> closed

single point of entry for end users to report a compliance / risk issue from employee center based on various questions, an issue can be identified
as compliance / risk issue or risk event, if capability is installed.

GRC business user role is contained by other roles such that it is ultimately included in the compliance and risk user, manager and admin roles
Triage user
Triage Manager
-> admin -> issue rating
GRC Business User
GRC admin -> admin -> properties

Primary Table relationships
**************************
GRC: Advanced Core and GRC: Profiles

table hierarchy (parent > child)
Task (Global) > Triage (GRC: Advanced Core) sn_grc_advanced_triage > Issue Triage (GRC: Advanced Core) sn_grc_advanced_issue_triage
Planned Task (Global) > Issue (GRC: Profiles) sn_grc_issue

Issue management
Issue triage
-> significant data driven options
Classification
issue type
->
->
significant number of notifications in baseline
Issue
-> minimal record life cycle in baseline
-> no approval process
rules associated with issue grouping
some notifications in baseline
optional : setup evidence collection
Issue configuration
GRC: Profiles scope
policy and compliance -> administration -> GRC Properties
due date auto population based on issue rating
sn_grc.auto_populate_due_date_based_on_issue_rating
Auto close when all remediation tasks are closed
sn_grc.automatically_close_issue_when_all_tasks_closed
GRC: Advanced Core Scope
Issue Triage -> Administration -> Properties
sn_grc_advanced.enable_my_issues_hide_my_reported_issues
default : Yes
Setting to No
skips issue triage process
users can create issues directly
impacts both service portal and employee center

self-reported triage issue configuration
triage issue assignment rules
guideline to customize self-reported issue triage
1. issue types drive where the triage issue appears
2. portal form - record producer -report issue (GRC: Advanced Core)
modify questions presented to user
initial assignment at Classification
3. client script - on change action for issue type

Issue configuration
-> Smart issue assignment
configuration steps
Install GRC: Predictive intelligence [sn_grc_pred_intel]
train the solution def
set the issue assignee suggestion based on property to similarity analysis
[sn_grc_pred_intel:issue_assignee_suggest]
machine learning solution for prediction of issue assignee
[sn_grc_pred_intel.mi_solution_for_issue_assigned_to]
default value : ml_x_sn_grc_pred_intel_global_similarity_solution_definition_for_assigned_to_for_issue
navigation : predictive intelligence -> similarity -> solution definitions

Regulatory change management - To Do
************************************
Classic Risk fundamentals
*************************
covered above in risk section

Audit management essentials
****************************
An audit provides a “window” into GRC data, specific to the engagement the auditor is reviewing.

The objectives of audit management are to ensure that:

risks are appropriately identified and quantified
controls are designed in a way that effectively reduces the identified risks
controls are properly monitored for operating effectiveness
control deficiencies are identified and remediated
The Audit Management and Advanced Audit Management applications allow users to plan and schedule audits,
conduct resource planning, scope engagements, conduct audit activities, review continuous monitoring results, and report findings.

During an audit, specific entities are scoped, not entity types
when an audit is scoped to a specific entity, all of that entity's risk and compliance data is leveraged; the audit report is used to share the findings

Advanced audit
audit plans
auditable units
milestones
observations
PPM integration for resource planning

Audit Plans and Engagements

An audit plan helps to manage different types of audits in a periodic manner and group engagements in a logical manner.
An audit engagement is an audit project that may include audit tasks that accomplish a set of objectives or goals.

Audit engagement -> scoped with an auditable unit or an entity
selecting an entity automatically associates with the engagement:
risks related to the entity
controls related to the entity
test plans related to those controls
indicator results related to those controls
audit tasks
provide documented evidence that the associated control is operating correctly.
possible types of tasks
control tests
interviews
walkthroughs
activities
test templates and plans
a test plan is an audit test that applies to a control
design test
operation test

audit engagement lifecycle
scope
validate and plan
field work
awaiting approval
follow-up
closed

personas
audit manager (sn_audit.manager) -> sn_grc.manager + sn_audit.user
audit user sn_audit.user -> sn_grc.user + sn_compliance.user + sn_risk.reader
External Auditor - sn_audit.external_auditor
finance manager (auditee)
audit admin (sn_audit.admin) -> sn_audit.manager + sn_grc.admin
audit developer (sn_audit.developer) -> sn_audit.admin + sn_grc.developer
engagement project manager (sn_audit_advanced.engagement_project_manager ) -> sn_audit.manager + resource_manager + it_project_manager

Auditor - sn_audit_ws.auditor -> sn_audit.user role

Audit supervisor - sn_audit_ws.supervisor -> sn_audit_ws.auditor + sn_audit.manager

common configuration request for external auditors
grant external auditors direct access to audit management
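One way to review these role containments before answering that request, as an added example that is not part of the original notes or of the ServiceNow product: the plain JavaScript below (run with node, not a server-side Glide script) walks the "->" containment edges listed above and reports what each grant pulls in. That the table matches a given instance's sys_user_role_contains records, and the choice of roles treated as elevated, are assumptions.

```javascript
// Added example (not from the original notes or from ServiceNow): a role-
// containment walk over the audit personas listed above. The role names and
// the "->" containment edges are taken from the notes; whether a given
// instance's sys_user_role_contains actually matches is an assumption, so
// export that table from the instance and swap it in before relying on this.
const ROLE_CONTAINS = {
  "sn_audit.manager": ["sn_grc.manager", "sn_audit.user"],
  "sn_audit.user": ["sn_grc.user", "sn_compliance.user", "sn_risk.reader"],
  "sn_audit.admin": ["sn_audit.manager", "sn_grc.admin"],
  "sn_audit.developer": ["sn_audit.admin", "sn_grc.developer"],
  "sn_audit_advanced.engagement_project_manager":
    ["sn_audit.manager", "resource_manager", "it_project_manager"],
  "sn_audit_ws.auditor": ["sn_audit.user"],
  "sn_audit_ws.supervisor": ["sn_audit_ws.auditor", "sn_audit.manager"],
  // The notes list no contained roles for the external auditor.
  "sn_audit.external_auditor": [],
};

// Roles whose grant should trigger a second look in an access review.
// "admin" is the platform admin role; the two sn_* names are from the notes.
// Which roles count as elevated is a reviewer's choice (assumption here).
const ELEVATED_ROLES = new Set(["admin", "sn_grc.admin", "sn_audit.admin"]);

// Transitive closure of role containment: every role a user effectively
// holds given the roles granted directly. Iterative with a visited set, so
// a cyclic containment table cannot loop forever.
function effectiveRoles(granted, contains = ROLE_CONTAINS) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    for (const child of contains[role] || []) stack.push(child);
  }
  return seen;
}

// For each directly granted role, list the elevated roles it pulls in.
// Returns e.g. { "sn_audit.developer": ["sn_audit.admin", "sn_grc.admin"] }.
function elevatedRolesByGrant(granted, contains = ROLE_CONTAINS) {
  const report = {};
  for (const role of granted) {
    const hits = [...effectiveRoles([role], contains)]
      .filter((r) => ELEVATED_ROLES.has(r))
      .sort();
    if (hits.length > 0) report[role] = hits;
  }
  return report;
}

// Access-change review: which effective roles would a proposed set of grants
// add on top of what the user already holds? Sorted for stable diffs.
function privilegeDelta(currentGrants, proposedGrants, contains = ROLE_CONTAINS) {
  const before = effectiveRoles(currentGrants, contains);
  const after = effectiveRoles(proposedGrants, contains);
  return [...after].filter((r) => !before.has(r)).sort();
}

// Worked review of the "direct access for external auditors" request:
// compare the two candidate grants against the external-auditor role alone.
const externalAuditorToday = ["sn_audit.external_auditor"];
console.log(privilegeDelta(externalAuditorToday, [...externalAuditorToday, "sn_audit.user"]));
console.log(privilegeDelta(externalAuditorToday, [...externalAuditorToday, "sn_audit.manager"]));
console.log(elevatedRolesByGrant(["sn_audit.user", "sn_audit.developer"]));
```

The two privilegeDelta calls answer the request directly: adding sn_audit.user brings in the GRC, compliance and risk roles beneath it, while adding sn_audit.manager also brings in sn_grc.manager, so the least-privilege choice depends on which of those an external party actually needs. The elevatedRolesByGrant report is the check to run on any custom role proposed for the same purpose.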

auditable units -> sn_audit_advanced_auditable_unit
Entities are automatically created from the Entity Filter for the sn_audit_advanced_auditable_unit table
data can be imported into auditable units via a data load
risk assessments -> Advanced Risk Assessment can further enhance audit processes
common controls ->
the common control feature was introduced to reduce the proliferation of shared controls and to allow
other entities to inherit the control test results or the control compliance results.

Primary and Reliant Entities

A common control has a primary entity associated with it. Other entities associated with this common control are then
referred to as the reliant entities.

Note that scoping a reliant entity into an engagement does not automatically scope in the common control's primary entity.

When audit tasks, such as an interview, are created or reassigned, a notification is sent to the assigned user.
A notification is also sent when the task reaches 75% of its planned duration.
These are the only base system notifications for audit management.

Milestones

Milestones are created for an engagement to track the progress of the engagement.
part of Advanced Audit
Pending Patch

There could be many risks associated with a pending patch update. Instead of opening an issue for each risk, all of these risks could be
related to one issue.

Issue Relationship Configuration

If a risk is related to an issue, then the entity of that risk will automatically be associated to that issue.
Through GRC Administration > Issue Relationship Configuration, administrators can control which items will be automatically
related to an issue.
Audit Report Templates

To access the audit report templates, navigate to Audit > Audit Report Templates
Enable Record Confidentiality

Enable the sn_grc.enable_record_confidentiality system property in the GRC: Profiles application scope.


GRC regulatory change management essentials
******************************************
On average, an organization adheres to three to ten regulations.
Regulations are stored in the Authority document [sn_compliance_authority_document] and
Citation [sn_compliance_citation] tables.
Relationships are mapped between citations and an organization's policies and control objectives,
which are stored in the Policy [sn_compliance_policy] and Control objective [sn_compliance_policy_statement] tables.

GRC fundamentals
****************

Authority document -> Name, version, date
-> its paragraphs are called citations
PCI citation example -> authorizing visitors where cardholder data is maintained
Control Objective -> Policy
-> some are driven by one or multiple regulations
-> others by org culture
-> to be related to the citation(s) it addresses
-> compliance is measured at the control objective level
Risk framework -> Risk
-> what risks to manage
Entity types -> entities
-> locations
-> vendor
-> entity classes
control / risk are generated
scoping -> control objective scoped with entity type -> location
risk and control owners -> monitor and review
-> test plans and indicators
-> monitor controls
indicator templates
indicator
-> manual
-> automated
issue
assessments -> Control attestation
-> Risk assessment
risk response task
-> manage, mitigate, avoid, accept
Orgs relate controls to risks
control effectiveness allows owners to identify areas that carry risk.

audit management -> select entities not entity types
scoped with specific entities

Advanced audit
-> audit plan
-> PPM integration for resource planning

Compliance team
Compliance admin
sn_compliance.admin
compliance manager
sn_compliance.manager
compliance user
sn_compliance.user

Regulatory change management
regulatory change admin
sn_grc_reg_change.admin
regulatory change manager
sn_grc_reg_change.manager
regulatory change user
sn_grc_reg_change.user

Risk team
risk admin
sn_grc_risk.admin
risk manager
sn_grc_risk.manager
risk user
sn_grc_risk.user

Audit team
audit admin
sn_audit.admin
audit manager
sn_audit.manager
audit user
sn_audit.user

GRC business users
complete activities that the compliance and risk teams need done
e.g. application owner, head of government sales
sn_grc.business_user


workspaces
compliance workspace -> compliance manager
Risk workspace -> risk manager
audit workspace -> audit manager
360-degree view of a control objective


Create an entity framework
entities are the people, places or objects that need to be monitored in order to manage risk, track control compliance and be reviewed as
part of audit engagements.

Relationship b/w entities, entity types and entity classes
entity types and entities are used to scope an organization.
entity types are dynamic categories containing one or more entities.
they are associated to policies, control objectives, risk frameworks and risk statements
entities can belong to more than one entity type.
entity classes
an entity can be part of many entity types but can belong to only one entity class
entity types can have entities that belong to various entity classes
can have their own hierarchy
entity tiers
a way to logically group entity classes and then filter reports by those groupings.
Entity types
it is recommended to use core tables when creating entity types
cmn_ , sys_ , cmdb_ci , core_
values of class, owner and other fields defined in the entity filter are passed to the entities generated via that entity filter.