Xanadu |
- Upload policy document from your local machine to Microsoft OneDrive
- Upload a Microsoft Word document that exists in your local machine to Microsoft OneDrive and link the document with the policy. You can access the document from any device and enable multiple users to collaborate on the policy document.
- Create and associate a policy text document in Google Drive
- Integrate your ServiceNow instance with Google documents to manage documents in Google Drive. Create a Word document in Google Drive that you can access through a browser and store in Google Drive. You also have the option to create a Microsoft Word document that you can manage in Google Drive.
- Upload policy document from your local machine to Google Drive
- Upload a Microsoft Word document that exists in your local machine to Google Drive and link the document with the policy to enable multiple users to collaborate on the policy document.
- Upload policy document from your local machine to Microsoft SharePoint
- Upload a Microsoft Word document that exists in your local machine to Microsoft SharePoint and link the document with the policy to enable multiple users to collaborate on the policy document.
- Policy authoring using Microsoft SharePoint
- Monitor and revise your organization's policies at regular intervals to maintain their relevance and compliance. Integrating Microsoft Word document files with multiple Microsoft SharePoint sites helps your policy owners, reviewers, and approvers to author, modify, and maintain different versions of a policy text and thus retain its history. You can also collaborate on policy
drafting and review processes. The policy text is updated automatically. You can copy and paste text from a document into the Policy text field in HTML and then convert it to a PDF format.
- Using CRI assessment questions to profile an entity
- Perform a CRI tiering assessment for an entity to determine its tier, and then perform a CRI assessment for that entity. Based on the response to the CRI questionnaire from the assessor, the compliance status of each mapped
control to a question is determined. The overall compliance score of the entity is also calculated.
- User role enhancements in Policy and Compliance Management
- Respond to policy acknowledgments and request a policy exception from the Employee Center portal with the employee operator role.
|
Yokohama |
- Calculate compliance score and roll up to entity
- View a comprehensive compliance score at the entity level that includes all the child entities rolled up to the parent entity along with the compliance score of the parent entity's direct controls.
- Elimination of duplicate citations from UCF Shared list download
- Eliminate duplicate citations associated with the authority documents when you download UCF content. You can retain one citation as active and mark the duplicate citations as inactive. Move the control objectives of the
duplicate citations to the active citation, and update the duplicate citation records with the Source ID of the active citation.
- Improve compliance workspace performance
- Improved the performance of the compliance workspace by removing the issue widget to ensure a faster and smoother user experience. You can still access issue details from the "Issues Overview" section.
- Entity based access
- Entity based access aims to provide a more granular approach to data access, ensuring that users can only access data through entity-based access. The entity-based access has been enabled for controls, attestations and
policy exception to control mappings. Administrators can grant access to an entity's related records by adding users or user groups, or by using entity user fields for entity-based access configuration.
- Deduplication of control objectives
- Using Generative AI, identify and recommend similar control objectives. You can choose to accept a control objective as duplicate, dismiss those that are not similar, or retain a control objective as primary in which details
from all other similar control objectives are merged. Additionally, the system automatically copies related records, including policies and risk statements, to ensure comprehensive information is maintained in one location
after retiring the accepted control objectives.
|
Zurich |
- Association of citations to controls
- In many compliance frameworks, a single control objective may be referenced by multiple citations across different standards, regulations, or policy requirements. Without proper association management, organizations risk
duplicating controls, misinterpreting coverage, or inaccurately reporting compliance. The association of citations to controls feature addresses this challenge by enabling users to associate controls with citations directly.
When this feature is enabled, compliance scores update dynamically based on the status of directly associated active controls.
- Enhancements to control objectives rationalization process
- The following enhancements have been introduced to the rationalization process of control objectives:
- Rationalization process is now automatically created when selecting the Rationalize button in the control objective page.
- The recommendation workflow has been simplified into a two-step process: Step 1 identifies duplicates by accepting or dismissing recommendations; Step 2 finalizes by retaining one recommendation or creating a new common
control objective.
- Approvals for the rationalization process are skipped for owners who are reviewers, and levels where all reviewers are owners are automatically approved.
- Owners and approvers can add comments and justifications directly on recommendation cards and reply to existing comments.
- The user interface has been updated with better navigation, quick summaries, visual improvements, and clear error messages.
- Citation impact analysis and updates with Now Assist for IRM
- When a citation’s description or supplemental guidance is updated, Now Assist identifies related control objectives that might be affected. It reviews these control objectives to determine whether the descriptions or
guidance need changes and provides suggested updates. Users can review, provide feedback, and approve these updates directly in the Now Assist panel, ensuring that citation changes are reflected in associated control
objectives.
- Enhancements to control objectives and controls
-
The following enhancements have been introduced to control objectives and controls:
- The Control objective requirements option provides a granular layer under a control objective. When each control objective has multiple statements, each statement becomes a control objective requirement.
- The Create control requirements option generates control requirements automatically for every control generated under an entity type.
- The Attestation at control requirement level enables attestation at a granular level for individual control requirements within a control.
- Enhancements to policy exception and extension requests
- The following enhancements have been introduced:
- For policy exception and extension requests, approvers can now view key details, such as justification, reason, and validity period, within a pop-up before approving or rejecting a policy exception or policy exception
extension.
- For manual indicators, if the associated control is marked as exempt, no indicator task is generated.
- When a policy exception is in the Analyze state and the Awaiting Requested Information sub-state, the interface now includes a Send Information button that allows the requester to provide additional details or
clarifications requested by the approver.
- Previously, an issue-based exception required a linked policy or control objective for additional approvals. Now, it requires any one of the following: a linked policy, control objective, or control. The control must be
linked to the policy exception itself, not just to the issue.
- GRC Approval Configurator
-
The GRC Approval Configurator can now be used to manage both policy exception and extension approvals. It allows verification, approval, and extension rules to be defined based on state, sub-state, and other filter
conditions, with support for multiple user groups and multi-level approvals. This enhancement provides greater flexibility in assigning appropriate approvers at each level based on defined conditions, facilitating structured
and collaborative reviews. For extension approvals, users can now configure multiple approvers, overcoming the previous limitation of a single default approver (Compliance Manager).
- Common Control Objective Creation
- Use Generative AI to merge similar control objectives into a single, consolidated common control objective. The system automatically populates the name, description, and guidance fields from the accepted duplicates,
eliminating the need to manually select a primary control objective.
- Entity based record access rules to secure new records
-
When entity based record access rules are enabled on the Entity Based Access Configuration Properties page, any newly created controls, control attestations, indicators, and indicator tasks associated with a configured
entity will automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created.
Additionally, when a standard control is converted to a common control, the Entity based access restriction option is inactive by default. Users can manually enable the EBA option for common controls
directly from the Access Settings section in the Details tab of the respective control.
|
Australia |
- Early availability
- Control objective workflow
- After upgrading Policy and Compliance Management to 22.0.1, the new Control objective workflow feature introduces a structured lifecycle for managing control objective records. This feature is controlled by the Enable Control Objective
Workflow property under Policy and Compliance > Properties and is disabled by default.
- Key highlights:
- When disabled, only the State field is added to control objective records. Active records show Published, inactive records show Retired, and new records default to Draft.
- When enabled, control objectives move through: Draft, Review, Approved, Current version, and Retired. The following new fields are also introduced: State, Effective date, Revision type, and Record nature.
- Editing a published control objective creates a working draft, keeping the published record active until approved changes are published.
- Users must select a revision type: Major or Minor. A Major revision moves associated controls back to Draft. A Minor revision applies updates without moving controls back to Draft.
- The Owner and Owning Group fields control who can edit the control objective and perform workflow actions.
- Rationalizing control objectives
- After upgrading Policy and Compliance Management to 22.0.1, both Unified Compliance Framework (UCF) control objectives and non-UCF control objectives can be rationalized together. Key highlights include:
- Recommendation cards show a Source field to indicate whether it originates from UCF or a non-UCF source.
- As UCF control objectives cannot be deactivated, the Identify Duplicates and Finalize sub-states guide the users to retain the UCF control objective. Any UCF recommendations that are not retained are automatically
dismissed when the user requests review.
- Only one UCF control objective can be retained at a time. If you retain a different UCF control objective, the previously retained one is automatically dismissed.
- When rationalization is complete, the retained UCF control objective stays active, accepted non-UCF recommendations are deactivated, and any dismissed UCF control objectives remain active and unchanged.
|