Governance, Risk, and Compliance

From Wiki Archive
Note: This article applies to Fuji and earlier releases. For more current information, see Governance, Risk, and Compliance (GRC) at http://docs.servicenow.com

The ServiceNow Wiki is no longer being updated. Visit http://docs.servicenow.com for the latest product documentation.

Overview

The Governance, Risk, and Compliance (GRC) application supports the management of authority documents, citations, controls, policies, risks, control tests, audits, and the reporting on them, as described in the sections below.

Note: The Core GRC Components [com.snc.governance_core] plugin includes components used by the Governance, Risk, and Compliance (GRC) [com.snc.governance] plugin. These components include GRC Risks, Risk Criteria, Remediation Tasks, Policies, Standards, and Standard Operating Procedures. The Core GRC Components [com.snc.governance_core] plugin does not include support for Authority Document management, Unified Compliance Framework (UCF) integration, Control management, Control testing, or Auditing Activities. To leverage these capabilities, install the Governance, Risk, and Compliance (GRC) [com.snc.governance] plugin.


GRC Process

The GRC process involves three phases: documentation, monitoring and verification, and reporting.

Documentation

The documentation phase involves creating controls for your Governance, Risk and Compliance audits. Users with the grc_admin role can import authority documents from an external standards provider, or create custom controls.

Authority Documents

An authority document is a document that defines the external standards, frameworks, or regulations that a process must use. These are stored as references, from which policies can be defined. Create your own authority documents or download and import the UCF authority documents you want into GRC.

Citations

The authority document can be broken up into citations that can be interrelated using configured relationships. In this way, not only can the authority document be viewed as a whole, but the relationships between different sections can be mapped to better record how the authority document is meant to be implemented.

The same relationship mechanism can be used to document relationships across authority documents. This is important because different sources address the same or similar controls and objectives.

Controls

A control is a process to mitigate risk, enforce a mandated policy statement, and address the directive of an authority document. The control may have one or many control tests associated with it. This ensures that the control is effective and provides continued compliance. Controls can also be directly associated with citations to map an organization's internal controls to those mandated by the authority document.

Policy Creation

A policy document defines an internal practice that processes must follow. The Policy [grc_policy] table extends Knowledge [kb_knowledge]. Each policy is stored in the knowledge base and can be accessed in the same way as any other published article.

To manage elements of the policy, the policy can be associated with:

Policy Scope

Scope is the effective level to which a policy, standard, or SOP applies. This could refer to a location, business unit, or anything that is important to the organization. In versions prior to the Fuji release, these levels were called Entities.

Monitoring and Verification

Monitoring and verifying the GRC process involves validating controls and tests with audits and evaluating risks.

Risks

A risk defines the possible consequence of failing to comply with a policy. Each risk is rated against risk criteria, and those ratings feed a risk approach calculation. The calculation is driven by risk approach rules that typically use the values in the Significance and Likelihood fields of the Risk Criteria [grc_risk_criteria] table. Each criterion record carries a Display value field, so the rating can be shown as text, and a weighting, which the risk approach rules use to rank risks.

After the risks are defined, they can be associated with controls to identify how they are being mitigated.
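The paragraph above describes the shape of the calculation but not its arithmetic. The following JavaScript model is an added example, not code from the ServiceNow GRC plugin: it stands in Risk Criteria rows with display values and weights, applies ordered risk approach rules to a score, and then checks which rated risks still have no mitigating control. The criteria weights, the rule thresholds, the scoring formula (significance weight multiplied by likelihood weight), the approach names and the sample risk records are all constructed assumptions for illustration.

```javascript
// Added example, not ServiceNow code. Models how risk approach rules can rank a
// risk from Significance and Likelihood criteria. Table names follow the page;
// the weights, display values, rule thresholds and sample records are assumed.

// Constructed stand-in for Risk Criteria [grc_risk_criteria] rows: each has a
// criterion type, the text shown to users (Display value) and a numeric weight.
const riskCriteria = [
  { type: "significance", display: "Low",      weight: 1 },
  { type: "significance", display: "Moderate", weight: 3 },
  { type: "significance", display: "High",     weight: 5 },
  { type: "likelihood",   display: "Rare",     weight: 1 },
  { type: "likelihood",   display: "Possible", weight: 3 },
  { type: "likelihood",   display: "Likely",   weight: 5 },
];

// Constructed risk approach rules, evaluated in ascending order; first match wins.
// Each rule covers an inclusive score range and names the approach it assigns.
const riskApproachRules = [
  { order: 100, min: 1,  max: 3,  approach: "Accept" },
  { order: 200, min: 4,  max: 9,  approach: "Mitigate" },
  { order: 300, min: 10, max: 25, approach: "Avoid" },
];

// Resolve a display value (e.g. "High") to the weight behind it.
function weightFor(type, display) {
  const row = riskCriteria.find(c => c.type === type && c.display === display);
  if (!row) throw new Error(`no ${type} criterion with display value "${display}"`);
  return row.weight;
}

// Assumed scoring formula: significance weight multiplied by likelihood weight.
function riskScore(risk) {
  return weightFor("significance", risk.significance) * weightFor("likelihood", risk.likelihood);
}

// Apply the ordered rules to the score; a score no rule covers is left unrated.
function riskApproach(risk) {
  const score = riskScore(risk);
  const rules = [...riskApproachRules].sort((a, b) => a.order - b.order);
  const rule = rules.find(r => score >= r.min && score <= r.max);
  return { number: risk.number, score, approach: rule ? rule.approach : "Unrated" };
}

// Roll-up: risks whose approach is anything other than Accept but which have no
// control associated with them, i.e. the gaps a reviewer would want surfaced.
function uncontrolledRisks(risks, controlLinks) {
  const covered = new Set(controlLinks.map(l => l.risk));
  return risks.map(riskApproach)
    .filter(r => r.approach !== "Accept" && !covered.has(r.number))
    .map(r => r.number);
}

// Constructed sample risks and risk-to-control associations.
const sampleRisks = [
  { number: "RISK0001", significance: "High",     likelihood: "Likely" },
  { number: "RISK0002", significance: "Low",      likelihood: "Rare" },
  { number: "RISK0003", significance: "Moderate", likelihood: "Possible" },
];
const sampleControlLinks = [{ risk: "RISK0001", control: "CTRL0001" }];

for (const risk of sampleRisks) console.log(riskApproach(risk));
console.log("rated risks with no control:", uncontrolledRisks(sampleRisks, sampleControlLinks));
```

Evaluating the rules in a fixed order matters once ranges overlap or a catch-all rule is added: a later rule must never silently override a more specific earlier one, so the order field, not the insertion order of the records, decides the match.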

Control Tests and Definitions

A control test definition determines how and when a control test is performed, including execution steps and expected results. Condition collections can be created with associated conditions to define advanced control test logic. Each time the control test is performed, a control test instance is generated as a task to be executed, according to the control test definition.
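To make the relationship between conditions, condition collections and a generated control test instance concrete, here is an added JavaScript model. It is not code from the ServiceNow GRC plugin and does not reproduce its condition tables or the Execute Now mechanics; the operator set, the record shape, the scope/expected split in the definition, and the sample configuration item records are constructed assumptions. The same nesting of AND/OR groups is what the Dublin certification filters and templates described under Enhancements express for attribute conditions on a table.

```javascript
// Added example, not ServiceNow code. Models conditions grouped into condition
// collections (match "all" = AND, match "any" = OR, nestable) and a control
// test definition run over in-scope records to produce a control test instance.

// Assumed operator set; a real deployment would map these to the platform's own.
const operators = {
  "=":  (a, b) => a === b,
  "!=": (a, b) => a !== b,
  "<=": (a, b) => a <= b,
  ">=": (a, b) => a >= b,
  "in": (a, b) => b.includes(a),
};

// A condition checks a single field of a record. A record that lacks the
// field fails closed: absent evidence is never treated as compliance.
function evalCondition(cond, record) {
  const op = operators[cond.operator];
  if (!op) throw new Error(`unknown operator ${cond.operator}`);
  if (!(cond.field in record)) return false;
  return op(record[cond.field], cond.value);
}

// A condition collection combines its conditions and nested collections.
// An empty collection evaluates to false so a misconfigured test cannot pass.
function evalCollection(coll, record) {
  const results = [
    ...(coll.conditions || []).map(c => evalCondition(c, record)),
    ...(coll.collections || []).map(c => evalCollection(c, record)),
  ];
  if (results.length === 0) return false;
  return coll.match === "any" ? results.some(Boolean) : results.every(Boolean);
}

// Run a definition over the records: the scope collection selects which records
// are tested, the expected collection decides pass/fail per record. The returned
// object stands in for a control test instance; generated_from_audit records the
// audit that triggered it, mirroring the field the page describes.
function runControlTest(definition, records, generatedFromAudit) {
  const inScope = records.filter(rec => evalCollection(definition.scope, rec));
  const failed = inScope
    .filter(rec => !evalCollection(definition.expected, rec))
    .map(rec => rec.name);
  return {
    definition: definition.name,
    generated_from_audit: generatedFromAudit || "",
    records_tested: inScope.length,
    failed,
    result: failed.length === 0 ? "Pass" : "Fail",
  };
}

// Constructed control test definition: production and DR Linux servers must be
// patched within 30 days and run a host firewall.
const patchingControlTest = {
  name: "Linux patch currency and host firewall",
  scope: { match: "all", conditions: [
    { field: "os", operator: "=", value: "linux" },
    { field: "environment", operator: "in", value: ["production", "dr"] },
  ]},
  expected: { match: "all", conditions: [
    { field: "patch_age_days", operator: "<=", value: 30 },
    { field: "firewall_enabled", operator: "=", value: true },
  ]},
};

// Constructed sample configuration item records (not real inventory).
const sampleServers = [
  { name: "web01", os: "linux",   environment: "production", patch_age_days: 12, firewall_enabled: true },
  { name: "db01",  os: "linux",   environment: "production", patch_age_days: 45, firewall_enabled: true },
  { name: "app02", os: "linux",   environment: "dr",         patch_age_days: 20 }, // firewall state never recorded
  { name: "win01", os: "windows", environment: "production", patch_age_days: 3,  firewall_enabled: true },
];

console.log(runControlTest(patchingControlTest, sampleServers, "AUD0001"));
```

Note the two fail-closed choices: a record missing the attribute under test counts as a failure, and an empty collection never passes. Both keep a half-built or mis-scoped test definition from producing evidence of compliance that was never actually checked.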

Audits

An audit definition establishes a repeatable process for validating controls and control tests. From the definition, audit instances are generated as tasks that carry out the audit.

Once generated, audit instances can reference any existing evidence of compliance by associating previously executed control tests with the control test definitions that have been established in the audit.

During the audit process, the auditor records audit observations to track the information gathered, and can create remediation tasks from those observations.

An administrator can also create and assign remediation tasks that must be performed before and during an audit. In addition, audit requirements associate citations with the audit, allowing auditors to track compliance or non-compliance with the original regulations.

If the latest evidence is not recent enough, click Execute Now in the Control Test Definition form to execute a control test instance. This action creates the control test instance and automatically associates it to the audit. The control test instance record also has the Generate from audit field populated with the audit number, so that it is clear that the test was created from an audit and not manually.

Reporting

GRC provides three reporting portals that deliver reports to specific users related to the GRC elements assigned to them or their groups.

Menus and Modules

GRC application menu
  • My GRC: Displays all available GRC reports in the portal to users with the grc_admin role. This module is available starting with the Fuji release.
  • My GRC Audits: Displays all available audit reports in the portal to users with the grc_audit_definition_admin or grc_internal_auditor role. This module is available starting with the Fuji release.
  • My GRC Controls: Displays all available control reports in the portal to users with the grc_test_definition_admin or grc_process_owner role. This module is available starting with the Fuji release.
  • Policies: Displays a list of policies that contains documents describing internal practices that processes must follow.
  • Standards: Displays a list of standard policy classes that you can use to define policies at a specific level in an organization.
  • Standard Operating Procedures: Displays a list of standard operating procedure (SOP) policy classes that you can use to define policies at a specific level in an organization.
  • Risks: Displays a list of risks that define the potential consequences of ignoring policies.
  • Controls: Contains modules that display all controls or those controls associated with the logged in user or the logged in user's group.
  • Control Tests: Contains modules that display all control tests or those tests associated with the logged in user or the logged in user's group.
  • Remediation: Contains modules that display all remediation tasks or those tasks associated with the logged in user or the logged in user's group.
  • Audit: Contains modules that display all audits or those audits associated with the logged in user or the logged in user's group. Also displays an Overview portal containing audit-related reports.
  • Observations: Contains modules that display all audit observations or those observations associated with the logged in user or the logged in user's group.
  • Authority Documents: Displays the list of authority documents, which define the external standards, frameworks, or regulations that a process must use.
  • Administration
    • Scopes: Displays the list of scopes that define the various levels available for policies, standards, and SOPs. In versions at Eureka and earlier, this module is called Entities.
    • Risk Criteria: Displays the list of risk criteria.
    • Risk Approach Rules: Displays the list of risk approach rules.
    • Control Test Definitions: Displays the list of control test definitions.
    • Condition Collections: Displays the list of condition collections.
    • Conditions: Displays the list of predefined conditions.
    • Audit Definitions: Displays the list of audit definitions.
    • Filters: Displays the list of active certification filters. This functionality is available starting with the Dublin release.
    • Templates: Displays the list of certification templates of audit type Compliance. This functionality is available starting with the Dublin release.
    • UCF Update Status: Displays the status of the last UCF update, by phases. This module is available starting with the Fuji release.
    • Import UCF Content: Initiates the download or update of UCF authority documents and lets you select which content to import into GRC tables. This module is available starting with the Fuji release.
    • Properties: Displays the GRC properties, including UCF import settings. This module is available starting with the Fuji release.

Activating Governance Risk and Compliance

Administrators can activate the Governance, Risk and Compliance plugin. Additional plugins are activated as needed. This plugin provides demonstration data.


Enhancements

Fuji

  • GRC supports the use of UCF authority documents in GRC authority documents, citations, and controls. Administrators use a dedicated interface to select and import specific authority documents that contain the guidance they need. GRC tracks UCF versions and enables administrators to view changes before importing a new version of a document. An approval process ensures that only those documents currently used by the organization for compliance are imported into GRC tables.
  • A type of survey called an attestation allows an organization to evaluate its compliance with its policies. An attestation is created in a control test definition and sent to users who execute company policy or manage compliance standards. GRC gathers and displays results from each control test based on the configured scoring criteria. Administrators can create an assertion on the attestation that contains requirements, admonitions, or directions related to the questions, and then require recipients to certify that they have read and complied with the policy with a signature.
  • Attestation scorecards display the responses from each survey by recipient, question, or category and provide yearly or quarterly comparisons. Scorecards are dynamically updated by the system.
  • GRC provides reporting on compliance, controls, and audits. Audit reports are driven by database views, which enable reporting on joined tables. Three report portals deliver reports to specific users, by role, related to the GRC elements assigned to them or their groups.
  • The system automatically generates calculated links between authority documents, citations, policies, and risks in any hierarchy you establish. This feature creates indirect links between GRC elements that update dynamically and enable the system to roll up results from control tests for reporting purposes.
  • GRC automatically executes any control test definition associated with an audit definition when the audit instance is created.

Dublin

  • Control test definitions support the use of certification filters and templates to define the scope and conditions for control tests. Templates enable an administrator to define attribute conditions for any table in ServiceNow.
  • Demonstration data provided with the Dublin release enables customers to audit vendors for non-disclosure agreements (NDA). You can substitute filters and templates for the existing condition collection functionality, but you must create your own records. ServiceNow does not provide NDA demonstration data for the new elements.