Control assessment based on GRC attestation template

  • Release version: Washingtondc
  • Updated January 25, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Control Assessment Based on GRC Attestation Template

    This guide provides an alternative method for attesting controls using the GRC attestation template in ServiceNow's Policy and Compliance Management. The smart assessment feature allows for a more efficient evaluation process compared to traditional methods. To utilize this feature, specific prerequisites must be met, including enabling the smart assessments system property.

    Show full answer Show less

    Key Features

    • Prerequisites: Users must have the following scoped applications: Smart Assessment Core, Smart Assessment Migration Tools, Smart Assessment Connected, and Smart Assessment Designer.
    • Enabling Smart Assessments: The system property "Enable smart assessments on control" must be set to true.
    • Role-Based Access: Different user roles have specific capabilities, such as responding to attestations, viewing and editing templates, and creating template categories.
    • Control and Objective Management: Controls can be automatically generated based on control objectives, and the attestation method can be updated as needed.

    Key Outcomes

    Setting the system property to enable smart assessments allows for streamlined control management and assessment. When controls move to the Attest state, assessments are triggered, and notifications are sent to relevant stakeholders. Successful attestations lead to compliance, while failures result in non-compliance and issue creation. Users can respond to attestations from various portals, including the Employee Center, Risk Portal, and Compliance Workspace.

    You can select the option to attest controls using an assessment method. This assessment is an alternative method to the classic assessment that is based on ServiceNow AI Platform method of assessment.

    Pre-requisites to enable smart assessment in Policy and Compliance Management

    Smart assessment scoped applications
    The base system ships the GRC smart assessment template to the users when the GRC: Policy and Compliance Management (sn_compliance) plugin is installed. However, the following scoped applications are required:
    1. Smart Assessment core (sn_smart_asmt)
    2. Smart assessment Migration tools (sn_smart_asmt_mig). For more information, see Migrate a legacy metric type to an assessment template
    3. Smart Assessment Connected (sn_smart_assessment_connected)
    4. Smart Assessment Designer (sn-smart-assessment-builder). For more information, see Using the template designer
    Enable smart assessments system property
    The Enable smart assessments on control system property must be set to true if you want to assess the controls using the assessment method based on GRC attestation template. For more information on the system property, see Enable smart assessments on control.
    Migrate the template
    Create a new template in Smart Assessment Engine. For more information, see Creating an assessment template from legacy assessment metric types.

    Access control limitations for smart assessment user roles

    sn_grc.business_user and sn_grc.business_user_lite
    As logged in users they can respond to attestations in My Attestations on the Task page of Compliance Workspace, Risk Portal, and Employee Center.
    sn_compliance_ws.corporate_compliance_manager and sn_compliance_ws.it_compliance_manager
    Can view and edit the templates.
    sn_compliance.attestation_creator
    Can create template category and template migration.
    sn_compliance.user
    Can read all the assessments related to control category.

    Assessment template category and migration tables

    Assessment template categories [sn_smart_asmt_template_category]
    The Category role field has the configuration of the minimum reader role required to read the template of this category. The role must contain sn_smart_asmt.template_reader role.
    Assessment template migrations [sn_smart_asmt_mig_template_migration]
    Used to migrate the existing source metric type and template category to the new assessment template format.

    Impact of attestation method on control objective and control generation

    When the Enable smart assessments on control system property is set to true and the Control objective record has the value Attestation in the Attestation method field, then all the controls that are generated for this control objective record after attestation has values defaulted from the control objective. The Attestation method field value defaults to Attestation.

    Note:
    The old control objectives will have default assessment method as classic assessment. If you would like to explore smart assessment method, then you should make necessary changes to either the control objective or the control. The control can be updated only if it does not have any control objective. After you create a new record, you can either opt the classic attestation or attestation as your attestation method.
    • If the control objective is associated with the control, then the generated control inherits the Attestation method and Attestation field values.
    • If a control is created from a control objective, the Attestation methodand the Attestation fields are pre-populated, if the control objective has values in these fields.
      Note:
      The controls are automatically created if the Create controls automatically option is enabled for the control objective.

      The Attestation method field is read only. However, you can edit the Attestation field and select a different template for attestation. Any changes done to the control objective are automatically updated in the associated controls.

    • After the control is saved and attested, the Attestations related list appears in the Control record. This related list displays all Assessment instances that are in Open and Completed states.

      If the assessment method is changed from Classic attestation to Attestation in the control objective record, then the changes are reflected in all the control records generated for the control objective. Up until the control moves to the Attest state, the Attestation method and Attestation field values can be updated.

    • If the control was previously generated opting the classic attestation method, then the Classic attestation related list has the details of all completed attestations.
    • If the control is moved to the Draft state by selecting the Return to Draft button, all the assessments that were active are canceled. Similarly, if the control retires, all related assessments are canceled as well.
    • If the control is marked Exempt owing to a policy exception, all the associated assessments are canceled. However, if the Exempt option is cleared for the control and if the control is in the Attest state, then the assessments are re-triggered. And, all the fields in the Attestation section of the control becomes read only.
    • If a policy is associated to the control objective, and the policy is published, then all the fields of the control objective form become read only.
    • When the control moves to the Attest state, the assessments are triggered. An email notification is sent to the control owner and the attestation respondents of the control, with the subject line referencing the new attestation name of the control number and the due date by which the attestation must be completed.
    • If an attestation fails for one of the controls generated from a control objective, then the control becomes non-compliant and an issue is created. Or, if the control has an issue that already exists, then the Issue source field is updated. If the control moves to the Attest state and if the attestation passes, then the existing issues are closed, and the control becomes compliant.