Manage controls

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Manage controls

    Controls are specific implementations of control objectives within your organization’s Governance, Risk, and Compliance (GRC) framework. Managing controls effectively requires rationalizing, consolidating, and defining the controls that matter most to your business before fully implementing them in the ServiceNow GRC application.

    Show full answer Show less

    Rationalize Your Controls

    • Review and refine your controls regularly instead of bulk uploading all controls to avoid outdated or ineffective measures.
    • Evaluate controls based on their impact on business objectives and their effectiveness in preventing or detecting risk.
    • Consider replacing complex or redundant controls with simpler, more efficient alternatives that also reduce process overhead and enhance IT performance.
    • When defining controls, ensure each control is associated with an entity, which is a mandatory field on the Control form. Missing or disabled entities can cause inaccurate calculations and controls should be retired if their associated entities are disabled.

    Consolidate Your Controls

    Identify and eliminate redundant controls across multiple regulatory frameworks (such as SOX, GLBA, AML) by cross-mapping common controls. This consolidation creates a unified control framework that simplifies audits while preserving necessary mappings.

    Define Controls and Business Rules

    Establish business rules upfront to configure your GRC system effectively. This includes:

    • Identifying controls and their owners
    • Defining control tests and expected results
    • Setting test and control frequencies
    • Identifying risks based on impact and likelihood
    • Preparing attestations, assessments, questionnaires, and gathering required evidence
    • Designing use cases for system interactions and access
    • Mapping authoritative sources to policies, procedures, controls, and risks

    Entity-Based Access

    ServiceNow provides an Entity-Based Access framework for granular data access management. Administrators can assign access to entity-related records by adding users or groups or configuring entity user fields. Users with appropriate roles and entity qualifications gain access to key tables such as Control, Attestation, and Policy Exception to Control. This approach enhances security and ensures users only see relevant control data.

    Controls are specific implementations of a control objective. Retired controls do not appear in the list. Before defining controls, take time to rationalize, consolidate, and define the important controls in your organization.

    Rationalize your controls

    If you upload all your controls in bulk, you are missing the opportunity to refine and streamline your controls set. As your business changes, and your IT data, processes, and technology improve, replace outdated controls and procedures when you implement your GRC application. Consider the following:
    • How does this control affect my business objective?
    • Is this control actually preventing or detecting risk?
    • Is there a different control you can place that better protects your business?
    • Is there a control you can put in place that reduces process overhead and improves IT performance while also mitigating risk?
    • Can a complicated control be replaced with a simpler more effective control?
    Note:
    When you define controls manually or when you import them from the Unified Compliance Framework (UCF), an entity is associated with the controls. It is a mandatory field on the Control form. If, however, you import controls from a source other than the UCF, you may encounter controls that do not have associated entities. It is important that you return to the Control form and add an entity to the control. Missing entities can cause unreliable results in calculations. Also, if you encounter a control with an entity that has been disabled, the control should be retired.

    Consolidate your controls

    Look for opportunities to consolidate controls. Look for common, repeated controls across multiple regulatory authorities of frameworks (for example, SOX and GLBA and AML). Avoid operating a single control multiple times for each regulation, by cross-mapping controls and eliminating the redundant ones. This process establishes a single consolidated set of controls = control framework, performing and preserving the cross mapping of controls is critical for audits.
    Figure 1. Industry regulations and requirements overlap
    Industry regulations and requirements overlap

    Define controls and business rules

    The business rules you define up front, establish the GRC configuration settings later. Be prepared to:
    • Identify controls and control owners
    • Define control tests and expected results
    • Establish test and control frequencies
    • Identify risks: impact and likelihood
    • Prepare attestations, assessments, questionnaires, and required evidence
    • Compose likely use-cases (who needs to interact with or view the contents of the GRC system and for what purposes)
    • Map authoritative sources to policies, to procedures, to controls, and to risks
    Note:
    The Entity Based Access provides a framework for more granular approach to management of data access to objects associated with an entity. Administrators can grant access to an entity's related records by adding users or user groups, or by using entity user fields for entity-based access configuration. For more information, see Entity Based Access. When a user is qualified based on these configurations and has the minimum required roles, they will have access to the following tables:
    • Control
    • Attestation
    • Policy exception to control