NIST CSF tables
Summary of NIST CSF tables
The NIST CSF tables in ServiceNow GRC provide structured tracking and management of cybersecurity activities aligned with the NIST Cybersecurity Framework. These tables enable customers to monitor targets, activities, gaps, controls, risks, issues, action plans, and indicators comprehensively within the platform.
Key Tables and Their Practical Use
- Target [sn_grc_target]: Acts as a core shared entity for GRC applications and use-case content packs, uniquely linking to specific entities for tracking cybersecurity-related attributes.
- NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity]: Tracks cybersecurity activities relevant to each target, facilitating gap analysis by identifying gaps, non-compliant controls, risks, issues, failed indicators, and associated action plans.
- Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act]: Records control objectives not yet implemented, useful for reporting and drilling down into unaddressed cybersecurity areas.
- Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act]: Tracks controls that are implemented but found non-compliant, aiding in compliance reporting and issue management.
- Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities]: Associates risks with implemented controls, providing visibility into risk exposure related to cybersecurity objectives.
- Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act]: Captures issues linked to controls and associated risks, supporting detailed issue tracking and metrics.
- Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act]: Tracks remediation tasks identified for issues, enabling structured plans for resolving cybersecurity weaknesses.
- Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act]: Monitors failed indicators related to targets, controls, or risks, assisting in performance and compliance evaluation.
- Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt]: Manages associations between control objectives at the same level, supporting complex relationship mapping beyond simple parent-child hierarchies.
Key Outcomes
By leveraging these NIST CSF tables, ServiceNow customers can:
- Effectively track and manage cybersecurity activities aligned to NIST CSF standards.
- Identify and analyze gaps and non-compliance issues systematically.
- Maintain clear associations between risks, controls, issues, and remediation efforts for comprehensive governance.
- Enhance reporting capabilities and drill-down analysis to support decision-making and continuous cybersecurity improvement.
- Integrate various cybersecurity elements cohesively within the ServiceNow GRC environment to meet compliance and risk management goals.
A few tables are impacted by the NIST CSF guidance.
| Table | Purpose |
|---|---|
| Target [sn_grc_target] | Target is a core table designed to be a shared component of the ServiceNow GRC application and GRC use-case content packs. Target is like an entity in its purpose, but is used to track any attributes specific to use-case content packs. No two target records can reference the same entity at any time. |
| NIST CSF Activity [sn_irm_nist_csf_nist_csf_activity] | The NIST CSF Activity table is used to track the cybersecurity activity relevant to a target. The activity also helps in performing gap analysis that identifies the gaps, non-compliant controls, risks, issues, failed indicators, and action plans for a cybersecurity activity. |
| Gaps [sn_irm_nist_csf_m2m_policy_state_nist_csf_act] | The Gaps table in NIST CSF is used to track, as gaps, control objectives that aren’t yet implemented. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Gaps to Targets. |
| Non-compliant Control [sn_irm_nist_csf_m2m_cxontrols_nist_csf_act] | The Non-compliant Control table in NIST CSF is used to track controls that are identified as non-compliant. Only cybersecurity control objectives, as defined by the framework core, that are implemented as controls and are non-compliant are tracked. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Non-compliant Controls to Targets. |
| Risk [sn_irm_nist_csf_m2m_risks_nist_csf_activities] | The Risk table in NIST CSF is used to track risks that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Risks to Targets. |
| Issue [sn_irm_nist_csf_m2m_issues_nist_csf_act] | The Issue table in NIST CSF is used to track issues that are associated with controls that have been implemented for cybersecurity control objectives as defined by the framework core. Issues of risks associated with these controls are also included in the metric. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Issues to Targets. |
| Action Plan [sn_irm_nist_csf_m2m_remediation_nist_csf_act] | The Action Plan table in NIST CSF is used to track the action plans that are identified for the issues. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Action Plans (remediation tasks) to Targets. |
| Failed Indicators [sn_irm_nist_csf_m2m_indicators_nist_csf_act] | The Failed Indicators table in NIST CSF is used to track the failed indicators of the target and the control or risk. This table comes in handy for reporting and drill-down purposes. It's an m2m table that associates Failed Indicators to Targets. |
| Related Control Objectives [sn_compliance_m2m_policy_stmt_policy_stmt] | The Related Control Objectives table in NIST CSF is used to track the associations between control objectives. In the base implementation, parent and child control objectives are supported, but this table introduces the concept of relating control objectives at the same level. |