Linking automatically generated issues to a control in Many-to-many relationship

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Linking Automatically Generated Issues to a Control in Many-to-Many Relationship

    This content explains how to link automatically generated issues to controls within a many-to-many relationship in ServiceNow. It highlights the differentiation between manually created and automatically generated issues using the Originator flag, which is vital for tracking the source of issues effectively.

    Show full answer Show less

    Key Features

    • Issue Generation: Issues can be automatically generated due to control test failures, control attestation failures, or control indicator failures. Each failure type updates the Issue source field with specific tags, aiding in tracking.
    • Originator Flag: This flag determines whether an issue is automatically generated or manually created. It is essential for managing multiple issues linked to a control and is automatically set during the installation of the latest plugin.
    • Conflict Management: When linking multiple automatically generated issues, conflicts may arise if the source of issue generation is inconsistent. The Originator flag helps manage this by indicating the type of issue linked.

    Key Outcomes

    By utilizing the functionality to link issues effectively, ServiceNow customers can maintain compliance and track the status of controls more efficiently. The automatic tagging of issues enables clearer reporting on non-compliance reasons, facilitating better decision-making and accountability within the organization.

    You can link an automatically generated issue that belongs to a different control as a related issue to a control. The Originator flag helps you to differentiate those control issues that were automatically generated from the controls that were manually created.

    Manually created and automatically generated issues

    Note:
    You can identify the origin of an issue whether it was automatically generated or manually created after you link the issue from one control to another only in a control form.

    You can create an issue manually for a control when you click the New button in the Issues related list of a Control form. For manually created issues, see Manually create GRC issues.

    However, issues are also automatically generated when there are:
    Control test failure
    If there’s a control test which is linked to a control and when one of the test is marked ineffective and closed, then the control becomes non-compliant. As a result, an issue is automatically generated. Control tests can be design test or operational test which can be marked ineffective and the tests can be common across all controls.
    Control attestation failure
    When the user who is an attestation respondent of a control rejects the control, then the status of the control becomes non-compliant and an issue is automatically generated.
    Control indicator failure
    Similarly, when a control indicator fails, the control becomes non-compliant and an issue is automatically generated.

    The source of the issue generation for one or more of the three failures can be tracked with the tags in the Issue source field of the Issue details. If there is a control test failure, the Issue source field is updated with a tag, Control Test Failure. If the issue was created manually, then the Issue source tag is Ad-Hoc.

    When a control's status moves to non-complaint, all the reasons for non-compliancy are pulled from the Issue source field and displayed as Reasons for non-compliance in the Status widget of the control's Overview page.
    Figure 1. Reasons for non-compliance
    List of reasons for a control's non-compliance.

    Handling more than one automatically generated issue while linking to a control

    You can add an automatically generated issue that belongs to another control, to a control in an m2m relationship using the Add button. However, adding an automatically generated issue from another control to a control with an existing automatically generated issue conflicts the source of the issue generation. To track the source of issue generation, a back-end flag, Originator, is used. It is a true or false flag and is false, by default. Originator is flagged true or false, if:
    • An automated issue of another control is associated to the current control, then the Originator is false.
    • It is a manual issue of the current control, then the Originator is false.
    • It is an automated issue of current control then the Originator is true.
    1. When there is an issue that exists with Originator as true, and if a control failure happens, the Issue source field of the issue is updated with the source of the issue. For example, there’s an issue with originator as true already present and the issue source is Control test failure. If another control failure happens, such as control attestation failure, then the Issue source is updated with two tags, namely Control test failure and Control attestation failure.
    2. When there is no issue present with Originator as true, and if one of the three control failures happens a new automated issue with originator as true is created. For example, if there's a control attestation failure for a particular control that has no issue linked to the control with the originator as true, then a new automated issue with Issue source as control attestation failure is created and the originator is true.

    Data migration

    The logic behind flagging an issue as automatically generated or manually created with the Originator flag is handled automatically when you install the latest plugin. For all automated issues linked to existing controls, the originator flag is true in the m2m records between the control and the issue.