Manage policies and control objectives
Summary of Manage policies and control objectives
The Policies and Procedures module provides comprehensive information regarding policy approvals, policies, and control objectives within the Governance, Risk, and Compliance (GRC) framework. It enables compliance managers to catalog, publish, and manage internal policies while ensuring adherence to business processes and standards.
Key Features
- Policy Approval Process: Policies undergo a strict approval process with defined states: Draft, Review, Awaiting Approval, Published, and Retired. Each state dictates who can modify the policy and its progression towards publication.
- Policy Validity: Compliance managers set the duration of policy validity, ensuring regular reviews. Policies automatically revert to Draft/Review state upon expiry based on defined parameters.
- Control Objectives: Compliance managers create and categorize control objectives that guide operations. Control objectives can be linked to policies and citations for comprehensive compliance management.
- Acknowledgment Campaigns: After publication, campaigns can be initiated to ensure employees acknowledge compliance with policies.
- Templates for Publishing: GRC managers can create article templates for consistent policy presentation in the knowledge base.
Key Outcomes
By effectively managing policies and control objectives, ServiceNow customers can ensure compliance, minimize risks, and maintain a standard of governance within their organization. The structured process allows for clear visibility into policy statuses and streamlined management of compliance activities.
The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and control objectives.
Policies
Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and/or standards.
Policy approval process
Policies are part of a strict approval process that ensures compliance and reduces exposure to risk. When a policy is published, it is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.
| State | Description |
|---|---|
| Draft | All policies start in Draft state. In this stage, all compliance users can modify the policy and control objectives. |
| Review | The owner, owning group, and reviewers can modify the policy and control objectives and send it on to the next state. |
| Awaiting Approval | The policy is read only in this state. Approved policies transition to the Published state. Unapproved policies return to Review. If no approvers are identified on the policy form, the state is skipped and the policy is published without an approval. |
| Published | Approved policies are automatically published to a template-defined KB article, and the policy remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid. Note: After the policy is published and its Valid to date is reached, the policy moves back to the Draft/Review state after the number of days set in the property "Number of days after reaching a policy 'Valid to' date in which the expired policy will automatically move from its Published state back to a Draft/Review state". For example, if the value of the property is 10, the policy moves back to the Review state 10 days after the Valid to date is reached. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in ). The Article template field on the policy form defines the style of the published policy. |
| Retired | When a policy is put into the Retired state, its associated KB article is removed. |
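The state table above, modelled as an added example (not ServiceNow code, and not a ServiceNow API): the per-state edit permissions, the skipped Awaiting Approval state when no approvers are named, and the scheduled revert to Review once the Valid to date plus the grace period has passed. The `EXPIRY_GRACE_DAYS` constant is a hypothetical stand-in for the system property the table names, and `Policy`, its fields and all function names are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

State = Enum("State", "DRAFT REVIEW AWAITING_APPROVAL PUBLISHED RETIRED")
# Hypothetical stand-in for the "Number of days after reaching a policy 'Valid to'
# date ..." property described on the page; 10 matches the page's own example.
EXPIRY_GRACE_DAYS = 10

@dataclass
class Policy:
    owner: str
    owning_group: set = field(default_factory=set)
    reviewers: set = field(default_factory=set)
    approvers: set = field(default_factory=set)
    valid_to: Optional[date] = None
    state: State = State.DRAFT
    kb_article_published: bool = False

def can_modify(policy, user, compliance_users):
    if policy.state is State.DRAFT:  # any compliance user may edit a draft
        return user in compliance_users
    if policy.state is State.REVIEW:  # owner, owning group and reviewers only
        return user == policy.owner or user in policy.owning_group | policy.reviewers
    return False  # Awaiting Approval, Published and Retired are read only

def publish(policy):
    policy.state = State.PUBLISHED
    policy.kb_article_published = True  # pushed to the template-defined KB article
    return policy.state

def request_approval(policy):
    # Leaving Review: Awaiting Approval is skipped entirely when no approvers are named
    if not policy.approvers:
        return publish(policy)
    policy.state = State.AWAITING_APPROVAL
    return policy.state

def record_decision(policy, approved):
    if approved:
        return publish(policy)
    policy.state = State.REVIEW  # unapproved policies return to Review
    return policy.state

def check_expiry(policy, today):
    if (policy.state is State.PUBLISHED and policy.valid_to is not None
            and today >= policy.valid_to + timedelta(days=EXPIRY_GRACE_DAYS)):
        policy.state = State.REVIEW  # expired: back to Review after the grace period
    return policy.state
```

A review job that calls `check_expiry` daily is what keeps a policy with no approvers from staying Published indefinitely, which is the control the Valid to field exists to enforce.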
Control objectives
Compliance managers catalog the control objectives and generate controls from those control objectives.