Control assessment based on GRC attestation template

  • Release version: Xanadu
  • Updated August 1, 2024
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Control Assessment Based on GRC Attestation Template

    This feature enables ServiceNow customers to perform control assessments using a smart attestation method based on the GRC attestation template, which leverages the ServiceNow AI Platform. This method offers an alternative to the classic assessment approach, allowing for more automated and intelligent control evaluations within the Policy and Compliance Management application.

    Show full answer Show less

    Key Features

    • Smart Assessment Prerequisites: Requires installation of the GRC: Policy and Compliance Management plugin along with scoped applications including Smart Assessment Core, Migration Tools, Connected, and Designer.
    • System Property: The “Enable smart assessments on control” system property must be set to true to activate the smart assessment method.
    • Template Migration: Legacy metric types can be migrated to new assessment templates ensuring continuity and modernization of assessment processes.
    • Role-Based Access: Different user roles are defined for creating, managing, responding, and viewing attestations and templates, facilitating controlled and secure access to assessment data.
    • Impact on Control and Control Objective Records: When smart assessment is enabled, controls generated from control objectives inherit attestation-related field values, with automatic synchronization of changes between control objectives and controls.
    • Assessment Lifecycle Management: Attestations trigger notifications, can be responded to via Employee Center, Risk Portal, and Compliance Workspace, and influence control compliance status and issue creation or closure.
    • Interface Enhancements: Updated forms and widgets provide visibility into attestation statuses and 360° relationship views for comprehensive compliance management.

    Practical Application for ServiceNow Customers

    By enabling the smart assessment method based on the GRC attestation template, customers can:

    • Automate and streamline control assessments using AI-driven templates.
    • Easily migrate existing legacy assessment metrics to modern templates without losing data continuity.
    • Leverage role-specific access to manage and respond to control attestations securely.
    • Ensure consistent compliance tracking with automatic updates to controls and control objectives.
    • Receive timely email notifications to facilitate prompt attestation responses and compliance actions.
    • Manage control lifecycle events such as draft returns, retirements, exemptions, and reactivations with corresponding impact on assessments.
    • Access attestation responses conveniently through multiple ServiceNow portals tailored for different user roles.

    Next Steps

    • Install required scoped applications and enable the smart assessment system property to start using this method.
    • Migrate legacy assessment templates to the new format using the provided migration tools.
    • Assign appropriate roles to your users based on their responsibilities in managing and responding to attestations.
    • Configure control objectives and controls to use the attestation method and monitor assessment statuses and compliance outcomes.

    You can select the option to attest controls using an assessment method. This assessment is an alternative method to the classic assessment that is based on ServiceNow AI Platform method of assessment.

    Pre-requisites to enable smart assessment in Policy and Compliance Management

    Smart assessment scoped applications
    The base system ships the GRC smart assessment template to the users when the GRC: Policy and Compliance Management (sn_compliance) plugin is installed. However, the following scoped applications are required:
    1. Smart Assessment core (sn_smart_asmt)
    2. Smart assessment Migration tools (sn_smart_asmt_mig). For more information, see Migrate a legacy metric type to an assessment template
    3. Smart Assessment Connected (sn_smart_asmt_conn)
    4. Smart Assessment Designer (sn_smart_asmt_desg). For more information, see Using the template designer
    Enable smart assessments system property
    The Enable smart assessments on control system property must be set to true if you want to assess the controls using the assessment method based on GRC attestation template. For more information on the system property, see Enable smart assessments on control.
    Migrate the template
    Create a new template in Smart Assessment Engine. For more information, see Creating an assessment template from legacy assessment metric types.

    Access control limitations for smart assessment user roles

    sn_grc.business_user and sn_grc.business_user_lite
    As logged in users they can respond to attestations in My Attestations on the Task page of Compliance Workspace, Risk Portal, and Employee Center.
    sn_compliance_ws.corporate_compliance_manager and sn_compliance_ws.it_compliance_manager
    Can view and edit the templates.
    sn_compliance.attestation_creator
    Can create template category and template migration.
    sn_compliance.user
    Can read all the assessments related to control category.

    Assessment template category and migration tables

    Assessment template categories [sn_smart_asmt_template_category]
    The Category role field has the configuration of the minimum reader role required to read the template of this category. The role must contain sn_smart_asmt.template_reader role.
    Assessment template migrations [sn_smart_asmt_mig_template_migration]
    Used to migrate the existing source metric type and template category to the new assessment template format.

    Impact of attestation method on control objective and control generation

    When the Enable smart assessments on control system property is set to true and the Control objective record has the value Attestation in the Attestation method field, then all the controls that are generated for this control objective record after attestation has values defaulted from the control objective. The Attestation method field value defaults to Attestation.

    Note:
    The old control objectives will have default assessment method as classic assessment. If you would like to explore smart assessment method, then you should make necessary changes to either the control objective or the control. The control can be updated only if it does not have any control objective. After you create a new record, you can either opt the classic attestation or attestation as your attestation method.
    • If the control objective is associated with the control, then the generated control inherits the Attestation method and Attestation field values.
    • If a control is created from a control objective, the Attestation method and the Attestation fields are pre-populated, if the control objective has values in these fields.
      Note:
      The controls are automatically created if the Create controls automatically option is enabled for the control objective.

      The Attestation method field is read only. However, you can edit the Attestation field and select a different template for attestation. Any changes done to the control objective are automatically updated in the associated controls.

    • After the control is saved and attested, the Attestations related list appears in the Control record. This related list displays all Assessment instances that are in Open and Completed states.

      If the assessment method is changed from Classic attestation to Attestation in the control objective record, then the changes are reflected in all the control records generated for the control objective. Up until the control moves to the Attest state, the Attestation method and Attestation field values can be updated.

    • If the control was previously generated opting the classic attestation method, then the Classic attestation related list has the details of all completed attestations.
    • If the control is moved to the Draft state by selecting the Return to Draft button, all the assessments that were active are canceled. Similarly, if the control retires, all related assessments are canceled as well.
    • If the control is marked Exempt owing to a policy exception, all the associated assessments are canceled. However, if the Exempt option is cleared for the control and if the control is in the Attest state, then the assessments are re-triggered. And, all the fields in the Attestation section of the control becomes read only.
    • If a policy is associated to the control objective, and the policy is published, then all the fields of the control objective form become read only.
    • When the control moves to the Attest state, the assessments are triggered. An email notification is sent to the control owner and the attestation respondents of the control, with the subject line referencing the new attestation name of the control number and the due date by which the attestation must be completed.
    • If an attestation fails for one of the controls generated from a control objective, then the control becomes non-compliant and an issue is created. Or, if the control has an issue that already exists, then the Issue source field is updated. If the control moves to the Attest state and if the attestation passes, then the existing issues are closed, and the control becomes compliant.