Control assessment based on GRC attestation template

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read

    You can choose to attest controls using the assessment method based on the GRC attestation template. This method is an alternative to the classic assessment and uses the ServiceNow AI Platform assessment method.

    Prerequisites to enable smart assessment in Policy and Compliance Management

    Smart assessment scoped applications
    The base system ships the GRC smart assessment template when the GRC: Policy and Compliance Management (sn_compliance) plugin is installed. However, the following scoped applications are also required:
    1. Smart Assessment core (sn_smart_asmt)
    2. Smart Assessment Migration tools (sn_smart_asmt_mig). For more information, see Migrate a legacy metric type to an assessment template.
    3. Smart Assessment Connected (sn_smart_asmt_conn)
    4. Smart Assessment Designer (sn_smart_asmt_desg). For more information, see Using the template designer.
    Enable smart assessments system property
    The Enable smart assessments on control system property must be set to true if you want to assess the controls using the assessment method based on GRC attestation template. For more information on the system property, see Enable smart assessments on control.
    Migrate the template
    Create a new template in Smart Assessment Engine. For more information, see Creating an assessment template from legacy assessment metric types.

    Access control limitations for smart assessment user roles

    sn_grc.business_user and sn_grc.business_user_lite
    As logged-in users, they can respond to attestations in My Attestations on the Task page of Compliance Workspace, Risk Portal, and Employee Center.
    sn_compliance_ws.corporate_compliance_manager and sn_compliance_ws.it_compliance_manager
    Can view and edit the templates.
    sn_compliance.attestation_creator
    Can create template categories and template migrations.
    sn_compliance.user
    Can read all the assessments related to a control category.

    Assessment template category and migration tables

    Assessment template categories [sn_smart_asmt_template_category]
    The Category role field specifies the minimum reader role required to read the templates in this category. That role must contain the sn_smart_asmt.template_reader role.
    Assessment template migrations [sn_smart_asmt_mig_template_migration]
    Used to migrate an existing source metric type and template category to the new assessment template format.
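    The page requires that every category's Category role contain sn_smart_asmt.template_reader; a category whose role does not is unreadable even by users who hold that role. The following added example (not ServiceNow's own code, and run outside the platform on constructed data) walks a role-containment graph transitively and reports categories that violate the requirement. The record field name categoryRole, the sample category records and the role graph are assumptions.

```javascript
// Added example: validates sn_smart_asmt_template_category records against the
// documented rule that the Category role must contain sn_smart_asmt.template_reader.
// Role containment is treated as transitive, as it is for ServiceNow roles that
// contain other roles. All data below is constructed for illustration.

const REQUIRED_READER_ROLE = 'sn_smart_asmt.template_reader';

// Constructed role-containment graph: role -> roles it directly contains.
// The containment relationships here are assumptions, not the product's defaults.
const ROLE_CONTAINS = {
  'sn_compliance_ws.corporate_compliance_manager': ['sn_compliance.user', 'sn_smart_asmt.template_reader'],
  'sn_compliance.attestation_creator': ['sn_compliance.user'],
  'sn_compliance.user': ['sn_grc.business_user'],
  'sn_grc.business_user': [],
  'sn_grc.business_user_lite': [],
};

// True if `role` is `target` or transitively contains it. The visited set
// guards against cycles in the containment graph.
function roleContains(graph, role, target, visited = new Set()) {
  if (role === target) return true;
  if (visited.has(role)) return false;
  visited.add(role);
  return (graph[role] || []).some((child) => roleContains(graph, child, target, visited));
}

// Returns the names of categories whose Category role does not contain the
// required template reader role. `categoryRole` is an assumed field name.
function findMisconfiguredCategories(categories, graph) {
  return categories
    .filter((c) => !roleContains(graph, c.categoryRole, REQUIRED_READER_ROLE))
    .map((c) => c.name);
}

// Constructed sample records standing in for sn_smart_asmt_template_category rows.
const SAMPLE_CATEGORIES = [
  { name: 'SOX controls', categoryRole: 'sn_compliance_ws.corporate_compliance_manager' },
  { name: 'Vendor attestations', categoryRole: 'sn_compliance.attestation_creator' },
  { name: 'IT general controls', categoryRole: 'sn_grc.business_user' },
];

console.log(findMisconfiguredCategories(SAMPLE_CATEGORIES, ROLE_CONTAINS));
```

On the sample data only the SOX category passes, because its role reaches sn_smart_asmt.template_reader; the other two roles never contain it and would be flagged for correction before templates are assigned to them.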

    Impact of attestation method on control objective and control generation

    When the Enable smart assessments on control system property is set to true and the Control objective record has the value Attestation in the Attestation method field, all controls generated for this control objective record after attestation have their values defaulted from the control objective. The Attestation method field value defaults to Attestation.

    Note:
    Existing control objectives have the classic assessment as their default assessment method. If you want to use the smart assessment method, make the necessary changes to either the control objective or the control. The control can be updated only if it does not have a control objective. After you create a new record, you can choose either Classic attestation or Attestation as the attestation method.
    • If the control objective is associated with the control, then the generated control inherits the Attestation method and Attestation field values.
    • If a control is created from a control objective, the Attestation method and Attestation fields are pre-populated when the control objective has values in these fields.
      Note:
      The controls are automatically created if the Create controls automatically option is enabled for the control objective.

      The Attestation method field is read-only. However, you can edit the Attestation field and select a different template for attestation. Any changes made to the control objective are automatically reflected in the associated controls.

    • After the control is saved and attested, the Attestations related list appears in the Control record. This related list displays all Assessment instances that are in Open and Completed states.

      If the assessment method is changed from Classic attestation to Attestation in the control objective record, then the changes are reflected in all the control records generated for the control objective. Up until the control moves to the Attest state, the Attestation method and Attestation field values can be updated.

    • If the control was previously generated using the classic attestation method, the Classic attestation related list holds the details of all completed attestations.
    • If the control is moved to the Draft state by selecting the Return to Draft button, all active assessments are canceled. Similarly, if the control is retired, all related assessments are canceled.
    • If the control is marked Exempt owing to a policy exception, all associated assessments are canceled. If the Exempt option is later cleared and the control is in the Attest state, the assessments are re-triggered, and all the fields in the Attestation section of the control become read-only.
    • If a policy is associated with the control objective and the policy is published, all the fields of the control objective form become read-only.
    • When the control moves to the Attest state, the assessments are triggered. An email notification is sent to the control owner and the attestation respondents of the control, with a subject line that references the new attestation name, the control number, and the due date by which the attestation must be completed.
    • If an attestation fails for one of the controls generated from a control objective, the control becomes non-compliant and an issue is created; if the control already has an issue, the Issue source field is updated instead. If the control moves to the Attest state and the attestation passes, the existing issues are closed and the control becomes compliant.