Manage control indicators

Continuous monitoring involves identifying and creating key risk and control indicators. Supporting information can be collected for those indicators through automatic data collection or manual tasks. Indicator results are then used to create issues for controls, update risk scores, and provide supporting information for audit activities and control testing.

Indicators
Indicators collect data to monitor controls and risks, and collect audit evidence. Indicators monitor a single control or risk.
Indicator templates
Indicator templates allow the creation of multiple indicators for similar controls or risks.

Compliance overview

The Compliance module contains compliance overview information, and lists of your authority documents and citations.

Overview

The Compliance Overview is available to compliance administrators and compliance managers, providing an executive view into compliance requirements, overall compliance, and compliance breakdowns.

Table 1. Compliance Overview reports in the base system
| Name | Visual | Description |
| --- | --- | --- |
| Compliance Requirements | Donut chart | Select a wedge to focus on a specific compliance area. |
| Overall Compliance | Donut chart | Displays the overall compliance of all the control requirements in the system. Selecting a specific wedge in the previous widget brings that area into focus. |
| Profile | Drop-down list | Select one or more profiles to view and compare their compliance across multiple items. |
| Control State | Check list | Select or clear check boxes to filter reports by control state. |
| Compliance by Authority Document | Bar Chart | Compare level of compliance depending on the selected profile and/or authority document. |
| Compliance breakdown | Multi-level Pivot | View a breakdown of control compliance by related authority documents and policies. |
| Non Compliant Profiles | Column Chart | Count of non-compliant control requirements grouped by profile. |

Authority Documents

Authority documents define policies, risks, controls, audits, and other processes to ensure adherence to the authoritative content.

Each authority document is defined in a record and the related lists on that record contain the individual conditions of the authority document.

The relationships of these authority document related list items are visible in the GRC Workbench in the Policy and Compliance Management application.

Citations

Citations contain the provisions of the authority document, which can be interrelated. Citations break down an authority document into manageable themes.

You can create citations or import them from UCF authority documents and then create any necessary relationships between the citations.

Create a control indicator

Indicator data for controls, risk, and audit evidence are measured differently depending on the GRC application.

Before you begin

Role required: compliance_admin or compliance_manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Indicators > Indicators.
    • Risk > Indicators > Indicators.
    • Audit > Indicators > Indicators.
  2. Select New.
  3. Fill in the fields on the form, as appropriate.
    Table 2. Indicator
    | Field | Description |
    | --- | --- |
    | Number | Read-only field that is automatically populated with a unique identification number. |
    | Active | Check box that determines whether the indicator is active. |
    | Name | Name of the indicator. |
    | Item | The related control or risk. |
    | Template | The related indicator template. |
    | Applies to | The profile related to the Item. |
    | Owner | The indicator owner. |
    | Owning group | The group that owns the indicator. |
    | Override Template | Click to override the indicator template associated with this indicator. |
    | Last result passed | Read-only field indicating whether last result passed. |
    | Schedule | |
    | Collection frequency | Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule. |
    | Next run time | Read-only field that is automatically populated with the next collection time for indicator results. |
    | Method | |
    | Type | Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Options: Manual, Basic, Script. |
    | Short Description | If Type is Manual, this field is present. Brief description of the issue. |
    | Instructions | If Type is Manual, this field is present. Instructions for the collection of indicator results. |
    | Value Mandatory | If Type is Manual, this field is present. |
    | Passed/Failed | If Type is Basic, this field is present. Indicator passes or fails. |
    | PA Threshold | If Type is PA Indicator, this field is present. The associated PA Threshold. |
    | Script | If Type is Script, this field is present. Script that obtains the desired system information. |
    | Supporting Data | |
    | Table | Use supporting data to gather supporting evidence from other applications. |
    | Supporting data fields | Supporting data fields based on the selected table. |
  4. Click Submit.

Create a GRC indicator template

Compliance or risk managers create indicator templates from which many indicators can be created.

Before you begin

Role required:
  • compliance_admin or compliance_manager
  • risk_admin or risk_manager
  • audit_admin or audit_manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Indicators > Indicator Templates.
    • Risk > Indicators > Indicator Templates.
    • Audit > Indicators > Indicator Templates.
  2. Select New.
  3. Fill in the fields on the form, as appropriate.
    Table 3. Indicator template
    | Field | Description |
    | --- | --- |
    | Name | Name of the indicator. |
    | Active | Check box that determines whether the indicator template is active. |
    | Content | The related policy or risk statement. |
    | Schedule | |
    | Collection frequency | Select the collection frequency for indicator results. Indicator tasks and results are generated automatically based on the indicator schedule. |
    | Next run time | Read-only field that is automatically populated with the next collection time for indicator results. |
    | Method | |
    | Type | Results can be gathered manually using task assignment or automatically using basic filter conditions, Performance Analytics, or a script. Options: Manual, Basic, PA Indicator, Script. |
    | Short Description | If Type is Manual, this field is present. Brief description of the issue. |
    | Instructions | If Type is Manual, this field is present. Instructions for the collection of indicator results. |
    | Value Mandatory | If Type is Manual, this field is present. |
    | Passed/Failed | If Type is Basic, this field is present. Indicator passes or fails. |
    | PA Threshold | If Type is PA Indicator, this field is present. The associated PA Threshold. |
    | Script | If Type is Script, this field is present. Script that obtains the desired system information. |
    | Supporting Data | |
    | Collect Supporting Data | Check to gather supporting evidence from other applications. |
    | Table | The supporting data table. |
    | Supporting Data Fields | The fields from the supporting data table to be considered. |
    | Criteria | Select filter conditions. |
    | Use reference field | Select to use the reference field. |
    | Reference field | Creates a join between the supporting data table and the profile's applies to table. For example, if the profile table is cmdb_ci_computer and the supporting data table is incident, you could have a supporting data query named incident with critical priority. In this example, each indicator execution returns all critical incidents. Now suppose you are interested in finding critical incidents linked to the profile CEO’s laptop. You already have an indicator on a control related to this profile. In this case: (1) Select the reference field Configuration item from the incident table. (2) The supporting data query becomes: All critical incidents, where the configuration item = CEO’s laptop. In this manner, the indicator is specific to the profile of the control it is attached to. Note: This reference field is useful only when the supporting data table has a reference to the profile’s table. |
    | Sample size | Limits the number of records retrieved from the supporting data table. For example, a basic indicator could query a large table, returning thousands of records with each indicator execution. You do not need to save all of them; a sample of those records is enough. So, if you enter a sample size of 100, only 100 records are saved, even if the query returns thousands. |

  4. Click Submit.
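
The Reference field join and the Sample size cap described in Table 3, modeled in plain JavaScript over constructed in-memory records. This is an added example, not ServiceNow code or the platform's own query logic. The field names priority, cmdb_ci and caller_id, the record values, and the choice to keep the first N rows as the sample are assumptions.

```javascript
// Added illustration, not ServiceNow code. All records below are constructed.
// priority 1 stands for "critical"; cmdb_ci stands for the Configuration item reference.
const incidents = [
  { number: 'INC0001', priority: 1, cmdb_ci: 'ci_ceo_laptop' },
  { number: 'INC0002', priority: 1, cmdb_ci: 'ci_mail_server' },
  { number: 'INC0003', priority: 3, cmdb_ci: 'ci_ceo_laptop' },
  { number: 'INC0004', priority: 1, cmdb_ci: 'ci_ceo_laptop' },
  { number: 'INC0005', priority: 1, cmdb_ci: 'ci_ceo_laptop' },
  { number: 'INC0006', priority: 1 }, // critical, but no configuration item recorded
];

// Returns the records that would be saved as supporting data, plus how many
// matched in total, so a reviewer can tell a full result from a sample.
function collectSupportingData(records, options) {
  const { criteria, referenceField, profileRecord, sampleSize } = options;
  let matched = records.filter(criteria);
  if (referenceField !== undefined) {
    if (profileRecord === undefined) {
      throw new Error('a profile record is required when a reference field is set');
    }
    // The join: keep only rows whose reference points at this profile's record.
    matched = matched.filter((r) => r[referenceField] === profileRecord);
  }
  // Assumption: the sample is the first N matches; the page does not say which rows are kept.
  const capped = Number.isInteger(sampleSize) && sampleSize > 0;
  const saved = capped ? matched.slice(0, sampleSize) : matched;
  return { matchedCount: matched.length, saved, truncated: saved.length < matched.length };
}

const isCritical = (r) => r.priority === 1;

// Criteria only: every critical incident, whatever asset it concerns.
const unscoped = collectSupportingData(incidents, { criteria: isCritical });
// Reference field set: only critical incidents on the profile's own record.
const scoped = collectSupportingData(incidents, {
  criteria: isCritical, referenceField: 'cmdb_ci', profileRecord: 'ci_ceo_laptop',
});
// Sample size 2: the join still matches three rows, but only two are kept.
const sampled = collectSupportingData(incidents, {
  criteria: isCritical, referenceField: 'cmdb_ci', profileRecord: 'ci_ceo_laptop', sampleSize: 2,
});
// A field that does not reference the profile's table never matches (see the Note).
const noLink = collectSupportingData(incidents, {
  criteria: isCritical, referenceField: 'caller_id', profileRecord: 'ci_ceo_laptop',
});

console.log(unscoped.matchedCount, scoped.saved.map((r) => r.number), sampled.truncated, noLink.matchedCount);
```

When a sample size is set, the saved rows are partial evidence, so record the total match count alongside them when the result feeds an audit.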