
Establish profile scoping for policies and controls

Understanding how various parts of the organization are related to each other provides a more comprehensive risk assessment process. Stakeholders can discern how risks in different parts of the organization and at different levels of the organization impact each other. The scoping of profiles is permitted in each of the GRC applications, but the GRC Workbench, which provides a visual presentation of those dependencies, is only activated for use with Risk Management.

What is Profile Scoping?

Profile scoping provides a way to allocate risks and controls at different levels. Profile scoping involves the following elements:
Profile Classes
Profile classes allow GRC managers to separate profiles for better distinction. For example, Business Service Profiles, Department Profiles, Business Unit Profiles, and the like. Reports can be filtered to define relationships between the different profile classes. A profile class defines what a profile actually is. Profiles can belong to many profile types but a profile can have only one profile class (for example, Business Service).
Profile classes can roll up to each other, leading to the development of the dependency model. See What is GRC dependency modeling and mapping?
Profile Types
Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type conditions. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type.
Profiles
Profiles are the records that aggregate GRC information related to a specific item. Each profile is associated with a single record from any table in the instance. Profiles cannot be created for items that do not have a record in a table in the platform.

Who uses Profile Scoping?

  • Policy and compliance managers use profile scoping to create a system of internal controls and monitor compliance.
  • Risk managers use profile scoping to monitor risk exposure and perform risk assessments.

Example of Profile Scoping

In this scoping example, the profile types contain the following profiles:
  • Global Office Locations
    • Los Angeles Office
    • New York Office
    • Berlin Office
  • North American Office Locations
    • Los Angeles Office
    • New York City Office
  • European Union Office Locations
    • Berlin Office

How do profiles relate to Policy and Compliance Management?

Profile scoping provides a systematic assignment of policy statements to controls and maintains relational and hierarchical connections between those controls. The relationship between profiles and profile types is many-to-many: profile types are the high-level categories, and profiles are the individual items that can be associated with one or more profile types.
In this Policy and Compliance scoping example:
  • policies and policy statements are assigned to profile types
  • controls are created based on the profiles and associated policy statements
Note: Policy statements can be created without a policy, but must be assigned a profile type. Controls can be created without an associated policy or policy statement, but must be assigned to a profile.

What is GRC dependency modeling and mapping?

Upstream and downstream relationships can be created between profiles to develop the dependency map. The scoping of profiles is permitted in each of the GRC applications, but the GRC Workbench, which provides a visual presentation of those dependencies, is only activated for use with Risk Management.

Figure 1. Dependency modeling and mapping

Dependency modeling

Dependency modeling ensures that an organization establishes a uniform definition of risk across the enterprise. The dependency model defines what relationships are allowed between different types of areas in the organization. This enables more effective risk normalization and aggregation by allowing stakeholders to more effectively compare and contrast risk appetite and exposure at various levels of the enterprise.

Creating a dependency model involves creating profile classes and defining how classes are structured in relation to each other using the Roll up to field.

Dependency mapping

Once dependency modeling is complete, you can build out a dependency map to define how different parts of the organization are related to each other. The dependency map represents what profile relationships actually exist. For example, you could specify that certain projects and business services could affect the HR department, which would in turn affect the enterprise.

Defining the dependency map involves creating profiles, defining the profile class for each profile, then relating profiles to each other by specifying the upstream/downstream relationship.

Create a profile class

GRC managers create profile classes representing the types of things that will be part of the dependency model. Reports can be filtered to define relationships between the different profile classes.

Before you begin

Role required: sn_grc.manager

About this task

A profile class defines what a profile actually is. It differs from a profile type (for example, Business Services and Critical Business Services), in that a profile can belong to many profile types but a profile can have only one profile class (for example, Business Service).

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Classes
    • Risk > Scoping > Profile Classes
    • Audit > Scoping > Profile Classes
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Profile class
    Field | Value
    Name | Name of the profile class.
    Roll up to | Select dependencies to other profiles. Useful for reporting how your lower-level operational risks impact corporate-level risks.
    Is Root | Select the check box to indicate that this is the highest level class.
    Note: Only one root class is allowed and it cannot roll up to another class.
  4. Click Submit.

Create and edit a profile type

Administrators or managers in any of the GRC-related applications create profile types, from which profiles are generated. Profile types are dynamic categories containing one or more profiles. Business logic automates the process of creating and categorizing any profiles in the system that meet the profile type conditions. Profile types are assigned to policy statements, which generate controls for every profile listed in the profile type. Profile types can also be assigned to risk statements, which generate risks for every profile listed in the profile type.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Types.
    • Risk > Scoping > Profile Types.
    • Audit > Scoping > Profile Types.
  2. Do one of the following actions:
    Option | Description
    To create a new profile type | Click New.
    To edit a profile type | Open the profile type from the list.
  3. Fill in the fields on the form, as appropriate.
    Table 2. Profile type
    Name | Description
    Name* | The name of the profile type.
    Description | An explanation of the profile type with any additional information about the profile type that a user will find helpful.
    Table* | The table from which the profile type conditions identify the records to create profiles.
    Condition | Filter conditions to restrict which profiles belong to a specific profile type.
    Use owner field | Select the check box to indicate that a default owner field should be used when generating new profiles.
    Default owner | The field on the table specifying the person who owns any new profiles generated from the profile type.
    Default profile class | Set the default profile class.
    Generated profiles copy this default profile class under the following conditions:
    • when the profile's class is empty and it is associated with a profile type that has a default profile class
    • when a profile is created under a profile type that has a default profile class
    The existing profile's class is updated under the following conditions:
    • The profile type's table changes
    • The profile type's condition changes
    • The profile type's active field changes
    • The profile type's default profile class changes
    Note: * indicates a mandatory field.
  4. Click Submit.
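To make the generation and default-class rules above concrete, here is an added example (a constructed in-memory model, not ServiceNow code) that treats a profile type as a table plus a condition and applies the "Use owner field" and "Default profile class" rules to constructed sample rows; the table name, field names, profile types and sample records are all assumptions.

```javascript
// Added example: an in-memory model of profile-type scoping, not ServiceNow
// code. A profile type names a table and a condition; every matching record
// gets one profile, and one profile may belong to several profile types.
const cmdbCiService = [ // constructed sample rows for a business service table
  { sys_id: "s1", name: "Payroll", owner: "alice", critical: true },
  { sys_id: "s2", name: "Intranet", owner: "bob", critical: false },
  { sys_id: "s3", name: "Trading", owner: "carol", critical: true },
];

const profiles = []; // one profile per (table, record), shared across types

// Create or update a profile for every row that satisfies the type's condition.
function generateProfiles(type, rows) {
  return rows.filter(type.condition).map((row) => {
    let p = profiles.find((x) => x.table === type.table && x.record === row.sys_id);
    if (!p) {
      p = { table: type.table, record: row.sys_id, name: row.name, owner: "", class: "", types: [] };
      profiles.push(p);
    }
    if (!p.types.includes(type.name)) p.types.push(type.name);
    // The owner is read from the table's owner field only when "Use owner field" is set.
    if (type.useOwnerField && !p.owner) p.owner = row[type.defaultOwner];
    // The default class is copied only while the profile's class is still empty,
    // so a profile that falls into two types keeps the class it received first.
    if (!p.class && type.defaultProfileClass) p.class = type.defaultProfileClass;
    return p;
  });
}

// Changing a type's default class rewrites the class of every profile in that type.
function setDefaultProfileClass(type, newClass) {
  type.defaultProfileClass = newClass;
  profiles.filter((p) => p.types.includes(type.name)).forEach((p) => { p.class = newClass; });
}

// Two constructed profile types over the same table; Payroll and Trading match both.
const businessServices = {
  name: "Business Services", table: "cmdb_ci_service", condition: () => true,
  useOwnerField: true, defaultOwner: "owner", defaultProfileClass: "Business Service",
};
const criticalServices = {
  name: "Critical Business Services", table: "cmdb_ci_service",
  condition: (r) => r.critical, useOwnerField: false, defaultProfileClass: "Critical Service",
};

generateProfiles(businessServices, cmdbCiService);
generateProfiles(criticalServices, cmdbCiService);
```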

Generate a profile from a profile type

Profiles are generated automatically from profile types in any of the GRC-related applications.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager, sn_risk.admin or sn_risk.manager, sn_audit.admin or sn_audit.manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > Profile Types.
    • Risk > Scoping > Profile Types.
    • Audit > Scoping > Profile Types.
  2. Open a Profile Type record from the list.
  3. Add or modify any conditions, as necessary.
    Changing the Table changes the number of records matching the condition.
  4. Assign the Owner field.
  5. Click Update.
    A profile is generated for every record that matches the filter condition.

Set a profile's class

Set the profile class for a profile to relate the profile to others.

Before you begin

Role required: sn_grc.manager

Procedure

  1. Navigate using any of the following options.
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
  3. Set the class field to the desired class.
  4. Click Update.

Assign profiles to classes

GRC managers assign profiles to classes for the filtering of reports and to define relationships between the different classes of business services.

Before you begin

Role required: sn_compliance.manager

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
  3. Assign the Class.
  4. Click Update.

Relate profiles to each other

Create relationships between profiles to build out the dependency map and better understand how controls and risks affect each other and how they affect the enterprise.

Before you begin

Role required: sn_grc.manager

Procedure

  1. Navigate using any of these options.
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
  3. Perform one of the following actions:
    Option | Description
    To specify that the current profile is downstream of another profile | Click the Add button in the Upstream profiles related list.
    To specify that the current profile is upstream of another profile | Click the Add button in the Downstream profiles related list.
  4. Select the desired profiles to relate the current profile to and click Create Relationship.

Result

The profiles displayed after clicking the Add button on the Upstream profiles or Downstream profiles related lists are limited based on the current profile's class and the defined dependency model.
Note: If there are no eligible profiles which can be related to the current profile, then the Add button is not displayed on the Upstream profiles or Downstream profiles related lists.
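The eligibility rule is illustrated by this added example (a constructed model, not ServiceNow code), which validates a dependency model of profile classes and derives which profiles may appear in the Upstream profiles and Downstream profiles related lists. It assumes the rule is that the upstream profile's class rolls up directly to the downstream profile's class; all class and profile names are constructed.

```javascript
// Added example: a constructed model of the dependency model and map, not
// ServiceNow code. Profile classes roll up toward a single root class; a
// profile can be placed upstream of another only when its class rolls up
// directly to the other profile's class (an assumption about the rule).

// Dependency model: class name -> the class it rolls up to (null = root).
const profileClasses = {
  "Enterprise": null,
  "Department": "Enterprise",
  "Business Service": "Department",
  "Project": "Department",
};

// Check the model: exactly one root, known roll-up targets, no roll-up cycles.
function validateModel(classes) {
  const roots = Object.keys(classes).filter((c) => classes[c] === null);
  if (roots.length !== 1) return `expected one root class, found ${roots.length}`;
  for (const name of Object.keys(classes)) {
    const seen = new Set([name]);
    let cur = classes[name];
    while (cur !== null) {
      if (!(cur in classes)) return `${name} rolls up to unknown class ${cur}`;
      if (seen.has(cur)) return `roll-up cycle through ${cur}`;
      seen.add(cur);
      cur = classes[cur];
    }
  }
  return "ok";
}

// Dependency map input: each profile carries exactly one class (constructed).
const scopedProfiles = [
  { name: "Acme Corp", class: "Enterprise" },
  { name: "HR", class: "Department" },
  { name: "Payroll", class: "Business Service" },
  { name: "HRIS Migration", class: "Project" },
];

// Candidates for the Downstream profiles list: profiles of the class the current
// profile's class rolls up to. An empty result is the case where Add is not shown.
function eligibleDownstream(current, model, all) {
  return all.filter((p) => p !== current && model[current.class] === p.class).map((p) => p.name);
}

// Candidates for the Upstream profiles list: profiles whose class rolls up to the current class.
function eligibleUpstream(current, model, all) {
  return all.filter((p) => p !== current && model[p.class] === current.class).map((p) => p.name);
}
```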

Deactivate a profile

When a profile is deactivated, all the controls related to that profile are retired, and the indicators and test plans associated with those controls are marked inactive.

Before you begin

Role required: grc_manager

The owner of the profile can edit the profile record and deactivate it.

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
    • If the Active check box is selected, then the profile is active.
    • If the Active check box is not selected, then the profile is inactive.
  3. Click Update.
    • All associated controls change to Retired state.
    • All the indicators and test plans associated with the retired control are marked inactive.

Reactivate a profile

When a profile is reactivated, associated controls and risks return to the draft state and the indicators and test plans return to active.

Before you begin

Role required: grc_manager

The owner of the profile can edit the profile record and reactivate it.

Procedure

  1. Navigate to one of the following locations:
    • Policy and Compliance > Scoping > All Profiles.
    • Risk > Scoping > All Profiles.
    • Audit > Scoping > All Profiles.
  2. Open the profile record from the list.
  3. In the profile, select the check box marked Active.
  4. Click Update.
    All associated controls, risks, indicators, and test plans are reactivated. All associated controls and risks are also set to Draft.