Use UCF Common Controls Hub to manage compliance frameworks

Compliance administrators can download content from Network Frontiers Unified Compliance Framework (UCF) for use as GRC authority documents, citations, controls, and policy statements. The documents can be updated on pre-defined intervals.

Users must have a UCF Common Controls Hub account to create shared lists and import them into the ServiceNow® instance.

For more information on Unified Compliance Framework (UCF), see https://www.unifiedcompliance.com.
Warning: All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements on any UCF fields transformed into GRC tables.

Getting Started with the UCF Common Controls Hub

Network Frontiers released a new method for allowing authenticated users to download content from the UCF Common Controls Hub (CCH) website. Users require a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH) to download UCF content.

Customers whose GRC entitlement date is before December 1, 2016 are entitled to a free UCF CCH account for the period of December 1, 2016 through November 30, 2018.

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC entitlement date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a subscription if their organization plans on using Unified Controls Compliance as the provider of its controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.
Note: A subscription to UCF-CCH is not required for using the GRC Policy & Compliance application.
Table 1.
If your organization's GRC entitlement date is | Tasks
BEFORE December 1, 2016
  1. Activate Compliance UCF.
  2. Create HI Request for GRC subscription validation free UCF-CCH account.
  3. Configure the UCF integration.
  4. Download a UCF shared list.
AFTER December 1, 2016
  1. Sign up for a UCF CCH account and customize your basic subscription to include API Access.
  2. Activate Compliance UCF.
  3. Create HI Request for UCF-CCH account integration information.
  4. Configure the UCF integration.
  5. Download a UCF shared list.

Authority document and shared list imports

Every authority document already imported into the ServiceNow® instance must be in any shared list you wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which may have changed) and what you’ve already imported.
Figure 1. Shared list import successful
Figure 2. Shared list import unsuccessful

An error is rendered since SOX is not being reimported within this Shared List.

UCF and GRC terminology differences

Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between UCF and the GRC applications, as explained in the following table.

Table 2. Terminology differences
UCF | GRC application
Authority Document | Authority Document
Citation | Citation
Control | Policy Statement

Activate Compliance UCF

The GRC: Compliance UCF (com.sn_comp_ucf) plugin is available as a separate subscription.

Before you begin

Role required: admin

About this task

This plugin includes demo data and activates related plugins if they are not already active.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

What to do next

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, 2018. See Create HI Request for GRC subscription validation free UCF-CCH account.

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC entitlement date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a basic account subscription with API access.
Note: API access is required to download UCF content from the UCF-CCH.
For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Create HI Request for GRC subscription validation free UCF-CCH account

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, 2018.

Before you begin

Role required: admin

Procedure

  1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
  2. Click Get Help.

  3. Click Create an Incident.

  4. Select Issue Type Request.

  5. Select Category Hi Administration.
  6. Describe the issue and provide the following information:
    • Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I am requesting that you validate my subscription and open a UCF CCH account on my behalf".
    • Include your company name and company account number.
    • Include the requester’s name, business email address and phone number.
    Note: By providing your company and requester contact information, you authorize ServiceNow® customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.
    ServiceNow® HI customer support initiates the UCF-CCH account creation and enrollment process and will contact the requester when the process is complete.

What to do next

Configure the UCF integration

Create HI Request for UCF-CCH account integration information

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC effective contract date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a subscription if their organization plans on using Unified Controls Compliance as the provider of its controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Before you begin

Sign up for a UCF CCH account and customize your basic subscription to include API Access.

Role required: admin

Procedure

  1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
  2. Click Get Help.

  3. Click Create an Incident.

  4. Select Issue Type Request.

  5. Select Category Hi Administration.
  6. Describe the issue and provide the following information:
    • Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I have already subscribed to the UCF CCH. I am requesting that you provide me with the necessary OAuth information to complete the integration."
    • Include your company name and company account number.
    • Include the requester’s name, business email address and phone number.
    Note: By providing your company and requester contact information, you authorize ServiceNow® customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.
    ServiceNow® HI customer support initiates the OAuth integration process and will contact the requester with the integration information.

What to do next

Configure the UCF integration

Configure the UCF integration

UCF integrates with your ServiceNow instance through an authentication process which validates your subscription. On the UCF Configuration form, select the type of authentication, then enter a UCF-provided API key or a ServiceNow-provided OAuth2 client and secret.

Before you begin

Role required: sn_comp_ucf.admin and oauth_admin
Note: If you are using OAuth authentication, only the UCF Oauth administrator has access to the system OAuth tables. The user must give the UCF Oauth administrator role to the GRC UCF administrator, so that the UCF administrator can set up the UCF configuration page.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator.

The configuration page for the global domain is loaded by default. If you are using Domain Separation, delete the default configuration page, and create one specific to your domain.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Fill in the fields on the form, as appropriate.
    Table 3. UCF Configuration
    Field | Description
    Shared List | The shared list to be imported. Note: Shared lists appear after subscription authentication.
    Authentication type | API Key or Oauth.
  4. Perform one of the following actions:
    Authentication Method | Actions
    For API Key authentication
    1. Enter the API key in the API Key field.
    2. Select a shared list and click Save Configuration.
    For Oauth authentication
    Note: If you are using OAuth authentication, only the UCF Oauth administrator has access to the system OAuth tables. The user must give the UCF Oauth administrator role to the GRC UCF administrator, so that the UCF administrator can set up the UCF configuration page.
    1. Enter the Client ID, provided by ServiceNow® HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.
      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    2. Enter the UCF OAuth Client ID, provided by ServiceNow® HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.
      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    3. Enter the OAuth2 profile to use for downloading. The default is the United Compliance Framework Default Profile that is installed with the UCF plugin. This field does not typically need to be changed.
    4. Enter the Redirect URL, provided by ServiceNow® HI customer support. For example, https://mycompany.service-now.com/oauth_redirect.do

      See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.

      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    5. Right-click the form header and click Save.
    6. In the UCF Integration dialog that appears, click Request New Token.
      Note: For initial configuration, a user with an UCF administrator account performs this step.
    7. Enter your Common Controls Hub credentials to log in.
      Note: For initial configuration, a user with an UCF administrator account performs this step.
    8. In the application authorization message that displays, click Authorize.
    9. Select a shared list and click Save Configuration.

What to do next

If UCF introduces new fields and content, administrators can use staging tables and transform maps to accommodate those changes to UCF data formats. This is an advanced configuration and not required. The following import sets and tables can be configured to customize the UCF download logic.

Table 4. Staging table [extends from import set row table: import_set_row] used for UCF integration
Staging table | Description
UCF Authority Document [sn_comp_ucf_authority_document] | The UCF Authority Document staging table is used to store authority documents that are downloaded from the UCF Common Controls Hub.
UCF Citation [sn_comp_ucf_citation] | The UCF Citation staging table is used to store citations that are downloaded from the UCF Common Controls Hub.
UCF Control [sn_comp_ucf_control] | The UCF Control staging table is used to store controls that are downloaded from the UCF Common Controls Hub.
UCF Citation to Control [sn_comp_ucf_m2m_control_citation] | The UCF Citation to Control staging table is used to store citation-to-control mappings that are downloaded from the UCF Common Controls Hub.
Table 5. Transform maps used for UCF integration
Transform maps | Description
Default Authority document transform | Transforms data from the UCF Authority document staging table into the Authority Document table.
Default Citation Transform | Transforms data from the UCF Citation staging table into the Citation table.
Default Control transform | Transforms data from the UCF Control staging table into the Policy Statement table.
Control to Citation transform map | Transforms data from the UCF Citation to Control table into the Policy Statement to Citation table.

Download a UCF shared list

In order for compliance managers to download UCF authority documents from the UCF CCH, the list must be marked as Shared. When updating Authority Documents or adding new ones, you must update all your authority documents to ensure that the common controls framework remains in sync with the authority documents you are using.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Note: The current design of UCF supports the downloading of mandated and implied controls. The downloading of implementation controls is not supported. See the Unified Compliance Documentation How do I distribute an authority document list to other accounts?
Warning: All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements on any UCF fields on the GRC tables.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Configure the UCF integration, if necessary.
  4. Click Import Shared List.
    A progress bar shows the progress of downloading and importing the documents.
    You may encounter any of the following errors:
    Table 6. UCF Shared List Errors
    Error Explanation Resolve
    If the internet connection is lost for any reason, this message appears.
    1. Click Import Shared List to download again.
    If the selected UCF Shared List that you are downloading does not include all the authority documents you have already downloaded, this message appears.
    1. Return to the CCH and verify that the Shared List you are trying to download includes all the Authority Documents from the original import to your instance.
    2. Click Import Shared List to download again.
  5. Click Review Changed Records to review the list of changed records.

    Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between UCF and the GRC applications, as explained in the following table.

    Table 7. Terminology differences
    UCF | ServiceNow GRC application
    Authority Document | Authority Document
    Citation | Citation
    Control | Policy Statement