Use UCF Common Controls Hub to manage compliance frameworks

Compliance administrators can download content from Network Frontiers Unified Compliance Framework (UCF) for use as GRC authority documents, citations, controls, and policy statements. The documents can be updated on pre-defined intervals.

Users must have a UCF Common Controls Hub account to create shared lists and import them into the ServiceNow® instance.

For more information on Unified Compliance Framework (UCF), see https://www.unifiedcompliance.com.
Warning: All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements on any UCF fields transformed into GRC tables.

Getting Started with the UCF Common Controls Hub

Network Frontiers released a new method for allowing authenticated users to download content from the UCF Common Controls Hub (CCH) website. Users require a separate subscription to the Network Frontiers Unified Compliance Framework Common Controls Hub (UCF-CCH) to download UCF content.

Customers whose GRC entitlement date is before December 1, 2016 are entitled to a free UCF CCH account for the period of December 1, 2016 through November 30, 2018.

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC entitlement date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a subscription if the organization plans on using Unified Controls Compliance as the provider of its controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.
Note: A subscription to UCF-CCH is not required for using the GRC Policy & Compliance application.
Table 1.
If your organization's GRC entitlement date is | Tasks

BEFORE December 1, 2016:
  1. Activate Compliance UCF.
  2. Create HI Request for GRC subscription validation free UCF-CCH account.
  3. Configure the UCF integration.
  4. Download a UCF shared list.

AFTER December 1, 2016:
  1. Sign up for a UCF CCH account and customize your basic subscription to include API Access.
  2. Activate Compliance UCF.
  3. Create HI Request for UCF-CCH account integration information.
  4. Configure the UCF integration.
  5. Download a UCF shared list.

Authority document and shared list imports

Every authority document already imported into the ServiceNow® instance must be in any shared list you wish to import from the UCF CCH. This prevents inconsistencies between what is in the UCF CCH (which may have changed) and what you’ve already imported.

Figure 1. Shared list import successful

Figure 2. Shared list import unsuccessful

An error is displayed because SOX is not being reimported within this shared list.

UCF and GRC terminology differences

Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between UCF and the GRC applications, as explained in the following table.

Table 2. Terminology differences
UCF | GRC application
Authority Document | Authority Document
Citation | Citation
Control | Policy Statement

Activate Compliance UCF

The GRC: Compliance UCF (com.sn_comp_ucf) plugin is available as a separate subscription.

Before you begin

Role required: admin

About this task

This plugin includes demo data and activates related plugins if they are not already active.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

What to do next

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, 2018. See Create HI Request for GRC subscription validation free UCF-CCH account.

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC entitlement date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a basic account subscription with API access.
Note: API access is required to download UCF content from the UCF-CCH.
For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Create HI Request for GRC subscription validation free UCF-CCH account

For customers whose GRC entitlement date is before December 1, 2016, a free UCF CCH account is included for the period of December 1, 2016 through November 30, 2018.

Before you begin

Role required: admin

Procedure

  1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
  2. Click Get Help.
  3. Click Create an Incident.
  4. Select Issue Type Request.
  5. Select Category Hi Administration.
  6. Describe the issue and provide the following information:
    • Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I am requesting that you validate my subscription and open a UCF CCH account on my behalf".
    • Include your company name and company account number.
    • Include the requester’s name, business email address and phone number.
    Note: By providing your company and requester contact information, you authorize ServiceNow® customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.
    ServiceNow® HI customer support initiates the UCF-CCH account creation and enrollment process and will contact the requester when the process is complete.

What to do next

Configure the UCF integration

Create HI Request for UCF-CCH account integration information

Customers on Helsinki (Patch 7 and above) or Istanbul whose GRC effective contract date is December 1, 2016 or after must contact UCF-Common Control Hub to arrange for a subscription if the organization plans on using Unified Controls Compliance as the provider of its controls library. For more information about establishing a UCF CCH account, see Unified Compliance Framework.

Before you begin

Sign up for a UCF CCH account and customize your basic subscription to include API Access.

Role required: admin

Procedure

  1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
  2. Click Get Help.
  3. Click Create an Incident.
  4. Select Issue Type Request.
  5. Select Category Hi Administration.
  6. Describe the issue and provide the following information:
    • Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I have already subscribed to the UCF CCH. I am requesting that you provide me with the necessary OAuth information to complete the integration."
    • Include your company name and company account number.
    • Include the requester’s name, business email address and phone number.
    Note: By providing your company and requester contact information, you authorize ServiceNow® customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, logs, etc., as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.
    ServiceNow® HI customer support initiates the OAuth integration process and will contact the requester with the integration information.

What to do next

Configure the UCF integration

Configure the UCF integration

Configure the integration after ServiceNow® HI customer support provides you the UCF-CCH account integration information (see Create HI Request for UCF-CCH account integration information). The UCF integration is an OAuth-based integration requiring a user's CCH Client ID and Client Secret.

Before you begin

Role required: sn_comp_ucf.admin and oauth_admin
Note: Only the UCF OAuth administrator has access to the system OAuth tables. The user must give the UCF OAuth administrator role to the GRC UCF administrator, so that the UCF administrator can set up the UCF configuration page.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator. The UCF integration is an OAuth-based integration requiring a user's CCH Client ID and Client Secret.

The configuration page for the global domain is loaded by default. If you are using Domain Separation, delete the default configuration page, and create one specific to your domain.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Fill in the fields on the form, as appropriate.
    Table 3. UCF Configuration
    Field | Description
    Shared List | The shared list to be imported.
    Client ID | The UCF OAuth Client ID, provided by ServiceNow® HI customer support. See Getting Started with the UCF Common Controls Hub for information. Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    Client Secret | The UCF OAuth Client Secret, provided by ServiceNow® HI customer support. See Getting Started with the UCF Common Controls Hub for information. Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    Oauth2 Profile | The OAuth2 profile to use for downloading. The default is the United Compliance Framework Default Profile that is installed with the UCF plugin. This field does not typically need to be changed.
    Redirect URL | Enter the Redirect URL, provided by ServiceNow® HI customer support. For example, https://mycompany.service-now.com/oauth_redirect.do. See Getting Started with the UCF Common Controls Hub for information. Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
  4. Right-click the form header and click Save.
  5. In the UCF Integration dialog that appears, click Request New Token.
    When configuring the UCF instance for the first time, a user with a UCF administrator account should request the new token.
  6. Enter your Common Controls Hub credentials and log in.
    The first time the UCF administrator logs into UCF, an application authorization message displays. Click Authorize.
  7. Select a shared list and click Save Configuration.
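
A pre-flight check for the values entered in steps 3 and 7, added here as an example (not ServiceNow or UCF code): it flags whitespace in the OAuth fields, a Redirect URL that does not point at the instance being configured, and already-imported authority documents that are missing from the chosen shared list. The function names, the object shape, the test instance host and matching documents by name are assumptions; the /oauth_redirect.do path is taken from the example URL in Table 3.

```javascript
// Added example. Field names mirror the UCF Configuration form; the object
// shape and both function names are hypothetical, not a ServiceNow API.
// Returns a list of problems with one instance's UCF OAuth settings.
function checkUcfConfig(instanceHost, cfg) {
  const problems = [];
  for (const field of ['clientId', 'clientSecret', 'redirectUrl']) {
    const value = cfg[field];
    if (typeof value !== 'string' || value.length === 0) {
      problems.push(`${field}: missing`);
    } else if (/\s/.test(value)) {
      // Entries must not include spaces (e.g. a pasted trailing space).
      problems.push(`${field}: contains whitespace`);
    }
  }
  let url;
  try {
    url = new URL(String(cfg.redirectUrl || '').trim());
  } catch (e) {
    problems.push('redirectUrl: not a valid URL');
    return problems;
  }
  if (url.protocol !== 'https:') problems.push('redirectUrl: not https');
  // Configuration is instance-specific: a production URL on a test form fails.
  if (url.hostname !== instanceHost.toLowerCase()) {
    problems.push(`redirectUrl: host ${url.hostname} is not ${instanceHost}`);
  }
  if (url.pathname !== '/oauth_redirect.do') {
    problems.push('redirectUrl: path is not /oauth_redirect.do');
  }
  return problems;
}

// Authority documents already imported that the chosen shared list lacks.
// Matching by name is an assumption of this sketch.
function missingFromSharedList(alreadyImported, sharedList) {
  const norm = (name) => name.trim().toLowerCase();
  const inList = new Set(sharedList.map(norm));
  return alreadyImported.filter((name) => !inList.has(norm(name)));
}

// Constructed sample data: production URL and a trailing space in the secret.
const sampleCfg = {
  clientId: 'example-client-id',
  clientSecret: 'example-secret ',
  redirectUrl: 'https://mycompany.service-now.com/oauth_redirect.do',
};
console.log(checkUcfConfig('mycompany-test.service-now.com', sampleCfg));
console.log(missingFromSharedList(['SOX', 'PCI DSS'], ['PCI DSS', 'HIPAA']));
```

An empty array from both functions means the form values are consistent for that instance and the shared list still covers everything already imported.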

What to do next

If UCF introduces new fields and content, administrators can use staging tables and transform maps to accommodate those changes to UCF data formats. This is an advanced configuration and not required. The following import sets and tables can be configured to customize the UCF download logic.

Table 4. Staging table [extends from import set row table: import_set_row] used for UCF integration
Staging table | Description
UCF Authority Document [sn_comp_ucf_authority_document] | The UCF Authority Document staging table is used to store authority documents that are downloaded from the UCF Common Controls Hub
UCF Citation [sn_comp_ucf_citation] | The UCF Citation staging table is used to store citations that are downloaded from the UCF Common Controls Hub
UCF Control [sn_comp_ucf_control] | The UCF Control staging table is used to store controls that are downloaded from the UCF Common Controls Hub
UCF Citation to Control [sn_comp_ucf_m2m_control_citation] | The UCF Citation to Control staging table is used to store citation to controls that are downloaded from the UCF Common Controls Hub

Table 5. Transform maps used for UCF integration
Transform maps | Description
Default Authority document transform | Transforms data from the UCF Authority document staging table into the Authority Document table
Default Citation Transform | Transforms data from the UCF Citation staging table into the Citation table
Default Control transform | Transforms data from the UCF Control staging table into the Policy Statement table
Control to Citation transform map | Transforms data from the UCF Citation to Control table into the Policy Statement to Citation table

Download a UCF shared list

In order for compliance managers to download UCF authority documents from the UCF CCH, the list must be marked as Shared. When updating Authority Documents or adding new ones, you must update all your authority documents to ensure that the common controls framework remains in sync with the authority documents you are using.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Note: The current design of UCF supports the downloading of mandated and implied controls. The downloading of implementation controls is not supported. See the Unified Compliance documentation topic "How do I distribute an authority document list to other accounts?"
Warning: All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the authority documents, citations, or policy statements on any UCF fields on the GRC tables.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Configure the UCF integration, if necessary.
  4. Click Import Shared List.
    A progress bar shows the progress of downloading and importing the documents.
    You may encounter any of the following errors:
    Table 6. UCF Shared List Errors
    Error | Explanation | Resolve

    Explanation: If the internet connection is lost for any reason, this message appears.
    Resolve:
    1. Click Import Shared List to download again.

    Explanation: If the selected UCF Shared List that you are downloading does not include all the authority documents you have already downloaded, this message appears.
    Resolve:
    1. Return to the CCH and verify that the Shared List you are trying to download includes all the Authority Documents from the original import to your instance.
    2. Click Import Shared List to download again.
  5. Click Review Changed Records to review the list of changed records.

    Authority documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between UCF and the GRC applications, as explained in the following table.

    Table 7. Terminology differences
    UCF | ServiceNow GRC application
    Authority Document | Authority Document
    Citation | Citation
    Control | Policy Statement