Use the UCF Common Controls Hub to manage compliance frameworks

The UCF Common Controls Hub® (CCH) is a Software-as-a-Service portal that allows retrieval of regulatory data from the underlying Unified Compliance Framework®. Compliance administrators can download content to use as GRC Authority Documents, citations, controls, and policy statements. The documents can be updated on pre-defined intervals. You must have a CCH account to create shared lists and import them into the ServiceNow® instance. API access is also required to download UCF content from the CCH.

If your organization wants to use the CCH as the source for your GRC regulatory content and controls library, you can purchase a subscription and API access from Common Controls Hub. For more information, see Unified Compliance Framework.

Note: The previous arrangement for free access to UCF content inclusive of your GRC license ended November 30, 2018. All customers need to purchase a subscription from UCF directly.
Warning: All data imported from UCF Authority Documents is read-only and must be protected. Do not customize the Authority Documents, citations, or policy statements on any UCF fields transformed into GRC tables.

Getting Started with the UCF Common Controls Hub

Note: A subscription to UCF-CCH is not required for using the GRC Policy and Compliance Management application. It is only necessary for using UCF content as Authority Documents.
  1. Sign up for an account and customize your Basic subscription to include API Access.
  2. Activate Compliance UCF.
  3. Create HI Request for UCF-CCH account integration information.
  4. Configure the UCF integration.
  5. Download a UCF Shared List.

Authority Document and shared list imports

When importing updates to Authority Documents from CCH, each Shared List must include all previously imported Authority Documents. This prevents inconsistencies between what is in the CCH (which may have changed) and what you’ve already imported to your ServiceNow® instance.
Figure 1. Shared list import successful
graphic shows all authority documents reimported with the new one
Figure 2. Shared list import unsuccessful
graphic shows a mismatch of the imported authority documents

An error is rendered since SOX is not being reimported within this Shared List.

UCF and GRC terminology differences

Authority Documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between the UCF and the GRC applications, as explained in the following table.

Table 1. Terminology differences
UCF | GRC application
Authority Document | Authority Document
Citation | Citation
Control | Policy Statement

Activate Compliance UCF

The GRC: Compliance UCF (com.sn_comp_ucf) plugin is available as a separate subscription.

Before you begin

Role required: admin

About this task

This plugin includes demo data and activates related plugins if they are not already active.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

What to do next

If your organization wants to use UCF Common Controls Hub as the source for your controls library, you can purchase a subscription from the ServiceNow Store or see Common Controls Hub. For more information, see Unified Compliance Framework.

Create HI Request for UCF-CCH account integration information

After establishing your UCF-CCH account, use the ServiceNow Portal to initiate the account integration process.

Before you begin

Sign up for an account and customize your basic subscription to include API Access.
Note: The previous arrangement for free access to UCF content inclusive of your GRC license ended November 30, 2018. All customers need to purchase a subscription from UCF directly.
Role required: admin

Procedure

  1. After activating the Compliance UCF plugin, sign in to the Hi Service Portal.
  2. Click Get Help.

  3. Click Create an Incident.

  4. Select Issue Type Request.

  5. Select Category Hi Administration.
  6. Describe the issue and provide the following information:
    • Enter "I have activated the new GRC: Compliance UCF (com.sn_comp_ucf) plugin. I have already subscribed to the CCH. I am requesting that you provide me with the necessary OAuth information to complete the integration."
    • Include your company name and company account number.
    • Include the requester’s name, business email address and phone number.
    Note: By providing your company and requester contact information, you authorize ServiceNow® customer service to contact and share that information with Network Frontiers, a third party, in order to complete your UCF CCH account enrollment.
  7. Attach screen shots, as necessary.
  8. Select affected instances. Enter your company's GRC instance.
  9. What is the business impact? Select your answer.
  10. How many users does this affect? Select your answer.
  11. When did you experience this issue? Select today's date.
  12. Click Report the issue.
    ServiceNow® HI customer support initiates the OAuth integration process and will contact the requester with the integration information.

What to do next

Configure the UCF integration

Configure the UCF integration

The UCF integrates with your ServiceNow® instance through an authentication process which validates your subscription. On the UCF Configuration form, select the type of authentication, then enter a UCF-provided API key or a ServiceNow-provided OAuth2 client and secret.

Before you begin

Role required: sn_comp_ucf.admin and oauth_admin
Note: If you are using OAuth authentication, only the UCF OAuth administrator has access to the system OAuth tables. The user must give the UCF OAuth administrator role to the GRC UCF administrator, so that the UCF administrator can set up the UCF configuration page.

UCF integration requires that GRC is configured and that the user is a Common Controls Hub administrator.

The configuration page for the global domain is loaded by default. If you are using Domain Separation, delete the default configuration page, and create one specific to your domain.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Fill in the fields on the form, as appropriate.
    Table 2. UCF Configuration
    Field | Description
    Shared List | The shared list to be imported. Note: Shared lists appear after subscription authentication.
    Authentication type | API Key or Oauth.
  4. Perform one of the following actions:
    Authentication Method | Actions
    For API Key authentication
    1. Enter the API key in the API Key field.
    2. Select a shared list and click Save Configuration.
    For Oauth authentication
    Note: If you are using OAuth authentication, only the UCF OAuth administrator has access to the system OAuth tables. The user must give the UCF OAuth administrator role to the GRC UCF administrator, so that the UCF administrator can set up the UCF configuration page.
    1. Enter the Client ID, provided by ServiceNow® HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.
      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    2. Enter the UCF OAuth Client ID, provided by ServiceNow® HI customer support. See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.
      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    3. Enter the OAuth2 profile to use for downloading. The default is the United Compliance Framework Default Profile that is installed with the UCF plugin. This field does not typically need to be changed.
    4. Enter the Redirect URL, provided by ServiceNow® HI customer support. For example, https://mycompany.service-now.com/oauth_redirect.do

      See Create HI Request for GRC subscription validation free UCF-CCH account or Create HI Request for UCF-CCH account integration information for information.

      Note: Configuration information is specific to the ServiceNow® instance. Be sure to enter accurate information for any test, development, or production instances you are using. Do not include spaces in the entry.
    5. Right-click the form header and click Save.
    6. In the UCF Integration dialog that appears, click Request New Token.
      Note: For initial configuration, a user with a UCF administrator account performs this step.
    7. Enter your Common Controls Hub credentials to log in.
      Note: For initial configuration, a user with a UCF administrator account performs this step.
    8. In the application authorization message that displays, click Authorize.
    9. Select a shared list and click Save Configuration.

What to do next

If the UCF introduces new fields and content, administrators can use staging tables and transform maps to accommodate those changes to UCF data formats. This is an advanced configuration and not required. The following import sets and tables can be configured to customize the UCF download logic.

Table 3. Staging tables (extended from the import set row table, import_set_row) used for UCF integration
Staging table | Description
UCF Authority Document [sn_comp_ucf_authority_document] | The UCF Authority Document staging table is used to store authority documents that are downloaded from the UCF Common Controls Hub.
UCF Citation [sn_comp_ucf_citation] | The UCF Citation staging table is used to store citations that are downloaded from the UCF Common Controls Hub.
UCF Control [sn_comp_ucf_control] | The UCF Control staging table is used to store controls that are downloaded from the UCF Common Controls Hub.
UCF Citation to Control [sn_comp_ucf_m2m_control_citation] | The UCF Citation to Control staging table is used to store citation to controls that are downloaded from the UCF Common Controls Hub.

Table 4. Transform maps used for UCF integration
Transform map | Description
Default Authority Document transform | Transforms data from the UCF Authority document staging table into the Authority Document table.
Default Citation Transform | Transforms data from the UCF Citation staging table into the Citation table.
Default Control transform | Transforms data from the UCF Control staging table into the Policy Statement table.
Control to Citation transform map | Transforms data from the UCF Citation to Control table into the Policy Statement to Citation table.

Download a UCF Shared List

In order for compliance managers to download Authority Documents from the CCH, the list must be marked as Shared. When updating Authority Documents or adding new ones, you must update all your Authority Documents to ensure that the common controls framework remains in sync with the Authority Documents you are using.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Note: The current design of UCF supports the downloading of mandated and implied controls. The downloading of implementation controls is not supported. See the Unified Compliance Documentation topic "How do I distribute an authority document list to other accounts?"
Warning: All data imported from the UCF is read-only and must be protected. Do not customize the Authority Documents, citations, or policy statements on any UCF fields on the GRC tables.

Procedure

  1. Navigate to Policy and Compliance > Administration > Unified Compliance Integration.
  2. Click the UCF configuration.
  3. Configure the UCF integration, if necessary.
  4. Click Import Shared List.
    A progress bar shows the progress of downloading and importing the documents.
    You may encounter any of the following errors:
    Table 5. UCF Shared List Errors
    Error Explanation Resolve
    If the internet connection is lost for any reason, this message appears.
    1. Click Import Shared List to download again.
    If the selected UCF Shared List that you are downloading does not include all the Authority Documents you have already downloaded, this message appears.
    1. Return to the CCH and verify that the Shared List you are trying to download includes all the Authority Documents from the original import to your instance.
    2. Click Import Shared List to download again.
  5. Click Review Changed Records to review the list of changed records.

    Authority Documents in the UCF content are organized and mapped to their proper citations, which in turn are mapped to a common set of controls. The terminology differs slightly between UCF and the GRC applications, as explained in the following table.

    Table 6. Terminology differences
    UCF | ServiceNow GRC application
    Authority Document | Authority Document
    Citation | Citation
    Control | Policy Statement
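
The two rules that most often break an import (every Shared List must contain all previously imported Authority Documents, and OAuth entries must be instance-specific with no spaces) can be checked before clicking Import Shared List. The following is an added example, not ServiceNow or UCF code. The field names clientId and redirectUrl, the host names and the document titles are constructed assumptions.

```javascript
// Added example: pre-flight checks before clicking Import Shared List.
// Field names and sample values are constructed for illustration only.

// Normalize a title so " SOX " and "sox" compare equal.
function norm(name) {
  return name.trim().replace(/\s+/g, ' ').toLowerCase();
}

// Previously imported Authority Documents that the shared list no longer contains.
function missingFromSharedList(previouslyImported, sharedList) {
  const inList = new Set(sharedList.map(norm));
  return previouslyImported.filter((doc) => !inList.has(norm(doc)));
}

// OAuth entries: non-empty, no whitespace, redirect URL is https on this instance.
function configProblems(cfg, instanceHost) {
  const problems = [];
  for (const key of ['clientId', 'redirectUrl']) {
    if (!cfg[key]) problems.push(key + ' is empty');
    else if (/\s/.test(cfg[key])) problems.push(key + ' contains whitespace');
  }
  try {
    const url = new URL((cfg.redirectUrl || '').trim());
    if (url.protocol !== 'https:') problems.push('redirectUrl is not https');
    if (url.hostname !== instanceHost) problems.push('redirectUrl host is ' + url.hostname);
  } catch (e) {
    problems.push('redirectUrl is not a valid URL');
  }
  return problems;
}

// Combine both checks into one result object.
function preflight(cfg, instanceHost, previouslyImported, sharedList) {
  const missing = missingFromSharedList(previouslyImported, sharedList);
  const problems = configProblems(cfg, instanceHost);
  return { ok: missing.length === 0 && problems.length === 0, missing, problems };
}

// Constructed sample: production redirect URL pasted into a dev instance, SOX dropped.
const sample = preflight(
  { clientId: 'example-client-id ', redirectUrl: 'https://mycompany.service-now.com/oauth_redirect.do' },
  'mycompanydev.service-now.com',
  ['SOX', 'PCI DSS'],
  ['pci dss', 'ISO 27001']
);
console.log(sample);
```

A non-empty missing list corresponds to the unsuccessful import in Figure 2, where SOX was left out of the Shared List.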