
Manage GRC policies, policy statements, and policy documents

Organizations import their authority documents from the Network Frontiers Unified Compliance Framework (UCF) or another third-party provider, or they create them manually. GRC: Policy and Compliance Management helps organizations set up and use GRC-related business policies and policy source documents.

Policies

Compliance managers catalog and publish policies that define a set of internally or externally generated business processes, procedures, and/or standards. Compliance managers can further tailor policies to meet the needs of their organizations by arranging them into hierarchies of parent/child relationships.

Policy Approval Process

Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

The image depicts the approval process flow that is shown at the top of each policy record.

Table 1. Policy approval states
State: Description
Draft: All policies start in the Draft state. In this state, all compliance users can modify the policy.
Review: The owner, owning group, and reviewers can modify the policy and send it on to the next state.
Awaiting Approval: The policy is read-only in this state. Approved policies move forward to the Published state. Unapproved policies move back to Review. If no approvers are identified on the policy form, this state is skipped and the policy is published without an approval.
Published: Approved policies are automatically published to a template-defined knowledge base (KB). Once a policy is published, it remains read-only. The Valid to field on the policy form defines how long the policy is valid. When a policy reaches the end of the Review state and is approved for publishing, it is automatically published to the GRC knowledge base (as defined in Policy and Compliance > Administration > Properties). The Article template field on the policy form defines the style of the published policy.
Retired: The KB article is removed when a policy is put into the Retired state.

Policy Statements

Compliance managers catalog the policy statements and generate controls from those policy statements. The same policy statement can be used in multiple policies.

Policy statements can cover multiple citations from different authority documents. They can be organized by Classification, Category, and Type.
Note: UCF refers to policy statements as Controls. When UCF data is imported, controls are imported into the policy statements table.

Policy Documents

GRC: Policy and Compliance Management managers can define templates for publishing GRC KB articles about policy-related topics. Additionally, they can create authority documents by referencing internally and externally created (UCF) information, and retire these documents. They can also create or retire authority document citations.

Create a policy

A policy is a document that defines an internal practice that processes must follow. Policies are defined as policies, procedures, standards, plans, checklists, frameworks, and templates.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 2. Policy
    Field: Description
    Name: The name of the policy.
    Type: One of the following options:
      • Policy
      • Procedure
      • Standard
      • Plan
      • Checklist
      • Framework
      • Template
    Owning Group: Group that owns the policy.
    Owner: User that owns the policy.
    Compliance Score Percentage: The compliance score percentage assigned to this policy.
    Parent: The policy containing this policy. If you create a policy statement from within a policy, this field is automatically filled.
    State: Read-only field. Possible values are:
      • Draft: In this state, all compliance users can modify the policy and policy statements. Any compliance user can click Ready for Review at the bottom of the form, which sets the state to Review.
      • Review: In this state, the owner, owning group, and reviewers can modify the policy and policy statements. They click Request approval to start the workflow, which sends approval requests to the users in the Approvers list. They can also move the policy back to Draft by clicking Back to draft.
      • Awaiting approval: In this state, the policy and policy statements are read-only for all users. Approvers approve the policy by updating the approval state in the Approvals related list on the policy form, or through My Approvals. If the policy is approved, it moves to the Published state; otherwise it returns to the Review state.
      • Published: In this state, the policy and policy statements are read-only for all users. Admins can click Retire, which sets the state of the policy to Retired.
      • Retired: In this state, the policy is read-only for all users.
    Number: Read-only field that is automatically populated with a unique identification number.
    Valid From: The date and time at which the policy becomes valid.
    Valid To: The date and time at which the policy is no longer valid.
    Approvers: The users to include in the approval process.
    Reviewers: The users to include in the review process.
    Description: A general description of the policy.
    Policy text: A detailed description of the policy.
    Knowledge base: The knowledge base article related to this policy.
    Article template: The article template to use for the publication of this policy.
    KB article: The KB article number and link where the policy is published.
  4. Continue with one of the following options.
    Option: Action
    To save and submit the policy: Click Submit.
    To mark the policy ready for review: Click Ready for review.
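As an added example that is not part of this documentation or of ServiceNow's own code, the following JavaScript models the approval workflow described in Table 1 and in the State field above: which parties may modify a policy in each state, which form actions are permitted for whom, the skip-to-Published rule when no approvers are listed, and the Valid From/Valid To window. Role names, the record shape, and the Approve/Reject actions standing in for updates to the Approvals related list are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample records (not from the documentation): one policy with a
// single approver, and actors holding the roles the workflow distinguishes.
// Role names and the record shape are assumptions for illustration.
const samplePolicy = {
  state: 'Draft', owner: 'alice', owningGroup: 'grc-team',
  reviewers: ['bob'], approvers: ['carol'],
  validFrom: '2024-01-01', validTo: '2024-12-31',   // ISO dates compare lexically
};
const complianceUser = { id: 'dave', roles: ['compliance'], groups: [] };
const owner = { id: 'alice', roles: ['compliance'], groups: ['grc-team'] };
const approver = { id: 'carol', roles: ['compliance'], groups: [] };
const admin = { id: 'eve', roles: ['compliance', 'admin'], groups: [] };

// Owner, owning group and reviewers: the parties allowed to act in Review.
function isReviewParty(policy, actor) {
  return actor.id === policy.owner
    || actor.groups.includes(policy.owningGroup)
    || policy.reviewers.includes(actor.id);
}

// Who may modify the policy record in its current state. Awaiting approval,
// Published and Retired are read-only for everyone.
function canModify(policy, actor) {
  if (policy.state === 'Draft') return actor.roles.includes('compliance');
  if (policy.state === 'Review') return isReviewParty(policy, actor);
  return false;
}

// Apply a form action and return the resulting state, or throw when the actor
// or the current state does not permit it. Approve/Reject stand in for the
// approval records an approver updates in the Approvals related list.
function transition(policy, action, actor) {
  const s = policy.state;
  if (s === 'Draft' && action === 'Ready for review' && actor.roles.includes('compliance')) return 'Review';
  if (s === 'Review' && isReviewParty(policy, actor)) {
    if (action === 'Back to draft') return 'Draft';
    // With no approvers listed, Awaiting approval is skipped and the policy publishes directly.
    if (action === 'Request approval') return policy.approvers.length ? 'Awaiting approval' : 'Published';
  }
  if (s === 'Awaiting approval' && policy.approvers.includes(actor.id)) {
    if (action === 'Approve') return 'Published';
    if (action === 'Reject') return 'Review';
  }
  if (s === 'Published' && action === 'Retire' && actor.roles.includes('admin')) return 'Retired';
  throw new Error(`"${action}" by ${actor.id} is not permitted in state "${s}"`);
}

// A published policy is in force only between Valid From and Valid To (inclusive).
function isInForce(policy, isoDate) {
  return policy.state === 'Published' && isoDate >= policy.validFrom && isoDate <= policy.validTo;
}
```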

Approve and publish policy

When a policy is approved, it is automatically published.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the policy record.
  3. Review the policy details, making updates as necessary.
  4. Click Approve.

Review a policy

It is important that the right people in your organization are involved in the review of policies.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the Policy record.
  3. Review the policy details, making updates as necessary.
  4. Continue with one of the following actions:
    Option: Action
    To move the policy back into draft: Click Back to draft.
    To request approval for the policy: Click Request approval.

Retire a policy

Retiring a policy is part of the policy management process. A policy can be retired at any time after it has been approved and published to the KB.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Policies.
  2. Open the Policy record.
  3. In the top right corner, click Retire.
    This option is available only for policies in a published state.

Create a GRC article template

Policy and Compliance managers can create templates for policy article publishing.

Before you begin

Role required: sn_audit.manager

Procedure

  1. Navigate to Policy and Compliance > Administration > Article Templates.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 3. Article template
    Field: Value
    Name: Name of the article template.
    Type: One of the following options:
      • Script
      • HTML
      • XML
    Script: The script code. This field depends on the Type field.
    HTML: The HTML code. This field depends on the Type field.
    XML: The XML code. This field depends on the Type field.
    Is default: Check box to indicate that this template is used as the default template for all KB articles.
  4. Click Submit.

Create a policy statement

A policy statement is an objective, direction, or standard that acts as guidance for company interactions and operations. Policy statements can be categorized, classified, and related to policies.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policy Statements.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 4. Policy Statement
    Field: Description
    Name*: The name of the policy statement.
    Source: A non-editable field with the source of the policy statement. For example, if the statement comes from the UCF import, the source is UCF.
    Source ID: The unique identification number used by the source to catalog this authority document.
    Reference: A unique numerical identifier.
    Parent: The policy containing the policy statement. If you create a policy statement from within a policy, this field is automatically filled.
    Compliance Score Percentage: The compliance score percentage assigned to this policy statement.
    Active: A policy is marked active if it is not in the Draft or Retired state.
    Creates controls automatically: Check box indicating that controls are automatically created from the policy statement.
    Note: Select this option if the policy statement can also serve as the control.
    Category: One of the following options:
      • Acquisition or sale of facilities, technology, and services
      • Audits and risk management
      • Compliance and Governance Manual of Style
      • Human Resources management
      • Leadership and high level objectives
      • Monitoring and measurement
      • Operational management
      • Physical and environmental protection
      • Privacy protection for information and data
      • Records management
      • System hardening through configuration management
      • Systems continuity
      • Systems design, build, and implementation
      • Technical security
      • Third Party and supply chain oversight
      • Root
      • Deprecated
    Classification: One of the following options:
      • Preventive
      • Corrective
      • Detective
    Type: One of the following options:
      • Acquisition/Sale of Assets or Services
      • Actionable Reports or Measurements
      • Audits and Risk Management
      • Behavior
      • Business Processes
      • Communicate
      • Configuration
      • Data and Information Management
      • Duplicate
      • Establish Roles
      • Establish/Maintain Documentation
      • Human Resources Management
      • Investigate
      • IT Impact Zone
      • Log Management
      • Maintenance
      • Monitor and Evaluate Occurrences
      • Physical and Environmental Protection
      • Process or Activity
      • Records Management
      • Systems Continuity
      • Systems Design, Build, and Implementation
      • Technical Security
      • Testing
      • Training
    Attestation: List of options. GRC Attestation is chosen by default.
    Note: If the user changes the control attestation, the related policy statement attestation type is changed as well.
    Issue group rule: The group rule assigned to this policy statement.
    Description: Description of the policy statement.
  4. Click Submit.
    The policy statement is created and all related lists are visible.
    • A control is created for every policy statement when a policy is associated with a profile.
    • The control attributes default to the same attributes as the related policy statement.

Deactivate a policy statement

Deactivate policy statements that are no longer relevant to their citation or policy.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policy Statements.
  2. Open a policy statement.
  3. In the policy statement, clear the check box marked Active.
  4. Click Update.

Relate a policy statement to a policy

Policy statements can be associated with a policy individually, by choosing the policy in the document field on the policy statement, or in bulk, by editing the Policy Statements related list on the policy.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Policies and Procedures > Policies.
  2. Open the policy record.
  3. Click Edit in the Policy Statements related list.
    The slushbucket lists the active policy statements that have no associated policy.
  4. Select the policy statements.
  5. Click Save.
    Those policy statements are listed in the Policy Statement related list.

Relate a policy statement to a citation

A single policy statement can be mapped to many citations from different authority documents. This lets you test a policy statement once while complying with many different citations.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Citations.
  2. Open a citation.
  3. In the Policy statements related list, click New.
  4. Fill in the fields on the form, as appropriate.
    Table 5. Policy Statement
    Field: Description
    Name: The name of the policy statement.
    Source: A non-editable field with the source of the policy statement. For example, if the statement comes from the UCF import, the source is UCF.
    Reference: A unique numerical identifier.
    Policy: The parent policy statement supported by this policy statement.
    Parent: References the parent content.
    Active: A policy is marked active if it is not in the Draft or Retired state.
    Source ID: The unique identification number used by the source to catalog this authority document.
    Category: Select one of the following options:
      • Acquisition or sale of facilities, technology, and services
      • Audits and risk management
      • Compliance and Governance Manual of Style
      • Human Resources management
      • Leadership and high level objectives
      • Monitoring and measurement
      • Operational management
      • Physical and environmental protection
      • Privacy protection for information and data
      • Records management
      • System hardening through configuration management
      • Systems continuity
      • Systems design, build, and implementation
      • Technical security
      • Third Party and supply chain oversight
      • Root
      • Deprecated
    Classification: Select one of the following options:
      • Preventive
      • Corrective
      • Detective
      • IT Impact Zone
    Type: Select one of the following options:
      • Acquisition/Sale of Assets or Services
      • Actionable Reports or Measurements
      • Audits and Risk Management
      • Behavior
      • Business Processes
      • Communicate
      • Configuration
      • Data and Information Management
      • Duplicate
      • Establish Roles
      • Establish/Maintain Documentation
      • Human Resources Management
      • Investigate
      • IT Impact Zone
      • Log Management
      • Maintenance
      • Monitor and Evaluate Occurrences
      • Physical and Environmental Protection
      • Process or Activity
      • Records Management
      • Systems Continuity
      • Systems Design, Build, and Implementation
      • Technical Security
      • Testing
      • Training
    Description: Describe the policy statement and how it supports the goals of the organization.
  5. Click Submit.

Create a citation

Usually, authority documents, citations, and policy statements are downloaded from UCF. However, citations can be created manually from an authority document.

Before you begin

Role required: sn_compliance_admin or sn_compliance_manager

Procedure

  1. Navigate to Policy and Compliance > Authority Documents.
  2. Open an authority document.
  3. In the Citations Related List, click New.
  4. Fill in the fields on the form, as appropriate.
    Table 6. Citation
    Field: Description
    Name*: User-defined name that identifies this citation.
    Source: A non-editable field with the source of the citation. For example, if the citation comes from the UCF import, the source is UCF.
    Source ID: The unique identification number used by the source to catalog this authority document.
    Reference: Content reference.
    Type: Type of citation created. Optional field that is not used for any processing; use its value in reports or to query for records of a specific type. One of the following options:
      • Core Topic
      • Process
      • Control Objective
      • Control
      • Supporting information
    Authority document: Name of the parent authority document for this citation. When you create citations from the authority document form, the system completes this field automatically.
    Active: A policy is marked active if it is not in the Draft or Retired state.
    Parent: References the parent content.
    Description: Description of the citation.

Deactivate a citation

The Active option in a citation indicates whether the citation has been retired.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Citations.
  2. Open a citation.
  3. In the citation, clear the check box marked Active.

Deactivate an authority document

The Active option in an authority document indicates whether the authority document has been retired.

Before you begin

Role required: sn_compliance.admin or sn_compliance.manager

Procedure

  1. Navigate to Policy and Compliance > Compliance > Authority Documents.
  2. Open an authority document.
  3. In the authority document, clear the check box marked Active.