Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Manage control objectives and policies

Log in to subscribe to topics and get notified when content changes.

Manage control objectives and policies

The Policies and Procedures module contains overview and detailed information related to policy approvals, policies, and control objectives.

Policies and Procedures Overview

Policies and Procedures Overview is contained in the Policies and procedures module and provides an executive view into compliance requirements, overall compliance, and compliance breakdowns so areas of concern can be identified quickly. Users with the compliance administrator and compliance manager roles view the Policies and Procedures Overview.
Table 1. Policies and Procedures Overview reports in the base system
Name Visual Description
Control compliance Donut chart Displays the overall compliance of all the controls in the system.
Control details Donut chart Displays a breakdown of controls grouped by owner, category, or type.
Control Overview Column Chart Displays the total number of controls related to each policy. The chart is stacked to display the overall control compliance status for each policy.
Control Issues by Policy (Opened Date) Line Chart Displays the number of control issues opened each week, grouped by policy.
Policy Exceptions List Displays a list of control issues that have been closed with a response value of accept, meaning the issue was not remediated.
Total Policy Statements by Policy Bar graph Displays a count of the overall number of policy statements in each policy. The chart is stacked to display policy statements by type.

Policy approval process

Policies are part of a strict approval process to ensure compliance and to reduce exposure to risk. Publishing a policy is automatically incorporated in the approval process. Compliance managers set the length of time that policies are valid, ensuring that the team reviews the policy often to affirm its validity. Policies have a type, such as a policy, procedure, standard, plan, checklist, framework, or template.

The image depicts the approval process flow that is shown at the top of each policy record.

Table 2. Policy approval states
State Description
Draft All policies start in Draft state. In this stage, all compliance users can modify the policy and policy statements.
Review The owner, owning group, and reviewers can modify the policy and policy statements and send it on to the next state.
Awaiting Approval The policy is read only in this state. Approved policies move forward to the Published state. Unapproved policies move back to Review. If no approvers are identified on the policy form, the state is skipped and published without an approval.
Published Approved policies are automatically published to a template-defined KB article. Once a policy is published, it remains in a read-only state. The Valid to field on the policy form defines how long the policy is valid. Note that an expired policy automatically moves back to the Draft/Review state depending on the value entered in the property Number of days after reaching a policy "Valid to" date in which the expired policy will automatically move from its Published state back to a Draft/Review state. For example, if you enter the value in this property as 30 days, then the policy will move to ‘Draft/Review’ state automatically 30 days after the valid to date is reached.

When a policy reaches the end of the Review state and is Approved for publishing, it is automatically published to the GRC knowledge base (as defined in Policy and Compliance > Administration > Properties. The article template field on the policy form defines the style of the published policy.

Retired The KB article is removed when a policy is put into a Retired state.

Policies

Compliance managers catalog and publish internal policies that define a set of business processes, procedures, and or standards.

Control objectives

Compliance managers catalog the control objectives and generate controls from those control objectives.

Control objectives reference a single policy, although they can cover multiple citations from different authority documents. They can be organized into Classification, Category, and Type.
Note: UCF refers to policy statements as controls. When UCF is data is imported, controls are imported into the control objectives table.
Feedback