The ServiceNow® Policy and Compliance Management application provides a centralized process for creating and managing policies, standards, and internal control procedures that are mapped to external regulations. Additionally, the application provides structured workflows for identifying, assessing, and continuously monitoring control activities.
The Policy and Compliance Management application includes the following features:
- Scope entities and entity types.
- Manage a compliance library consisting of authority documents, citations, policies, and control objectives.
- Manage policies, procedures, and standards using a policy authoring workflow integrated with Microsoft® Office 365® for drafting, reviewing, approving, redlining, and publishing policies.
- Create a unique control for a control objective and entity, or create multiple and granular controls for the same control objective and entity.
- Respond to control attestations from the Employee Center.
- Request policy exceptions from the Employee Center or from other ServiceNow applications, such as Vulnerability Response, using the Policy Exception Integration Registry.
- Acknowledge policies from the Employee Center.
- Monitor controls continuously using indicator templates and indicators.
- View the compliance posture through reports and dashboards.
- Review the compliance posture of policies or checks from other ServiceNow applications by mapping them to control objectives using the Compliance data source registry.
- Manage issues and remediation tasks.
- Mark issues, remediation tasks, and evidence requests as confidential.
- Provide visibility of issues and remediation tasks to the management hierarchy.
New in this release:
- Controls can now be associated with citations.
- The compliance score on citations and authority documents now reflects the controls associated with those citations.
- Reports on the citation and authority document overview pages now take the citation-to-control associations into account.
- Reports on the Compliance homepage now take the citation-to-control associations into account.
- Citation-to-control associations are auto-populated on upgrade.
- Approvers of policy exceptions can now review the key details of a policy exception or a policy exception extension in a pop-up before approving or rejecting it.
- For manual indicators, the system does not create new indicator tasks if the control is marked exempt or is within a policy exception period.
- Control objective requirements are now available on control objectives, and control requirements on controls.
- Lifecycle users on objects now follow the defined entity-based access permissions.
- GRC choices across the product can now be activated and deactivated using the new Active field on the GRC choice table.
Fixed in this release:
- Reviewed the dependency on the System Administrator role for functional use cases and ensured that only functional roles are assigned, as appropriate.
- License tracking for policy exception approvers who use dynamic approvals.
- Security is now enforced when adding or updating records in related lists through the Multi Record Associator.
- The associated issue was not closed when a control was retired.
- GRC Business User Lite could not view Issues or Policy Exceptions where they were added to the Watch List.
- High memory consumption caused by the job that populates homepage data.
- Security fixes for inadequate access control on tables.
- Mapping controls to a policy exception in the Review state.
- The Smart Attestation flow on controls did not trigger with automation.
- Unable to request a policy exception extension.
- Incorrect sys_ui_message entries for widget titles in the Compliance dashboard.
- Controls with incomplete issues were moving back to the Compliant state.
- In the Smart Assessment Engine, a copy of the default template "GRC Attestation" could be published.
- The Policy reference field fetched all policies when creating a new policy exception record through the issue related list.
- Control attestations were visible in the Employee Center without a defined role.
The following applications are automatically installed when the Policy and Compliance Management application is activated:
- GRC: Profiles
- GRC: Approval Configurator
- GRC: Taxonomy Management
Permissions and roles:
- To install the application, you require the System Administrator (admin) role.
When upgrading the Policy and Compliance Management application, ensure that you also upgrade the Compliance Management Workspace and any other installed GRC applications to their corresponding release versions. For example, Policy and Compliance Management version 21.x has been qualified to work with Compliance Management Workspace version 21.x and other GRC applications from the same 21.x release series.