In today’s evolving regulatory landscape, compliance obligations can be compared to a moving target in archery: if we don’t know what the target looks like or can't anticipate where it will be, then we will likely miss the mark. Maintaining an up-to-date library of the laws, regulations, frameworks, and standards applicable to your organization is imperative for building an effective compliance management program that hits your target and enables confident attestation and reporting.
In ServiceNow, the inventory of authoritative source documents and their related control requirements is stored in the Authority Document, Citation, and Control Objective tables. The definition of each table and the relationships between them are depicted in the diagram below.

The Authority Document, Citation, and Control Objective tables are empty by default, but there are a couple of options for onboarding regulatory content into your ServiceNow instance.
Option #1: You can identify the laws, regulations, frameworks, and standards applicable to your organization, prepare the data, and manually import them into the platform.
Option #2: You can subscribe to a third-party provider who has already prepared the data and import files for your needed regulatory content.
Leveraging a third-party content provider accelerates the process, effectively exchanging the cost of an annual subscription for: (1) the time it would take to identify, aggregate, decompose and import authoritative sources into your environment, and (2) the effort needed to develop a harmonized control framework based on those sources. However, if your goal is simply to comply with NIST 800-53 or an individual cybersecurity framework, the extra sources and harmonization may not be necessary.
Another factor to consider when it comes to regulatory content is the process for identifying and incorporating new and updated authority documents. Many providers have ongoing monitoring in place for this purpose. Additionally, ServiceNow provides a Regulatory Change Management application to facilitate the downstream control adjustments that may be required when regulatory content is introduced or revised.
Having the laws, regulations, standards, and frameworks in your ServiceNow environment will establish a measuring stick for your compliance program, but to achieve the ultimate value desired, the control framework derived from the regulatory content must be appropriate for your use case, easy to use, and enable necessary reporting. The control framework will guide the application of regulatory requirements to your applications, systems, and processes, and enable or prevent compliance reporting depending on how it’s utilized.
In summary, incorporating regulatory content into your instance is essential for an effective compliance program in ServiceNow, whether it is onboarded manually or via a third-party content provider. If you need help incorporating regulatory content into your ServiceNow environment, please reach out to info@lionwarellc.com; we would be glad to discuss which approach or content providers would be best for your specific use case.
Your success is our mission.