
GRC IMPLEMENTATION CHECKLIST
Implementation Checklist (Madrid release)

August 23, 2019

Version: 1.2

Professional Services ServiceNow Confidential Page: 1 of 7


GRC Implementation Checklist Implementation Checklist (Madrid release)
Table of Contents
1 Introduction
2 Preparation
2.1 Engagement & Core plugins
2.2 GRC Integration Plugins
3 Policy and Compliance Management
3.1 Core Configuration
3.2 Identity & Access Management (Users, Roles & Groups)
3.3 Reporting
3.3.1 Out-of-the-box Policy & Compliance PA
3.3.2 Custom Reports
4 Risk Management
4.1 Core Configuration
4.2 Identity & Access Management (Users, Roles & Groups)
4.3 Reporting
4.3.1 Out-of-the-box Policy & Compliance PA
4.3.2 Custom Reports
5 Audit Management
5.1 Core Configuration
5.2 Identity & Access Management (Users, Roles & Groups)
5.3 Reporting
5.3.1 Out-of-the-box Policy & Compliance PA
5.3.2 Custom Reports

Version | Description | Author | Date
1.0 | Initial Version | Zdenek Slavik | 15th November 2018
1.1 | Updated version for Madrid release | Zdenek Slavik | 23rd January 2019
1.2 | Updated version for New York release | Max Mirian | 2nd Aug 2019


1 Introduction
The GRC Implementation Checklist document is designed to assist the Technical Consultant in setting up
a customer to implement the GRC application.

2 Preparation
Depending on the scope of the engagement, one or more plugins need to be activated.
2.1 Engagement & Core plugins

Check Activity Due Date


ServiceNow instances provisioned based on Customer Order (customer verifies instance names)

Document Functional Requirements

Conduct Technical Analysis

Document Technical Requirements

Enable GRC: Policy and Compliance Management dependencies

Enable GRC: Policy and Compliance Management (com.sn_compliance)

Enable GRC: Risk Management dependencies

Enable GRC: Risk Management (com.sn_risk) & GRC: Workbench (com.sn_grc_workbench)*

Enable GRC: Audit Management dependencies

Enable GRC: Audit Management (com.sn_audit)

*Paid plugin; sold as a part of the GRC applications; not installed by default. Used by Risk Management only (2nd Line of Defense)

2.2 GRC Integration Plugins

Check Activity Related core plugin Due Date

Enable GRC: Vendor Risk Management (com.sn_vdr_risk_asmt)
• GRC: Policy and Compliance Management (com.sn_compliance)
• GRC: Risk Management

GRC: Compliance UCF (com.sn_comp_ucf)
• GRC: Policy and Compliance Management (com.sn_compliance)

GRC: Performance Analytics Integration (com.sn_grc_pa)
• GRC: Policy and Compliance Management (com.sn_compliance)
• GRC: Risk Management

GRC: SIG Questionnaire Integration (com.sn_sig_asmt)
• GRC: Vendor Risk Management (com.sn_vdr_risk_asmt)


3 Policy and Compliance Management


3.1 Core Configuration

Check Activity Due Date

Configure & Fill-in Authority Documents (sn_compliance_authority_document)

Configure & Fill-in Policy Documents (sn_compliance_control)

Configure & Fill-in Citations (sn_compliance_citation)

Configure & Fill-in Article Template (sn_compliance_article_template)

Configure & Fill-in Control Templates (sn_compliance_policy_statement)

Relate Policies to Control Templates (sn_compliance_policy_statement)

Relate Control Templates to Entity Types (sn_compliance_m2m_statement_profile_type)

Relate Control Templates to Citations (sn_compliance_m2m_statement_citation)

Relate Policy to Entity Type (sn_compliance_m2m_policy_profile_type)

Configure Policy Exception workflow

Design Control Attestation

Create Attestation Types and relate them to the customer's Control Templates

Create a control Indicator

Create a GRC Indicator Template

Populate Question Bank

3.2 Identity & Access Management (Users, Roles & Groups)

Check Activity Due Date

Configure Assignment Group(s) for Compliance Reader

Configure Assignment Group(s) for Compliance User

Configure Assignment Group(s) for Compliance Manager

Configure Assignment Group(s) for Compliance Administrator


Configure Assignment Group(s) for Compliance Developer

Configure Assignment Group(s) for Attestation Creator

3.3 Reporting
3.3.1 Out-of-the-box Policy & Compliance PA

Check Activity Due Date

Enable (IAM) GRC Compliance Overview Dashboard in PA

Enable (IAM) GRC Policy Exception Overview Dashboard

3.3.2 Custom Reports

Check Activity Due Date

Activate GRC: Performance Analytics Integration

Associate PA indicator with a Policy Statement

Associate a PA indicator with Controls

4 Risk Management
4.1 Core Configuration

Check Activity Due Date

Configure Risk Statement (sn_risk_definition)

Configure Risk Frameworks (sn_risk_framework)

Relate Risk Frameworks to Entity Types (sn_risk_m2m_framework_profile_type)

Relate Entity Types to Risk Statements (sn_risk_m2m_risk_definition_profile_type)

If required, configure Risk Management Properties located at Risk > Administration > Properties

Configure Risk Exception workflow

Configure Risk Indicators

Configure Indicator Templates (templates from Compliance module can be re-used)


4.2 Identity & Access Management (Users, Roles & Groups)

Check Activity Due Date

Configure Assignment Group(s) or assignment rules for Risk User

Configure Assignment Group(s) for Risk Reader

Configure Assignment Group(s) for Assessment Creator

Configure Assignment Group(s) for Risk Manager

Configure Assignment Group(s) for Risk Admin

4.3 Reporting
4.3.1 Out-of-the-box Policy & Compliance PA

Check Activity Due Date

Enable (IAM) GRC Compliance Overview Dashboard in PA

Enable (IAM) GRC Policy Exception Overview Dashboard

4.3.2 Custom Reports

Check Activity Due Date

Associate a PA indicator with a Risk Statement

Associate PA indicators with Risks

5 Audit Management
5.1 Core Configuration

Check Activity Due Date

Create Audit Report Templates

Create an Entity Class


Create Entity Rules

Create Entity Types

Configure engagement workflow

5.2 Identity & Access Management (Users, Roles & Groups)

Check Activity Due Date

Configure Assignment Group(s) for Audit User

Configure Assignment Group(s) for Audit Manager

Configure Assignment Group(s) for Audit Admin

Configure Assignment Group(s) for Audit Developer

Configure Assignment Group(s) for External Auditor

5.3 Reporting
5.3.1 Out-of-the-box Policy & Compliance PA

Check Activity Due Date

Enable GRC Audit Engagement Overview dashboard

5.3.2 Custom Reports

Check Activity Due Date

Create Audit Engagement Overview Reports.

Create GRC Audit Indicators (Audit > Indicators > Indicators)

Create GRC Audit Indicator Templates (Audit > Indicators > Indicator Templates)

END OF DOCUMENT
