The ServiceNow® Policy and Compliance Management application provides a centralized process for creating and managing policies, standards, and internal control procedures that are mapped to external regulations. Additionally, the application provides structured workflows for identifying, assessing, and continuously monitoring control activities.
The Policy and Compliance Management application enables you to:
- Scope entities and entity types.
- Manage a compliance library consisting of authority documents, citations, policies, and control objectives.
- Manage policies, procedures, and standards using a policy authoring workflow integrated with Microsoft® Office 365® for drafting, reviewing, approving, redlining, and publishing policies.
- Create a unique control for a control objective and entity, or create multiple and granular controls for the same control objective and entity.
- Respond to control attestations from the Employee Center.
- Request policy exceptions from the Employee Center or from other ServiceNow applications, such as Vulnerability Response, using the Policy Exception Integration Registry.
- Acknowledge policies from the Employee Center.
- Monitor controls continuously using indicator templates and indicators.
- View the compliance posture through reports and dashboards.
- Review the compliance posture of policies or checks from other ServiceNow applications by mapping them to control objectives using the Compliance data source registry.
- Manage issues and remediation tasks.
- Mark issues, remediation tasks, and evidence requests as confidential.
- Provide visibility of issues and remediation tasks to the management hierarchy.
New:
- Workflow introduced on control objectives (on Workspaces only; the necessary changes for the items below have been made in Policy and Compliance Management):
  - Major and minor updates can be done on a separate record instead of the current active record.
  - Owners and owning groups added on control objectives.
  - Dynamic approvals enabled.
  - Auto-publish of control objectives based on the Effective date.
  - Workflows/reports updated to exclude working drafts.
  - All control objectives will have a record nature as the current version, and active ones will be published by default.
  - On classic UI, users will see a message to navigate to Workspaces for using the workflow.
Changed:
- Minor update done on a control objective will not move a control back to draft (on Workspaces only).
Fixed:
- When issues are manually created and controls are tagged, the first control status remains compliant or empty, while the rest move to non-compliant.
- Published Compliance policy reverts to Review state when updated with a new Valid to date.
- Invalid ATF step update content appears in installation logs for GRC: Policy and Compliance Management.
- Duplicate Indicator tasks generated on indicator template updates.
- Error occurs when raising an Exception to a policy.
- Schedule job "set_attestation_frequency" triggers text index event influx.
- Compliance score remains 100% despite minor non-compliance.
- Failure in notifying Control Attestors through email for Attestations.
- Horizontal privilege escalation via Related list API.
The following applications are automatically installed when the Policy and Compliance Management application is activated:
- GRC: Profiles
- GRC: Approval Configurator
- GRC: Taxonomy Management
Permissions and roles:
- To install the application, you require the System Administrator (admin) role.
When upgrading the Policy and Compliance Management application, ensure that you also upgrade the Compliance Management Workspace and any other installed GRC applications to their corresponding release versions. For example, Policy and Compliance Management version 21.x has been qualified to work with Compliance Management Workspace version 21.x and other GRC applications from the same 21.x release series.