Entities
[MUSIC PLAYING]
SPEAKER 1: Entities are probably the concept that causes implementers the most confusion. This video
covers what entities are and why ServiceNow leverages them in its GRC suite of applications. Let's begin
by discussing the high level reason why entities are needed and the problems that entities help solve. So
what are entities, and how can I define them for an organization? Basically, entities can be defined as
those people, places, objects, or things that are the target of risk and compliance activities.
Entities are the objects against which we manage risks that threaten the organization, on which we apply
controls to ensure compliance, and which we scope for an audit as part of an... In most cases, when people are
struggling to grasp the concept of an entity, we ask them to show us their control or risk matrix. These
matrices are typically in spreadsheets.
When we ask them to read the first line, they'll say something like "all web servers need to have certain
ports closed" or "all critical financial systems need to adhere to change management." They've just defined
the entities. For the first example, entities are web servers. And in the second example, entities are critical
financial systems. Here are a few additional examples of types of entities. People: it could be department
heads or anyone that is a manager or director.
It could also be members of a specific department or cost center. Places: questions to ask are, what
places are important for an organization? Are there warehouses or distribution sites that need to be held
accountable? Objects or things: questions to ask are, what are the major IT components that need to be
involved in risk and compliance? Does the organization define its business processes? Could those be a
type of entity?
For servers, it doesn't have to be at the server level. It could be one step up at the server build level. Let's
look next at what happens when an organization doesn't use entities. This is common with many GRC
solutions out there. They don't provide an effective way to handle compliance testing and risk
assessments at the company or enterprise level. In this first example, we'll look at an object or theme
used in almost any industry: servers.
There may be a requirement that all servers be configured the same way. What we see in a traditional
scenario without ServiceNow GRC is auditors taking a sample of servers and looking to see if they are
configured to meet the requirement. When they find a server that isn't configured correctly, they fail the
control. Failing controls is a big deal during an audit. But wait, what if that failed server was not an
important one or it was scheduled to be retired?
What if this is truly one server out of 10,000 in the data center? Traditional GRC processes don't take that
into consideration. With entities, we can assign this requirement, also known as a control, to each one of
the servers. If we go through the same exercise, we find that out of those 10,000 servers, 9,999 were
compliant. Now, we can focus on the one noncompliant server and resolve this as a compliance task
before auditors ever get involved.
We can hold the responsible party for the failed server accountable as opposed to an audit team
penalizing the entire organization for the one area that may have broken down in the process. Let's return
to the annual audit with a sample of servers and no entities. When the audit failure is reported against a
single item, the compliance team can reach out to the owner of that item and get the failure resolved. But
what if there are more items that don't meet this requirement, and those servers were not in the sample
group?
What is going to happen when the auditors come back to retest and select a different sample set of items
and find another one that doesn't meet the requirement? This will result in another failed annual audit.
This is why measuring controls at a more granular level and on a continuous basis can benefit the whole
organization. If there are more non-compliant servers, those can be resolved before an annual audit.
In this next example, we'll look at a non-IT example. Here, the organization is in the health care
industry, and it operates 100 pharmacies. There is a requirement that each pharmacy display the
material safety data sheets for everyone to see. When the annual audit occurs, and a single pharmacy
fails to display the data sheets, the whole organization fails. If each pharmacy is set up as an entity, then
the entity owner, such as the pharmacy manager, can be held accountable for meeting this requirement
and resolve it before the audit.
ServiceNow GRC takes the concept of entities and leverages platform capabilities to make managing
entities easier on the organization. Entities can be created to leverage existing data on the platform that is
usually maintained by a group outside of risk and compliance teams. This could be data housed in CMDB
tables, one of the other foundational tables, or a table from another application, such as human
resources or security operations.
Entities can be grouped together based on common characteristics. This entity grouping makes it easier
to maintain and manage entities. When we create an entity grouping, we can build a filter that looks at
existing tables, and based on conditions that we define, it will generate the appropriate entities. In this
final example, there are five servers in the Linux server table, but only three meet the entity conditions of
being operational and in production. Those three are generated as entities.
Later, if one of the servers is no longer operational and no longer meets the filter criteria, automation will
remove it from the entity grouping. Entities provide an effective way to handle compliance testing and risk
assessments at the enterprise level. Entities are important tools for ensuring compliance instead of just
proving it. If an organization determines that it needs to adhere to the CIS Critical Security Controls, which
are focused on IT security, then why would they only test compliance once a year during an audit? This
should be an ongoing process so that the organization can assure its stakeholders and partners that
the company has a secure environment.
[MUSIC PLAYING]
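As an added example, not code from the video or from ServiceNow's own platform, the following plain JavaScript models the two ideas the speaker describes: an entity grouping that is generated from a filter over an existing table (and that drops an entity once a row no longer matches), and a control that is tested against every entity rather than an audit sample, so the non-compliant ones and their owners can be resolved before an audit. The five server rows, the field names, the owner names and the open-ports control are all constructed for illustration; ServiceNow GRC implements this with its own tables and filter conditions, which this script does not call.

```javascript
// Added example: a plain-JavaScript model of an entity grouping filter and a
// per-entity control test. This is NOT ServiceNow's GRC API or platform code;
// the table rows, field names, owners and the port rule are constructed.

// Constructed rows standing in for a "Linux server" table (five servers, as in the video).
const linuxServers = [
  { name: "web-01", owner: "alice", operational_status: "operational", environment: "production", open_ports: [22, 443] },
  { name: "web-02", owner: "bob", operational_status: "operational", environment: "production", open_ports: [22, 443] },
  { name: "db-01", owner: "carol", operational_status: "operational", environment: "production", open_ports: [22, 23, 5432] },
  { name: "test-01", owner: "dave", operational_status: "operational", environment: "test", open_ports: [22, 443] },
  { name: "old-01", owner: "erin", operational_status: "retired", environment: "production", open_ports: [22] },
];

// Entity grouping filter: every listed field must equal the given value
// (the video's "operational and in production" condition).
const productionLinuxFilter = { operational_status: "operational", environment: "production" };

function matchesFilter(row, filter) {
  return Object.entries(filter).every(([field, value]) => row[field] === value);
}

// Generate the entity names that the grouping filter selects from the table.
function generateEntities(rows, filter) {
  return rows.filter((row) => matchesFilter(row, filter)).map((row) => row.name).sort();
}

// Reconcile the grouping against the current table: rows that newly match are
// added as entities, entities whose row no longer matches (e.g. a server that
// was retired) are removed, mirroring the automation the speaker describes.
function reconcileGrouping(currentEntities, rows, filter) {
  const desired = new Set(generateEntities(rows, filter));
  const current = new Set(currentEntities);
  return {
    add: [...desired].filter((name) => !current.has(name)).sort(),
    remove: [...current].filter((name) => !desired.has(name)).sort(),
    entities: [...desired].sort(),
  };
}

// A hypothetical control: only the listed ports may be open on a production server.
const allowedPorts = new Set([22, 443]);

function portsControlPasses(row) {
  return row.open_ports.every((port) => allowedPorts.has(port));
}

// Test the control against EVERY entity in the grouping rather than a sample,
// and report the non-compliant ones with their owners so each can be resolved
// as a compliance task before auditors are involved.
function assessControl(rows, filter, controlFn) {
  const entities = rows.filter((row) => matchesFilter(row, filter));
  const failures = entities.filter((row) => !controlFn(row));
  return {
    tested: entities.length,
    compliant: entities.length - failures.length,
    noncompliant: failures.map((row) => ({ name: row.name, owner: row.owner })),
  };
}

// Stand-alone run: three entities are generated, two pass the control, db-01 fails.
console.log(generateEntities(linuxServers, productionLinuxFilter));
console.log(assessControl(linuxServers, productionLinuxFilter, portsControlPasses));
```

The point of `assessControl` returning the owner alongside each failing entity is the accountability the speaker describes: the result names the one responsible party rather than failing the control for the whole organization, and `reconcileGrouping` shows why the entity list itself needs no manual upkeep once the filter is defined.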