Entity Types, Classes and Tiers for GRC: What they are and how to use them.

Import · Sep 29, 2020 · video

Hello GRC community, and welcome to another video tutorial to help you get started with ServiceNow's application. My name is Eric Feron, I'm in Santa Clara, California, and first I want to wish you all well in these uncertain times; I hope that you are all safe and in good health. Today with me we have two of my team members who are GRC experts: Anusha Randad, who is Principal Product Manager in the Risk business unit and who actively leads the design of the risk products.

Hi, I'm Shri. Hey Eric, thank you for having me on the call.

And Jagan Rao, who is Principal Product Success Manager and who spends his days helping customers and users make the best of the GRC application. Hi Jagan.

Hello Eric, hi everyone, glad to be back.

So today we will be talking about entities again, this concept and tool that's absolutely fundamental to the successful implementation of the GRC application. We have seen a few questions in the community forums, and also directly via email to us from our users, about entity tiers, and truth be told there is not much information about tiers in the product documentation, so we thought it'd be a good idea to do a tutorial. We decided to address this topic in context with entity types and entity classes, with a view to clarify once and for all what all this means and how all these concepts and tools are useful put together. As usual, I will take us first quickly through a few reminders. We will then look at some real-life situations that will show why you should know about entity tiers, classes and types. Then we'll define and display very simply the definitions and uses of these three concepts and tools; we'll also look at how they interact with one another in your GRC application. And finally our experts Anusha and Jagan will give us some practical recommendations on how to get it all set up. So let me get started with a couple of refresher slides.

As usual, this tutorial, as you know, is part of the Get Started with GRC series, so it is really aimed at people and organizations in the early stages of implementation. We want to make sure that you have the knowledge and tools to quickly realize value from the product from the start. In the future we'll also have more tutorials for the more advanced people and organizations. This is a heavy slide and we will not review it in detail; it is here simply so you can print it and keep it as a cheat sheet, if you will. But you can see on the left-hand side there are five red arrows that point to the topics of today: entity type, entity class, entity tier, and how those things are positioned inside of the overall GRC universe.

Let's get moving and let's start with some real-life situations to quickly understand where all these concepts fit. So let's say that I, Eric, like many of the viewers here, am a compliance analyst. My company bought GRC from ServiceNow and I need to create controls, lots of controls, for all of the entities needed for a particular control objective. So how can I do this without spending days copying and pasting text for every single entity? What would I hear from the community if I were to ask? Jagan, can you please help me with this one?

Look, this is a great question and very relevant for the current scenarios, and we see this question often from all the customers and in the community forum as well. As you know, ServiceNow is all about efficiency, automation of workflows and simplification of people's lives using tools. Here, entity types is what you want to use. By creating entity types first and associating them with control objectives, the system automatically creates individual controls for the associated entities. This way you can reduce the amount of work that is done by people for creating controls.

All right, so this will help me save time. Let's have a look at the way it works for risk. So let's say, again, same situation: I'm a risk analyst and I need to create risks for a particular risk statement.

It works exactly in the same way, right? You create entity types, associate them with risk statements, and individual risks will be automatically created by the system whenever there is a new entity that gets created and there is an association that happens between the entity and the risks.

Excellent, it saves me time. Let's move on to the classes. Let's switch gears and let's say that my CRO or my CIO comes asking me some tough but fair questions such as this one here: she wants to see the risk or compliance posture for all business applications across the whole of the organization. Anusha, can you help me with this? How do I answer this question from this very important stakeholder?

Absolutely, Eric, and this is also a question that we see very often indeed. So executives need to have the ability to gain insight that matches the way they manage the business, and we have to help them provide the answers. In this case it is also very easy, and this is exactly why we created entity classes. So entity classes are used to tag your entities and provide a view on how these entities are categorized across your risk and compliance universe. Once these tags are in place, you can use them to provide specific insight, and for all the entities carrying the same tag, such as the same class, you can go find the information that you're looking for.

All right, so a class is essentially a tag, and once the entities are tagged, because they belong to a class, you will be able to interrogate the system according to an individual tag. I love it. So let's move forward and talk about the tiers. So next, let's say that my CRO or my CIO is interested in the most critical items in the business, to focus on what is really hot at the moment; so not so much interested in the complete and exhaustive view, but just the most important stuff. So how do I address this?

Well, this is exactly why we created the tiers: to help build the hierarchy of importance in the compliance and risk universe, so you can look at the most important entities in the hierarchy and look at your compliance and risk posture.

Okay, so hopefully this has given the audience a nice setup of the scene of where these concepts sit, and now we're going to move to some more detailed definitions. Jagan, you're first in line with entity type, so tell us a bit more about entity types.

So we have seen that entity types are the best friends of compliance and risk analysts, right? They help to scale and work fast with developing controls or risks for a given control objective or a risk statement. The feature is designed to group together entities that are similar in nature; for example, I can have one entity type that would be departments, vendors, data centers. You want to use entity types to automate your workflow, for example when creating a new entity: by creating entity filters we will be able to create entities automatically, which will get associated with risks or control statements, and the association happens there. This is a tool that you want to use during your entity scoping exercise. And here is an interesting preview of what is coming in the next slides: entity types can contain filters that will belong to more than one class, or entities of different tiers.

All right, this is great. So let's move on to the class. Anusha, tell us a little bit more about entity classes.

So entity class is actually an advanced feature, but we highly recommend that you use them as soon as you get started. It will save your time and provide great value later, and they are well worth your time. So classes are simply tags, a way to tag entities across many different entity types. For example, a department or a business application or a business service could be found in different entity types. Once your classes are in place and associated with entities, you can query the system to have a view of risk or compliance posture for any given class, like we saw earlier with the example of the CRO. I highly recommend that you set up your classes during the entity scoping. Now, all classes are not equal, and it is good to associate them with a tier; each class will belong to one tier only. Now, the way you would set up classes is using GRC Workbench, and GRC Workbench gives you a visual representation of the relationship between different classes. Once you set that up in the workbench, in the background the actual entities associated with different classes form a hierarchy of those classes, and these classes can be used to provide the roll-up of one entity to another. So you can actually define whether a particular class rolls up to another class, and form this hierarchy using GRC Workbench.

All right, so let's talk about the tiers. So tiers are simply a hierarchy level that we give to the classes to provide a sense of prioritization. Tiers are associated with entity classes, and the tier of a given class applies to all the entities in that class. Tiers are used to establish a hierarchy and roll-ups between these entities; it helps to provide a view on how your lower-tier-level entities are affecting your higher-tier-level entities. An example would be: IT asset tier 3 entities will be affecting application tier 2 entities, and eventually will be affecting the tier 1 business entities. This helps to measure your compliance and risk roll-ups across the different tiers, and tiers are established during scoping to build upstream and downstream entity relationships. A tier can be associated with several classes, and the entity of a tier 1 class will be upstream to the entity of a tier 2 class, and so on and so forth.

Very good. Let's move on to see how all of this fits together, and I'm gonna try to do this myself to see if I have understood how it works, and you will correct me if and when I am wrong. This is a part of the slide that we have seen in other tutorials, to try to set the scene with a realistic example; I'm not going to say that it's a real example, but realistic somehow. So we started with the policy, we have the control objective, and for this control objective we are creating entity types, so each one of these yellow bars represents an entity type, and the one at the top is Departments and Vendors, for example. Now inside of these entity types we create entities, and if you look at the one on top for Departments and Vendors, we have entities Customer Support, Finance Department, HR Department and the ITD Partners, and so on and so forth. And when it comes to the classes we can say, hey, all of these entities here, we call them Departments. In the second entity type we have some business applications, and we're going to associate them with the class Business Application. In addition to this we have a new class, what we call Business Services; it just happens that the entity belonging to this class Business Services is also in an entity type, Application and Business Services. Another class would be Databases, and finally for this example our last class would be Servers. Now where do the tiers come in? Well, the tiers have been defined in advance, in this case one, two, three, and we're going to allocate them by order of importance to the classes that we have defined. For example, tier one, we're going to say Departments, on the same level as Business Services; then comes Business Applications, and finally the two classes Database and Servers. I think I've got it.

So okay, now I'd like to hear from the experts about what they advise in terms of the sequence to create these concepts and tools at the time of the entity scoping.

Yeah, so the first thing that I would recommend is to start with your tiers, to define the different levels of tiers in your organization. Then you create your entity class rules and also the classes, so that whenever an entity is created out of a certain table, a class can be associated with it automatically. And then you go ahead and associate those different classes that you created with the tiers that you've defined. Once you create classes and tiers and create the association, the next step is creating types. This is where all the magic happens: by creating types and creating entity filters you can create entities, and risks also, automatically, and then all of this fits together. So all the newly created entities that are created from the entity filters and entity types get automatically tagged with the right class and tier, and that's when you can actually define your entity hierarchy. This can also be done manually.

All right, this is all very powerful. So we are now at the end of our tutorial, and as we always do, let's give some advice to our audience on what they should be doing right now, very practically, after they've finished viewing this video.

I think the very first thing to do right now, if you're getting started with GRC and planning your entity scoping workshop, is to find out how you will define your entities by looking for the data sources that will help you to do so. And the next very important step is to document your tiers, your classes and your entity types.

Yes, I agree, and from then on you have what you need to run your entity scoping workshop. Also you can view other tutorials which are available.

All right, well thank you very much for this, Anusha and Jagan. We are now at the end of the tutorial; I will just finish with a couple of reminders once again. All the links that were mentioned will be available in a PDF version of the slides that will be posted in the forum, and we absolutely want to hear from you: please ask your questions in the GRC forum, you will get answers within minutes, or even better, comment and share with us what you have learned. Once again, Anusha, Jagan, thank you very much, and we'll talk to you soon.

Thank you. Thank you.
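As an added illustration (not ServiceNow code, and using no ServiceNow API), the following Python model simulates the concepts the tutorial walks through: class rules tag entities and give them their class's tier, an entity type is a filter that can span classes and tiers, associating a control objective with entity types yields one control per entity, and non-compliance rolls up from lower-tier entities to the higher-tier entities that depend on them. All records, names and dependency links are constructed for the example.

```python
from dataclasses import dataclass
# Constructed sample records standing in for CMDB tables (not ServiceNow data);
# "depends_on" lists the lower-tier entities each record relies on.
RECORDS = [
    {"name": "HR Department", "table": "department", "depends_on": ["Payroll App"]},
    {"name": "Payroll App", "table": "business_app", "depends_on": ["Payroll DB", "db-srv-01"]},
    {"name": "Payroll DB", "table": "database", "depends_on": []},
    {"name": "db-srv-01", "table": "server", "depends_on": []},
    {"name": "Web App", "table": "business_app", "depends_on": []},
]
# Class rules (source table -> class) tag new entities automatically; each class has one tier.
CLASS_RULES = {"department": "Departments", "business_app": "Business Applications",
               "database": "Databases", "server": "Servers"}
CLASS_TIER = {"Departments": 1, "Business Applications": 2, "Databases": 3, "Servers": 3}
@dataclass
class Entity:
    name: str
    entity_class: str
    tier: int
    downstream: list  # names of the lower-tier entities this entity depends on

def build_entities(records):
    """Create entities from records, tagging class and tier via the class rules."""
    ents = {}
    for r in records:
        cls = CLASS_RULES[r["table"]]
        ents[r["name"]] = Entity(r["name"], cls, CLASS_TIER[cls], list(r["depends_on"]))
    for e in ents.values():  # a dependency may only point to the same or a lower tier
        assert all(ents[d].tier >= e.tier for d in e.downstream), e.name
    return ents

def entity_type(ents, predicate):
    """An entity type is a filter over entities; it may span several classes and tiers."""
    return [e for e in ents.values() if predicate(e)]

def create_controls(control_objective, entity_types):
    """Associating a control objective with entity types yields one control per entity."""
    return sorted({(control_objective, e.name) for t in entity_types for e in t})

def rolled_up_compliance(ents, failed):
    """Mark 'failed' entities non-compliant and roll the failure up every upstream chain."""
    def is_ok(name, seen=()):
        return name not in failed and all(is_ok(d, seen + (name,)) for d in ents[name].downstream if d not in seen)
    return {n: is_ok(n) for n in ents}

def posture_by_class(ents, status, cls):
    """The CRO question: (compliant, total) over all entities tagged with one class."""
    members = [n for n, e in ents.items() if e.entity_class == cls]
    return sum(status[n] for n in members), len(members)
```

A failing tier 3 server makes the tier 2 application and the tier 1 department that depend on it non-compliant, while unrelated entities keep their own status.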

Original source: https://www.youtube.com/watch?v=ImtrttMcHk4