Q1

A financial services firm is implementing Advanced Risk Assessment. They need to define a risk scoring methodology where the final score is calculated as a product of 'Likelihood' and 'Business Impact', but only if the 'Control Environment Effectiveness' is below a certain threshold. If effectiveness is high, the impact should be halved before calculation. Which ServiceNow GRC component is best suited for configuring this custom logic?

Q2

During an implementation, an organization with thousands of servers wants to automatically create Entities for any server that hosts a 'PCI-Relevant' application. The list of these applications is managed in the CMDB. What is the most efficient and scalable way to configure this in the Entity Framework?

Q3 (Multiple answers)

A compliance manager has published a new 'Data Encryption Policy'. They need to ensure that all database administrators attest that they have read and understood the policy within 10 business days. Which of the following features should be used to manage this process? (Select TWO)

Q4

True or False: In the GRC Entity Framework, an Entity Class can only reference a table that is a direct extension of the Configuration Item [cmdb_ci] table.

Q5

A risk manager is reviewing the Risk Heatmap and notices that a critical risk, RSK001001, is showing in the 'Green' quadrant (Low/Low), despite having a calculated inherent score that should place it in the 'Red' quadrant (High/High). The controls associated with the risk are all in 'Monitor' state and have an effectiveness of 90%. What is the most likely reason for this discrepancy on the heatmap?

Q6

A global retailer is setting up its Policy and Compliance module. They have a parent 'Code of Conduct' policy that applies to all employees worldwide. They also have regional 'Acceptable Use' policies for North America, Europe, and Asia, which contain specific clauses relevant to local regulations. What is the best practice for structuring these policies in ServiceNow?

Q7

A GRC implementation requires a new role for junior compliance analysts. This role should allow users to view Policies, Control Objectives, and Controls, and to create evidence requests. However, they should NOT be able to approve policy exceptions or move a control into the 'Attest' state. Which base GRC role would be the most appropriate starting point to clone and modify for this purpose?

Q8

A hospital system is using ServiceNow GRC to manage HIPAA compliance. They need to generate controls for every department that handles Protected Health Information (PHI). They have a CMDB, but the concept of a 'department handling PHI' is a business construct, not a specific CI class. The list of these 30 departments is maintained by the compliance team. Which approach should be used to define these departments as Entities?

Q9

The scheduled job `GRC Profile Generation` is responsible for which of the following actions?

Q10 (Multiple answers)

Which two of the following are valid response options for a risk identified during an assessment? (Select TWO)