How to create, submit, and update a Governance, Risk and Compliance (GRC) Tool.
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: If any
Currently, ThreadFix only supports ServiceNow for Governance, Risk and Compliance (GRC) tool integration.
To create a new GRC tool, from the Navigation sidebar expand the Application menu, and click to open the Integrations sub-menu. Select the GRC Tools page and click the Create GRC Tool button.
This will display a New GRC Tool modal dialog:
Fill in the Name, URL and credentials, then click the 'Get Table Names' button.
The URL and credentials are checked. If they are accurate, fill in and select the 'ThreadFix Application Mapping To' and 'ThreadFix Vulnerability Mapping To' fields.
Click the Create GRC Tool button.
This will display a Design Submit Form modal, which lists all the fields available in the GRC instance. To specify the fields to include when submitting a GRC control, drag the desired fields from the Fields column to the Fields to Display column. Click the Save Form button.
In the example below, note the selected fields moved from the Fields column to the Fields to Display column.
A success message will display and the new tool will be displayed in the GRC Tools list.
Next, click the Get Apps button. This will give a list of available ServiceNow Applications, as well as any existing mappings.
To create a new application in a GRC tool from ThreadFix and map an existing ThreadFix application to it, click the Create App button. This will display a modal dialog. Choose the team and application from the drop-down menus, then click the Save button.
The new GRC application appears in the list:
Click the Edit Mapping button in the row of the GRC application to map to ThreadFix. Select the team and application to map to and click the Save button.
Click the Sync Apps button to synchronize your mappings with ServiceNow.
Users can schedule GRC applications to update on a regular schedule with the following procedure:
Click the Scheduled Updates tab.
To create a new schedule, click the Create Scheduled Update button. A GRC Tool Update modal dialog appears. Choose between "Daily" and "Weekly" backups, select a time for the update to run, and click the Add Scheduled Update button.
The new schedule is saved and is displayed in the schedule list as seen below.
To delete a scheduled update, click the Delete button and confirm the deletion. A success message will be displayed, and the scheduled GRC tool update will be removed from the display list.
Now, if users click on the application that has been mapped, they will be taken to the application details page for that application. Since the application is linked to a GRC tool, some new GRC tool-specific actions appear.
From the vulnerability tree, open a node, and select a vulnerability. Click the Action drop-down menu and select Submit GRC Control (or Submit Multiple GRC Controls).
ThreadFix will display a modal dialog with the vulnerability(ies) that it will submit.
This will close the dialog and present a success message that the selected controls were submitted to the GRC tool. The vulnerability(ies) will have a badge reflecting the control number(s) submitted. Clicking the badge will open the control in a separate tab.
From the top Actions drop-down menu, select Update GRC Control Status.
ThreadFix will display a success message that the update request was submitted to the GRC tool.