grc-compliance
This skill should be used when the user asks about "GRC", "governance", "risk", "compliance", "audit", "policy", "control", "risk assessment", "SOX", "GDPR", or any ServiceNow GRC development.
Best use case
grc-compliance is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using grc-compliance should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/grc-compliance/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# GRC & Compliance for ServiceNow
GRC (Governance, Risk, Compliance) manages organizational policies, risks, and regulatory compliance.
## GRC Architecture
```
Policy (sn_compliance_policy)
└── Policy Statements
    └── Controls (sn_compliance_control)
        └── Control Tests
            └── Test Results
Risk (sn_risk_risk)
├── Risk Assessment
└── Risk Response
```
## Key Tables
| Table | Purpose |
| ---------------------------- | ------------------- |
| `sn_compliance_policy` | Compliance policies |
| `sn_compliance_control` | Controls |
| `sn_compliance_control_test` | Control tests |
| `sn_risk_risk` | Risk records |
| `sn_audit_engagement` | Audit engagements |
| `sn_audit_finding` | Audit findings |
## Policies (ES5)
### Create Policy
```javascript
// Create compliance policy (ES5 ONLY!)
var policy = new GlideRecord("sn_compliance_policy")
policy.initialize()
// Basic info
policy.setValue("name", "Information Security Policy")
policy.setValue("description", "Enterprise information security requirements")
policy.setValue("short_description", "InfoSec Policy")
// Classification
policy.setValue("category", "security")
policy.setValue("type", "corporate")
// Owner
policy.setValue("owner", policyOwnerSysId)
policy.setValue("owning_group", securityTeamSysId)
// Status
policy.setValue("state", "draft")
// Dates
policy.setValue("effective_date", "2024-01-01")
policy.setValue("review_date", "2025-01-01")
policy.insert()
```
### Policy Lifecycle
```javascript
// Transition policy state (ES5 ONLY!)
function transitionPolicy(policySysId, newState, notes) {
  var policy = new GlideRecord("sn_compliance_policy")
  if (!policy.get(policySysId)) {
    return { success: false, message: "Policy not found" }
  }
  // Allowed next states for each current state
  var validTransitions = {
    draft: ["review", "retired"],
    review: ["approved", "draft"],
    approved: ["published", "draft"],
    published: ["review", "retired"],
    retired: ["draft"],
  }
  var currentState = policy.getValue("state")
  if (!validTransitions[currentState] || validTransitions[currentState].indexOf(newState) === -1) {
    return { success: false, message: "Invalid transition" }
  }
  policy.setValue("state", newState)
  if (newState === "published") {
    policy.setValue("published_date", new GlideDateTime())
  }
  if (notes) {
    policy.work_notes = notes
  }
  policy.update()
  return { success: true, state: newState }
}
```
## Controls (ES5)
### Create Control
```javascript
// Create compliance control (ES5 ONLY!)
var control = new GlideRecord("sn_compliance_control")
control.initialize()
// Basic info
control.setValue("name", "Access Control Review")
control.setValue("description", "Quarterly review of user access rights")
control.setValue("short_description", "Access Review Control")
// Link to policy
control.setValue("policy", policySysId)
// Classification
control.setValue("type", "detective") // preventive, detective, corrective
control.setValue("category", "access_control")
control.setValue("frequency", "quarterly")
// Owner
control.setValue("owner", controlOwnerSysId)
// Testing
control.setValue("test_frequency", "quarterly")
control.setValue("test_type", "manual")
// Status
control.setValue("state", "draft")
control.insert()
```
### Control Testing
```javascript
// Create control test (ES5 ONLY!)
function createControlTest(controlSysId, testData) {
  var test = new GlideRecord("sn_compliance_control_test")
  test.initialize()
  test.setValue("control", controlSysId)
  test.setValue("name", testData.name)
  test.setValue("description", testData.description)
  // Test details
  test.setValue("test_type", testData.type) // design, operating
  test.setValue("planned_start", testData.plannedStart)
  test.setValue("planned_end", testData.plannedEnd)
  // Assignment
  test.setValue("assigned_to", testData.tester)
  // Status
  test.setValue("state", "open")
  return test.insert()
}
// Record test result
function recordTestResult(testSysId, result) {
  var test = new GlideRecord("sn_compliance_control_test")
  if (!test.get(testSysId)) {
    return false
  }
  test.setValue("state", "closed")
  test.setValue("result", result.outcome) // pass, fail, not_tested
  test.setValue("actual_end", new GlideDateTime())
  test.setValue("findings", result.findings)
  test.setValue("evidence", result.evidence)
  // If failed, create issue (createComplianceIssue must be defined in the same script scope)
  if (result.outcome === "fail") {
    createComplianceIssue(test, result)
  }
  test.update()
  return true
}
```
## Risk Management (ES5)
### Create Risk
```javascript
// Create risk record (ES5 ONLY!)
var risk = new GlideRecord("sn_risk_risk")
risk.initialize()
// Basic info
risk.setValue("name", "Data Breach Risk")
risk.setValue("description", "Risk of unauthorized access to customer data")
risk.setValue("short_description", "Data Breach")
// Classification
risk.setValue("category", "security")
risk.setValue("subcategory", "data_protection")
// Risk assessment
risk.setValue("inherent_likelihood", 3) // 1-5 scale
risk.setValue("inherent_impact", 5) // 1-5 scale
// Inherent risk = likelihood x impact
// Controls that mitigate this risk
risk.setValue("controls", controlSysIds) // Comma-separated
// Residual risk (after controls)
risk.setValue("residual_likelihood", 2)
risk.setValue("residual_impact", 5)
// Owner
risk.setValue("owner", riskOwnerSysId)
// Status
risk.setValue("state", "assess")
risk.insert()
```
### Risk Assessment
```javascript
// Calculate risk score (ES5 ONLY!)
function calculateRiskScore(likelihood, impact) {
  var score = likelihood * impact
  var rating = "low"
  if (score >= 20) {
    rating = "critical"
  } else if (score >= 12) {
    rating = "high"
  } else if (score >= 6) {
    rating = "medium"
  }
  return {
    score: score,
    rating: rating,
  }
}
// Assess risk and update record (ES5 ONLY!)
function assessRisk(riskSysId, assessment) {
  var risk = new GlideRecord("sn_risk_risk")
  if (!risk.get(riskSysId)) {
    return false
  }
  // Update inherent risk
  risk.setValue("inherent_likelihood", assessment.inherentLikelihood)
  risk.setValue("inherent_impact", assessment.inherentImpact)
  var inherentScore = calculateRiskScore(assessment.inherentLikelihood, assessment.inherentImpact)
  risk.setValue("inherent_risk_score", inherentScore.score)
  risk.setValue("inherent_risk_rating", inherentScore.rating)
  // Update residual risk
  risk.setValue("residual_likelihood", assessment.residualLikelihood)
  risk.setValue("residual_impact", assessment.residualImpact)
  var residualScore = calculateRiskScore(assessment.residualLikelihood, assessment.residualImpact)
  risk.setValue("residual_risk_score", residualScore.score)
  risk.setValue("residual_risk_rating", residualScore.rating)
  // Assessment metadata
  risk.setValue("assessed_date", new GlideDateTime())
  risk.setValue("assessed_by", gs.getUserID())
  risk.setValue("state", "monitor")
  risk.update()
  return true
}
```
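A guard for the `assessRisk()` inputs above, added here as an example and not code from the skill: it rejects values outside the 1-5 scale and residual values above their inherent counterparts before anything is written, reusing the skill's rating thresholds. The function and constant names are this example's own.

```javascript
// Validate an assessment before assessRisk() writes it (ES5 ONLY!)
// Added example, not from the skill: assessRisk() accepts whatever it is given,
// so out-of-scale values silently produce wrong ratings. Bounds follow the 1-5 scale.
var RISK_SCALE_MIN = 1
var RISK_SCALE_MAX = 5
var ASSESSMENT_FIELDS = ["inherentLikelihood", "inherentImpact", "residualLikelihood", "residualImpact"]
function isOnScale(value) {
  return typeof value === "number" && value % 1 === 0 && value >= RISK_SCALE_MIN && value <= RISK_SCALE_MAX
}
// Same thresholds as calculateRiskScore() in the skill, repeated here so the block runs alone
function rate(likelihood, impact) {
  var score = likelihood * impact
  var rating = score >= 20 ? "critical" : score >= 12 ? "high" : score >= 6 ? "medium" : "low"
  return { score: score, rating: rating }
}
function validateAssessment(assessment) {
  var errors = [], i
  if (!assessment) {
    return { valid: false, errors: ["assessment is required"] }
  }
  for (i = 0; i < ASSESSMENT_FIELDS.length; i++) {
    if (!isOnScale(assessment[ASSESSMENT_FIELDS[i]])) {
      errors.push(ASSESSMENT_FIELDS[i] + " must be an integer from " + RISK_SCALE_MIN + " to " + RISK_SCALE_MAX)
    }
  }
  // Controls reduce risk: a residual value above its inherent value is a data-entry error
  if (errors.length === 0) {
    if (assessment.residualLikelihood > assessment.inherentLikelihood) {
      errors.push("residualLikelihood exceeds inherentLikelihood")
    }
    if (assessment.residualImpact > assessment.inherentImpact) {
      errors.push("residualImpact exceeds inherentImpact")
    }
  }
  return { valid: errors.length === 0, errors: errors }
}
// Guarded scoring: callers write to sn_risk_risk only when success is true
function scoreAssessment(assessment) {
  var check = validateAssessment(assessment)
  if (!check.valid) {
    return { success: false, errors: check.errors }
  }
  return {
    success: true,
    inherent: rate(assessment.inherentLikelihood, assessment.inherentImpact),
    residual: rate(assessment.residualLikelihood, assessment.residualImpact),
  }
}
```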
## Audits (ES5)
### Create Audit Engagement
```javascript
// Create audit engagement (ES5 ONLY!)
var audit = new GlideRecord("sn_audit_engagement")
audit.initialize()
audit.setValue("name", "Q1 2024 SOX Audit")
audit.setValue("description", "Quarterly SOX compliance audit")
audit.setValue("type", "compliance")
// Dates
audit.setValue("planned_start", "2024-01-15")
audit.setValue("planned_end", "2024-02-15")
// Scope
audit.setValue("scope", "Financial controls, access management")
// Team
audit.setValue("lead_auditor", auditorSysId)
audit.setValue("audit_team", auditTeamSysId)
// Status
audit.setValue("state", "planning")
audit.insert()
```
### Audit Findings
```javascript
// Create audit finding (ES5 ONLY!)
function createAuditFinding(auditSysId, findingData) {
  var finding = new GlideRecord("sn_audit_finding")
  finding.initialize()
  finding.setValue("engagement", auditSysId)
  finding.setValue("title", findingData.title)
  finding.setValue("description", findingData.description)
  // Severity
  finding.setValue("severity", findingData.severity) // critical, high, medium, low
  // Related control
  if (findingData.control) {
    finding.setValue("control", findingData.control)
  }
  // Recommendation
  finding.setValue("recommendation", findingData.recommendation)
  // Owner for remediation
  finding.setValue("owner", findingData.owner)
  // Due date for remediation
  finding.setValue("due_date", findingData.dueDate)
  finding.setValue("state", "open")
  return finding.insert()
}
```
## Compliance Reporting (ES5)
### Compliance Dashboard Data
```javascript
// Get compliance summary (ES5 ONLY!)
function getComplianceSummary() {
  var summary = {
    policies: { total: 0, published: 0, review_needed: 0 },
    controls: { total: 0, effective: 0, failed: 0 },
    risks: { critical: 0, high: 0, medium: 0, low: 0 },
    audits: { open: 0, findings: 0 },
  }
  // Policies by state
  var ga = new GlideAggregate("sn_compliance_policy")
  ga.addAggregate("COUNT")
  ga.groupBy("state")
  ga.query()
  while (ga.next()) {
    var count = parseInt(ga.getAggregate("COUNT"), 10)
    summary.policies.total += count
    if (ga.getValue("state") === "published") {
      summary.policies.published = count
    } else if (ga.getValue("state") === "review") {
      summary.policies.review_needed = count
    }
  }
  // Active risks by residual rating
  ga = new GlideAggregate("sn_risk_risk")
  ga.addQuery("active", true)
  ga.addAggregate("COUNT")
  ga.groupBy("residual_risk_rating")
  ga.query()
  while (ga.next()) {
    var rating = ga.getValue("residual_risk_rating")
    var riskCount = parseInt(ga.getAggregate("COUNT"), 10)
    if (summary.risks.hasOwnProperty(rating)) {
      summary.risks[rating] = riskCount
    }
  }
  // controls and audits counters are not populated by this function
  return summary
}
```
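The summary above leaves the `controls` counters at zero. The following added example (not code from the skill) derives them from control test rows, treating a pass older than the test frequency as no longer current evidence. Field names follow `sn_compliance_control_test`; the function names and the sample rows are this example's own.

```javascript
// Derive control effectiveness from control test records (ES5 ONLY!)
// Added example, not from the skill: fills the `controls` counters that
// getComplianceSummary() initializes but never populates. Sample rows are constructed.
function daysBetween(fromDate, toDate) {
  var msPerDay = 24 * 60 * 60 * 1000
  return Math.floor((new Date(toDate + "T00:00:00Z") - new Date(fromDate + "T00:00:00Z")) / msPerDay)
}
// tests: rows with sn_compliance_control_test field names (control, state, result, actual_end)
// asOf: "YYYY-MM-DD"; maxAgeDays: a pass older than this is not current evidence (quarterly = 90)
function summarizeControlTests(tests, asOf, maxAgeDays) {
  var latest = {} // control sys_id -> most recent closed test, or null if none closed
  var summary = { total: 0, effective: 0, failed: 0, untested: 0, stale: [] }
  var i, id, t
  for (i = 0; i < tests.length; i++) {
    t = tests[i]
    id = t.control
    if (!latest.hasOwnProperty(id)) {
      latest[id] = null
    }
    if (t.state !== "closed") {
      continue // open tests carry no result yet
    }
    // actual_end is an ISO date string, so string comparison orders it correctly
    if (!latest[id] || t.actual_end > latest[id].actual_end) {
      latest[id] = t
    }
  }
  for (id in latest) {
    t = latest[id]
    summary.total++
    if (!t || (t.result !== "pass" && t.result !== "fail")) {
      summary.untested++ // never closed, not_tested, or an unknown result value
    } else if (t.result === "fail") {
      summary.failed++ // a failure stands until a newer passing test closes it
    } else if (daysBetween(t.actual_end, asOf) > maxAgeDays) {
      summary.untested++ // stale pass: evidence older than the test frequency
      summary.stale.push(id)
    } else {
      summary.effective++
    }
  }
  return summary
}
// Constructed sample: one control retested after a failure, one with stale evidence, one never closed
var SAMPLE_TESTS = [
  { control: "ctrl_access", state: "closed", result: "fail", actual_end: "2024-01-20" },
  { control: "ctrl_access", state: "closed", result: "pass", actual_end: "2024-03-15" },
  { control: "ctrl_backup", state: "closed", result: "pass", actual_end: "2023-10-01" },
  { control: "ctrl_logging", state: "open", result: "", actual_end: "" },
]
```

Run against the sample as of 2024-04-01 with a 90-day window, the access control counts as effective, the backup control as untested (stale), and the logging control as untested (never closed).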
## MCP Tool Integration
### Available Tools
| Tool | Purpose |
| --------------------------------- | --------------------- |
| `snow_query_table` | Query GRC tables |
| `snow_execute_script_with_output` | Test GRC scripts |
| `snow_audit_compliance` | Run compliance audits |
| `snow_assess_risk` | Risk assessment |
### Example Workflow
```javascript
// 1. Query active policies
await snow_query_table({
  table: "sn_compliance_policy",
  query: "state=published",
  fields: "name,category,effective_date,review_date",
})
// 2. Find high risks
await snow_query_table({
  table: "sn_risk_risk",
  query: "residual_risk_rating=high^ORresidual_risk_rating=critical",
  fields: "name,category,residual_risk_score,owner",
})
// 3. Get compliance summary
await snow_execute_script_with_output({
  script: `
    var summary = getComplianceSummary();
    gs.info(JSON.stringify(summary));
  `,
})
```
## Best Practices
1. **Clear Ownership** - Assign policy/control/risk owners
2. **Regular Reviews** - Schedule periodic assessments
3. **Evidence Collection** - Document control effectiveness
4. **Risk Quantification** - Use consistent scoring
5. **Audit Trail** - Track all changes
6. **Automation** - Automate testing where possible
7. **Reporting** - Regular compliance dashboards
8. **ES5 Only** - No modern JavaScript syntax
Drafts U.S. bulk sales law compliance packages for asset purchase transactions outside the ordinary course, including jurisdictional analysis of UCC Article 6 status, creditor schedule, notice of intended bulk sale, seller affidavit, escrow/claims framework, and closing checklist. Use when handling bulk sale, bulk transfer, inventory sale, asset purchase compliance, creditor notice, or successor liability avoidance.