ServiceNow GRC: New Features and Use Cases
Piero DePaoli
2 © 2018 ServiceNow, Inc. All Rights Reserved. Confidential.
Agenda
• The current state of Governance, Risk and Compliance
• Common ServiceNow GRC use cases
• What’s new in London for ServiceNow GRC?
• Q&A
Gartner: Transform Governance, Risk and Compliance to Integrated Risk Management May 2018
74% of global risk management executives state that their ability to forecast critical risks will be more difficult in three years.
Problem: GRC in an old work model is inefficient
Workflow-driven process, run separately by each function:
• SECURITY: ISO 27001, HIPAA, PCI, NIST; Policies; Cyber Risks; Controls; Control Test, Evidence, Monitor
• LEGAL: FCPA / UK Bribery / Code of Conduct; Privacy / GDPR; Policies; Audits; Investigations; Case Management
• INTERNAL AUDIT: SOX, IIA Standard; Policies; Risks; Controls; Control Test, Evidence; Audits
• IT: COBIT / ITIL; Policies; Risks; Controls; Control Evidence, Monitoring
• FINANCE: SOX; Policies; Risks; Controls; Control Test, Evidence, Certification
Integrated Reporting / Transparency
Tools & Capabilities Can’t Keep Up: Email, Spreadsheets, Meetings
What this means to the enterprise…
• Higher operating cost
• Unproductive employees
• Slow resolution times and missed deadlines
The effects of a breach or non-compliance can be severe
• $342B: fines for misconduct on banks since 2009, erasing $850B in profits for the top 50 global banks since 2008 [4]
• $1.2M: largest settlement to resolve a legal action based on a policy review (in study) [3]
• $3.62M: avg. total cost of a data breach [2]
• $1M: loss due to corporate fraud in 23% of cases studied [1]
• 43% of respondents are operating compliance efforts at an ad hoc or fragmented/siloed maturity level [5]
• $10M: cost of responding to third-party breaches over the previous 12 months [6]
• As a result of third-party relationships [7]: suffered reputation damage (16.7% / 26%); non-compliant with regulatory frameworks (55% in 2015, 68% in 2016)
Sources:
1. Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017.
2. Ponemon Institute Cost of Data Breach Study, June 2017.
3. 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017.
4. Reuters: U.S., EU fines on banks' misconduct to top $400 billion by 2020: report. September 27, 2017.
5. Balancing risk with opportunity in challenging times, Grant Thornton GRC Survey 2016.
6. Ponemon Institute Tone at the Top report, May 2016.
7. Deloitte Third-Party GRC Survey 2017.
Now Platform®
• User Experiences: Community, Service Portal, Service Catalog, Status Notifications, Knowledge Base
• Service Experiences: Integration and APIs, Low Code Dev Tools, Service Aware CMDB, Visual Taskboards, Workflow, Time-series Database
• Service Intelligence: Actionable Analytics, Anomaly Detection, Supervised Machine Learning, Peer Benchmarks
ServiceNow Governance, Risk and Compliance: Policy & Compliance Management | Risk Management | Audit Management | Vendor Risk Management
Policy and Compliance / Risk Management: continuously monitor, automate activities and prioritise risks
Reduce overhead and increase performance
Policy & Compliance Management: reduce compliance overhead
1. Monitor for control effectiveness (continuous monitoring against the CMDB)
2. Control failure auto-generates an issue
3. Analyse, review and close the issue
4. Continue to monitor for compliance with real-time dashboards
Risk Management: automate risk scores based on critical vulnerabilities
1. The vulnerability scan results database reports findings, e.g. CVE-2014-3566 (SSL vulnerability) and QID 70000 (NETBIOS vulnerability)
2. The CMDB shows that the affected “Lunch Server” hosts HR applications
3. Risk score automatically adjusted
4. Issue prioritised
5. Business has insight into risk exposure
Proactively identify emerging risk through use of indicators.
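The Risk Management flow on this slide, worked through as an added example (not ServiceNow code): scan findings are matched to CMDB items, the risk score is adjusted by indicator weight times business impact, and a prioritised issue is raised. The CMDB rows, indicator weights, priority thresholds and control mapping are constructed assumptions.

```python
"""Illustrative model of indicator-driven risk scoring (added example, not
ServiceNow code). All CMDB rows, weights and thresholds are constructed."""
from copy import deepcopy

# Constructed CMDB rows; "impact" reflects what the CI hosts. The server
# hosting HR applications (as on the slide) is the high-impact case.
CMDB = {
    "lunch-srv-01": {"hosts": "HR applications", "impact": 5, "risk_score": 20},
    "kiosk-07":     {"hosts": "cafeteria menu",  "impact": 1, "risk_score": 10},
}
# Constructed indicator weights, keyed by the scanner's finding id
# (the slide's CVE for the SSL issue and Qualys QID for NETBIOS).
INDICATOR_WEIGHTS = {"CVE-2014-3566": 8, "QID 70000": 4}
# Constructed control mapping: the control is marked failed when its
# indicator fires, which is what auto-generates the issue.
CONTROLS = {"CVE-2014-3566": "CTL-TLS-01 (SSLv3 disabled)"}
# Constructed scan export: (configuration item, finding id) rows.
SAMPLE_FINDINGS = [("lunch-srv-01", "CVE-2014-3566"), ("kiosk-07", "CVE-2014-3566"),
                   ("lunch-srv-01", "QID 70000"), ("hr-db-99", "QID 70000")]

def priority_for(score):
    """Assumed thresholds: P1 at 50+, P2 at 30+, otherwise P3."""
    return "P1" if score >= 50 else "P2" if score >= 30 else "P3"

def process_scan(findings, cmdb=CMDB):
    """Return (updated copy of cmdb, issues sorted most urgent first).
    The input cmdb is not mutated, so repeated runs are reproducible."""
    state = deepcopy(cmdb)
    issues = []
    for ci, finding in findings:
        if ci not in state or finding not in INDICATOR_WEIGHTS:
            continue  # unknown CI or unmonitored indicator: no adjustment
        item = state[ci]
        delta = INDICATOR_WEIGHTS[finding] * item["impact"]
        item["risk_score"] = min(100, item["risk_score"] + delta)
        issues.append({
            "ci": ci, "finding": finding, "hosts": item["hosts"],
            "control_failed": CONTROLS.get(finding),
            "score": item["risk_score"],
            "priority": priority_for(item["risk_score"]),
        })
    issues.sort(key=lambda i: (i["priority"], -i["score"]))
    return state, issues

if __name__ == "__main__":
    for issue in process_scan(SAMPLE_FINDINGS)[1]:
        print(issue)
```

Findings against CIs that are missing from the CMDB are skipped rather than scored, which is itself a gap worth reporting in a real deployment.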
Audit Management: streamline audit and program management
Streamline audit and program management
• Continuous controls monitoring and automated evidence collection for efficiency and scale
• Automated self-service workflows: policy, risk, control, audit, test and certification
• Real-time dashboards: monitoring enterprise compliance and audit activities
Cost savings with ServiceNow GRC
• $500k saved annually: eliminated 5,000 hours annually in manual status tracking and providing evidence to auditors (real-time dashboards, monitoring, automated workflows)
• 110 corporate policies managed: eliminated 1,000s of emails annually for performing policy management; automated publishing of policies through Service Portal; reduced effort and more transparent policy mgmt.
• 66% time reduction in control certification: from 3 weeks down to 1 week in certifying 208 controls quarterly; automated surveys, reminders and monitoring; reduction in quarterly control certification
• 24x7 assurance: replaced manual tasks and processes while providing better control over risk exposure; continuous monitoring and event-based alerts; better visibility and efficiency
ServiceNow’s GRC timeline (Q4’15 to Q2’18)
• Sarbanes-Oxley Compliance: Q4’15-Q1’16
• Risk-based Operational Audits: May ’16
• Enterprise Policy Management: Q4’16-Q1’17
• Continuous Controls Monitoring: Mar-May ‘17
• Dashboards: June-July ‘17
• Audit Request Management: Oct-Nov ‘17
• IT Security: Oct-Dec ‘17
• Legal GRC Privacy Program/GDPR: Jan-Feb ‘18
• Planned: Self-service Portal; Third-party Tools Integration
Capabilities delivered per phase
• Policy; Risk; Attestations; Control/control test; Audit/engagement; Issue/remediation; Reporting
• Enhanced existing capabilities; PA dashboards
• Enhanced policies capability through workflow configuration and Service Portal
• Authority documents; Citations; UCF; Indicators
• Integration with 3rd party apps (SAP, Qualys)
• Minor enhancements
• Audit request
• More integrations
• Sustaining engineering
Resources per phase
• 1 BSA, 2 Engineer
• 1/2 BSA, 1/2 Engineer (repeated for the next four phases)
• 1/4 BSA, 1/2 Engineer
Vendor Risk Management: reduce risk posed by your vendors
Vendor risk management in an old work model
• No visibility into overall program activities and vendor risk posture
• Siloed processes and organisations (Legal, HR, IT) lead to missed communications
• Manual and time-consuming processes (Excel, email, meetings)
Third-party risk management process
Onboard vendor → Tier → Assess → Generate findings → Remediate issues → Report risks → Monitor → Retire
ServiceNow Vendor Risk Management
• GRC integration
• Vendor catalog
• Vendor portal shared by Legal, IT and HR: issues and remediation, deadlines, assessments, contacts
• Security score provider integration
• Internal tiering assessment
ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.
New features in London
• Security Score Integration
• Vendor Tiering
• SOX Content Pack
Vendor Risk Tiering
1. Send tiering assessments to the “internal” vendor analyst team (Security, Compliance, Contracts, HR)
2. Tiering score automatically calculated and vendor record updated (CMDB); tier ranges are configurable
3. Send out the appropriate vendor risk assessment through the vendor portal, either manually or using a rule to automate it
4. Collaborate and consolidate communications in the vendor portal, tracking everything through the conclusion of the assessments
Vendor Score Provider Integration
1. Download the provider plugins (BitSight, Security Scorecard) from the ServiceNow Store, or use your own internal metrics
2. Vendor security scores are continuously updated in the security scores table and are visible in the vendor record (CMDB)
3. Continuously monitor and, when a score changes, send out the appropriate vendor risk assessment through the vendor portal, either manually or using a rule to automate it
4. Collaborate and consolidate communications in the vendor portal, tracking everything through the conclusion of the assessments
Actionable, automated and unified ServiceNow GRC
Improve your risk and compliance posture and effectively communicate it across departments and to the board
• CONTROL YOUR RISK EXPOSURE ACROSS YOUR EXTENDED ENTERPRISE… with continuous monitoring internally and with vendors, at scale
• INCREASE PERFORMANCE AND PRODUCTIVITY… with consistent and cross-functional automation
• IMPROVE STRATEGIC PLANNING AND DECISION MAKING… with a single integrated risk management program
• EFFECTIVELY COMMUNICATE AND COLLABORATE… with real-time reports and a purpose-built vendor portal
We want to hear from you!
Programs: ServiceNow User Groups, Now Forum®, Knowledge® Events, Design Partner Program, Lighthouse Program, Product Advisory Council
Community: GRC Community, thousands of active members hailing from all geographies, industries and company sizes