ServiceNow GRC: New Features and Use Cases Piero DePaoli

ServiceNow GRC: New Features and Use Cases · 13.01.2017  · • Case Management INTERNAL AUDIT • SOX, IIA Standard • Policies • Risks • Controls ... Grant Thornton GRC Survey


Page 1

ServiceNow GRC: New Features and Use Cases

Piero DePaoli

Page 2

2 © 2018 ServiceNow, Inc. All Rights Reserved. Confidential.

Agenda

• The current state of Governance, Risk and Compliance

• Common ServiceNow GRC use cases

• What’s new in London for ServiceNow GRC?

• Q&A

Page 3

Gartner: Transform Governance, Risk and Compliance to Integrated Risk Management May 2018

74% of global risk management executives state that their ability to forecast critical risks will be more difficult in three years.

Page 4

Problem: GRC in an old work model is inefficient

SECURITY • ISO 27001, HIPAA, PCI, NIST • Policies • Cyber Risks • Controls • Control Test, Evidence, Monitor

LEGAL • FCPA/UK Bribery/Code of Conduct • Privacy / GDPR • Policies • Audits • Investigations • Case Management

INTERNAL AUDIT • SOX, IIA Standard • Policies • Risks • Controls • Control Test, Evidence • Audits

IT • COBIT/ITIL • Policies • Risks • Controls • Control Evidence, Monitoring

FINANCE • SOX • Policies • Risks • Controls • Control Test, Evidence, Certification

Workflow Driven Process • Integrated Reporting • Transparency

Tools & Capabilities Can’t Keep Up: Email, Spreadsheets, Meetings

Page 5

What this means to the enterprise…

• Higher operating cost

• Unproductive employees

• Slow resolution times and missed deadlines

Page 6

The effects of a breach or non-compliance can be severe

• $1M: Loss due to corporate fraud in 23% of cases studied [1]

• $3.62M: Avg. total cost of a data breach [2]

• $1.2M: Largest settlement to resolve a legal action based on a policy review (in study) [3]

• $342B: Fines for misconduct on banks since 2009, erasing $850B in profits for the top 50 global banks since 2008 [4]

• 43% of respondents are operating compliance efforts at an ad hoc or fragmented/siloed maturity level [5]

• $10M: Cost of responding to third-party breaches over the previous 12 months [6]

• 16.7% / 26%: Suffered reputation damage as a result of third-party relationships [7]

• 55% (2015) / 68% (2016): Non-compliant with regulatory frameworks

1. Association of Certified Fraud Examiners. (2016). 2016 Report to the Nations. Retrieved 13 January, 2017
2. Ponemon Institute Cost of Data Breach Study, June 2017
3. 2016 Ethics and Compliance Policy Management Benchmark Report. Retrieved 18 January, 2017
4. Reuters: U.S., EU fines on banks' misconduct to top $400 billion by 2020: report. September 27, 2017
5. Balancing risk with opportunity in challenging times, Grant Thornton GRC Survey 2016
6. Ponemon Institute Tone at the Top report, May 2016
7. Deloitte Third-Party GRC Survey 2017

Page 7

Page 8

ServiceNow Governance, Risk and Compliance

GRC applications: POLICY & COMPLIANCE MANAGEMENT • RISK MANAGEMENT • AUDIT MANAGEMENT • VENDOR RISK MANAGEMENT

Now Platform®

• USER EXPERIENCES: Community, Service Portal, Service Catalog, Status Notifications, Knowledge Base

• SERVICE EXPERIENCES: Integration and APIs, Low Code Dev Tools, Service Aware CMDB, Visual Taskboards, Workflow, Time-series Database

• SERVICE INTELLIGENCE: Actionable Analytics, Anomaly Detection, Supervised Machine Learning, Peer Benchmarks

Page 9

Policy and Compliance / Risk Management: Continuously monitor, automate activities and prioritise risks

Page 10

Reduce overhead and increase performance

Policy & Compliance Management: Reduce compliance overhead

1. Monitor for control effectiveness (CMDB)

2. Control failure auto-generates an issue

3. Analyse, review and close issue

4. Continue to monitor for compliance with real-time dashboards

Risk Management: Automate risk scores based on critical vulnerabilities

1. Vulnerability scan results database (CVE-2014-3566 SSL Vulnerability, QID 70000 NETBIOS Vulnerability)

2. CMDB: Lunch Server, hosts HR applications

3. Risk score automatically adjusted

4. Issue prioritised

5. Business has insight into risk exposure

Proactively identify emerging risk through use of indicators
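As an added example (not code from the deck and not ServiceNow's own implementation), the Python below mirrors the risk-management flow on this slide: scan findings are joined to CMDB configuration items, each CI's risk score is recomputed, and a prioritised issue is raised for every critical finding, so the server hosting HR applications lands at the top of the queue. Only the finding identifiers come from the slide; the CI records, severity values, criticality levels, the scoring formula and the priority rule are constructed assumptions.

```python
"""Added example (not ServiceNow code): join vulnerability scan findings to
CMDB configuration items, recompute risk scores and auto-create prioritised
issues.  CI records, severities, criticality levels and the scoring and
priority rules are all constructed assumptions."""
from dataclasses import dataclass, field

# Constructed CMDB extract.  "Lunch Server" and "HR applications" appear on
# the slide; the CI ids, criticality levels (1 = low, 3 = high) and the
# second CI are assumptions.
CMDB = {
    "lunch-srv-01": {"name": "Lunch Server", "hosts": ["HR application"], "criticality": 3},
    "kiosk-07": {"name": "Cafeteria kiosk", "hosts": [], "criticality": 1},
}

# Constructed scan-result rows in the shape a scanner export might take.
# The finding ids and titles come from the slide; severities (1-5) are assumed.
SCAN_RESULTS = [
    {"ci": "lunch-srv-01", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": 4},
    {"ci": "lunch-srv-01", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": 2},
    {"ci": "kiosk-07", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": 4},
]

CRITICAL_SEVERITY = 4  # assumed threshold: findings at or above this raise an issue


@dataclass
class Issue:
    ci: str
    finding: str
    priority: int  # 1 = most urgent


@dataclass
class RiskRecord:
    ci: str
    score: int = 0
    issues: list = field(default_factory=list)


def risk_score(ci_id, findings):
    """Assumed formula: sum of finding severities, weighted by CI criticality."""
    return sum(f["severity"] for f in findings) * CMDB[ci_id]["criticality"]


def process_scan(results):
    """Group findings by CI, recompute each CI's risk score and raise one
    prioritised issue per critical finding.  Returns {ci_id: RiskRecord}."""
    by_ci = {}
    for row in results:
        by_ci.setdefault(row["ci"], []).append(row)
    records = {}
    for ci_id, findings in by_ci.items():
        rec = RiskRecord(ci=ci_id, score=risk_score(ci_id, findings))
        for f in findings:
            if f["severity"] >= CRITICAL_SEVERITY:
                # Assumed priority rule: a critical finding on a criticality-3 CI
                # becomes P1; the same finding on a criticality-1 CI becomes P3.
                priority = max(1, 4 - CMDB[ci_id]["criticality"])
                rec.issues.append(Issue(ci_id, f"{f['id']} {f['title']}", priority))
        records[ci_id] = rec
    return records


def issues_by_priority(records):
    """Flat list of all issues, most urgent first, for the work queue."""
    return sorted((i for r in records.values() for i in r.issues), key=lambda i: i.priority)


if __name__ == "__main__":
    recs = process_scan(SCAN_RESULTS)
    for ci_id, rec in recs.items():
        print(f"{CMDB[ci_id]['name']}: risk score {rec.score}")
    for issue in issues_by_priority(recs):
        print(f"P{issue.priority} {issue.ci}: {issue.finding}")
```

The point of the join is that the same finding (here CVE-2014-3566 on both hosts) yields different scores and priorities depending on what the CI supports; the CMDB, not the scanner, supplies that business context.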

Page 11

Audit Management: Streamline audit and program management

Page 12

Streamline audit and program management

• Continuous controls monitoring and automated evidence collection for efficiency and scale

• Automated self-service workflows: Policy, risk, control, audit, test and certification

• Real-time dashboards: Monitoring enterprise compliance and audit activities

Cost savings with ServiceNow GRC

• $500k saved annually: Eliminated 5,000 hours annually in manual status tracking and providing evidence to auditors (real-time dashboards, monitoring, automated workflows)

• 110 corporate policies managed: Eliminated 1,000s of emails annually for performing policy management (automated publishing of policies through Service Portal); reduced effort and more transparent policy mgmt.

• 66% time reduction in control certification: From 3 weeks down to 1 week in certifying 208 controls quarterly (automated surveys, reminders and monitoring); reduction in quarterly control certification

• 24x7 assurance: Replaced manual tasks and processes while providing better control over risk exposure (continuous monitoring and event-based alerts); better visibility and efficiency

Page 13

ServiceNow’s GRC timeline

Milestones

• Q4’15-Q1’16: Sarbanes-Oxley Compliance

• May ’16: Risk-based Operational Audits

• Q4’16-Q1’17: Enterprise Policy Management

• Mar-May ‘17: Continuous Controls Monitoring

• June-July ‘17: Dashboards

• Oct-Nov ‘17: Audit Request Management

• Oct-Dec ‘17: IT Security

• Jan-Feb ‘18: Legal GRC Privacy Program/GDPR

• Planned: Self-service Portal, Third-party Tools Integration

Capabilities

• Policy • Risk • Attestations • Control/control test • Audit/engagement • Issue/remediation • Reporting

• Enhanced existing capabilities

• PA dashboards

• Enhanced policies capability through workflow configuration and Service Portal

• Authority documents

• Citations • UCF • Indicators

• Integration with 3rd party apps (SAP, Qualys)

• Minor enhancements

• Audit request

• More integrations

• Sustaining engineering

Resources

• 1 BSA • 2 Engineers

• 1/2 BSA • 1/2 Engineer

• 1/2 BSA • 1/2 Engineer

• 1/2 BSA • 1/2 Engineer

• 1/2 BSA • 1/2 Engineer

• 1/4 BSA • 1/2 Engineer

Page 14

Vendor Risk Management: Reduce risk posed by your vendors

Page 15

Vendor risk management in an old work model

• No visibility into overall program activities and vendor risk posture

• Siloed processes and organisations lead to missed communications

• Manual and time-consuming processes (Excel, email, meetings)

Legal / HR / IT / XLS (spreadsheets)

Page 16

Third-party risk management process

1. Onboard vendor

2. Tier

3. Assess

4. Generate findings

5. Remediate issues

6. Report risks

7. Monitor

8. Retire

Page 17

ServiceNow Vendor Risk Management

• GRC Integration

• Vendor Catalog

• Vendor portal (Legal, IT, HR)

• Issues and Remediation

• Deadlines

• Assessments

• Contacts

• Security Score provider integration

• Internal Tiering Assessment

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.

Page 18

New features in London: Security Score Integration • Vendor Tiering • SOX Content Pack

Page 19

Vendor Risk Tiering

1. Send tiering assessments to the “internal” vendor analyst team (Security, Compliance, Contracts, HR)

2. Tiering score automatically calculated and vendor record updated. Tier ranges are configurable. (CMDB)

3. Send out the appropriate vendor assessment through the vendor portal, either manually or using a rule to automate it

4. Collaborate and consolidate communications in the vendor portal, tracking everything through the conclusion of the assessments (Vendor Risk Assessment)

Page 20

Vendor Score Provider Integration

1. Download the plugins from the ServiceNow Store (BitSight, Security Scorecard) or use your own metrics (Internal Metrics)

2. Vendor security scores are continuously updated in the security scores table and are visible in the vendor record (CMDB)

3. Continuously monitor and, when a score changes, send out the appropriate vendor assessment through the vendor portal, either manually or using a rule to automate it

4. Collaborate and consolidate communications in the vendor portal, tracking everything through the conclusion of the assessments (Vendor Risk Assessment)
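The two vendor-risk slides above (Vendor Risk Tiering and Vendor Score Provider Integration) describe one mechanism from two sides: an internal tiering assessment places a vendor in a configurable tier, and a continuously updated external security score then drives when a reassessment goes out. The Python below is an added example of that logic, not code from the deck or from ServiceNow; the questionnaire, point weights, tier ranges, per-tier policy and the score feed are all constructed assumptions, and the "tier first, then baseline, then react to a drop" ordering is the design choice it demonstrates.

```python
"""Added example (not ServiceNow code): vendor tiering with configurable tier
ranges, plus a score-change monitor that decides when to send a vendor
assessment.  Questions, weights, tier ranges, per-tier policy and the score
feed are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Constructed internal tiering questionnaire: points added to the tiering
# score for each "yes".  The analyst teams named on the slide each answer
# their own part.
TIERING_QUESTIONS = {
    "handles_personal_data": 40,      # Compliance / HR
    "network_connectivity": 25,       # Security
    "annual_spend_over_1m": 15,       # Contracts
    "business_critical_service": 20,  # Compliance
}

# Configurable tier ranges as (minimum score, tier); tier 1 is highest risk.
TIER_RANGES = [(70, 1), (40, 2), (15, 3), (0, 4)]

# Per-tier policy: which assessment to send, and how large a drop in the
# external security score triggers a reassessment.  Assumed values.
TIER_POLICY = {
    1: {"assessment": "full",     "drop_threshold": 5},
    2: {"assessment": "standard", "drop_threshold": 10},
    3: {"assessment": "lite",     "drop_threshold": 20},
    4: {"assessment": None,       "drop_threshold": 30},
}


@dataclass
class Vendor:
    name: str
    tier: Optional[int] = None
    tiering_score: int = 0
    security_score: Optional[int] = None  # latest value from the provider feed


def tiering_score(answers):
    """Sum the points of every question answered yes."""
    return sum(points for q, points in TIERING_QUESTIONS.items() if answers.get(q))


def tier_for(score, ranges=TIER_RANGES):
    """Map a score onto the configured ranges, checking the highest minimum first."""
    for min_score, tier in sorted(ranges, reverse=True):
        if score >= min_score:
            return tier
    raise ValueError("tier ranges must cover score 0")


def apply_tiering(vendor, answers):
    """Compute the tiering score and update the vendor record; returns the tier."""
    vendor.tiering_score = tiering_score(answers)
    vendor.tier = tier_for(vendor.tiering_score)
    return vendor.tier


def on_score_update(vendor, new_score):
    """Record a new external security score and return the assessment to send,
    or None.  The first observation only sets a baseline; untiered vendors and
    tiers whose policy has no assessment never trigger one."""
    previous = vendor.security_score
    vendor.security_score = new_score
    if vendor.tier is None or previous is None:
        return None
    policy = TIER_POLICY[vendor.tier]
    if policy["assessment"] is None:
        return None
    if previous - new_score >= policy["drop_threshold"]:
        return policy["assessment"]
    return None


if __name__ == "__main__":
    v = Vendor("Example Payroll Ltd")  # constructed vendor
    answers = {"handles_personal_data": True, "business_critical_service": True}
    print("tier:", apply_tiering(v, answers))
    for score in (720, 715, 700):  # constructed score feed
        print(score, "->", on_score_update(v, score))
```

Because the thresholds are keyed by tier, a small score drop on a tier-1 vendor triggers a full reassessment while the same drop on a tier-3 vendor is ignored; changing TIER_RANGES or TIER_POLICY reconfigures that behaviour without touching the monitor logic.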

Page 21

Actionable, automated and unified ServiceNow GRC: Improve your risk and compliance posture and effectively communicate it across departments and to the board

CONTROL YOUR RISK EXPOSURE ACROSS YOUR EXTENDED ENTERPRISE… with continuous monitoring internally and with vendors, at scale

INCREASE PERFORMANCE AND PRODUCTIVITY… with consistent and cross-functional automation

IMPROVE STRATEGIC PLANNING AND DECISION MAKING… with a single integrated risk management program

EFFECTIVELY COMMUNICATE AND COLLABORATE… with real-time reports and a purpose-built vendor portal

Page 22

We want to hear from you!

Programs: ServiceNow User Groups, Now Forum®, Knowledge® Events, Design Partner Program, Lighthouse Program, Product Advisory Council

Community: GRC Community, thousands of active members hailing from all geographies, industries and company sizes

Page 23