Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases
Gen Fields, Senior Solution Consultant, Federal Government, ServiceNow
Agenda
- The Current State of Governance, Risk, and Compliance
- ServiceNow Governance, Risk, and Compliance
- 4 Simple Use Cases: Vendor Risk Management; Automating Risk Scores based on Critical Vulnerabilities; Security Assessments of New Applications; Streamlining Audits
Speaker Introduction
NAME: Gen Fields
TITLE: Senior Solution Consultant, Federal Government
FUNCTION: Solution analysis and design
COMPANY: ServiceNow
EXPERIENCE: Almost 2 years with ServiceNow, over 8 years in policy and governance, over 20 years in IT
EXPERTISE: ITSM, ITBM, ESM, GRC, PA
CURRENT PROJECTS: Enabling the Australian Defence Posting Process, various Defence and Intelligence projects
Your Enterprise is Faced with Increasing Challenges and Demands
- Changing Regulations
- Cyber Risks
- Internal Risk Reduction Initiatives
- Vendor Risks
- Compliance Guidelines
- New Standards
Currently, how many legislative, regulatory, and industry compliance frameworks are there worldwide?
Logos are trademarks or registered trademarks of their respective owners and not ServiceNow
& growing
GRC in the Typical Enterprise is Complex
- Security: ISO 27001, HIPAA, PCI, NIST; Policies, Cyber Risks, Controls; Control Test, Evidence, Monitor
- Legal: FCPA / UK Bribery / Code of Conduct; Privacy Policies, Audits, Investigations, Case Management
- IT: COBIT / ITIL; Policies, Risks, Controls; Control Evidence, Monitoring
- Internal Audit: SOX, IIA Standard; Policies, Risks, Controls; Control Test, Evidence, Audits
- Finance: SOX; Policies, Risks, Controls; Control Test, Evidence, Certification
Tools & Capabilities: Email, Spreadsheets, Meetings; Integrated Reporting, Workflow Driven, Process Transparency
Today's GRC Processes and Tools Can't Keep Up
- Reactive Risk Management
- Siloed Tools & Organizations (Security, IT, Finance, Internal Audit, Legal)
- Manual Processes
How many person-hours are spent per year on the manual tasks of GRC?
Transform Ineffective Processes into a Unified GRC Program
- Continuously Monitor: Get actionable information about high-impact or emerging risks from real-time dashboards showing status, updates, and tasks.
- Unify and Prioritize: Identify your most critical risks using cross-functional process integration and context from the platform CMDB to assess business impact.
- Automate: Automate cross-functional activities with predefined business, risk, and IT owners and systems to streamline evidence data collection and other tasks.
ServiceNow Governance, Risk, and Compliance
- Applications: Policy & Compliance Management, Risk Management, Audit Management, Vendor Risk Management
- Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting
- Platform services: Service Portal, Subscription & Notification, Knowledge Base, Service Catalog, Workflow, Developer Tools, Reports & Dashboards, Single Database, Contextual Collaboration, Orchestration
- Platform properties: Multi-Instance, Secure & Compliant, Scalable
Four Simple Use Cases
Transform Vendor Risk Management
From (HR, Legal, IT):
- Manual and time-consuming processes (Excel, email, meetings)
- Siloed processes and organizations that lead to missed communications
- No visibility into overall program activities and vendor risk posture
To ServiceNow Vendor Risk Management (HR, Legal, IT):
- Vendor Portal
- Assessments
- Contacts
- Deadlines
- Vendor Catalog
- Issues and Remediation
- GRC Integration
Automate Risk Scores based on Critical Vulnerabilities
Questions the process must answer: Who owns the server? What's the business impact? Are the business owners aware?
Flow:
1. Vulnerability scan results database: vulnerabilities identified (QID 70000 NETBIOS Vulnerability; CVE-2014-3566 SSL Vulnerability) on hosts such as a Linux server.
2. CMDB: the affected host is mapped to its business applications and owners (e.g. Facilities, HR applications).
3. Issue prioritized based on the business context.
4. IT Risk Score automatically adjusted.
5. Business has insight into risk exposure.
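The flow above joins scanner findings to CMDB context and rolls the result up into a risk score. The following is an added illustration of that join in Python; it is not ServiceNow code and not part of the original deck. The CMDB records, hosts, owners, criticality weights and severity weights are all constructed for the example; only the finding identifiers (QID 70000, CVE-2014-3566) come from the slide. A host the scanner reports but the CMDB does not know is treated as the highest criticality and flagged, because an unowned server is exactly the case the slide's first question ("Who owns the server?") warns about.

```python
from dataclasses import dataclass

# Constructed weights (assumption): scanner severity and business criticality
# are multiplied to give a per-issue score.
SEVERITY = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CRITICALITY = {"high": 3, "medium": 2, "low": 1}
UNMAPPED = "UNMAPPED"   # label for hosts with no CMDB record


@dataclass(frozen=True)
class Finding:
    host: str       # hostname as reported by the scanner
    ident: str      # scanner identifier (QID) or CVE
    title: str
    severity: str


@dataclass(frozen=True)
class Application:
    name: str
    owner: str
    criticality: str


# Constructed CMDB (assumption): application records and host -> application mapping.
CMDB_APPS = {
    "HR Payroll": Application("HR Payroll", "hr-owner@example.test", "high"),
    "Facilities Booking": Application("Facilities Booking", "facilities-owner@example.test", "medium"),
}
CMDB_HOSTS = {
    "linux-srv-01": ["HR Payroll"],
    "linux-srv-02": ["Facilities Booking"],
}

# Constructed scan results; identifiers taken from the slide, hosts are made up.
FINDINGS = [
    Finding("linux-srv-01", "QID 70000", "NETBIOS Vulnerability", "medium"),
    Finding("linux-srv-01", "CVE-2014-3566", "SSL Vulnerability", "high"),
    Finding("linux-srv-02", "CVE-2014-3566", "SSL Vulnerability", "high"),
    Finding("web-srv-09", "QID 70000", "NETBIOS Vulnerability", "medium"),  # not in CMDB
]


def build_issues(findings, cmdb_hosts=CMDB_HOSTS, cmdb_apps=CMDB_APPS):
    """Join each finding to the applications its host supports and score it.

    One issue is produced per (finding, application) pair so that each business
    owner sees the exposure of their own application. Hosts missing from the
    CMDB produce an UNMAPPED issue scored at the highest criticality.
    """
    issues = []
    for f in findings:
        app_names = cmdb_hosts.get(f.host)
        if not app_names:
            issues.append({
                "host": f.host, "ident": f.ident, "title": f.title,
                "application": UNMAPPED, "owner": None,
                "score": SEVERITY[f.severity] * CRITICALITY["high"],
                "needs_owner": True,
            })
            continue
        for name in app_names:
            app = cmdb_apps[name]
            issues.append({
                "host": f.host, "ident": f.ident, "title": f.title,
                "application": app.name, "owner": app.owner,
                "score": SEVERITY[f.severity] * CRITICALITY[app.criticality],
                "needs_owner": False,
            })
    return issues


def prioritize(issues):
    """Order issues for remediation: highest score first, then host and id for a stable order."""
    return sorted(issues, key=lambda i: (-i["score"], i["host"], i["ident"]))


def application_risk(issues):
    """Roll issue scores up per application: the 'risk score automatically adjusted' step."""
    totals = {}
    for i in issues:
        totals[i["application"]] = totals.get(i["application"], 0) + i["score"]
    return totals


if __name__ == "__main__":
    issues = build_issues(FINDINGS)
    for i in prioritize(issues):
        flag = " (no CMDB owner, assign one)" if i["needs_owner"] else ""
        print(f'{i["score"]:3d} {i["host"]:13s} {i["ident"]:14s} -> {i["application"]} / {i["owner"]}{flag}')
    print("Application risk scores:", application_risk(issues))
```

The per-application roll-up is what a dashboard would display to the business owner; the `needs_owner` flag is the item a GRC analyst would route to the CMDB team rather than to IT remediation.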
Perform a Security Assessment for New Applications
Questions the process must answer: What's the business impact? Are controls in place for this application?
Flow:
1. Request for a new application triggers an automated assessment.
2. Business impact determined using CMDB context.
3. Review, approve, and assign IT action (IT, Finance).
4. Continue to monitor for compliance.
Streamline Audits
- Continuous controls monitoring and automated evidence collection for efficiency and scale
- Automated self-service workflow: Policy, Risk, Control, Audit, Test, and Certification
- Real-time dashboards monitoring enterprise compliance and audit activities
Results:
- Time Reduction in Control Certification (Automated Surveys, Reminders, & Monitoring): 66% reduction in quarterly control certification
- Better Visibility and Efficiency (Continuous Monitoring and Event-Based Alerts): 24x7 assurance
- Reduced effort and more transparent policy management (Automated Publishing of Policies Through Service Portal): 110 corporate policies managed
- Cost savings with ServiceNow GRC (Real-time Dashboards, Monitoring, Automated Workflows): $340k saved annually
Top Takeaways
1. Control Your Risk Exposure: continuously monitor to detect control changes in real time, at scale
2. Prioritize Response to Critical Risks: combine single-platform cross-functional visibility with CMDB context
3. Slash GRC Burden: automate processes and consistent workflows across IT and the business