
Demystifying Governance, Risk, and Compliance … • COBIT/ITIL • Policies • Risks ... • ISO 27001, HIPAA, PCI, NIST • Policies ... Perform a Security Assessment for New Applications

Apr 25, 2018

Transcript
Page 1

© 2017 ServiceNow All Rights Reserved

Gen Fields, Senior Solution Consultant, Federal Government, ServiceNow

Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases

Page 2

Agenda

• The Current State of Governance, Risk, and Compliance

• ServiceNow Governance, Risk, and Compliance

• 4 Simple Use Cases
  • Vendor Risk Management
  • Automating Risk Scores based on Critical Vulnerabilities
  • Security Assessments of New Applications
  • Streamlining Audits

Page 3

Speaker Introduction

NAME: Gen Fields

TITLE: Senior Solution Consultant, Federal Government

FUNCTION: Solution analysis and design

COMPANY: ServiceNow

EXPERIENCE: Almost 2 years with ServiceNow, over 8 years in policy and governance, over 20 years in IT

EXPERTISE: ITSM, ITBM, ESM, GRC, PA

CURRENT PROJECTS: Enabling the Australian Defence Posting Process, various Defence and Intelligence projects

Page 4

Your Enterprise is Faced with Increasing Challenges and Demands

• Vendor Risks
• Compliance Guidelines
• New Standards
• Internal Risk Reduction Initiatives
• Changing Regulations
• Cyber Risks

Page 5

Currently, how many legislative, regulatory, and industry compliance frameworks are there worldwide?

Logos are trademarks or registered trademarks of their respective owners and not ServiceNow

Page 6

& growing

Page 7

GRC in the Typical Enterprise is Complex

• SOX: Policies, Risks, Controls, Control Test, Evidence, Certification
• SOX, IIA Standard: Policies, Risks, Controls, Control Test, Evidence, Audits
• COBIT/ITIL: Policies, Risks, Controls, Control Evidence, Monitoring
• FCPA/UK Bribery/Code of Conduct
• Privacy: Policies, Audits, Investigations, Case Management
• ISO 27001, HIPAA, PCI, NIST: Policies, Cyber Risks, Controls, Control Test, Evidence, Monitor

Tools & Capabilities: Email, Spreadsheets, Meetings

IT Security, Legal, Internal Audit, Finance

Integrated Reporting, Workflow Driven Process, Transparency

Page 8

Today's GRC Processes and Tools Can't Keep Up

• Siloed Tools & Organizations
• Reactive Risk Management
• Manual Processes

IT Security, Legal, Internal Audit, Finance

Page 9

How many man hours are spent per year on the manual tasks of GRC?

Page 10

Page 11

Transform Ineffective Processes into a Unified GRC Program

Continuously Monitor: Get actionable information about high-impact or emerging risks from real-time dashboards showing status, updates, and tasks.

Unify and Prioritize: Identify your most critical risks using cross-functional process integration and context from the platform CMDB to assess business impact.

Automate: Automate cross-functional activities with predefined business, risk, and IT owners and systems to streamline evidence data collection and other tasks.

Page 12

ServiceNow Governance, Risk, and Compliance

Policy & Compliance Management, Risk Management, Audit Management, Vendor Risk Management

Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow

Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting

Secure & Compliant, Scalable, Multi-Instance

Page 13

Four Simple Use Cases

Page 14

Transform Vendor Risk Management From…

• Manual and time-consuming processes (Excel, Email, Meetings)
• Siloed processes and organizations (Legal, IT, HR) that lead to missed communications
• No visibility into overall program activities and vendor risk posture

Page 15

… To ServiceNow Vendor Risk Management

Vendor Catalog

Legal, IT, HR → Vendor Portal

Issues and Remediation, Deadlines, Assessments, Contacts, GRC Integration

Page 16

Automate Risk Scores based on Critical Vulnerabilities

IT asks: Who owns the server? What's the business impact? Are the business owners aware?

Vulnerability scan results database: vulnerabilities identified
• CVE-2014-3566 SSL Vulnerability
• QID 70000 NETBIOS Vulnerability

CMDB: Linux Server hosts HR applications

Risk Score automatically adjusted; business has insight into risk exposure

HR / Facilities: issue prioritized
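How the risk-score adjustment on this slide can be computed, as an added example that is not part of the presentation or ServiceNow's product: constructed scan rows for the two findings shown are joined to a constructed CMDB so that business impact and ownership drive the score, and hosts the CMDB cannot place are reported as a data gap rather than scored. Hostnames, owners, severity weights and impact multipliers are all assumptions.

```python
# Added example (not from the presentation or ServiceNow): join scan findings to
# CMDB context so a finding on a server hosting HR applications outranks the same
# finding on a lab box. Hostnames, owners, weights and multipliers are constructed.
from dataclasses import dataclass

SCAN_RESULTS = [  # constructed scan export; the two finding ids appear on the slide
    {"host": "lnx-hr-01", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": "high"},
    {"host": "lnx-hr-01", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": "medium"},
    {"host": "lnx-hr-01", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": "high"},
    {"host": "lab-box-07", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": "high"},
    {"host": "unknown-99", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": "medium"},
]
CMDB = {  # constructed configuration items: owner and business impact per host
    "lnx-hr-01": {"owner": "hr-platform-team", "service": "HR applications", "impact": "high"},
    "lab-box-07": {"owner": "lab-admins", "service": "Test lab", "impact": "low"},
}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}   # assumed scale
IMPACT_MULTIPLIER = {"high": 3, "medium": 2, "low": 1}                 # assumed scale

@dataclass
class RiskUpdate:
    host: str
    owner: str          # who receives the prioritised issue
    service: str        # business context taken from the CMDB
    score: int
    findings: tuple

def dedupe(findings):
    """Drop repeated (host, finding id) rows; rescans often list a finding twice."""
    unique = {(f["host"], f["id"]): f for f in findings}  # dict keeps first-seen order
    return list(unique.values())

def score_assets(scan_results, cmdb):
    """Return (updates sorted highest risk first, hosts with no CMDB record)."""
    by_host = {}
    for f in dedupe(scan_results):
        by_host.setdefault(f["host"], []).append(f)
    updates, unmapped = [], []
    for host, findings in by_host.items():
        ci = cmdb.get(host)
        if ci is None:          # no owner or impact known: a CMDB gap to fix, not a score
            unmapped.append(host)
            continue
        raw = sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)
        score = raw * IMPACT_MULTIPLIER[ci["impact"]]   # business impact scales the score
        updates.append(RiskUpdate(host, ci["owner"], ci["service"], score, tuple(f["id"] for f in findings)))
    updates.sort(key=lambda u: u.score, reverse=True)
    return updates, unmapped
```

The same two findings score 33 on the HR server but 7 on the lab box, which is the prioritisation the slide describes; the unmapped host is the case where the question "who owns the server?" cannot yet be answered.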

Page 17

Perform a Security Assessment for New Applications

IT asks: What's the business impact? Are controls in place for this application?

Finance: request for new application and automated assessment → New Application

CMDB: Business Impact determined

Review, approve, and assign IT action

Continue to monitor for compliance

Page 18

Streamline Audits

• 66% time reduction in control certification (reduction in quarterly control certification) through Automated Surveys, Reminders, & Monitoring
• 24x7 Assurance: Continuous Monitoring and Event-Based Alerts, for better visibility and efficiency
• 110 corporate policies managed through Automated Publishing of Policies Through Service Portal, with reduced effort and more transparent policy mgmt.
• $340k saved annually: cost savings with ServiceNow GRC from Real-time Dashboards, Monitoring, Automated Workflows

• Continuous controls monitoring and automated evidence collection for efficiency and scale
• Automated self-service workflow: Policy, Risk, Control, Audit, Test, and Certification
• Real-time Dashboards: monitoring enterprise compliance and Audit activities

Page 19

Top Takeaways

1. Control Your Risk Exposure: continuously monitor to detect control changes in real time, at scale
2. Prioritize Response to Critical Risks: combine single-platform, cross-functional visibility with CMDB context
3. Slash GRC Burden: automate processes and consistent workflows across IT and the business