Demystifying Governance, Risk, and Compliance
Transcript of Demystifying Governance, Risk, and Compliance
© 2017 ServiceNow All Rights Reserved
Gen Fields, Senior Solution Consultant, Federal Government, ServiceNow
Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases
Agenda
• The Current State of Governance, Risk, and Compliance
• ServiceNow Governance, Risk, and Compliance
• 4 Simple Use Cases
• Vendor Risk Management
• Automating Risk Scores based on critical Vulnerabilities
• Security Assessments of New Applications
• Streamlining Audits
Speaker Introduction
NAME: Gen Fields
TITLE: Senior Solution Consultant, Federal Government
FUNCTION: Solution analysis and design
COMPANY: ServiceNow
EXPERIENCE: Almost 2 years with ServiceNow, over 8 years in policy and governance, over 20 years in IT
EXPERTISE: ITSM, ITBM, ESM, GRC, PA
CURRENT PROJECTS: Enabling the Australian Defence Posting Process, various Defence and Intelligence projects
Your Enterprise is Faced with Increasing Challenges and Demands
Vendor Risks
Compliance Guidelines
New Standards
Internal Risk Reduction Initiatives
Changing Regulations
Cyber Risks
Currently, how many legislative, regulatory, and industry compliance frameworks are there worldwide?
Logos are trademarks or registered trademarks of their respective owners and not ServiceNow
& growing
GRC in the Typical Enterprise is Complex
• SOX • Policies • Risks • Controls • Control Test, Evidence, Certification
• SOX, IIA Standard • Policies • Risks • Controls • Control Test, Evidence • Audits
• COBIT/ITIL • Policies • Risks • Controls • Control Evidence, Monitoring
• FCPA/UK Bribery/Code of Conduct
• Privacy • Policies • Audits • Investigations • Case Management
• ISO 27001, HIPAA, PCI, NIST • Policies • Cyber Risks • Controls • Control Test, Evidence, Monitor
Tools & Capabilities: Email, Spreadsheets, Meetings
IT Security, Legal, Internal Audit, Finance
Integrated Reporting, Workflow Driven Process, Transparency
Today's GRC Processes and Tools Can't Keep Up
Siloed Tools & Organizations
Reactive Risk Management
Manual Processes
IT Security, Legal, Internal Audit, Finance
How many man-hours are spent per year on the manual tasks of GRC?
Transform Ineffective Processes into a Unified GRC Program
Continuously Monitor: Get actionable information about high impact or emerging risks from real-time dashboards showing status, updates, and tasks.
Unify and Prioritize: Identify your most critical risks using cross-functional process integration and context from the platform CMDB to assess business impact.
Automate: Automate cross-functional activities with predefined business, risk, IT owners and systems to streamline evidence data collection and other tasks.
ServiceNow Governance, Risk, and Compliance
Policy & Compliance Management Risk Management Audit Management Vendor Risk Management
Single Database
Contextual Collaboration
Service Catalog
Service Portal
Subscription & Notification
Knowledge Base
Orchestration
Developer Tools
Reports & Dashboards
Workflow
Intelligent Automation Engine
Predictive Modeling
Anomaly Detection
Peer Benchmarks
Performance Forecasting
Secure & Compliant, Scalable, Multi-Instance
Four Simple Use Cases
Transform Vendor Risk Management From…
Manual and time-consuming processes (Excel, Email, Meetings)
Siloed processes and organizations that lead to missed communications
Legal
IT
HR
No visibility into overall program activities and vendor risk posture
… To ServiceNow Vendor Risk Management
Vendor Catalog
Legal
IT
HR
Vendor Portal
Issues and Remediation
Deadlines
Assessments
Contacts
GRC Integration
Automate Risk Scores based on Critical Vulnerabilities
Vulnerability scan results database: vulnerabilities identified
CVE-2014-3566 SSL Vulnerability
QID 70000 NETBIOS Vulnerability
CMDB: Linux Server hosts HR applications
IT: Who owns the server? What's the business impact? Are the business owners aware?
Risk Score automatically adjusted
HR / Facilities: Issue prioritized
Business has insight into risk exposure
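The flow on this slide, worked through as an added illustration that is not from the deck or from ServiceNow's product: constructed scan findings (using the two identifiers shown on the slide) are joined to a constructed CMDB, the risk score is derived from the highest finding severity times business criticality (an assumed rule, not ServiceNow's), and a host with no CMDB record is flagged for reconciliation instead of being scored.

```python
# Constructed sample data for the vulnerability -> CMDB -> risk score flow.
# Severity and criticality scales and the scoring rule are assumptions for this
# illustration, not ServiceNow fields or its scoring logic.
SCAN_RESULTS = [  # constructed scan findings; identifiers are the ones on the slide
    {"host": "lnx-hr-01", "id": "CVE-2014-3566", "title": "SSL Vulnerability", "severity": 4},
    {"host": "lnx-hr-01", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": 3},
    {"host": "lnx-dev-07", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": 3},
    {"host": "unknown-99", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": 3},
]
CMDB = {  # constructed CMDB: configuration item -> owner, hosted apps, criticality 1..5
    "lnx-hr-01": {"owner": "hr-apps-team", "apps": ["HR Payroll"], "criticality": 5},
    "lnx-dev-07": {"owner": "dev-sandbox", "apps": ["Dev Sandbox"], "criticality": 1},
}


def adjust_risk_scores(findings, cmdb):
    """Join scan findings to CMDB context and compute a risk score per host.

    Assumed rule: score = highest finding severity * business criticality of the CI.
    A host missing from the CMDB gets score None: owner and impact are unknown, so it
    is flagged for CMDB reconciliation rather than silently scored low."""
    by_host = {}
    for f in findings:
        rec = by_host.setdefault(f["host"], {"findings": [], "max_severity": 0})
        rec["findings"].append(f["id"])
        rec["max_severity"] = max(rec["max_severity"], f["severity"])
    for host, rec in by_host.items():
        ci = cmdb.get(host)
        if ci is None:
            rec.update(score=None, owner=None, apps=[], note="CI not in CMDB; reconcile before scoring")
        else:
            rec.update(score=rec["max_severity"] * ci["criticality"], owner=ci["owner"], apps=ci["apps"])
    return by_host


def prioritized_issues(scores):
    """Hosts in response order: highest score first, unscored (unknown CI) hosts last."""
    return sorted(scores, key=lambda h: (scores[h]["score"] is None, -(scores[h]["score"] or 0)))


def owners_to_notify(scores, threshold):
    """Owners whose CIs score at or above threshold (the 'are the business owners aware?' step)."""
    return sorted({r["owner"] for r in scores.values() if r["score"] is not None and r["score"] >= threshold})


if __name__ == "__main__":
    scores = adjust_risk_scores(SCAN_RESULTS, CMDB)
    for host in prioritized_issues(scores):
        r = scores[host]
        print(f"{host}: score={r['score']} owner={r['owner']} apps={r['apps']} findings={r['findings']}")
    print("notify:", owners_to_notify(scores, threshold=10))
```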
Perform a Security Assessment for New Applications
Finance: Request for new application and automated assessment
New Application
CMDB: Business Impact determined
IT: What's the business impact? Are controls in place for this application?
Review, approve, and assign IT action
Continue to monitor for compliance
Streamline Audits
66%: Time Reduction in Control Certification (reduction in quarterly control certification) through Automated Surveys, Reminders, & Monitoring
24x7 Assurance: Continuous Monitoring and Event-Based Alerts for Better Visibility and Efficiency
110: Corporate policies managed, with Automated Publishing of Policies Through Service Portal for reduced effort and more transparent policy mgmt.
$340k: Saved annually, cost savings with ServiceNow GRC through Real-time Dashboards, Monitoring, Automated Workflows
• Continuous controls monitoring and automated evidence collection for efficiency and scale
• Automated self service workflow - Policy, Risk, Control, Audit, Test, and Certification
• Real-time Dashboards – monitoring enterprise compliance and Audit activities
Top Takeaways
1. Control Your Risk Exposure: Continuously monitor to detect control changes in real-time, at scale
2. Prioritize Response to Critical Risks: Combine single platform cross-functional visibility with CMDB context
3. Slash GRC Burden: Automate processes and consistent workflows across IT and the business