Anu Bulusu
With organizations across various industries having to cough up massive fines for non-compliance, some are left to wonder whether the current approaches for achieving compliance simply don’t work.
Organizations are looking for a robust program that will enable them to manage compliance with regulations and internal policies, improve information security practices and streamline audits and remediation activities.
As regulations continue to mount, there is a constant barrage of new guidelines to adhere to, and new initiatives being pushed forth in order to mitigate risk. Needless to say, risk and compliance groups are finding it daunting to keep up. There is also the challenge of growing cyber security threats, further compounding the problem with compliance.
While there are a plethora of problems organizations face with current processes and tools, we will highlight 3 core challenges that we’ve witnessed across multiple industries and organizations:
Challenge 1
Many companies treat each regulation or framework as an independent set of controls, which leads to:
- Multiple Audits
- Redundant tests
- Repetitive evidence gathering
The solution
A centralized repository with a list of controls that map to all regulatory, compliance and operational requirements. This allows for “test once, comply many".
Challenge 2
Manually collecting compliance evidence, through manual assessments, walkthroughs or capturing screenshots. Relying heavily on the tribal knowledge present within the information security team takes a lot of time, and is mostly managed through spreadsheets or email.
This leads to version control issues and several times evidence cannot be repurposed for other audits, or even reproduced.
The solution
Risk-based, workflow driven control testing, with automated evidence collection wherever possible. INRY clients have leveraged ServiceNow for multiple formats of evidence collection, including basic and advanced indicators pulling data from the CMDB, Attestations and Assessments, and data certification techniques.
Challenge 3
Tracking audit observations and remediation activities to closure and managing risk exceptions.
The Solution
- Logging audit observations
- Generating tasks for remediation
- Workflow driven remediation management
ServiceNow Audit Management for GRC challenges:
The ServiceNow® GRC Audit Management application provides a centralized process for internal audit teams to automate the complete audit life cycle. Project driven audits allow auditors to quickly scope engagements, conduct fieldwork, collect control evidence, and track audit observations.
INRY clients have leveraged ServiceNow Audit Management to log observations and track remediation activities using control tasks. A lot of remediation activities are actually carried out by the Service Management teams, and if they're using ServiceNow ITSM, then it gives them a central location for all tasks, embedding controls into the Service Management processes.
- Service Management and Risk Management share common automated processes and workflow engine
- Assign and track work associated with evidence and remediation tasks
- Design, track, and report on audit activities
- Single System of Record enables integrated checks and balances to ensure controls, service objectives, and operational integrity are achieved.
- Many ServiceNow applications in the ITSM, ITOM, and ITBM already have elements of managing risk.