to continue reading.
Click here to Download the PDF or continue reading below.
Use Case 2: IT Risk Management
ServiceNow’s Risk Management application has evolved significantly over prior versions. It assists in the continuous monitoring of risks that can negatively impact business operations; and it provides structured workflows for the management of risk assessments, risk indicators, and risk issues.
ServiceNow’s Risk Management application provides ways to organize categories of risks to normalize risk scores across the organization, consistently assess risks using a best practice workflow, and reports on financial and statistical impacts of risk to the organization.
There are two built in risk scoring methods, qualitative (Impact / Likelihood) or quantitative: Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO) and Annualized Loss Expectancy (ALE). Depending on the maturity of your current risk management practices and the availability of metrics and data, you can choose either method for scoring.
Use Case 3: Audit Management
ServiceNow GRC application can be used by internal audit teams to document and track phases of the audit cycle; audit planning, audit risk assessment, audit project management, time management, issue tracking, audit work paper management, audit evidence management, and reporting.
Like Compliance Management, Audit Management also provides a centralized repository and process for Internal Audit teams to automate the complete audit life cycle. You can maintain all test templates and test plans in a single repository, connect your audit tasks to controls within the application and configure indicators to collect audit evidence. Issues can be automatically created from indicator results. Observations and deficiencies can be set up as tasks, assigned to people or groups, and tracked via workflows, SLAs, alerts and notifications.
An audit workbench provides a timeline view of all audit engagements from which you can select an audit engagement to view details or create a new engagement. Project driven audits allow auditors to quickly scope engagements, develop audit plans, conduct fieldwork, collect control evidence, and track audit observations. The My Audit Approvals feature enables supervisors to view audit documents awaiting approvals.
The application provides an executive view into audit results, engagement breakdowns by task, and allows areas of concern to be identified quickly. If you’ve previously spent hours building reports for management and leadership or been a leader frustrated by lack of granularity in your reports, you will appreciate the reporting and dashboard capabilities this tool provides.
Use Case 4: Vendor Risk Management
If you need to perform periodic security assessments for third parties that have access to your applications and data, you’re probably aware of how time consuming and challenging the process can be. For most organizations, the vendor relationship office sends out the assessments as Excel based questionnaires and requests evidence, example SSAE 16 or SOC reports.
Usually, there are multiple iterations of the process before the assessment is completed and a report generated. If you are dealing with multiple regulations (ISO 27002, NIST, HIPAA, PCI-DSS, GLBA etc.), you may be customizing your security assessment by vendor, which can be frustrating and error-prone.
ServiceNow GRC can also be used for management, measurement, and reporting against vendor and third party related risk. Leveraging the Vendor and GRC applications, a Vendor Risk Assessment process can be configured using assessments and workflows. The responses to the assessments can be validated and scored.
Dashboards and reports can be leveraged for both transactional reports (ex. number of assessments by status, region, etc.) or analytics based reports (ex. which areas are most vulnerable, vendors with high to low compliance metrics etc.). Integrhythm has developed a robust Vendor Security Assessment application which works with the GRC application to automate assessments and reporting.
Use Case 5: Business Continuity Planning and Disaster Recovery
This use case is often the most overlooked for GRC. ServiceNow can automate most aspects of ongoing Business Continuity Planning & Disaster Recovery (BCP /DR), because it is a natural extension of both Service Management and Governance, Risk, and Compliance.
ServiceNow’s Business Service Maps can generate relationships between business services and the Configuration Items that make up those services. CMDB enables rapid identification of upstream and downstream impacts as infrastructure changes occur. Adding in ServiceNow Discovery enables real-time updates to DR planning and documentation. Workflows for planning, review, and testing activities helps organizations reduce cost and save time. Notifications enable organizations to remind service and application owners to update business continuity plans.
Using ServiceNow Knowledge Base and automated testing capabilities, organizations can minimize impact and prevent serious disruptions to their business. Since ServiceNow is a cloud based application, it is not impacted by your downtimes. Greater visibility into all aspects of BCP/DR allows for faster and more effective responses.
One of the most tedious aspects of BCP/DR is ensuring the plans exist for all high-risk applications, and monitoring periodic updates of the plans. This requires tracking, following up with application owners (IT and business), seeking approvals, and uploading documentation to a secure site. A significant portion of this effort can be automated by workflows, SLAs, alerts, and notifications.
While your organization may not require all five use cases currently, it is always good practice to evaluate which other pain points in the organization can be alleviated using tools you either already own, or are in the process of purchasing.
If you have any questions; are looking for more INRY insights related to ServiceNow GRC; or would like more information about INRY’s implementation approach for ServiceNow GRC, please contact us at info@inry.com.