
Lisa Latour
Administrator

We are very pleased to announce the Istanbul market release of Governance, Risk and Compliance (GRC). GRC is designed to enable customers to extend their investment in Service Management to automate cross-functional processes across business, IT, security, risk, audit and compliance silos, and to embed risk and compliance controls in those activities.

The Business & IT Challenge

Governance, Risk and Compliance (GRC) is an ongoing concern for many organizations. Enterprises must constantly keep up with changes in the global regulatory environment and industry standards. As an organization adopts new business models, establishes new partner relationships, and deploys new technologies, it must also be able to quickly assess the impact of these developments on its existing compliance obligations and risk posture. For critical processes, it must be able to monitor for and detect failing controls, and to update the controls, the related risk assessment, and the audit protocols once that assessment is done.

Enterprises operating in increasingly fluid environments require GRC solutions that deliver the following capabilities:

  1. Share risk information and facilitate decision-making across the relevant stakeholders.
  2. Accelerate business impact analysis and scope the exposure by showing the dependencies and relationships across assets, processes, security, and compliance controls.
  3. Enable fine-grained analysis of the likelihood and financial impact of potential control failures.
  4. Identify failing controls in between assessments.

The ability to compress the time to monitor, detect, and assess changes to the risk and compliance posture is only one side of the equation. Once a decision is made, the enterprise must also be able to orchestrate the appropriate remediation and risk treatment actions across business and IT processes.

The ServiceNow Solution

ServiceNow ® Governance, Risk and Compliance (GRC) is designed to enable organizations to extend their investment in Service Management best practices and technology into GRC programs by embedding compliance and risk controls into their business and IT processes. GRC runs on the Service Management platform. It takes advantage of the CMDB to provide business context for controls, expose risk dependencies, and accelerate business impact analysis. Service Management offers organizations a single system of record, collaboration and process design, workflow automation, and a platform for custom application development. GRC uses these capabilities to facilitate information sharing and decision making across GRC, security, and business stakeholders, and to automate remediation and risk treatment activities.

What's New in GRC?

The Istanbul version of GRC offers the following new features, which advance customers' ability to enable continuous monitoring, model GRC dependencies across business assets (profiles), and realize process efficiencies during assessments.

Performance Analytics Integration

Customers have always taken advantage of the Service Management platform to minimize the integration risk and cost of automating control assessments and evidence collection for IT controls from applications such as vulnerability management, incident management, change management, asset management, cloud management, and so on. As the Service Management portfolio expanded into Business and IT Operations Management, GRC also enabled customers to collect Performance Analytics (PA) KPIs on a periodic basis to support scheduled assessments.

Periodic and siloed risk assessments cannot identify critical changes in the risk posture between assessments, nor provide an integrated view of them, and the result can be a material event (data breach, IP theft). In Istanbul, GRC delivers out-of-the-box integration with PA. Customers can assign PA indicators and thresholds to detect changes and monitor the risk posture continuously. The Service Management platform allows customers to select from a list of automated indicators and define thresholds, such as the number of open critical vulnerabilities.
(Figure 1: Performance-Analytics-Istanbul-Servicenow.png)

They can drill down on a specific indicator, for example the average age of high-priority vulnerabilities, to identify failing controls across business services.
(Figure 2: ServiceNow-GRC-Istanbul-2.png)

Since PA indicators are already used to monitor the performance of critical applications and processes, customers who use PA for continuous risk monitoring improve their ability to detect failing critical controls in between assessments.
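As an added illustration of what an indicator-plus-threshold check computes, the JavaScript below evaluates the two indicators mentioned above, the count of open critical vulnerabilities and the average age of high-priority vulnerabilities, per business service, and reports which services breach their thresholds. This is example code written for this article, not ServiceNow Performance Analytics or GRC code; the record fields, service names, thresholds and vulnerability records are all constructed assumptions.

```javascript
// Added example (not ServiceNow code): a threshold-based "failing control" check
// over two indicators, computed per business service from constructed records.
// Field names, threshold values and the sample data are assumptions for illustration.

// Constructed sample data: one record per open vulnerable item.
const SAMPLE_VULNERABLE_ITEMS = [
  { id: "VIT0001", businessService: "Payments",  severity: "critical", opened: "2017-01-02" },
  { id: "VIT0002", businessService: "Payments",  severity: "critical", opened: "2017-01-10" },
  { id: "VIT0003", businessService: "Payments",  severity: "high",     opened: "2016-12-01" },
  { id: "VIT0004", businessService: "HR Portal", severity: "high",     opened: "2017-01-20" },
  { id: "VIT0005", businessService: "HR Portal", severity: "low",      opened: "2016-06-01" },
  { id: "VIT0006", businessService: "Intranet",  severity: "critical", opened: "2017-01-25" },
];

// Assumed thresholds: an indicator above its threshold marks the control as failing.
const INDICATOR_THRESHOLDS = {
  criticalOpenCount: 1,        // more than one open critical vulnerability fails
  highPriorityAvgAgeDays: 30,  // average age of high/critical items above 30 days fails
};

// Whole days between an ISO date (YYYY-MM-DD) and the evaluation instant.
function ageInDays(openedIso, asOf) {
  const msPerDay = 24 * 60 * 60 * 1000;
  return Math.floor((asOf - new Date(openedIso + "T00:00:00Z")) / msPerDay);
}

// Compute both indicators for every business service present in the records.
function computeIndicators(items, asOf) {
  const byService = new Map();
  for (const item of items) {
    if (!byService.has(item.businessService)) {
      byService.set(item.businessService, { criticalOpenCount: 0, highAges: [] });
    }
    const acc = byService.get(item.businessService);
    if (item.severity === "critical") acc.criticalOpenCount += 1;
    // "High priority" here means critical or high severity (an assumption).
    if (item.severity === "critical" || item.severity === "high") {
      acc.highAges.push(ageInDays(item.opened, asOf));
    }
  }
  const result = {};
  for (const [service, acc] of byService) {
    const avg = acc.highAges.length
      ? acc.highAges.reduce((a, b) => a + b, 0) / acc.highAges.length
      : 0;
    result[service] = {
      criticalOpenCount: acc.criticalOpenCount,
      highPriorityAvgAgeDays: Math.round(avg),
    };
  }
  return result;
}

// Return the services whose indicators breach a threshold, with the breaching indicator names.
function failingControls(indicatorsByService, thresholds) {
  const failing = {};
  for (const [service, ind] of Object.entries(indicatorsByService)) {
    const breached = Object.keys(thresholds).filter((name) => ind[name] > thresholds[name]);
    if (breached.length) failing[service] = breached;
  }
  return failing;
}

// Evaluate as of a fixed date so the result is reproducible.
const AS_OF = new Date("2017-02-01T00:00:00Z");
const indicators = computeIndicators(SAMPLE_VULNERABLE_ITEMS, AS_OF);
console.log(indicators);
console.log(failingControls(indicators, INDICATOR_THRESHOLDS));
```

With the constructed data only "Payments" fails, on both indicators: two open critical items and an average high-priority age of 38 days. Running this on a schedule and raising an issue when the failing set changes is the essence of continuous monitoring between assessments; a real deployment would pull the records from the vulnerability management tables rather than from an inline array.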

GRC Workbench and Dependencies Modeling

Risk, compliance and security professionals struggle to plan for and build defensible remediation and response decisions because they are unable:

  1. to understand dependencies across compliance, risk, security and operational requirements;
  2. to view potential failures/threats in the context of historical trends; and
  3. to model future scenarios using multiple risk models.

GRC Workbench offers the compliance, risk management, and audit functions a role-based dashboard that summarizes the status updates, priorities, and tasks associated with their various GRC engagements.
(Figure 3: ServiceNow-GRC-Istanbul-3.png)

The dependencies modeling feature uses the CMDB, together with control and policy statement information, to show the upstream and downstream relationships across entities. GRC functions use this information to assess risk and compliance dependencies during business impact analysis and to plan the scope of a control.
(Figure 4: ServiceNow-GRC-Istanbul-4.png)

GRC Attestation Designer

A single control statement typically maps to multiple entities or profiles, and compliance and risk policy statements are prescriptive about what is required to demonstrate compliance or to measure risk. Customers who rely on a single attestation template to test a control that maps to multiple assets and business services spend significant time and resources manually reconciling the evidence data against the control tests. This approach is error-prone and expensive.

GRC Attestation Designer enables the customer to create and execute tests and attestations that are specific to a policy statement. This eliminates errors during evidence collection and removes the need to manually reconcile test results and metrics for controls that map to multiple risk and compliance policy statements.
(Figure 5: ServiceNow-GRC-Istanbul-5.png)

Key Business Benefits

ServiceNow GRC takes advantage of the Service Management platform to deliver the following benefits, which are not readily available in stand-alone GRC applications:

  • Deliver a single system of record for security, compliance, and business and IT operations data.
  • Automate and align policies and controls; enforce and orchestrate cross-functional alignment of controls and processes across IT operations, business operations, compliance, security, risk, and audit.
  • Harness service performance data and the CMDB to deliver timely risk assessments and enable continuous monitoring and detection of changes to the compliance and risk posture.
  • Use CMDB data to deliver fine-grained visibility into the business scope, likelihood, and financial impact of changes to the risk and compliance posture, and to prioritize risk mitigation.
  • Eliminate integration costs and risks associated with stand-alone GRC systems.
  • Harness orchestration, workflow automation, and Security Operations to accelerate risk reduction and risk mitigation across functional teams.
  • Eliminate redundancies and errors; provide assurances by using a common controls framework for both audit and compliance.
  • Optimize resources and productivity in compliance and audit by utilizing risk data to determine security, risk, compliance and audit priorities.