teresalaw
ServiceNow Employee


 

The Washington D.C. platform release is here, and with it come some important new enhancements for the ESG product and the GRC product portfolio: Integrated Risk Management, Business Continuity Management, Third-party Risk Management, and Privacy Management products. You can see it all in action in the What’s New webinars with live demos on Live on ServiceNow.

 

Integrated Risk Management

 

Manage documents on records with OneDrive. Managing documents that are attached to policies, controls, evidence requests, issues, remediation tasks, indicator tasks, control tests, engagements, and audit tasks is necessary to prove you are adhering to policies and following the appropriate processes and procedures, but it is a manual challenge: a task that involves downloading and/or updating attachments to the above records offline. This lack of a collaborative environment can result in errors and omissions as files and comments are manually merged. Unfortunately, these errors generally come to light during an audit and result in, best case, time-consuming processes to track down information and, worst case, an audit finding.

 

ServiceNow reduced this friction by introducing the ability to edit, update, and maintain versions using OneDrive integration. SharePoint integration is also available for collaborating, and Google Drive for redlining documents. The ability to share and collaborate on documents improves the timeliness and accuracy of information within the documents, ultimately improving the speed and completeness of audit engagements, helping mitigate reputational risk due to policy violations and audit findings, and possibly even reducing the risk of a breach.

 


 

A feedback and review process for the second line. With more sophisticated attacks and evolving regulations, it’s more important than ever to quickly identify potential risks or compliance violations. A flexible, frontline user-friendly process that allows the second line risk and compliance teams to capture findings (that is, to challenge control owners or users) ensures that activities that could negatively impact the business are addressed as soon as possible to maintain a strong risk and compliance posture.

 

Previously, risk and compliance teams had to wait until records were in a specific state to request more information regarding evidence or to clarify what had been reported. The Review and Feedback capability contains the workflow to raise a challenge across any workflow at any state and have the frontline control owner or user respond. You can think of this as a mini-audit, without the control testing workflow, or assurance by the second line. With the increased flexibility and streamlined risk and compliance processes, the second line user experience is enhanced and oversight is improved to identify potential risks or compliance violations more quickly, while the frontline user experience is maintained at a high level.

 


 

The Continuous Authorization and Monitoring application is designed to automate the NIST RMF process for authorizing systems in the U.S. Federal government and other high maturity frameworks. The Washington release continues to add automation with the ability to auto create requirements on controls that have been defined at the control objective. Hybrid controls have been implemented, and for NIST 800-53A, test templates with Examine, Interview, and Test steps have been added. Auto creation of test plans and control tests for engagements is now available, in addition to enhancements to support Assessment Objectives while performing control tests.

 

Continuous Monitoring for CIS 8 and CSA CCM controls. Hybrid environments are common, so you need help mitigating cyber risk and protecting data regardless of where it resides. To help improve cyber and cloud security, we’ve added support for CIS 8 and CSA CCM controls. We now support authority document and citations for CIS 8, 171 CIS 8 control objectives, authority document and citations for CSA CCM 4.0, 197 CSA CCM 4.0 control objectives, and 67 automated indicator templates to monitor CIS v8.0 controls. These indicator templates are also mapped to the related CIS 8 common controls from CSA CCM 4.0, NIST 800-53 Rev5, NIST CSF v1.1, ISO 27001/2, PCI DSS 4.0, etc.

  • Other enhancements include:
    • Multi-level approvals based on dynamic conditions for policies.
    • Indicator enhancements: sampling, performance improvements, and reminders for tasks.
    • For Compliance Case Management, export case or request records to PDF and automate identification of relevant controls, policies, and regulations determined by the compliance case type and affected entities.
    • For Regulatory Change Management we’ve added manual alert creation and an automation/rule engine for auto assigning the alerts.
    • Ability to have senior management reporting in Word to show the risk profile and actions, in addition to enjoying enhancements to the metrics application and the RCSA user experience.

 

Business Continuity Management:

 

Empower Business Continuity Management with Operational Resilience Management. Operational Resilience Management is now a key component of the Business Continuity Management product in addition to being available as part of an IRM license. By uniting these interdependent offerings, the BCM solution becomes more powerful in driving resilience and reduced risk across the enterprise. With the ability to track service dependencies and metrics, you can now monitor the service's resiliency, while additional features enable you to test and demonstrate how adverse scenarios may impact those business services or specific assets themselves.

These enhancements enable you to analyze the importance and impact tolerance of these business services and provide insights on preparing self-attestation reports for regulatory compliance purposes. Greater automation capabilities were added between the CMDB and BIAs (Business Impact Analysis) allowing for changes in CMDB records to be automatically emailed, and a UI action was added to pull these changes directly into BIAs, plans and exercises so that business continuity activity and resources remain consistent with organizational change. Improvements to the first line experience further empower employees to contribute to overall business resiliency without creating an additional burden on employees.

 


 

Third-party Risk Management:

The Third-party Risk Management application continues to receive updates with rule-based automation for scoped due diligence assessments and the ability to prepopulate assessment questionnaires to improve your efficiency. ServiceNow was also just named a Leader in The Forrester Wave™: Third-Party Risk Management Platforms, Q1 2024. Read the blog post where we talk about this recognition.   

 

Privacy Management:

A new Privacy Case Management workflow helps ensure the timely detection of privacy violations and swift triage of cases. Any breaches can be assessed and handled promptly while regulatory notifications are managed efficiently. And we’re excited to announce a new integration available in the ServiceNow Store, Privacy Case Management Integration with RadarFirst, to automate privacy incident risk assessments and get clear, actionable notification obligations in seconds. Also, Privacy Managers can now export case or request records to PDF for better sharing of information.

 


 

 

ESG Management:

  • Disclosure reporting governance has been added to streamline the review, approval, governance, and tracking process including metrics data collection and integration of ESGM with O365 disclosures for cloud and local support.
  • Sustainable IT v2.0 has many enhancements, including a new map view with filters and drill-down capabilities. Access to the Sustainable IT dashboard is now available from the IT Asset Executive dashboard for better visibility across IT.
  • ESGM has been integrated with IRM Advanced Risk Assessments to digitize the complete risk management lifecycle and embed the risk assessment process in the ESG workspace.

Please reach out to your sales representative with any questions.

Additional resources:
