CCM Use Cases

Go to solution
Shabbir
Kilo Explorer

‎02-04-2020 04:31 AM

Hello Everyone, I am looking for top 10 use cases for continuous controls monitoring (CCM) using SNOW GRC both IT and Non IT

0 Helpfuls
  • 1,711 Views
1 ACCEPTED SOLUTION

Go to solution
Notorious BFG
ServiceNow Employee
ServiceNow Employee

‎02-10-2020 09:32 AM

Hi Shabbir,

So just so we're on the same page, if you're talking about the CCM plugin, that is a specific method of creating an automated relationship between ServiceNow's GRC applications (specifically controls) and the Security Operations applications (specifically Vulnerability Response and it's corresponding integrations to Vulnerability scanning tools such as Qualys).  

When you install the CCM plugin and configure it properly to your scanning appliance of choice, you can select common configuration tests that can provide insight into the status of various IT controls.  Common configuration tests include testing password age, complexity, etc; firewall configurations; disposition of various user accounts and so on.  These specific tests are done via the scanning appliance (Qualys for example) and then reported back to the ServiceNow GRC application.  The other thing that's kinda neat about the CCM plugin in this context is that it also creates and monitors all of the entities related to these tests.

Now, CCM isn't the only way that the GRC plugin can do continuous monitoring - when Policy and Compliance or Risk is installed, any control can be set up to do automated continuous monitoring through the use of something called GRC Indicators.  When a policy or risk control is instantiated against a specific entity in your organization, an indicator can be created that can, on any schedule you deem appropriate, be executed either manually (as assigned testing task) or automatically (via query or script) to test the status of said control.

As I mentioned, this can be done for any control regardless of whether it is IT or non IT focused. 

Use cases include but are not limited to:

  • checking to ensure users adhere to specific processes (e.g. Do all expense reports have receipts attached?, Do all standard change requests have risk assessments?),
  • assigning a user to do a site visit to ensure that they are properly signed in upon arrival as a guest (or a secret shopper to visit retail store location to ensure they are greeted when entering and asked if they require assistance),
  • checking the average in service time of a specific class of asset (e.g. parts that must be regularly serviced or replaced as part of airplane engine maintenance for safety)
  • examining the disposition and allocations of various software licenses as reported via the asset tables

...and more...

Depending on the level of data access and integration to other systems, these indicators can be automated but even in situations where the instance is not able to "see" into other systems directly, users can be assigned these tasks at regular intervals (daily, weekly, monthly, quarterly, etc) and report back into the GRC application the outcomes, which will then update the status of a given control.  

Hopefully that helps!

Best,

Ben

View solution in original post

2 REPLIES 2

Go to solution
Phil Swann
Tera Guru
Tera Guru

‎02-09-2020 01:00 PM

Most obvious ones are for any IT related controls, you can hook into ITSM:

- Incident: Number of P1 incidents unassigned 

- Incident: Fixed with workaround, no problem ticket

- Change: RFCs without backout plan, etc

- etc

 

for other areas, you can tap into SecOps:

- Vulnerable Items

 

HR & Finance, Project & PPM

You can even check against the CMDB , check Service Catalog, etc etc 

There is no limit 🙂 

 

but really this is going to be driven from your control and risk libraries, what regulations are you most concerned with? 

Go to solution
Notorious BFG
ServiceNow Employee
ServiceNow Employee

‎02-10-2020 09:32 AM

Hi Shabbir,

So just so we're on the same page, if you're talking about the CCM plugin, that is a specific method of creating an automated relationship between ServiceNow's GRC applications (specifically controls) and the Security Operations applications (specifically Vulnerability Response and it's corresponding integrations to Vulnerability scanning tools such as Qualys).  

When you install the CCM plugin and configure it properly to your scanning appliance of choice, you can select common configuration tests that can provide insight into the status of various IT controls.  Common configuration tests include testing password age, complexity, etc; firewall configurations; disposition of various user accounts and so on.  These specific tests are done via the scanning appliance (Qualys for example) and then reported back to the ServiceNow GRC application.  The other thing that's kinda neat about the CCM plugin in this context is that it also creates and monitors all of the entities related to these tests.

Now, CCM isn't the only way that the GRC plugin can do continuous monitoring - when Policy and Compliance or Risk is installed, any control can be set up to do automated continuous monitoring through the use of something called GRC Indicators.  When a policy or risk control is instantiated against a specific entity in your organization, an indicator can be created that can, on any schedule you deem appropriate, be executed either manually (as assigned testing task) or automatically (via query or script) to test the status of said control.

As I mentioned, this can be done for any control regardless of whether it is IT or non IT focused. 

Use cases include but are not limited to:

  • checking to ensure users adhere to specific processes (e.g. Do all expense reports have receipts attached?, Do all standard change requests have risk assessments?),
  • assigning a user to do a site visit to ensure that they are properly signed in upon arrival as a guest (or a secret shopper to visit retail store location to ensure they are greeted when entering and asked if they require assistance),
  • checking the average in service time of a specific class of asset (e.g. parts that must be regularly serviced or replaced as part of airplane engine maintenance for safety)
  • examining the disposition and allocations of various software licenses as reported via the asset tables

...and more...

Depending on the level of data access and integration to other systems, these indicators can be automated but even in situations where the instance is not able to "see" into other systems directly, users can be assigned these tasks at regular intervals (daily, weekly, monthly, quarterly, etc) and report back into the GRC application the outcomes, which will then update the status of a given control.  

Hopefully that helps!

Best,

Ben