GRC Fundamentals - K19 Pre-Con May 5 & 6 - Jan Spurlin

Welcome everyone.  I will be your instructor for Pre-Conference training on GRC Fundamentals. I will be using this channel to post any information that you need to  have here.

In most of the classes I teach I compile a Tips and Tricks document that I send out after class.  I have a Post Class Tips & Tricks document for GRC Fundamentals.  I will be posting it in this channel near the end of class on Day 2.  So, be sure and check back and download that document.

Cheers and welcome to two great days of training!

This is a comment against a post.

Post your enhancement ideas/requests here.  Click on the comment button.  Click the Helpful option at the bottom of an idea if you agree with it.

Provide the following info:

• Enhancement Idea
• Explain how it will provide benefit to customers
• Your name and email (we may need to ask for details)
• Indicate if you are a customer, partner or prospect

Enhancement Idea # 1

Hello, 

I am currently the Enterprise Service Management (ESM) Architect for Alcon. 

Information Detail:

I would like to know more about the integration of the data within the GRC solution and how that interacts with thinks like ITSM/APM - Application Portfolio Management and Portfolio Management. 

 Is there any current data models or taxonomies that we can see associated with this question?

This will be helpful when implementing more than on solution set from ServiceNow at the same time. 

Lee Alvarez - lee.alvarez@alcon.com

We are a customer that has just implemented ITSM and are currently in the process of starting projects for the following:

• ITBM
• GRC
• HR

 Regards, 

Lee Alvarez

Hi, I'm Jon Arnold from Finastra

I am the primary ServiceNow Administrator/developer and concerned Helicopter Parent for all things ServiceNow at my organization, with oversight for the entire platform.

We are strongly considering adopting the GRC module so I am getting "up to speed" on it - which is a bit of an odd fit as I typically approach this topic with: "Oh its fine, don't worry about it"

We are  so busy with parallel ServiceNow initiatives at my organization, every day is an adventure 😉

Hi Team!

Torbjörn Skantz from Sofigate Sweden, I have been working with the ServiceNow platform since 2010.

Regarding GRC, is there a graphical view of the GRC data model showing objects and their relationships?

Hello GRC classmates:

I'm Jim Lamadrid and I work as the Information System Risk Program Manager for Intermountain Healthcare located in Salt Lake City, UT.  We recently purchased and implemented the SN GRC module with CareWorks Tech.  I have basic knowledge of the GRC module and am excited to take a deep dive into the capabilities and functionality of the GRC module to enhance our overall Risk Management program.

Hello Everyone,

I'm John Parkes and work with Jim at Intermountain Healthcare however, i work on the policies and compliance portion of the GRC module. I've got a little more experience than Jim on ServiceNow as i've worked in several companies/project that have used it. I've moved around in several jobs including working with Microsoft and Dell at different times.

I'm Tami Gieder and work with Alcon (a medical device company). I am the Service Delivery Manager, Control Framework & Risk and am responsible for controls & assessment, risk, third party assessment & risk management, and audit governance. I have a little experience with Risk in the GRC app and have seen demos for other areas. We are starting the implementation of GRC in the next few weeks. 

Hi I am Kula

Planning to go down the GRC journey. Hope this will give me some insights.

Rgds

Kula

Hey John and anyone else from the Healthcare space, Let's connect on a break. Love to make a connect. 

Geoffrey from BSW Health

I am Nate, I am an IS Security Specialist on the Security Assurance Team with Baylor Scott & White Health. I am familiar with GRC Capabilities within RSA Archer eGRC, however, new to the GRC module in Service Now. I'm particularly interested in exploring the ServiceNow capabilities in building Surveys or Attestations. 

Here is the documentation to what Jan was referring to as far as the dynamic display of relationships.
https://docs.servicenow.com/bundle/madrid-platform-administration/page/administer/table-administrati...

Where can the downloads on page 40 of the workbook be found? 

If you search for knowledge in the Filter Navigator (Search box on the left hand side) and then choose Knowledge under the Self-Service section. Then on the new page that loads click on the Governance, Risk, and Compliance box. There should be 3 articles in there, you will have to click into each one and download the ZIP file for each.

Got it! Thanks

Definitely! Jim and I are on the front row right in front of Jan.

Has anyone here implemented GRC enterprise-wide (i.e., for non-IT purposes)?  I work in Internal Audit for a health insurance company who recently implemented GRC.  I would love to talk with somebody else who's implemented GRC enterprise-wide.

Hi Torbjörn,

I believe I work with your colleague Madeleine T. back in Sweden. She is helping us build a control framework at Telenor inpli 🙂

Br,

Ovid

Regarding 'Attestations' on Service Portal:

You need to add the 'My surveys' widget to your portal page.

'Baseline' this is the page named 'index'.

You probably would like to create a widget instance and then customize your labels and maybe create a filter.

If you have resources managing your Service Portal they will now exactly what to do...

BR Ted

I agree with Torbjörn, a high-level data model would be beneficial.

The schema map mentioned in other comments gets too detailed...

Something like the CSDM Whitepaper would be really useful.

/Ted

Does CareWorks Tech have a strong SN GRC background? Would you recommend them? 

These are the two slide that were requested on GRC architecture.

Jan

Attached is the post class document I have referred to in class.

They do work with you fairly well and have a good GRC background, Jim and I can get together with you at the breaks to talk about them. they've really been helpful in our implementation though.

Hi Tami, ditto what John said, let's meet during the break to exchange contact information and discuss our experience with the consultants.

Step-by-step instructions: Many of the users in GRC that will need to attest that the Controls are in place and provide evidence, but will not want to nor have access, to the native view.

You can expose the attestations and risk assessments on the portal so they will see My Attestations and My Risk Assessments by visiting the service portal

1. In the left Nav filter type in "Portal"

    Open " Service Portal Configuration"

2. Select the designer module

3. Find the Service Portal Index page and open it

4. Find the My Surveys widget and drag over to any portal container

5. Verification - once you move it over.

Service Portal Verification

See also following information related to FAIR model

https://cdn2.hubspot.net/hubfs/1616664/The%20FAIR%20Model_FINAL_Web%20Only.pdf

FAIR model site itself: https://www.fairinstitute.org where Risk Lens is a technical advisor 

Here is a link to details on currency localization

https://docs.servicenow.com/bundle/madrid-platform-administration/page/administer/core-configuration/topic/p_Localization.html

1. Version tracking for Policies (including maintaining historical versions for reference)
2. Tracking of user attestation/acknowledgement of policies
3. Policy publication in the Portal

The assessment evaluation we discussed is actually done in a script include.

If you're interested in how it evaluates to make sure that any customized assessment works...look at the attached pic.

There's the script include and the section involved.

You may want a developer to help you interpet the script unles you now JavaScripting...

BR Ted

Data model whitepaper for GRC module.

Will give insight into how different data entities relate to each other.

Ted Norlander (ted.norlander@businessnow.se).

Primarily partner but weäre using ServiceNow to manage our own business as well (ITBM/ITSM).

In ITSM/CSM/ITBM there is a whitepaper available named CSDM (Common Services Data Model).

Something like that in GRC would be perfect to explain the concepts.

BR Ted

Versioning, with historical versions, would be extremely useful for responding to audits and investigations, especially with regards to incidents and what policies were in place at the time of the incident.

How many ServiceNow GRC users do all of your organizations have - not including IT users (ITSM, etc.)?  We are implementing ITSM and GRC and have staff on the ITSM side but not on the GRC side.  Looking for advice on how we should grow our GRC staff to meet the needs of successfully deploying and operating GRC.

For perspective, our organization is ~5000 employees, ~$400M annual operating budget, operating in multiple, regulated industry verticals (healthcare, local government, education (secondary), etc.).  We have ~500 IT systems (including cloud) and 181 laws and regulations (just from a cybersecurity perspective).  Thanks!

Pics from the training session...

Thank you! Here are a few more. Thanks for everything, GRC Fun K19 staff!

Hi Jan,

Hope all is well. I was curious if there was a digital version of the participant guide from the GRC Fundamentals course available? And if so, where to attain a copy.

Respectfully,

Patrick Booth

How do I connect a Control and an indicator in order to create only 1 issue (not 2). Example: My Profile Type filters, so that only the Service AD is in scope. My Indicator filter is set to check a value in another table. Why does both by control and my indicator create an issue, when the indicator fails? 

Kind regards

Maja