Paul Jensen2
ServiceNow Employee

This article is for questions and answers for LAB3015 - Scale Trust and Resilience for your Third Parties with Vendor Risk Management.

This lab is being presented multiple times throughout the live K20 event May 5 - 7, 2020. During the live event, post your questions in the comments of this article, and one of our lab gurus will be happy to answer them.

Comments
Dan Minter
ServiceNow Employee

I am going to have to reach out to engineering on this one...standby 🙂

Matt32
ServiceNow Employee

Hi Dwilcher - I replied to your comment on the other thread above. IP Restrictions right now are all or nothing, but there are architectures that could help; my advice would be to engage your overall Account team's Solution Consultant for help with this. Great feedback, and I will send it to Product Management today. Thank you!

Dan Minter
ServiceNow Employee

Hi Dwilcher - Matt is correct, your core account solution consultant can provide some advice here. Our team believes this could be done through a reverse proxy, but do ask for some help from your account team to be sure.

dwilcher
Tera Guru

Ahh, thanks man! I thought it got buried up there! Fair enough, and thank you!

Matt32
ServiceNow Employee

No problem! I did already provide the feedback to Product Management. Thanks for your ongoing support!

swindgassen
Tera Contributor

I understand, but my account just created in the LAB, with which I did the assessment, is not allowed to log in to the ServiceNow instance as a user. That makes sense if it is not considered a user.

However, we have companies that are both Customer (with users who need to be able to log into the Service Portal and raise incidents or requests) and Vendor (with contacts who need to be able to log into the VDP to take the assessments).

It would be helpful if by default a VRM contact gets the role snc_external, but that we can either change it into e.g. "snc_inANDexternal" or that we can have both snc_external and snc_internal.

(We even have a different issue, as we have domain separation and the best solution offered now by ServiceNow is that we have duplicate companies: one having its own domain and users who can access the Service Portal, and the other within the same domain as our own company for the VRM, with the VRM contacts to do assessments.)

Dan Minter
ServiceNow Employee

I will get that feedback to our Product Management team.  Thanks a lot.

DaSmith9
Tera Expert

I'm not on the ServiceNow team, but we are just beginning our VRM journey as well, and the Explicit Roles plug-in that you are referring to that adds the 'snc_internal' and 'snc_external' roles introduced some things to work through in regards to our deployment. 

Some more information on the Explicit Roles:

https://docs.servicenow.com/bundle/newyork-platform-administration/page/administer/contextual-securi...

The plugin has a script that touches a lot of different records in the platform (ACLs, Record Producers, Catalog Items, etc). The 'snc_internal' role is granted automatically when a user logs in successfully to the internal side of the platform. The 'snc_external' is added automatically to a new Vendor Contact.

Additionally, we had a test account that ended up with both 'snc_internal' and 'snc_external' roles inadvertently, and it caused portal oddities between what was allowed on our internal portal and what was visible on the Vendor Portal. Think of all the pages and widgets used for the Portal configurations, and a potential fix could be complicated and touching many records. 

I'm curious as well as to what Dan finds from the Prod Mgmt team. We do not have the scenario you are mentioning, but I guess it's always a possibility and I'd like to be prepared if it ever comes up. If allowed, I imagine there would be some ACL and/or User Criteria adjustments needed that would be specific to your environment.

DaSmith9
Tera Expert

We are just beginning our VRM journey, and in regards to updating and maintaining templates, question banks and questionnaires, are there any best practices documented for managing these as it relates to the ServiceNow Admin (traditionally capturing things via update set) and also for the teams facilitating the assessment processes? 

There is a lot of documentation out there, just looking to see if this is highlighted anywhere that I can be directed to for future reference. 

I'm concerned specifically about versioning, and updating these items while there are existing assessments in flight. I want to avoid any mishaps that would impact the availability and functionality of the assessment process. 

Paul Jensen2
ServiceNow Employee

Questions and Answers for the APJ Session

Jeff W1
Tera Contributor

If a vendor goes through a bunch of dependent questions (say 3 or 4), and then changes the parent question to no longer match the dependency rule, does it reset all the child question responses?

mdayson
ServiceNow Employee

Ooh that's a good one Jeff! Let me do a quick test! 

Kassidy D_Annol
Kilo Explorer

Could you use this to complete an internal assessment, such as for internal application teams and whether they've completed certain governance processes, certain SOPs, etc.?

mdayson
ServiceNow Employee

As it turns out, the child question responses are NOT cleared/reset. They're persistent once the responses are saved. 

Kassidy D_Annol
Kilo Explorer

Some of the relationship with a vendor is assessed through SLAs, compliance with ongoing change management, etc. How could we incorporate that into this assessment (or even just the output of the assessment) using ServiceNow?

Carol22
Kilo Explorer

Do the vendor contacts have a tiered structure? For example, if we have a parent company and want to track sub vendor records as child vendors of the parent company, can that be done? Can we have different vendor contacts per type of contact within a single vendor record (sales manager, security, etc.)?

snaj
Kilo Explorer

In real time, how do I relate a vendor record to vendor contacts? Is that to be done manually?

Gen Fields
ServiceNow Employee

You can import bulk data and create those data relationships - very easy to do.

Gen Fields
ServiceNow Employee

Is that answering your question?

mdayson
ServiceNow Employee

Hi Carol! Currently, vendor hierarchy structure is on our near-term future roadmap. This will allow vendors and their subsidiaries to be assessed at the appropriate level. 

For your second question, can you provide an example? 

mdayson
ServiceNow Employee

I would also add that an integration can also be leveraged to pull in this type of vendor and contact relationship metadata. 

Carol22
Kilo Explorer

Do customers usually host this in a separate instance from other apps which may have sensitive data (such as HRSD or ITSM)?

Kevin17
ServiceNow Employee

Posting for Kassidy D'Annolfo:

Managing vendors also involves tracking compliance with SLAs and change control processes, among other things. Is there a way to incorporate those in the workflow or the output of the assessment in ServiceNow?

Gen Fields
ServiceNow Employee

Hi Carol, Not necessarily. It's a scoped application with separate access controls. All the applications on the platform can be used in a single instance. Having a separate instance is a customer decision. I work in Australian Federal so I do have customers with separate instances due to security classifications.

Gen Fields
ServiceNow Employee

Does that answer your question?

mdayson
ServiceNow Employee

Only if absolutely necessary due to strict security restrictions, more of a customer decision. Since it's a scoped application there are elevated access controls. 

Gen Fields
ServiceNow Employee

Hi Kassidy, You can pivot from VRM into the Vendor Manager Workspace. Have a look at https://docs.servicenow.com/bundle/orlando-it-service-management/page/product/vendor-manager-workspa...

Let me know if that helps to answer your question.

Kassidy D_Annol
Kilo Explorer

Thank you!

Guillaume10
ServiceNow Employee

The Vendor Contact form has a Role field (default choices include Finance, Information Security, Legal, etc.). You can create multiple Vendors across these different types.

In the Vendor Portal, a Primary Contact can re-assign the Assessments they have to another Contact with the correct role.

snaj
Kilo Explorer

Hi, can I create an update set in Global, and can these changes be moved to the QA system? Or does it need to be in a scoped app?

mdayson
ServiceNow Employee

Although you can, it's cleaner to create the update set in the appropriate scoped app, in my experience. 

Carol22
Kilo Explorer

Yes, thanks.

Carol22
Kilo Explorer

Thanks. That's a big need for us (hierarchy). My 2nd question was answered later in the lab after seeing vendor contacts.

Version history
Last update: 05-01-2020 03:26 PM