Avanade needs effective and efficient processes to meet its internal and clients’ regulatory requirements
As a leading global professional services company, Avanade needs to show compliance to its clients, regulators, and its parent company. It’s especially important to meet strict regulatory requirements, including ISO, GDPR, HIPAA, CCPA, and SSAE 18. Because of this, Avanade, which is a subsidiary of Accenture, has an overriding focus on effective governance, risk, and compliance (GRC).
ServiceNow helps Avanade connect and automate its GRC processes, increasing scalability and eliminating time-consuming manual work
Avanade had issues with its existing GRC environment. According to Ann Auerbach, Global Certification and Compliance Manager at Avanade, “We had an on-premises system, but we were concerned about its scalability. And, despite having a tool, our compliance team still had to use spreadsheets to track regulatory updates from our legal team. Our team is small, so we were overloaded—particularly with the high number of regulatory changes.”
Avanade had recently deployed ServiceNow IT Service Management (ITSM). To address its GRC challenges, it decided to migrate from its existing tool to ServiceNow Governance, Risk, and Compliance and add ServiceNow Security Operations to the Now Platform®.
Ann says, “The transition to ServiceNow for GRC was completed with the help of Accenture in just six months. Before, governance, risk, and compliance were disconnected processes. With ServiceNow, they all work together. For example, by looking at compliance, we can immediately see our risks.”
The company gets major benefits from having GRC, SecOps, and ITSM on a single platform
Greg Petersen, Director of Security Technology and Operations at Avanade, says, “GRC, Security Operations, and ITSM belong together. For example, take security incidents. When an asset in our CMDB is involved in a security incident, we can see right away if there’s a corresponding policy exception—for instance, an approval to defer a patch. By tying security incidents and exceptions together, it is easier to identify potential gaps in our security exception process.”