The client faced a systemic issue surrounding the security risk assessments for applications running on their network. Every version of each application needed to pass a security risk assessment before being installed on a device using the telecom provider’s network.

However, the existing risk assessment system was being sunsetted, creating a significant problem: the entire business process needed to be rebuilt in a new application. The previous system was no longer going to be supported, which meant they had to find a way to integrate these security assessments directly into a new platform without losing the ability to effectively assess all applications and devices, especially third-party apps.

The primary requirements for the new system were:

• Establishing relationships between all risk assessments and the corresponding configuration items (CIs) for both in-house and third-party applications.
• Integrating third-party apps into the CMDB and ensuring accurate logging of relevant devices, versions, and modules for each application.
• Customizing the risk assessment methodology and scoring to comply with security authority sources, including PCI/DSS, NIST 800-53, and internal policies.
• Ensuring identification and creation of issues related to non-compliance with these authority sources and policies.

GlideFast Consulting proposed a solution leveraging ServiceNow’s IRM module, which allowed for a custom risk assessment process built around a new hierarchical structure in the CMDB.

The solution involved:

• Creating a Hierarchical CMDB Structure: GlideFast built a new CMDB structure that organized the telecom devices (e.g., phones, cellular access points, gaming systems) into categories based on their platform (e.g., Apple, Google, Nokia, Microsoft, Nintendo) and further segregated by device versions. This setup allowed each platform and its associated versions to undergo detailed security assessments.
• Automating Integration with the Testing Lab: Integrations were set up to automatically identify and process new versions of software from the customer’s testing lab, ensuring that every update or new release was captured for risk assessment without manual intervention.
• Custom Risk Assessment Process: GlideFast implemented a custom workflow for risk assessments using tasks, checklists, assessment questionnaires, and issue tracking. This process enabled security analysts to review and document risk factors for each device, version, and module.
• Compliance Tracking and Issue Management: The new system also included tracking mechanisms for compliance with industry standards like PCI/DSS, NIST 800-53, and internal policies. Any risks or non-compliance issues discovered during the assessment process were automatically logged and assigned to product owners, who communicated with development teams for timely resolutions.
• Collaboration and Training: Throughout the project, GlideFast hosted multiple requirements-gathering sessions with the client to ensure the solution met their needs. They also held bi-weekly meetings for Q&A sessions and provided training after the system entered User Acceptance Testing (UAT).

The successful implementation of ServiceNow Integrated Risk Management for this telecommunications provider has transformed their approach to security assessments and compliance. By leveraging the power of the CMDB and custom workflows, GlideFast Consulting helped the client move from a legacy system to a modern, automated process that saves both time and money while ensuring adherence to the highest security standards.

Key Outcomes:

• $ Millions Saved: By retiring the outdated risk assessment system and shifting to ServiceNow IRM, the client saved millions of dollars in system renewal and maintenance costs.
• 33% Reduction in Assessment Time: The custom risk assessment workflow cut the time required to conduct security assessments by one-third, improving overall operational efficiency.
• 100% Automation of Risk Assessment Updates: Integration with the customer’s testing lab ensured that new software versions were automatically identified and assessed, achieving 100% automation for this process.
• Full Compliance Tracking: The new system successfully tracks and manages compliance with industry standards like PCI/DSS, NIST 800-53, and internal policies, ensuring better adherence and risk management.

Through these innovations, GlideFast Consulting helped the client streamline their risk management processes, significantly improve compliance, and reduce operational costs, empowering them to focus on their core business objectives with confidence.