The Customer
The client directly provides a telecommunications platform for cellular traffic, with dedicated devices and an app store, and also provides a dedicated, limited access cellular network for first responders on duty. They have implemented other ServiceNow modules such as IT Service Management (ITSM) and Configuration Management Database (CMDB).
In this case, the client needed the help of GlideFast to implement Custom Risk Assessment, which is founded on the IRM module.
The Challenge
The client was running into a systemic issue. As it stands, every version of every application that could be installed on a device utilizing the cellular network must pass a security risk assessment, which was done in another system at the time. That system was now being sunsetted, which meant the entire business process would have to be rebuilt in another application.
To solve this problem, the GlideFast team came up with the following expectations for the solution:
-
Relationship of all risk assessments of relevant applications to the appropriate configuration items, if the telecom provider developed/provided/owned.
-
Identification and logging of new applications from Third-party apps into the CMDB.
-
Identification and logging of all relevant devices, versions, and programming modules for each application.
-
Documentation of custom risk assessment with custom risk scoring methodology, with aggregation of overall risk from assessments of each module/version/device.
-
Documentation of relevant security authority sources, including PCI/DSS, NIST 800-53, and internal policies.
-
Identification and creation of Issues of non-compliance with said authority sources and internal policies.
The Solution
The solution was to create a custom assessment process based on IRM, with a new hierarchical CMDB structure that allowed for the device types, e.g. Phones, Cellular Access Points, Gaming Systems, etc, to be further segregated by platform, e.g. Apple, Google, Nokia, Microsoft, Nintendo, etc. Each platform was then further segregated into versions, and each version could then be assessed for security concerns using the custom assessment process.
Integrations with the customer testing lab allowed new versions to be automatically identified and consumed for the relevant platforms. An assessment flow was designed using tasks, assessment questionnaires, checklists, and resultant issues that allowed the analysts to document their findings as relevant to the appropriate policies, and assign them to the product owners, who communicated back to the developers for resolution.
To ensure the success of the solution, GlideFast held requirements-gathering sessions throughout the course of the project, as each portion needed to be developed in sequence. They also held bi-weekly meetings with the client for question-and-answer sessions and provided training after the project was in User Acceptance Testing (UAT).
Results
Through the implementation of the solution, the sunsetted application was retired, and all processes shifted into ServiceNow, allowing the client to forgo a renewal and saving them millions of dollars. The process was streamlined from spreadsheets into a workflow, and assessment time was cut by a third, anecdotally. Phases one and two have been completed for this implementation and GlideFast is currently working with the client as they complete Phase three.
