Share the Wealth: ServiceNow Governance, Risk, and Compliance (GRC)

In this week’s Share the Wealth video, John Gilaspy of GlideFast Consulting gives an overview and demonstration of ServiceNow Governance, Risk, and Compliance (GRC).

What is ServiceNow GRC?

GRC consists of four applications, covering multiple disciplines:

• Policy and Compliance Management

• Policy Management, Policy Acknowledgement, and Policy Exception

• Compliance Management

• Risk Management

• Risk Assessment

• Advanced Risk Management & Risk Events

• Audi Management

• Vendor Risk Management

• Vendor Tiering

• Vendor Risk Assessment

• SIG Questionnaire Integration

• Various Accelerators

Why does my company need GRC?

John compares GRC to the idea of parents telling their children to brush their teeth — each process follows a set of policies. As a parent, you might tell your children to brush their teeth first thing in the morning and last thing at night. These are examples of policies. With GRC, expectations and time frames are set, controls are designed and tested for effectiveness, and policies are monitored and verified when necessary.

Policies are redesigned according to audits. Think of an audit as a dentist visit every six months — the results of audits are used to emphasize what happens if we don’t adhere to those policies and use those controls. The risks, in terms of our analogy, of not adhering to the policies set in place are tooth aches and more dentist visits.

Governance and compliance from an internal side, risk management of what could happen if the policies are not followed, and the audit of the dentist visit is GRC for every individual when it comes to brushing your teeth. These elements work together so that if we follow the policies, adhere to the controls, and put them into practice, audits are passed and risk is lowered. That is what happens in the enterprise.

What do we do with GRC?

GRC is the idea of making sure that we are looking at things in the system that present risk or are required to be maintained compliance, otherwise known as entities. Entities include servers, VPs, departments, applications — frankly anything can be part of GRC.

When configuring GRC, it begins with the upfront configuration. This is 90% of the project. There is a lot of documentation to gather, including business process documentation and configuration. We gather documentation, frameworks for risk, and current risk statements, or what the client has identified as the risk the enterprise faces. Everything in the system that could be impacted is looked at — those are our entities.

We then look at the authorities. We talked about policy management, or internal policies. Every enterprise has an internal policy and ways of documenting them. For example, ServiceNow has a policy management process and repository. Policy management, policy acknowledgement, and the authority document that come with it are the external side of the house, or external policies. The external side of brushing your teeth, for example, could be the American Dental Association — any external body that regulates standards or laws.

All of this brings us to a controlled objective, which is a template. What should we actually be doing on a daily basis? We should be configuring applications to require passwords with strict standards, for instance. Once we have this all documented and put into the system, we let ServiceNow do what it does best — automation. ServiceNow automation includes entity generation, risk generation, assessment generation, indicator generation, test plan generation, control generation, and attestation generation.

Risk and compliance managers are able to monitor what is happening on a daily basis. Regular verification is then brought into the process. The goal for GRC is to automate the management of GRC as much as possible and put the responsibility at the desktop.

What does GRC interact with?

GRC interacts with the following:

• Approval

• Departments

– VIP Users and Process-responsible parties

• Vendors

– Vendor Risk Assessment

• CMDB

– SolarWinds, Nagios, SCCM

• Users

– Workday, AD, PeopleSoft

• Custom

• VR

• SIR

– SecOps, Qualys, Tanium, Rapid7, etc.

• Request

– Request Processes and Approvals

• Incident

– Incident-to-Request Transition

• Problem

– Incident and Problem Relationships

• Change

– Change process and relationships

– Change Tasks and Approvals

Interested in working with experts like John? Reach out to our team. We would love to learn more about your ServiceNow challenges and how we can help your organization build better solutions.