Demystifying Governance, Risk, and Compliance
TRANSCRIPT
© 2017 ServiceNow All Rights Reserved
Demystifying Governance, Risk, and Compliance (GRC) with Four Simple Use Cases
Bryce Schroeder, Sr. Director, Security and Risk Solutions Consulting, ServiceNow
Diego Regules, EMEA Solution Consulting Demo Center, ServiceNow
Speaker Introductions
NAME: Bryce Schroeder
TITLE: Sr. Director, Security and Risk Solutions Consulting
FUNCTION: Security and Risk Solutions Consulting
COMPANY: ServiceNow
EXPERIENCE: 17 years security and systems engineering, 10 years R&D, 7 years IT
EXPERTISE: systems and security architectures, solving problems
CURRENT PROJECTS: ServiceNow Security Operations and GRC
NAME: Diego Regules
TITLE: Solution Consultant
FUNCTION: EMEA Solution Consulting Demo Center
COMPANY: ServiceNow
EXPERIENCE: 8 years technology consulting, 5 years financial services, 3 years SMBs
EXPERTISE: Third-party assurance, IT risk transformation, internal audit, fintech
CURRENT PROJECTS: EMEA Solution Consulting Demo Center GRC Team Lead
Agenda
• The Current State of Governance, Risk, and Compliance
• ServiceNow Governance, Risk, and Compliance
• Demo: Four Simple Use Cases
• Q & A
Your Enterprise is Faced with Increasing Challenges and Demands
• Vendor Risks
• Compliance Guidelines
• New Standards
• Internal Risk Reduction Initiatives
• Changing Regulations
• Cyber Risks
Currently, how many legislative, regulatory, and industry compliance frameworks are there worldwide?
The Problem: GRC in the Typical Enterprise is Complex
Functions: IT, Security, Legal, Internal Audit, Finance
Frameworks and activities across those functions:
• SOX: Policies, Risks, Controls, Control Test, Evidence, Certification
• SOX, IIA Standard: Policies, Risks, Controls, Control Test, Evidence, Audits
• COBIT/ITIL: Policies, Risks, Controls, Control Evidence, Monitoring
• FCPA / UK Bribery Act / Code of Conduct; Privacy / GDPR: Policies, Audits, Investigations, Case Management
• ISO 27001, HIPAA, PCI, NIST: Policies, Cyber Risks, Controls, Control Test, Evidence, Monitor
Tools & Capabilities: Email, Spreadsheets, Meetings (versus Integrated Reporting, Workflow-Driven Process, Transparency)
Today's GRC Processes and Tools Can't Keep Up
• Siloed Tools & Organizations (IT, Security, Legal, Internal Audit, Finance)
• Reactive Risk Management
• Manual Processes
Poll Question
How many man-hours are spent per year on the manual tasks of GRC?
A. 3,000
B. 5,000
C. 10,000
D. 15,000
The Need: Transform Ineffective Processes into a Unified GRC Program
• Get actionable information
• Identify your most critical risks
• Automate cross-functional activities
ServiceNow Governance, Risk, and Compliance
Applications: Policy & Compliance Management, Risk Management, Audit Management, Vendor Risk Management
Platform: Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow
Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting
Secure & Compliant, Scalable, Multi-Instance
Transform Vendor Risk Management from…
Legal, IT, HR
• Manual and time-consuming processes (Excel, Email, Meetings)
• Siloed processes and organizations that lead to missed communications
• No visibility into overall program activities and vendor risk posture
… To ServiceNow Vendor Risk Management
Legal, IT, HR
• Vendor Catalog
• GRC Integration
• Vendor Portal: Assessments, Contacts, Deadlines, Issues and Remediation
Automate Risk Scores Based on Critical Vulnerabilities
IT asks: Who owns the server? What's the business impact? Are the business owners aware?
Vulnerability scan results database → vulnerabilities identified:
• CVE-2014-3566 (SSL vulnerability)
• QID 70000 (NetBIOS vulnerability)
CMDB: Lunch Server hosts HR applications
→ Risk score automatically adjusted
→ Issue prioritized
→ Business (HR, Facilities) has insight into risk exposure
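The flow on this slide (scan findings, CMDB lookup for owner and business impact, adjusted risk score, prioritized issue) as an added worked example in Python. This is not ServiceNow code and is not part of the original deck. The host names, CVSS values, CMDB records and the scoring rule (worst CVSS on a host multiplied by a business-criticality weight, with hosts missing from the CMDB treated as high criticality until someone claims them) are assumptions; CVE-2014-3566 and QID 70000 are the identifiers named on the slide.

```python
"""Join vulnerability scan findings with CMDB context and derive asset risk scores.

Added example for the scan -> CMDB -> risk score -> prioritized issue flow;
not ServiceNow code. All data and the scoring rule below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed scan results, shaped like a scanner export (host, finding id,
# title, CVSS base score). The CVE and QID appear on the slide; the hosts and
# CVSS values are assumptions for this example.
FINDINGS = [
    {"host": "lunch-srv01", "id": "CVE-2014-3566", "title": "SSLv3 POODLE", "cvss": 3.4},
    {"host": "lunch-srv01", "id": "QID 70000", "title": "NetBIOS name service reachable", "cvss": 5.0},
    {"host": "kiosk-07", "id": "CVE-2014-3566", "title": "SSLv3 POODLE", "cvss": 3.4},
    {"host": "ghost-42", "id": "QID 70000", "title": "NetBIOS name service reachable", "cvss": 5.0},
]

# Constructed CMDB extract: configuration item -> owner, business service,
# criticality. 'ghost-42' is deliberately absent to exercise the
# "who owns the server?" case.
CMDB = {
    "lunch-srv01": {"owner": "hr-apps-team", "business_service": "HR applications", "criticality": "high"},
    "kiosk-07": {"owner": "facilities", "business_service": "Visitor kiosk", "criticality": "low"},
}

# Assumed weighting: business criticality scales technical severity.
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


@dataclass
class AssetRisk:
    host: str
    owner: Optional[str]
    business_service: Optional[str]
    score: float                                  # 0..30: worst CVSS (0..10) x weight (1..3)
    finding_ids: List[str] = field(default_factory=list)

    @property
    def owner_known(self) -> bool:
        return self.owner is not None


def score_assets(findings, cmdb) -> Dict[str, AssetRisk]:
    """Group findings by host, attach CMDB context, compute one score per host.

    A host missing from the CMDB is scored as 'high' criticality: an asset
    nobody owns cannot be shown to be unimportant, so it floats to the top
    until someone claims it.
    """
    by_host: Dict[str, List[dict]] = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)

    risks: Dict[str, AssetRisk] = {}
    for host, host_findings in by_host.items():
        ci = cmdb.get(host)
        weight = CRITICALITY_WEIGHT[ci["criticality"] if ci else "high"]
        worst = max(f["cvss"] for f in host_findings)
        risks[host] = AssetRisk(
            host=host,
            owner=ci["owner"] if ci else None,
            business_service=ci["business_service"] if ci else None,
            score=round(worst * weight, 1),
            finding_ids=[f["id"] for f in host_findings],
        )
    return risks


def prioritize(risks: Dict[str, AssetRisk]) -> List[AssetRisk]:
    """Remediation order: highest score, then most findings, then
    unknown-owner before known-owner (an ownership triage task is still open)."""
    return sorted(risks.values(), key=lambda r: (-r.score, -len(r.finding_ids), r.owner_known))


def unowned_hosts(risks: Dict[str, AssetRisk]) -> List[str]:
    """Hosts the CMDB cannot attribute: the 'who owns the server?' backlog."""
    return sorted(r.host for r in risks.values() if not r.owner_known)


def render_issue(r: AssetRisk) -> str:
    owner = r.owner or "UNKNOWN (no CMDB record)"
    service = r.business_service or "unknown business impact"
    return f"{r.host}: risk {r.score} | owner {owner} | {service} | {', '.join(r.finding_ids)}"


if __name__ == "__main__":
    risks = score_assets(FINDINGS, CMDB)
    for issue in prioritize(risks):
        print(render_issue(issue))
    print("needs owner:", unowned_hosts(risks))
```

The same QID on two hosts lands at very different priorities purely because of the CMDB context, which is the point of the slide; the unowned host ranks alongside the HR server rather than below it, so a missing CMDB record becomes work rather than a blind spot.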
Reduce Compliance Overhead
IT, Finance, Legal ask: Are we meeting our regulatory obligations? Do we have any critical issues?
CMDB
→ Monitor for control effectiveness
→ Control failure auto-generates an issue
→ Analyze, review, and close the issue
→ Continue to monitor for compliance with real-time dashboards
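The monitoring loop on this slide (test a control against CMDB data, a failure opens an issue, a passing re-test closes it, a dashboard reports control effectiveness) as an added example in Python. It is not ServiceNow code and not part of the original deck. The control definitions, CI attributes and issue states are assumptions; a CI that lacks the attribute a control needs is counted as a failure, because absence of evidence is not a pass.

```python
"""Continuous control monitoring over CMDB attributes (added example, not ServiceNow code).

Each pass evaluates every control against the CIs it applies to, opens an
issue for a new failure, closes the open issue when the control passes again,
and returns per-control effectiveness for a dashboard. Controls, CI
attributes and issue states below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed CMDB attribute snapshot. 'app-03' has no disk_encrypted
# attribute on purpose: there is no evidence for that control.
CMDB_SNAPSHOT = {
    "web-01": {"env": "prod", "min_tls": "1.2", "disk_encrypted": True},
    "web-02": {"env": "prod", "min_tls": "1.0", "disk_encrypted": True},
    "db-01": {"env": "prod", "min_tls": "1.2", "disk_encrypted": False},
    "app-03": {"env": "prod", "min_tls": "1.2"},
    "dev-09": {"env": "dev", "min_tls": "1.0", "disk_encrypted": False},
}


@dataclass
class Control:
    id: str
    statement: str
    applies_to: Callable[[dict], bool]   # scoping rule over CI attributes
    test: Callable[[dict], bool]         # automated control test


CONTROLS = [
    Control("CTL-TLS-01", "Production services accept TLS 1.2 or higher only",
            lambda ci: ci["env"] == "prod",
            lambda ci: float(ci["min_tls"]) >= 1.2),
    Control("CTL-ENC-01", "Production hosts encrypt data at rest",
            lambda ci: ci["env"] == "prod",
            lambda ci: ci["disk_encrypted"] is True),
]


@dataclass
class Issue:
    control_id: str
    ci: str
    state: str = "open"      # "open" -> "closed"


IssueKey = Tuple[str, str]


def run_control_tests(controls, snapshot, register: Dict[IssueKey, Issue]) -> Dict[IssueKey, bool]:
    """One monitoring pass. Mutates `register` (the issue list) and returns
    the pass/fail result for every (control, CI) pair in scope."""
    results: Dict[IssueKey, bool] = {}
    for control in controls:
        for ci_name, attrs in snapshot.items():
            if not control.applies_to(attrs):
                continue
            try:
                passed = bool(control.test(attrs))
            except KeyError:
                passed = False   # attribute not recorded: no evidence, so it fails
            key = (control.id, ci_name)
            results[key] = passed
            issue = register.get(key)
            if not passed and (issue is None or issue.state == "closed"):
                register[key] = Issue(control.id, ci_name)   # failure opens an issue
            elif passed and issue is not None and issue.state == "open":
                issue.state = "closed"                       # re-test passed: close it
    return results


def effectiveness(results: Dict[IssueKey, bool]) -> Dict[str, Tuple[int, int]]:
    """Dashboard figure per control: (CIs passing, CIs in scope)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for (control_id, _ci), passed in results.items():
        ok, total = summary.get(control_id, (0, 0))
        summary[control_id] = (ok + int(passed), total + 1)
    return summary


def open_issues(register: Dict[IssueKey, Issue]) -> List[IssueKey]:
    return sorted(k for k, i in register.items() if i.state == "open")


if __name__ == "__main__":
    register: Dict[IssueKey, Issue] = {}
    first = run_control_tests(CONTROLS, CMDB_SNAPSHOT, register)
    print("effectiveness:", effectiveness(first))
    print("open issues:", open_issues(register))
    # web-02 is remediated; the next pass closes its TLS issue, db-01 stays open.
    remediated = {**CMDB_SNAPSHOT, "web-02": {**CMDB_SNAPSHOT["web-02"], "min_tls": "1.2"}}
    run_control_tests(CONTROLS, remediated, register)
    print("open issues after fix:", open_issues(register))
```

The register keeps one issue per (control, CI) pair, so a control that flaps does not spawn duplicate tickets, and the dev host is never tested because the scoping rule excludes it rather than the test silently passing.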
Streamline SOX Audits
• 66% time reduction in control certification (reduction in quarterly control certification): automated surveys, reminders, and monitoring
• 85% reduction in resource hours tracking compliance: continuous monitoring and event-based alerts; better visibility and efficiency
• 110 corporate policies managed: automated publishing of policies through the Service Portal; reduced effort and more transparent policy management
• $340k saved annually: cost savings with ServiceNow GRC from real-time dashboards, monitoring, and automated workflows
• Continuous controls monitoring and automated evidence collection for efficiency and scale
• Automated self-service workflow: Policy, Risk, Control, Audit, Test, and Certification
• Real-time dashboards monitoring enterprise compliance and audit activities
Top Takeaways
1. Control your risk exposure: continuously monitor to detect control changes in real time, at scale
2. Prioritize response to critical risks: combine single-platform, cross-functional visibility with CMDB context
3. Slash GRC burden: automate processes and consistent workflows across IT and the business
Q & A
Thank you for joining us.
Bryce Schroeder, Sr. Director, Security and Risk Solutions Consulting, ServiceNow
Diego Regules, EMEA Solution Consulting Demo Center, ServiceNow