Demystifying Governance, Risk, and Compliance (GRC) with Four Simple Use Cases
Bryce Schroeder, Sr. Director, Security and Risk Solutions Consulting, ServiceNow
Diego Regules, EMEA Solution Consulting Demo Center, ServiceNow

Uploaded by servicenow, posted 21-Jan-2018, category Technology, 33 slides

TRANSCRIPT

Slide 1 © 2017 ServiceNow All Rights Reserved

Demystifying Governance, Risk, and Compliance (GRC) with Four Simple Use Cases

Bryce Schroeder, Sr. Director, Security and Risk Solutions Consulting, ServiceNow

Diego Regules, EMEA Solution Consulting Demo Center, ServiceNow

Slide 2

Speaker Introductions

NAME: Bryce Schroeder

TITLE: Sr. Director, Security and Risk Solutions Consulting

FUNCTION: Security and Risk Solutions Consulting

COMPANY: ServiceNow

EXPERIENCE: 17 years security and systems engineering, 10 years R&D, 7 years IT

EXPERTISE: systems and security architectures, solving problems

CURRENT PROJECTS: ServiceNow Security Operations and GRC

NAME: Diego Regules

TITLE: Solution Consultant

FUNCTION: EMEA Solution Consulting Demo Center

COMPANY: ServiceNow

EXPERIENCE: 8 years technology consulting, 5 years financial services, 3 years SMBs

EXPERTISE: Third-party assurance, IT risk transformation, internal audit, fintech

CURRENT PROJECTS: EMEA Solution Consulting Demo Center GRC Team Lead

Slide 3

Agenda

• The Current State of Governance, Risk, and Compliance

• ServiceNow Governance, Risk, and Compliance

• Demo: Four Simple Use Cases

• Q & A

Slide 4

Your Enterprise is Faced with Increasing Challenges and Demands

• Vendor Risks
• Compliance Guidelines
• New Standards
• Internal Risk Reduction Initiatives
• Changing Regulations
• Cyber Risks

Slide 5

Currently, how many legislative, regulatory, and industry compliance frameworks are there worldwide?

Slide 6

700 and growing

Slide 7

The Problem: GRC in the Typical Enterprise is Complex

Each function (IT, Security, Legal, Internal Audit, Finance) keeps its own tools & capabilities for its own frameworks:

• SOX: Policies, Risks, Controls, Control Test, Evidence, Certification
• SOX, IIA Standard: Policies, Risks, Controls, Control Test, Evidence, Audits
• COBIT/ITIL: Policies, Risks, Controls, Control Evidence, Monitoring
• FCPA / UK Bribery / Code of Conduct
• Privacy / GDPR: Policies, Audits, Investigations, Case Management
• ISO 27001, HIPAA, PCI, NIST: Policies, Cyber Risks, Controls, Control Test, Evidence, Monitor

Slide 8

The Problem: GRC in the Typical Enterprise is Complex (build on slide 7)

The same per-function silos, connected today by: Email, Spreadsheets, Meetings

Slide 9

The Problem: GRC in the Typical Enterprise is Complex (build on slide 7)

Added to the picture: Integrated Reporting, Workflow Driven Process Transparency

Slide 10

Today's GRC Processes and Tools Can't Keep Up

• Siloed Tools & Organizations
• Reactive Risk Management
• Manual Processes

(Functions shown: IT, Security, Legal, Internal Audit, Finance)

Slide 11

Poll Question

How many man hours are spent per year on the manual tasks of GRC?

A. 3,000

B. 5,000

C. 10,000

D. 15,000

Slide 12

15,000

Slide 13

The Need: Transform Ineffective Processes into a Unified GRC Program

• Get actionable information

• Identify your most critical risks

• Automate cross functional activities

Slide 14

ServiceNow Governance, Risk, and Compliance

GRC applications: Policy & Compliance Management, Risk Management, Audit Management, Vendor Risk Management

Platform capabilities: Single Database, Contextual Collaboration, Service Catalog, Service Portal, Subscription & Notification, Knowledge Base, Orchestration, Developer Tools, Reports & Dashboards, Workflow

Intelligent Automation Engine: Predictive Modeling, Anomaly Detection, Peer Benchmarks, Performance Forecasting

Secure & Compliant, Scalable, Multi-Instance

Slide 15

Four Simple Use Cases

Slides 16-18

Transform Vendor Risk Management from…

(Stakeholders: Legal, IT, HR)

• Manual and time consuming processes (Excel, Email, Meetings)
• Siloed processes and organizations that lead to missed communications
• No visibility into overall program activities and vendor risk posture

Slides 19-22

… To ServiceNow Vendor Risk Management

(Stakeholders: Legal, IT, HR)

• Vendor Catalog
• Vendor Portal: Assessments, Contacts, Issues and Remediation, Deadlines
• GRC Integration

Slide 23

DEMO

Slide 24

Automate Risk Scores Based on Critical Vulnerabilities

IT's questions when a scan comes back: Who owns the server? What's the business impact? Are the business owners aware?

Vulnerability scan results database:
• CVE-2014-3566 (POODLE) SSL vulnerability
• QID 70000 (Qualys ID) NetBIOS vulnerability

Business stakeholders: HR, Facilities

Slide 25

Automate Risk Scores Based on Critical Vulnerabilities (the same scenario, with the automated flow)

1. Vulnerabilities identified in the vulnerability scan results database (CVE-2014-3566 SSL vulnerability, QID 70000 NetBIOS vulnerability)
2. CMDB lookup: the "Lunch Server" hosts HR applications (stakeholders: HR, Facilities)
3. Issue prioritized using that business context
4. Risk score automatically adjusted
5. Business has insight into its risk exposure
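The flow on this slide joins scanner output to CMDB ownership and business-impact data. The Python script below is an added example, not ServiceNow code or anything from the deck: it takes a constructed scan export (the slide's two findings, plus the same NetBIOS finding on a host the CMDB does not know), a constructed CMDB mapping the lunch server to the HR and Facilities applications it hosts, and assumed severity and criticality weights, then produces per-application risk adjustments, owner-attributed issues ordered by business impact, and a list of hosts it could not resolve, which in practice is the most common failure mode of this integration.

```python
"""Correlate vulnerability scan findings with CMDB context so that risk scores
and issue priority follow business impact rather than raw scanner severity.

Added example (not ServiceNow's code): weights, field names and the sample
scan export / CMDB rows are assumptions constructed for illustration.
"""
from collections import defaultdict

# Assumed weights: scanner severity and business criticality of the hosted application.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed scan export: the slide's two findings on the "lunch server",
# plus the same NetBIOS finding on a host the CMDB does not know.
SCAN_RESULTS = [
    {"host": "lunch-srv-01", "id": "CVE-2014-3566", "title": "SSL Vulnerability (POODLE)", "severity": "high"},
    {"host": "lunch-srv-01", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": "medium"},
    {"host": "kiosk-07", "id": "QID 70000", "title": "NETBIOS Vulnerability", "severity": "medium"},
]

# Constructed CMDB: server -> owner and the business applications it hosts.
CMDB = {
    "lunch-srv-01": {
        "owner": "hr-ops@example.com",
        "applications": [
            {"name": "HR Payroll Portal", "business_unit": "HR", "criticality": "high"},
            {"name": "Cafeteria Menu", "business_unit": "Facilities", "criticality": "low"},
        ],
    },
}

# Assumed current scores from the risk register, keyed by application.
BASE_RISK = {"HR Payroll Portal": 20, "Cafeteria Menu": 5}


def score_finding(finding, application):
    """Impact of one finding on one application: severity x business criticality."""
    return SEVERITY_WEIGHT[finding["severity"]] * CRITICALITY_WEIGHT[application["criticality"]]


def correlate(scan_results, cmdb):
    """Join findings to CMDB context.

    Returns (adjustments per application, issue records, hosts missing from the CMDB).
    A host the CMDB cannot resolve gets no score and no owner; it is reported
    separately so it is triaged as a CMDB gap instead of silently dropped.
    """
    adjustments = defaultdict(int)
    issues = []
    unmapped = set()
    for finding in scan_results:
        ci = cmdb.get(finding["host"])
        if ci is None:
            unmapped.add(finding["host"])
            continue
        for app in ci["applications"]:
            score = score_finding(finding, app)
            adjustments[app["name"]] += score
            issues.append({
                "host": finding["host"],
                "finding_id": finding["id"],
                "title": finding["title"],
                "application": app["name"],
                "business_unit": app["business_unit"],
                "owner": ci["owner"],
                "score": score,
            })
    return dict(adjustments), issues, sorted(unmapped)


def prioritize(issues):
    """Highest business-impact issues first; ties broken by finding id for stable output."""
    return sorted(issues, key=lambda i: (-i["score"], i["finding_id"]))


def adjusted_risk(base_risk, adjustments, cap=100):
    """New risk score per application: register score plus vulnerability-driven adjustment."""
    return {app: min(cap, base_risk.get(app, 0) + adjustments.get(app, 0))
            for app in set(base_risk) | set(adjustments)}


if __name__ == "__main__":
    adj, issues, unmapped = correlate(SCAN_RESULTS, CMDB)
    for issue in prioritize(issues):
        print(f"{issue['score']:>3}  {issue['finding_id']:<14} {issue['application']:<18} "
              f"{issue['business_unit']:<10} owner={issue['owner']}")
    print("risk scores:", adjusted_risk(BASE_RISK, adj))
    print("hosts missing from CMDB:", unmapped)
```

The same finding lands twice in the issue list, once per hosted application, because the HR payroll portal and the cafeteria menu carry different business impact and different owners; the unmapped host list is what tells you the CMDB is incomplete before the risk score quietly ignores it.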

Slide 26

DEMO

Slide 27

Reduce Compliance Overhead

IT, Finance and Legal each ask: Are we meeting our regulatory obligations? Do we have any critical issues?

Slide 28

Reduce Compliance Overhead (the same scenario, with the automated flow)

1. Monitor for control effectiveness against CMDB data
2. Control failure auto-generates an issue
3. Analyze, review, and close the issue
4. Continue to monitor for compliance with real-time dashboards
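The monitoring loop on this slide, made concrete. The Python script below is an added example, not ServiceNow's control-monitoring implementation: the control definitions, thresholds, CI field names and issue record layout are assumptions, and the CMDB extract is constructed inline. Each control is an indicator (a scope predicate plus a per-CI test) evaluated against a pass threshold; a failure opens an issue carrying the failing CIs as evidence, a repeat failure does not open a duplicate, a later passing run resolves the open issue, and an empty scope is reported as missing evidence rather than counted as a pass.

```python
"""Continuous control monitoring: evaluate control indicators against CMDB data,
auto-generate an issue when a control fails, and resolve it when a later run passes.

Added example (not ServiceNow's code). Control definitions, thresholds, CI field
names and the issue record layout are assumptions; the CMDB rows are constructed.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Control:
    control_id: str
    name: str
    in_scope: Callable[[dict], bool]   # which CIs the control applies to
    test: Callable[[dict], bool]       # per-CI pass/fail check
    threshold: float                   # minimum passing ratio, 1.0 = zero tolerance


@dataclass
class Issue:
    issue_id: str
    control_id: str
    description: str
    evidence: list                     # names of the failing CIs at creation time
    state: str = "open"                # open -> resolved; review/closure stays a human step


# Assumed controls; both scope to production servers.
CONTROLS = [
    Control("CTL-001", "Production servers have backups enabled",
            lambda ci: ci["environment"] == "prod", lambda ci: ci["backup_enabled"], 1.0),
    Control("CTL-002", "Production servers patched within 30 days",
            lambda ci: ci["environment"] == "prod", lambda ci: ci["days_since_patch"] <= 30, 0.9),
]

# Constructed CMDB extract.
CMDB = [
    {"name": "prod-web-01", "environment": "prod", "backup_enabled": True, "days_since_patch": 5},
    {"name": "prod-db-01", "environment": "prod", "backup_enabled": False, "days_since_patch": 45},
    {"name": "prod-app-01", "environment": "prod", "backup_enabled": True, "days_since_patch": 10},
    {"name": "dev-web-01", "environment": "dev", "backup_enabled": False, "days_since_patch": 90},
]


def evaluate_control(control, cis):
    """Run one indicator: pass ratio over in-scope CIs compared with the threshold."""
    scoped = [ci for ci in cis if control.in_scope(ci)]
    if not scoped:
        # An empty scope is not a pass: there is nothing to evidence the control with.
        return {"control_id": control.control_id, "status": "no_evidence", "ratio": None, "failing": []}
    failing = [ci["name"] for ci in scoped if not control.test(ci)]
    ratio = (len(scoped) - len(failing)) / len(scoped)
    status = "pass" if ratio >= control.threshold else "fail"
    return {"control_id": control.control_id, "status": status, "ratio": round(ratio, 3), "failing": failing}


def run_monitoring(controls, cis, issues):
    """One monitoring cycle. Appends to and returns the issue list.

    A failing control with an open issue does not get a second one; a passing
    control resolves its open issue so the dashboard reflects the current state.
    """
    open_by_control = {i.control_id: i for i in issues if i.state == "open"}
    for control in controls:
        result = evaluate_control(control, cis)
        if result["status"] == "pass":
            if control.control_id in open_by_control:
                open_by_control[control.control_id].state = "resolved"
        elif control.control_id not in open_by_control:
            issues.append(Issue(
                issue_id=f"ISS-{len(issues) + 1:04d}",
                control_id=control.control_id,
                description=f"{control.name}: {result['status']} (ratio {result['ratio']})",
                evidence=result["failing"]))
    return issues


def dashboard(controls, cis, issues):
    """Current status per control plus the count of open issues."""
    results = {c.control_id: evaluate_control(c, cis)["status"] for c in controls}
    open_issues = sum(1 for i in issues if i.state == "open")
    return {"controls": results, "open_issues": open_issues}


if __name__ == "__main__":
    issues = run_monitoring(CONTROLS, CMDB, [])
    for issue in issues:
        print(issue.issue_id, issue.control_id, issue.state, issue.description, issue.evidence)
    print(dashboard(CONTROLS, CMDB, issues))
```

The evidence captured on the issue is the list of failing CIs at the moment of failure, which is what an auditor asks for later; recomputing it from the live CMDB after remediation would lose the record.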

Slide 29

DEMO

Slide 30

Streamline SOX Audits

• 66%: time reduction in quarterly control certification, from automated surveys, reminders, & monitoring
• 85%: reduction in resource hours tracking compliance, from continuous monitoring and event-based alerts (better visibility and efficiency)
• 110: corporate policies managed, through automated publishing of policies via the Service Portal (reduced effort and more transparent policy mgmt.)
• $340k: saved annually with ServiceNow GRC, from real-time dashboards, monitoring, and automated workflows

• Continuous controls monitoring and automated evidence collection for efficiency and scale
• Automated self service workflow – Policy, Risk, Control, Audit, Test, and Certification
• Real-time Dashboards – monitoring enterprise compliance and Audit activities

Slide 31

Top Takeaways

1. Control your risk exposure
   • Continuously monitor to detect control changes in real-time, at scale

2. Prioritize response to critical risks
   • Combine single platform cross functional visibility with CMDB context

3. Slash GRC burden
   • Automate processes and consistent workflows across IT and the business

Slide 32

Q & A
Thank you for joining us.

Bryce Schroeder, Sr. Director, Security and Risk Solutions Consulting, ServiceNow

Diego Regules, EMEA Solution Consulting Demo Center, ServiceNow

Slide 33

Champion Enablement™ Center

Get the solutions you need to:
• Accelerate buy-in
• Establish a strategic program
• Share solutions with your Enterprise

Access Today! www.servicenow.com/champion