You can read Liyu You's first blog about ServiceNow GRC here.
ServiceNow Policy and Compliance Management provides a centralized process for creating and managing internal policies and controls that are mapped to external regulations, standards, and frameworks. For governance, it includes personas, roles, rights, and responsibilities.
Businesses must comply with many regulations, standards, and frameworks, while the regulatory landscape keeps changing and non-compliance fines are high. ServiceNow GRC enables "test once, satisfy many" by deploying compliance frameworks such as the Unified Compliance Framework (UCF) and by managing regulatory change through integrations such as Thomson Reuters Regulatory Change Management.
Answering who, what, why, and how will help with business justification.
| Question | Answer |
|---|---|
| Who? | People with different personas across the enterprise benefit from the solution. They include C-suite executives, directors, managers, action-takers, and employees. |
| What? | What problems do we solve? (1) No central location for all GRC artifacts (authority documents, citations, policies, procedures, standards, controls, etc.) across all enterprise domains/BUs. (2) Employees may not have access to all relevant GRC artifacts pertaining to them. (3) GRC lifecycles are managed manually and are time-consuming. (4) No enterprise-wide visibility/insight into GRC artifacts in terms of departments, categories, status, etc.; GRC assessment is very difficult, if not impossible. (5) Roles, rights, and responsibilities in the GRC lifecycles are not clear, so accountability cannot be established and enforced. What value does ServiceNow GRC bring to the table? (1) A central location for all GRC artifacts across all enterprise domains. (2) Employees have access to all relevant GRC artifacts pertaining to them, per their roles. (3) GRC lifecycles are managed through orchestration and automation, saving time. (4) Enterprise-wide visibility/insight into GRC statistics in terms of departments, categories, status, etc.; GRC assessment is structured and easy to follow. (5) Roles, rights, and responsibilities in the GRC lifecycles are transparent, so accountability can be established and enforced. |
| Why? | Why the ServiceNow solution? ServiceNow provides a single source of truth, a system of action, and the right platform to solve the issues listed above that most enterprises face today. |
| How? | How does it work, and how is the system accessed? By accessing the ServiceNow instance through web or mobile. |
Implementation Patterns
Once who, what, why, and how have been answered, the next step is to identify which implementation pattern will work best for your enterprise.
IP #1: Policy Management Lifecycle — Draft -> Review -> Awaiting approval -> Published -> Retired
A policy defines an internal practice that processes must follow. A policy can have a hierarchical structure, a type (policy, procedure, standard, plan, checklist, framework, or template), a category (incident, problem, vulnerability response [VR], etc.), and other attributes.
IP #2: Policy Acknowledgement Campaign Lifecycle — New -> Pending Acknowledgement -> Closed -> Canceled
A policy campaign is a record used to prepare for a policy acknowledgment request. It defines the audience who must provide an acknowledgment of a particular policy. It can be used in the enterprise security program for awareness training.
IP #3: Policy Exception and Extension Lifecycle — New -> [optional substate “Pending Verification”] Analyze -> Review -> Awaiting Approval -> Approved -> Closed
Users can request exceptions for policies, control objectives, or issues by specifying the reason for the exception and the particular list of systems or entities to which the exception will apply. The user must also specify the duration for which the exception is required. A risk assessment must be performed, and approval is required for governance and accountability.
IP #4: Control Lifecycle — Draft -> Attest -> Review -> Monitor -> Retired
Controls are specific implementations of a control objective. Controls are automatically generated when you associate a policy with an entity type or an entity type with a control objective. For the control objective, a control is created for each entity listed in the entity type. Controls can also be manually created.
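The control-generation rule above (one control per entity when a control objective is associated with an entity type), together with the time-bound exceptions of IP #3 and the compliant/non-compliant/exempted counts the dashboards report, can be modelled in a few lines. This is an added illustrative model written for this post, not ServiceNow code; the class and method names are this example's own, and a control's attestation outcome is reduced to a single compliant/non-compliant flag.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed model, not the ServiceNow data model or API.

@dataclass(frozen=True)
class Entity:
    name: str
    entity_type: str

@dataclass
class Control:
    objective: str
    entity: Entity
    compliant: Optional[bool] = None          # None until attested
    exception_until: Optional[date] = None    # exceptions must carry a duration

class ControlRegistry:
    def __init__(self):
        self.entities, self.controls = [], []

    def add_entity(self, name, entity_type):
        self.entities.append(Entity(name, entity_type))

    def associate(self, objective, entity_type):
        """Associating an objective with an entity type creates one control
        per entity of that type; re-associating must not create duplicates."""
        existing = {(c.objective, c.entity) for c in self.controls}
        new = [Control(objective, e) for e in self.entities
               if e.entity_type == entity_type and (objective, e) not in existing]
        self.controls.extend(new)
        return len(new)

    def _find(self, objective, entity_name):
        return next(c for c in self.controls
                    if c.objective == objective and c.entity.name == entity_name)

    def attest(self, objective, entity_name, compliant):
        self._find(objective, entity_name).compliant = compliant

    def grant_exception(self, objective, entity_name, days, today):
        # Scoped to one entity and time-boxed; it lapses after the duration.
        self._find(objective, entity_name).exception_until = today + timedelta(days=days)

    def breakdown(self, today):
        """Counts as a compliance dashboard would show them on a given day."""
        counts = {"compliant": 0, "non_compliant": 0, "exempted": 0, "pending": 0}
        for c in self.controls:
            if c.exception_until and today <= c.exception_until:
                counts["exempted"] += 1
            elif c.compliant is None:
                counts["pending"] += 1
            else:
                counts["compliant" if c.compliant else "non_compliant"] += 1
        return counts
```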
IP #5: Reporting and Analytics
ServiceNow Analytics and Reporting solutions contain preconfigured dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
Use the Performance Analytics widgets on the dashboard to visualize data over time, analyze your business processes, and identify areas of improvement.
- Compliance Overview (Compliance Requirements, Overall Compliance, Compliance by Authority Document, Compliance Score Trends, Non-Compliant Entities, Compliance Breakdown)
- Compliance Overview – PA Premium: the same content as Compliance Overview, but with interactive filters and checkboxes.
- Policy Overview (Control Compliance, Control Details, Compliance Score by Department, Control Overview, Exempted Controls by Policy, Control Issues by Policy, Exempted Controls by Entity, Total Control Objectives by Policy)
- Policy Overview – PA Premium: the same content as Policy Overview, but with interactive filters and checkboxes.
- Policy Acknowledgement Overview ([Past Due, Pending, Accepted, Declined, Exception Requested, Exempted], Policy Acknowledgement Status)
- Policy Exception Overview (Active Policy Exceptions, Policy Exceptions by Priority, Policy Exceptions by Policy, Policy Exceptions by Control Objectives, Policy Exceptions by Entity, Policy Exceptions by Department, Approved Policy Exceptions, Exempted Controls)
- My Attestation Overview (My Past Due Attestations, My Attestations, My Pending Attestations)