ServiceNow GRC | ServiceNow Governance, Risk and Compliance Demo | GRC Training | IT Canvass
This conference will now be recorded.

These all come in one practice area. GRC and SecOps will usually be taken care of by the CSOs of the company; the chief security officer will take care of all these things. Like we have the operations manager in ITSM, right, where incident, problem, change, everything comes under one umbrella, in the same way governance, risk, compliance, vendor risk and risk management, audit management, and so many other modules like BCP, everything will come under one umbrella.

GRC is all about this: you monitor your risk and you try to mitigate those risks, okay? You implement policies based on the risk you identify; or you identify policies first, and if you see that some policy is not implemented, you identify the risk, and then, based on this, how to mitigate those risks. And again, it's an ongoing process, it's a cycle. I'll brief you with a very layman example, then everyone will understand what GRC is and why GRC is so important.

Okay, so the first part is governance. Governance is someone governing what the principles or policies or standards are. The CEO might be governing what is happening in your organization. A CSO will be governing what cyber security policies are involved, and whether everything is going as per the business objectives or not. To manage this thing, we call that part governance, okay? Whether our licenses are up to date or not, someone should govern it, right? Or whether your employees are following the policies, like everyone should work nine hours in the office, someone is governing that, right? Or everyone should wear an ID card before entering into the zone. What do you see? So that is all about governance, right? And the structure we implement to communicate, manage and monitor these ongoing operational activities, that is governance.

Coming to risk. There is a thin line of difference between risk and issue. An issue is something you identified; you
identified a threat, that is an issue. Whereas risk is you predicting something: it may or may not happen, okay? So the risk can be converted into an issue. It may or may not be a threat, but you identified it, and you need to manage it; that is risk management. If someone is already in project management, you might be doing this, okay: what are the risks involved in your project? A simple example: maybe your database center is located in a tsunami-prone area. It won't happen, I just took a very bad example, but a tsunami may hit at any time. That is the risk you identify, but it is not that it happened.

You need to manage different types of risk. It might be a reputational risk, it might be a financial risk, a physical one, anything. All types of risk you need to manage when you are working in an organization as a risk manager or as a CSO. So you are managing all this risk, and you have to mitigate the risk. When the risk occurs, the risk becomes the issue; you need to track that, and you need to have a mitigation plan for that. Even if you apply a mitigation plan, there is some more risk; every time there will be some residue left over, a residual risk will be left over. So you need to manage all these things. That is all about risk management.

Coming to compliance: what are the compliance policies or standards, and whether the associates are complying with them or not, okay? Whether they are conforming with the rules and regulations. If the government is passing some new rule or new standard, whether the organization will comply with it or not, and at the same time whether the employees are compliant with it or not. When you are taking on a new vendor, whether the new vendors are adhering to the standards set by the government or not, or the standards set by the organization or not. Everything comes under the compliance part.

Within those categories, GRC typically, as I said, has a lot more modules: risk management; third-party risk management, that is vendor risk management; and
then audit management. Everything falls in this place.

So I'll go with a very layman example. It's analogous to brushing your teeth. Don't worry, I won't ask how many of you are brushing your teeth today. I'll go with a simple example: what is policy in brushing your teeth, what is audit management, what is the risk, what is the control, everything I'll explain in this example. I take this example because most people don't understand GRC very quickly, so I take this very layman example, okay?

So, coming to policy, the first statement: how and when we brush our teeth is the policy, okay? It is where we tell someone how to do things, like how to brush your teeth, up and down, or when, once in the morning and once at night. You set a policy for your kids, right: "Hey, you have to do your brushing like this, up and down, once in the morning and once at night." This is the policy we set, right? And promoting these policies to the enterprise level is nothing but policy management.

Coming to controls. Control is one word we usually use in GRC. So what is this control? Control is all about the techniques we use while we teach our kids how to brush, right? Like singing the ABCD song or numbers, or "you need to brush like this". The techniques, like singing the ABC song or numbers. So it's stupid; that is control, okay? And we monitor, and we verify if necessary, right? We want to know whether he is doing his brushing correctly or not. So that is governance inside of the house.

And every six months you have an audit for your teeth brushing policy. It is called the dentist visit; that is nothing but audit. While you visit your dentist, he might be reciting something, he might have found something. So you come back and you change your policies. He might have said you need to work on this here, you need to work on the left tooth, you need to work on the right. Something is not
going good, as per the dentist, as the auditor. You will come back and you will change your policy, right? You will change how to brush your teeth, or maybe you might be doing it thrice. You will change your policy. So that is a continuous, ongoing process, and policy keeps changing. And if you don't do it correctly, then there is a risk involved in not doing it correctly, like physical pain, or fillings, or a potential tooth loss, right? That is the risk part.

In a simple layman example, this is what policy, audit, policy management, controls and risk are in GRC, okay? So GRC is nothing but looking at systems which present risk or are required to maintain compliance, like applications, servers, departments, anything. GRC is nothing but brushing your organization.

Any queries here? I'll just give a pause. Maybe I'm going too fast or too slow. Has everyone understood what a policy is, what the risk is, what an audit is? Yeah? Okay, good.

So what is the GRC framework, then? The GRC framework is, as I said, managing organization-level governance, risk management and compliance through different regulations. Everyone might be aware of ISO, "we are ISO standard". What is that ISO, or "we are NIST"? If you are in the US, you might be hearing HIPAA and NIST continuously. In most of the world we will be hearing ISO: "we are ISO 9001", "we are ISO" some other number standard. So the frameworks set some rules; the guidelines are already set by these third-party entities. Managing your company's overall governance, risk and compliance through these regulations is called a GRC framework.

So what is ServiceNow GRC? ServiceNow GRC offers these things: governance, risk, compliance. These are the four modules. Usually we either...

Excuse me, sorry, I've got a question for you.

Yeah.

What version are you working on?

Sorry?

What release, the ServiceNow releases, are you working on? Are you trying
this on?

Yes?

I said, what release are you training us on?

What release? Currently I'm not providing any training; this is the demo part.

I know, I know. I know what the training is going to be. What release?

Well, currently it's on the New York version.

Okay, so you're going to train us on New York?

Yes.

Okay. Will this prepare us for the exam? Because I want to take the... I don't know, some people are very new to ServiceNow GRC. I'm not new to ServiceNow GRC; my wife is new, but I want, you know, an additional brush-up for the exam, this CIS in Risk and Compliance. Which means you have to be able to explain the framework in detail, go into the detailed tables, all the extended tables, all the tables and the framework. That's really where most of the exam comes from. So if you can do that, that would be very good. I know a lot of people will be interested in the rudimentary part, like what GRC is, which is cool, but for me, I'm really interested in what can make you pass the exam, which is on the New York version. Basically, right now it's no longer called profile type, it's entity type. So those kinds of things should reflect in the training. If your training will cover that, that would be very good. That's just my own piece.

So the next part is... I'm just going through this because most people don't understand what GRC is.

Yeah, yeah, I get that.

Okay. So this is my agenda, this is the last slide of my PPT. This will be the agenda, the modules I am going to cover. This is completely from the IRM implementation book, okay? These are the modules I'm going to cover. The first part, because, as I said, most people don't...

Yeah, that's fine, that's fine. Go ahead. Sorry.
Thank you, never mind. So that is GRC, and ServiceNow GRC covers these modules: policy and compliance management, risk management, audit management, vendor risk management, and the various accelerators. These things can go differently sometimes. You can install policy and compliance management separately for a customer, you can implement risk management separately, you can implement audit management separately, or policy and compliance and risk management can go together. That is what ServiceNow is now calling IRM. As someone said, they are preparing for CIS; now they're calling it CIS-IRM, integrated risk management. No one is calling it GRC now, because policy and compliance and risk are much more integrated now, so they're calling it IRM, integrated risk management, and the future will be in IRM.

So these are the modules available. In policy and compliance management, you can see on my screen the policy management we talked about. Policy acknowledgement: when the organization sets some policy, whether the employees or the organizations are acknowledging those policies, and whether those policies are helpful or not. To manage all these things there is a module available, policy acknowledgement. This came very recently, after the New York version. Policy management is of course the core one: how to manage your policies, the workflow of the policy, and control objectives, everything comes under policy management. Policy exception is nothing but this: when someone is not able to implement your policy, there should be some exception, why they were not able to implement that policy, and the compliance manager will review it. There is a whole life cycle for the policy exception; that will come under policy exception. And then compliance management: the controls, the indicators, everything comes under compliance management.

Then risk management. Coming to risk management: how we are assessing our risk, the
scoring part and the calculation, the hierarchy part, the top-to-bottom approach in an organization, from individual risk to organization risk, how you are scoring, okay? That is all about risk assessment and advanced risk assessment. Anyone can raise a risk: not only risk managers or risk users, but anyone in the organization can identify some risk and they can raise it. That is all about risk events and how you are managing them, advanced risk management in ServiceNow. Those are the modules mainly covered in risk management.

Audit management is a very small module: how audit management links between risk and policy and policy exceptions.

Then vendor risk management. As I said, risk will have a reputational risk involved, a financial risk involved; I didn't go through much of that part, because the basics of GRC I'm not going to teach. Vendor risk management is a type of risk which will happen when you are onboarding a third-party vendor, or working with multiple vendors. So the vendor tiering, or the costly templates, documentation templates, everything comes under vendor risk management.

Various accelerators is nothing but the performance analytics part, or various ServiceNow basic offerings; that will come under various accelerators.

So this is all about ServiceNow GRC, and this is how it is integrated in ServiceNow: risk management, policy and compliance management, and audit management. Of course there is another module, SecOps, which will be tightly attached to GRC. We are not going to discuss that; that will again be separate modules. This is how policy, risk, audit and vendor risk sit on the ServiceNow platform. We'll have the ServiceNow basic functionalities, as we use in the other modules, and this is how it sits on the platform engine.

So why is ServiceNow GRC needed? As everyone knows, ServiceNow is all about digitalization, right? You manage everything in
cloud, and you are moving from the old school to completely automating something, or you're moving to the digitalization part. Usually, in whatever implementations I have seen, they are maintaining their policies in a SharePoint folder, or they manage their risk in an Excel sheet. The audit guys come and they manage in an Excel sheet. They keep on sending emails, like "you need to adhere to this", "you need to do this". They follow Excel sheets and emails, they sit and do meetings; there isn't any digitalization. So they work in a very confused department manner, with different types of people collaborating using this old-school methodology. Coming from that to complete automation or digitalization, ServiceNow is the tool that helps you in transforming from the old work to a new model, which helps you generate reports.

It is a workflow-driven process. Like I said, there is a workflow process involved in policy, there is a workflow process involved in policy exception, there is a workflow process involved in risk. There are so many workflows provided out of the box; that will be covered in the next modules. And the transparency part: who can see all types of risk, who can do the assessments. There will be roles involved, like compliance user, compliance manager, risk manager. Like our roles such as itil in ITSM, or if you take HR there will be different roles, likewise we have different roles involved in GRC also, and who can see what data all comes in there. That's where ServiceNow GRC plays a major part.

The training covers all these topics. Someone was asking what is going to be covered as part of these sessions. These are the modules. The GRC overview: preparing our client, or whoever is going to implement ServiceNow GRC, how we are going to install the plugins and what modules you are going to get. That is the first module. The second module is entity ownership. Entity is one thing I didn't cover as
part of the definitions in GRC, because entity or entity scoping is something ServiceNow offers. When you usually talk with any organization's CSOs or risk managers, most of them don't understand entities or grouping their profiles; they might be talking to you directly about the controls, or policy, or exceptions, or policy statements. ServiceNow offers this beautiful concept, entity scoping, for automating; that is something we are going to cover.

The policy and compliance implementation approach is obviously the module for what forms are available, what tables are available, what roles are available, what automations are available, and how the process flow goes in policy, policy exception and issues.

And the final one is risk management, risk implementation: what is the workflow involved in risk, what is the workflow involved in risk assessment, and, when you are mitigating and assigning some task with respect to risk, risk response tasks, what is the workflow involved in risk response tasks. What is qualitative and quantitative risk, and how the calculations go in ServiceNow. All these things will be covered under the risk implementation approach.

And of course the extended capabilities also, something like SLAs. The SLAs can be defined on only a few tables in risk and policy and compliance management, so what are those tables, how the PA works, what different types of portal stuff are available in risk and compliance implementation. So all these six modules are covered under risk and compliance implementation.

If you are looking for vendor risk management, this is a separate slide. I'm not going to teach it in the risk and compliance implementation, because vendor risk management is completely a separate module. If you are looking for CIS-VRM training, it is again a different session altogether. These will be the modules covered in vendor risk management implementation, if you are looking for things like what is vendor risk
management, what ServiceNow out-of-box features are available, how you manage vendors, the vendor database, the vendor contact database, the different vendor tiering scores, everything, the template part, what the vendor portal looks like, how the third-party vendor contacts access the vendor portal, and how they respond to your vendor risk assessment. All this will be covered in vendor risk management.

Yeah, that's it. I might be too quick because of the time I have been given. That's overall what I'm going to cover, and this is very much in brief about the GRC overview and what I am going to cover as part of the ServiceNow GRC implementation. Any queries? It's the Q and A part; I will give two to five minutes if you want.

So vendor risk management is not part of GRC? So it's a separate CIS exam?

CIS-VRM is a separate one. CIS-IRM and CIS-VRM are separate modules.

Okay. How many weeks is this training for?

I didn't decide that, whether it will be a daily session or a weekend session. I'm not sure; I didn't talk to these guys yet. It usually takes a 24-hour training, 24 or maybe 26 hours. If you are taking it only on the weekends, maybe a two-day complete training will be enough, or it will be a one-way, at least seven to eight days of training, basically.

Come again, come again. If you're doing what?

If it is a weekend session, a two-day training, one Saturday and one Sunday, will be enough.

What do you mean, like how many hours on a Saturday?

Sorry?

You mean, like, the whole day?

Yeah, the whole day. Maybe a 24-hour session; if you are taking the whole of GRC it will take at least...

So this session is 24 hours, and how many days are you saying? If I want to do a weekend session, I'm going to have to take it on both days, like 12 hours a day, is that what you're saying?

It is based on how it goes in the lab. If you are going to do the lab in front of me, it will take more time. If you are good at ServiceNow and if you are going to take
the lab outside of these sessions, then it will take eight hours and eight hours: eight hours on Saturday and eight hours on Sunday.

Yeah, I think that might be too long. I want something like, I'll probably do the weekday sessions, maybe a few hours, like four hours a day or three hours a day or something, for a week or so.

Right. Usually I plan it that way, but it is based on all the attendees' availability. Yeah, we can plan on the weekdays.

Okay, sounds good. And this training will prepare me for my CIS exam?

Yes.

Do you have the CIS certification yourself?

Yes. This will help you to finish your CIS, but I'm not going to provide any voucher for it. I don't know who will be providing vouchers, or you might already have a voucher, I'm not sure about that.

No, no. Yeah, I have a voucher. But I'm just asking, are you certified in CIS yourself?

I'm certified myself, yes.

Okay, so you are ServiceNow certified, CIS-GRC?

Yeah. Not the Paris version; I didn't write the delta. But I'm certified in IRM, yes, I'm certified in integrated risk management, I'm saying.

Okay, but you're not certified in CIS itself?

I'm certified, I'm telling you, yes.

But not in ServiceNow CIS, which is compliance and risk management?

Yes, yes.

Okay, okay. So I plan to take the exam. I took it once and I failed it, so I feel maybe this session would help me.

Yes, of course, it will help you.

Okay, thank you.

I'm going to talk about each and everything, like what formulas are involved to calculate qualitative risk, what formulas are involved in quantitative risk analysis, which questions they will be asking. How the annualized loss expectancy will be calculated, that can be a question.

Yeah, and the different tables that extend from, maybe, profile type or entity type, all the tables, the framework. A lot of questions come from the framework.

Yes. I'll show you one different slide. Maybe you
might be wondering what the slides in the next sessions will be, because this is a basic one and a demo one. I didn't show that. Let me share the other one. Are you able to see my screen?

Yeah.

Which one are you seeing? This is for VRM; we're not doing VRM now.

I see P and C, policy and compliance.

So I'm going to teach like this in the next ones. This is module four of my training. You are going to understand how the policy record works in ServiceNow GRC, and what the different stages are. Questions will come on this also, like who can review a policy, whether it's a compliance user or a compliance manager. The questions would be like this: what is the step after review? This is all about the policy record. This is about the control record life cycle: who can attest, who can do what, and what the table name is, everything.

Okay, okay.

In this training there is usually a small lab exercise, like what different requirements we usually get when we are implementing ServiceNow GRC. Some small lab exercises I'm going to give, that's it.

Are we going to get the free version of ServiceNow, so that I'll be able to get GRC there?

Unfortunately I can't provide that, because this offering is not provided directly by ServiceNow, right? So you can have your own demo instances readily available; that should be a prerequisite. And unfortunately we can't do performance analytics in demo instances; I think you are aware of that.

So we'll get a demo instance, but I'm not sure if the GRC plugins are there for this thing.

It can be activated in a demo instance. You don't need to worry about that. Just make sure that you have your personal developer instances available. I can help you with how to install the GRC plugins.

Okay. Because the last time I checked, the GRC plugins were not there. It wasn't fully functional; everything wasn't there in the demo instance.

What are the modules you have
said? Except performance analytics...

I haven't checked. I checked on the Madrid version; this GRC plugin was not there.

Let me open my personal dev instance for you. I just need to wake it up. I think, if you have just five more minutes, I can show my personal developer instance. Okay, so we can do all the lab exercises there, right, except the performance analytics lab.

Yeah, that's like five percent of the exam.

Yes. You can do all the remaining others.

Okay, that's interesting. I never knew it was there.

So let me wake it up. I'm just waking it up; I can show you the personal dev instance. Oh my god. Oh, sorry, I need to restore it, so it will take longer.

It's fine, it's fine. I mean, I believe it's fine. So I'll just look it up. Okay, thank you.

Yeah, okay. One more last thing: it's not on New York, it will be on Orlando. I installed everything on the Orlando version, and I am going to give training on the Orlando version, not New York. So Paris, I don't have it. I didn't go through the delta, I'm sorry for that. I can kill people.

But the exam is on the New York version, right?

You have Paris readily available now. Paris is already open.

I know, but the exam is going to be on the New York version.

No, I had the Orlando delta, so that is good.

But will that work for me taking the exam?

Sorry?

If I want to take the exam right now and you're training me on Orlando, and they're currently on Paris, the training should be on New York.

Yeah, right, correct.

So it's going to be on New York, right?

The training will be on New York, and I'll cover it on Orlando. I will try to cover Orlando also, if possible.

It is the latest, right, or not?

Orlando is the latest.

Okay, so the training should be on Orlando.

We'll be on Orlando, yes. Okay. So I request everyone, if everyone is going to continue these sessions, to have a personal dev instance available on Orlando.

Okay, thank you.

Just a quick question. Is there a prerequisite to become a ServiceNow admin to take up this
GRC?

Yeah, of course, because if you don't know how to configure a form, or configure a list, or even how to impersonate different users, it will be tough for those guys. Because, as someone was asking, they want to try it, and they don't want me to teach how to impersonate also; it will be killing others' time. So at least they should be CSA; or they need not be CSA certified, but at least they should understand how ServiceNow works. When I say, "Hey, navigate to this module", they should understand that. I should not be saying, "Type something in the left nav, and you click on that, and you click on the hamburger icon". It will literally kill your time. So, everyone agrees?

Yeah. No, I'm aware. I'm not certified, but I'm aware of all these things. I understand ServiceNow from an admin point of view also. When you talk about user navigation, roles, the UI, everything I understand. But I am not a certified person, so will that be a problem?

No, that won't be a problem. That is fine, perfectly fine.

Okay. But to take up the exam, do you need to be a certified CSA? No, right?

No, not required. If you have a voucher available, you can take CIS also. That is not a prerequisite; CSA is not a prerequisite. Just for training purposes, at least you should understand ServiceNow fundamentals. But to take up the exam, no, it's not a prerequisite.

Okay. I don't get this concept of the voucher. Who issues this voucher, and how do we get it?

ServiceNow will provide that. Either your organization will be providing it, or you might be talking with the training facilitators. I'm not sure how you are getting the voucher, but usually, if you are a partner with ServiceNow, if there is a partnership like partner, strategic partner or premier partner with ServiceNow, then you go through trainings, with which you will also get a voucher.

Okay, so the voucher is something we don't really have to pay for? It's just a rio?

No, you have to pay
for the training. As part of the training, the voucher is the last step; they will provide it, and you can use that voucher to get certified. To write the exam, to schedule the exam, you need a voucher.

So I go through the training now with you, okay, I finish the training. Now if I need to go ahead for the exam, what is the approximate cost?

It's like thousand five hundred, thousand four hundred; I think it's eighteen hundred now, I don't remember. If you are going to pay 1800, I don't think, you can directly pay in ServiceNow, and ServiceNow again will provide the same type of training and the voucher.

Oh, okay.

And you will get a demo instance from ServiceNow itself. There you can do the performance analytics lab as well. You got my point, right? You can go to Now Learning and you can opt for it if you are willing to pay that eighteen hundred dollars for this GRC. You will get a three-day training along with the voucher, and along with that a demo instance will be provided. The trainer can teach, and while doing the lab you will be able to do performance analytics and a few more capabilities which you cannot do in a personal dev instance.

Thank you.

So usually what happens is, in these trainings, most of the people who opt in have been working on the ServiceNow platform for years. Their client might be asking them to do some GRC stuff, and they are not willing to pay 1800 and get certified. They want to understand how ServiceNow GRC works. They will come to this training, they will understand GRC; they don't want to get certified, they just want to implement it for their clients. So those types of people will come to these sessions, based on my experience. Or someone might be having a voucher, maybe they got it from someone, but they were not able to get training from ServiceNow. Those people also will come to these sessions. They will get trained, and then they will write the exams.

Okay, got it.

Any other queries for me, or I'll hand over to IT
Canvass. Okay, that's it from my side. Thank you.

Hello, Chaitanya.

Yeah?

So can we drop the session for today?

Yeah, we can drop the session. Thank you, thanks for joining. Thanks to everyone.

Yeah, thank you all. Have a good day.

Yeah, I'm going to end it.
https://www.youtube.com/watch?v=YhgM2zfn1P0