GRC Part 2 | Policy and Compliance - Continuous Controls Monitoring

Import · Oct 12, 2020 · video

Hello everyone, this is Scott Ferguson, principal architect with ServiceNow, and for the next few minutes I want to talk to you a little bit about continuous controls monitoring within ServiceNow. As we start to look at this demo, there are some other pieces that you may want to wrap around this contextually. In front of this, you may have a conversation around policy management; you may have a conversation around authoritative documents and regulations and bringing them into the platform. There may also be some additional conversations around risk management: how controls are used to mitigate those risks, and continuously monitoring those to understand risk exposure. But what we want to focus on here today is specifically the continuous monitoring of controls. This is really a differentiator for ServiceNow in this space; it's something that we can do that many other solutions in the space cannot do.

As we start looking at the functionality, we start on our policy overview dashboard. This is really where a compliance manager, or someone who works in the GRC space, would come to look at how we are doing from an overall compliance perspective within ServiceNow. At first glance, what we see is that I've got over 800 of my controls that are compliant. I may have some that are still in flight, and maybe some that are not applicable: a control was assigned to an individual and it didn't apply to their particular environment, so it's flagged as not applicable. The ones that are still in flight may be being assessed or tested. And I've got very easy insight into those that are non-compliant; in this case there are 103 controls that are non-compliant, and I want to focus on those particular controls. As you'd be familiar with from any report or dashboard within ServiceNow, they're actionable: you can click into them and get to the details behind them. So I get a list of controls that are non-compliant.

Now, I feel like it's a pretty bold statement for us to say "this control is non-compliant," and to be able to actively update the status of that from compliant to non-compliant systematically. Traditionally, organizations spend time manually assessing a control, and we're doing it automatically. Let's look at these controls, and we'll focus on a couple. Here, for financial accounting, I can quickly see some of these controls that are non-compliant, so let's look at this one around establishing and maintaining a patch management program.

Before we talk about how I was able to see that it was non-compliant, let's talk a little bit about the control itself. There's a life cycle to a control. A control gets identified through our entities and the entity types within ServiceNow, but this control gets assigned to an owner. So James is assigned this control for financial accounting that says "you need to maintain a patch management program." Throughout that life cycle, James has to attest to that control: "yes, I've implemented it within my environment." That goes through a review stage, where the second line of defense or the compliance team looks at that evidence and says "yes, it looks like this control is implemented," and it moves to the monitor state, which is where continuous controls monitoring comes in. We can now actively validate: is James doing what he needs to do to ensure compliance within the environment? This control may tie back to different citations, authoritative sources; it may tie back to a policy. Regardless of how it was assigned, we want to make sure that we're proving compliance to this.

A couple of other things I'll point out here: it's an operational type of control (there are reputational types, there are financial ones), but also notice that the classification is preventive. We've got preventive controls that are going to keep bad things from happening; in this case, if we patch our systems before they're exploited, we can keep bad things from happening in the environment. Whereas you may have detective controls, because we may not be able to keep bad things from happening, but we want to very quickly detect that something is out of compliance and be able to respond to it. So we've got different types or classifications of controls. Regardless, there's a control here that we want to manage.

There are a couple of things here at the bottom. We can see there's an issue associated to this, and in this case it says that something bad has happened: it says an indicator has failed, and this issue that's been generated is what's flipped the status of this to non-compliant, because there's something wrong. Now, if we move over to this indicators related list here at the bottom, what we'll see is that there's an indicator, and this is where the continuous controls monitoring really comes into play. We have this indicator that is going to actively evaluate data within the ServiceNow platform and check to see if the control that has been implemented is actually doing what it said it should do.

Another example of this, that we won't show in this demo, may be segregation of duties. Sarbanes-Oxley requires segregation of duties, other regulations require segregation of duties, and it's really to prevent collusion, or people committing fraudulent activity. So what that regulation may say is that the person that's requested a change be made in the environment can't be the person that implements it, and this keeps people from introducing bad code. But we can actively monitor that: you can look at the change request table within ServiceNow and see, the requester, the implementer, the approver, are they different individuals? In which case we can prove segregation of duties. That's what this indicator is going to give us the ability to do: if we find a failure condition, or something that doesn't match what the known good should be, then automatically alert someone and take some sort of corrective action.

Now, for this specific control, we would think that the data we would want to look at is: are there vulnerabilities logged against assets that support financial accounting that have not been patched? If there are, then we're not adhering to a good patch management program. So let's take a look at this particular indicator. In the supporting data section here we're going to see a couple of things. We're going to actively monitor, or look at, the vulnerable item table within ServiceNow. Yes, this requires, in this example, that you have also subscribed to our vulnerability response suite of products from the security business unit. But in this case, if that table is there and you're populating it, you may have information coming in from multiple vulnerability scanners; that data is coming in through the vulnerability response application, it's being tied to assets within the system, and it gets identified as a vulnerable item.

From a GRC perspective, because we want to ensure that people are adhering to the patch management program, I can look at that application and say, well, let's take a look at the vulnerable item table. I want to pull back data as evidence: when was the vulnerability found, what was its vulnerability score, what's its impact to confidentiality, integrity and availability. We're going to capture that as evidence. We only care about open vulnerabilities, and in this case I only care about vulnerabilities that may have an impact to my confidentiality, my availability and my integrity where that impact is complete. I only care about those ones that were found more than seven days ago, because it means they haven't gotten around to it; it's still outstanding, and we want to take some sort of action. So we're able to actually monitor data within the system. If we find something that matches, we want to flag this asset, we want to say it's non-compliant, and then we want to take some sort of corrective action.

Now, we can see that we're looking for a condition, and we're going to run this every single week. This is where that continuous monitoring comes in: we can run this on a weekly, monthly, quarterly or daily basis. Based upon the scenario, I have to understand which one is the most important, but in this case we're going to look at this on a weekly basis, because we may only patch on weekends; on a Monday we're going to look at things that haven't been patched in the last week. The last couple of times this has run, you can see here that it's actually failed, and we could drill into that and get to the specific vulnerabilities that are exploitable here and may increase the risks to our organization. But the fact that these failed doesn't go unchecked: if we move back, because this indicator failed, that's what actually updated the status of this control to non-compliant. When an indicator fails, it's going to update the status to non-compliant and it's going to create an issue. If we go back to this issue, we can drill into the issue that was generated by that indicator failure. An issue is a task-based record, and it's been assigned to James, the owner of SAP financial accounting. So when James comes in and looks at his work queue, he can see "oh, I have a new issue assigned to me on Monday," and in this case, in the related list down here, we see that the "validate patches have been deployed" indicator failed on August 26th. He can then go take corrective action: understand why something wasn't patched, and figure out what needs to happen to resolve this particular issue to get his control back to compliant. Where we see that issue that's been assigned, there are going to be SLAs, notifications, all the capabilities that exist within task management within ServiceNow are going to apply to this issue as well.

As we wrap up this conversation, we're going to move into our compliance overview. We started with our policy overview, and we were very quickly able to get to a control that was non-compliant because of a policy that may have been set forth by the organization. When we look at the compliance overview dashboard, we see a little bit different spin on this data. We still have all the same number of controls, but instead of being tied back to a particular control, it's going to be tied to a particular regulation. Someone that may be a compliance manager here, Grace, may care about, maybe, an auditor coming in who is going to do a PCI audit; or maybe this is a public sector customer and they have to prove compliance to FedRAMP or something to that effect; maybe it's a retailer that has to look at something around payment card industry, protecting that particular data. Regardless of what that may be, here on our compliance overview I can do something like, well, let's drill into PCI. I can select that slice of the pie, so to speak, and now very quickly get to: I've got 32 non-compliant controls specifically tied back to PCI.

The power of continuous controls monitoring within ServiceNow is because ServiceNow takes this asset-centric view of compliance. Because we assign controls out through those entities and entity types to individual assets (an asset can be a piece of technology, it can be a location, it can be a department, it can be a company), they can use the indicators to actively look at data that exists within the ServiceNow platform, whether it's IT Service Management data, operations data, security data, HR data, whatever that may be, and evaluate that control against those items in the environment to prove compliance actively, and then only have to respond through issues management to those things that are non-compliant, saving them time and alerting them very quickly to those things they need to get back on track. Thank you for your time today.
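The indicator mechanism the talk describes (a scheduled query over a supporting-data table, a failure condition, and on failure a non-compliant control plus an issue routed to the control owner) can be modelled in a few dozen lines. The block below is an added, constructed example written for this page; it is not ServiceNow code and does not use ServiceNow's schema or APIs. Table names, field names, the owner names, the "run date" of 26 August 2020 and all records are assumptions. It implements both indicators mentioned in the talk: the patch-management indicator over a vulnerable-item table (open, complete impact on C, I or A, found more than seven days ago; "any of C/I/A complete" is an assumed reading of the filter) and the segregation-of-duties indicator over a change-request table (requester, implementer and approver must be three different people).

```python
"""Toy continuous-controls-monitoring engine modelled on the indicator flow
described in the talk.  Constructed example: every name, field and record
below is an assumption, not ServiceNow's data model."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional

AS_OF = date(2020, 8, 26)   # constructed run date (the demo's failure date)


@dataclass
class Control:
    name: str
    owner: str                        # owner who attested to the control
    state: str = "monitor"            # life cycle: attest -> review -> monitor
    status: str = "compliant"         # flipped by a failed indicator
    issues: List["Issue"] = field(default_factory=list)


@dataclass
class Issue:
    """Task-style record created on indicator failure, assigned to the owner."""
    control: str
    assigned_to: str
    indicator: str
    failed_on: date
    evidence: List[dict]              # matching supporting-data rows


@dataclass
class Indicator:
    name: str
    control: Control
    table: List[dict]                 # supporting data: rows of the monitored table
    failure_condition: Callable[[dict, date], bool]
    evidence_fields: tuple            # fields captured as evidence on failure
    frequency: str = "weekly"


def run_indicator(ind: Indicator, as_of: date = AS_OF) -> Optional[Issue]:
    """One scheduled evaluation.  Any matching row is a failure: the control
    goes non-compliant and an issue carrying the evidence is created."""
    matches = [row for row in ind.table if ind.failure_condition(row, as_of)]
    if not matches:
        if not ind.control.issues:        # no open issue still attached
            ind.control.status = "compliant"
        return None
    issue = Issue(ind.control.name, ind.control.owner, ind.name, as_of,
                  [{k: row[k] for k in ind.evidence_fields} for row in matches])
    ind.control.issues.append(issue)
    ind.control.status = "non-compliant"
    return issue


def unpatched_high_impact(vi: dict, as_of: date) -> bool:
    """Open item, complete impact on C, I or A (assumed 'any of'), found more
    than seven days ago, i.e. still outstanding after a patch window."""
    age_days = (as_of - date.fromisoformat(vi["found"])).days
    return (vi["state"] == "open" and age_days > 7
            and "complete" in (vi["impact_c"], vi["impact_i"], vi["impact_a"]))


def sod_violation(chg: dict, as_of: date) -> bool:
    """Requester, implementer and approver of a change must be three people."""
    return len({chg["requested_by"], chg["implemented_by"], chg["approved_by"]}) < 3


# Constructed sample rows for the two monitored tables.
VULNERABLE_ITEMS = [
    {"number": "VIT0001", "asset": "fin-app-01", "state": "open", "found": "2020-08-10",
     "score": 9.8, "impact_c": "complete", "impact_i": "complete", "impact_a": "none"},
    {"number": "VIT0002", "asset": "fin-db-01", "state": "open", "found": "2020-08-22",
     "score": 8.1, "impact_c": "complete", "impact_i": "none", "impact_a": "none"},
    {"number": "VIT0003", "asset": "fin-app-01", "state": "closed", "found": "2020-07-01",
     "score": 7.5, "impact_c": "complete", "impact_i": "complete", "impact_a": "complete"},
    {"number": "VIT0004", "asset": "fin-web-01", "state": "open", "found": "2020-08-01",
     "score": 4.3, "impact_c": "partial", "impact_i": "none", "impact_a": "none"},
]
CHANGE_REQUESTS = [
    {"number": "CHG0001", "requested_by": "alice", "implemented_by": "bob", "approved_by": "carol"},
    {"number": "CHG0002", "requested_by": "dave", "implemented_by": "dave", "approved_by": "erin"},
]


def build_demo() -> List[Indicator]:
    patch_ctrl = Control("Establish and maintain a patch management program", owner="james")
    sod_ctrl = Control("Segregation of duties for changes", owner="grace")
    return [
        Indicator("Validate patches have been deployed", patch_ctrl, VULNERABLE_ITEMS,
                  unpatched_high_impact, ("number", "asset", "found", "score")),
        Indicator("Requester, implementer and approver differ", sod_ctrl, CHANGE_REQUESTS,
                  sod_violation, ("number", "requested_by", "implemented_by")),
    ]


def run_all(indicators: List[Indicator], as_of: date = AS_OF) -> Dict[str, str]:
    """Scheduled run: returns control name -> status after every indicator ran."""
    for ind in indicators:
        run_indicator(ind, as_of)
    return {ind.control.name: ind.control.status for ind in indicators}


if __name__ == "__main__":
    inds = build_demo()
    for name, status in run_all(inds).items():
        print(f"{status:14} {name}")
    for ind in inds:
        for iss in ind.control.issues:
            print(f"  issue -> {iss.assigned_to}: {ind.name} failed {iss.failed_on}, "
                  f"evidence {[e['number'] for e in iss.evidence]}")
```

Running it flags only VIT0001 for the patch control (VIT0002 is inside the seven-day window, VIT0003 is closed, VIT0004 has no complete impact) and only CHG0002 for the segregation-of-duties control, each producing an issue assigned to that control's owner with the matched rows attached as evidence. The evidence list is what gives the owner something concrete to act on, and the age threshold is what keeps the indicator from failing on findings the normal patch cycle has not yet had a chance to address.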

Original source: https://www.youtube.com/watch?v=a7rVx7m7A00