Indicators for GRC, why and how they will change your life.
Eric: Hello GRC community and welcome back to another video tutorial to help you get started with ServiceNow applications. My name is Eric Farrell, I'm in Santa Clara, California, and first I want to wish you well in these uncertain times; I hope we are all safe and in good health. Today I'm joined by two GRC experts: Ben Forest, who has been a guest on a number of tutorials before, and Phil, who is one of our very active community contributors. Hello Ben, good to have you back.

Ben: Hey, it's a pleasure.

Phil: Hello Eric, thank you for having me.

Eric: Today we're going to talk about indicators, how important they are and how to set them up. So Phil, to set the scene for us, why do we want to talk about indicators?

Phil: Indicators are now helping to move your GRC implementation up the maturity scale. Indicators are what really enable continuous monitoring of risk and compliance.

Eric: So here's our program for today. First we're gonna have a few quick refreshers, then we'll talk about the rationale behind the need for indicators and an overview of indicators, the value that they offer and some recommended practices, followed by the product demo, and of course you're going to end up with some recommendations. I will get us started with a couple of refresher slides. As usual, this tutorial is part of the Get Started with GRC series, so it's really aimed at people and organizations in the early stages of implementation. We want to make sure that you have the knowledge and tools to quickly realize value from the product. In the future we will have more tutorials for the more advanced people and organizations. Here is a slide you've seen before; it helps position indicators in the overall life cycle of a control. We saw this slide in a tutorial we did last year with Scott Ferguson. There is a link in the bottom left corner of this slide; through it you can access the PDF version of the slides. All right, Ben, I would like to start with you. Please help us understand what indicators are.

Ben: Great. Well, indicators really are the sort of canary in the coal mine, the pre-test between audits that we use to make sure that we understand whether or not the control is actually compliant. Now of course we have our folks that are the control owners that are doing the attestations themselves, but the indicator actually is our gauge; it lets us know if the entity is fully compliant or non-compliant. So in the old days people thought of a traditional control test; we used to do them kind of out of a sense of paranoia, and sometimes they'd be called QA. You know, you'd get the auditor, and it would be like, "Oh, I'm here to see if you're compliant, please provide me a list of controls." And the policy person would go, "Okay, here you go, yes we're quite compliant, and note the large number of our rules related to your laws, etc." And the auditor would go, "This is very nice. When we checked last time, to ensure that your employees were following these controls, what was done?" And of course the policy person would be like, "Ha ha, you know, all of our employees are of course compliant, they always follow the rules, they don't violate these rules at all, ever, because it's in our policy." And of course the auditor is going to come back and say, "Well, yeah, would you mind if I simply verify this for myself?" And of course the policy person's like, "I'm sure." So what we really want to see is, before the auditor gets here, before that final last line as it were, we want to be able to provide a heap of evidence that says yes, we have constantly been monitoring things, and we have our indicators that have told us exactly when we're in compliance and when we're not in compliance.

Eric: All right, so you've seen this slide before when we talked about compliance scoring, and Ben, you're gonna show us where the indicators fit in here.

Ben: Right. You might see that we've got our policies, which then relate to our control objectives, and we then instantiate all of our controls on each of our entities, whatever they might be. So in order to ensure that those controls are actually compliant, in addition to the attestations, where the first line is saying "okay, we are going to be compliant", we have little continuous checks that evaluate whether or not they're actually compliant in real time, and this gives us an opportunity to see how to fix things as issues crop up. So we don't want to wait until the actual audit engagement to see an issue; we want to see it right away.

Eric: All right, and just as a reminder, there's a link at the bottom of this slide, available in the PDF version of the slides, that takes you to the compliance scoring tutorial. So now you're going to take us through an example of this.

Ben: That's right. So we're going to take a look, relating back to our previous videos. We've done basically a set-up related to the current situation with COVID, and let's say that we've got a policy that says that all of our remote employees have their equipment, everything that they need to do their job. So the control objective is that we are going to say to each department head: make sure your people have what they need. So that's the control; the control owners are the department heads themselves, for each of customer support and HR and IT etc. They're going to attest that each of their employees has what they need. Now the attestation itself is great, and we trust our people, we trust our managers, but in order to just make sure that everybody's got all their i's dotted and t's crossed, we're going to create an indicator, which is then going to create a validation step. It's going to be that canary in the coal mine, just that reminder: let's double-check. So we're going to go ahead and instantiate a few of our indicators against each of these controls and we'll be able to see whether or not they're actually compliant, and you see in our example that we've got a couple of departments that are doing exactly everything that they need to do, however we might have one that does not pass.

Eric: Okay, and we're gonna see this later in the demo with Phil, how to set these things up and how it manifests itself in the product. So this is a great, simple explanation, but I suspect that things can also get quite a bit more complicated.

Ben: Oh yeah, because we can go real deep, but we're gonna start here at what we call a manual indicator. As a quick reminder to everybody, we've got several different methodologies that we can use, and at first we're going to start with the manual kind of indicator. We like to say that it's an on-ramp to getting a little bit more sophisticated in the platform itself. So usually we'll start here with manual indicators, and a manual indicator means that a person is going to be making a decision related to whatever supporting data or supporting evidence we have. Oftentimes this means that we can really easily translate anybody's existing control tests and/or their existing QC or QA methodologies that they use prior to an engagement, and we often will start here because this makes it very, very simple: we can easily translate any of those existing methodologies into a task where a human makes a decision. Now oftentimes that's because either we don't have enough data in the platform (maybe you're just getting started with ServiceNow and the data doesn't exist in the ecosystem yet, and you may be having to check other systems too to get that information, that evidence), but as you get more and more data into the system you can still use a manual indicator, again because a human has to make a decision; we maybe haven't set up a test or a methodology yet that allows you to feel comfortable completely automating it. Now when we get into the basic realm, the basic indicators, those presume that all the necessary evidence is inside the ServiceNow platform itself. This is going to be things like your ITSM process already generating change control records, and we can quickly assess those using a very basic pass or fail test. And then as we get more and more sophisticated we can get into the scripted indicators, which really have no limits; this gives us the full power of the platform. This is where we can do things like using PA thresholds and targets and limits; we can also use this to leverage some of our integrations and so on. So the sky's the limit with scripted, but we're going to start over in the manual section because I think that's where most of our folks are really just kind of getting their teeth cut in the platform.

Here, the way that we do this is almost exactly like we do our control objectives or our risks in other videos that Eric's done. We're going to be basically creating what we call a template, literally just that, an indicator template, and that is going to be our method for quickly creating indicators automatically and relating them directly to some of our control objectives. So this will then propagate those indicators across all of our entities and let us know whether or not they're truly compliant. Now when everything goes correctly we're able to cover all of our bases. So in our previous example, where maybe the third line kind of comes in and says "hey, let's go ahead and check all of your controls and make sure that you're really doing what you say you're doing", when we have indicators this provides us a great level of detail that we can hand over to the audit team and say, there we go, I can show you that I have checked daily, weekly, hourly, monthly, however often we need to, to ensure that level of compliance, and we've got a full audit trail. This also gives us an idea over time of how we're performing. So in our overall model, you've probably seen this particular graphic several times, and if you've ever taken a course with us we kind of refer back to this model, but the indicators themselves come from our templates. So once we have those templates, the indicators then get brought together with our risks and our controls, and then all of that data can later be reviewed during the audit engagement itself, and we can use that to report findings and issues and so on.

Eric: Thank you very much, Ben, for this very complete introduction.

Ben: My pleasure.

Eric: Excellent, thanks. So let me move now over to Phil. Phil, you're gonna do a little demo for us. The workflow we're gonna follow is described here: first you're gonna create an indicator template, and we're gonna go through the process of planning the control objective, naming the template, putting together the schedule, the method, the supporting data. Then we're going to create the indicators themselves for all of the relevant controls, for the entities that we are working with; that means actually selecting the template. And then we will execute the indicators to see what sort of results we get. And to make this applicable to Ben's example, we want to follow this model here, and we're gonna focus really on creating those indicators only for customer support and finance, because it would be the same thing for the other entities. So we can go through the process all the way down to a failed indicator and a passed indicator. Does that work, Phil?

Phil: That sounds perfect.

Eric: All right, so let me switch over now to the demo instance. So here we are, Phil. Now please guide me through the creation of the indicator template.

Phil: Exactly. So we're going to create an indicator template against the control objective. An indicator template is going to give us a consistent approach to automatically test that control objective consistently for each of those controls. So if you navigate to your control objectives, Control Objective, we want to find the control objective for "all employees have remote working equipment".

Eric: So I do the star, "employees", to do the search, and I find the control objective called "Employees have remote working equipment". Now a quick note: it says empty here, and I believe that this is because this control objective was created manually and was not imported from an external database. Is that right?

Phil: Yes, sure. So when you load your data in from the likes of UCF, UCF has a unique reference for that, so that would be populated. But you can use this reference field for your own references as well, so if you've got some documentation stored offline and you're moving into ServiceNow from your Excel sheet, for example, you could populate that reference manually. But in this case we don't have one, so it's empty.

Eric: So from here we want to create an indicator template, is that right?

Phil: Exactly. So on your related lists at the bottom you will find Indicator Templates, and from here if you click New that's going to pre-populate the control objective, and this is where we want to start filling out the information about the indicator template.

Eric: So we put a name here, right: "Manager validates remote employee equipment". This is the name for our indicator template, right?

Phil: Perfect, yes. And we just work through now those form selections. So for the schedule I think we probably want to do this monthly. Then the method: it defaults to manual, and that's the type we're going to work through today.

Eric: Okay.

Phil: So we just need a short description. This is the description that the indicator task is going to get, so something like "Manager validates remote employee equipment".

Eric: Okay.

Phil: Exactly. Instructions: this is what we're telling the person who receives that task to do.

Eric: Okay.

Phil: So a manual indicator is going to generate a task, so these are the instructions, something like "Please review attached asset list to ensure that your teams have access to all of them".

Eric: All right. We've got Value mandatory there.

Phil: We don't want to make the value mandatory. And then Supporting data: this is where we really harness the power of the platform, and that's the better story to tell, because the information that we want the manager to review is available in the platform. So if we tick Collect supporting data, this will help the manager in this case to make the decision. If you click the table and just type "computer", there'll be a few options in here, but we want CMDB CI Computer. The supporting data fields: this is now where we can make the information that's presented a bit more meaningful, so something like Name, Manufacturer (you can just double-click as well here), Assigned to (you want to know who's got that piece of equipment), Location, Asset tag, and Operational status as well, to make sure it's not retired or missing. And then the next thing that's going to help make this meaningful is the Use reference field; that's going to enable us to tie the computers back to the control itself.

Eric: Okay, so our controls have been done by department, so how do we get from computer to the department?

Phil: So click the plus next to Assigned to. Department is the one, right? Yep. Click the actual text and you can see then the reference field is Assigned to.Department. So when we execute this indicator it's going to go and get all of the computers that belong to the department that the control is for. So in our case we're going to focus in on customer support and finance, so it's going to show all of the equipment for the users within customer support for one indicator and all of the equipment in the finance department for the other.

Eric: And this is because the entities that we chose belong to the Department entity type.

Phil: Exactly. So the reference field is very important; it's very powerful. If you didn't tick Use reference field you would just get all of the computers that meet the condition. But here our criteria are blank.

Eric: Okay, we want to see everything.

Phil: When you save this, because we're at the indicator template level, the system is going to automatically produce an indicator for all of the controls against that control objective. So a lot of the hard work is being done for us.

Eric: Right now it says it may take a few minutes. There's not a lot of controls here; we're talking about eight controls, so only eight indicators.

Phil: If you just right-click on the top and reload the form. Very good. There is a point here, and one of the things you may want to do is actually modify your list layout to make sure that you can see the entities from here. But that's a different task, something that we might do as part of, you know, some implementation. But if you just scroll up to your control objective field, let's go into that control objective and see how that looks. So from here we can see all of our controls, and we can see that the indicator template we just created now exists.

Eric: And yes, this one.

Phil: Yeah, exactly. And in the controls list, which is just next to it, if we look at our finance control and go into that control, this will now have an indicator against it.

Eric: There we go.

Phil: And obviously, this control, I don't know if you're going into it already, but if you just scroll up, just notice that this control doesn't have a status yet. It's still in draft, it hasn't gone through the process, and the status is None.

Eric: Okay, so that status at the very top, that is going to change now because we're going to execute the indicator. Do we need to keep this control in state draft or do we move it to monitor?

Phil: Typically we want to get them to monitor, but you can execute them while in draft; there's nothing to stop that happening. So if we scroll down to the indicator, let's go into that indicator. So the indicator template was for the control objective, and that gave us the control-objective-wide approach, and now we've got an instance of that indicator template, which is an indicator. You do have the option here to override the template, and also in the supporting data, if you just open that form section, you'll see that the reference field can actually be changed without overriding the template, because that's the one thing that ties it all together. So the reference field should be reviewed once you've got your indicators, but for us we don't need to do that. What we want to do is just click Execute. Because this is a manual indicator, it's going to create an indicator task.

Eric: Okay, so it doesn't automatically create the result; it creates the task.

Phil: And because Natasha is the owner of the department entity, Natasha is going to receive an indicator task. So if you just scroll down and look at the related lists and just go into Indicator Tasks, and right-click on that header bar down there and refresh the list, we've now got an indicator task. So we could go back as well, go back up to the control objective, and do the same thing for customer service, or support.

Eric: So let me go back here and search for the control objective "All employees have remote working equipment". Here we go, and let's find the one for customer service. Customer support is here, so I'll go to the control. Yeah, status None, state Draft, it's the same thing here.

Phil: Yeah, and we've got an indicator down there, so for that one we're just going to go into that and execute it, and then we'll have an indicator task for each of these department owners.

Eric: It's executed. Excellent, we get a task. And one other thing to just check on before we go through this process; maybe it might take a moment. There you go, okay, perfect.

Phil: Okay, that's gone to Rob Woodburn as well. Yep. So just navigate back to the control objective and just take a note of that control objective's compliance score percentage.

Eric: Yeah, so you can see that's zero.

Phil: Okay, just bear that in mind, and then we can go in as Natasha. Natasha has now received an indicator task. In the application navigator just type in "indicator" and you'll see My Indicator Tasks.

Eric: It is here.

Phil: So Natasha's received an indicator task, and everything Natasha needs to do for this indicator task should be spelled out in this task from the generation of the indicator. You can see she's got the short description we entered and she's got a set of instructions, and it says "Please review the attached asset list", and the supporting data that we created has presented Natasha now with a list of 40 computers. She can see who they're assigned to, the location, she can see the status and the asset tag, and now Natasha can make a decision. Now Natasha is the head of the finance department, and from our scenario we know that the finance department has got all the equipment they need.

Eric: Okay, so Natasha looks at this list. This is a task, right? So this is, in ServiceNow, one of the powerful features of tasks.

Phil: So if you just scroll back up to the top there, we can see things like additional comments, right, so she can track this work. She might not be able to do this straight away, but she can use additional comments, so she can say here "All team members have the equipment they need".

Eric: Exactly, because she knows her team and they're talking about it in one-on-ones, in all-hands, or she sent an email to the team and they all responded everything's good.

Phil: Exactly, but this equally could say "Just waiting for Annie to get back to me and make sure Annie is happy".

Eric: Okay.

Phil: So she can use that to track this task, and just click the state at the top; you see that drop-down, it says Open at the moment. So there's a few options here: she can move this to Work in Progress, and that just helps show and track her workload. But right now we're just going to jump straight to the decision, and Natasha has made the decision: all team members have the equipment they need. So if you just change that to Closed, you can see the result is now mandatory, so it's either a pass or a fail.

Eric: In this case she's passed.

Phil: Exactly. If we had ticked Make value mandatory then that value would also be mandatory, but it doesn't quite fit here. That could be a number, it could be a string, you could type a word in there, but it's not mandatory. So just click Save on this and you can see that an indicator result has been created, and just click back to My Indicator Tasks and you can see that's now closed as well.

Eric: So let's do the same for Rob.

Phil: Exactly, and Rob's the head of customer support.

Eric: Okay, so Rob's got two.

Phil: Okay, so the one we want to look at is the most recent one, the 2005. It looks like Rob has a little bit more permission than Natasha, because some of these fields are not read-only like Natasha's, so Rob maybe is the compliance manager or a bit more privileged. But the same is true here. For customer support you can see there's 295 computers; it's got a much bigger team, and remote working for customer support is probably a bit trickier. So we're going to say, for example, Katherine has not responded, or she does not have the equipment.

Eric: Yeah, Katherine needs another monitor, or a new chair.

Phil: But in the additional comments maybe we want to put some information in there, you know, "Katherine needs a new chair", "Katherine needs a new monitor". And the same story in terms of how we complete this journey: the state will be changed, so we will close this.

Eric: Okay.

Phil: And you'll see the same message will come up: an indicator result has been created. And also notice everything's gone read-only here; that task is closed, you can't change it, go back and run it again. It's a point in time, but next month that schedule will run again and Rob will have to answer the same question and check with Katherine again, with the whole team.

Eric: All right, so now we need to go back to who you are, the system admin, right?

Phil: Exactly, and then do a check on the indicator results. Well, let's just start with the control objective, right? Let's go and see what that compliance score is going to look like.

Eric: We search for "All employees" with a star in front, and we see the control objective and we see a compliance score.

Phil: That's what I wanted to show, right: a compliance score of 50. Exactly, yeah, because of the two controls that have now got a status, one is compliant, one is non-compliant.

Eric: Thank you very much for this demo. So here are the big insights. I think, in my view, indicators are easy to create and they really make compliance easy. What seems to be really excellent also is that it brings everything into this one system of record; that makes things simple. And it looks like this is really key, which enables you to do continuous monitoring and have this continuous view of how your business is doing. Do you want to add anything, Ben?

Ben: Yeah, I just wanted to really second that and hammer it home, right. We don't want to be losing any of our tests in spreadsheets, or, you know, spread out across different systems. We want to have it all in one place, all the tasks available, and make sure that we keep everything kind of centralized, so one system of what I like to call engagement.

Eric: All right, so we're coming to the end of this tutorial, and we usually end with recommendations on what to do right now, right at the end of this tutorial. So what would be your recommendation, Ben?

Ben: Well, I would pay close attention to Phil's demo and see if you can translate one of your own control tests into a manual indicator, and then see about maybe thinking through how to create a basic indicator using a similar style or a similar model if you have the data available in the platform. Make sure that you go back and review some of the previous videos to understand entity scoping and see how that can apply, and if you don't have the necessary entities set up, make sure you've got those so you can get your indicators attached to those along with your controls.

Eric: All right, excellent. Well, thank you very much, Ben. Let me remind you before we close: of course the PDF version of the slides is available in the forum. You may have questions; do not hesitate to post them in the Governance, Risk and Compliance forum. And the very last thing that I want to share with you is this slide, which is a bit of an eyesore. It is here to be printed, so please go to the PDF version of the slides and print it out. We built this thing as a sort of cheat sheet that comprises some of the key concepts and simple definitions. You can see that indicators are located at this level. Ben, thank you very much for your time.

Ben: Thank you for having me again.

Eric: Phil, thank you so much for your time and sharing your expertise.

Phil: It's a pleasure, thank you.

Eric: And to the audience, thank you for listening, and until next time, goodbye.
https://www.youtube.com/watch?v=1AXvXrmflZI