Compliance Scoring: a powerful feature that explains the importance of Entities.

Import · Jun 05, 2020 · video

Hello GRC community, and welcome to another video tutorial to help you get started with ServiceNow applications. My name is Eric Farrell, in Santa Clara, California, and first I want to wish you well in these uncertain times; I hope that you're all safe and in good health. Today with me is Ann Marie Fernandez, who is a senior education advisor, a GRC specialist who is contracting with ServiceNow. Hello Ann Marie, and I also hope that you are well.

Hello Eric, hello everyone, very happy to be here with you all. Yes, and thank you, I'm doing well and I'm looking forward to this tutorial.

Many of you will already know Ann Marie, since you may have taken your GRC classes with her, like I did, and today Ann Marie is with us to tell us all about compliance scoring. So Ann Marie, why do we want to talk about compliance scoring, and how are we going to approach this today?

Well Eric, in my experience teaching GRC to hundreds of people, I have found that compliance scoring is a simple concept that really clarifies and brings home the idea as to why entity scoping is so important. It really helps to summarize and shine a light on all the work that can go into setting up the GRC application. GRC is not a plug-and-play piece of software, and a number of concepts need to be mastered before one gets that aha moment that brings the story of the product together, and compliance scoring is one of those concepts and tools that makes what we do tangible and real. One of the big insights of compliance scoring is really the importance, and the actual simplicity, of entity scoping, so I want to share this with the audience today. We'll quickly review the definition of compliance scoring, then I will take us through a simple example to explain how the score is calculated, and then we'll do a quick product demo before some final recommendations.

This sounds very enticing, so let me get us started with a couple of refresher slides. As usual, this tutorial is part of what we call the Get Started with GRC series, so it's really aimed at people and organizations in the early stages of implementation. We want to make sure that you have the knowledge and tools to quickly realize value from the product, and in the future we will have more tutorials for the more advanced people and organizations. This is a heavy slide and we will not review it in detail; it's here so that you can print it and keep it as a cheat sheet. It shows and provides some definitions of the most critical concepts of GRC and how they complement each other. The topic for today, compliance scoring, is at the bottom here in the Evaluate section, but it's tightly related to entities and entity scoping, as Ann Marie is going to show. Enough of me for now; Ann Marie, the floor is yours, please take it away.

So to set the scene, let's start with a very simple definition of compliance scoring. For a single control objective, compliance scoring is very simply the percentage of controls that are compliant. But this is also very powerful, because you can quickly assess your overall compliance posture; you immediately get a complete view of the areas of compliance and non-compliance in your company. It enables proactive organizational compliance monitoring as well as evidence collection and reporting. This granular level, at the entity level, is a very powerful way to gain insights, and will open the door to such things as compliance monitoring, collection of evidence and, of course, reporting. So let's take a look at how this works.

So without ServiceNow and the entities construct, most GRC tools will allow you to reconcile authority and internal policy to the control objectives that support it. That provides a lot of value; however, the problem is that we don't know where, and that is what people, places or things in the organization, are compliant or not compliant. So if an audit is based on this level of data, they will fail the organization if only one part of the organization is found non-compliant, because we don't know where else in the company there may have been a breakdown. So essentially the entire company will fail the control objective; it's a binary pass/fail. In other words, there's no visibility past the control objective.

All right, so it's a very blunt instrument.

Very blunt. With the creation of entities we have a more nuanced result. We can slice the organization into smaller and much more manageable parts, according to the right ownership and accountability. For every control objective, a control is created for each entity, so we have the ability to assign a control owner proactively. Now not only do we understand the parts of the organization that are responsible for the overall control objective, but we have established and distributed the accountability. So with entities we pass/fail at the granular control level, not at the company control objective level. Essentially we take the pass/fail of all the controls and combine them to give an overall compliance score, so there's no longer a pass/fail system at the company level but a more mature grading on a continuous scale. This also allows us to know exactly where our weaknesses are and take the appropriate actions to achieve full compliance. All right, so we get the compliance score, in this case of 2/3, which is 67%, and we see the one entity where the control has failed. So, so far conceptually it's very simple and easy.

It really is, isn't it? So let's have a look at an example of how this would look in real life.

So we have the authority, NIST 800-53, which says that the organization develops, documents and disseminates a media protection policy. Then we have an internal policy that says records and media management requires at some point that these be destroyed after their retention period has expired. Then we have a control objective which says establish and maintain electronic storage media management procedures; that is operationally what needs to be done in the company for the company to be compliant with both the external authority and the internal policy. But now we ask ourselves, how do we distribute responsibility? Let's say we have decided in our entity scoping exercise, for this control objective, to assign control ownership along its key departments, because this is where we find the most adequate ownership, the heads of the departments. Each department is an entity. So far so good?

Yep, this is very clear.

Now every one of these entities has to meet the demands of the control objective with its own control, which is derived from the overall control objective. When these controls are tested, let's say during an audit, for the sake of the exercise we find that one is not yet ready to be addressed; we'll talk about this later. We will also find that one fails and two pass, so 2/3 of the controls pass. This gives us a compliance score of 2/3 or 67%. Now note that if we had not had the entities approach, if the organization had been one single monolithic structure, the test for the control objective would have given a result of fail and no indication as to where or why.

That's very cool. However, I suspect that things can also get a little more complicated than this, right?

Yes, things can get a little more sophisticated, and useful actually. So let's take a look in more detail at what is behind the compliance score number. So the compliance score is derived from the sum of the weights of the compliant controls over the sum of the total weights of the active controls. So let's take a look back at our example. In GRC the state of the control also matters. As you know, controls have to go through a number of states, namely draft, attest, review, monitor and retire. If this is not fully clear to you, there's a link at the bottom of the slide that will take you to the controls tutorial, but for now I'll assume that we are all comfortable with this. Each of the controls will be in different states, simply because each of these departments will have their own constraints and timetables. In this example customer support is just getting their procedures in place, so we won't count them in the compliance score. Finance, HR and IT however have the procedures in place, so their scores will be counted. As far as compliance scoring is concerned, to keep it all fair and exact, we simply remove from the calculations those entities and controls that are in draft or retire stages; they just don't participate in the calculation. Also, entities do not have to have the same importance when it comes to evaluating compliance to a control objective. In this example, for this control objective, we decide that IT is much more important than the other departments, so we give it a weight 3 times higher, say 30. Now we see whether each control is pass or fail. Customer support is still in the draft state, remember, so it's not counted in the calculation. Finance has some issues, so it failed, which gives a value of 0. HR and IT have no issues, so they are compliant, which gives us 10 and 30 respectively. The whole thing divided by the maximum value, 10 + 10 + 30, resulting in simply 80%. That is the compliance score for this organization for this control objective. So the organization did not fail the entire control objective, and we didn't have to wait for an audit to notice; we now know that something needs to be addressed in the finance department in order to be fully compliant at company level.

Right, this is brilliant; it's very simple and straightforward. So now let's have a look at how it works in the ServiceNow product itself. I think you've got a little demo for us, right?

Yep. This is a control objective that, at a company level, specifies a particular activity that supports a policy. So in this case it's supporting a business records and media management policy, as well as a citation, which is a specific paragraph from a particular authority, and in this case it's the NIST 800-53 authority. Typically without entities, at a company level, what it's saying is that we need to establish and maintain electronic media management procedures. For this control objective, this score is not possible. Essentially the way that we will find out whether we as a company are compliant with this control objective, that supports this policy and this citation of NIST, is that an auditor will come in and audit the various groups that have a procedure. If they find one group that is not compliant with the procedure, the entire company will fail that control objective. Now that's obviously not desirable. So with entities, what happens is that we are able to then establish granularity at a lower level, an operational level. So in this case what we're doing is we're establishing proactively control owners. The way that we do that in ServiceNow is that we are going to scope out this control objective; that means trying to understand who in the organization, that means people, places or things, how are we going to establish ownership. In this case let's just say we want to establish it by the department heads for those groups that are subject to NIST. So I have an entity type set up here, in this case you'll see the NIST departments, and again those are the departments that are subject to NIST audits. Let's just take a look at the entity type for a second. So if I open that up, you'll see here that underneath this entity type there are four entities: customer support, finance, IT and HR. In ServiceNow, in order to establish control ownership, or to generate controls, we need to click this magic box which creates controls automatically. Once I save that, we are essentially establishing control ownership by those NIST departments. So if we just wait a second while it loads, we shall see that there are four controls being generated. When we look at these four controls, they essentially say the exact same thing that the control objective is saying, which is establish and maintain electronic storage and media management procedures. The actual name of the control is identical, because everybody is essentially supporting that same control objective for their area. So each of these departments has their part in the overall compliance score at company level. So let's take a look at how that's established.

So first what I'm going to do is move all these controls to the attest state: select all of them and click Attest. What we have to do is get these control owners to attest to the fact that this control is in place, because why start to measure it if that control is not in place? So first we have to establish that this control is in fact in place for each of the departments. So first I'm going to log in as Rob Woodburn; he's the first control owner, for customer support, and he's received an attestation. So I'm going to log in as Rob Woodburn and go to My Attestations here, and he's going to complete this first attestation, and essentially what it's asking him is: is this control implemented for your area, which is customer support, and for this control objective? So he's going to say, right now, for customer support it's not applicable; we are not subject to NIST for whatever reason. So he's just going to say that it's not applicable for customer support and hit submit. Let's take a look at what happened to the actual compliance score. So in this case, for the control objective, nothing essentially changed, and that's because controls that are not applicable or are retired do not count in the overall score here. So let's complete the rest of the attestations for the rest of the areas. So first I'm going to log in as finance, so as Natasha Ingram, and complete that attestation for her area. I'm going to take this first one here, and what she's going to say is that no, this control objective is not implemented in my area, and maybe they'll say some legacy system is to be replaced; this control will be non-compliant until the new system is implemented. So they may choose to submit a policy exception in order to ensure that there's traceability and there's transparent awareness of exactly what's happening with that particular control objective in that area. Let's go back to that control objective. It's still zero; we have one non-compliant and the compliance score is zero. As you can see, the IT department and the HR department still have not even confirmed whether this control is implemented in their areas. So let's go ahead and complete the attestations for each of these areas. So I'm going to log in as David Lu, and log in as Mariano, and we'll just go ahead and say that those controls are implemented in their area. So first we're going to do Mariano: go to My Attestations and take that attestation there, and say yes, it is implemented. I'm going to attach a screenshot of the procedure, for example, but I'm just going to pick any attachment here, and we'll say implemented January 30th, 2019, and I'm going to submit that. Let's take a look at who's outstanding. So in this case the person that still needs to complete the attestation is David Lu, so I'm going to log in as David Lu. So here's the attestation; I'm going to take the assessment and say yes, and attach evidence to show that this control is in place. So we see that that is accurate, and just say implemented last year, February 20, 2019, right? So we'll go ahead and submit that, and now let's take a look at what happened to the overall compliance score. So when we take a look at that control objective it still says zero. There is a scheduled job that needs to run, so we can go ahead and force that scheduled job to run. The scheduled job that you want to look for is called the compliance score. I'm going to go ahead and execute that now; normally this will run every two hours, but I'm going to go ahead and execute that now, and we're going to wait for just a second for that compliance score to update. Now let's go back to that control objective. Now we see that the control objective has been updated, and now we see that the control compliance score is 67%, and that's because the formula that's happening here is the sum of the weights of the compliant controls, which is 10 and 10, over the total sum of all the controls that are applicable. So not applicable doesn't count; if they were retired it wouldn't count. And so in this case it's 20/30, which equals 67%.

Now just to show you that the compliance score is also affected by control weighting, let's just say the IT control is a key control, in that if this is compliant or non-compliant it should really affect the control objective more. So I'm going to change the weighting. It's uneditable right now, so I'm going to return this to draft, and I'm going to change this weighting to 30 and go ahead and hit update. Because I moved it to draft, I now need to redo the attestation, so this attestation is going to go out again; another one is going to go out to David Lu. I'm going to impersonate David Lu and complete that attestation: there's the attestation, hit take assessment, and I'm going to do the same thing and say yes, it's implemented, attach evidence, and then we'll say implemented 2/20/2019. All right, so we're going to go ahead and submit that. Now let's take a look at how that weighting affected the overall compliance score. So we go to the control objective; as you can see it's not yet updated, so again we're going to execute the compliance score job so we can immediately see the effect without having to wait two hours. And as you can see the compliance score has updated, so in this case you'll see the formula is the sum of the compliant weights, which is 40, over 50, which equals 80%.

Thank you for this, Ann Marie. So here's the most important lesson I draw from this. For me it seems that compliance scoring is really a beautiful tool to keep your organization compliant and identify the areas that need to be improved, but it all relies on getting the entities set up in the most useful and powerful way for your organization. So this is really where lots of preparation work and effort should take place. There are quite a lot of useful resources about entities and entity scoping that I encourage all of you here to review attentively; there are some links at the bottom of this slide.

Yes, you're absolutely right, Eric, entities are the key to it all, and I'll mention that I'll also be sharing on the community an entity scoping template. It's a tool that I use in class that the students sometimes find pretty useful.

And now we're coming to the end of this tutorial. Ann Marie, what would you advise our audience to do, like right now, very specifically, as soon as this video is over?

Well, I cannot emphasize enough the importance of entities to get the best from compliance scoring, so I would simply start there. Review the distribution of ownership for all your control objectives and confirm that you have the right level of entities. Put a placeholder in your calendar to hold a scoping workshop with your team and stakeholders. And of course make sure that you are all fully on top of the concepts of entities and controls by reviewing the tutorials we mentioned in the slides today.

Well, thank you for the summary. We are now at the end of the tutorial. A couple of reminders before we close: all the links that were mentioned will be available, of course, in the PDF version of the slides that will be posted in the forum, and we absolutely want to hear from you. Please ask your questions in the forum; you will get answers within minutes. Or, even better, come and share with us what it is that you've learned. Ann Marie, we thank you very much for your time and for sharing all this important information with us today.

Thank you for having me.

Well, and to everyone, if you made it this far, thank you for your time and attention, and please stay safe and happy.
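As an added illustration that is not part of the video and not ServiceNow's own code, the weighted score formula described above (sum of compliant control weights over the sum of active control weights, with draft, retired and not-applicable controls left out) modelled in Python. The class and function names are assumed, the four NIST-department controls are constructed sample data, and a control whose attestation is still pending is assumed to count in the denominator but not the numerator; the two-hourly scheduled job is not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    # Control lifecycle states named in the tutorial.
    DRAFT = "draft"
    ATTEST = "attest"
    REVIEW = "review"
    MONITOR = "monitor"
    RETIRED = "retired"


class Result(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non_compliant"
    NOT_APPLICABLE = "not_applicable"   # owner attested "not applicable"
    PENDING = "pending"                 # attestation not yet completed (assumption)


@dataclass
class Control:
    entity: str
    state: State
    weight: int = 10
    result: Result = Result.PENDING


def counted(c: Control) -> bool:
    """Active controls only: draft/retired and not-applicable controls are excluded."""
    return c.state not in (State.DRAFT, State.RETIRED) and c.result != Result.NOT_APPLICABLE


def compliance_score(controls):
    """Percentage score for one control objective, or None if nothing is scorable yet."""
    active = [c for c in controls if counted(c)]
    total = sum(c.weight for c in active)
    if total == 0:
        return None
    compliant = sum(c.weight for c in active if c.result == Result.COMPLIANT)
    return round(100 * compliant / total)


def non_compliant_entities(controls):
    """Where the weaknesses are: entities whose active control failed."""
    return sorted(c.entity for c in controls if counted(c) and c.result == Result.NON_COMPLIANT)


def video_walkthrough():
    """Replays the demo's attestations (constructed data) and returns the score after each step."""
    cs = Control("customer support", State.ATTEST)
    fin = Control("finance", State.ATTEST)
    hr = Control("hr", State.ATTEST)
    it = Control("it", State.ATTEST)
    controls = [cs, fin, hr, it]
    scores = []
    cs.result = Result.NOT_APPLICABLE        # not subject to NIST: dropped from the calculation
    fin.result = Result.NON_COMPLIANT        # legacy system, policy exception raised
    scores.append(compliance_score(controls))  # HR and IT still pending: 0/30 -> 0
    hr.result = it.result = Result.COMPLIANT
    scores.append(compliance_score(controls))  # 20/30 -> 67
    it.weight = 30                             # IT is a key control: weight tripled
    scores.append(compliance_score(controls))  # 40/50 -> 80
    return scores
```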

View original source

https://www.youtube.com/watch?v=muNwpynItEg