Webinar: Simplify GRC with ServiceNow Integrated Risk Management
Cerna is Now Thirdera
Nov 06, 2020
Uh, thank you for joining today's webinar on simplifying GRC with ServiceNow Integrated Risk Management. Uh, my name is Tim Lee with Cerna Solutions, and we are proud to be doing another co-sponsored webinar with ServiceNow. Um, and one of the reasons we wanted to do this one specifically is we know a lot of our customers are asking us what's the difference between GRC and the newer offerings around IRM, and what does that really mean for their organization. So what we hope to do today is demystify what these two offerings are, uh, really give you a better sense for what they mean for your organization, and really how to give you a strategy around getting started and making a plan for, uh, for your organization. I am honored to be joined today by, uh, Don Harlan and Tommy Lamont. Uh, Don, can you go ahead and just give us a quick introduction?

Yeah, absolutely. Uh, thanks, thanks Tim. Uh, so Don Harlem, I'm a solutions consultant with ServiceNow, been on board for about four years. Actually, today is my fourth year anniversary. And, uh, and I focus specifically in security and risk, so everything technical as it relates to, you know, integrated risk management or, uh, SecOps is our bailiwick.

All right, fantastic. And Tommy?

I'm Tommy Lamont, I'm a principal consultant with Cerna Solutions. I work in the security and risk practice, so similar to Don, I work with the IRM modules, the SecOps modules, and really guiding customers through implementations, planning out where they should go next. Um, weird coincidence, I think today or sometime this week is my four year anniversary at Cerna also. Didn't realize that.

That is, that's creepy. All right, well, let's go ahead and get started then. Oh, I know we have a lot of information to get through. Um, by way of agenda, um, just to give you guys a, a sense of what we're going to be going through today: first we're going to introduce, uh, integrated risk management, really kind of give an overview of what that means, and then we're going to talk a little bit more in depth about how to
identify where you are on the maturity map of, of IRM and what kind of strategies you can put together around that. After that we're going to talk about how to improve communications with stakeholders, as well as why that's so important for your organization. And, um, we're going to talk a little bit more about what are some things that customers are specifically doing in this space, and, and what that might mean for your business as well. And after that we'll just follow up with some extended learning and give you a few resources to continue your IRM journey, if that's something that you're interested in doing.

Uh, I want to take care of some housekeeping while we're on this slide. Um, if you have any questions during the event, you don't have to wait until the end. It's very much encouraged for you to ask your questions throughout the presentation. One reason for that is we can very often, uh, switch gears and talk about something that might be important to you. If, uh, if that is something that, if we're not covering the content that you're looking for and you have some information that you're looking to get, we can very easily try to cater to you that way, either during the conversation if it's relevant, or afterwards during our Q&A session at the end. One question everyone has is, will I be getting this recording? And absolutely, yes, we will be emailing this to everybody that registered to the event, but we will also be making it available on our website, cernasolutions.com, as well as our YouTube channel.

So I'm guessing you guys already have your introduction to ServiceNow. If you don't already know about Cerna Solutions, I just want to take a second to give you a brief introduction. We are ServiceNow Elite partners that have been focused in the ServiceNow space since 2012.
Uh, and right now we currently cover the entire platform, so that means if you have projects you're looking around ITx, HR, security operations or IRM, uh, we are a one-stop partner that you can talk to about that. And we have heavily prioritized areas like security operations and integrated risk management with ServiceNow, and I've been working closely with them pretty much since they first announced the offering, as early adopters, because we saw how important it was for our customers to be able to utilize one of the best products for businesses to be able to accomplish some of the most important things around risk and security. So if you have any questions, uh, around other projects, or would like to just reach out to us, you can always, uh, go to cernasolutions.com and contact us that way, or leave a question for us in Q&A and let us know that you'd like us to reach out, and we'll be happy to address that as soon as possible.

So without much further ado, let's go ahead and jump right into the topic. And for this, Don, I'm going to, uh, I'm going to ask you, can you give us a little bit more of an overview of, uh, IRM and what does that mean?

Yeah, absolutely. Yeah, thanks Tim. So there's, there's two key points I want to make on this slide. Uh, the first and foremost is that ServiceNow is a platform. Uh, so the best example I can give you of the platform is actually my, my iPhone, right, my iOS device. On my iPhone I have LinkedIn, which is tied to my camera, which is automatically tied to my photo library and is automatically being backed up in a Google Drive. Now, I didn't have to, you know, integrate any of these applications, simply because they live on the same platform. I only had to allow them to communicate. So ServiceNow is that exact same concept, but for a business. So when our founder Fred Luddy had envisioned ServiceNow, the whole goal was that any area of an organization could have their own application with their own workflow and process and automation, but be able to effectively route that work
across the organization, because, you know, people don't work in silos, right? Uh, and so, yeah, same deal, you don't have to integrate these applications. That work simply flows, just like LinkedIn to my camera to Google Drive, etc.

And so if we look at, you know, a lot of these different applications we have on the platform, they very much play into that integrated risk conversation. Whether it be things like HR and acceptable use policies: if employees don't accept the policy as it relates to internet usage, there can be legal ramifications there. That presents a risk. Same thing with security, right? If I have an active intrusion on a device, or have a vulnerability on a PCI asset that's going past its, you know, 30-day remediation target, that poses a risk to the organization, naturally. Even IT operations, uh, so a lot of that's about availability and, and uptime. Let's face it, if some of our critical systems go down for an organization, that presents quite often a financial loss, because we're not able to, you know, meet the needs of the business anymore. And even IT service management at the bottom, at six o'clock, so things like change management. Going back to that availability again, if we put in place a bad change without a back out plan, there could be an impact to availability. That again presents a risk. And even customer service, another thing that we do on the, the platform. A good example here is, uh, yeah, I work with a lot of power companies, and you might not know it, but if you put in a request to your local power company, they have a certain period of time, or SLA, that they need to respond, otherwise they are out of compliance with certain regulatory frameworks. And then, you know, naturally, finance. I'm sure we can all kind of understand that one, that you're providing audit oversight and monitoring key financial controls like account close, to validate, you know, that, that we're managing our financial services in the appropriate manner and we're helping prevent risks of the organization. Sitting at the
heart of all of this, why do we do any of this? Well, we're trying to manage risk for the organization at that high level, at that top level, not in each one of these applications as a silo. And so through integrated risk management we have the ability to look at all of these different applications on the platform, and external platform information, which we'll talk about later, to help manage that hierarchical risk at the top level and getting out of managing risk in silos. Uh, Tommy, did you have anything you wanted to add to that one?

Yeah, uh, so in addition to, you know, it's all being on one platform, you know, it's very easy for all these applications to communicate with each other technically. Um, that also doesn't just mean, you know, from a technical sense, communication, it's easy. I find through a lot of these implementations, um, it really, ServiceNow really helps break down the silos between departments. So, you know, if all of these things are living on the same platform, your IT service management, your IT operations management, or integrated risk management, it's a lot easier for, uh, for them to communicate, and people are going to work together a lot better if they are on a single platform. Communication is easy, and that's something we're going to talk a lot about during today's webinar: really, how can people communicate with each other and involve your whole organization and, you know, not just your IRM process, but, uh, leveraging the whole ServiceNow platform to, uh, to make your life easier and make your business more efficient.

Yeah, and I love, I love the example of the, the cell phone, right? I think that's a perfect idea for, uh, people who realize how much a smartphone changed their life. Now that they have something that really interacts with every part of their life now, uh, goes back somewhere to the iPhone. Same thing for your business, in terms of being able to touch not just one area like IT, but having, having that really protection, uh, that level protection across, uh, multiple departments.
What about, um, I think we have the next slide here. I mean, I think we have a few real world examples that we wanted to, uh, to get into.

Yeah, yeah. Uh, this slide needs any explanation whatsoever? None at all. It makes perfect sense on how this relates back to IRM, right guys? Uh, so actually, uh, got a couple cool customer stories for you. And, you know, this one is, um, I'm sure you're wondering, what does a cow and "fat is money" have to do with risk? Uh, well, this is for a customer as a major dairy manufacturer. If you ever bought a pound of butter or half and half of milk, I'm sure you've seen their logo and their name. And they had a particular application that managed the intake of feed, right? So what is the nutritional content, protein, ash, moisture, what farm did it come from, what time of year was it grown. And then it took that information and it cross-referenced it with the amount of milk fat based on the cows that were fed that certain feed. Why? Because fat is money, okay? If you've ever gone to the store and you buy a pound of butter and a gallon of milk, they're roughly the same cost, but obviously by volume their amounts are significantly different.

So their challenge was, if they needed to manage this application and understand, uh, is the application supported or is it in hotfix only support? What about the database or the OS, are they supported? Is it a SOX or a DR application? And so, you know, by, you know, actively looking at these fields from within the risk as it relates to the application, it was looking for those adverse situations. And this is what we call continuous monitoring, so the ability to continue to look for things within the platform, or external, which I'll share in the next one, that might present a risk to the organization. And in this case, uh, the, the scenario was, is it's in hotfix only, server is not supported, or I say server, OS, database isn't supported, and it is a SOX application. That all of a sudden presented a huge risk. And so we recalculated that for the customer, bubble that
up to show that one of their mission critical applications, that is absolutely relevant to their bottom line, was in dire straits and therefore presented a larger risk to their organization and the overall financials.

Speaking of financials, uh, this is for another organization, and a couple things I want to highlight here is, one, we're getting completely away from IT risk. The second is we're looking at external information. So for this particular customer, this bank, they wanted to have collateral-backed jumbo loans, and that collateral would be stock portfolios. So what we actually did is we brought in external information on stock prices into the platform and then tied that to, you know, the original stock price of the collateral that was used to back the loan. Now, their requirement was, is that they needed at least 40% margin on the original amount of the loan with that collateral. If it dipped below 40 percent, it automatically triggered a flow in our financial services application to then, you know, review that collateral, view that loan, and make a decision. At that point in time it was more up to the loan officer and exactly, you know, what it is that they should do. Now, at 25% of margin on the collateral, it triggered a mandatory workflow that would do one of three things: it would either require the onboarding of more collateral, it would suggest the sale of collateral, or it would actually suggest the sale of the loan completely to another higher risk institution. So again, the overall message there is completely non-IT integrated risk management or GRC, but then being able to bring in external information and monitor on that, or look at external systems and monitor on that, to identify areas of risk for the organization that might live in other environments.

And I find the, uh, that automated indicator stuff and, you know, automating that, that's really to me one of the more exciting aspects of IRM, just being able to take that manual work people were previously doing and completely automating it.
Um, really just shows how, how powerful ServiceNow is and what you can do with the platform.

Um, yeah, I was going to mention that at ServiceNow, using that, that same technology that you're referring to, we've actually automated our, our GRC burden by 60, 66%, just by leveraging those automated indicators to look for adverse situations.

Yeah, so, you know, a lot of customers we talk to, um, you know, they hear these stories and it's amazing. They want to get there, they want to automate 60% of their compliance, but they say, you know, we're just starting out on our compliance journey, maybe we just hired a CSO last year, still building out our team, don't have a lot of things defined. ServiceNow is this really powerful tool, but, or, can we even use this, are you ready to use it? And, you know, the answer I always give is, is yes. Uh, ServiceNow is there throughout your, your journey of, uh, IRM maturity. And what we've actually done to kind of help customers visualize this, of where you can start and where you can go, is put together an IRM maturity roadmap.

So you'll see here we broke this kind of down into three categories. We have people, process and technology, and I'll take you through four steps we put together here of IRM maturity. So starting down here at one, it's kind of a disjointed process. This is really when you're, you know, your risk and compliance process is brand new. You don't have a clear delegation of responsibility. Everything's probably falling on one risk or compliance manager, or very small team, trying to manage things out of email. The process to get that data is not defined. They're updating spreadsheets manually. You know, they're working towards getting compliant and getting a better picture, but it's tough. There's a lot of manual work, and it frequently falls on just a couple people within the organization.

Moving up in the maturity here, uh, you start to see, you know, a kind of reactive approach. So we're getting a bit more mature. We have a basic delegation of responsibilities. You know, we've
identified that everything isn't the responsibility of that single compliance officer. It has to, we have to involve some other people in the business. Those processes are getting documented, kind of who's responsible for, um, for certain, for compliance, for risk, of what applications, what areas of the business, what departments, and those are communicated out. So we have that documented, probably still, you know, some manual communication there, but we at least know who should be doing what. Um, and your data is getting centralized, so, you know, you're getting out of spreadsheets. And this is where we see a lot of people starting to move into ServiceNow. That's kind of the first step there: get your data in one central location that can be secure and audited and is easy to access, because it's great to find out all this information about compliance and risk, but if you can't go back and see it and report on it, you know, it's not much use.

So moving up, the next step here, we go from reactive to proactive. So now not only have we identified some people who are responsible, those people are being more proactive about their response to risk and compliance. You know, they're not just every year getting an email asking if they're compliant with something. They're, they're more aware that they have to stay compliant, they have to reduce risk within their, their department or their applications or whatever area of the organization it may be. And there's policies to identify these kinds of things, so, you know, well-defined, documented policies. These policies may be linked to controls. You can do that in ServiceNow, link your policies to your controls, so you know, uh, you know, what are we trying to comply with, how are we complying it. And you can even link that back to a compliance framework, so, you know, something like NIST or one of the ISO frameworks, you can link that all together in ServiceNow. Now, a lot of people down in the reactive area, they are looking at frameworks, but they might have, you know, a spreadsheet
that the framework organization supplied. They're going through trying to find out, are we compliant, are we not compliant, and then they go to the next one and do it all over again, and you get a lot of, uh, redundancy there. You're doing the same work multiple times. ServiceNow allows you to, uh, take out a lot of that duplicate work. For example, if you use the UCF plugin, that can actually cross-reference your controls across frameworks, so now, you know, our single, you know, maybe password policy satisfies, uh, compliance across several different frameworks. Um, and now all this data, as we've, uh, mentioned, it's stored in a central location and integrated to those frameworks. So with the UCF integration, if you were to use that, not only can you de-duplicate all these controls in this work, you can get that information that they store directly from, you know, a list of NIST controls, um, and get those updated as, uh, as additional, uh, controls come out.

So moving up here into kind of our final state of maturity that we've identified here is, we called it managed. And this is where your entire organization is really very risk and compliance aware. It's not an afterthought, it's not, you know, we have to do this yearly, fill this out. It's everyone's proactively aware of risk and compliance across the organization. And you can also start to automate some of this. So back to those automated indicators Don was talking about, and that I mentioned earlier: not only are you checking for compliance and monitoring your risk, you can integrate and automate those to get that data back automatically and really get an up-to-date picture of your risk and compliance posture. And then you, you can have that in a kind of single intuitive view. So we're not just storing all this data in ServiceNow and then, you know, having a compliance manager pull reports, but we have a one-stop view, whether that be dashboards or portal, where, uh, stakeholders can go in and see how they're doing. So a, you know, department head can go in and see
how's my department doing, uh, with our, our relevant compliance, or executives can go in and say, how's the organization as a whole doing, what's, what's our risk posture right now. Really tying everything together and giving people access to, uh, to see that information and act on it and be aware of it.

So Tommy, I have a question. Um, you know, I, I know I work with a lot of customers, I know you work with a lot of customers, and people are always wondering, you know, where am I at today, where do I want to get to. And, um, where do you usually see that people start on this maturity scale when you begin your conversations with them? And then likewise, during your initial engagements, you know, where do they typically end? Um, can you tell me a little bit about that?

Yeah, yeah, and that's a good question, a big part of the reason we put this together. Um, I should, should reference here, this is kind of a consolidated version of our, uh, roadmap, so, um, uh, let us know if you want to see the full version or walk through with us, we can take you through that. Um, because, you know, that is, a lot of people we talk to, they're not, not sure where to start, where can they go. Um, like I said, they know ServiceNow is this powerful tool, but, but where should we go with it? Um, so we see a lot of people starting between kind of that one and two step. You know, it might be somewhere in the middle. Uh, this isn't quite, you know, you don't fit in one silo. You might have your, uh, your process a bit more clearly defined, but maybe your technology hasn't quite caught up yet. Um, so, you know, what, what we do, we identify where those people are, you know, like I said, between one and two is most common, and then through the ServiceNow implementation really move that up, move them up, um, through the, through the maturity roadmap. Um, you know, definitely right away, just implementing ServiceNow, you can get to that proactive stage. So, you know, you're getting everything defined, your policies are documented, related to controls. That delegation is kind of
a byproduct of implementing ServiceNow, because when you're going and implementing a tool and making sure your processes are defined, it forces you to look at, you know, who is actually responsible for this. You know, if you have applications that have policies that need to be enforced, yes, the compliance manager is monitoring it, but who in the business is responsible for actually implementing those policies? ServiceNow really helps you define that as well, and then have it recorded. After that, depending on, you know, the roadmap that the client's looking to go through, we'll see them move up to four a lot of the time. So once you have all this process implemented, you're aware of where you're compliant or you're not compliant, that's where automation starts to come into play. You can identify, you know, what's taking a long time in our, in our process of, of compliance or risk, and let's start to automate some of those indicators and let's give people a better view into that. That's where that really takes you up into that, uh, managed state of, uh, IRM.

Yeah, and I think this is an important guide for people to be able to use. And if you want, uh, sort of the, the more filled out guide, you see there's a link there. If you just go to cernasolutions.com guides you will have access to this, and, and you can kind of zoom in and probably get a little bit more detail, uh, that you need, or obviously give us a call, like, like Tommy said, and we're happy to work with your organization on, on that one as well. Um, but yeah, let's, let's move on to the next, uh, the next question that we have, which is around, um, how to improve communication with stakeholders. One thing I want to remind the attendees right now: if you do have any questions, definitely feel free to throw those into the Q&A. Um, I don't see any right now, but don't wait until the end. Definitely feel free to, uh, to let us know what your thoughts are or what, what questions you have, and we're happy to try and engage you on that as soon as possible. But, um, but
let's jump into our next topic. So, um, Tommy, you want to go to the next slide real quick? So yeah, so tell us, Tommy, I mean, give us a little bit more of the overview here and why this is important.

Yeah, so, um, kind of in that fourth stage of the maturity map I showed you, down in the bottom right, we talked about communication, we talked about visibility. Um, so I just picked out a couple examples here of how ServiceNow helps you do that. Um, so a lot of, a lot of customers we work with, the process is very manual. They, they're walking by people's cube to ask questions about, uh, compliance. When they're doing audits to see if you're compliant, um, they're emailing out, maybe many emails are going out, uh, you know, every week. They have to track people down, back and forth, gets lost in the inbox. It's a very difficult process to track. Um, so what ServiceNow does is takes all of that whole process and centralizes it in one tool that you can easily track.

Uh, one example of that is attestation. So when you need a, um, you know, department head or director or application owner to attest that they're compliant with a certain control, you no longer have to email that out and hope they reply to you and it doesn't get lost in the inbox. You can create an attestation, which gives them a notification, easy link back to come fill out, get the questions asked that you need to ask them. They can submit those, and then as a compliance or risk manager you automatically get notified when that comes back in, can review that, approve it, and take that into account with your compliance process.

Uh, similar to that, audit templates and tasks. When you're doing an audit, there's a lot that has to be done. So you can create these audit templates, which allow you to identify what are these things we have to do, what are the steps for an audit, and, uh, pre-create those. So when you go to start an audit, you just say what you're going to audit, and then your audit tasks get automatically spawned off. And again, those are just assignable pieces of
work that you can assign to people, track when they're supposed to be complete, are they getting completed, see what, even what percentage your audit's at based on how many audit tasks you've completed. Really streamlining the process, getting you out of email.

Similar, you know, risk assessments, just getting your business's input on risks. It's a lot easier to do that if you're not emailing back and forth. You know, making things easy for people, I find, is really the best way to, to get, get input from them and get everyone involved in your risk and compliance process, because if it's easy to do, people are going to be more proactive about it and you're going to get faster responses.

You know, with all these attestations, audits, risks, issues come up. So issues in ServiceNow are basically problems across any of these areas. If you're familiar with the IRM suite, you'll, you'll see issues a lot. So for example, attestations: you might have someone say, no, we're actually not compliant with this for some reason. What you can do there is automatically create an issue, which is just another, another record, a task that you can assign to someone, and then you can actually see who is responsible for that issue, when you expect it to be resolved, and track all your communication about that issue right in that one task. So again, really just getting out of email and being able to, uh, track all your communication and your deadlines and how you're doing in completing issues and tasks like that.

Yeah, uh, there's something you said there, Tommy, that's, uh, yeah, I kind of want to double down on, and it's, you said it a few times actually, it's that communication process, right? Those reminders, those notifications and emails that are going out to people, that's something ServiceNow is really good at, right? We have, uh, many out of the box SLA and notification workflows, because it'll chase that. Nobody wants to go over to someone's desk and put a sticky note on, or continually follow up the email or text messaging. So you let the
system do the work for you. Let it do that minutiae, send out those reminders, send out those tasks, do the, the escalations or reassignments. It's something it's really good at. Um, the other thing is, you know, when you start talking about attestation and assessments, just like to highlight, these are really up to you as the customer, and what they look like, what the questionnaires are. If you've ever done a SurveyMonkey designer, it's very much, you know, like the same thing. So you design those questionnaires, uh, it's very flexible, easy to use, um, easy to get that engagement out of those, those folks that are directly responsible, you know, for the, the systems as it relates back to the controls. So you, again, getting into that distributed, uh, IRM model there as well.

Yeah, and that really gets back into, uh, yeah, make things easy. Um, you know, not only are we making these people to answer, uh, answer these surveys, answer these questions, communicate with us, but, you know, as a risk manager it's easy to, you know, update these attestations, figure out what you need to ask, ask customers. And ServiceNow is really, uh, it's really one of the big, big highlights of using ServiceNow, and, you know, they're always improving what you can do, um, with your communication. So, uh, cherry picked a couple new features here we've seen in IRM. These aren't necessarily new just in Paris, but just probably the last six months to a year, uh, some features that kind of stood out to me as really improving communication.

So the first one I have here is consolidated assessment responses, and this goes back to those attestations that we were talking about. Sometimes you have someone that's responsible for a lot of, maybe, applications. They have a lot they need to be compliant with, you need them to attest for a lot of it. Sometimes it might be very similar questions, or the same question. For example, if you want to check if someone's compliant, if someone's application is compliant with a password policy, maybe they own 10 different
applications, but the password policy is all managed, you know, in AD or in Okta, so we know it's compliant because they use those for single sign-on. So they're going to answer yes to all those 10 applications. So what ServiceNow allows you to do is just combine those attestations, so we can say, for these 10 applications, yes, I'm compliant, let's attach the evidence, here's the evidence, and submit that. And again, make it easy. We don't want them to have to go through and select yes 10 times, attach something 10 times, and you can just combine that all into one place.

A similar, similar new feature is audit evidence requests. Again, in audit there's a lot you have to get done to, uh, complete those audits, uh, one of which is getting evidence. So sometimes you need some evidence from someone that's not directly involved in the audit, and, you know, it's hard, can be hard to communicate that via email. You know, they may need to go in and pull some evidence from their application that they're an administrator on. You're sending emails, trying to follow up. What ServiceNow allows you to do is create this audit evidence request and then spawn a task out for it, and what that will do is notify that application owner or that administrator, or whoever it may be that you need information from, and give them steps on what you actually need. So for example, you know, a list of all changes in the last quarter, uh, review of completeness, and then backup procedures. Send that out to the person, they know exactly what you need for them, you can track whether it's been done or not, and they can respond right back to ServiceNow with that information and keep it all in one place. Again, you don't have to dig through your inbox to figure out if this is complete or not.

Awesome. Yeah, so getting back towards that integrated risk management conversation I think I mentioned in the beginning, and, you know, one of the other solutions we have on the platform is, is vulnerability. Very common within a vulnerability program, you need to put
in place an exception, and sometimes that's because there's no fix available, or you're waiting a maintenance window, or something of that nature. But when we start looking, a lot of the frameworks, whether it be NIST or PCI or ISO, you know that a lot of them are going to require things like a vulnerability program. And I would like to use the example, let's say we're dealing with a PCI based system. Well, if it's critical vulnerability, you have a 30 days to meet that remediation target. So, you know, a new feature that we've added is, if you request an exception, in parallel to creating that vulnerability exception it can actually create a policy exception as it ties back to that vulnerability, where we might have, excuse me, potential compliance issue. And so then that policy exception has its own lifecycle, just like the vulnerability exception, with expirations and approvals and perhaps risk assessments, uh, and that is a fully automated process. So no longer do I, as a vulnerability manager, have to go to a separate portal somewhere else to put in place a policy exception to make sure that, you know, we're managing our compliance program appropriately.

Similarly with security incidents. Uh, if we look at, you know, in that same example, let's say we had a critical vulnerability, there's no next plate, and then it got exploited. Well, now we're dealing with a security incident. There's an active intrusion or malware on a system, and so of course that, that presents a risk to the organization. And we've talked a little bit about indicators, but with security incident, what we can actually do is report a risk event, and that's part of our advanced risk management program, if you will. And so that gives us the ability, through a single button, to say, yeah, we actually have an issue right now on a critical piece of infrastructure. And so for the risk that is tied to that CI or that infrastructure, we would actually generate a risk event, and then perhaps, you know, based on that and SLAs, if we're not tracking
well against that we're having an issue you know managing or resolving that security incident just like in the customer stories i shared earlier we can actually see that risk being recalculated called calculated risk because there's a risk event that's posing a large risk with an active infection to the organization so again just getting towards that you know more integrated risk tying these different things together and actually just to jump i see we had a question here about is there an exception process so that jumps back to what you were talking about vulnerability exceptions so servicenow has always had a policy exception process so when there are when you have policies someone can raise an exception request against those and there's a workflow behind that but not only can you just you know go view a policy and click request exception it's now tied into vulnerability like don was just speaking about so directly from that vulnerability you can request an exception and really gets back to that kind of integrated risk management picture where we're not doing these things in silos they're all tied together and can all easily communicate across the different applications and across departments within your organization so a couple couple other things i want to hit on here we've talked about some of the kind of base features of servicenow i wanted to give just a couple examples of interesting things that we've seen customers do um so these are some things maybe you might not hear about um as a basic use case but you know some some exact use cases that we've seen people accomplish first one here is contextual attestation views so we had a customer they did have an attestation process already stood up they're implementing servicenow heavy attestation users sending a lot out to their relevant business stakeholders uh those business stakeholders wanted a little bit more information when they were filling out those attestations so uh not just are we compliant with the 
control they wanted to know you know information about that control what framework does this align to what policies are this associated with are there any issues open it so we created a nice portal-based view where they could pull all this information together right into one screen and again just going back to that making it easy when they're doing this attestation they get all that information pulled together and don't need to navigate around a bunch of different places they could see it all altogether another kind of specific attestation use case is automated access attestations we hear about this use case a lot specifically we had one with a data data reporting company access was very important you know data data is their company's life so they need to make sure their data is secure so they had a very well-defined access attestation process uh that they were doing i think every quarter or so um so they had a manual process where they were kind of running running some scripts querying ad primary okta pulling things back managing putting that into a spreadsheet sending that out to the application owners via email application owner fill out the spreadsheet send it back you know manually look at that figure out if anything's wrong and kicked off the process from there um and really that was taking them you know it was almost like when they were done with the one first first quarter's audit they had to be certain the next quarter's audit because of how long that took so what we did with servicenow is created an automated indicator for controls uh that were around access that were driving these access attestations and that that allowed them to automate this process so what we did was pull the information into that automated indicator from okta in this case so finding out who has access to what applications pull that into servicenow use the tool in servicenow called data certification which then allows you to basically look at a list of records which in this case 
is users that have access to a specific application send that out to the application owner they'd see that list in servicenow they can check off yes this is all good all these people should have access or they can say you know no maybe these two people in here they they are in a different role now they no longer should have access um that would then be communicated back that indicator roll up to that control and could then affect that control's compliance so you could get that updated in real time it's a phase two we actually took it a step further um not only could the application owner say no this person should not have access uh we expanded that okta integration to then uh enable it to go out and remove that access so not only were we identifying compliance issues but we were resolving them right away in an automated fashion so you know taking that quarterly process from from a long multi-month project down to pretty much instantaneous and just needing the application owners to fill out that information um i am going to jump over here to into a just a brief demo of some what we've done for enhanced views for business users um and kind of some relational views across irms so we hear a lot of people asking about you know they have a lot of people that work with servicenow they're not in the tool all the time though they're doing attestations quarterly or yearly you know they have some approvals and issues to review but they're not in there all the time they wanted kind of a direct view so what we've done several times is put together portals for people uh customers that that want this kind of view and we've actually rolled this into um what will soon be a store application so this is just an example of what we're gonna put out on on the store just um and this is a cerna product so this uh integrated risk management portal kind of based on what we've seen from other other customers other projects we've worked on what people are looking for in a portal so a couple 
simple things up front here just get right in front of you you know what do i need to do what are my tasks and issues um what approvals do i have pending me you know we see our issues here we see our risk acceptance plans make that easy for stakeholders to come in here and complete those um you know they also can come in here and request things so like those policy exceptions submit those um gives kind of your irm team its own space in the catalog to uh to have requests so you know a big ask about this was the company does have an i.t portal but the irm team kind of wanted their own space that they could really configure and tailor to their irm process so this really allows that with things like viewing policies as well browsing more reports uh what one more cool feature we had here that i wanted to show is this kind of i've talked a couple times about relational data and contextual data um so you have tons of data within servicenow and you want to be able to uh to use that to look at it um so what we did here was kind of giving give a different spin on that view and uh have this data explorer we call it and what this does similar to kind of a related list but an easier to see view is you can open up a record like a policy or control objective and see all control objectives and policies that are related to that and uh coming down here you can also see visually not only you know what are the records but how do they all relate so we have this main policy we're on and we see you know what controls is this satisfying so use the password policy example a lot so you can see our one policy is satisfying all these controls and you could drill into these different controls if you want to see data about that exact controls do we have other policies related to it um you know i don't want to spend too much time here i want to make sure we have uh time for questions but uh if you see anything here you're interested in definitely reach out we can do a more in-depth demo of what 
this looks like or i see we've had a couple questions about demos for other parts of the application so definitely feel free to reach out if you want to see a demo on anything more or more information about what these things actually actually look like in servicenow all right great so um and you're right we are uh we do have about five minutes left of the webinar we want to make sure that we were able to cover some of the questions that we saw that were coming in but we want to also make sure that you have the best resources if you have more questions about this and want to do a little bit more exploring on your own um go ahead tommy you can move to the next one there so one item coming up that's actually very exciting is servicenow's very first operation risk and resilience seminar series so you can see here now obviously you cannot click on the screen right now but we will be making this link available to you um but we have a very exciting summit coming up with servicenow if you're interested in learning more about the um security space and how looks like uh sam just put that link in the uh in the chat so yeah definitely go ahead and click and to register there this is a very exciting opportunity to um roll up your sleeves and get your elbows dirty with uh what's happening in security and kind of understanding more and working with the servicenow team to better understand what's available to you and what that means for your organization we also have a few additional uh pieces of content available for you on the cerna site if you go to our website cernasolutions.com or go to cerna solutions youtube page we have tons of content around servicenow but also specifically focused in security and risk and integrated risk management so as you see there's just a few samples of of some of the types of quick tutorials and demos that we've already made available to you from our team and we also have a few additional uh pieces of collateral that you can use for your own 
resources we have an irm assessment that is available to you if you go to cernasolutions.com irm-evaluation again we'll be making that link available to you as well uh this gives you a questionnaire uh which is a quick assessment for you on your end but that can also lead to for qualified customers a one-hour free evaluation with our team and that will help you understand more of where you are in the maturity model and kind of what type of strategy you can be looking forward to for your organization if you want more access to the guide that we had mentioned before for the maturity model you can go to cernasolutions.com guides uh looks like both of those links are now available in the chat as well i highly recommend uh going in there and and accessing that information as it's extremely valuable to our customers and we've gotten a lot of great feedback there um i want to take some time right now just to make sure that we answer a few of the other questions that i saw come through and actually i see that we've uh we've been proactive we've been answering a few of those already but one i wanted to make sure that i want to make sure that we were able to take live so it looks like someone had a question around does nist csf 1.1 iso 27001 controls auto populate with irm or do you need to configure that yourself don are you able to address that yeah absolutely so if i understand the question correctly uh you know it is uh it is an automated process with a minor configuration and i think tommy alluded to it earlier about the ucf integration uh so when we tie in with ucf you simply have to select which frameworks that you would like to uh you bring into the platform and at that point in time it will bring in all the associated uh what we call uh citations but it controls uh associated to that framework into the platform and then from there i think tommy also talked about this what you can then do is tie that to your own internal policy standard and procedures or other 
their children control objectives if you will so that with a single control objective vulnerability right i need to do vulnerability management if you had multiple frameworks when you meet compliance to that one policy you're meeting compliance through all of those other frameworks that were automatically brought in from ucf yeah and we see uh that nist csf and iso 27001 specifically are two we see a lot of customers using especially at ucf you know pulling all those in and duplicating that work so definitely possible in a common use case now someone else had a question just about you know irm in terms of how practical it is it was asking the question of uh the process of doing audit templates and audit tasks seems overwhelming as you create uh audit tests for each policy statement would you say that is accurate or would you say that that's probably easier than it looks um yeah so i mean i think audits in general can be overwhelming uh a lot to get done um so i'll say you know i find it to be there is some legwork to get it done there but you know you kind of do it once um and i would say it's less overwhelming than doing it manually you know uh previous state a lot of people are figuring this all out kind of on the fly as they're doing an audit maybe they have a spreadsheet somewhere so you know you may need to have a lot of data you need to put into servicenow but kind of once you do that then you're set and you're good to go um i will say you know if you're having any specific issues with that and really struggling uh feel free to reach out we can definitely talk about that and take a look at what what you may be uh struggling with all right and with that i think we are at time i want to thank everyone for joining us today and spending uh your lunch hour with us um i want to thank don and tommy for lending their expertise it's greatly appreciated and if you guys have any other questions obviously feel free to reach out in the comments or questions we'll leave 
this open for a couple more minutes and hopefully we'll have a chance to see you guys at the next event thanks everybody thanks guys
https://www.youtube.com/watch?v=7Py_GAOCQBs