ServiceNow Policy & Compliance Demo

Cerna is Now Thirdera · Oct 26, 2020 · video

Hello everybody, I'm Matt Mays, Senior Technical Consultant for Cerna Solutions. Today we're going to explore Policy and Compliance for Integrated Risk Management on the ServiceNow platform. ServiceNow's Integrated Risk Management program is made up of four applications: Policy and Compliance, Risk Management, Audit Management, and Vendor Risk Management. These four products can work together or stand alone, depending on the needs and maturity of your organization's IRM team.

Let's look at an overview of Policy and Compliance. Policy and Compliance ensures your organization is following the applicable laws, regulations, and ethical standards that your organization must comply with. Being able to effectively manage compliance can prevent you from paying fines and minimize lawsuits. ServiceNow helps organizations accomplish this by populating tables in the platform with the regulatory frameworks the organization must comply with; the organization's internal policies, procedures, and standards; and a list of records for the organization's systems, processes, applications, and business units; by defining controls; monitoring for control effectiveness; automatically generating issues for control failures; analyzing those issues and closing them or generating policy exceptions; and finally, enabling continuous monitoring with real-time dashboards.

Before we dive into the demonstration, we need to cover a few key terms. Internal requirements, consisting of internal policies, standards, and procedures, are referred to as policies in the ServiceNow platform. ServiceNow enables organizations to map their internal policies, standards, and procedures to external requirements. External regulations, laws, and ethical standards are referred to as authority documents. The individual requirements that make up these authority documents are referred to as citations. Policies and citations are implemented through the use of control objectives. Control objectives are templates that are applied as controls to entities. Entities are records that aggregate compliance and risk data for any organizational item, such as departments, locations, applications, services, etc. Entities can be related to each other to show how their control and risk posture impact the organization. The controls that are applied to entities are evaluated for compliance through the use of control owner attestations, control compliance indicators, and audit control tests. Issues, a ServiceNow task-based record, are automatically generated for non-compliant controls as a result of attestation, indicator, and control test failures.

So what can ServiceNow do for your IRM program? Well, our goal is to get you here: to show compliance by authority document, or the individual regulations that your organization must comply with. Along the bottom we see the regulations themselves, for example NIST, COBIT, ISO 27001, and Payment Card Industry. The bars of the chart represent an alignment of our compliance against the requirements that make up these regulations. Let's look at PCI. In yellow we see those requirements that we have not addressed; in blue we see the requirements that we're compliant with; in gray we see those requirements that we've deemed not applicable; and in red we see those requirements that we're not compliant with. So let's say we have a PCI audit coming up. We could go ahead and drill in here to Not Compliant, and now, in preparation for the audit, we can work with our control owners to help them get compliant with these requirements, knowing that they've already received a notification automatically from the system that they're not compliant.

So how did we get here? Well, we started with your policies. Our policies have a life cycle. They start off in Draft, where we input the information in the system. From there we move to Review, where our reviewers review the information for accuracy. From there our policy moves to Awaiting Approval, where our approvers review and approve the policy prior to publish, and then we move to a Published state. This is where our end users consume the policy. At the end of the life cycle our policies move into a Retired state.

On our form we have our Name and our Type. Types include Standard, Policy, Procedure, Plan, Checklist, etc. We have our Owning Group and our Owner, and then we have our Compliance Score Percentage. The compliance score percentage is one of the most powerful aspects of policies in ServiceNow. Here we're able to roll up our compliance score from the requirements that make up this policy across our organization; we'll get more into that later. We also have our Valid From and our Valid To. Thirty to sixty days before our Valid To date, we'll bring our policy back to the Review state; our reviewers will ensure that our policy is still accurate, and then we'll move it back through the Approval and ultimately Published states. Here we see the description of our policy, and then we have our policy text. This is the internal view of the policy text. Once published, we publish our policies to our knowledge base. Here we see we're publishing to the Governance, Risk, and Compliance knowledge base. We have our Article Template; the article template is what brings in the requirements, which we'll go over in a second. And then finally we publish as a knowledge base article. The knowledge base article is the end user's view of the policy once published. You can see here we have our policy, Change Management. It's made up of the Introduction, Scope, and Purpose, and then we have these Requirements, which we'll go over in a second, that are brought in from the system.

Our policy is made up of these 13 control objectives, which are the requirements we showed on the end user's view of the policy. The control objective is essentially a template of a control applied to our organization. Here we have the Establish and Maintain a Change Control Program control objective, sourced from the UCF, or Unified Control Framework, with a compliance score percentage of 83. This compliance score percentage is the overall compliance of our control objective applied as controls across our organization. Satisfying our control objective also meets these 33 citations from our various regulatory requirements.

Our control objective is applied as a control. Here we have our Establish and Maintain a Patch Management Program, owned by James Vitolo on behalf of the SAP Financial Accounting service. An entity in ServiceNow is an enterprise element to which controls and risks are applied, for example business applications, business services, or departments. Our control has a life cycle, starting at Draft, where it's initially input in the system. From there we move to an Attest state, where our control owners validate our controls and attest that our control's in place. We move to Review, where our IRM team validates that the control owner truly does have the control in place, and then we move into a Monitor state, where we actively monitor our control. At the end of the control's life we move it to a Retired state, where it is then retired out.

On our control form we have our Name, our Number, Entity, Control Objective, Owning Group, Owner, whether or not it's the Key Control, the Weight of the control, Description, Supplemental Guidance, and Additional Information; our Status of our control, in this case Non-Compliant; the State; whether or not we're Exempt from the control; information on Enforcement; information on the Category; the Type of control; its Classification, for example Preventative or Detective; and Frequency. Down below we have the Attestation tab. Here James Vitolo, the control owner, will attest to the compliance of the control. He will provide evidence and give a description of how the control is in place. Down below you'll see we have various other related information points under the control, including Issues, Indicators, and Risks. This control compensates for the risk of loss of confidentiality, availability, and integrity.

Our indicators actively collect compliance information on our controls. We have various types of indicators. We have Manual, where a task is sent to an end user to manually validate the control's in place. We can also do it by Script, where we write a script and the script goes out and looks at information to see if the control's in place. And finally we can just look at tables in ServiceNow. Here we have the Validate Patches Have Been Deployed indicator. It's looking at the Establish and Maintain a Patch Program control, and it's performed on a daily basis. This indicator looks at our Vulnerable Item table. Now, this particular indicator is implying that we have the Vulnerability Response application installed, but indicators can look at any table; in this case we're looking at Vulnerable Item. Our indicator looks at the Vulnerable Item table and it pulls in the various supporting data fields, and we're looking at, in this case, vulnerable items that have a score greater than six, because we don't necessarily want to mark our control not compliant if we have, say, a one or a two or three scored vulnerability out there. We obviously are only going to look at active vulnerabilities, and then we're going to say that Last Found was over a week ago, and the reason why is we want to give our control owners time to resolve their issues. Down below you'll see we have our results for the indicator. Each time it's run, it's been, in this case, failing on a regular basis, and as the indicator is executed this Last Results checkbox is checked. Because the indicator did not have the Last Results Passed checkbox checked, this control was marked non-compliant and an issue was generated. As you can see, we have the issue IPT 0025002: SAP Financial Accounting has an indicator failure. When the indicator failed, this issue was generated.

An issue in ServiceNow is a task-based record that is assigned to a control owner and that tracks their remediation and resolution of an issue. Our issue starts off in a New state. From there it moves to Analyze, where we determine what the best response to the issue is. From there we move to a Respond state, where we handle and remediate the problem. After Respond, we move to Review, where our IRM team reviews the response and determines if it successfully resolved the issue, and then finally our issue is Closed. Additionally, on our issue form we have the details behind our risk, including the entity and control that it belongs to, a description, and a recommendation. We also have our dates: we have our Planned Start and End Date, and then we also have the Actual Start and End Date, which is when the work is actually performed.

So if we've got policies and we've got controls and we also have issues, then we're probably granting policy exceptions. This dashboard is where we can keep track of all the exceptions we've granted across our organization. We're able to track them by priority, by the individual policies, by our control objectives, by our entities, and by our departments. Here we can see we have all of the policy exceptions granted to the Sales department.

Finally, we have our Controls Matrix, which is all the controls we've applied to our organization. We're seeing this in the ServiceNow list view, which is how we work with bulk data in the system. From the list view we can do things like create reports or export data to Excel or CSV if we need to work with it outside the system. We can group by the various data points; for example, here we'll group by Status, and then we could drill in and see here's all of our non-compliant controls, and we could take it a step further and filter in and look at all of our non-compliant controls for SAP Enterprise Services.

Thank you for watching Policy and Compliance in the ServiceNow platform, presented by Cerna. Like this video and subscribe to our channel for more great Integrated Risk Management content. For more information or to contact us, see the information on the screen.
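The indicator rule walked through in the demo (active vulnerable items with a score above six, last found more than a week ago, failing the daily check, flipping the control to non-compliant and raising an issue) modelled in plain Python as an added example; this is not code from the video or from ServiceNow. Table, field, record and issue-number formats here are constructed for illustration and are not ServiceNow's schema, and the rule that a failing run does not raise a second issue while one is already open is an assumption of this model.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds spoken in the demo: score > 6, active, last found over a week ago.
SCORE_THRESHOLD = 6
GRACE_DAYS = 7

@dataclass
class VulnerableItem:            # one row of the Vulnerable Item table (constructed)
    entity: str
    score: float
    active: bool
    last_found: date

@dataclass
class Control:                   # the control the indicator is attached to
    name: str
    entity: str
    status: str = "compliant"
    issues: list = field(default_factory=list)

def indicator_failures(items, entity, today):
    """Return the vulnerable items that make the indicator fail for one entity."""
    cutoff = today - timedelta(days=GRACE_DAYS)
    return [i for i in items if i.entity == entity and i.active
            and i.score > SCORE_THRESHOLD and i.last_found < cutoff]

def run_indicator(control, items, today, issue_counter):
    """One daily run: returns the Last Results Passed value, and on failure marks
    the control non-compliant and raises an issue unless one is already open
    (assumption of this model, so a daily failure does not duplicate issues)."""
    failing = indicator_failures(items, control.entity, today)
    if not failing:
        return True
    control.status = "non-compliant"
    if not any(i["state"] != "closed" for i in control.issues):
        issue_counter[0] += 1
        control.issues.append({"number": f"ISSUE{issue_counter[0]:07d}",  # placeholder
                               "state": "new",
                               "description": f"{control.entity} has an indicator failure",
                               "vulnerable_items": len(failing)})
    return False

# Constructed sample data: only the first item meets all three conditions on 2020-10-26.
SAMPLE_ITEMS = [
    VulnerableItem("SAP Financial Accounting", 8.1, True,  date(2020, 10, 1)),
    VulnerableItem("SAP Financial Accounting", 3.0, True,  date(2020, 10, 1)),   # low score
    VulnerableItem("SAP Financial Accounting", 9.0, False, date(2020, 10, 1)),   # remediated
    VulnerableItem("SAP Financial Accounting", 7.5, True,  date(2020, 10, 24)),  # in grace period
]

def demo(today=date(2020, 10, 26)):
    control = Control("Establish and maintain a patch management program", "SAP Financial Accounting")
    counter = [0]
    run_indicator(control, SAMPLE_ITEMS, today, counter)                          # fails, issue raised
    run_indicator(control, SAMPLE_ITEMS, today + timedelta(days=1), counter)      # fails again, no duplicate
    return control
```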

View original source

https://www.youtube.com/watch?v=TUhvtq12NL4