Centralize Policy Management on ServiceNow

Cerna is Now Thirdera · Sep 02, 2020 · video

Hi, my name is Tommy Lamont. I'm a principal consultant in the security and risk practice at Cerna Solutions. Today we'll be taking a look at managing policies in ServiceNow and how using a single platform for integrated risk management can take your policy management to the next level. Using ServiceNow as your centralized policy library allows your users and stakeholders to easily interact directly with your company's policies. This will give you a more accurate view of compliance and how that affects your company's current risk exposure.

In this demo we'll walk through creating a policy and relating it to a control objective from the perspective of a policy analyst, approving and publishing that policy from the perspective of a compliance manager, and viewing the policy in a portal and requesting a policy exception for that policy from the perspective of an end user or system owner. We'll now jump over into ServiceNow for a quick demo of what this functionality looks like.

To start, we'll look at creating a password policy directly from a control objective. In this case the control objective is from a SOX regulation; it's about network and ERP passwords. We'll come to the bottom of the Policies tab here and click New to bring up our form to create a new policy. I'll go ahead and give it a name. We can then give it a type; in this case it's going to be a policy, so I'll select Policy. We'll select the owning group here, so I'll select IT Securities. We could also select an individual owner, but in this case I'm going to leave the ownership at a group level. You can enter a description if you would like, and I'll then paste in a sample password policy here just so we have some text we can look at. As you can see, with the HTML editor you can give a nicely formatted policy for your employees to review. In a few minutes we'll take a look at what this will look like on a service portal as well. We'll then go ahead and select a valid to date; I'm going to just pick one year from today. We can then add an approver, so this would be your policy owner that would need to approve the password policy. You can select a reviewer, so this would be someone like a policy and compliance manager that'll be reviewing the policy before it goes for approval. And now that we have our form filled out, I'll go ahead and say Ready for Review.

I'll now impersonate Adam, who is our policy reviewer. I'll pull up my full list of policies here. You can see our sample password policy that was just created in the review stage. I can make edits to the policy when I might be discussing the policy with the password analyst; as the reviewer, I can come in here and edit. Once I'm done editing, I'll click Request Approval.

We'll now go ahead and impersonate our policy owner and do the approval. You can see here our sample password policy shows up in my approval queue. Click that to open the approval record. We can now review the policy. As you can see, once we're in the approval state the policy will be read only, so it stays consistent with what was reviewed. If you would like to make further modifications, you can reject the approval and send it back to the review stage, make those modifications and request approval again. But in this case I'm going to go ahead and approve the policy right away. As you can see, a KB article was created for the policy. This leverages ServiceNow's knowledge base feature to easily publish these out for the user base to view, and you can see our sample password policy was approved.

We'll now take a look at what viewing a policy can look like from an end user perspective. Here we have a service portal for integrated risk management. I'm in our KB view right now, which shows us all of our plans, policies, procedures and standards. These are driven off that type field that we saw earlier. Go ahead and select Policy. We'll come down here and see our sample policy we just created. I can open that up and now review it. As we showed earlier, we have this nice HTML formatting, and using the knowledge base power you can publish policies out to your entire user base and also limit that viewership if you desire. So if I have certain policies that may be a little more sensitive, you can easily restrict that access down, while other policies like a password policy you can show your entire user base at your company.

Now that we've viewed the policy, there are some cases where we may need to submit a policy exception. You can also delegate this process out to end users or system owners; that way you can get the password policy exception process easily started. So I'll show you on a portal what that could look like as well. We have our policy exception form right here. I'm going to go ahead and select the sample password policy. You can also relate it directly to a control objective or an issue, but maybe as the system owner I don't have that information, so having the policy is good enough. I'll give a short description: maybe our system XYZ is a legacy system that cannot support the policy. We'll then come down here; we can select our valid from and valid to, so I'll select today as the valid from, and then maybe the system is going to be retired end of this year, so I'll select December 31st as the valid to date. I can then go ahead and submit that, and we now have a policy exception submitted into the system.

Now that we have our policy exception submitted, we might need to review it as a policy analyst or policy compliance manager. I'm going to go ahead and impersonate our policy and compliance manager, Adam, again. I can then come over here and pull up our list of all exceptions. We can see our policy exception that was just submitted here. You can get information on who submitted it and who's going to approve it, so in this case the compliance managers group. We can then see the information I entered about that policy. Now as I'm filling this out, I can add a little more information that maybe the end user or system owner wouldn't know, such as the business impact, the schedule of when this will apply, the policy. I can view more information about the policy this is against, and I can then send it off for approval or request more information from that user.

Using ServiceNow as your central repository for policies gives you not only the power to easily publish out policies but also relate them to controls, regulations and your risk rating. Having that integrated risk management system with everything living in one place enables you to do things like easily update your compliance and risk ratings based on policy exceptions as they're approved.

Thank you for listening, and please don't hesitate to comment below or reach out to us with any questions or for assistance improving your company's security and getting maximum value out of ServiceNow.

View original source

https://www.youtube.com/watch?v=zyKUl8qvxws