Mitigating Third Party Privacy Risks with ServiceNow®

Import · Nov 15, 2020 · video

Mike: Good morning, good afternoon. It looks like people are still joining, so we're going to give it another minute or two before we get started. Thank you.

Okay, so let's go ahead and get started. Welcome, everyone, and thank you for joining us today for our session on mitigating third-party data privacy risk using ServiceNow. My name is Mike D'Andrea and I'm the GRC advisory solution architect here at Covestic, and I specialize in helping our customers understand how they can leverage their investment in ServiceNow to comply with various privacy laws and regulations. I'm joined today by my colleague Eric Smith, our integrated risk management pre-sales lead and ServiceNow platform solution consultant. Eric, would you please introduce yourself?

Eric: Thanks, Mike. So, Eric Smith, as Mike said. I lead pre-sales here at Covestic. In the last 10 years I've been focused on ServiceNow, most of that time as a business process consultant and a solution architect around governance, risk and compliance, and the 10 years before that, still in IT, but I was in financial services and healthcare, two very privacy-sensitive, very compliance-oriented areas to do business in. I'm really excited to be part of this ServiceNow journey towards IRM; it's great what they've built, and thanks everyone for joining us today so we can learn about vendor risk in particular.

Mike: Okay, thanks, Eric. So today we're going to talk about, and then actually demo, how you can use ServiceNow to manage, monitor and mitigate your third-party data privacy risk. But before getting started, let's take care of some housekeeping. Please submit your questions via the chat window; Eric and I will answer as many as time permits at the end of the session, and if there are any we can't get to today, we'll definitely answer those via email. Also, I want to let you know we are recording today's session, and we will post a copy of the recording along with a copy of the
slides on our website; they're typically up there within 24 hours. And last but not least, just a quick disclaimer: everything we present here today is for informational purposes only. We're going to be talking about privacy laws and regulations, but nothing we say should be construed as constituting legal advice. Also, everyone attending today will be entered into a drawing where you will be eligible to win a $250 Amazon gift card. The drawing is tomorrow and the winner will be notified via email, so please keep an eye out for a notification from our team, and good luck to you all.

So we're going to start off with a high-level overview of third-party data privacy risk, what it is and why it's important, and then we'll talk about how you can leverage ServiceNow to mitigate that risk. Once we lay this conceptual foundation, we'll demo in real time how to set up and conduct vendor risk assessments. This will allow you to see firsthand the kind of interactions your vendor risk managers and assessors, as well as your vendors, should expect to experience when they conduct a risk assessment using ServiceNow Vendor Risk Management. Then we'll wrap up today with our Q&A session. Okay, so let's get started.

Okay, third-party data privacy risk. Well, as you all know, in today's highly competitive global and digital economy, businesses must rely on a network of vendors to provide the products and services they need to generate revenues, to reduce costs, and to help them achieve and maintain a competitive advantage. Even moderately sized businesses often rely on hundreds if not thousands of third-party vendors, and one of the most common types of third-party vendors that businesses rely on are data processing companies. So last year 90% of businesses reported that they relied on vendors to process data on their behalf: all different types of vendors, vendors like payment processors, order processors, credit card processors, data mining and data storage and data destruction services
like Iron Mountain, and even contracted call centers that businesses use to take orders and respond to customer inquiries. So while relying on all these vendors is essential to a business, it also introduces a significant risk. Last year 21% of data breaches were confirmed to be caused by vendors. With the average cost of a data breach at 4.29 million, when a vendor was involved this cost went up by nearly 10 percent to around 4.7 million. Two-thirds of these companies reported seeing a growing number of third-party incidents, and 46 percent acknowledged that managing third-party risk is a priority for them, but only 37 percent said that they had sufficient resources to adequately deal with that risk. So as a result of this under-investment in resources, 50 percent of companies said they didn't have a clear picture or understanding of the nature of their third-party relationships, 43 percent indicated that they lack sufficient knowledge of contract terms and conditions, and 41 percent reported that they don't even monitor vendor risk. So this situation exposes these businesses to significant risk, and this risk is greatly magnified when personal data is involved.

Now, personal data is any information relating to an identifiable individual, and it's commonly referred to by other terms like personal information or PI, or personally identifiable information, PII, or similar terms. While different laws define it differently, personal data includes things like age, marital status, voter registration, social security numbers, bank account numbers, but it also includes things like purchasing preferences and even internet browsing habits. So this information has value not only to your business but also to hackers, and since this information is so personal, any misuse or unauthorized disclosure can cause harm to your customers, like identity theft, financial loss, or even reputational loss. So this constitutes what the Federal
Trade Commission has referred to as an unwarranted invasion of privacy. So to protect individuals from potential harm, governments around the globe have enacted stringent data privacy laws that make businesses that collect and process personal data accountable for safeguarding that data, no matter who does the processing. This means your company can be held legally liable for your vendor's failure to adequately protect the data that they're processing on your behalf. You're probably familiar with the EU's General Data Protection Regulation; it really set the bar for privacy protection worldwide, but if you do business in any of these other jurisdictions, I'm sure you're familiar with their requirements as well.

Now, here in the United States there's really no comprehensive federal data privacy law, and while there are industry-specific federal laws like HIPAA, which has stringent protections for the privacy of personal health care information, personal data protection is largely left to the states. California led the way with the passage of the California Consumer Privacy Act, or the CCPA, and that just went into effect in January of this year, but other states like Nevada and Maine are following suit and have enacted their own laws, and many other states still have their own data privacy bills working their way through their respective state legislatures. Covestic has published a series of blogs on the CCPA as well as on the state of privacy laws across the country, and you can access these on our website at the link shown below.

So what do all these different types of privacy laws have in common? Well, they've got a lot of things in common, but one is that they impose very hefty fines, both civil and criminal fines, for violations, and when that violation is willful, various departments like the Department of Justice in the United States can get involved and bring criminal charges. In addition to that, many of these laws provide for a
private right of action, like the CCPA and HIPAA, and this grants individuals the right to basically sue organizations that fail to protect their personal data. Agencies can get involved, like the FTC, and end up exposing your organization to basically increased government oversight. So these consequences can be significant to your organization.

So what do you do about it? How can you protect your organization from third-party data breaches? Well, it's really a good idea to start with a strategy: a strategy for screening, contracting, monitoring and auditing your vendors. Screening, of course, is your first line of defense, but your vendors must also understand your requirements. You need to make sure that they understand what's expected, and they need to agree to abide by those standards, by your requirements. Then of course the best practice is to continually monitor the vendors to make sure they're doing everything according to contract, as expected of them, and it's always good to conduct audits of the vendors to double check and to basically gain that extra layer of assurance. So basically the idea is to trust but verify. No matter how much you trust a vendor, the best practice is to monitor them, and last year 94% of businesses reported that they trust their vendors explicitly, but only 59% actually assessed their vendors, and fewer yet, only 25%, audited their vendors.

Eric: Yeah, and Mike, when I see these numbers, you know what occurs to me is there's been a tremendous amount of focus here, and rightly so. You've kind of laid out the potential fines; you hinted at some of the potential damages. But those 59% of the businesses, the rest of them are opening themselves up not just to those fines and damages but to reputational risk, which could be massive, and we've seen that happen. And I know it doesn't have to be that hard; you can get something in place. Again, like you said, it starts with a strategy, but you
know, also that 25% of businesses auditing, that to me is just as risky, because you definitely have to inspect what you expect. If you're not auditing, if you're not going back and doing a look-back and seeing how it did, there's no continual improvement: making sure that you're asking the right questions the right way of the right vendors, just inspecting the product, the process itself. So I think the audits can be critical as well.

Mike: Yeah, good point. That's exactly the situation, and we actually saw earlier that the lack of resources makes vendor risk management very challenging for businesses. A common refrain I often hear is along the lines of "so many vendors, so little time", so anything that you can do to enhance the efficiency of the overall vendor risk assessment process, that's a good thing, and this is where ServiceNow comes in and what ServiceNow really excels at. So Eric, you want to tell us a little bit about the ServiceNow Integrated Risk Management suite?

Eric: Yeah, absolutely. So I mentioned at the top I've been working with the ServiceNow GRC application for about 10 years; I think it's actually more like eight or nine years. Back then it had a really good workflow; there was some policy and compliance in place, there was some risk management in place. It was very IT-focused, but these last few years, wow, as ServiceNow has matured towards integrated risk management, it is amazing the application I believe they put together, and others do as well. Third parties, Forrester, Gartner, said the same, as far as completeness of vision and ability to execute: ServiceNow is moving ahead. So what is the application? Well, it's these four areas that you see here. Policy and Compliance, that's kind of the blocking and tackling. So as a business we have external regulations and frameworks that we're subject to. Well,
what are the controls in those regimes and which ones apply to us, and then how do we scope that, if you will, to our organization? What applications, databases, devices, entire services, areas of business are subject to these, and how do we manage that? Well, Policy and Compliance brings all that together in a relatively easy area to manage, so you can have continual compliance. That continual compliance is critical, and ServiceNow does it really well. It's not just "hey, let's see how we're doing today"; it's right there in your face which controls are at risk. There's a lot of good monitoring and reporting to that end.

Risk: initially ServiceNow was primarily just IT risk, but it's really expanded into the business, and there's a lot of great features there to adequately describe a risk so that it can be a part of your strategy to mitigate. The annual loss expectancy, the likelihood to occur, all those things can be measured. And then also, well, what if a risk has happened? That's an issue, it's in our lap, so what are we going to do about it? Well, you can store your strategy to remediate that and go after it. It can also let you know of things that might be vulnerabilities in your IT stack, if you will, and get ahead of those, relate those to risks, so that when you're pulling people into that process everybody knows what the cost of that is. Well, what's the cost of not doing it? Risk can help you understand that.

Audit, the Audit application. What I love about it, there's a few things. One, audits are never fun. I'm sure there's some folks who enjoy them; they might be on this call, I love you for that. But what's always painful is gathering all the right evidence, getting it in a presentable format either for an external auditor or for your internal group, and ServiceNow helps you out with that. There's also some other accelerators, so you can copy a previous audit: it had all
the right tasks, it had all the right process flow, it had all the right requests in it, let's go ahead and leverage that audit for a new audit, change the assignees and move on. ServiceNow can help you accelerate your audits by making things repeatable.

And then Vendor Risk, which I won't belabor too much because we're going to be seeing it today, but the Vendor Risk Management application, what I really like about it is that it's been built with the vendor in mind. In order for all this to work it has to be relatively easy for the vendor to respond to; they've got a day job too, but we need our information. So ServiceNow provides a portal and a really good framework, that Mike's going to show you, to get those vendor responses very easily.

Mike: Okay, great, thanks, Eric. I just want to reiterate that all these applications are fully integrated out of the box, and we'll see how this integration can be leveraged when doing vendor risk assessments here momentarily when we start to demo. But before diving into the demo, I just want to do a quick synopsis of how vendor risk assessments are created in ServiceNow, and this will hopefully help make the demo much more meaningful. So the main thing you need to understand is that vendor risk assessments are really built from the bottom up. You start by creating a library of questionnaires and document templates. Typically, for example, you might have different questionnaires for different types of vendors: you might have one questionnaire for a hardware vendor, another set of questions for a software vendor, and yet another set of questions for a data processing vendor. Same thing with the document templates: you may request different documents from different types of vendors. So you've created your library of questionnaires and document templates, and then you draw upon these resources to create different types of assessment templates. For example, you might want to assess your strategic partners differently
than you would assess, say, your just-in-time product suppliers. So the idea is you create your library of templates that you would use for assessing different types of vendors, and then to actually assess a particular vendor you would just pull that assessment and associate it with the vendor. So here we see that you take this assessment template, which is comprised of questionnaire templates and document request templates, and you assign it to a vendor. In today's demo we're going to be using a fictional vendor called Data Now, so you associate this assessment template with the vendor Data Now and you send it; that creates the vendor risk assessment, and you submit that to the vendor.

Okay, now once that assessment is submitted to the vendor, it's immediately available in the vendor portal, and the vendor has access to this portal. So the vendor can come in, open the assessment, review the questions, respond to the questions, provide any documentation that's necessary, and then return that to your vendor risk assessors. Then your assessors can review the responses and generate any observations or issues, and can assign those back to the vendor to address. Then the vendor will address those issues and complete any tasks that are assigned to them, and then return the assessment back to the assessor. So all communications between your organization and the vendor take place in this vendor portal, and they take place in real time or near real time.

So with that, let's go ahead and see what all this looks like in the actual ServiceNow application. Okay, so here's our Covestic instance of ServiceNow, and we are running the Paris release. You see here in my favorites folder I have the IRM suite of applications: Policy and Compliance, Vendor Risk Management, Audit and Risk, and of course this is only one suite of all the multiple products available from ServiceNow. So let's go ahead and
jump right into our Vendor Risk Management application. The first thing I'm going to do is go into my vendor portfolio and find my record; I'm going to bring up the record for Data Now. So I bring up the record for Data Now, I open up the vendor record, and the first thing I see is I get a little message up here reminding me that this particular vendor is scored using a default scoring rule, which is available out of the box with Vendor Risk Management. Of course you can build your own scoring rules if you prefer a different methodology. But what we see here at the top of the record is just some general information about the vendor: name, website. We see it's a data processing vendor that provides technical services. Over here we see that we've rated this vendor before and it turned out to be a minor rating, and this is good because this is a critical vendor that's a valued partner. Then down here we have a little bit of information about the vendor, and we're told that this vendor processes and reports on data collected from two of our very important systems, our officer call system and our customer loyalty program. Here in the middle section we have some additional information about the vendor, and what I really want to draw your attention to are these tabs down here. These tabs in ServiceNow are referred to as related lists, and they show information that is relevant to this particular vendor. This information can be stored anywhere in the enterprise, throughout the ServiceNow database.

So, vendor agreements. Well, we saw earlier that one of the issues that vendor managers reported last year was that they lack visibility into the terms and conditions of the vendor contract, and so the vendor risk manager can just come here, open up that record and see the actual data processing agreement. Now here we have a hard copy of the agreement attached, so the vendor risk manager can download it, look at it,
but because this vendor was a critical vendor we actually cited all the sections of this particular contract, and so we see that there's 15, how many are there, 14 sets of provisions for this particular vendor, and for each of these provisions we've associated control objectives so that our policy and compliance division can make sure that this vendor is complying with all of our internal requirements. So we get a full view, high visibility into this vendor and what the different requirements of this vendor are.

Okay, so let's jump back to our business services. Well, we saw earlier here that this vendor processes data that's generated from our officer call system and our customer loyalty program. When you're defining an assessment for a vendor, it's good information to know, and so you can come in here and take a quick look at what that particular process is within your organization. You can read all about it, and that will help you in defining what types of templates to use or what types of questions to ask that particular vendor.

Our next list is the vendor contacts. Now, there are two types of vendor contacts in ServiceNow: one is a primary contact and the other is a secondary contact. Anybody who's a vendor contact can go into the vendor portal and respond to the questions, complete various sections of the questionnaire, or provide documents, but the primary contacts have additional capabilities. The primary vendor contact can manage the secondary accounts within their organization, so this means that the primary contact has the capability of creating user accounts for that secondary contact to access the vendor portal. This takes the responsibility of managing a large number of accounts and puts it in the hands of the vendor rather than in your hands, so this means you can be freed up
from getting calls saying "hey, I forgot my password"; instead the primary contact at the vendor's location handles all that account management.

Assessments: we're going to come back to this in a minute because that's going to be the heart of our demo. Vendor risk issues: so if we do an assessment and we find that there are issues related to that assessment that we want to have the vendor remediate, or maybe there are issues that we'll run by our internal team, like maybe the security team, to see if we can accept that issue, those issues would be listed in this list, and we see we don't have any now, which is a good thing. Similarly with tasks: if on reviewing an assessment we assign tasks back to the vendor to complete or to perform, those tasks would be listed here and we could track the progress of those. Now these last three tabs, risks, controls and audits, they're related to the other three primary applications in the Integrated Risk Management suite: Risk Management, Policy and Compliance, and Audit. The risks just show the risks that apply to this vendor, that we're monitoring this vendor for, and one of those risks is "the vendor discloses personal information". Then controls: now these are actual controls that are specific to this vendor, and you can see we have 97 of them. This is close; they pretty much match up to the control objectives we saw for the vendor that we wanted the vendor to comply with. And then audit tasks: if an audit were being conducted against this vendor, perhaps the auditor will assign a task to the vendor saying "hey, I need some more information" or "can you provide certain details for me"; those tasks that the auditor assigns would appear here. So all this information is readily available to the vendor risk manager.

Okay, so now I'm going to go ahead and look at our history of assessments. So we see here four
assessments, and we see they're all closed and completed. The primary one, this first one, we titled the 2019 annual data privacy full risk assessment, so this is a pretty comprehensive assessment, and then each quarter of the year we created a quick assessment that focused more on just the privacy provisions. So I'm going to open up one of these. I'm not going to reopen it, in essence, but I just want you to see what this particular assessment is comprised of. We're not reopening this; we can just revisit this assessment and take a look at it. Okay, so we see that this assessment was comprised of a questionnaire and a document request. As we had pointed out earlier, that's how you build assessments. The questionnaire that we used for this particular assessment was called our data privacy full questionnaire, and our document request was our data privacy documentation request. So those were the primary components of our annual privacy assessment. Now let's look at one of our quarterly ones; we'll just grab any of them, and down here we'll see that our questionnaire template is different. We used a different questionnaire, called the data privacy quick questionnaire, for this particular quarterly assessment, but we used the same data privacy document request. So as I was saying earlier in the slides, you create these repositories of templates and then you can combine them in any combination that you need that's appropriate for the vendor.

Actually, let's go out and take a look at that repository. So if I come over here to my assessment setup module, I have questionnaire templates, assessment templates and document request templates. I'm going to go in and open up our questionnaire templates, and you can see that I have our two data privacy questionnaires defined here, our full and our quick, and again I can use those with any vendor or I can combine them in different ways. I
don't need to send, for example, a document request if I don't want to, or I don't need to send a questionnaire if I don't want to, but I need to send one or the other. And here you see all these questionnaires; these are the SIG questionnaires, the Standard Information Gathering questionnaires. That is pretty much a standard that's used widely; it's produced by the Santa Fe Group, and ServiceNow actually has a built-in integration that allows you to integrate to these questionnaires. So if your organization uses the SIG questionnaires, they're readily available in ServiceNow; you don't have to build your own integration, they're there.

Okay, so I'm going to open up this data privacy full questionnaire to just show you how comprehensive it is. So we have 16 metric categories, and what that means is we have 16 different categories of questions. We have some general demographic questions, and down here we have questions related to backup and recovery, data privacy, etc., and we have a couple of groups of those. So that gives you an idea of how comprehensive you can make your questionnaires, and each of those question categories has individual questions, of course. Okay, and now the data privacy quick questionnaire: if we open that, we see it only has one category of questions, just our quick questions, and so if I open that up I can see the questions that we asked in that category. You can see most of them are yes or no questions; there's a few multiple selection questions. These questions where you see numbers over here, that indicates that this question is dependent on the response to a previous question, so you can kind of stack and nest questions in your questionnaire.

In fact, what I'm going to do is come back over here and actually show you how easy it is to create these templates. We're talking about templates being the fundamental building blocks of building these
assessments, so it's important to understand that ServiceNow provides a way to really expedite the creation of these templates. So I'm going to go ahead and click this New Designer button here, and what that does is it brings up this blank canvas and a palette of different types of questions that I can use to design my questionnaire, and I can do this all within ServiceNow; I don't have to do it in another application and import it. So I'll just show you how easy this is. I'm going to grab a boolean question, I'll bring that over here, and all you do is you click on this gear and you go in and you type in your question. Let's say I'm making something simple: "Can you answer this question?" Okay, and we see that the type is boolean and it's active, and we can make it mandatory if we want to. We can also allow the addition of information, and there's different types of boolean; the default is checkbox, but we want this to be a yes/no question, so we're going to go ahead and select yes/no. And then down here, oh, here's the mandatory box I meant to point out to you, and then down here is where you specify the correct answer. So we're going to specify that we want the vendor to answer yes to this, and this is very important, because what happens is, by you telling ServiceNow what the proper answer to the question is, then when the assessment is completed and returned you can have ServiceNow do all the work for you. ServiceNow can open up the assessment and generate any issues, any observations, for questions that are not answered as expected. So it's really that simple to create a question.

Then any question you create, whether in the designer or anywhere else in your questionnaires, you can store those in the ServiceNow question bank, so that means you can reuse those. So I can come in here to my question bank and I can scroll through all these questions and I can say "hey, I want to use this question again" and then just modify it so it
fits your particular assessment. But then you can grab an entire category of questions too, so you can come down here and say "okay, I just want to ask this bunch of general questions", so you can bring the whole category over. So that's how quickly and how easily you can create and design your own templates. Another really cool feature of this is that you can then preview the assessment that you've designed to see what the vendor is going to see, and not only that, but you can actually go through and respond to the questionnaire so that you can make sure that it's functioning the way that you want it to function. So again, that's how quickly you can create these assessment templates. So I'm going to go ahead and close that out, I'm not going to save this, and we'll go back and we'll actually do an assessment.

So now let's go back into our vendor record and navigate back to my Data Now. We'll open that and we'll jump right down to our assessments, and we're going to go ahead and create an assessment and send it to the vendor and have the vendor respond to it. So we'll do another quick assessment, and we do that by simply clicking New. Then I prefer to just immediately grab the assessment that we want to perform, so we want to do another data privacy quick assessment, so we grab that template. ServiceNow automatically titles it, but we're going to change it; we'll call it 2020 Q4 and we'll just do a little edit on the title, privacy quick risk assessment, and that's it. So once we've done that, then all we do is save it and ServiceNow will automatically pull in the questionnaires associated with that template, so we see that we've gotten our data privacy quick questionnaire as well as our document request. So at this point all we do is submit it to the vendor. Once we submit it to the vendor, then I can go in as a vendor and bring up my vendor portal. Let's refresh this. Okay, so as
the vendor i come in and you know i'm either the primary contact or the secondary contact but i i come in and i can see that hey i have this new assessment waiting for me and i also see that i have four assessments that i completed in the past so let's just jump in and take this assessment so i open the assessment and we see that it consists of our data privacy quick questionnaire as well as our data privacy documentation request and we're going to go in and we're going to just go in and look at it okay so here's our questionnaire so we have 10 questions which we saw earlier so let's just uh let's just go through it so these are tip this is this would be like a sampling these questions that we're using here for demo purposes are sort of a sampling of the types of questions that you may ask your vendors so does your organization have a data protection office or similar role well we'll say yes we do and does your organization incorporate privacy by design we'll say yeah that's best practice we'll definitely do that and does your organization have and maintain an inventory of systems yes we do that um has your organization suffered a breach within the past two years well let's say yeah unfortunately we we had a while back um does your organization conduct security awareness training yeah good practice does an organization do you comply with global privacy regulations now here's an example of those nested questions so if i answer yes i can be presented with a list of um choices and multiple choices and so i can say um yeah i comply with gdpr and maybe papita and maybe ccpa or maybe i don't and or if i if there's another one i can click other and then i get to type in the name of the other organ other regulation that i comply with so similar question does your organization adhere to any privacy standards so we can say yes i uh we comply with the nist privacy framework or maybe this cyber security framework or pci or we can indicate any others that we may comply with and 
that as you saw those you know you can mess these questions continuously okay so have you recently conducted a pia privacy impact assessment yes we have and you have processes in place to immediately notify us of any data breaches and we'll say yes we do and does your organization contract out to any any part of the data processing we'll say yeah we do that we use a fourth party data service provider so that's how quick quickly you can do an assessment we just save that then we exit and then we confirm that we want to save and exit the questionnaire and now we can go into the document request oh by the way we could parse this out so for example if we wanted eric to do this part we could remove mic from that and same down here we could remove uh say if we want we can remove eric and then mike would be responsible this allows you to complete the assessment in in parallel you don't have to do it in a serial manner and the wii here is the the vendor right mike so the the vendor could actually say hey mike you take this part hey eric you take this part right yes thank you eric yeah that's exactly like that's exactly the case this this is managed these are um the vendor contacts and these are managed by the primary contact and as i said you can add multiple secondary contacts for example in that full privacy assessment we saw that it had like 15 different categories of questions well the primary contact can come in look at each of those categories and assign those categories to different people within their organization to complete so so as i said everything can be could be done in parallel okay thanks eric okay so data privacy document requests so on the document request we're asking for three different documents first we're saying hey do you have a sock or a sock too and we'll say yeah we have that and we can attach that so we can come out here very simply select the attachment and submit it to the vendor okay do you have a data breach response report yes we have that 
and again these this is the idea of the subsidiary or not dependent questions and so um we can go ahead and attach our data breach notification plan and then the last question is is do you have a information security plan yeah and we may want to share it or we may not but in this case we're going to say yeah we'll go ahead and share that with the organization so okay so now we've provided all the documentation that has been requested so i'm going to go ahead and save that and then exit and close out these informational messages and so then you see that the the assessment is in progress and that we have answered all the questions and provided all the documents that have been uh requested so now we're done and we go ahead and we submit the assessment back to the vendor so i click this and we submit okay so now what does the vendor risk manager sees back at your organization okay so the vendor risk assessor is notified that responses have been received and we'll emulate that here by simply reloading this form and we see that the state has moved to responses received and down here we have our document request and we see it's 100 percent completed the vendor has completed it we can view the responses that the vendor submitted so we can load those and we can see okay here's what the vendor provided to us here's how they've responded and we can see that they attach these documents but we'll go over into the questionnaire see you know how did this vendor respond on this questionnaire so we come over here and same situation okay they're 100 complete um for those larger assessments that have multiple sections in it as the vendor completes a section that's reported immediately to the risk assessor so that gives your risk assessor's insight your vendor risk assessor's insight into the progress that the vendor is making on completing the questionnaire okay so we can come in here and we can view the responses so we go in and say oh okay so this is what the vendor how the vendor 
replied yes and and as we look at each question we have some options and one option is that we can flag this question for follow-up we might want to come back to it later we might want to have the vendor follow up on it we can say we want to create an issue regarding how they responded here and so we can click click this check box to include this question when we generate the issues and we'll do that when we're finished our evaluation by coming up in here and clicking create issues so we go down and one of the other things we can do is to communicate back to vendor we can just add a comment about this and we can type in information any comments we have back to the vendor and that will appear on the vendor portal so this is one way of doing it this is manual this is a manual way of um reviewing the results of what the vendor submitted but there's another way you know and the other way is to let servicenow do the work for you you know remember earlier i mentioned when i was showing how you um create a boolean question a yes or no question how you you indicate the correct answer and this is where that comes into play because servicenow when i click generate observation service now will do exactly that it'll go through it and indicate any generate any observations of things we weren't expecting and those show up right here and this is what happened remember before we didn't have any issues now as soon as i said generate observations servicenow said okay here's two things you need to take a look at and so these are the issues that servicenow generates and then we can open these issues and review them and we can make recommendations you know we can say okay let's see here what's the issue and we can come in and we can say let's go ahead and accept this issue or let's require the vendor to remediate it or let's let's let's ask for more information so we have some choices here what we can do uh for right now i'm not going to do anything okay so we do have those now what's 
once we once we said generate observations servicenow did something else servicenow pulled into 10 controls that are related to these 10 questions that appeared on the questionnaire and it showed the prior uh status of those questions these questions were all compliant previously okay so that gives you insight into the current status of those controls so we're not going to do anything we're just going to finalize this with the vendor we're not going to ask we're not going to remediate anything for right now for demo purposes and when we finalize the vendor we have two issues open right we had those two findings those two observations and so because of that as soon as we said okay let's finalize this assessment service now automatically flipped a bit on those controls indicating that they those controls are no longer compliant so in a nutshell you these assessments are very easy to create you can have servicenow do most of the evaluation work for you and they basically just really expedite um the the overall process um making making everything much much more efficient and not only that but you can also come in and you can automate the whole the whole thing so you can set up these assessments so that they run automatically on some periodic basis you can come in and define what's called a repeating assessment and then you can say okay i want this assessment to run automatically every 12-13 months and that's totally up to you as to the uh you know how you can have them run every quarter whatever you prefer so basically that that kind of concludes our demo today um so eric yeah uh thanks mike so i i think you you kind of showcased the efficiencies it can build but you know definitely want to still underscore the integration capabilities if you've got data that you're relying on elsewhere servicenow plays really nice with others and also it's very configurable so mike showed you a fairly baseline view if you will uh unconfigured view if you will for the most part he 
added some data for the demo um but he kind of used servicenow the way it was um well you don't have to do that um you know we definitely don't encourage uh configuration for configuration safe we prefer to stick more on the side of uh you know uh you know the base use it using what's there adopt versus adapt if you will versus customizing it extensively but there are options if you want to form a little bit more simplified our business does xyz before an assessment is sent you can build in a workflow in front of it lots of options uh so mike i think we want to kind of we got some great questions i want to get to so i'm gonna i'm gonna go through this pretty quickly but you know to sum up um regulators made it clear that you are responsible for the data you collect you can't contract away your responsibility or accountability and if a vendor has a breach and they're your vendor that's now your breach so with that uh just briefly want to kind of summarize what mike showed you how to set up your vendors and your vendor portfolio little advertisement there uh the person your company who's responsible for choosing vendors may be nice to know that when you do this you've done a good bit of their work for vendor performance management a different application in servicenow but it helps people helps companies choose vendors that align uh either you know the capabilities the responsiveness strategic alignment etc uh vendor assessments we covered that and how easy they can be to build uh the intent was for ultimately the business uh to be able to manage some of this uh there's definitely things we can help you configure upfront and i highly recommend it having somebody like mike who's been a practitioner and folks like our you know our technical resources who have done this before helping you out we saw the vendor portal briefly and how basic streamline that is servicenow has been investing in making that even better and expanding its capabilities um we touched briefly on 
well vendor has an issue now what uh the the remediation steps that are in there and here again you can attach your own workflow to that and then also we we saw some of the um sweet integration capabilities like one of the tabs you saw was audit you know you start collecting evidence for an audit so mike with that let's get to our questions several of them came in uh this one came in early and then you kind of covered at the end but i want to put it back in front of you just in case there was any nuance you wanted to offer can you schedule assessments to occur periodically yes absolutely that's um what i just was touching on um briefly was the ability to set up uh repeating assessments and again you can define an assessment and then you can schedule it to uh repeat at a you know regular periodicity outstanding okay rapid fire because we get a lot of questions i'm going to take some of these and i'm going to point some of you um this is kind of for both of us but i want to take you want you to take it first uh can this be tied into my done and bradstreet data oh that's really a good question and i'm glad you asked because yes the answer is yes you can tie you can tie the vendor risk management application into various business evaluation data so that when let's say the dun and bradstreet report comes in and it indicates uh that the vendor should change it makes us reevaluate the vendor and assign the vendor to a different tier and when we do that when we change that tier then we can set you can set up vendor risk management to then automatically trigger a new assessment that's appropriate for that tier and again that can all be automated so that as soon as the um new that as soon as the tier changes uh the auto the um assessment can be generated and sent to the vendor outstanding and we've done a lot of other stuff lexisnexis several other you know data repositories we've done a lot of integrations here uh into the grc suite uh give us a call with you know your 
specific use cases and we're gonna help you out with that i'm gonna take the next two mike because i i got a quick answer um is the vendor agreement mapping process manual or does the product scan the contract for the controls uh no unfortunately there isn't that level of magic automation uh with all the natural language investment the servicenow has been making i can definitely picture it coming in the future um so it is it is manual but easy you can say that these are my data processing vendors and these are the controls that apply to those relate those to the vendor but i also want to point out there's another easy button that's policies we said policy compliance policies are your internal policies but they relate to external frameworks or they can and they're a great aggregator so you can say that this policy applies to my data processing vendors uh and as soon as you make that relationship in the background um then all those controls come along for the ride so several different ways to do that um wait another question is it possible to have the questions side by side like two columns on the questionnaire this is for the assessment um the the assessment designer uh the the wysiwyg that mike showed you it's single column uh and that's you know just ease of use that was the intent uh predictability so no one has three columns or five columns that was happening you know to a lot of servicenow instances uh when the survey feature first started coming out so servicenow paired back on that um you know if there's a explicit use case there though uh there are other ways to build out those assessments that aren't that designer and uh we can i'm sure address those needs for you uh it is still just a survey in the background um is there a shared assessment inventory of sig responses of vendors so yes servicenow uh has sig and sig lite available as well as several other flavors mike anything you want to add there on repository of questions no no that's uh that pretty much 
covers it um again you can you know as i said you can build out your own repositories and you can store questions in the question bank and then draw upon those to to as needed outstanding and we're at our time i do want to call out one more it was more of a comment than a question that we got um on average a publicly traded company can anticipate uh 20 market hitting valuation due to breach yes whoever sent that in you're awesome and that is the truth i'd almost say maybe it could be higher than 20 but i don't want to call out any company names just go out and search you know company data breach uh read those stories of what happened after they got hit with their fines how'd their share price get impacted uh how'd the revenue get impacted it does happen don't let it be you um so give us a call uh servicenow covastic is our email uh covestic.com is our our website um go ahead and link up with us on linkedin uh follow us on twitter we have a lot of great content around grc coming out all the time thanks to mike so everyone thank you for your time today really appreciate your attendance and uh great questions uh enjoy your day okay thank you very much everybody you
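The demo narrates two pieces of logic worth seeing spelled out: each question carries an expected answer, and responses that do not match become observations; and finalizing an assessment while observations are still open flips the linked controls to non-compliant. The Python below is an added illustration of that logic written for this page; it is not ServiceNow code and does not use the ServiceNow API. The question texts are taken from the demo, but the control identifiers, the vendor responses and the data structures are constructed assumptions.

```python
"""Constructed model of the assessment evaluation logic narrated in the demo.
Not ServiceNow code: question ids, control ids and responses are invented."""
from dataclasses import dataclass


@dataclass
class Question:
    qid: str
    text: str
    expected: str      # the "correct answer" set in the designer
    control: str       # hypothetical control linked to this question
    mandatory: bool = True


@dataclass
class Observation:
    qid: str
    control: str
    detail: str
    state: str = "open"   # open | accepted | remediate | info_requested


# Questions from the demo; expected answers and control ids are assumptions.
QUESTIONS = [
    Question("q1", "Does your organization have a data protection officer or similar role?", "yes", "CTRL-DPO"),
    Question("q2", "Has your organization suffered a breach within the past two years?", "no", "CTRL-IR"),
    Question("q3", "Does your organization conduct security awareness training?", "yes", "CTRL-TRAIN"),
    Question("q4", "Do you have processes in place to notify us of any data breaches?", "yes", "CTRL-NOTIFY"),
    Question("q5", "Does your organization contract out any part of the data processing?", "no", "CTRL-4TH"),
]

# Constructed vendor responses mirroring the demo walkthrough
# (a breach was admitted and a fourth party is used).
VENDOR_RESPONSES = {"q1": "Yes", "q2": "Yes", "q3": "Yes", "q4": "Yes", "q5": "Yes"}

# Prior control status, all compliant before this assessment (as in the demo).
CONTROLS = {q.control: "compliant" for q in QUESTIONS}


def generate_observations(questions, responses):
    """Return one Observation per question whose answer differs from the
    expected answer. Unanswered mandatory questions are flagged as well."""
    observations = []
    for q in questions:
        answer = responses.get(q.qid)
        if answer is None:
            if q.mandatory:
                observations.append(Observation(q.qid, q.control, f"{q.text!r} not answered"))
            continue
        if answer.strip().lower() != q.expected.lower():
            observations.append(Observation(
                q.qid, q.control, f"{q.text!r}: expected {q.expected}, got {answer}"))
    return observations


def finalize(controls, observations):
    """Finalize the assessment: every control linked to a still-open
    observation is marked non-compliant. Observations the assessor has
    accepted (or otherwise moved out of 'open') leave the control untouched.
    Returns a new status map; the input is not modified."""
    status = dict(controls)
    for obs in observations:
        if obs.state == "open":
            status[obs.control] = "non_compliant"
    return status


def run_assessment(questions, responses, controls):
    """Convenience wrapper: evaluate responses and finalize in one step."""
    observations = generate_observations(questions, responses)
    return observations, finalize(controls, observations)


if __name__ == "__main__":
    obs, status = run_assessment(QUESTIONS, VENDOR_RESPONSES, CONTROLS)
    for o in obs:
        print("OBSERVATION", o.qid, o.control, o.detail)
    for ctrl, st in status.items():
        print(ctrl, st)
```

Running it against the constructed responses yields two observations (the admitted breach and the fourth-party processing), and finalizing flips exactly those two controls to non-compliant while the rest stay compliant. Changing an observation's state to accepted before finalizing leaves its control compliant, which is the "accept this issue" choice the demo mentions.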

View original source

https://www.youtube.com/watch?v=nixZa2eEcps