What’s New for Risk and ESG Products in the Washington D.C. Release
The Washington D.C. platform release is here and with it are some important new enhancements for the ESG product and GRC product portfolio: Integrated Risk Management, Business Continuity Management, Third-party Risk Management, and Privacy Management products. You can see it all in action in the What’s New webinars with live demos on Live on ServiceNow.
Integrated Risk Management
Manage documents on records with OneDrive. Managing documents attached to policies, controls, evidence requests, issues, remediation tasks, indicator tasks, control tests, engagements, and audit tasks is necessary to prove you are adhering to policies and following the appropriate processes and procedures, but it is a manual challenge: a task that involves downloading and/or updating attachments to the above records offline. This lack of a collaborative environment can result in errors and omissions as files and comments are manually merged. Unfortunately, these errors generally come to light during an audit and result in, at best, time-consuming processes to track down information and, at worst, an audit finding.
ServiceNow reduced this friction by introducing the ability to edit, update, and maintain document versions through OneDrive integration. SharePoint integration is also available for collaboration, and Google Drive integration for redlining documents. The ability to share and collaborate on documents improves the timeliness and accuracy of the information within them, ultimately improving the speed and completeness of audit engagements, helping mitigate reputational risk from policy violations and audit findings, and possibly even reducing the risk of a breach.
A feedback and review process for the second line. With more sophisticated attacks and evolving regulations, it is more important than ever to quickly identify potential risks or compliance violations. A flexible, frontline-user-friendly process that allows second-line risk and compliance teams to capture findings and challenge control owners or users ensures that activities that could negatively impact the business are addressed as soon as possible to maintain a strong risk and compliance posture.
Previously, risk and compliance teams had to wait until records were in a specific state to request more information about evidence or to clarify what had been reported. The Review and Feedback capability provides a workflow to raise a challenge in any workflow at any state and have the frontline control owner or user respond. You can think of this as a mini-audit without the control testing workflow, or as assurance by the second line. With this increased flexibility and streamlined risk and compliance processes, the second-line user experience is enhanced and oversight is improved so that potential risks or compliance violations are identified more quickly, while the frontline user experience is maintained at a high level.
The Continuous Authorization and Monitoring application is designed to automate the NIST RMF process for authorizing systems in the U.S. Federal government and other high-maturity frameworks. The Washington release continues to add automation with the ability to auto-create requirements on controls that have been defined at the control objective level. Hybrid controls have been implemented, and NIST 800-53A test templates with Examine, Interview, and Test steps have been added. Auto-creation of test plans and control tests for engagements is now available, in addition to enhancements to support Assessment Objectives while performing control tests.
Continuous Monitoring for CIS 8 and CSA CCM controls. Hybrid environments are common, so you need help mitigating cyber risk and protecting data regardless of where it resides. To help improve cyber and cloud security, we have added support for CIS 8 and CSA CCM controls. We now support the authority document and citations for CIS 8, 171 CIS 8 control objectives, the authority document and citations for CSA CCM 4.0, 197 CSA CCM 4.0 control objectives, and 67 automated indicator templates to monitor CIS v8.0 controls. These indicator templates are also mapped to the related CIS 8 common controls from CSA CCM 4.0, NIST 800-53 Rev5, NIST CSF v1.1, ISO 27001/2, PCI DSS 4.0, etc.
https://www.servicenow.com/community/grc-blog/what-s-new-for-risk-and-esg-products-in-the-washington-d-c/ba-p/2854842