Third-Party Risks: Pressing Problems Facing Global Governments (webinar transcript)
Teresa: We're going to talk today about third parties, and I am so excited to be here with two of my favorite co-workers. I said that last week also, because I have lots of favorite co-workers, but these are truly my favorite co-workers: Brian Myers and Kristen Ketchum. Brian, do you want to introduce yourself?

Brian: Thanks, Teresa. Good to be your favorite this week. I'm Brian Myers. I'm a risk solutions specialist; I work on the federal side, and I've been doing this for ServiceNow for about four and a half years. Kristen?

Kristen: Yeah, hey everybody. Kristen Ketchum, solutions architect, primarily focused on risk within the federal space as well. And I think I am definitely Teresa's favorite, because she's worked with me the longest, about years now.

Teresa: This is true, this is true. And we are here to talk about third-party risks, pressing problems facing global governments. We've had something exciting happen, or exciting but not good, this last week that we're going to be talking about here too, so stick around, everybody. Before we get into it, however, there are a couple of housekeeping things I have to go through. You have been automatically placed on mute, but if you look at the very bottom you'll see a little Q&A panel down there. We want to get your questions answered and make this informative, so please use the Q&A panel and one of us will answer your questions for you. We're going to hold questions for the most part until the very end to make sure we get through all the material, so don't think that we're ignoring you if we don't answer your question immediately, live. The session will be recorded and it will be out on our YouTube playlist in about 24 to 48 hours. I will be putting in the chat panel the links to the YouTube playlist and also the links to other webinars, because we have some really good webinars coming up as we introduce our new release this next month. After the session you will be prompted to fill out a short survey. We do appreciate you doing that; it does help us come up with other ideas for webinars that you want to see. And with that, I am going to pass it over to Brian, who is going to kick us off talking about third-party risks.

Brian: Thanks, Teresa. Great to be here, everybody; I appreciate you spending a few minutes with us today. What we really want to talk about today is how we seamlessly embed third-party risk management into the digital experience that you might already have with ServiceNow, or can have with ServiceNow. The way we're going to do that: we're going to talk a little bit about the challenges Teresa alluded to, talk a little bit about our platform, then how the third-party risk management application sits in there. Kristen is going to do an outstanding demo of TPRM, and then at the end what I'd like to do is talk a little bit about Executive Order 14028 and how ServiceNow might be able to help with that.

So with that, I'm going to get started. Third-party risk management, like all risk management and all compliance pieces, is really about reducing the effect if something bad happens to an organization, and "bad" in the supply chain is said to be getting worse. Snyk has a report out saying we're going to be at $60 billion of threat in 2025. ReversingLabs did their prediction of a 1300% increase over the past three years. And of course we're all living through what happened last week, when CrowdStrike had an effect on Microsoft systems and CISA came out and tried to help everybody. So we're here, we're actually going through this, and I think a third-party risk management system is going to be really critical.

On the federal side, NIST helps us some and CISA helps us some. NIST has Special Publication 800-161 and 8276. CISA has put together supply chain risk management for ICT, where they've developed the hardware bill of materials and software bill of materials that are really feeding into 14028 and how we can make that most effective, and CISA has also put a leader guide on their website. So you can see they've given you a way to get through this. But in federal third-party risk management it's a team sport. Starting at the top, the administration puts out those executive orders; OMB follows up with directives to agencies; operational divisions and departments then consolidate the information coming up from the agencies and OpDivs, but also push down those policies; the agencies and OpDivs take that department policy and have to adjust it and refine it so it fits into their mission framework at the agency. Then we've got the first line, second line and third line of defense. This is a best-practices way of looking at how you do it: basically it's the operations at the bottom who are using the third party, risk management in the middle, and then the compliance piece, how do we make sure that we're doing the right things across the organization, in that third line of defense.

ServiceNow as a platform is in use across the federal government and in a lot of the Fortune 500 and Fortune 100, and we think it's all about the platform: that single data model, that single architecture. For our federal customers it's that FedRAMP High cloud that gives you that set of controls to get you started and ensures your availability and your security are where they need to be. But that platform is really about delivering your mission: being able to meet your mission requirements, increase your employee satisfaction and productivity, digitize processes so you can be more effective, and add automation all the way across the board. Your mission success is why that platform really is there, and it connects to just about any system that you have across your organization. To that we add a lot of pre-built and custom workflow: the ability to connect to your customers, connect to your employees, connect finance, supply chain and technology workflows. We have a service called ServiceNow Impact that helps you use this tool the best way possible.

When I'm talking about risk and compliance management, audit management and resiliency, it kind of sits between that very powerful platform and all of the mission space that you have, because there's risk in all of those, there's compliance in all of those, and there are audit requirements across all of those, and of course resiliency is what we're talking about today. Like I said, it's a team sport to get into third-party risk management, and all of those things in the green box, IT, security, customer service, all have a function inside of that third-party risk management. So how do you then connect all of those internal systems and people who need those capabilities with the external providers of those products, services, or even people that come in and help your organization meet those mission requirements? That's really what we're going to be talking about today.

We see the life cycle of third-party risk management from onboarding: how do we determine that inherent risk, doing those assessments, determining findings, bringing in information from external sources, looking across remediations, being able to report risks, and developing the best practices for your organization on this platform. But for us it's all about workflows: being able to break these things down into individual bite-size pieces that we can then look to automation to really drive forward your processes, ensure that everyone across the board knows where you are inside the process, and make those processes as efficient and effective as possible. And with that I'm going to turn it over to Kristen, who's going to run us through the platform and help us understand how this works.

Kristen: Thanks, Brian. Let me go ahead. Are you guys able to see my screen? "We can." Perfect. All right, so let's jump into this demonstration. You are looking at the Vendor Management workspace. The workspaces are great for a holistic view of everything that would be going on with your program, essentially seeing at a high level, program-wide, all of the third parties that you may be managing. You have access directly to see them, and any type of engagement that you're doing, so if you have a tier one and under that tier there are subsidiaries, you can come in there and manage them from an engagement perspective. Quick actions on your right-hand side: that is going to be everything about workflow, so any time you see quick actions in ServiceNow, think workflow. It will kick off any of these particular tasks, so you have it right at your fingertips. Below that we're going to get into some of the responses that are coming back in, whether that be risk ratings by our third parties or top risk areas. Know that any of these types of dashboards that you see in ServiceNow can be configured based on the data that you want to see, so if you have top risk areas outside of what we're providing out of the box, you can absolutely add those. Then any type of issues that you may be managing with those individual third-party suppliers and partners, that's going to show as well, and then any unknown fourth parties, and your fourth parties specifically. All of that is in one easy place to see.

Now if you notice on the left-hand side of the screen we have different tabs over here, and we're going to start jumping into some of these. We're going to really get into that initial onboarding piece, but we're going to hit all of these as we go through. So let's jump into due diligence. The first thing that we really need to do is make sure: do we even want to do business with these particular suppliers? We've created this out-of-the-box workflow. You're seeing any active new requests come in, and you'll have any new requests, the inherent risk questionnaire that's going to go out, due diligence, as well as the approval process, and then if you bring in that contract risk perspective, and then final review. So again, this is your workflow from a due diligence perspective.

This morning I went in and I created one, so you're seeing that right here, this first item; you can see that I created it over on the right this morning. Let's take a look at what this is going to look like. When I jump in, you can see essentially once you start this it will create a risk assessment, that inherent risk assessment, that's going to be automatically sent out. Now where did this come from? That's where we're going to get into it, because this had to come from somebody out in the business that wanted to say, hey, I need to do business with somebody, maybe that's for consulting, or maybe I need new software or hardware, whatever the case may be. We're going to jump into that; this is where that's going to start kicking off. You can also see, as I build my vendors in here, those risk intelligence scores. If you have any of these providers, whether it's BitSight, RapidRatings, UpGuard, SecurityScorecard, any of those, you can do those out-of-the-box integrations and have those scores start driving in. That's going to help you understand maybe what type of assessment you want to send out.

So let's see how this actually came in. I created it, but again this is coming from your outside business areas. If I go in here, I'm going to go in as a business first line, and they're going to go to a portal. That could be an existing service portal that you're using, or you may be using the Employee Center, which is what you're seeing here. That's your one-stop shop. As these folks log into these portals, traditionally people are going out here and they might be creating, hey, I need a laptop, or something's broken. That's the type of portal they would go to to say, hey, I need a new third party to come in. You can come in and see that one of my favorites is right here; it's just a service catalog item, so you can create these different types of questionnaires based on your requirements. If I want to go in here and onboard a new engagement, I could see, is there someone already here that I've been doing business with? Yes. And you also have the option, if somebody's not there, to add in that information. So we would go through all of this information, start filling it out, and then who's going to respond to that questionnaire. These are the things that I did to generate that screen that you had just seen previously, so all of these things can be configured by you. They would come down here; you can use "same as," and it's going to bring information in, because we were using an existing third party. Again, just different types of questions initially that we're going to start asking. Will this third party have access to data? Well, I did a consulting one, so I'm going to say yes. Will they impact operations? No, because they're not going to be working in production, for example. Again, whatever questions you have, they can go out here and submit it, and it comes back to you. That's where you analyze it from that first screen we were at and create that questionnaire.

Now what does that questionnaire look like? Let's take a step back, go up here to the top, and go back to home. We'll leave this for now. Again, any of the folks that are coming out to these portals and getting work are going to get notifications in their inbox. So the first line will get a notification that says, hey, they submitted that initial request, you did what you needed to do, and you're going to send them back out an initial questionnaire. You can see we've got a survey down here; it would have taken him to this. We've got it due in 30 days, we're going to get started on this, and then we'll come through and ask different types of questions. Again, these questions can be based on anything that you need, so keep that in mind as you go through: anything in ServiceNow can be configured. We're not going to go through this, just from a timing perspective, but you can see down here that I can submit it, or I could save it and come back later, because this one has several questions that they're going to go through to be answered.

If we transition back, let's go back to the first line. That would come back, and from that area you would go into the due diligence part of this. In that we're going to take a look at tasks. You are able to see everything within the workspaces; I'm going to take a different view. I could do it right there, I could go to due diligence and pick up any of those, but let's take a look at the tasks. This is all of the tasks that you may have going on, so you know that we've got due diligence here, we've got other issues; again, it's a single pane to see all of those issues and tasks that we may be managing. If we go in here and pick up Payroll Support as an example, you can see that that was that existing inherent risk assessment that we did, and now we're going to actually kick this out to a third party. We have to have those on here, so we would have added new, which you're seeing here, and if I go into this one you'll see that we've got a workflow that's going to be submitted along with this; again, you can modify that if need be. Notice over in the right-hand pane, I've got this over here; this can be any information. Again, the right side is where you want to add additional information, just so it's quick, easy access. That workflow will be out there. We've not got anything stored on here because we haven't had this information come back yet, and you can see that I've got "submit to third party."

So if we did submit to the third party, what does that look like? Let's take a look. What I did here is I transitioned over to Chad. Chad is our third-party vendor, supplier or partner, and they would have gotten an email to set this up that says, hey, here's your temporary password, and you're going to be forced to change that. Then Chad can log in and see all of the activity that's going on between you and him. This is the assessments, issues and tasks; that's what we're managing out here for Chad. He can see that he's got assessments, he can see that he's got engagements coming down here, so there's that consulting one, HR software, lots of different things that are going on. Anybody that's done this before knows that these questionnaires can be quite lengthy, with lots of things going on with them, so we wanted a single pane so all of our suppliers could come in and see that information.

Let's take a look at one of those examples. You can see here Chad's going to see that he's got this assessment out here; he can see the status, questionnaires, document requests and other things of that nature, and this is what his view is. He also can come in here and assign this to other people on his team, so that's functionality that would be in his settings, where he could add additional people to help get these completed. You can see timelines, what's been answered, what has not been answered, what needs to be submitted. If I come in here and open up this monster SIG, then we're going to see the types of questions that are going to be coming that I have to complete. You also had seen right there that we can ask for SOC 1 or SOC 2 requests; any type of documents that you need to have can also be managed. Again, this is an example of a SIG Core, so you can see all of the different sections, green check marks, what needs to be done, what's not done, things of that nature, if you want to import this information, as well as notes and comments.

Collaboration is big here as well, in this portal, in the sense that most folks are doing this via email today, and that can be something that is hard to manage. If I add people to an email thread or remove people, that's where people get left out. With this collaboration piece in here, you can see Chad is asking back, hey, I'm going to get started working on this, but if I have any other questions I'm going to come back, and I can do this on any of the issues and tasks, so keep that in mind. Again, all an easy experience for these folks. They would submit this and be done with that, as well as any of those different types of SOC requests or other documents that you may be looking for.

Now, issues and tasks within ServiceNow: there are issues and tasks everywhere within ServiceNow. Issues, I look at as, hey, we've got a problem here and we need to get this resolved. Whether that is something that was auto-generated because we've done something, or maybe I need you to update your password parameters, whatever that is, you can run that through an issue workflow. You can also do tasks. Tasks are, hey, send me an updated SOC 2 report. So again, you can define what your issues and tasks are, but it's going to give them a clear description of what they're doing, who it's assigned to, and the ability to add any additional attachments. If I need to send that SOC 2 report, boom, I can do it right there, resolve the issue, and it's done. So these are the things that the third-party supplier can manage from a dedicated portal to get that work done.

Now let's jump back over and take a look at your view again. As we go through those particular pieces, let's jump in and see when they submit that back to you. For that we're going to go into the risk activity, and the risk activity essentially is going to show any open assessments that you may be having, any overdue things, total open issues, any open tasks. You can see assessments by state, issues by state, and tasks, so it's managing all of this work for you and giving you these out-of-the-box dashboards, as well as any assessments by risk ranking. All these are interactive dashboards, so you can jump in and see those high risks. Now let's take a look at that one that was received. This is actually the view for you when those assessments would be coming back to you; remember that report was "responses received." As you can see here, we are in the risk overview. You can see that life cycle, that it went to response received, and the assessment scorecard. This score is being generated by these components over here, so as you get through that, that will generate the score. Then we've got the components. If you remember, we opened up that SIG Core over here; you can see it's still in progress. All of these other components have been received, so we can start taking action on those, as well as those document requests and any type of questionnaires you want to have down there. You can also see those questionnaires here. These again are, from a ServiceNow perspective, related lists; you can have as many as you'd like here, in a sense, from data. ServiceNow has all of these tables, and what information do we need? We can bring those things in. In this example we've got all of our questionnaires and all of our document requests, so we have easy access, and we might need to add another one. As we start going through things, I might want to come in here and add another type of document request that I need, so I'm easily able to do that, and any of those issues that I've been managing, we sent this out, we saw that on the portal, so again that's the view that you would have, being able to see that, and any other task that would come in, or downstream suppliers, and controls if you were using Integrated Risk Management; that would be shown here as well.

Now from there let's take a look at the risk map. This is essentially showing us all of our risks on a geographical map. Again, if you want to start jumping into them you can, and it'll show you what those ratings are, so it's just something quick, easy access. If I need to get in here and start taking action I can; I can come back over here and pull them up, or those engagements that I might be working on, same thing. And then you always have your toolbox. I always say with ServiceNow this is your toolbox, your left navigation, and this really brings everything together; as you go through these components, this is how you build it out. So all of your third parties, whether that is you adding them independently or having them brought in automatically, you can see all of those third parties. I can see all of my due diligence requests if I need to do things, any open approvals, tasks or tiering assessments. All of this is the toolbox, everything that you need to make third party work for you. So with that I'm going to turn it over to Brian.

Brian: Sorry, you caught me off guard. Thank you again. Let me start sharing my screen. We're going to talk about 14028 and how that is going to be really crucial; it is part of what the government is working on right now. The executive order was issued originally in early May of 2021, so early in the Biden administration. It has kind of gone through a couple of iterations of OMB memos, the first in 2022 and the second one in 2023, to push out the requirements to departments and agencies. What I believe 14028 was trying to do, from a software security look across the organization, is to fit in with the rest of the requirements that the federal space has, and to normalize the software piece of that third-party management. In CDM, assets were looked at, but the software asset part really wasn't delved into as much as in 14028. FISMA is a requirement that requires us to do the ATO process, and then of course the overall reporting that agencies have to do for FISMA can be a trying part of an organization's day-to-day life.

Really what we're looking at is two things from a software provider (and we'll talk in a minute about what a software provider means). An attestation from a software provider is: I, as a software provider, attest, I'm promising to you, that I've done the security work to look across my software and my software security. A software bill of materials, an SBOM, is totally different: an SBOM is basically the recipe of that software package that's put together. Software is built upon containers of other pieces of software; they may use features from third-party software or white-labeled software. So when an agency or department is buying software, it's critical for them to know the source of that software so they can understand what it might affect, and so the visibility of how those things work together. ServiceNow offers a complete capability to go around this. We're not going to go through all of this, but really what I wanted to get to in this slide is that software is in every one of these steps. It is a requirement to monitor and manage that software as part of your risk management capabilities for any type of project or program that you're bringing on to the agency, so that you can understand the risks that are being imposed upon you by using that software, and third-party risk management, the capability that Kristen was just talking about, is a key part of that. So, the CM process across the top; the box that's in the white box is from the NIST documentation around SBOMs, and you can see how they're developing risk management.

For ServiceNow, what we proposed to solve for the attestations and the SBOMs are three of our capabilities: Integrated Risk Management, so risk management, policy and compliance, and the third-party risk management you just saw; Asset Management, which includes Software Asset Management, and the Software Asset Management then becomes the library for the software that is deployed across the organization; and Security Operations, because in our Vulnerability Response capability we've actually built an SBOM decoder, so we're able to pull SBOMs directly into the platform and evaluate those for vulnerabilities, but we can also bring those into different parts of the platform. When Kristen was talking about the third-party risk management, she was talking about all of the third parties in her libraries, and that's in the yellow box here, because as agencies you get software and services from a whole bunch of different places. A third party that's supplying you directly on one project may be a fourth or fifth party on another one, where they're providing services to another party to provide to you on a different project. What I've done on this slide is look at all of the different components of what is required in order to bring in that attestation and bring in that SBOM so that you can meet the 14028 requirements.

It all starts with policy and compliance, being able to establish the policies and controls. If you remember, we said those policies will be coming down from the department level, down to the agency, and down to the program, so establishing those policies and controls, whether it's an SOP at the program level or, up above, a policy statement. We use Software Asset Management as that repository for software inventory. We can differentiate, using that initial request that Kristen went through, by system, by criticality, what's important, and that really drives us toward determining the risk appetite for using that software. So as you're bringing that software on board you're really doing a risk appetite assessment; you're saying, how much risk am I going to accept with this software? From there we bring everyone into that software third-party library, so we can bring all of the providers, the builders, the users, the contractors into that third-party library so that you can see how they're interwoven in your organization. The assessments: Kristen went through an assessment; they're all template based, so we can ask for one of the attestations, we can ask for an attachment of the SBOM, so that we can get that out to the correct third party, so that we can have that automated communication. We can send that request out and bring that information back in with just the limited number of human touches required. From our Vulnerability Response, I mentioned we've got the ability to bring in those SBOMs and import that format so that we can then use it across the organization. So now we know which SBOM is in which area, what software is being used in which project; now we can finalize that risk assessment. And then the last step is to monitor for compliance: how are we going to maintain compliance against this complex capability of bringing these SBOMs in that are always changing, these attestations that might change occasionally, and bring it into a system where it's usable to your users and you're able to automate the communications back and forth to the third parties, the third and fourth parties. With that I'm going to ask if there are any questions and turn it back over to Teresa.

Teresa: I don't see any questions, but I know this was amazing. I promised this was going to be a fantastic webinar, and it absolutely is a fantastic webinar. Thank you all for joining us. Brian and Kristen, this was extremely informative; it was very timely, a lot of great information. You all can follow up with us on the Community; we do have a link to the Community here. You can check out our products on our risk site. You can watch this recording again or share it with your co-workers; it's out on the YouTube playlist within 24 to 48 hours, and in the chat I've not only put a link to the YouTube playlist but also to register for additional webinars, because we have a lot of them coming up, specifically around our new release that's going to be coming out next month. And if you are not on our community blog, you should be, because we do have one that lists all of our events throughout the year so you can plan ahead. With that, I really want to thank again Brian and Kristen; I really appreciate your time, your wisdom, your knowledge. And I want to thank all the people that joined us today, and I hope to see you all again at a future webinar.
https://www.youtube.com/watch?v=ANu3AnmtHY8