ServiceNow Governance, Risk, and Compliance

1 DATA SHEET. ServiceNow Identify risks in real-time governance , Risk, and Compliance Configure real-time business and IT service performance The business and IT challenge data, and identify vendor requirements to enable Managing risk and Compliance with a manual, siloed and reactive work model is no automated controls testing. longer effective as the global regulatory environment continuous to evolve, forcing Define thresholds as indicators changes across your organization. Changes driven by the need to: adopt new business for continuous monitoring of your models, establish new partner relationships, deploy new technologies, and address the extended enterprise increasing number of threats and cyber risks . Many enterprises have discovered that without an integrated view of risk it is virtually impossible to quickly assess the impact Increase performance on their existing Compliance obligations and risk posture of these changes.

2 The Now platform CMDB, Respond to business risks in real-time with ServiceNow process designer, service mapping, and consistent and ServiceNow governance , Risk, and Compliance (GRC) helps transform inefficient cross-functional workflow processes across your extended enterprise into an integrated risk program. Through automation simplifies GRC. continuous monitoring and automation ServiceNow delivers a real-time view of processes and eliminates errors Compliance and risk, improves decision making, and increases performance across your organization and with vendors. Only ServiceNow can connect the business, Optimize internal audit security, and IT with an integrated risk framework that transforms manual, siloed, and productivity inefficient processes into a unified program built on a single platform. Use of risk data and issues Risk management - Detect, and assess the likelihood as well as business impact of management enables effective an event based on data aggregated across your extended enterprise, and respond audit project scoping, planning, to critical changes in risk posture and reporting while optimizing Policy and Compliance management - Automate best practice lifecycles, unify internal audit and Compliance Compliance processes, and provide assurances around their effectiveness resources audit management - Scope and prioritize audit engagements using risk data and profile information to eliminate recurring audit findings, enhance audit assurance, Improve strategic planning and and optimize resources around internal audits decision making Fine-grained business impact Vendor risk management - Institute a standardized and transparent process to analysis, task management.

3 And manage the lifecycle for risks assessments, due diligence, and risk response with contextual alignment with the business partners and vendors CMDB on a single platform provides cross-functional visibility Risk Compliance to identify, prioritize, and appropriately respond to risks Automate third-party risk Formalized vendor risk assessment and tiering process, improved visibility, and transparency save time and reduce vendor risk. Extend your ServiceNow investment The single platform of engagement offers orchestration, easy integration, and data ingest and publication capabilities audit Vendor 1. DATA SHEET. GRC use cases data collection and mitigates the need to manually reconcile test results and modeling uses CMDB information to show upstream and downstream Compressing the time to identify, metrics. relationships across entities, so you can prioritize, and respond to changes visualize the business impact of a control Create a risk register and failure throughout the enterprise.

4 In your risk and Compliance posture automate risk assessments is imperative. To do so you need to ServiceNow GRC helps identify and Assess vendor risk continuously monitor data across your extended enterprise to speed manage risks in a single register. Self- ServiceNow GRC provides the ability to detection of emerging risks . Automating assessments can be scheduled to collect more easily manage and assess vendors, the appropriate remediation and risk information about existing and emerging saving time and reducing vendor risk. treatment actions across business and risks , and the accuracy of controls. Portfolio management capabilities IT processes breaks down the silos and GRC combines asset and process- allow you to consolidate vendors into ensures a rapid response. centric risk methodologies to determine a single vendor catalog. Through the The Now platform collaboration engine qualitative and quantitative risk assessment designer and built-in and issues management capabilities scores, which are informed by service questionnaires, you can more easily work across GRC applications and with performance data with the business monitor vendors and obtain better the Vendor Portal to create a shared impact derived from the configuration quality data, to more accurately track understanding and facilitate timely management database (CMDB).

5 This changes over time. decisions. allows you to accurately gauge your The first step in a vendor risk risk exposure in real time. There is a management program is to Define a governance framework consistent process for automatically appropriately tier your vendors. A. and test Compliance controls creating and responding to issues, formal tiering process, including ServiceNow GRC helps manage your reducing remediation time from weeks to tiering assessments and automatically governance framework, including only minutes. generated tiering scores help you policies, laws and regulations, and best categorize vendors into levels or tiers. Implement real-time monitoring practices in one system, and maps Expand the knowledge of the risk posed them to controls. Once defined, you can ServiceNow GRC identifies non- by your vendors through integration automate repetitive processes, even compliant controls, monitors high-risk with third-party security score provides, across functional groups.

6 Areas, and manages the Key Risk allowing you to adjust vendor tier scores. Indicator (KRI) and Key Performance Through ServiceNow GRC you can Indicator (KPI) library with automated Vendors risk is based on risk scores, which identify relevant business, risk and IT data validation and evidence gathering. are dynamically generated based on owners, and systems, and automate vendor questionnaires, updated in real the manual cross-functional processes To complement existing GRC time, and stored in the vendor catalog. for policy lifecycle management and capabilities, we provide out-of-the-box integration with Performance Analytics The vendor portal consolidates commu- Compliance testing to identify non- (PA) for GRC, which uses PA indicators nication and enables collaboration with compliant controls, respond to issues, or and thresholds as another means to your vendor and between your vendor effectively scope a GRC engagement.

7 Detect failing critical controls between and their response team replacing The unique capabilities of our platform assessments. email and phone calls. Scheduled eliminate errors and inefficiencies assessments and automated notifica- associated with emails, phone calls, Interactive real-time dashboards tions and escalations ensure you stay on and in-person meetings. provide overviews of your risk and top of activities. Additionally, using the built-in GRC Compliance posture and audit activities. Attestation Designer, you can create The role-based dashboards in the GRC Learn more at and execute tests and attestations Workbench allow you to view status that are specific to a policy statement. updates, priorities, and tasks associated This eliminates errors during evidence with GRC engagements. Dependency Copyright 2018 ServiceNow , Inc. All rights reserved. ServiceNow , the ServiceNow logo, and other ServiceNow marks are trademarks and /or registered trademarks of ServiceNow , Inc.

8 , in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated. SN-DS-GRC-072018. 2.