“Establishing a successful ISMS (Information Security Management System) has Good Governance as a pre-requisite”
In today's enterprises, multiple teams, each with specific skills and unique perspectives, work jointly to provide assurance over all enterprise GRC initiatives. Following the conventional Three Lines of Defence model, there are three functional groups:
- The Business Units, who are responsible for maintaining effective internal controls and for executing control and risk procedures on a daily basis.
- Governing bodies, who oversee risks and controls to ensure that the first line of defence is operating adequately. This includes a compliance function, a risk management committee and a controller function.
- Internal and External Auditors, who provide comprehensive security assurance to senior management. This covers the effectiveness of internal controls, risk management and governance practices.
Many enterprises implement this model in legacy ways to address the underlying security challenges (Figure 1). Manual and reactive compliance practices persist among fragmented business functions that test controls independently of each other, leading to duplicated effort and inefficiency. Furthermore, traditional tools (emails, spreadsheets, meetings, documents) become hard to manage, remain document-centric and do not scale across the organisation.
How can PDCA and ServiceNow GRC work together?
Here’s a step-by-step approach to creating a pan-enterprise blueprint of control and risk within integrated Enterprise Service Management. The logical overview of Deming’s cycle (ISO 27001:2005), also known as the Plan-Do-Check-Act methodology, illustrates how it maps onto the following ServiceNow GRC applications and their underlying key activities:
- Policy and Compliance Management
- Risk Management
- Audit Management
- Vendor Risk Management
Figure 2: ServiceNow GRC and Deming’s PDCA Wheel
The flowchart above shows how the PDCA cycle integrates with the key applications. Let’s study the PDCA cycle in detail now.
Step 1: PLAN
- Find all external and internal compliance influencers for the organisation.
- Define enterprise policies, control objectives, the risk register and the vendor portfolio.
Step 2: DO
- Establish control implementation methods, attestations, assessments and periodic reviews.
- Assign all security and privacy controls to the right people, processes and technology functions.
- Perform the assigned control activities, assessments and procedures.
Step 3: CHECK
- Achieve situational awareness with the right metrics and reporting measures.
- Review the results of internal/external audits and indicators.
- Perform continuous monitoring with Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).
Step 4: ACT
- Assign required actions and milestones to the right business units and track them to completion.
- Conduct risk remediation tasks (accept/mitigate/remediate) and use the results to redefine the risk appetite.
- Find strategic influencers that may require amendments to existing policies, procedures and standards.
ServiceNow Governance, Risk and Compliance (GRC) connects the IT, business and security teams with an integrated risk framework built on a single platform. Through continuous monitoring and service automation, ServiceNow delivers a real-time view of compliance and risk within the organisation and across its vendors. Furthermore, workflow automation for remediation actions breaks down security silos, compresses the time needed to identify risks and ensures a rapid response.