I’ve just returned from ServiceNow’s annual Sales Kick-Off event, or “SKO”. This annual conference serves as both internal sales training to the ServiceNow team and as a training and networking event for those of us involved in the “ServiceNow Ecosystem”. This year, a bunch of us from Stave traveled to Walt Disney World in Orlando, FL to attend the event.
While there, I kept thinking about activities surrounding Governance, Risk, and Compliance (GRC). In lay terms, these are controls and ways to automatically make sure that your processes work the way you want them to and to guarantee your data is as accurate as you need it to be.
ServiceNow includes a GRC-IT application, but I saw a few other real-life examples that I felt really help to tell the story of what GRC can do for any organization. Here’s what I observed and what I started to think about:
1. Golf Cart Navigation
The Stave team was lucky to be invited to the annual Cask Captain’s Choice Golf Tournament at the Waldorf-Astoria. Now, I’m not sure you can really call what I do inolving a set of clubs, “golf”, it was great to spend the day with our partners at Cask and ServiceNow.
This was an exceptionally nice course and I learned on the 3rd hole one of the automated controls they utilize to keep it that way.
Each cart is GPS enabled and it will actually prevent movement on fairways where the ground is wet and can be damaged by a cart’s wheels. If you do wander off the cart path on such a hole, the cart automatically gives you a visual and audio alert and your speed is throttled until you return to the designated area. These “GPS fences” are clearly dynamic and represent a terriffic example of automated governance controls.
Is there data in your ServiceNow cloud that you want to restrict access to? Are their tables — such as in the HR suite — that shouldn’t be available to everyone who has access to ServiceNow, including your admins? If you’re not auditing this, you’re going to have trouble. Luckily, there are several ways to address this such as contextual role-based security, access control lists (ACLs), and periodic GRC scans.
2. Home Dynamic Door Access
Opting not to stay at one of the Disney hotel properties, the Stave team rented a full house “off-campus” via AirBnB. Emma and Rene were great hosts and as they’ve been getting many visitors lately, they have implemented automated controls to govern their home access.
The front-door lock was activated via a Wifi-enabled keypad. We were provided a unique code that went live exactly at the time of check-in and deactivated at exactly the time of check-out. This automated scheduling ensured we could only access the house during the prescribed times, but still come and go as we pleased, and Emma didn’t need to leave her office to ensure our access was disabled.
She explained that the cleaning crew has their own unique code and all access attempts are logged so that she and Rene can audit everyone coming and going into their house.
Are you auditing who accesses — and attempts to access — your ServiceNow instance? Do you review user logs, or do you automatically scan multiple failed access attempts or access from users “out of band”? You can easily do this in the platform and it can pay dividends to protect your data. This is a an important process that spans both GRC and Security Operations (SecOps) that you absolutely need to conduct.
3. Reception Party Bartenders
The cloud rains alcohol at ServiceNow’s SKO, but I noticed some processes put in place to limit risk. First off, realize that for as much as we preach about self-service and enabling the end-user, this does not apply to drink distribution. The bartenders are the gatekeepers and have sole authority to fulfill drink orders to customers. This is a first-line control which effectively enables a required pre-approval / default-deny approval mechanism.
The bartenders are instructed to follow the process of only serving one drink per person and use a standard measuring device to control the ratio of alcohol in mixed drinks.
What are the critical processes you rely your ServiceNow users to follow? Are their controls in place to help guide them? Can user still side-step these controls and bring down the house? Controlling people is very, very difficult but there are certainly ways to train, game-ify, enforce, audit and correct these behaviors.
SKO is host to various user personas — ServiceNow salespeople, solution consultants, professional services, trainers, and 3rd-party partners like Stave. Obviously there is different access and information available to employees vs partners and this was easily distinguished via the color of the lanyard holding your name. Red employee lanyards could more-readily enter the private sessions, while black partner lanyards could quickly be identified. And since each name tag included an embedded RFID chip, scanning everyone’s badge could provide the authoratative control regarding if access were allowed or not.
How do you set role access in your ServiceNow instance? Are your groups properly aligned? How often is this reviewed? Is stopping access part of your off-boarding process or are their still ex-employees with access? Do you think your data is leaking? Fortunately, there are many mature ways to solidify security in any ServiceNow instance and that’s important as this absolutely requires your attention.
First off all, if your enterprise hasn’t deployed ServiceNow’s GRC-IT application, I’d recommend you make that your New Year’s resolution. As you start using more and more of the ServiceNow platform both in IT and outside in line-of-business functions, you want a strong foundation to keep your data secure and protected. I recommend you give a partner such as Cask a call to learn about all the great things they’re doing in both the GRC and Security Ops fields.
In addition to that, Stave can help you immediately with apps that run in ServiceNow to solve many key problems:
• Sensitive Data. No matter how many processes you have in place to prevent people from entering sensitive data into your instance, it still happens. Personally identifiable Information (PII) such as Social Security Numbers, credit card numbers, and certain IP addresses don’t belong in your instance.
Stave’s Data Tools Suite includes the Data Masker application which allows you to define monitored phrases and intercept them when a user tries to enter them into ServiceNow. These phrases can be exact, or be based on patterns. This sensitive data can then be fully or partially masked, stripped away, or placed in quarantine for a security person to review.
Data Masker is easy to configure and belongs in every single instance.
• Case Management. There might be personnel situations where someone is constantly introducing risk to your organization. Beyond simple HR management, Stave’s Case Manager application allows you to easily document comprehensive cases around any employee. Everything is stored securly right in your instance and available only to the appropriate users.
Case Manager can make a process generally done via paper and emails more-accurate and easier, and provides tremendous value to your compliance and risk management operations.
• Guided Tours.
Ensuring your users know the right way to use any ServiceNow application is critical and that’s why we created Guided Tours. This application displays in-line help and guidance on any form or portal to walk the user through how to use it. You can set the tours to run the first time a user uses the tool, every time, or on-demand. Guided Tours not only reduce your training time, they ensure compliance that your people are using your tools as intended.
Everyone is very fired up for a great 2017 in the ServiceNow community and we’re looking forward to everything that’s coming next. Let me know in the comments below about real-world GRC scenarios that you’ve witnessed and how such controls using ServiceNow and Stave applications can help your enterprise this year and beyond.