Relationship between GRC and Security Operations

qwe7799
Tera Contributor

Hi,

I'm trying to understand the relationship between GRC and Secops. What would be the benefits for companies to implement both as opposed to just one of these modules?

 

Thanks.

1 ACCEPTED SOLUTION

Shiva Thomas
Tera Guru

Hi!

Please be aware that out of the box, there are no specific integrations between GRC and any of the SecOps applications. Those applications are 100% independent.

Of course, you can customise your instance to link both solutions. The GRC solution can be configured for many scopes, at any level. Yet, keep in mind that SecOps is IT focussed, while GRC is at its best when focussing at the highest Corporate level.
Most cross-integrations between those two aspects would probably have to be IT focussed.

Possible examples of cross-integrations:

  • GRC Risk Management + Vulnerability Response Management: One IT Risk for "Loss of Availability" could be linked to automated Indicators monitoring the existence of critical Vulnerable Items among your sensitive servers. Should you have un-patched critical vulnerabilities present, the Calculated Risk Score would increase.
  • GRC Risk Management + Security Incident Management: One IT Risk for "Loss of Confidentiality" could be linked to automated Indicators monitoring the existence of Spear Phishing attempts received by your employees. If the number is higher than usual, the Calculated Risk Score would increase and could trigger remediation tasks like an emergency mandatory Security Awareness training.
  • GRC Policy & Compliance Management + Vulnerability Response Management: One Policy Statement mandating that "All critical servers must be kept secure" could be linked to automated Indicators monitoring the existence of Vulnerable Items among your datacenters. Should you have un-patched critical or major vulnerabilities present that are older than 2 weeks, the related Control would be automatically marked as non-compliant for the relevant datacenter. A GRC Issue would then be automatically created, to decide if a specific remediation is required. This would also allow for easier tracking for non-IT compliance officers and auditors.

Any SecOps incidents are very confidential by nature. Tracking those in GRC could let your Risk and Compliance managers be aware of sensitive events, without granting them access to specific confidential details.


"We have at least one un-patched critical server; the likelihood of our EU datacenter being hacked has increased. The new Annualized Loss Expectancy (ALE) is half a million dollars." is probably less sensitive and more useful for the CEO than "SRV-OUTLOOK04 is vulnerable to Heartbleed attacks" or than "SRV-OUTLOOK04 has been breached".
As you can see with this example, GRC is more focused on the corporate big picture, whereas SecOps is more focused on immediate IT remediations. The stakeholders, processes and goals are not the same.


Best regards from Switzerland
Shiva :¬,  

If this reply assisted you, please consider marking it 👍Helpful or Correct.
This enables other customers to learn from your thread.


3 REPLIES

Raj68
Kilo Guru

Hi,

Cybersecurity has become a top concern of businesses everywhere. In fact, 95 percent of CIOs surveyed last year said that they expect cybersecurity threats to increase and impact their organization. So it’s surprising how many businesses are still bogged down in broken, siloed security and compliance processes.

Manual workflows using spreadsheets and email are still widespread. Understaffed security teams are slow to gather risk data and plan a response. When companies do adopt new security software, it often isn’t integrated with other applications across the business. Each department might have its own programs and procedures, with no oversight across the entire enterprise. Meanwhile, industries and legislators are moving quickly to respond to the new environment, so new compliance regulations are popping up and old ones are changing all the time. These compliance mandates require a kind of cross-functional collaboration that most organizations just aren’t set up for.

Incredibly, detecting and responding to a threat can take months—if it’s caught at all. Few businesses have the capacity to monitor everything that’s happening across the organization, prioritize and respond to risk in real-time, and efficiently produce the reports that internal and external auditors need to see.

That’s where ServiceNow’s offerings for Governance, Risk management, and Compliance (GRC) and Security Operations (SecOps) come in.

ServiceNow GRC

The concept of GRC developed from a vision of a business that could quickly and cost-effectively combat risk and meet compliance requirements regardless of where in the organization the incidents and vulnerabilities occurred. But for most organizations, the messy GRC procedures in place have teams responding long after the fact—and facing huge compliance fines if faced with an audit. Today’s cyber threats are simply too prevalent and too sophisticated to rely on slow-moving, reactive programs.

ServiceNow GRC is a suite of applications built on the Now Platform. It’s a single, integrated program spanning your enterprise, meaning you can get away from fragmented processes and continuously monitor risk in real-time. This even includes assessing risk from your vendors as well as internal risks and points of non-compliance.

ServiceNow GRC is made up of four main applications:

Policy and Compliance Management. Your GRC program needs to be customized to your own business rules and compliance needs. Policy and Compliance Management provides a centralized process for managing your policies, standards, and internal control procedures and cross-mapping them to external regulations and best practices.

Risk Management. Risk Management is what you use to monitor, detect, assess, and respond to enterprise and IT risks that could greatly impact your business. The application uses data aggregated from across your organization and allows you to quickly adapt to security changes.

Audit Management. Automate workflows for internal audit teams. Use risk data and profile information to prioritize audit engagements, eliminate recurring audit findings, and optimize resources around internal audits.

Vendor Risk Management. The risk posture of your vendors is as critical as your own. Use Vendor Risk Management to monitor and assess your vendors from a central dashboard. You'll be able to reduce your risk through automated procedures and vital reporting.

ServiceNow SecOps

ServiceNow Security Operations is all about connecting your security strategy to your IT team.

The typical organization is already oversaturated with security tools, most of which send some kind of alert in case of an incident or risk. Without a platform to integrate these applications, it’s difficult to see all the alerts at once, much less identify and respond to the most critical issues. ServiceNow SecOps can pull data from these existing applications to automatically create prioritized security incidents. Better yet, it can automate a basic remediation response or make sure the issue is delivered to the correct person.

Because Security Operations is running on the same platform as IT, your IT team can collaborate on incidents and issues quickly using the systems they’re already using. While Security Operations fosters a deep connection between security and IT, access to sensitive security data is still protected using user roles.

Risk information is easy to see and manage with customizable, role-based dashboards and reports—just another way that Security Operations ties your disparate tools and processes together.

Available SecOps applications include:

Security Incident Response. Track security incidents as they progress from detection and analysis through containment, eradication, recovery, and closure.

Vulnerability Response. Use this application to track, prioritize, and resolve known vulnerabilities from the National Vulnerability Database (NVD) and other sources.

Configuration Compliance. Aggregate scan results from configuration scanning applications and prioritize configuration compliance issues with the Configuration Management Database (CMDB).

Threat Intelligence. Find indicators of compromise and enrich security incidents with threat intelligence data.

Trusted Security Circles. Generate and receive community-sourced observables to improve threat prioritization and shorten the time required to identify and remediate threats.

Security Operations common functionality. If any of the plugins for Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance are activated, it will activate the Security Support Common plugin. The plugin loads modules that provide functionality common across all Security Operations applications.

Security and Compliance Should Be Simpler

ServiceNow GRC and Security Operations both protect your business from increasing cybersecurity threats and compliance issues—and they do so while actually making the lives of your employees easier and minimizing costs. Ditching the manual security processes not only improves effectiveness, it frees up your team to do more strategic work.

NOTE: Mark correct or helpful if it helps you.

Warm Regards,

Raj patel

 

Hi,

Based on the impact of my answer, please mark the answer as correct or helpful.

NOTE: Mark correct or helpful if it helps you.

Warm Regards,

Raj patel
