What ITIL, ServiceNow, and Risk & Compliance Have in Common

What is the connection between Risk & Compliance and ITIL?

There is a direct overlap between ITIL and most Governance, Risk, and Compliance (GRC) requirements. For years, companies have been treating Service Delivery and Compliance as two different functions, two different work efforts, thereby expending twice the resources. At Intreis, we use Performance-Based Controls Design, which means the same internal controls you depend on to ensure SOX and HIPAA compliance, for example, can also enable higher levels of performance for your core operations and service delivery teams.

To demonstrate the inherent overlap between IT controls (COBIT) and Service Management best practice (ITIL), see on the table below.

How does ITIL fit in with ServiceNow?

Since 2009, ServiceNow, the pioneer of modern PaaS for IT service automation, has maintained PinkVERIFY status, for their support of 11 IT Infrastructure Library (ITIL) processes. This designation is only applied to IT Service Management (ITSM) tools, which are objectively assessed by Pink Elephant, and determined to have met the functional requirements for ITIL compatibility. According to the PinkVERIFY assessment, Service-now.com effectively supports ITIL activities and IT best practices for:

• Incident management
• Problem management
• Knowledge management
• Request fulfillment
• Change management
• Release and deployment ⦁ Service asset and configuration
• Service level management
• Service catalog management
• Service portfolio management
• Financial management

About ServiceNow

 enterprise IT service automation platform combines ITIL v3 process support, platform-as-a-service (PaaS) delivery, and Web 2.0 functionality, to provide a flexible, intuitive and self-managing application. Service-now.com was founded by Fred Luddy, former CTO of Peregrine Systems and Remedy. The company is based in Santa Clara, California and has enterprise customers worldwide.

 

If ITIL aligns with GRC, and ServiceNow aligns with ITIL, it follows that…ServiceNow is the perfect platform for GRC.

The core capabilities of ServiceNow, such as the ticketing process, workflow automation, rules engine, reporting facility, database, and web services, combine to create the perfect engine for Risk and Compliance activities. This engine is not only able to power your internal controls framework, but will also improve operational effectiveness. These are our favorite reasons why you should integrate GRC on your ServiceNow platform:

1. Most of the evidence required by your controls framework (SOX, HIPAA, PCI, etc.) already lives in ServiceNow, because the platform is your single system of record for incidents, problems, changes, etc.
2. Effective Enterprise Risk Management (ERM) requires real-time ITSM, GRC, and Business Data, also found in ServiceNow.
3. ServiceNow is a strategic platform, not just an IT Service Management application. A significant number of ServiceNow customers leverage custom apps to include lines of business and not just IT. HR Case Management, Facilities, and Enterprise Project Management are just a few examples.
4. Stand-alone GRC platforms are expensive, require additional overhead to operate and develop, AND you have to manually gather evidence for audits. By going with ServiceNow, you can leverage existing staff and ensure that your single system of record is the single system of truth.

Learn more in “4 Reasons Why You Can (and Should) Enable ITSM and GRC Objectives on ServiceNow”

 

Think Audit might resist combining Risk & Compliance and Service Management?

Never fear! ServiceNow bridges the gap between IT and Audit. Leveraging the same platform increases much needed collaboration between these two organizations, and with the Enterprise. Furthermore, your audit department can rest assured that ServiceNow has the inherent security features required to keep your data and processes secure. These are just four examples of such security features:

1. Audit tracker for every table on the platform. The audit flag notes changes made to the table, the time those changes took place, and who made those changes. All change are kept in the activity field setup for each table.
2. Ability to encrypt data, lock down fields to read-only, and provide users with access to only what they need to see and touch, based on your organization’s security requirements.
3. With GRC built into the ServiceNow platform, data extracts and manual manipulation of data will no longer be required. Auditors can rest assured the sample data is being pulled from directly within the platform.
4. Four unique security roles out of the box that allow your organization to decide specifically who has the ability to:

• Create and edit policies, risks, controls, and authoritative sources
• Edit control tests, remediation, and audit records
• Create and edit audit definitions
• Read audit records and records associated with an audit
• Create control test definitions
• Read condition collections, conditions, and control tests
• Manage entities, risk criteria, condition collections, and conditions

Read: 6 Success Factors for Better Internal Audits

As you can see, ITIL best practice, ServiceNow, and Risk & Compliance all play very nicely together. Specifically, ServiceNow’s GRC module makes it easier than ever to have a complete ITSM and GRC integration on a single powerful (and secure) platform.
For more on how integrating Risk & Compliance and Service Management on ServiceNow can simplify your life, check out our Case Study: Integrating ITGRC and ITSM!

 

Much of the content for this post was pulled from the final chapters of our ITIL for Newbies…(Like Me) eBook, which were written by Morgan Hunter.