Cybersecurity and Compliance Consulting | SHAW Data Security

Blog


23 Mar, 2021
Here are 3 key areas to consider when looking at your current compliance posture.

1. Figure out where you are. Compare against standards like the NIST CSF or the CIS Top 20 self-assessment. Better yet, get help from a third party who does this all the time and can help you understand how you stack up against other companies.
2. Be objective about your maturity in the context of meeting the standards. If you currently have manual processes, how are you going to scale? Are you able to get other departments to participate? What are your priorities, and how will you make progress over time?
3. Evaluate the systems you have in place now in the context of scale and keeping up with standards. This is not the time to incur technical debt by purchasing something that is going to limit you from getting to your ultimate goal: taking the labor out of the process through automation. Look at platforms like ServiceNow that have the tools to modernize, optimize, and automate your processes all the way.

SHAW Data Security is a US-based ServiceNow Premier partner, specializing in Security Operations and Governance Risk and Compliance (GRC). SHAW provides experience and expertise in bringing functional, standards-based Information Security and IT compliance programs to companies to execute their missions.
10 Nov, 2020
An important first step in establishing a security program is recognizing the need for one. You want to get started and continue to progress in maturity over time. A good Information Security program governs the company’s security practices, information technology, application development, privacy, and compliance. So how do you establish a baseline information security program and address urgent security concerns? Consider the following:

Virtual CISO (vCISO). If your company doesn’t have the resources for a full-time CISO, a vCISO provides expert security guidance in as little as 5-10 hours per month. Having a regularly scheduled dialogue will help you put your program in context. The vCISO helps interpret Penetration Testing results and oversees information security program development, risk treatments, and remediations.

Penetration Testing provides a baseline to understand your application’s ability to defend against attacks threatening the confidentiality, integrity, and availability of information. The testing is done using a “do no harm” approach and is based on standard Web Application Testing methodologies.

Continuous Security Monitoring is a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and other cyber threats. Using a tool like NormShield, you’ll be able to see what outside entities see when they evaluate your security program.

We recommend these steps as a basic foundation for a security program. It doesn’t have to be a lot of labor; just get it going and keep moving forward. SHAW Data Security provides experience and expertise in bringing functional, standards-based Information Security and IT compliance programs to companies to preserve their ability to execute their missions.
05 Nov, 2020
Addressing regulatory requirements is not a technical problem, it’s a resource problem. You have to provide auditors proof that you are following the rules. Tracking people down to collect and approve the evidence is a huge amount of work, as well as a waste of your time and theirs.

With ServiceNow Governance Risk and Compliance (GRC), the collection of compliance evidence is done by assigning tasks to the appropriate departments and people. There is no need to chase down answers because automatic reminders are sent until a task is attested. You can see, review, and approve up-to-the-minute compliance status on a dashboard. Even better than that, ServiceNow can automate the whole process. How does that work? Many frameworks have control requirements for backups. Instead of asking your IT manager for screenshots to prove that a backup program is in place, ServiceNow monitors for backup process initiation and collects that information for you. If the backup program is not running, it can alert you that the control is not compliant. Your IT manager will be happy that they don’t have to answer a multitude of emails, and the auditor will be happy with non-repudiable evidence.

Using ServiceNow, SHAW Data Security helps companies transform inefficient manual processes into labor-saving and scalable integrated risk programs. SHAW Data Security is a US-based ServiceNow Premier partner, one of only 10 partners in the world with the Governance Risk and Compliance (GRC) Product Line Achievement. We help customers modernize, optimize, and automate digital workflows.
20 Oct, 2020
Are you curious where you stand against a standard like CIS 20 or NIST CSF? Maybe you are not feeling the pressure of audits or regulations right now, but you want to know where you stack up for things like data recovery, identity and access management, or incident response. You might have already started accumulating information from different departments and key players to see where you are. Does a spreadsheet seem like the easiest way to start? Sure. Will it help you in the long run? Definitely not.

Starting out with spreadsheets is going to lead to an enormous duplication of effort. What happens when you add more employees in different locations? What about acquiring another company that is subject to different jurisdictions? As your systems grow, it’s going to require more and more resources to keep track of information, to the point that keeping track becomes your full-time job. Begin as you mean to go on and set yourself up for success with ServiceNow. It is the quickest way to get organized, roll out compliance, and be ready to scale for whatever complexities are coming your way.

SHAW Data Security has worked with companies to get started with information security programs. We will help you figure out the best processes that fit your company with the least amount of pain and then custom-fit the implementation to your resources and regulatory requirements. SHAW Data Security is a US-based ServiceNow Premier partner, one of only 10 partners in the world with the Governance Risk and Compliance (GRC) Product Line Achievement. We help customers modernize, optimize, and automate digital workflows.
By Peg Bailey 02 Oct, 2020
Losing a multi-million dollar opportunity is painful, but it will help your company’s stakeholders understand the necessity of compliance. Now that you know that you are subject to regulation, how are you going to start? If you are a mid-sized company, you may not have the resources for a fully-staffed compliance department - but you still have to meet several hundred requirements.

Before you buy a Governance Risk and Compliance (GRC) solution, it’s important to put your processes in place. Which framework will you choose? NIST CSF? SOC 2? Then which controls are you going to start with? Password policy, encryption, or something else? Will it be practical to take productive time away from your subject matter experts to answer hundreds of questions over and over again? It’s important to get the right kind of help with GRC implementation - someone who knows how to engineer processes and workflows and then automate them. Plenty of consultants would be happy to sell you a GRC solution, but they would be missing a huge step - putting your processes in place first.

SHAW Data Security has worked with companies who are at square one in implementing GRC. We will help you figure out the best processes that fit your company with the least amount of pain and then custom-fit the GRC implementation to your resources and regulatory requirements. SHAW Data Security is a US-based ServiceNow Premier partner, one of only 10 partners in the world with the GRC Product Line Achievement. We help customers modernize, optimize, and automate digital workflows.
By Peg Bailey 25 Sep, 2020
There are many consultants who would be happy to sell you GRC but are inexperienced in implementing it. They will charge you more to factor in the unknown and “figure it out” as they go. A partner who is qualified with a ServiceNow GRC Product Line Achievement will guarantee competency, efficiency, and experience. Don’t hire someone who “dabbles”; work with someone who does this for a living. At SHAW Data Security, GRC and SecOps implementations are our specialty, and we know the best ways to integrate ITSM, CMDB, and ITOM into the process as well. We advise and guide our customers through an efficient GRC implementation, customizing it to their specific needs in the most efficient way. SHAW Data Security is a Boston-based ServiceNow Premier partner, one of only 10 partners in the world with the GRC Product Line Achievement. We help customers modernize, optimize, and automate digital workflows.
By Peg Bailey 22 Sep, 2020
In the previous blog, we wrote about the benefits of professional help. Rather than spending time and money to learn how to work a one-time software implementation, we recommend you estimate the amount of time it is going to take you, your staff, and other departmental users to complete the project. Measure it in hours of analyzing, figuring out the one-time installation, identifying and planning with known best practices, and implementing the nuances of a software package that is new to you. It’s likely that an experienced team can save you 30-50% of that time while doing it correctly. We suggest that the value of the saved time can be used to calculate how much you should consider spending to do it right the first time.

If you get an exorbitant quote for services from a qualified ServiceNow partner, ask them if it is possible to have smaller or partial engagements. Also, check that the partner is qualified or even has a GRC Product Line Achievement, since inexperienced partners or consultants often charge more to factor in the unknown. Implementing is not operating, but implementation skills are very expensive to acquire and make no sense for someone who plans to implement only once. You can operate the system just as efficiently whether a qualified, experienced partner helps you or you implement it yourself.

Shaw Data Security is a Premier ServiceNow partner, one of only 10 partners in the world that has the GRC Product Line Achievement. We help companies transform inefficient manual processes into labor-saving and scalable integrated risk programs. Learn more here about why having an expert in your corner makes all the difference.
By Peg Bailey 15 Sep, 2020
I have seen multiple posts on the ServiceNow GRC community website by employees of companies who want to automate their GRC workflows with ServiceNow and are asking for “how-to” documents. Does this sound daunting? Yes, and it should. It’s not an easy process. To “do-it-yourself,” these companies do the following time- and labor-intensive steps:

1. Analyze and define their own objectives, priorities, and goals to drive a successful end-state with ServiceNow.
2. Take the time to learn the ServiceNow GRC platform themselves through reading documentation and community boards, completing multiple training courses, and experimenting with the software themselves.
3. Create a plan for meeting their needs both now and in the future with the single-use knowledge gained.
4. Implement their plan successfully the first time and roll it out to production or, if the plan was not successfully implemented, spend more time and resources on fixing the issue.

Our customers have realized that having an experienced partner assisting with these steps is far more efficient and less risky than attempting to figure out and implement the workflows by themselves. In fact, reading the manual is a waste of your time. Click here to learn why. Don’t try to figure out how to hit a golf ball by watching YouTube videos - let us give you a professional golf lesson. Shaw Data Security is a Premier ServiceNow partner that helps companies transform inefficient manual processes into labor-saving and scalable integrated risk programs.
By Peg Bailey 25 Aug, 2020
As an analyst, I help customers prepare for regulatory audits. One company was preparing for a SOC 2 audit and I had weekly calls with various department heads to chase down proof that controls were in place. The project manager had to take time away from product development to produce a list of users with privileged access to the production environment and to prove that access was restricted to authorized users only. A waste of his time and talent? Definitely. Does it have to be that way? Absolutely not.

How would I fix it? I would set the evidence to be gathered automatically with ServiceNow IRM/GRC from the systems that are already available to test. For example, most ServiceNow customers have Active Directory already integrated, so the evidence of user access is already available. Using a feature called “Automated Indicators” takes the labor out of the process. Not only does it provide evidence for a periodic audit, it also gives managers immediate notice of potential problems in real time. That’s a time saver for compliance personnel and management. And it is not difficult to set this up if you know what you’re doing, or if you implement a package like Clear Skye.

SHAW’s partner Clear Skye is built natively on ServiceNow and simplifies Identity Governance and Administration (IGA) by automatically executing identity and application access policies. Evidence is collected with Indicators, so there is no need to update and review files manually to verify that a user was disabled if they left the project or company. When access is removed, a report is generated and emailed directly to the manager. If the project manager prepping for SOC 2 had ServiceNow and Clear Skye in place, there would have been no need for weekly meetings or keeping spreadsheets on SharePoint. User access information is displayed on dashboards, providing up-to-the-minute compliance. Take the labor out of your security and compliance efforts and let your people focus on doing what they do best.
Shaw Data Security is a Premier ServiceNow partner that helps companies transform inefficient manual processes into labor-saving and scalable integrated risk programs. Using ServiceNow and Clear Skye IGA, we will modernize your IAM, automate it, and give you peace of mind with real-time auditing.
06 Aug, 2020
SHAW Data Security has advanced its relationship with ServiceNow to the level of Premier Partner, which authorizes access to greater benefits and resources to better serve our customers’ business and mission needs. The ServiceNow partnership has enabled SHAW to provide customers with cloud-based advanced automation and process workflow capabilities in a single platform. Service relationships are optimized not only within IT, but also across the enterprise.

“We have quickly earned the reputation of being problem solvers, redefining poor implementations, helping our clients build strong, realistic, long-term strategies to adopt the ServiceNow platform. We are excited about the new Premier Partnership Level which brings our certified and experienced team new opportunities to serve customers,” said Brian Bailey, co-founder of SHAW.

SHAW Data Security is a Boston-based ServiceNow Premier partner specializing in automating Cyber Governance, Risk Management, and Compliance (GRC) and Security Operations (SecOps) programs with ServiceNow workflows.