The Integrated Risk Management (IRM) suite of applications manages releases through the ServiceNow Store rather than through platform family upgrades. This allows more frequent releases, typically on a quarterly basis, of both enhancements and bug fixes. With more frequent updates, it can be hard to determine what is and is not important, and whether you should upgrade all of your IRM applications every time. To simplify the decision-making, we've paired ServiceNow’s most noteworthy IRM release notes with in-depth insight ("What it Means for You"):
Stay tuned for more information on updates/fixes pertaining to the Security Operations suite of applications!
What it Means for You
ServiceNow has been emphasizing Workspaces in recent years, and the Tokyo release continues to build on functionality within the Compliance Workspace. Specifically, this release adds a new field, Functional Domain, to the settings tab on records in the Compliance Workspace. This new field allows records to be classified into different areas (IT Risk and Compliance is the focus in this release), which in turn gives distinct teams the ability to see items related to their domain within the workspace (e.g. IT teams can see tailored views of Controls, Issues, etc. within the IT Risk and Compliance domain).
What it Means for You
Continuing the trend of Policy Exception enhancements, the Tokyo release introduces OOB functionality enabling customers to leverage advanced risk assessment functionality to assess the riskiness of a Policy Exception. To enable this, a new Method field is added to Policy Exceptions, so users can choose which option to exercise.
What it Means for You
An under-the-radar feature introduced in San Diego was the new compliance Policy as Code Engine, or PaCE. This feature allows policies to be written as executable code, which can then be associated with various items in the GRC space, allowing for increased automation in the compliance space (specifically around code deployment).
The Tokyo release builds on this functionality by adding a new accelerator to this space, specifically geared towards DevOps compliance. This plugin loads some initial PaCE policies, which come linked to key control objectives across regulations and frameworks like CIS, NIST 800-53, ISO 27002, and PCI DSS.
What it Means for You
With the San Diego release, ServiceNow introduced functionality allowing for greater record separation and access control within the GRC modules. Now in Tokyo, ServiceNow has built on that functionality. In addition to the default confidentiality flag functionality on key records (e.g. Issues, Policy Exceptions, Evidence Requests), customers can now use confidentiality configuration records to add this functionality to any table in the GRC space.
What it Means for You
The latest versions of the IRM applications also bring a change to existing role inheritance and system Access Controls. GRC Business Users will no longer inherit the GRC Reader role, and thus will have slightly less read access in the space.
What it Means for You
After adding some enhancements to Policy Exceptions in San Diego (specifically the ability to have a single exception against multiple controls), the Tokyo release continues the trend. In this release, customers are able to increase the number of times a user can request an extension against a Policy Exception from once to a number of their choosing. For these extensions, the justification can be updated and the reason can be adjusted.
What it Means for You
A new Expired substate on the Policy Exception record will help users quickly identify which policy exceptions were approved but have now passed their validity date.
What it Means for You
Policy exceptions submitted from will now have the option of going through an initial approval, called verification approval, if an approval rule for this has been set. These types of approval rules can be easily configured through the application’s existing approval rule configuration table.
What it Means for You
Starting in Tokyo, users of Advanced Risk Management can set up more advanced approval workflows for their assessments, code-free. This allows multi-level, or staggered, approvals, where the next level is only triggered if the first wave of approval passes. This helps with escalation and with streamlining approvals from higher-level stakeholders.
What it Means for You
In addition to the approval changes above, another update to Advanced Risk Assessment is the ability to support grouped questions pertaining to controls and control data. Specifically, this adds better support for things like Control Design and Effectiveness testing as part of an Advanced Risk Assessment.
What it Means for You
Also new in Tokyo is the ability to simulate a Risk Assessment. Now, instead of needing to send out an assessment and wait for it to be returned to see how questions look, feel, and are scored, the platform supports simulating responses and workflow. This makes designing and tweaking advanced risk assessment workflow and scoring simpler and much more efficient.
What it Means for You
Continuing the trend of efficiency in the Tokyo release, new functionality has also been added to help associate similar risk events with one another. New AI functionality learns from reported Risk Events at a customer’s organization and can then assist in linking similar records together. This ensures similar events are managed in the same way, and helps in working out the mitigation of the inciting events.
What it Means for You
Starting in San Diego, the Risk Workspace contained a Risk Heatmap Workbench for more advanced heat map functionality. Tokyo builds on this functionality, specifically adding upstream/downstream risk visibility, trend data (how risks have moved on the heatmap), and more risk details when interacting with the heatmap. This is yet another element of valuable data extractable from the Risk Workspace.
What it Means for You
With the San Diego release, ServiceNow introduced functionality allowing for greater record separation and access control within the GRC modules. Now in Tokyo, ServiceNow has built on that functionality. In addition to the default confidentiality flag functionality on key records (e.g. Risk Events, Issues, Evidence Requests), customers can now use confidentiality configuration records to add this functionality to any table in the GRC space.
Specific to Risk, the records that have this confidentiality functionality enabled are:
- Risk Events
- Issues
- Remediation tasks
- Policy Exceptions
- Evidence Request tasks
What it Means for You
With the Tokyo release, ServiceNow has also introduced a new version of the Vendor Risk Management application (15.0.7). In addition to the new functionality around fourth-party risk, the latest version of VRM brings a new-look Vendor Portal. This portal aligns more closely with the new Employee Center and the new system UI. However, existing customers should keep in mind that updating to this version of Vendor Risk Management will alter the display of your vendor risk portal, and re-branding may be required.
What it Means for You
With the latest version of the Vendor Risk Management application, the option to have third-party vendor scores roll up has been introduced. This gives users more ability to leverage third-party scores, and to see how those scores factor into the overall compliance scores of vendors and their parent vendors.
What it Means for You
With the Tokyo release and the new version of the Vendor Risk Management application, ServiceNow has added enhancements to the Provider Based Submission rules in the platform. These submission rules kick off tasks, assessments, or issues based on scoring provided by a third-party integration. The enhancements specifically expand the actions you can take when a third-party integration informs you that a vendor’s score has changed.
What it Means for You
With the new Tokyo release, ServiceNow has introduced functionality allowing users of the Operational Resilience module to analyze how different scenarios would affect business services at the organization. Scenario Analysis is a new table, equipped with a workflow, fields, and related lists, which together let you define a scenario and determine its impact on the services of your choosing by selecting those services, the participants, and the scenario events.
What it Means for You
The Tokyo release of Operational Resilience also emphasizes the importance of tracking business services to maximize the value of this application. This new functionality relies on relationships in the CMDB to help define services and their relationships in the Operational Resilience application. This data is then used, in combination with entity data from other GRC/Security applications, to help define and drive resilience data, like the scenario analysis and reporting functionality described above.
What it Means for You
Tied to the above introduction of Business Service data to Operational Resilience, Tokyo brings the ability to use questionnaires/assessments to help determine Importance and Impact Tolerance for an asset. These questionnaire templates contain scoring to determine a rating, and include approval processes.
What it Means for You
Similar to the above Importance and Impact Tolerance assessment, Tokyo also introduces Business Service self-assessments to the Operational Resilience application. These assessments can be used to gather current-state details of a business service from the appropriate service owner. With this functionality, Service Owners can verify the status of their business services, determine if any service was breached, and self-attest to the current status through generation of a self-attestation report, which can be uploaded to the system.
Interested in more details? Concerned about the potential ramifications to your current environment? Curious about prior release notes? Feel prepared and confident before your next upgrade by talking to a certified ServiceNow expert.