Inadequate or misaligned controls are seemingly inevitable, even in the most secure technology environments. A standardized process to analyze and resolve these security holes is imperative to maintaining a strong information security program.
Within ServiceNow, these control gaps are called “Issues” and can be tracked from identification through closure via a centralized workflow connected to each application in the Integrated Risk Management (IRM) suite.
The following framework outlines four steps that are essential components of an impactful issue management strategy to enable such a process in ServiceNow:
Identification
Whether an issue is discovered as part of an audit or self-reported, there must be a channel in place for the identifying party to document the details surrounding the missing/ineffective control. In some instances, automation can be leveraged to populate key information like the impacted system, responsible parties, and the issue type, category, and source. Predetermining the entry points and required data attributes for the issue management process in this manner will enforce consistency, improving effectiveness.
Analysis
After an issue is reported, the primary objective becomes determining the impact or significance this control gap poses to the organization. Knowing the severity of the issue will inform treatment options and timelines. In many organizations, the reviewer is a member of the information security team who is knowledgeable enough to accurately quantify the risk stemming from the issue and to document the considerations that should be accounted for when selecting a treatment path.
In advanced programs, the assignment of reviewers can be automated based on attributes such as category or system, or distributed in a round-robin format based on team member availability. Additionally, establishing expected review service level agreements (SLAs) will keep the process flowing in a timely manner.
Response
Once the severity of the issue and its details have been determined, a mitigation path must be selected for the resolution of the issue. Typically, there are two treatment options: risk acceptance and remediation.
It’s important to establish protocols to guide the selection of issue treatment activities, such as criteria for what types of issues can be accepted and at what risk levels. For example, there may be some categories of issues that must always be remediated, or provisions that risk acceptance is only available for issues with low or medium risk. Factors at play here may also include the cost and effort associated with remediation, and whether remediation is even possible for the issue in the first place. Additionally, there may be varying remediation timelines and levels of acceptance approval required based on the risk severity of the issue.
If remediation is chosen, an action plan must be put into effect to either fully resolve the compliance gap or reduce it to a level where it can be accepted. Depending on who is tasked with building out the remediation plan, it may be beneficial to have a review step in place to ensure alignment across stakeholder groups.
These criteria, decisions, and interactions can be configured within ServiceNow, helping to enforce the process and guide its execution.
Verification & Closure
Lastly, once an issue has been addressed, there needs to be a verification process to ensure the compliance gap has been resolved or is no longer present. For issues undergoing remediation, this would include a review of corrective actions to validate the issue has been successfully resolved. Accepted issues would reach the review and closure stage under different circumstances, such as the deactivation or removal of a system in the environment. The validation process is often carried out by information security personnel and may involve official approval/sign-off for closure.
Deploying this four-step issue management strategy within ServiceNow will ensure identified compliance gaps are tracked and managed through closure, ultimately strengthening security and improving confidence in your control environment.
Are you looking to implement or enhance your issue management program in ServiceNow? If you would like to discuss any of these concepts in more detail or talk about how you might incorporate some of these measures into your process, please reach out to info@lionwarellc.com.
Your success is our mission.