Case Study: Design and implementation of an IT control framework using Servicenow® GRC
Consumer goods, Chemical industry
The listed company bases its information security on the internationally recognized ISO 27000 standard, from which the necessary controls were derived, but not uniformly across the entire organization. A comprehensive and continuous overview of the controls to be implemented and of the problems identified could therefore not be guaranteed. Subsequent audits revealed that controls had been implemented in different ways: some incompletely, some not at all, and some with or without documentation.
The objective is to regularly monitor compliance with the controls and to demonstrably eliminate identified deficits. The tool Servicenow® GRC was used for the implementation.
An agile and risk-oriented process model was developed to achieve visible project results at an early stage:
- Creation of the organizational and technical requirements.
- Prioritization of the policies and assets to be considered and derivation of required controls. This defines a first “wave” of implementation.
- Implementation of the controls contained in the policy for the prioritized assets.
- Roll-out of the controls in the GRC module of Servicenow® for the respective assets.
- Processing of further waves, which can also run in parallel.
- Risk-oriented: A structured concept for securing corporate goals through effective management of IT risks while at the same time fulfilling the prescribed controls.
- Ongoing process: Compliance with the requirements is checked regularly. Identified deficits are documented and demonstrably eliminated. Results and findings from activities are used sustainably for adjustments and improvements.
- Communication & Awareness: Implementation of awareness campaigns, creation of communication documents of all kinds, and the development and delivery of training for the entire organization.
Today, the IT control framework in place provides a sustainable process in which vulnerabilities are detected, documented and demonstrably eliminated through ongoing control activities. By focusing on identified risks across all areas of compliance, monitoring activities and risk management move closer together, producing synergy effects.