This article is intended to provide information about the Global Risk Exchange integration with the ServiceNow Third-Party Risk Management module from an end user perspective.
If you need admin information on requirements or instructions for setting up the integration, check out the Setup Guide.
For information about supported ServiceNow versions, enhanced Integration functionality, and issues fixed, check out the Release Notes.
Integration Benefits
Easily Integrate between ServiceNow TPRM and ProcessUnity Global Risk Exchange
- Expedite business value with an integration between your existing ServiceNow TPRM ecosystem and the world's largest Third-party Risk Data Exchange
Sync Third Party Portfolio
- Decide which third parties in ServiceNow TPRM are synced with the Global Risk Exchange to gain access to Auto Cyber Inherent Risk
Prioritize Your Third Parties
- Enable business managers to answer the Impact Questionnaire in ServiceNow and get confirmed Cyber Inherent Risk to determine which vendors need to be assessed and at what level
Access to Industry Leading Assessment
- No need to configure an assessment in ServiceNow – leverage the GRX Cyber Controls questionnaire and validation
Manage Your Risk
- Use the assessment scores, answers, findings and GRX Risk Report to determine which third parties meet your security and risk standards
Integration Overview
There are three main components to the GRX integration with ServiceNow TPRM.
- Third Party Sync: Sync third party records between the two systems.
- Impact Tiering Assessment: Prioritize the third party using the integrated GRX Impact Questionnaire to understand the Inherent Risk and Automated Residual Risk.
- Cyber Controls Assessment: Request a GRX assessment, view status updates on the progress and then review the imported assessment results.
Keep reading for detailed information on each part of the integration. However, please note that this integration does not cover the full Exchange functionality. For example, the following is NOT included:
- ability to request documents
- ability to view or accept Shares from third parties
- ability to see Metric questions and answers, although the answers do inform the imported scores
- ability to see Predictive control scores
- ability to see Threat Intelligence or Perimeter Scanning scores from our data partners
This integration is designed to cover core functionality. Please submit an enhancement request if you are interested in additional functionality!
Global Risk Exchange View
To make the end user experience as seamless as possible, a "Global Risk Exchange" view has been created as part of the integration. When selected, the view controls what elements are shown in ServiceNow to focus the attention on the data and objects necessary for the integration.
To update the view, click on the three lines icon -> View -> Global Risk Exchange
If you are unable to change the view, talk to your ServiceNow admin about getting the "view_changer" role assigned to your ServiceNow account.
All screenshots below are taken with the "Global Risk Exchange" view enabled.
Third Party Sync
The first step in the process is to link the company record in ServiceNow to the corresponding company record in the Global Risk Exchange.
- Navigate to All -> Third-Party Risk Management -> Third Parties -> All Third Parties
- Select and open the third party record you want included in your GRX Third Party Portfolio
- If the third party record does not exist in ServiceNow, leverage the "New" button to create it
Sync with GRX
Select the "Sync with GRX" button at the top of the third party record to search existing companies in the Exchange and find the match. For best results, ensure both company name and website are populated. Review the search results, select the matching company and then "Sync with GRX Portfolio".
On "Sync with GRX Portfolio", the following occurs:
In the Exchange
- Company is added to your Third Party Portfolio in an Active status
In ServiceNow
- The "Sync with GRX" button is disabled and an "Unsync with GRX" button is enabled
- Data from the Exchange is saved to the third party record in the custom GRX Profile section
  - GRX Profile -> GRX Info
    - GRX Sync set to "true"
    - GRX ID
    - GRX Name
    - GRX Industry
    - Questionnaire Attest Date (if the company has an attested questionnaire on the Exchange)
    - Validation Attest Date (if the company has a validated questionnaire on the Exchange)
    - Assessment in Exchange (if applicable)
  - GRX Profile -> Risk Info
    - Inherent Risk Rating
    - Inherent Risk Score
    - Impact Status
    - Residual Risk: Automated
    - Residual Risk: Attested (if applicable)
  - GRX Profile -> Assessment Info
    - Questionnaire Requested (if applicable)
    - Validation Requested (if applicable)
If there are no matching results for the third party in the Search GRX list, request a new company be added to the Exchange. When the record is created it will be added to your Third Party Portfolio and the same fields will be populated on the custom GRX Profile tab.
Occasionally, our duplicate checking algorithm will not create a new company if we believe that company is already on the Exchange. You can work with your Customer Success Manager to get the correct company created in the Exchange and then use the "Search GRX" functionality to find and sync the new company.
Unsync with GRX
If you no longer want to include a third party in the GRX integration, click the "Unsync with GRX" button at the top of the third-party record.
On "Unsync with GRX", the following occurs:
In the Exchange
- Company status is updated from Active to Archived in your Third Party Portfolio
In ServiceNow
- The "Sync with GRX" button will be re-enabled
- Data is updated on the third party record in the custom GRX Profile section
  - GRX Profile -> GRX Info
    - GRX Sync set to "false"
    - Other fields are left as is for historical purposes, but will be overwritten if that third party is synced with another company record in GRX
The "Unsync with GRX" functionality is useful if the user accidentally selected the incorrect company in GRX and they want to break that link and then find the correct company instead.
Tags
Tags added to the third party record in ServiceNow are synced via a scheduled job to the corresponding company record in your GRX Third Party Portfolio. Tags are a versatile way to categorize your third parties for filtering, reporting or taking actions in bulk.
Impact Tiering Assessment
Now that the third party records are synced between ServiceNow and the Exchange, complete the Impact Questionnaire / Tiering Assessment to evaluate the third party's Inherent Risk.
Requesting a Tiering Assessment
A tiering questionnaire template named "GRX: Impact Questionnaire" has been included as part of the integration. These questions assess your level of interaction with the third party across eight assets. This tiering template is available for selection as a questionnaire when creating a Tiering Assessment on a third party record.
Other than the provided GRX template, the below flow is the out of the box ServiceNow Tiering process. See https://www.servicenow.com/docs/bundle/yokohama-governance-risk-compliance/page/product/grc-vendor-risk/concept/tprm-assessing-tpr.html for more information.
- Navigate to All -> Third-Party Risk Management -> Third Parties -> All Third Parties
- Select and open the third party record that needs prioritization
- Ensure GRX Sync = true
- Select the "Tiering assessments" tab and click "New"
- Enter a name for the record, such as "Third Party Name Tiering Assessment"
- Update the "Assigned to" field
- To answer the questions, tiering assessors should have the snc_internal role
- Update the "Tiering assessors"
- Clicking "Submit" saves the record as a Draft
- Select the "Tiering Questionnaires" tab and click "Edit"
- Add the GRX: Impact Questionnaire and "Save"
- Lastly, clicking "Submit assessment" will update the state to "Awaiting Response" and trigger the questionnaire to go to the "Assigned to" user to answer the questions
Completing the Tiering Assessment
The internal business owner for the third party (selected on the "Assigned to") will see the tiering assessment available to complete in the ServiceNow user portal, in the "My assessments and surveys" area. They can provide the level of interaction with the vendor across eight asset classes: Business Process, People, Digital Identities, Applications, Data, Devices, Networks, and Facilities.
On "Submit" of the Impact Questionnaire, the following occurs:
In the Exchange
- Impact Answers are saved to the third party
- Inherent and Residual Risk are recalculated with the provided Impact Answers
In ServiceNow
- The Tiering assessment state updates to "Tiering assignment"
Tiering Assessment Results
Upon completion of the tiering assessment, the user will be able to review the Inherent and Residual Risk associated with that vendor, recalculated based on the confirmed business relationship information.
The next time the scheduled Vendor Sync job runs, the following fields will have the recalculated risk values:
In ServiceNow
- Data is updated on the third party record in the custom GRX Profile section
  - GRX Profile -> Risk Info
    - Inherent Risk Rating
    - Inherent Risk Score
    - Impact Status is updated to "Confirmed"
    - Residual Risk: Automated
    - Residual Risk: Attested (if attested data is available)
- Third Party -> Tiering Assessment -> Tier level is populated
Cyber Controls Assessments
Based on the Inherent Risk results from the Tiering Assessment, along with criteria determined by your business process, decide if a Cyber Controls Assessment is needed.
Requesting an Assessment
Requesting a GRX assessment on a third party follows the ServiceNow flow. In the Assessment Draft state there are pre-configured options available in the Assessment template selection. These GRX assessment templates do not have hardcoded questions associated with them, which allows you to leverage the latest content releases from the Exchange whenever assessing a third party.
- Navigate to All -> Third-Party Risk Management -> Third Parties -> All Third Parties
- Select and open the third party record that needs an assessment
- Ensure GRX Sync = true
- Ensure at least one Third-party contact has been added
- Select the "Assessments" tab and click "New"
- Click the search icon on the "Assessment templates"
- Select the GRX template associated with the level of assessment required
- This will autopopulate a name for the assessment record
- Clicking "Submit" saves the record in the "Draft" state
- Lastly, clicking "Submit to Third Party" will update the state to "Submitted to Third Party" and trigger the assessment request
At least one third party contact is required before saving as a Draft or selecting "Submit to Third Party". When the Assessment is moved into the "Submitted to Third Party" state, the contact information and selected template information is sent to the Exchange, which in turn requests the assessment from the third party.
In the Exchange
- Requests are created for the third party based on the assessment template selected
- An email is triggered to the third party contact to take action on the assessment request
In ServiceNow
- Third-party risk assessment record fields are updated
  - GRX Assessment
    - Questionnaire Requested is set to the assessment template tier
    - Questionnaire Authorization is set to Requested
    - Questionnaire Status is set to Not Started or In Progress, depending on whether the third party has a completed questionnaire on the Exchange
    - Validation Requested is set to True or False based on the assessment template
    - Validation Authorization is set to Requested or Not Requested based on the assessment template
    - Validation Status is set to Not Started or In Progress, depending on whether the third party has completed validation on the Exchange
    - Assessment Status is set to Pending
Assessment Status
Assessments take time, especially if the third party does not have a completed questionnaire on the Exchange. To help keep track of the assessment request, a new section called "GRX Assessment" has been created to hold custom fields in the Third-party Risk Assessment area. A scheduled job checks on the assessment progress and updates the fields. The primary driver is the "Assessment Status" field.
- Empty: Assessment not yet requested
- Pending: Assessment requested and awaiting completion and/or authorization
- Available: Assessment is completed and has been authorized to be released
- Delivered: Assessment results have been imported into ServiceNow for review
Only when "Assessment Status" is Available will the Third-party risk assessment status update to "Responses Received".
Assessment Results
Once a Third-party risk assessment with a GRX template has moved to "Responses Received", a scheduled job will pull in the Assessment Results. Once complete, Assessment Status is updated and the Assessment State is updated.
In ServiceNow
- Third-party record fields are updated
  - GRX Profile -> Assessment Info
    - Latest Results Import Date is set to today
- Third-party risk assessment record fields are updated
  - GRX Assessment
    - Assessment Status is set to "DELIVERED"
    - Results Import Date is set to today
- Third-party risk assessment status is set to "Generating Observations"
Risk Domain Scores
The controls in the ProcessUnity Cyber Risk Questionnaire are organized into Risk Domains. As part of the Assessment Results import, the score and rating for each Risk Domain are saved as Questionnaires associated with the Third-party Risk Assessment.
In ServiceNow
- Questionnaire record fields are updated
  - Linked to the associated Assessment record
  - Third-party risk area is set to "Cybersecurity Risk"
  - Percent complete is set to 100%
  - Name is set to the GRX Risk Domain
  - GRX Coverage Score (custom field) is set to the GRX Risk Domain coverage score: how well the third party scored across that collection of questions
  - GRX Risk Rating (custom field) is set to the GRX Risk Domain risk rating: the rating associated with how well the third party scored across that collection of questions
If users want to see the GRX Risk Rating and GRX Coverage Score custom fields in the Questionnaire list table, they will need to use the gear icon to update the columns in the Questionnaire table.
When viewing a Questionnaire record, the user should be in the "Global Risk Exchange" view.
Spreadsheet Assessment Report
The GRX Assessment Report spreadsheet is uploaded to the Third-party Risk Assessment as an XLSX attachment. The report will only be imported for review if the "Import Report Spreadsheet" option is selected during the integration setup in the GRX Configurations. The framework view through which the report is generated is also determined during setup.
PDF Assessment Report
The GRX Assessment Report PDF is uploaded to the Third-party Risk Assessment as a PDF attachment. The report will only be imported for review if the "Import Report PDF" option is selected during the integration setup in the GRX Configurations. The framework view through which the report is generated is also determined during setup.
Assessment Issues
GRX identified findings based on the cyber control answers and scores will be uploaded to the third party record as Issues associated with the Third-party risk assessment record. Issue creation is driven by the "Import Issue Type" options selected during the integration setup in the GRX Configurations.
You can configure the import to create Issues for all High, Medium and Low findings, for High only, for High and Medium only, or to create no Issues at all. If you want to see all the answers to the questionnaire, "Minor: NA" will import questions with a "Not Applicable" response and "Minor: Yes" will import questions with a "Yes" response as minor issues. "Not Validated" will import questions with a "Yes" response that failed validation as a high issue.
In ServiceNow
- Issue records are created with the following information
  - Linked to the associated Third party record
  - Linked to the associated Assessment record
  - State is set to New
  - Classification is set to Vendor Risk
  - Correlation ID is set to the GRX Cyber Control ID
  - Name is set to the GRX Cyber Control Name
  - Priority is set based on the GRX Cyber Control "Finding Severity", or to High if the Control fails validation in the "Not Validated" case
  - Impact is set based on the GRX Cyber Control "Max Impact", which is driven by the answers to the "GRX: Impact Questionnaire" Tiering Assessment
  - Description is set to the GRX Control Prompt, Answer, Score, Comment, Mitigation, and Validation
  - The following custom fields are populated: GRX Question Prompt, GRX Answer, GRX Score, GRX Score Basis, GRX Validation Status
Issues can be reviewed and addressed with the built in ServiceNow workflow functionality. Risks can be accepted, assigned to the vendor to remediate or provide additional information, or assigned internally for mitigation efforts.
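To make the "Import Issue Type" behaviour above concrete, the following added example models which control results become Issues and with what priority under a given set of options. It is illustrative code written for this article, not the integration's own script: the configuration keys, finding field names, the "Minor" priority label and the sample control results are all constructed assumptions, chosen only to mirror the rules described in the Assessment Issues section.

```javascript
// Added example, not the GRX integration's own code. Models the Issue-creation
// rules from the "Import Issue Type" options: which findings become Issues and
// with what priority. Config keys, field names and sample data are assumptions.

// Mirrors the GRX Configurations choices (key names are assumed for this example).
const DEFAULT_CONFIG = {
  severities: ["High", "Medium"], // finding severities that are imported as Issues
  minorNA: false,                 // "Minor: NA" option
  minorYes: false,                // "Minor: Yes" option
  notValidated: true              // "Not Validated" option
};

// Decide the Issue priority for one control result, or null when no Issue is created.
function issuePriority(finding, config) {
  // "Not Validated": a "Yes" answer that failed validation is imported as a high issue.
  if (config.notValidated && finding.answer === "Yes" && finding.validationStatus === "Failed") {
    return "High";
  }
  // A scored finding is imported when its severity is among the selected severities.
  if (finding.findingSeverity && config.severities.includes(finding.findingSeverity)) {
    return finding.findingSeverity;
  }
  // "Minor: NA" and "Minor: Yes" import answers as minor issues for full visibility.
  if (config.minorNA && finding.answer === "Not Applicable") return "Minor";
  if (config.minorYes && finding.answer === "Yes") return "Minor";
  return null;
}

// Build the Issue records that the import would create for a list of control results.
function buildIssues(findings, config) {
  const issues = [];
  for (const f of findings) {
    const priority = issuePriority(f, config);
    if (priority === null) continue;
    issues.push({
      state: "New",
      classification: "Vendor Risk",
      correlationId: f.controlId,     // GRX Cyber Control ID
      name: f.controlName,            // GRX Cyber Control Name
      priority,                       // Finding Severity, or High for the Not Validated case
      impact: f.maxImpact,            // driven by the Impact Questionnaire answers
      description: `Prompt: ${f.prompt}\nAnswer: ${f.answer}\nScore: ${f.score}\n` +
                   `Comment: ${f.comment}\nMitigation: ${f.mitigation}\nValidation: ${f.validationStatus}`
    });
  }
  return issues;
}

// Constructed sample control results (not real GRX data).
const SAMPLE_FINDINGS = [
  { controlId: "CTRL-001", controlName: "MFA for remote access", prompt: "Is MFA enforced for remote access?",
    answer: "No", score: 0, findingSeverity: "High", validationStatus: "Not Requested", maxImpact: "High",
    comment: "", mitigation: "Enforce MFA on VPN and remote admin paths" },
  { controlId: "CTRL-002", controlName: "Encryption at rest", prompt: "Is customer data encrypted at rest?",
    answer: "Yes", score: 1, findingSeverity: null, validationStatus: "Failed", maxImpact: "High",
    comment: "Evidence did not cover backups", mitigation: "" },
  { controlId: "CTRL-003", controlName: "Vulnerability scanning", prompt: "Are systems scanned at least monthly?",
    answer: "Partial", score: 0.5, findingSeverity: "Medium", validationStatus: "Passed", maxImpact: "Medium",
    comment: "Quarterly only", mitigation: "Move to monthly scanning" },
  { controlId: "CTRL-004", controlName: "Physical badge access", prompt: "Is badge access required for data centers?",
    answer: "Not Applicable", score: null, findingSeverity: null, validationStatus: "Not Requested", maxImpact: "Low",
    comment: "Fully cloud hosted", mitigation: "" },
  { controlId: "CTRL-005", controlName: "Patching SLA", prompt: "Are critical patches applied within 30 days?",
    answer: "No", score: 0, findingSeverity: "Low", validationStatus: "Not Requested", maxImpact: "Low",
    comment: "", mitigation: "Define a patch SLA" },
  { controlId: "CTRL-006", controlName: "Security logging", prompt: "Are security logs centrally collected?",
    answer: "Yes", score: 1, findingSeverity: null, validationStatus: "Passed", maxImpact: "Medium",
    comment: "", mitigation: "" }
];

// Convenience: Issue count for a configuration over the sample findings.
function issueCount(config) {
  return buildIssues(SAMPLE_FINDINGS, config).length;
}

console.log(buildIssues(SAMPLE_FINDINGS, DEFAULT_CONFIG).map(i => `${i.correlationId} ${i.priority}`));
```

Under the default options (High and Medium severities plus "Not Validated") the sample produces three Issues: the failed MFA control, the "Yes" answer that failed validation, and the Medium scanning finding. Enabling every option imports all six results, and clearing every option imports none; this is the lever to pull if the Issue volume after an import is higher or lower than expected.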