© 2017 ServiceNow All Rights Reserved
Managing Privacy Risk & Compliance in Financial Services
Brett Hamilton
Advisory Solutions Consultant
ServiceNow
2© 2017 ServiceNow All Rights Reserved
Speaker Introduction
Brett has been a Solutions Consultant with ServiceNow for the last 2.5 years, most recently focusing on the Financial Services sector; before that he worked in the IT industry for various vendors, focusing on automation and governance systems.
Name: Brett Hamilton
Title: Advisory Solutions Consultant
Function: Financial Services Industry
Company: ServiceNow
3© 2017 ServiceNow All Rights Reserved
Regulations Driving IT Spend
Chart: The regulations that matter the most. Survey question: "What regulations are driving the funding of your organisation's IT security?" Horizontal bar chart, one bar per regulation, with values (largest to smallest) 51%, 50%, 47%, 26%, 17%, 6%, 3%, 2%, 2%, 2%, 2%, 1%, 1%. Regulations shown:
• EU General Data Protection Regulation
• Internal laws by country
• PCI DSS
• Sarbanes-Oxley
• US state laws for data breach
• GLBA
• HIPAA (including HITECH)
• NERC CIP
• FISMA
• FACTA
• FCRA
• Federal Privacy Act
• CAN-SPAM
Australian Mandatory Breach Notification
What Does This Mean?
Organisations and agencies will be required to notify when a breach has occurred.
Who Does This Affect?
Mid-sized to large organisations, in addition to government agencies.
When Does This Happen?
It is expected to take full effect by 1 March 2018.
Why Is This Relevant To You?
A breach can damage brand or agency reputation, which can lead to financial loss or loss of government trust.
GDPR By The Numbers
• 2018: the regulation will be enforced from 25 May 2018
• 4%: potential fines as a percentage of worldwide annual turnover (the upper tier is the greater of €20 million or 4% of turnover)
• 7: core individual rights afforded under the GDPR
• 72: hours given to report a data breach to the supervisory authority
• 250m: cost of a 4% fine for a typical FTSE 100 company
• 28,000: organisations potentially in scope
• 190+: countries potentially in scope of the regulation
• 80+: new requirements in the GDPR
GDPR—What Is It?
• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is an EU Regulation that strengthens and unifies data protection for individuals in the European Union (EU), regardless of where the organisation processing their data is based. Note that it protects data subjects in the EU, not only EU citizens.
• Major goals of the GDPR are:
– Protect the personal data of individuals in the EU
– Establish rules for the free movement of personal data within the EU
– Extend obligations to organisations worldwide that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3)
• The regulation is published in all official EU languages; the requirements catalog referenced here comprises 99 articles and 1,021 citations (source: EU GDPR Official Website)
Challenge: Current State of GRC for Many
• Unknown or High Costs
• Risks and Vulnerabilities
• Complexity in silos
• Losses Due to Non-compliance (investigations, fines, etc.)
• Lack of Confidence in People, Process and Technology
GDPR Amps Up the Challenges
"Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
• Must have a lawful basis to process personal data; consent is one such basis but not the only one (Article 6), and where consent is relied on it must be freely given, specific, informed and unambiguous
• Must protect the individual's privacy
• Must be able to provide the data to the individual, or transmit it to another organisation, in a machine-readable format when requested (right to data portability, Article 20)
• Must be able to delete the personal data from all locations when the individual requests it and no lawful ground for retention remains (right to erasure, Article 17)
GDPR Amps Up the Challenges
• Data Protection Impact Assessments (Article 35) have to be conducted when a type of processing is likely to result in a high risk to the rights and freedoms of data subjects.
• Risk assessment and mitigation are required; where the DPIA shows that the residual risk remains high, the controller must consult the supervisory authority before processing begins (Article 36).
• A Data Protection Officer must be appointed by public authorities and by organisations whose core activities involve large-scale, regular and systematic monitoring of data subjects or large-scale processing of special categories of data (Article 37). The fixed headcount threshold found in earlier drafts (for example 5,000 data subjects) is not in the final text.
Specific GDPR Challenges
• Expanded definition of personal data, and a lawful basis (such as specific consent) required before use
• Transport or delete data when requested
• Breach notification within 72 hours (72hr)
• Data Protection Impact Assessments (DPIA) required regularly
ServiceNow Solution: Get to the Future State of GRC Now
• Avoid the substantial fines associated with GDPR (up to the greater of €20 million or 4% of worldwide annual turnover)
• Reduce the Pain of Compliance and Audit
• Realistic Implementation Timeframes
• Measure Success
• Guidance is Available to Determine the Path Forward
• Return to Core Business
• Utilize a Common Integrated Platform
Customer Benefits from ServiceNow GRC
• Now there is much more traceability, and audit teams can instantly pull reports from one system.
• Compliance management is improved with automation and real-time visibility of key controls.
• Compliance is streamlined, and the team reclaimed over 75 hours a week by eliminating manual effort.
• The entire compliance exception lifecycle is automated and traceable, so the team can provide comprehensive, reliable evidence to regulators for all exceptions.
ServiceNow GRC and GDPR
Supporting Your Compliance Journey With Our Scalable Solution
Framework for GRC & Security Operations
Diagram: a System of Internal Controls at the centre, fed by Compliance Management (Policy, Regulations, Third Party), Risk Management, Governance, Oversight & Policy Management, and Audit Management, Observations & Remediation. Inputs: External Legislation and Regulations; Internal Goals and Objectives; Inherent Exposure, Vulnerability & Threats. Security Operations sits alongside and comprises Security Incident Response, Vulnerability Response and Threat Intelligence.
• ServiceNow can map identified GDPR requirements directly into the application, with the underlying citation and controls needed for compliance checks and continuous monitoring.
• All GDPR requirements, with description and guidance, can be imported into ServiceNow through the available Unified Compliance Framework (UCF) integration.
• A licence to import the GDPR content from the Common Controls Hub is required.
Diagram labels: System of Internal Controls; GDPR Authority Document & Citations
Step 1: Align Organisational Policies with GDPR
• Data Protection Policy
• Security Policy
• Code of Conduct
• ServiceNow Capabilities:
– ServiceNow offers full Policy Life Cycle Management. Drafting a policy against requirements, then taking it through the Review, Approval, Publishing and Retirement stages, is available out-of-the-box.
– A policy can list the GDPR requirements it addresses, so that policy and regulation stay aligned.
– Knowledge Base articles can be created automatically when the relevant policy is published.
Diagram labels: Policy; Knowledge Base
Step 2: Schedule Data Protection Impact Assessments
ServiceNow Capabilities:
• Data Protection Assessments can be aligned with the Data Protection Policy and its underlying requirements in ServiceNow.
• All assessment requirements can be built with the Assessment Designer, or existing Data Protection Assessments can be extended.
• The assessments can be scheduled to run at regular intervals.
Diagram label: Attestations
Step 3: Gain Visibility into Compliance Status
ServiceNow Capabilities:
• Role-based access gives stakeholders the information they need to make decisions, with specific dashboards for contributors, approvers, audit and control testing.
• Compliance status can be shown on a dashboard so that compliance levels are easy to see and any needed remediation actions can be taken.
• Assessment outcomes are also reflected in the Compliance Dashboard.
• Control status is updated automatically.
• For any non-compliant outcome, an issue is created automatically and assigned to the responsible party to act on the requirement gap.
Diagram labels: Control Compliance; Compliance Dashboard; Issues & Remediation
Step 4: Define Risk Framework
ServiceNow Capabilities:
• ServiceNow provides a full Risk Management lifecycle process, including robust scoring, risk indicators, financial-impact-based reporting, statistical reporting, etc.
• Regular risk assessments can be implemented and assigned automatically.
• Risk identification and compliance statistics can be made transparent.
• Breach notifications, with their associated risks, can be sent automatically or manually to the designated Supervisory Authority.
• PII can be tracked at the information-asset layer, so that processing activities are modelled against the data they touch.
• Pseudonymisation and encryption support GDPR compliance: Article 32 names both as examples of appropriate security measures, and Article 4(5) defines pseudonymisation as processing such that the data can no longer be attributed to a data subject without additional information that is kept separately and protected. Pseudonymised data is still personal data; only properly anonymised data falls outside the regulation (Recital 26).
Diagram labels: Risk Management; GDPR Risk Assessment; Risk Dashboard
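To make concrete what the "pseudonymisation" mentioned on this slide actually requires, here is an added example in Python; it is not ServiceNow code and does not appear in the original deck. It tokenises direct identifiers with a keyed HMAC so that records stay linkable for analytics, and keeps the key and the re-identification table apart from the data, which is the "additional information kept separately" that Article 4(5) demands. The field names (customer_id, email, phone) and the sample records are constructed for the example.

```python
# Added illustration of keyed pseudonymisation for a GDPR record set.
# Not ServiceNow code; field names and sample records are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Fields treated as direct identifiers (an assumption for this example).
DIRECT_IDENTIFIERS = ("customer_id", "email", "phone")


def make_key() -> bytes:
    """Generate the pseudonymisation key.

    This key is the Article 4(5) 'additional information': it must be stored
    and access-controlled separately from the pseudonymised records (e.g. in
    an HSM or KMS), otherwise the dataset is trivially re-identifiable.
    """
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Return a deterministic, keyed token for one identifier value.

    HMAC-SHA256 rather than a bare SHA-256: identifiers such as e-mail
    addresses or phone numbers come from a small, guessable space, so an
    unkeyed hash could be reversed by recomputing it over candidate values.
    Normalising case and whitespace first keeps the token stable for the same
    person across records, which preserves linkability for analytics.
    """
    normalised = value.strip().lower().encode("utf-8")
    mac = hmac.new(key, normalised, hashlib.sha256)
    return "psn_" + mac.hexdigest()[:32]


def pseudonymise(record: Dict[str, object], key: bytes,
                 lookup: Dict[str, str]) -> Dict[str, object]:
    """Replace direct identifiers in a copy of `record` with keyed tokens.

    `lookup` is the re-identification table (token -> original value). It is
    filled here but must be persisted separately from the returned records;
    the DPO or authorised staff use it to answer data-subject requests.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        raw = out.get(field)
        if raw is None:
            continue  # missing identifiers stay missing
        token = pseudonym(str(raw), key)
        lookup.setdefault(token, str(raw))  # first-seen spelling is kept
        out[field] = token
    return out


def reidentify(record: Dict[str, object],
               lookup: Dict[str, str]) -> Dict[str, object]:
    """Reverse pseudonymisation using the separately held lookup table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        token = out.get(field)
        if isinstance(token, str) and token in lookup:
            out[field] = lookup[token]
    return out


# Constructed sample records (not real customer data).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C-1001", "email": "Alice@Example.com",
     "phone": "+61 400 000 001", "balance": 2500.00, "segment": "retail"},
    {"customer_id": "C-1002", "email": "bob@example.com",
     "phone": None, "balance": 120.50, "segment": "retail"},
    {"customer_id": "C-1001", "email": "alice@example.com",
     "phone": "+61 400 000 001", "balance": 2600.00, "segment": "retail"},
]


def pseudonymise_all(records: Iterable[Dict[str, object]],
                     key: Optional[bytes] = None
                     ) -> Tuple[bytes, Dict[str, str], List[Dict[str, object]]]:
    """Pseudonymise a batch; returns (key, lookup table, pseudonymised records)."""
    key = key or make_key()
    lookup: Dict[str, str] = {}
    return key, lookup, [pseudonymise(r, key, lookup) for r in records]


if __name__ == "__main__":
    key, lookup, pseudo = pseudonymise_all(SAMPLE_RECORDS)
    for row in pseudo:
        print(row)
    # Records 0 and 2 belong to the same customer and share tokens, so
    # per-customer analytics still work without the lookup table.
    print("linkable:", pseudo[0]["customer_id"] == pseudo[2]["customer_id"])
    print("re-identified:", reidentify(pseudo[0], lookup)["email"])
```

Two points worth checking in any real implementation: an unkeyed hash of an e-mail address or phone number is not pseudonymisation in any meaningful sense, because the input space is small enough to enumerate; and the output is still personal data under the GDPR, so access to both the key and the lookup table has to be logged and restricted as tightly as access to the original identifiers.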
Step 5: Measure Risk on Critical Systems
ServiceNow Capabilities:
• Confidentiality, integrity and availability (CIA) assurance of systems and applications, expressed as CIA risks for GDPR:
– Confidentiality: unauthorised disclosure of business records stored or processed by the business service results in reputation damage, legal penalties and/or fines.
– Integrity: failure to maintain the consistency, accuracy and trustworthiness of data stored or processed by the business service results in reputation damage, legal penalties and/or fines.
– Availability: failure to maintain timely and reliable access to and use of information processed by the business service results in a loss of revenue, productivity and/or customer confidence.
Step 6: Manage Audit Engagements
ServiceNow Capabilities:
• GDPR dashboards monitor the global level of compliance with GDPR, as well as by specific entities, systems, units, etc.
• Design and run regular GDPR audits targeting the enterprise and its PII-sensitive systems.
• Generate remediation plans and track data protection corrective actions to conclusion.
• The same visibility, ease of management and overall process is available for other regulations.
Diagram labels: Audit Workbench; Issues & Remediation
Step 7: Identify PII Assets
ServiceNow Capabilities:
• Manage information assets and associate them with other CIs.
• Profile information assets to generate their associated risks and controls.
• Manage risks, continuous control monitoring and data protection impact assessments on information assets, as well as on business services or IT CIs.
Diagram labels: PII & PCI Information; Relating Risks, Controls & Audit Engagements to Information
Step 8: Design PII Breach Processes
ServiceNow Capabilities:
• Leverage the ServiceNow CMDB to manage information assets and associate them with other CIs.
• Connect PII security incidents to information assets to understand the risks and controls that apply to them.
• Manage PII security incidents through containment and root cause analysis.
• Escalate and report PII security incidents to the wider enterprise and to the DPO.
• Report PII security incidents to the Supervisory Authority. Under Article 33 the notification is due without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, so the clock should be started from the time of awareness rather than the time of the incident; Article 34 separately requires notifying the affected data subjects when the breach is likely to result in a high risk to them.
Diagram labels: PII Information; SecOps & GRC; Security Incident Workflow & Treatment
Step 9: Assess your 3rd Parties' GDPR Compliance
ServiceNow Capabilities:
• Implement Vendor Risk Management in ServiceNow to:
- Manage the vendor portfolio
- Design a library of assessments, based on questionnaires and evidence collection
- Schedule data privacy assessments to vendors, based on tiers / risks
- Connect questionnaire questions to GRC controls, so that a vendor's response automatically sets the related control to Compliant / Non-Compliant
- Provide an external vendor portal where vendors can respond to the privacy assessments pushed to them
- Manage identified issues / actions to resolution, to improve vendors' GDPR compliance
Diagram labels: SecOps & GRC; Vendor Portal; Vendor Portfolio; Privacy Questionnaire
Finally! DPO Processes & Dashboard Visibility
ServiceNow Capabilities:
• Leverage Performance Analytics and the standard ServiceNow dashboarding / reporting engine to:
- Follow the level of compliance and risk across various dimensions (group, unit, process, system, CI, information (PII), project, etc.)
- Manage the DPIAs and their results
- Manage the GDPR control framework and follow the attestations, evidence and indicators of critical controls
- Review the progress of remediation issues and tasks to completion
- Review the progress of PII-breach security incidents to completion
- Trend results to track progress toward full compliance, and evaluate predictive analytics
- Report to the Supervisory Authority based on evidence
Diagram label: SecOps & GRC
Simplify Personal Data Record Compliance
ServiceNow Capabilities:
• Use ServiceNow Customer Service Management to interact with individuals in the EU.
• Provide personal data access for individuals in the EU through CSM portals.
• Provide GDPR-related information, policies and procedures.
• Manage requests for personal data updates, transfers and deletions.
• Manage specific consents (opt-in, opt-out, etc.).
• Supply GDPR risk information directly to individuals in the EU.
Simplify Personal Data Record Compliance
The same GDPR requirements apply to more than customers and prospects. Easily manage personal data for employees, vendors, third parties and any other individuals in the EU whose data you hold.
What are customers saying about ServiceNow GRC
Rapid ROI
"We were up and running with full functionality in just eight weeks, allowing the quarterly audit activities to proceed without a hitch."
Productivity Gains
"Integrated GRC gave us back over 9000 IT man hours annually."
"We've reduced our audit data collection time by 93%"
Proactive Risk Management
"We are taking our controls framework from being manual and detective to being automatic and preventative and embedded within the processes we are implementing in ServiceNow"
Cost Avoidance
"We're able to avoid large fines ~$200MM per year, in addition to large audit, consulting, and project related fees ~400MM per year."
Reliable, Real-time Insight
"When we provide results to executives, ServiceNow has done the work for us with accuracy and ease."
"ServiceNow GRC gives us real-time insight to metrics."
Significant Cost Reduction
"Our annual audit costs were reduced by 80%."
"We're expecting to save on average ~$4MM per year per control automation."
Top Takeaways
1. ServiceNow GRC is scalable to accommodate many new and existing regulations
2. The GDPR can be managed through ServiceNow's GRC application
3. The heavily regulated financial industry can use the combination of GRC and SecOps for GDPR and much more