In a recent Forbes article that identifies The Top 10 Challenges and Priorities for CIOs in 2017, there was one challenge listed that especially stood out to me: “Put what data you can in the cloud–to shore up security”. The key point being made here that really resonated with me is that CIOs are pushing more toward moving onto an enterprise cloud provider to ensure the highest quality of security and compliance for the business.
The need to secure the cloud and demonstrate that the highest levels of security controls are in place has created a cascading effect where IT organizations are combining their efforts across digital security, architecture engineering, risk management, and IT compliance teams to work more closely together. The rationalization for bringing these areas together must start at the program level, where a defined set of objectives drives the people, processes, and tools toward a governance framework that clearly outlines the mission. The reason for creating a new governance framework is to protect the business information and customer data that will reside in the cloud by ensuring that the levels of cyber-security in place are compliant with the strongest security framework standards available.
CIOs today need to be aware that securing the cloud and providing the compliance their customers ask for is best managed through a single system of record that brings company-defined policies, security controls, and the management of risks together with a compliance process that can drive internal or external audit reviews. This single pane of glass that helps preserve the security needs of all cloud-hosted services is referred to as GRC.
What is GRC?
Governance, Risk, and Compliance (GRC) is a program designed to ensure that people, processes, and products involved in executing business goals can manage risks and meet compliance requirements. This strategic approach for bringing policies, controls, cyber-security, and risk together exists so that compliance can perform internal or external audits against IT security controls (as mentioned above).
Where CIOs are pushing quickly into a cloud-hosted solution, they are also having to re-evaluate the skills and processes needed to support the business with the appropriate urgency. Areas such as orchestration, operating IT with bi-modal priorities, and building strong cyber-security and compliance directly tie into delivering and supporting cloud systems efficiently and safely.
As AHEAD is witnessing this increase in demand first-hand, we’re partnering with many clients to build out GRC in ServiceNow, which does an amazing job of providing accurate data needed to effectively manage security controls and risk assessments across the technology organization. In the graph examples below, you’ll see how ServiceNow GRC dashboard data provides quick and accurate information that identifies the number of compliant vs. noncompliant controls, as well as a useful heatmap that calls out the highest and most likely risks.
GRC dashboard in ServiceNow
GRC can identify the compliance framework that your organization must establish, including the strong and effective security controls needed to protect the cloud. From there, the right processes are needed to ensure controls are in place and are being managed. The ability to gather evidence proving that controls are effective is also very important in order to certify and pass an IT audit. GRC brings into perspective the high-level compliance framework (such as FedRAMP, SOX, PCI, or ISO 27001) and shows which policies and controls are compliant against its requirements (see image below).
Compliance dashboard in ServiceNow
GRC and Change Management
External audits for compliance have traditionally looked very closely at the change management process to ensure that infrastructure configuration and software updates to production services are recorded accurately. Compliance and IT operations teams have traditionally been required to manually run reports and search for historical change management records to find the evidence needed for an audit, which can take a long time to compile. It is one of the most time-consuming parts of an audit and definitely not something people look forward to.
In AHEAD Lab, we are currently experimenting with developing custom business rules in ServiceNow that can find historical change management records in scope for an audit and automatically retrieve and share that data. It is a step in the right direction in streamlining GRC-related processes, and can provide high value to a CIO when data-driven decisions are becoming more urgent.
Configuration Management Database (CMDB) and GRC
Building out a Configuration Management Database (CMDB) is a goal that CIOs have long desired, but one that has seemed almost impossible to achieve because of the complexity involved. Without a healthy and well-maintained CMDB, digging for audit data on historical configuration changes made to infrastructure becomes a daunting, if not impossible, task. IT operations teams have also wanted infrastructure CI relationship data at their fingertips and, without a CMDB, have had to create their own spreadsheets out of necessity. When conducting an audit against IT, collecting historical process data against affected CIs and business services is a must-have. Without a fully-populated and managed CMDB, audits can become a logistical nightmare, requiring countless hours of manual effort to deep dive into server log history in an attempt to locate references to configuration updates. Hence, a mature change management process, coupled with a healthy and well-maintained CMDB, will result in a far less stressful life for the CIO.
The great news here is that in ServiceNow, there are several ways to build, manage, and maintain a CMDB the right way. AHEAD has been leading configuration management, Discovery tool integration, and ServiceWatch workshops for customers and has highly experienced technical experts and process consultants that can partner with an IT organization to capture that elusive, yet desired state for CMDB.
In a previous blog post from AHEAD’s Cloud Services Engineer, Zach Zeid, titled IT Governance in the Cloud, he identifies that public cloud providers like Amazon Web Services (AWS) and Microsoft Azure offer tools for writing automation scripts for compliance, which brings added value to IT leadership when building effective controls for security or performing an internal audit. In building out a federated CMDB, a diverse hybrid cloud platform can be quickly and consistently managed in a single federated view, and can also tie into enterprise service management processes when delivering, configuring, correcting, or auditing cloud-hosted services in this age of the customer.
The benefit of having a fully-populated and managed CMDB also means that control tests for compliance can be streamlined and automated, eliminating the need for manual intensive time and effort to conduct control testing and gather evidence into a spreadsheet, which I will uncover in my next blog post on GRC: Automating Compliance Through Cloud Automation and ServiceNow GRC.
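As an added illustration of the automated evidence gathering described here and in the change management section above (example code written for this edit, not AHEAD's or ServiceNow's), the following Python models one control test end to end: it uses CMDB relationships to decide which CIs are in scope for an audited business service, selects the change records that touched those CIs inside the audit window, tests each record against the control, and summarizes compliant versus noncompliant changes. The CI names, change numbers, dates, and the control definition are all constructed assumptions, and no ServiceNow API is used.

```python
"""Added example: automated evidence gathering for a change-management control.

Hypothetical, self-contained model of the check the post describes. It does
not call ServiceNow; every record below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed CMDB relationships: business service -> the CIs that support it.
CMDB_SERVICE_CIS = {
    "payments-api": {"web01", "web02", "db01"},
    "intranet-wiki": {"wiki01"},
}


@dataclass(frozen=True)
class ChangeRecord:
    number: str
    ci: str                     # configuration item the change was applied to
    implemented: date
    approved_on: Optional[date]  # None means no approval was ever recorded
    state: str                  # e.g. "closed", "closed_incomplete", "cancelled"


# Constructed change history (not real ServiceNow data).
CHANGES = [
    ChangeRecord("CHG0001", "web01", date(2017, 3, 2), date(2017, 3, 1), "closed"),
    ChangeRecord("CHG0002", "db01", date(2017, 3, 10), None, "closed"),               # never approved
    ChangeRecord("CHG0003", "web02", date(2017, 3, 15), date(2017, 3, 16), "closed"), # approved after the fact
    ChangeRecord("CHG0004", "wiki01", date(2017, 3, 20), date(2017, 3, 19), "closed"),# CI not in scope
    ChangeRecord("CHG0005", "db01", date(2016, 12, 1), date(2016, 11, 30), "closed"), # outside audit window
    ChangeRecord("CHG0006", "web01", date(2017, 3, 25), date(2017, 3, 24), "closed_incomplete"),
]


def changes_in_scope(changes: List[ChangeRecord], service: str,
                     start: date, end: date) -> List[ChangeRecord]:
    """Changes implemented within [start, end] on a CI that supports the audited service."""
    cis = CMDB_SERVICE_CIS.get(service, set())
    return [c for c in changes if c.ci in cis and start <= c.implemented <= end]


def control_findings(change: ChangeRecord) -> List[str]:
    """Control (assumed): every production change is approved before it is
    implemented and ends in the 'closed' state. Returns the list of violations."""
    findings = []
    if change.approved_on is None:
        findings.append("no approval recorded")
    elif change.approved_on > change.implemented:
        findings.append("approved after implementation")
    if change.state != "closed":
        findings.append(f"state is {change.state!r}")
    return findings


def evidence_report(changes: List[ChangeRecord], service: str,
                    start: date, end: date) -> Dict:
    """Evidence package for one control test: what was in scope and how each record fared."""
    scoped = changes_in_scope(changes, service, start, end)
    results = {c.number: control_findings(c) for c in scoped}
    return {
        "service": service,
        "window": (start.isoformat(), end.isoformat()),
        "in_scope": len(scoped),
        "compliant": sorted(n for n, f in results.items() if not f),
        "noncompliant": {n: f for n, f in results.items() if f},
    }


def sample_report() -> Dict:
    """Run the control test over the constructed data for Q1 2017."""
    return evidence_report(CHANGES, "payments-api", date(2017, 1, 1), date(2017, 3, 31))


if __name__ == "__main__":
    report = sample_report()
    print(f"{report['service']} {report['window']}: {report['in_scope']} changes in scope")
    print("compliant:", report["compliant"])
    for number, findings in report["noncompliant"].items():
        print(f"noncompliant {number}: {', '.join(findings)}")
```

The CMDB lookup is what keeps the test honest: without the service-to-CI mapping, CHG0004 (a wiki server) would either be wrongly pulled into the payments audit or silently missed, which is exactly the manual spreadsheet work the section describes. The report is plain data, so it can be attached to the control as evidence or re-run for any window without anyone searching change history by hand.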
I recommend that if you take the steps to build out a GRC program in your organization to align security and compliance controls for cloud management, you also make building a CMDB a high priority. It lets you take advantage of orchestration and automation not only to streamline your request delivery process, but also to automate evidence testing and gathering for GRC.
AHEAD’s Enterprise Service Management team brings the strategic intelligence and technical skills needed to partner with an organization ready to start formalizing its security, risk, and compliance program into GRC. Make your CIO proud by proactively anticipating their needs around cloud management and identifying security compliance with GRC as a must-have requirement. Contact us today if you’re interested in learning more about how our team can help you establish a GRC strategy in your organization.