Need information on prerequisites or instructions for setting up the CyberGRX Risk Exchange integration with ServiceNow VRM? Check out the Implementation Guide.
Announcement
With the release of our CyberGRX API V2 and the planned End of Life for CyberGRX API V1, we are working on transitioning the ServiceNow Integration to the CyberGRX API V2. Previously released versions built on API V1 will stop functioning at the API V1 EOL and will be deprecated. The API V2 Integration with ServiceNow will allow for easier testing and additional functionality.
- API V2: Utah version - In Development, Targeted for availability in late Q2 2024
- API V2: Vancouver version - In Development, Targeted for availability in late Q2 2024
- API V2: Washington version - In Plan, Targeted for availability in early Q3 2024
CyberGRX / ServiceNow VRM Integration
Integration Overview
There are three main phases to the CyberGRX integration with ServiceNow VRM.
- Syncing the vendor records between the two systems and keeping them in sync.
- Prioritizing the vendor record using the integrated CyberGRX Tiering Questionnaire to understand the Inherent Risk for the vendor.
- Requesting a CyberGRX assessment, waiting for the assessment to be completed and authorized by the vendor, and reviewing and acting on the imported assessment results.
For a demo of the integration, check out our recording* on YouTube: https://www.youtube.com/watch?v=ONk_6meEeTw
*Recording is from an earlier release and does not reflect all fields and functionality added in later iterations. When a new demo is available this link will be updated.
Company Syncing
Let's get the company records in ServiceNow linked to the corresponding company record in CyberGRX and start the data flowing.
Create from CyberGRX
If a new vendor record needs to be added to ServiceNow and there is not another process in place for creating new vendors, users can leverage the "Create from CyberGRX" feature.
This allows users to search the CyberGRX Exchange for companies. If a match is found, the vendor record is created in ServiceNow.
- Vendor Risk view -> CyberGRX -> Vendor Name is populated
- Vendor Risk view -> CyberGRX -> Website is populated
- Vendor Risk view -> CyberGRX -> Vendor Address is populated
- Vendor Risk view -> CyberGRX -> CyberGRX Sync set to "true"
- Vendor Risk view -> CyberGRX -> CyberGRX ID is populated
- Vendor Risk view -> CyberGRX -> CyberGRX Name is populated
- Third Party is added to the portfolio in CyberGRX
Sync with CyberGRX
If a vendor record already exists in ServiceNow, that company can also be added to the CyberGRX portfolio. Select the "Sync with CyberGRX" button to search companies on the exchange based on company name and URL. Review the results and select the matching company.
- Vendor Risk view -> CyberGRX -> CyberGRX Sync set to "true"
- Vendor Risk view -> CyberGRX -> CyberGRX ID is populated
- Vendor Risk view -> CyberGRX -> CyberGRX Name is populated
- Vendor Risk view -> CyberGRX -> Threat Likelihood Score is populated
- Vendor Risk view -> CyberGRX -> Threat Likelihood Band is populated
- Vendor Risk view -> CyberGRX -> Business Impact Score is populated (if available - see Tiering Assessment)
- Vendor Risk view -> CyberGRX -> Business Impact Band is populated (if available - see Tiering Assessment)
- Vendor Risk view -> CyberGRX -> Assessment in Exchange is populated (if applicable)
- Vendor Risk view -> CyberGRX -> Assessment Requested is populated (if applicable)
- Third Party is added to the portfolio in CyberGRX
If there are no matching results for that company in the CyberGRX exchange, request a new company be added to the CyberGRX exchange. This request can take a few business days. When the record is created it will be added to the CyberGRX portfolio.
- Vendor Risk view -> CyberGRX -> CyberGRX Sync set to "Pending"
- Third Party is requested to be added to the CyberGRX exchange and portfolio
A scheduled job runs nightly to check whether each Pending vendor record now returns the newly created matching company in CyberGRX and, if so, updates CyberGRX Sync to "true".
UnSync with CyberGRX
If the user no longer wants to include a vendor in the CyberGRX integration, they can click the "UnSync with CyberGRX" button. This is also useful if the user accidentally selected the incorrect company in CyberGRX and they want to break that link and then find the correct company instead.
- Vendor Risk view -> CyberGRX -> CyberGRX Sync set to "false"
- Vendor Risk view -> CyberGRX -> CyberGRX ID set to blank
- Other fields are left as is for historical purposes, but can be overwritten if the vendor is synced with another company record
Please note the "UnSync with CyberGRX" functionality does not remove the company from the portfolio in CyberGRX. This is a manual action at this time.
Tags
Tags added to the Vendor record in ServiceNow are synced daily via a scheduled job to the Third Party record in CyberGRX. Tags are a versatile way to categorize your vendors for filtering, reporting or taking actions in bulk.
Please note the tags job does not remove tags from the vendor in CyberGRX if a tag is deleted from the vendor in ServiceNow. Removing tags from CyberGRX requires manual action at this time.
Tiering Assessment for Inherent Risk
Now that the company records are synced between the two systems, let's complete the Impact Questionnaire / Tiering Assessment to evaluate the Inherent Risk.
Requesting a Tiering Assessment
A CyberGRX Tiering Questionnaire Template has been published as part of the integration. These questions determine your level of interaction with the third party across eight assets.
This tiering template is available for selection as a questionnaire when creating a Tiering Assessment on a Vendor record. Upon submission the tiering assessment will move to Awaiting Response from the Tiering assessor.
Taking the Tiering Assessment
The internal business owner for the vendor will see the tiering assessment available to complete in the ServiceNow user portal. They can provide the level of interaction with the vendor across eight asset classes: Business Process, People, Digital Identities, Applications, Data, Devices, Networks, and Facilities.
Tiering Assessment Results
Upon the completion of the tiering assessment, the user will have a comprehensive view into the Inherent Risk associated with that vendor.
- Vendor Risk view -> CyberGRX -> Threat Likelihood Score is updated
- Vendor Risk view -> CyberGRX -> Threat Likelihood Band is updated
- Vendor Risk view -> CyberGRX -> Business Impact Score is populated
- Vendor Risk view -> CyberGRX -> Business Impact Band is populated
- Vendor Risk view -> CyberGRX -> Inherent Risk is populated
- Vendor Risk view -> Tiering Assessment -> Tier Level is populated
Security Controls Assessments
Based on the Inherent Risk results from the Tiering Assessment, you can determine whether a Security Controls Assessment is needed and what tier is recommended based on your company's business process.
Requesting an Assessment
Requesting a CyberGRX assessment on a vendor follows the ServiceNow flow. In the Assessment Draft state there are 3 options available in the Assessment template selection.
- CyberGRX Tier 1 Validated
- CyberGRX Tier 2 Validated
- CyberGRX Tier 2
The CyberGRX templates do not contain questions, which allows you to leverage the latest content releases from CyberGRX whenever requesting an assessment.
At least one vendor contact is required prior to "Submit to Vendor". When the Assessment is moved into the "Submit to Vendor" state, a request is made to CyberGRX and that tier is requested from the vendor. On the Vendor record, the custom field is updated to reflect the request.
- Vendor Risk view -> CyberGRX -> Assessment Requested is populated
Assessment Progress
Security Controls Assessments can take a while if the vendor does not already have a completed questionnaire on the CyberGRX exchange. To help keep track of the assessment request, a new CyberGRX field "Assessment Status" has been created in the Vendor Risk Assessment area. The daily scheduled job checks on the progress and updates the status field.
- Empty: Assessment not yet requested
- Ordered: Assessment ordered but the vendor contact has not created their CyberGRX Account
- InProgress: The vendor contact has created their account and started the Assessment
- Validation: The assessment is completed and is in the validation phase (if applicable based on the Tier requested)
- AwaitingAuthorization: The assessment is completed and the only remaining step is for the vendor to authorize the release of the assessment
- Available: The assessment is completed and has been authorized to be released
- Received: The assessment results have been imported into ServiceNow for review
When the CyberGRX Assessment Status updates to "Available", the Assessment Status will be updated to Responses Received while the Assessment Results are loading. Once the results have been imported into ServiceNow, the Assessment Status will update to "Received" and the Assessment State will move to "Generating Observations".
- Vendor Risk Assessment -> CyberGRX -> Assessment ID is populated
- Vendor Risk Assessment -> CyberGRX -> Report ID is populated
- Vendor Risk Assessment -> CyberGRX -> Assessment Attested Date is populated with the date the vendor attested the assessment
Assessment Results
Once the vendor has completed the assessment and authorized the release of the information, the daily scheduled job will pull in the Assessment Results. While the results are being imported the Assessment will be in the Responses Received state. After all results are loaded the Assessment will move to the Generating Observations state.
PDF Report
The CyberGRX Assessment Report is uploaded to the Vendor Risk Assessment as a PDF attachment.
Note that the report will only be loaded for review if the "Import PDF" option is selected in the CyberGRX Configurations.
Assessment Scoring
Maturity Scores
- Vendor Risk Assessment -> CyberGRX -> Strategic Maturity is populated
- Vendor Risk Assessment -> CyberGRX -> Privacy Maturity is populated
- Vendor Risk Assessment -> CyberGRX -> Management Maturity is populated
- Vendor Risk Assessment -> CyberGRX -> Operational Maturity is populated
- Vendor Risk Assessment -> CyberGRX -> Core Maturity is populated
Coverage Scores & Risk Ratings
- Vendor Risk Assessment -> Questionnaires -> CyberGRX Strategic -> CyberGRX Coverage Score & Risk Rating is populated
- Vendor Risk Assessment -> Questionnaires -> CyberGRX Privacy -> CyberGRX Coverage Score & Risk Rating is populated
- Vendor Risk Assessment -> Questionnaires -> CyberGRX Management -> CyberGRX Coverage Score & Risk Rating is populated
- Vendor Risk Assessment -> Questionnaires -> CyberGRX Operational -> CyberGRX Coverage Score & Risk Rating is populated
- Vendor Risk Assessment -> Questionnaires -> CyberGRX Core -> CyberGRX Coverage Score & Risk Rating is populated
Issues and Risk Management
Findings identified by CyberGRX based on the security control assessment answers and the tiering assessment will be uploaded to the vendor as Issues associated with the Assessment record.
- Vendor Risk Issue -> Name is populated with the CyberGRX Finding Control Name
- Vendor Risk Issue -> Short Description is populated with the CyberGRX Finding Control Number
- Vendor Risk Issue -> Description is populated with CyberGRX Finding Control Number, Control Name, the Vendor Answer (Yes, No, NA, Skipped) and Comment (if supplied), as well as the Remediation Recommendation
- Vendor Risk Issue -> Priority is populated with the CyberGRX Finding Priority
Note that Issues will be created in the Generating Observations state based on the "Import Issue Type" option selected in the CyberGRX Configurations. It is configurable to have all CyberGRX High, Medium and Low findings imported as Issues, or only High, only High and Medium, or have no Issues created.
Issues can be reviewed and addressed with the built-in ServiceNow functionality. Risks can be accepted, assigned to the vendor to remediate or provide additional information, or assigned internally for mitigation efforts.
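The following Python model illustrates the finding-to-Issue mapping and the "Import Issue Type" filter described above. It is an added example, not code from the integration itself: the finding records are constructed, the option names ("All", "High and Medium", "High", "None") and field names are assumptions standing in for the real configuration values, and the description layout only approximates what the integration writes.

```python
"""Model of the CyberGRX finding -> ServiceNow Vendor Risk Issue import.

Constructed example. Option names, field names and sample findings are
assumptions for illustration, not the integration's real data model.
"""
from dataclasses import dataclass

# Priorities admitted by each assumed "Import Issue Type" configuration value.
IMPORT_ISSUE_TYPE_ALLOWED = {
    "All": {"High", "Medium", "Low"},
    "High and Medium": {"High", "Medium"},
    "High": {"High"},
    "None": set(),
}

VALID_ANSWERS = {"Yes", "No", "NA", "Skipped"}
VALID_PRIORITIES = {"High", "Medium", "Low"}


@dataclass(frozen=True)
class Finding:
    """One CyberGRX finding as delivered with the assessment results."""
    control_number: str
    control_name: str
    vendor_answer: str   # Yes, No, NA or Skipped
    comment: str         # empty string when the vendor supplied none
    remediation: str     # remediation recommendation text
    priority: str        # High, Medium or Low


@dataclass(frozen=True)
class VendorRiskIssue:
    """The subset of ServiceNow Vendor Risk Issue fields the import populates."""
    name: str
    short_description: str
    description: str
    priority: str


def build_description(f: Finding) -> str:
    """Assemble the Description field: control number and name, the vendor's
    answer, the comment only when one was supplied, and the remediation."""
    lines = [
        f"Control {f.control_number}: {f.control_name}",
        f"Vendor answer: {f.vendor_answer}",
    ]
    if f.comment:
        lines.append(f"Comment: {f.comment}")
    lines.append(f"Remediation recommendation: {f.remediation}")
    return "\n".join(lines)


def finding_to_issue(f: Finding) -> VendorRiskIssue:
    """Map one finding onto the Issue fields listed in the page above."""
    if f.vendor_answer not in VALID_ANSWERS:
        raise ValueError(f"unexpected vendor answer: {f.vendor_answer!r}")
    if f.priority not in VALID_PRIORITIES:
        raise ValueError(f"unexpected finding priority: {f.priority!r}")
    return VendorRiskIssue(
        name=f.control_name,
        short_description=f.control_number,
        description=build_description(f),
        priority=f.priority,
    )


def import_findings(findings, import_issue_type: str) -> list:
    """Return the Issues to create, keeping only findings whose priority is
    admitted by the configured Import Issue Type. Rejects unknown options
    rather than silently importing everything."""
    if import_issue_type not in IMPORT_ISSUE_TYPE_ALLOWED:
        raise ValueError(f"unknown Import Issue Type: {import_issue_type!r}")
    allowed = IMPORT_ISSUE_TYPE_ALLOWED[import_issue_type]
    return [finding_to_issue(f) for f in findings if f.priority in allowed]


# Constructed sample findings (control numbers and names are made up).
SAMPLE_FINDINGS = [
    Finding("EX-01", "Multi-factor authentication for remote access",
            "No", "", "Require MFA for all remote administrative access.", "High"),
    Finding("EX-02", "Vulnerability scanning cadence",
            "Skipped", "Scans run quarterly.",
            "Scan external-facing systems at least monthly.", "Medium"),
    Finding("EX-03", "Security awareness training records",
            "NA", "", "Retain completion records for all staff.", "Low"),
]


if __name__ == "__main__":
    for option in IMPORT_ISSUE_TYPE_ALLOWED:
        issues = import_findings(SAMPLE_FINDINGS, option)
        print(f"{option!r}: {len(issues)} issue(s) created")
```

Running the block prints how many Issues each configuration value would create from the three constructed findings; the High-only option yields a single Issue whose Description carries no "Comment:" line because the vendor supplied none.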