BitSight and ServiceNow Vendor Risk Management

    Ketan Shah, Senior Solution Consultant

    Did you know that a security breach can cost your organization millions? The risk of a breach is not the only concern: anyone familiar with the General Data Protection Regulation (GDPR) knows that assessing your third-party risk is mandatory for compliance. In other words, managing your vendors’ risk has become essential to your business. Companies must be able to manage, report on, and remediate risk wherever it exists within their third-party network.

    GSI can help your organization manage third-party security risks arising from vendors that do work on your behalf. We provide ServiceNow architecture and consulting services to protect you from security risks such as loss of transaction records, data exfiltration, and credential theft.

    GSI can leverage BitSight to identify deficiencies in a third party’s security while your organization is negotiating or renewing contracts with it, so that the contract can improve the overall security controls. GSI’s expertise with BitSight and ServiceNow will help you emphasize the clauses that need to be included and monitored in third-party contracts and create appropriate alerts when any violations are detected. For example, when a vendor requires VPN/remote access, automated analysis can help your security team decide whether it is safe to grant that access, or whether the vendor’s poor security posture poses a risk such that the request should be denied. GSI’s solution, built on ServiceNow and BitSight, gives you real-time monitoring of vendor risks. If risks are detected, appropriate alerts are triggered so that stakeholders can review, assess, and remediate them before an incident occurs.

    Through this solution, you can expect to reduce the cost of your Third-Party Risk Management (TPRM) program, provide greater accountability to your executives, tailor contracts to your security safeguards, and vastly improve collaboration with vendors. The aggregated vendor risks can also be presented to your stakeholders in business terms. Through the ServiceNow and BitSight integration, a centralized third-party repository improves your ability to identify, assess, and respond, with greater control and accountability for everyone involved.

    The solution architecture takes into account how the various teams, such as security, legal, procurement, and finance, will use the integrated ServiceNow and BitSight system. The BitSight integration is configured with the ServiceNow Vendor Risk Management and Issue Management applications, both of which are part of the ServiceNow GRC architecture. Vendors are associated with the assets and processes they support, and the associated risks are linked to your assets, controls, and policies.

    ServiceNow & BitSight Overview

    ServiceNow Vendor Risk Management, one of the applications in the ServiceNow GRC portfolio, provides a formalized process for managing your third-party risk, resulting in improvements in productivity, communication, and reporting. This application integrates with the BitSight Security Ratings of your vendors. Security ratings are critical to understanding third-party risks within the context of your business. They give companies the visibility to manage, report on, and remediate risk, enabling you to scale monitoring programs and build risk management programs.

    BitSight Security Ratings generate daily objective, quantitative measurements of a company’s security performance, using externally observable data on compromised systems, security diligence, user behavior, and public disclosures. These ratings are generated by analyzing existing security incident and event data. All companies, whether or not they are BitSight customers, are rated on the same criteria. The BitSight Security Rating, similar to a credit score, ranges from 250 to 900, with a higher rating correlating with better security posture and vice versa. BitSight Ratings are the only security ratings to have third-party validation of the ratings’ correlation with public data breaches.

    In ServiceNow, BitSight data is used to perform integrated reporting, tailor alerts for different vendors, kick off action plans and remediation activities, inform adjustments to the calculated vendor tier score, and automate response activities. By displaying the BitSight Security Rating alongside other vendor information, a vendor’s security performance can be compared with its residual risk for daily monitoring, vendor selection, and contract renewal and negotiation. A contextual link back into the BitSight portal allows for targeted investigation and data-driven outreach to vendors.

    The integration facilitates a more robust vendor risk management program through the following:

    • Increased, ongoing visibility into the security of third-party vendors, by pulling in the BitSight Security Rating and presenting a more well-rounded picture of each vendor’s cybersecurity posture.
    • More meaningful, action-oriented conversations with vendors, by leveraging the ratings and the more granular data in the BitSight portal in conjunction with the vendor data in ServiceNow. Use this data for activities such as reporting for contract renewal and negotiation, as well as vendor onboarding.
    • Prioritized resources and scalable third-party risk management programs, by using BitSight Security Ratings in conjunction with assessments, on-site visits, and other existing processes to calibrate your program and determine where resources should be allocated to manage vendor risks most efficiently.
    • Automation to speed response, validation, and remediation, through customized alerting on specific changes in the ratings and risk vector grades. ServiceNow’s vendor tiering assessment workflow lets vendor risk managers route assessments to the right person and helps them determine the right assessment for a vendor based on its tier. Any change in the security rating can automatically generate a vendor risk assessment to reduce the vendor’s risk exposure.