The goal of this lab is to understand General Data Protection
Regulation (GDPR) requirements, their impact on your organization, and how
ServiceNow can support your GDPR compliance journey. ServiceNow
Governance, Risk, and Compliance (GRC) helps bring order to an
enterprise's GDPR compliance requirements and provides best practices
for meeting them.
This lab explains the key ServiceNow
applications that support GDPR and names the key citations (regulatory
requirements) for GDPR.
-
Navigate to the unique instance URL provided to you.
-
Log on with the provided credentials.
-
Review your homepage.
You can change your homepage to System Administration by selecting it from the dropdown list in the top-left of the page.
-
Review your favorite applications by clicking the star next to the application.
-
Discover the GRC applications and their modules by typing the first few letters of Policy and Compliance, Risk Management, or Audit Management.
-
Click the ServiceNow logo.
-
In the homepage window, from the dropdown list, search for compliance.
-
Select Compliance Overview.
-
Review the initial Compliance status.
You should see the GDPR Compliance report as empty for now. The related gauges/reports are updated as you progress with the lab.
This lab explores the GDPR authority document. It also explains the different citations for regulatory requirements.
-
In the Filter Navigator, enter authority, and then click Authority Documents.
-
Under Authority Documents, in the Common Name field, search for *EU.
Note: Refer to the example below. If your Type field for EU GDPR Authority Document is empty, you can add the relevant type by double-clicking on the empty field.
-
Click the EU General Data Protection link (the number begins with AD00).
Your authority document number might differ from the one shown.
-
Review the overall GDPR information.
-
Scroll to Related Lists and click Citations.
-
In the Reference field, search for Art. 35.
-
Review the relevant article, information, and respective subsections.
This lab explains how to create an organizational policy, with policy statements that match the GDPR requirements, and describes the outline of such a policy.
-
Navigate to the Policy and Compliance application.
-
Search for Policies, and then click Policies to list them.
-
At the top of the policies page, click New.
On the top of the record, a full Policy Life Cycle Stages list appears.
-
Fill out the new policy record with the following information.
You can click the icon to add yourself (System Administrator), or click the lock icon to add the Policy Approver.
-
Name: Data Protection Policy
-
Owner: Policy Owner
-
Type: Policy
-
Owning group: Policy Management
-
Description: Data Protection Policy
Note: For the purpose of this lab, you can provide any valid dates. For simplicity, we have skipped any additional policy reviewer step here.
-
To save the record, right-click the policy header bar, and then from the dropdown menu click Save.
-
In the Filter Navigator, enter Knowledge, and then click the Knowledge application.
-
In the search bar, search for *gdpr, and then press Enter to continue.
The Lab Data Protection Policy appears.
-
Open the Policy.
The Lab Data Protection Policy describes the different sections required for a Data Protection policy.
-
Review the policy content.
-
Copy the content of the Lab Data Protection Policy.
-
To return to your policy, click the Your history icon, and then click the Policy you just created.
You should now be back in the policy record.
-
Paste the copied content into the Policy Text field.
-
To save the record, right-click the header bar and then click Save from the dropdown menu.
-
Assign relevant Policy Statements to the policy.
-
In the top-right of the page, click Add Statements to generate Policy Statements that are defined for the policy.
a. Scroll to Related Lists and click Policy Statements.
You should see nine policy statements added to the policy.
b. Click any Reference number, for example 1. A Policy Statement window opens for that reference number.
c. Under related lists, click the Citations tab and verify that at least one EU GDPR Regulation citation is aligned with that policy statement.
-
Navigate back to your policy.
-
Move forward into Policy Life Cycle.
-
Go to the next stage and click Ready for Review.
The policy moves to the Review stage in the Life Cycle Flow. A reviewer can now review the policy.
-
For this lab, go directly to the Approval step.
-
Click Request Approval.
The approval request goes to Policy Approver & System Administrator.
The policy form fields are now read-only, as shown below in the second example.
After you request approval, the policy life cycle state changes to Awaiting approval, as shown below.
-
Scroll to related lists and click Policy approvals.
There are two records waiting for approval.
-
For each approval record, double-click the State value (Requested) and change it to Approved.
In this lab the same administrator requests and approves the policy; in a production instance, keep the requester and approver roles separate so that no one can approve their own policy.
-
Reload the form.
The Policy Record has moved to the Published state. Also, a Knowledge Article has been published.
-
Scroll to KB article and click the information icon at the end of the line.
A Knowledge record window opens.
-
Under Related Links, scroll to View Articles.
-
Click View Article.
The KB Article has automatically been created with related requirements listed at the bottom of the article.
You have just created a policy aligned with regulation requirements. You have completed a full Policy Life Cycle.
This lab explains how to create a Profile Type and assign a Risk Framework to assess compliance requirements for a profile. A profile (an entity we need to check for compliance requirements) then carries the policy and policy statements you just created. You add risks to the Profile Type and see the potential impact of noncompliance on a profile.
-
Click the history icon to return to the Policy Record. (as in Lab 2.0)
-
Scroll to related lists and then, in the Policy record, click Profile Types.
-
Under Profile Types, click Edit.
-
In the left-hand selection list, click Organizations, move it into the right-hand selection list, and then click Save.
You return to the policy record.
-
Scroll down to the Profile Types related list and click Organizations.
The Profile Type record opens in a new window. A profile, ACME Inc., is assigned to this Profile Type.
The Policies and Policy Statements created in earlier steps appear in the related list.
-
Return to the Dashboard and check the Compliance Overview.
The GDPR Compliance gauge is created with an empty status.
-
Add a Risk Framework to the Profile Types as shown below.
-
Add the Corporate Risks framework to the Profile Type and then click Save.
Corporate risks are related to the regulation requirements. The Risk Framework is now assigned to the Profile Type.
-
Reload the form.
The Risk Statements are also automatically added to that Profile Type.
-
Click Risk Statements to see the assigned Risk Statements.
You should have some Risk Statements, including Non-compliance with Law/ Regulations. We will revisit this Risk Statement later.
-
Under related lists, return to Profiles, and then click the profile ACME Inc.
The Profile window contains Organizations in the Profile Types related list.
-
Click the Controls tab next to Profile Types.
There are nine controls allocated to this Profile, as requirements described in the policy. To see the assigned Risks, click Risks.
-
Click the Non-compliance with Law/ Regulations risk.
You are now in the Risk record.
-
Change the Risk Life Cycle status in the form from none to Not Assessed, and then save the record.
-
Review all the fields in this risk record.
a. Scroll down and click the Scoring tab.
b. Check your inherent, residual, and calculated scores.
c. Write down the Calculated scores (ALE = Annual Loss Expectancy).
Without any controls implemented to reduce this risk, both the likelihood of the risk occurring and its impact are high. The objective is to reduce the risk.
-
Change the Scoring record for Inherent and Residual impact & Likelihood as follows:
-
Save the record, and then Reload the risk record form to see the new values.
-
Add controls to associate GDPR requirements to the risk.
a. Scroll down to related lists, click Controls, and then click Add.
A new window opens allowing you to select controls to associate with the risk.
b. Select All controls and then click Add Relationship.
There are nine controls associated to that risk.
-
After adding these controls, save the record.
The risk score remains the same since you have not yet executed controls.
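The scoring loop this lab exercises (controls generated for a profile, attestations moving them to Compliant or Noncompliant, noncompliant controls pushing the calculated score up, and an issue opened per noncompliant control) as an added, deliberately simplified Python model. This is example code written for this page, not ServiceNow's scoring engine: the 1-5 impact/likelihood scales, the score formula, the nine sample control names and the evidence file names are assumptions.

```python
"""Simplified model of how control attestations drive a risk score.

Added illustration for this lab; NOT ServiceNow's scoring engine.
Assumptions: 1-5 impact/likelihood scales, score = impact x likelihood,
and the calculated score moving from the residual score toward the
inherent score in proportion to the share of attested controls that are
noncompliant. Draft/Attest controls (not yet attested) do not move it.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class ControlStatus(Enum):
    DRAFT = "draft"
    ATTEST = "attest"
    COMPLIANT = "compliant"
    NONCOMPLIANT = "noncompliant"


@dataclass
class Control:
    name: str
    status: ControlStatus = ControlStatus.DRAFT


@dataclass
class Attestation:
    """One DPIA-style attestation generated for a control."""
    control: Control
    state: str = "ready_to_take"
    evidence: list[str] = field(default_factory=list)

    def submit(self, implemented: bool, evidence: list[str] | None = None) -> ControlStatus:
        """Record the response; the control leaves Attest for Compliant or Noncompliant."""
        self.evidence = list(evidence or [])
        self.control.status = (ControlStatus.COMPLIANT if implemented
                               else ControlStatus.NONCOMPLIANT)
        self.state = "complete"
        return self.control.status


def generate_attestations(controls: list[Control]) -> list[Attestation]:
    """Mirror 'Generate DPIAs': every control moves to Attest and gets one attestation."""
    for c in controls:
        c.status = ControlStatus.ATTEST
    return [Attestation(c) for c in controls]


def open_issues(controls: list[Control]) -> list[dict]:
    """Each noncompliant control yields one issue in the New state."""
    return [{"control": c.name, "state": "New",
             "description": f"{c.name} attested as noncompliant"}
            for c in controls if c.status is ControlStatus.NONCOMPLIANT]


@dataclass
class Risk:
    name: str
    inherent_impact: int
    inherent_likelihood: int
    residual_impact: int
    residual_likelihood: int
    controls: list[Control] = field(default_factory=list)

    @property
    def inherent_score(self) -> int:
        return self.inherent_impact * self.inherent_likelihood

    @property
    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood

    def noncompliant_fraction(self) -> float:
        """Share of attested controls that failed; untested controls are ignored."""
        assessed = [c for c in self.controls
                    if c.status in (ControlStatus.COMPLIANT, ControlStatus.NONCOMPLIANT)]
        if not assessed:
            return 0.0
        bad = sum(1 for c in assessed if c.status is ControlStatus.NONCOMPLIANT)
        return bad / len(assessed)

    def calculated_score(self) -> float:
        """Residual score, pushed back toward the inherent score by failed controls."""
        spread = self.inherent_score - self.residual_score
        return round(self.residual_score + spread * self.noncompliant_fraction(), 2)


def annual_loss_expectancy(single_loss_expectancy: float,
                           annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO, the standard quantitative risk formula."""
    return single_loss_expectancy * annual_rate_of_occurrence


def run_acme_demo() -> dict:
    """Walk nine constructed controls through attestation, recording the score at each stage."""
    controls = [Control(f"GDPR control {i}") for i in range(1, 10)]  # constructed sample
    risk = Risk("Non-compliance with Laws/Regulations", 5, 5, 2, 2, controls)
    stages = {"draft": risk.calculated_score()}          # nothing attested: residual 4.0
    attestations = generate_attestations(controls)
    stages["attest"] = risk.calculated_score()           # still 4.0, controls not executed
    attestations[0].submit(False)                        # two noncompliant, one compliant
    attestations[1].submit(False)
    attestations[2].submit(True, evidence=["dpia-review.pdf"])
    stages["three_taken"] = risk.calculated_score()      # 4 + 21 * 2/3 = 18.0
    for a in attestations[3:]:
        a.submit(True, evidence=["config-screenshot.png"])
    stages["all_taken"] = risk.calculated_score()        # 4 + 21 * 2/9 = 8.67
    stages["issues"] = len(open_issues(controls))        # one issue per failed control: 2
    return stages
```

The model reproduces the behaviour the lab describes: the score does not move while controls sit in Draft or Attest, jumps when the first noncompliant responses arrive, and settles lower once the remaining controls attest as compliant, while each noncompliant control leaves an issue behind for an assignee to work.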
Having prepared everything needed to test the compliance and risk states in the previous labs, let's start executing. This lab explains how to generate attestations for the Data Protection requirements described in the policy for ACME Inc. Depending on the attestation responses, control status changes from Draft to Compliant or Noncompliant, which in turn affects the risk scoring (the more noncompliant controls, the higher the risk).
-
Return to your Profile.
-
Click ACME Inc.
The current state of all controls should be Draft.
-
Click Generate DPIAs (Data Protection Impact Assessments, the requirement from Art. 35 EU GDPR).
The controls now change to Attest. Nine attestations are created. ServiceNow GRC can also generate a single attestation per category, or separate attestations per category for different stakeholders.
-
In the Filter Navigator, search for, and then click, My Attestations.
-
Expand the Profile ACME Inc profile to see the full record.
You should now have nine attestations in the Ready to Take state.
-
Take one attestation and submit it. If asked to attach evidence, attach any (small) file from your laptop.
You can also provide multiple attachments as evidence. Attached evidence is what an auditor later relies on, so outside this lab attach the actual artifact that proves the control is in place.
-
Go back to the ACME Inc. Profile and then click Controls.
Depending on your response to that attestation, you should see the control status as Compliant or Noncompliant.
-
Return to the Dashboard (Compliance Overview) and then refresh your browser.
-
Note the GDPR Compliance status.
-
On the GDPR Compliance gauge, click the green part of pie chart (or red for non-compliant).
There are additional citations related to that particular control in Compliant/Noncompliant status.
-
Return to the attestations and take remaining attestations.
-
Check the Controls status and the dashboards from time to time, as in the previous steps (next example).
-
Check the Compliance Overview Dashboard.
Your dashboard might look different from what is shown below. You may need to refresh your browser window.
-
After you have 2-3 noncompliant controls, check the risk status as described in the following steps:
a. Select Profile ACME Inc.
b. Under the Risks tab in related lists, select the Non-Compliance with Laws/Regulations risk.
c. In the Non-Compliance with Laws/Regulations risk window, select Scoring.
There is a new score for the risk. Because of some noncompliant controls, Calculated Score is now higher. You may have a different score than shown below.
-
After finishing all attestations, go back to the Dashboard to see the latest status of GDPR Compliance.
Your dashboard might be different from what is shown below.
-
Go back to your risk - Non-compliance with Laws/Regulations; find it using the Your history icon.
-
Check the final risk scoring.
-
Click the Monitoring tab to see the control compliance metrics.
-
Scroll down and locate one of the noncompliant controls (if you have any) by clicking the Controls tab in the related list.
-
Click the Name of a noncompliant control.
-
In the related list, click the Issues tab.
An issue is automatically generated as a result of this noncompliant control.
-
Open the issue record.
The record is in the New state in the Life Cycle (next example). Under the Details tab, the reason appears in the Description box. An assignee can now start working on resolving the issue (not part of this lab).
You can also check out the Task SLA information under related lists on this form.
This lab explains how to create and add new content to the Risk Dashboard to get visibility on high impact risks instantly.
-
In the Filter Navigator, search for Risks.
-
Click All Risks.
-
Filter the Risks records by Profile: ACME Inc. as shown below.
All the risks related to ACME Inc (not in the Retired stage) are listed, including Non-compliance with Laws/Regulations.
-
Make the following changes to see these risks by Calculated Score in the Risk Dashboard.
-
Right-click the Calculated Score field and then select Pie Chart.
A new window opens.
-
Enter the report name in the Report Title (e.g., ACME Risks) field and then click Save.
-
On the Style tab, check the box Display data labels.
-
At the top-right of the report window, click Save and review the ACME Risks report.
-
Click the Sharing button on the header bar and select Add to Dashboard.
-
Add the report to your Risk Overview homepage, as shown below.
You are automatically directed to the Risk Overview homepage.
This lab illustrates further elements of the overall GDPR Lab, such as the DPO Dashboard and the Portal. The DPO dashboard gives you, as a DPO (or as a controller or processor), full visibility and transparency into the current GDPR exposure.