Implement the Vulnerability Response application with confidence by following the process outlined below.
- Implement ServiceNow Vulnerability Response
Success Pillar: Get your ServiceNow foundations right
- Success Pillars for Implementing ServiceNow Application – Structure
The four success pillars: state and measure your business goals; actively lead the transformation; get your ServiceNow foundations right; create excitement and drive adoption.
- State your transformation vision and outcomes.
- Engage an executive sponsor to drive change and remove roadblocks
- Manage to out-of-the-box
- Design an engaging self-service employee and customer experience
- Build your business case
- Find, manage, and coordinate capable, certified partners
- Discover and map your service assets
- Design an optimal agent and rep experience
- Build a phased program plan, identify quick wins
- Build a dedicated, dynamic governance process, policies, and team
- Plan your architecture, instances, integrations, and data flows
- Create a change management plan
- Baseline and track performance, usage KPIs, and metrics
- Reimagine how you want work processes to flow
- Plan for upgrades at least once a year
- Build an internal team of ServiceNow experts and train users
- Define and map out your business services
- Build a community of champions
- Manage platform demand
- Implement ServiceNow Vulnerability Response (VR)
Introduction
An effective vulnerability management program is one of the best ways to prevent a security breach. More than half of breaches are the result of known vulnerabilities for which patches are available. A study conducted by ServiceNow and the Ponemon Institute showed that an average of 12 days is lost for every vulnerability patched due to team coordination challenges (Ponemon Institute 2019, Costs and Consequences of Gaps in Vulnerability Response). When vulnerability response is handled with spreadsheets, it’s hard to get up-to-date visibility into the organization’s current risk exposure.

ServiceNow Vulnerability Response workflow: ServiceNow® Vulnerability Response (VR) is an application that helps you respond faster and more efficiently to vulnerabilities, connect security and IT teams, and provide real-time visibility. It connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading vendors (Qualys, Rapid7, Tenable) to give your teams a single platform for a response that can be shared between security and IT.

Intended use
This checklist provides:
- The recommended process for implementing ServiceNow VR to Stage 1 of maturity (as shown in the maturity model below)
- A high-level list of actions for implementing ServiceNow VR, to be completed with the assistance of a ServiceNow partner certified in the SecOps product suite (including training in the Vulnerability Response application) or ServiceNow Expert Services
- An outline of the lessons learned from previous ServiceNow VR implementations and suggestions to avoid common pitfalls, presented as Practitioner Insights

Achieving Stage 1 of maturity, automated prioritization, is the recommended first step to quickly realizing value from ServiceNow VR. The benefits of using a readiness checklist are:
- Faster implementation and time to value
- Awareness of key implementation risks and guidance to avoid them
- Enhanced efficiency and quality of the design to ensure the best possible value from your ServiceNow VR

[Figure: ServiceNow Vulnerability Response stages of maturity]
Step 1: Set your VR vision and outcomes
Your vision, business objectives, and measures of success for vulnerability management drive support from leadership and stakeholders and ensure your implementation creates measurable value. Begin by getting the right people involved and building a good understanding of the capabilities of ServiceNow Vulnerability Response. Then establish a vision of where you want to be after implementation.

Identify the right people and teams. Product and process owners:
- ServiceNow platform team – The ServiceNow platform team will own and maintain ServiceNow VR. Some organizations elect a member or members from the vulnerability response team to own the VR administration duties.
- Vulnerability Response technical administrators – These administrators are responsible for the administration and configuration of ServiceNow VR and third-party vulnerability response applications (like Qualys, Rapid7, and Tenable).
- Vulnerability Response business process owner – This person is responsible for vulnerability response policies and procedures.
- Vulnerability Response analysts – Conduct day-to-day vulnerability response activities, such as assigning remediation activities, tracking remediation progress, and acting as an escalation point for remediation teams.
- Remediation teams – These teams handle the remediation activities, like patching, on identified vulnerabilities.

Key additional stakeholders to involve in planning:
- CISO (or CSO) – Frequently acts as the executive sponsor and must support the implementation for it to be successful.
- Change management team – Provides critical support for the remediation team when working through the change management process to perform remediation.
- ServiceNow Configuration Management Database (CMDB) team – Provides expertise on the setup and maintenance of your ServiceNow CMDB for integration with ServiceNow VR.
Review VR’s features and functionality:
- Read the ServiceNow VR overview on the ServiceNow website. Take note of the features, functionality, and benefits of ServiceNow VR.
- Review the ServiceNow VR product docs. These resources are more technical and provide additional functionality detail.
- Watch the webinar Ask the Experts: Vulnerability Response.

Answer the following questions to generate a clear, measurable definition of your vision and desired business outcomes for vulnerability response:
- What business outcomes do we want to achieve? Many organizations cite one or more of these objectives: a single system of record/action; automated vulnerability assignment and prioritization; improved visibility; greater accountability; increased productivity; risk-based prioritization.
- What current challenge is associated with this outcome? For example, your vulnerability triage is time-consuming and error-prone.
- What problems or obstacles are keeping us from realizing our desired business outcomes? One problem could be that your vulnerabilities are assessed manually, so you often rely on tribal knowledge to determine their correct owner, and some tickets transfer between multiple owners.
- What future state can we envision to realize our desired business outcome? For example, you may envision automating vulnerability assessment, prioritization, and assignment by matching vulnerability items with configuration items from the CMDB and applying risk-based prioritization rules.
- What measurable success criteria can define whether we’ve achieved our desired business outcomes? This might be something like 90% assignment accuracy, with tickets assigned to the right team the first time, within one year of implementing vulnerability management.
Step 2: Assess team readiness
There are many processes involved in implementing ServiceNow VR. It’s important for the people involved in implementation to take advantage of the training ServiceNow offers to learn the terminology, functionality, and technical solutions of ServiceNow VR.

Assess your team’s current state of readiness:
- Identify your project management resources (including a dedicated project manager) to support implementation.
- Confirm that your executive sponsor is committed and fully engaged.
- Find out if the people and teams identified in Step 1 have completed the relevant training:
  - Systems administrators and technical team members who will be involved in the implementation and post-go-live maintenance should complete the ServiceNow Fundamentals, Security Operations Fundamentals, and Vulnerability Response Implementation training before you design.
  - The platform owner, ServiceNow VR product owner, and process owners should complete the ServiceNow Fundamentals and Security Operations Fundamentals training.
- Make sure that your system administrators and developers have access to Now Learning and Now Creators for continued skill development.
- Use the ServiceNow Success Navigator for an additional assessment and action plan to support your readiness.
Step 3: Choose an implementation partner
While you can implement vulnerability management on your own, we strongly advise you to work with a ServiceNow SecOps-certified partner (or ServiceNow Expert Services). There’s no substitute for experience when it comes to ensuring you achieve the desired business outcomes you set in Step 1. Our data shows that customers working with an implementation partner realize value faster than customers that go it alone. It’s critical to pick the right partner: one that has experience with vulnerability management.

Define your strategy for choosing a partner (use the outcomes and team readiness determined in Step 1):
- List the skills, experience, and resources you have and those you need.
- List the ongoing support you expect the partner to provide.
- Document your expectations on outcomes (and include them in the statement of work, if possible).
- Define your performance and success metrics.

Search for candidates:
- If you previously worked with a partner to implement ServiceNow, meet with that partner.
- Consider other subject matter experts, such as your ServiceNow team (product line sales, local alliances) and your peers (take advantage of Now Community).
- Use ServiceNow Partner Finder.

Evaluate your candidates:
- Review their customer satisfaction scores.
- Evaluate their practice and platform experience.
- Look at your partner’s implementation team’s experience: for example, their years of security, ServiceNow SecOps, and ServiceNow implementation experience, ServiceNow certifications, etc.

Practitioner insight: Don’t go it alone. Find a partner with ServiceNow Security Operations experience, not just ServiceNow ITSM experience, as well as expertise in managing organizational change. Make sure to plan 90-, 180-, and 360-day check-ins with your partner to keep things on track and to avoid surprises.
Step 4a: Create a structure for governance
Include implementation governance and post-implementation governance as part of your ServiceNow VR journey. Implementation governance helps you implement successfully, and post-implementation governance helps you achieve long-term success. Your implementation governance team should form your post-implementation governance team.

Create an implementation governance committee:
- Assign your designated ServiceNow platform owner, process owners (vulnerability managers, remediation teams), partner representative, project manager, and other business stakeholders as required. Your executive sponsor should chair this committee.
- Define a meeting cadence, standard agenda, and decision process. In addition to standard project tracking, meetings should include:
  - Project objectives – Clearly identify and prioritize your objectives, such as improvements to process performance, technical usability, etc.
  - A review of your organizational change management (OCM) activities – See Step 4b (next) for OCM plan development.
- Work with your executive sponsor and ServiceNow platform owner to develop a responsibility assignment matrix (RACI) to establish a common, documented understanding of the decision rights for your migration project.
- Make sure that your governance team is prepared to define measures of success for enterprise, security, and operational objectives. These measures of success should come from the goals and metrics discovered in Step 1.

Establish a technical governance subcommittee:
- Assign technical stakeholders, including the staff responsible for support, administration, and integration. Your designated ServiceNow platform owner should chair this subcommittee, supported by your project manager.
- Define a meeting cadence, standard agenda, and decision process. In addition to standard project tracking, meetings should include:
  - Identifying technical obstacles and strategies for resolution
  - Reviewing requests for new ServiceNow VR functionality (note: new functionality should require a business justification process)
- Your technical governance subcommittee should report to your migration governance committee or steering group. Establish the decision rights between your migration governance committee and technical governance subcommittee in a RACI.

Practitioner insight: The governance structure you establish for implementation should set an initial baseline for the governance you’ll need for post-go-live maintenance, especially to manage demand. See our Success Checklist on governance for additional details.
Step 4b: Create a structure for an OCM plan
For effective adoption and long-term success, take OCM activities into consideration throughout your planning and implementation processes. OCM is critically important for implementing ServiceNow VR since many process owners are unlikely to have been involved in the purchase decision and initially may not understand the benefits of moving to new processes and a new vulnerability response application.

Build an OCM plan:
- Make sure you have leadership and executive sponsor support for OCM, including the budget for an OCM program lead and/or ServiceNow expert support. This should also include an explicit definition from leadership of what good OCM looks like for your organization.
- Conduct an initial stakeholder analysis and prepare to update it biweekly. See our Success Checklist on change management* for more details.
- Conduct an OCM readiness assessment* to measure how ready your stakeholders are for the organizational change needed to support ServiceNow VR. Conduct this assessment before your design discussions.
- Based on your readiness assessment, use our Success Checklist to create an OCM plan* and develop an OCM impact analysis and risk assessment.

*Tailor these resources to your use of ServiceNow VR and your business environment.
Step 4c: Review the ServiceNow Implementation Methodology
The ServiceNow Implementation Methodology (SIM), shown below, is the ServiceNow best-practice delivery methodology used by ServiceNow-certified partners and ServiceNow Expert Services to implement ServiceNow products. It’s important to review SIM at the outset of your ServiceNow Vulnerability Response implementation in order to fully understand your role and time commitment in the process.

Review the five stages of SIM:
- Initiate – Define your objectives, collect prerequisite information, and define the key processes for implementation success.
- Prepare – Hold workshops to understand process and platform needs, finalize the engagement timeline, and refine configuration requirements.
- Create – This includes configuration and unit testing.
- Transition – This includes UAT, training, go-live, and post-go-live support.
- Close – The implementation team hands off to the platform maintenance team.
Step 4d: Evaluate your current VR processes
The implementation design process involves multiple teams, collaborative decision-making, and a thorough understanding of your current processes and technical environment. Because of this, your design phase can often take weeks or longer as you collect the necessary information, coordinate the right people, and solidify decisions. The action items in Step 2 help you proactively collect your design-related information and initiate engagement with the required stakeholders. This will enhance and expedite the design process.
Answer the following questions about your current state of VR:
- What is your current vulnerability management team structure? (Select one.)
  - A dedicated team assigned to only vulnerability management responsibilities
  - Team members split between other security operations duties and vulnerability management
  - An internal team running vulnerability management
  - An external or hybrid team running vulnerability management
- How do you handle vulnerability assignment and ownership?
  - Are any existing groups using ServiceNow to perform vulnerability remediation activities, such as patching or system hardening?
  - What logic do you use to assign ownership of remediation efforts, in other words, do you have assignment rule conditions? For example, for Windows Server OS vulnerabilities identified on Exchange servers, would the Windows Server team own remediation?
- What is your vulnerability exception process?
  - Is there a current process by which vulnerability items are deemed “risk accepted” today? This might be, for example, an inability to fix due to its impact on a mission-critical system. Who is the approving authority?
  - How are risk exceptions managed and tracked? For example, are they tracked manually with spreadsheets or with a third-party solution such as a GRC tool?
  - Are there any current processes to handle vulnerabilities or exposures deemed to be false positives?
- What are the required SLA time(s) for addressing and/or closing identified vulnerabilities? How does the SLA differ by severity, in other words, High/Medium/Low?
Step 4e: Assess your integration needs
Document your sources of vulnerability data. ServiceNow VR integrates with leading third-party vulnerability scanning tools (Qualys, Tenable, and Rapid7) to bring identified vulnerabilities into ServiceNow to manage vulnerability response.
- What vulnerability data sources will be integrated with ServiceNow Vulnerability Response? (Select all that apply.)
  - Active vulnerability scanners
  - Passive vulnerability identification tools
  - Flat file reports
- Do you have a copy of the API documentation of your scanning platform?
- Are technical staff available who are familiar with the API and scanning platforms?
- How often will you perform scans? Set a schedule.
- Do you perform a combination of both credentialed and non-credentialed scanning?
- What severity ranges (like low, medium, high, critical) of the identified vulnerabilities do you want within ServiceNow?
- Do you want to see all IP address network ranges identified by your scanning platform within ServiceNow? (That is, those for development, production, internal, DMZ, external.)

Assess your CMDB health. ServiceNow VR uses information from configuration items (CIs) in the ServiceNow CMDB to add business context to vulnerabilities. This information helps prioritize and assign ownership for the remediation of that vulnerability.
- Assess your CMDB management process against ServiceNow CMDB best practices. If you haven’t set up your CMDB, follow the steps in our Success Playbook on using Discovery to populate your CMDB to do so.
- Conduct a CMDB health check.
- Document how your CMDB is currently populated with information:
  - Discovery via network-based tools (if so, what specific tools?)
  - Manual data-gathering efforts
  - Vulnerability scanner(s)
- Determine if there’s an authoritative source for populating the CMDB with information: Discovery, manual data gathering, or vulnerability scanner.
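The two matching steps that the Step 4d and Step 4e questions turn on, CI lookup (which CMDB record does a scanner finding belong to?) and assignment rules (which team owns remediation, including the Exchange example above), are shown here as an added stand-alone example. It is written in JavaScript because ServiceNow server scripts are JavaScript, but it is not ServiceNow code and uses none of the platform’s APIs; the CMDB records, scanner findings, rule names and team names are all constructed for the example.

```javascript
// Added example, not ServiceNow's own code: a stand-alone model of the two
// matching steps a VR design has to define. CI lookup rules decide which CMDB
// record a scanner finding belongs to; assignment rules decide which team owns
// remediation. All names, records and findings below are constructed.

// Constructed CMDB records. ci-003 and ci-004 share an IP address, the kind of
// CMDB hygiene problem a health check is meant to surface.
const CMDB = [
  { sys_id: "ci-001", name: "exch01", fqdn: "exch01.corp.example", ip: "10.0.1.10",
    os: "Windows Server 2019", role: "Exchange" },
  { sys_id: "ci-002", name: "web01", fqdn: "web01.corp.example", ip: "10.0.2.20",
    os: "Ubuntu 22.04", role: "Web" },
  { sys_id: "ci-003", name: "dev-db01", fqdn: "dev-db01.corp.example", ip: "10.0.9.30",
    os: "Windows Server 2016", role: "Database" },
  { sys_id: "ci-004", name: "dev-db01-old", fqdn: "", ip: "10.0.9.30",
    os: "Windows Server 2012", role: "Database" },
];

// CI lookup rules, evaluated in order. The first rule that yields exactly one
// CI wins; more than one hit is reported as ambiguous rather than guessed.
const CI_LOOKUP_RULES = [
  { name: "fqdn", match: (f, ci) => !!f.fqdn && !!ci.fqdn && f.fqdn.toLowerCase() === ci.fqdn.toLowerCase() },
  { name: "hostname", match: (f, ci) => !!f.hostname && f.hostname.toLowerCase() === ci.name.toLowerCase() },
  { name: "ip", match: (f, ci) => !!f.ip && f.ip === ci.ip },
];

function lookupCI(finding, cmdb = CMDB) {
  for (const rule of CI_LOOKUP_RULES) {
    const hits = cmdb.filter((ci) => rule.match(finding, ci));
    if (hits.length === 1) return { status: "matched", rule: rule.name, ci: hits[0] };
    if (hits.length > 1) {
      return { status: "ambiguous", rule: rule.name, ci: null, candidates: hits.map((c) => c.sys_id) };
    }
  }
  return { status: "unmatched", rule: null, ci: null };
}

// Assignment rules, evaluated in ascending order; the first condition that holds
// for the (vulnerability, CI) pair sets the remediation group. This answers the
// Exchange question from Step 4d: OS findings on an Exchange server go to the
// Windows Server team, application findings go to the messaging team.
const ASSIGNMENT_RULES = [
  { order: 100, name: "Exchange application vulnerabilities", group: "Messaging Team",
    when: (vuln, ci) => vuln.category === "application" && ci.role === "Exchange" },
  { order: 200, name: "Windows Server OS vulnerabilities", group: "Windows Server Team",
    when: (vuln, ci) => vuln.category === "os" && /^Windows Server/.test(ci.os) },
  { order: 300, name: "Linux OS vulnerabilities", group: "Linux Platform Team",
    when: (vuln, ci) => vuln.category === "os" && !/^Windows/.test(ci.os) },
];
// Items no rule covers go to the analysts for manual triage instead of guessing.
const TRIAGE_GROUP = "Vulnerability Response Analysts";

function assignGroup(vuln, ci) {
  if (!ci) return { group: TRIAGE_GROUP, rule: null };
  const ordered = [...ASSIGNMENT_RULES].sort((a, b) => a.order - b.order);
  for (const r of ordered) if (r.when(vuln, ci)) return { group: r.group, rule: r.name };
  return { group: TRIAGE_GROUP, rule: null };
}

// Build one vulnerable item (VI) from one scanner finding: lookup, then assign.
function createVulnerableItem(finding, cmdb = CMDB) {
  const lookup = lookupCI(finding, cmdb);
  const assign = assignGroup(finding.vulnerability, lookup.ci);
  return {
    vulnerability: finding.vulnerability.id,
    ci: lookup.ci ? lookup.ci.sys_id : null,
    lookup_status: lookup.status,
    lookup_rule: lookup.rule,
    assignment_group: assign.group,
    assignment_rule: assign.rule,
    needs_triage: lookup.status !== "matched" || assign.rule === null,
  };
}

// Constructed scanner findings; the shape is illustrative, not a vendor format.
const FINDINGS = [
  { fqdn: "exch01.corp.example", ip: "10.0.1.10", vulnerability: { id: "VULN-A", category: "os" } },
  { hostname: "EXCH01", vulnerability: { id: "VULN-B", category: "application" } },
  { ip: "10.0.2.20", vulnerability: { id: "VULN-C", category: "os" } },
  { ip: "10.0.9.30", vulnerability: { id: "VULN-D", category: "os" } },
  { hostname: "ghost99", vulnerability: { id: "VULN-E", category: "os" } },
];

function processFindings(findings = FINDINGS, cmdb = CMDB) {
  return findings.map((f) => createVulnerableItem(f, cmdb));
}

for (const vi of processFindings()) console.log(JSON.stringify(vi));
```

Two design choices are worth copying into a real design: a lookup that finds more than one CI is reported as ambiguous rather than picking one (VULN-D lands on the duplicate IP and goes to triage, which is exactly the CMDB health signal the checklist asks you to measure), and every path that cannot be matched or assigned falls back to a named triage group, so the “unassigned” count used later for reporting is never silently zero.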
Step 5a: Conduct a design workshop
Creating VR workflows consists of three steps: design, build, and test. Your design phase is focused on generating approved and prioritized stories for development in collaboration with vulnerability management process owners. Begin with a formal kickoff meeting to get everyone on the same page.

Conduct a formal kickoff meeting. Include all relevant stakeholders and project team members (including partners and ServiceNow staff). Your executive sponsor should:
- Reiterate the business purpose and objectives of the migration project
- Reinforce your governance model for the project, including an explicit definition of how decisions will be made
- Define the expectations and requirements for all stakeholders and team members involved in the project
Your partner or ServiceNow engagement manager should:
- Introduce your partner and ServiceNow delivery team members
- Walk through the implementation approach and project plan

Practitioner insight: Work to avoid customization. Challenge all requirements for customization using the scorecard method outlined in our Success Playbook on avoiding customization pitfalls.

The design workshop should bring together all relevant stakeholders (identified in Step 1) to: define the future-state vulnerability response process and process workflow you’ll use within the Now Platform; design the high-level solution architecture and integrations; and define configuration requirements in the form of user stories. In addition, use this workshop to determine your reporting and notification needs. ServiceNow VR reporting provides visibility into the vulnerabilities in your environment and the status of your vulnerability response workflows.

Determine your integration requirements – Use the information you collected in Step 2 to:
- Determine the vulnerability data to integrate into ServiceNow Vulnerability Management (for example, all data or a subset of data based on severities, findings from certain network segments, etc.)
- Develop a strategy to integrate third-party vulnerability solutions (Qualys, Tenable, Rapid7, etc.), including a plan for historical data loads
- Work with the ServiceNow CMDB team to make sure the CMDB is up to date with accurate data, and establish CI lookup rules for how vulnerabilities are matched with CIs to aid in remediation

Define future-state Vulnerability Response processes:
- Develop rules for assigning vulnerable items (VIs) and vulnerability grouping to determine how VIs are assigned for remediation
- Design workflows for the vulnerability response lifecycle
- Define risk scoring for VI prioritization
- Detail the exception process and workflows

Select desired reports:
- Review examples of the reports you use today.
- Using the outcomes defined in Step 1, define your group and organizational goals. For example, you may want to remediate critical VIs within the time frame set by policy.
- For each goal, define the question(s) you need answered in order to determine your progress toward that goal. For example: What is the number of critical VIs currently assigned for remediation within policy? How many critical VIs are currently assigned for remediation outside policy? What is the number of critical VIs not assigned and/or outside policy?
- For each question, define the metric(s) you would gather in order to provide a quantitative answer to that question. For example, SLA – Critical Vulnerable Items closed within 5 business days.
- Select or configure the reports you need to provide the metric(s). For example, an SLA report on assigned Critical Vulnerable Items, or a list of unassigned critical vulnerable items showing CI ownership information.
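The three design items above that most often get hand-waved in a workshop, risk scoring for VI prioritization, the exception states asked about in Step 4d (risk accepted, false positive), and the within-policy / outside-policy / unassigned counts for critical VIs against the 5-business-day SLA, are worked through here as an added stand-alone example. It is not ServiceNow’s scoring or reporting code; the weights, rating bands, SLA targets, sample items and approver address are constructed assumptions, and the date arithmetic is plain UTC calendar math.

```javascript
// Added example, not ServiceNow's own code: a stand-alone model of risk-based
// VI prioritization, the exception states, and the policy-SLA counts behind the
// critical-VI questions from the design workshop. The weights, bands, SLA
// targets and sample items are constructed, not ServiceNow's scoring.

const SEVERITY_WEIGHT = { critical: 40, high: 30, medium: 15, low: 5 };
const CRITICALITY_WEIGHT = { "1 - most critical": 40, "2 - somewhat critical": 25,
                             "3 - less critical": 10, "4 - not critical": 0 };
const EXPOSURE_WEIGHT = { external: 20, dmz: 15, internal: 5 };
// Remediation SLA in business days per risk rating (constructed policy).
const SLA_BUSINESS_DAYS = { critical: 5, high: 15, medium: 30, low: 90 };

// Risk score 0-100: scanner severity plus business context taken from the CI.
function riskScore(vi) {
  return Math.min(100, (SEVERITY_WEIGHT[vi.severity] || 0)
    + (CRITICALITY_WEIGHT[vi.ci_criticality] || 0)
    + (EXPOSURE_WEIGHT[vi.ci_exposure] || 0));
}

function riskRating(score) {
  return score >= 80 ? "critical" : score >= 60 ? "high" : score >= 30 ? "medium" : "low";
}

// Due date = opened date plus N business days (weekends skipped, UTC, YYYY-MM-DD).
function addBusinessDays(isoDate, n) {
  const d = new Date(isoDate + "T00:00:00Z");
  for (let left = n; left > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) left--;
  }
  return d.toISOString().slice(0, 10);
}

// Enrich a VI with its score, rating and SLA due date.
function prioritize(vi) {
  const risk_score = riskScore(vi);
  const risk_rating = riskRating(risk_score);
  return { ...vi, risk_score, risk_rating, due: addBusinessDays(vi.opened, SLA_BUSINESS_DAYS[risk_rating]) };
}

// Exceptions: risk acceptance needs a named approver and an expiry so it gets
// re-reviewed; a false positive is closed outright. Both leave the SLA population.
function applyException(vi, exception) {
  if (exception.type === "risk_accepted") {
    if (!exception.approver || !exception.expires) {
      throw new Error("risk acceptance requires an approver and an expiry date");
    }
    return { ...vi, state: "risk_accepted", exception };
  }
  if (exception.type === "false_positive") return { ...vi, state: "false_positive", exception };
  throw new Error("unknown exception type: " + exception.type);
}

// Critical-rated VIs bucketed the way the workshop questions ask for them.
function criticalSlaReport(items, asOf) {
  const r = { open_within_policy: 0, open_outside_policy: 0, unassigned: 0,
              closed_within_policy: 0, closed_outside_policy: 0, excepted: 0 };
  for (const vi of items) {
    if (vi.risk_rating !== "critical") continue;
    if (vi.state === "risk_accepted" || vi.state === "false_positive") r.excepted++;
    else if (vi.state === "closed") {
      if (vi.closed <= vi.due) r.closed_within_policy++; else r.closed_outside_policy++;
    }
    else if (!vi.assignment_group) r.unassigned++;
    else if (asOf <= vi.due) r.open_within_policy++;
    else r.open_outside_policy++;
  }
  return r;
}

// Constructed sample items (dates chosen so that 2024-03-04 is a Monday).
const ITEMS = [
  { id: "VI-1", severity: "critical", ci_criticality: "1 - most critical", ci_exposure: "external",
    opened: "2024-03-04", state: "open", assignment_group: "Windows Server Team" },
  { id: "VI-2", severity: "critical", ci_criticality: "1 - most critical", ci_exposure: "internal",
    opened: "2024-03-08", state: "open", assignment_group: "Linux Platform Team" },
  { id: "VI-3", severity: "high", ci_criticality: "1 - most critical", ci_exposure: "external",
    opened: "2024-03-11", state: "open", assignment_group: null },
  { id: "VI-4", severity: "critical", ci_criticality: "1 - most critical", ci_exposure: "dmz",
    opened: "2024-03-01", state: "closed", closed: "2024-03-07", assignment_group: "Windows Server Team" },
  { id: "VI-5", severity: "critical", ci_criticality: "4 - not critical", ci_exposure: "internal",
    opened: "2024-03-04", state: "open", assignment_group: "Windows Server Team" },
  { id: "VI-6", severity: "critical", ci_criticality: "1 - most critical", ci_exposure: "external",
    opened: "2024-03-04", state: "open", assignment_group: "Messaging Team" },
];

function buildSampleReport(asOf = "2024-03-12") {
  const prioritized = ITEMS.map(prioritize);
  // VI-6 is risk accepted by the CISO with a review date; it drops out of the SLA counts.
  prioritized[5] = applyException(prioritized[5], {
    type: "risk_accepted", approver: "ciso@corp.example", expires: "2024-06-30" });
  return criticalSlaReport(prioritized, asOf);
}

console.log(JSON.stringify(buildSampleReport(), null, 2));
```

Note what the sample shows: VI-5 is a scanner-critical finding on a non-critical CI, so risk-based prioritization drops it out of the critical report altogether, while VI-3 is only scanner-high but sits on an externally exposed, most-critical CI and is promoted into it (and shows up as unassigned). The exception path refuses a risk acceptance with no approver or expiry, which is the control the Step 4d exception questions are really asking about.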
Step 5b: Build and test your VR workflows
Follow an iterative or Agile approach when you build and test, and include unit testing. Once you complete development, run a full set of tests, including user acceptance testing (UAT).

Define your development plan:
- Document and review the stories from your design workshop with process owners. Document your process owners’ approval and agreement that the stories correctly represent the design agreed to in the implementation workshop.
- Prioritize the approved stories based on their contribution to your business objectives and available capacity. Have the migration governance committee you established (Step 4a) approve the prioritization.
- Assign prioritized stories to defined development sprints. Each sprint should have a defined outcome, such as implementing the core incident management process, and should ideally last two weeks.
- Make sure these things happen at the end of each sprint:
  - The process owner demonstrates the functionality built to test the desired outcome and allow for any necessary corrections
  - Your developers conduct unit tests for each story, ideally using the ServiceNow Automated Test Framework, and run a sprint scan through HealthScan to make sure that development has aligned with best practices
  - Your developers report on story completion and test results to your technical governance subcommittee, especially to surface any technical obstacles that may affect additional development

Complete final testing:
- Complete a full suite of tests after you finish development, including a repeat of all unit tests together to confirm functionality for both end-to-end processes and defined user scenarios. Testers (typically process managers and users) need to understand the intended design fully to avoid raising defects for correct functionality.
Step 6: Initiate OCM activities
Perform OCM activities and training in parallel with your design, build, and test activities so they reinforce each other. Make sure your migration project plan includes adequate investment (including ServiceNow experts and/or internal staff) to support OCM and training so you can avoid any lag between your go-live and target adoption.

Practitioner insight: Creating customized content, reviewing and finalizing materials, and preparing internal trainers takes a few weeks at a minimum. Begin planning for training early but defer content creation until the go-live date is near to make sure that the content accurately mirrors the final configuration. For additional details, see our Success Quick Answer on the pitfalls to avoid when training process users.

Prepare for train-the-trainer sessions:
- Assign dedicated internal trainers to your project. ServiceNow experts will provide train-the-trainer sessions to familiarize them with the ServiceNow VR product and support the development of an internal curriculum.
- Identify process managers and frontline users (vulnerability response analysts, remediation teams, etc.) who will be good candidates to lead peer-to-peer training. Don’t select these candidates based solely on their seniority and expertise but also on their ability to influence peers.

Develop training plans for process users:
- Using your internal trainers (and peer-to-peer resources), provide training for the staff involved in related processes. Training should focus on establishing clarity around how new processes work in ServiceNow and how to work effectively with them.
- Deliver your training in modules so process users can focus on the processes most relevant to their day-to-day work.

Plan go-live communications to support adoption:
- Create content for multi-channel communications to announce the go-live.
- Capture and promote quick wins to demonstrate early success. Identify the functionality or features that have wide visibility among process users and end users and that are within scope for implementation. Promote these to drive wider interest in and adoption of ServiceNow.
- Identify ServiceNow champions among your process users who can promote quick wins and influence adoption among peers.
Step 7: Plan your go-live
When you plan your go-live, set your launch date, cutover strategy, support, and transition to “run.”

Plan your go-live support:
- Make sure you have 24/7 support from a designated response team for at least two days after your go-live.
- Task your implementation team with providing hypercare for a period defined by your migration governance committee (typically two weeks) to address any issues or bugs.

Plan your transition to “run”:
- Transition the ownership of support from the implementation team to your internal ServiceNow platform team and ServiceNow VR owner. Most members of your ServiceNow platform team should be on the implementation team and familiar with the system.
- Transition governance to the functions responsible for strategic, portfolio, and technical governance.
- Make sure you have processes in place to intake and manage demand for additional configuration and functionality (including enhancements).
- Make sure you have processes in place for reporting bugs and providing support and resolution.
- Confirm that go-live communications are distributed, and elicit feedback to ensure successful adoption.

Plan your go-live date:
- Your technical governance subcommittee nominates a date based on your technical readiness.
- Your migration governance committee validates or changes this date based on your business readiness criteria, which include:
  - Determining whether enough staff have met the training requirements
  - Assessing the success of your OCM activities and readiness
  - Assessing whether there are any competing issues or priorities that will distract the stakeholders
  - Assessing the readiness of any third parties that support your go-live
- Assess whether there will be operational downtime and plan accordingly.
Step 8: Measure your success and adjust
Assuming you defined clear business and functional objectives before migration, your next step is to make sure you have the right key performance indicators (KPIs) and diagnostic metrics in place to assess your progress against objectives.

Identify (and put tracking in place for) your KPIs and diagnostic metrics:
- Your governance functions (strategic, portfolio, and technical) should make sure that their kickoff agendas include definitions of relevant KPIs (measuring progress towards objectives) and diagnostic metrics (identifying risks to progress).
- Establish a clear line of sight from your business objectives to the KPIs and metrics created at the portfolio and technical level. For example, implementing a specific product or feature may represent a KPI at a technical level that should roll up to a KPI for value realization at a strategic level.
- Keep reporting and communications focused on a small number of KPIs that best reflect progress against your objectives, and include usage/adoption targets. Keep your diagnostic metrics actionable. For more information, see our Success Playbook on KPIs and diagnostic metrics.

Build playbooks that include the actions you can use to respond to any red flags seen in your diagnostic metrics:
- Set thresholds for risk in your diagnostic metrics that should trigger a response.
- Work with your process and service owners to make sure you have the right diagnostic metrics and to develop playbooks.

Build dashboards to visualize your progress and support clear decision-making:
- Create dashboards using the dashboard requirements from your ServiceNow platform owner, service owners, process owners, and executive sponsor and/or senior leaders (established in Step 2).
- See our Success Quick Answer on creating custom dashboards for additional details.
Related sources: ServiceNow Vulnerability Response Implementation Experience, ServiceNow Communities, and partner reference documents.
To learn more about how Your ServiceNow Offshore Partner can help you plan, implement, and manage ServiceNow across the platform, reach out to speak with an expert today!