It starts with integrating your SCA tool with ServiceNow® Security Operations. Pre- built integrations for Qualys and Tenable make setup easier. Data is imported from ServiceNow Vulnerability your SCA tool into ServiceNow, including tests, authoritative sources, and test Response results. Configuration Compliance is Configuration tests: settings or controls that a user enforces on assets (such as part of the ServiceNow password length). These configuration tests are grouped into policies that can be Vulnerability Response modified to meet the needs of every organization. Tests can also be organized by Enterprise Solution, built on the technology, with different versions of configuration tests based on the specific Now Platform®. Designed to technology. help security and IT teams respond faster and more Authoritative sources: these are industry-standard regulations that define known efficiently to incidents and software and hardware configurations. For example, this could encompass security vulnerabilities, using intelligent policies and procedures like PCI DSS. Authoritative sources can also report on workflows, automation, and a compliance to prepare for an audit. deep connection with IT to streamline response. Test results: the results of the configuration tests are imported into ServiceNow. When import is complete, calculations are run to prioritize the results. Prioritize Automatically Failed configuration test results are matched against assets in the ServiceNow® Configuration Management Database (CMDB) to help prioritize using business context. A customizable calculator uses both the severity of the misconfiguration andthe criticality of the affected asset to prioritize test results. With a prioritized list of configuration test failures, you can pinpoint which configuration issues to address first. Then group together failures based on the teams that will address them. Remediate quickly with workflows If remediation requires action from IT, the security analyst can easily create IT change tickets directly from a test result group or associate test results with existing ® change requests in ServiceNow IT Service Management. Remediation target rules define the expected time frame for remediation to see when dates are approaching or past due and ensure all failures are addressed. Alternately, when there are non-critical failures, exceptions can be requested and approved to defer remediation to a future date. Once failures are addressed, a follow-up scan confirms the fix and closes the issue Gain insights and manage risk Quickly see the status of configuration issues with the Configuration Compliance dashboard. Test results from Configuration Compliance can also feed into ® ServiceNow Governance, Risk, and Compliance to monitor risk. Configuration tests can be associated with a GRC policy to generate controls, profiles, and indicators. A test failure means the control is non-compliant, generating a risk issue. When the misconfiguration is remediated, the risk issue is closed automatically. This enables real-time visibility into configuration issues and allows organizations to take a proactive, risk-driven approach. Configuration Compliance works with ® ServiceNow Vulnerability Response for end-to-end assessment, management, and remediation of infrastructure, application, and configuration vulnerabilities. © 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated. servicenow.com