Integrated Risk and Compliance
Use Case Guide
Table of Contents
An integrated risk program
Use Case: monitor for critical vulnerabilities and understand the business impact
Use Case: identify and address misconfigurations before they become business risks
Use Case: embed risk and compliance management into the application release and change process
Use Case: monitor HR policy requirements and identify onboarding risks
Use Case: ensure privacy standards are met
Use Case: proactively address third-party issues, including ESG
Use Case: ensure your business program effectively supports your business services
An integrated risk program for 21st century risk and compliance challenges
An integrated risk program

Imagine managing risk (be it digital, IT, compliance, or third-party) across every department and function without slowing down processes or overburdening your team. Picture a scenario where previously siloed processes become part of an integrated risk program that extends across the enterprise. With ServiceNow, you can make this vision a reality.

Everyone knows the risks of regulatory noncompliance and ignoring vulnerabilities. But the threats continue, and they're constantly evolving. Inefficient processes, human error, new initiatives like digital transformation, and unforeseen delays all increase risk. The reality is that, despite best intentions, critical items keep falling through the cracks, and most companies can't even identify what fell through, let alone the potential impact if left unaddressed.

At the same time, complexity keeps growing with each new regulation, process, application, and piece of hardware. It's no surprise that legacy governance, risk, and compliance (GRC) products can't keep up with this growing list of challenges.

To manage risk and compliance in this ever-changing landscape, you need a modern, cloud-based platform that can continuously monitor activities, improve decision-making, and increase performance through automation and AI-powered user experiences. You can work the way you want, with the ability to easily collaborate with other departments and effectively communicate with business users, the CEO, and the board. And user-friendly portals with mobile interfaces make it easy to work anytime and anywhere.

45% of security and IT execs expect a further rise in ransomware attacks. - PwC 2023 Global Digital Trust Insights

19% of breaches occurred because of a compromise at a business partner. - IBM/Ponemon 2022

9% of annual revenue, what exploitable network misconfigurations cost organizations. - Titania 2022
Designed for cloud scale, the Now Platform® lets you share data and automate cross-functional workflows by consolidating enterprise and third-party data using open APIs. ServiceNow Integrated Risk Management (IRM) builds on these platform capabilities, seamlessly embedding risk and compliance activities into everyday business processes so you can automatically collect evidence, quickly assign tasks, and streamline audits. Identify business risks fast through continuous monitoring and risk events, and then easily roll these risks up to an enterprise-wide view. And reduce compliance complexity and turbocharge efficiency with a common control framework that lets you

90% of organizations
Use case: Monitor for critical vulnerabilities and understand the business impact

With legacy solutions, it's an ongoing challenge to manage security vulnerabilities and risk across multiple departments and functions. Someone on the security team may be able to spot a vulnerability due to a missing application patch, but it takes an integrated risk platform to tell you that the vulnerability affects your point-of-sale (POS) system and has the potential to cost millions in lost revenue. An integrated risk management program can help you gauge the associated risk, understand how it compares to all other risks, and track it through to resolution. You can also easily communicate the risk status and potential business impact to upper management.

Imagine a security manager tracking 50 identified vulnerabilities. They might not notice that one patch isn't installed correctly. Maybe a machine is offline when the patch is pushed out, or perhaps the patch depends on other updates to fully address the vulnerability. Whatever the reason, vulnerabilities like these linger unless you have an integrated risk program to identify and enforce the needed security.

Working through ServiceNow Vulnerability Response, ServiceNow IRM collects data from a variety of vulnerability scanners. It identifies outstanding vulnerabilities and prioritizes each one based on severity, the availability of exploits, relative risk (based on a customizable score), and the potential impact on services (based on asset and business insights). Issues are automatically routed to the correct vulnerability manager for immediate resolution, who can choose a prescribed remediation path for a given vulnerability using Vulnerability Solutions Management. Dashboards provide real-time updates to the risk manager and business stakeholders. And decision-makers can easily quantify and manage the overall risk posture of the enterprise.
A risk manager at work

As a risk manager, I'm responsible for monitoring threats on a minute-by-minute basis. I can see on my ServiceNow Risk dashboard that a new critical risk has appeared. Drilling into the alert reveals that the POS system has an unpatched vulnerability and reveals insights into its exploitability. The issue can affect overall system availability and make us vulnerable to fraud or data theft. Without ServiceNow, I would waste time figuring out who should address the issue.

Figure 2: Risk is calculated based on the business impact.
Instead, I can immediately see the correct people responsible for taking action on the security and IT teams. The ServiceNow IRM risk management application also automatically calculates the risk score, taking into consideration the threat and the potential loss if we leave it unaddressed. For this particular threat, the risk score is high, and the calculated average loss expectancy (ALE) is almost $14M. If the calculations were within our predefined risk threshold of $8M, I could accept it. In this case, the level of risk is unacceptable, and I need to act.

I can see this vulnerability has been active for two weeks. By clicking on the indicator's related list, I can also identify which device has the unpatched vulnerability. A combination of continuous risk monitoring capabilities for essential business services and out-of-the-box risk indicators from ServiceNow helped us spot the risk. Looking at my controls list, I can see that
Use case: Identify and address misconfigurations before they become business risks

It's not unusual for IT teams to maintain thousands of different software packages, systems, and devices. While most teams have processes in place to verify configurations, mistakes still happen. A newly installed router might have a password entered in clear text, which leaves it visible. Maybe an access control for a new firewall isn't set up properly, leaving an opening for intruders. Perhaps security isn't configured correctly for an S3 storage bucket in the AWS cloud, leaving sensitive data publicly exposed. Or the user of a device might have admin privileges that allow them to install unauthorized software or change important security settings, leaving an opening for an attacker to gain unrestricted network access.

Standards and external regulatory compliance obligations (for example, SOX, PCI, and ISO) often include elements that attempt to address the business risk of misconfigured software, older protocols, and weak passwords. Enterprises translate these requirements into configuration hardening policies. Too often, however, organizations only identify misconfigurations after an attack. A better approach is to identify misconfigurations before they put your business at risk.

Working through ServiceNow Security Operations Configuration Compliance, you can monitor data from security configuration assessment tools. But you now want to extend ServiceNow IRM continuous monitoring to your configuration hardening policies so that you can identify a failed configuration test result, assess the potential business impact, automatically create an issue, and proactively engage the responsible party to address the weakness before it is exploited.

A compliance manager at work

Several failed controls have popped up on my Policy and Compliance dashboard. Drilling into them, I see that the latest scan by our security configuration assessment tool has spotted misconfigured software.
The data shows multiple Windows servers that don't have the appropriate setting for maximum software password age, meaning there may never be a prompt to change the password, which creates an opportunity for a clever attacker. This could be the result of a software update or new installation.

Figure 4: Continuous monitoring of controls shows the entities affected and identifies any policy exceptions
ServiceNow Security Operations collects scan data and makes it available to IRM Continuous Monitoring. The IRM Configuration Compliance application then matches failed configuration test results to assets in the ServiceNow Configuration Management Database (CMDB). The CMDB shows the business importance of each asset, providing a criticality assessment that is combined with other factors to automatically calculate a risk score used to prioritize failed results.

Figure 5: The Configuration Tests tab shows the source used to collect configuration data

Just like my Policy and Compliance dashboard displayed the failed controls, my IRM Risk dashboard displays the risks associated with these misconfigurations alongside other identified enterprise risks. And the IT manager can see the criticality level of the failed test results on the Configuration Compliance dashboard.

Although I could have had each noncompliant control automatically generate an issue and send it to the IT manager, I would rather review configuration test failures before routing issues to the appropriate person. Because the same control is failing across multiple assets, I've elected to group the issues under a single parent issue with a single remediation task before assigning the group to the IT manager. If this type of issue becomes a common occurrence, I may create a rule to automatically group similar issues under a predefined parent issue to automate the process.

Figure 6: The Configuration Compliance dashboard is dynamically updated based on new test results.

Tech Tip: When you identify several similar issues, use grouping to make tracking easier.

I can then track the parent issue to completion. IT will update the issue, so I will know whether the configuration change will happen during the next update cycle, when the security team or IT will review and approve the change. Each team has visibility into the current status of the change, the next steps, and who is responsible.
When a subsequent scan shows the configuration issue has been remediated (in other words, there is no longer a configuration test failure), the control will again be compliant. When the IT manager closes the parent issue, providing proof that the remediation process was successful, all child issues will also close.
Embed risk and compliance management into the application release and change process

Your organization has hundreds, even thousands, of applications. Managing risk, compliance, and audit for each application is a massive undertaking if risk isn't embedded into the application lifecycle. Applications need to be continuously monitored to identify vulnerabilities quickly. Those that access, store, or process personally identifiable information have to be closely tracked to ensure regulatory compliance and avoid massive penalties. DevOps policies must be followed for in-house applications and audited for compliance. The list goes on.

To successfully manage risk and application sprawl, aligning on a common risk library embedded into your application release and change processes is critical. Together, ServiceNow APM and IRM let you create this alignment, providing an integrated solution that helps risk managers, application owners, development teams, and compliance teams work seamlessly together using a Risk Identification Questionnaire that's completed before the application is released into production. This allows these traditionally siloed teams to collaborate frictionlessly throughout the application's lifespan.

A risk manager at work

It's not a bad start to my day. We're going live today with a major application that many people are eager to learn about. When we first started planning for this new application, the application manager used ServiceNow APM to add the business application to the ServiceNow platform. APM helps manage licensing and maintenance and lets application managers and owners stay on top of the application lifecycle.

Now I've got a notification that the application manager has changed the application state from design to inventory. I always get these types of notifications because IRM and APM work seamlessly together. As part of the process, I work with the application owner to fill out the ServiceNow risk identification questionnaire.
We determine the type of data the application will access, store, or process. IRM uses this information to calculate inherent risk and automatically assign the appropriate controls. Once the application owner attests the controls are in place and working, the system calculates the residual risk. If any risks remain, no matter how low, I'll work with the application owner to create tasks to identify the proper courses of action should any of these risks ever materialize. I can track the risk to this application and other applications at the same time using the Heatmap workbench.

I've implemented a risk assessment for the application. This assessment helps me continuously gather data from the application and IT owner. The assessment uses automated factors, which pull data from tables on the ServiceNow platform, but I could have also included manual factors, which require a manually entered response. Automated factors are continuously updated, so the assessment reflects the current risk to the business.
The leadership team wants to track reputational risk, so I've set up automated factors to monitor CSAT scores. A bad customer experience can affect business. There's one application that consistently stays high risk for reputational scores (bad CSAT scores), even though the other controls are compliant and there are no audit issues. Upon investigation, it looks like this application has had several outages. I'm going to need to bring together the development team and customer service manager to discuss a remediation plan.

Figure 7: Complying with policies doesn't need to slow down development (figure text: "Use approved IP ranges in config files.")

The DevOps team has been working hard and releasing code quickly. The outages are often a result of small data fixes and a few bad coding practices. We need to add policies and controls for the DevOps team alongside the other policies and controls for the application.

The application happens to be updated during the next dev cycle. We can see that the policy we put in place to ensure that developers have access to and are using the right IP ranges in the config files identified a violation. Addressing these issues before customers are affected helps improve customer satisfaction scores.

A single platform that allows application managers, development teams, and risk teams to share data and work together can help reduce the impact of business application development issues and application sprawl.

Tech Tip: Many organizations house their policies on a SharePoint site or other application. Consider moving your policies into ServiceNow so that you can easily associate policies with controls and risks and report on compliance. You can also request policy exceptions. Integration with O365 and Word makes it easy to collaborate, keep policies current, and track versions.
Use case: Monitor HR policy requirements and identify onboarding risks

Your organization. For instance, you might use one system for onboarding and another to manage policies, but the policies don't map back to appropriate controls. And beyond internal policies and best practices, there's a wide range of regulations across the employee journey that can vary greatly from state to state and country to country.

• Is your company subject to local laws regarding pay for unused personal time off?
• Have all appropriate steps been followed during onboarding and termination?
• When was the last time employees confirmed the review of anti-harassment and insider-trading policies?
• Have the appropriate pre-employment background checks been completed?
• How do leave policies vary depending on where an employee resides?
• Have the appropriate policies been followed for whistleblowers, non-discrimination, sexual harassment complaints, and investigations?
• Have you implemented and approved the appropriate policies regarding separation of duty?

Fortunately, there's a relatively simple way to mitigate these risks. With a robust solution like ServiceNow HR Service Delivery working seamlessly in tandem with ServiceNow IRM, you have an integrated risk platform and an additional line of defense. IRM can monitor activity across solutions, automatically alert the appropriate teams when there is a compliance concern, track the concern through resolution, and prove that your organization has adhered to all requirements. The bottom line: our integrated risk platform lets you spend time on people, not processes.

An HR manager at work

As a talent manager, I need to work with my team to ensure that our organization is following all the local regulations and our internal policies. These can vary greatly depending on employee location. In my ServiceNow dashboard, I can view reports specifically configured to help me track our compliance efforts.
In one case, I can see an onboarding risk resulting from an HR task that was closed but never completed. The HR compliance manager is identified, as is the new employee. When I drill into the closed but incomplete task, I see that a new employee (a much-needed account executive) hasn't signed a required NDA as part of the onboarding process, but the hiring manager has signed off on the case. Looking at the risk, I see it could have a significant impact on the business. The account executive is scheduled to start tomorrow. This is in direct violation of our process.

Figure 8: Drag and drop reports into your dashboard so it meets your unique needs.

IRM automatically identified the risk, but I can also see that the HR compliance manager noticed the error. When I look at the compliance manager's attestations, I see they indicated that the new-hire paperwork was not complete.

Figure 9: Attestations allow you to ensure policies are being followed.

When the system identified the risk, it automatically generated an issue and sent it to the HR compliance manager. That person will work with the hiring manager to resolve this before tomorrow. The new employee will see the NDA in their to-do list on the employee portal.

This situation also highlights the fact that we need to do more training for our hiring managers. I'll create a task for the HR compliance manager to schedule a meeting so we can discuss how this happened and modify our process if necessary. The HR compliance manager will create a task for the hiring manager to repeat online training for the hiring process. If I don't see it before our meeting, I'll have the compliance manager create it directly afterward. I'm also going to monitor that the related issue and tasks are closed.

Tech Tip: We follow a similar process to ensure that new employees acknowledge anti-harassment, insider trading, and other policies during the onboarding process. ServiceNow IRM continuously monitors for compliance across all policies and regulations and helps us build a consistent response process that includes an audit trail. The CHRO also has a real-time view of the organization's global risk posture through dynamic dashboards tailored to their needs. And the CHRO can easily share information with other executives and board members, making it simpler for the team to prove compliance.
When the signed document is uploaded, that will clear the violation on my dashboard.
Use case: Ensure privacy standards are met

The General Data Protection Regulation (GDPR) has had an impact on virtually every company in the world with an online presence. Given the GDPR's hefty fines of up to 4% of global annual revenue, companies are taking precautions to ensure compliance. One added benefit is that, by complying, they protect their reputation with customers. However, GDPR isn't the only data protection regulation that organizations must follow. Countries such as Japan, Australia, Brazil, Canada, and the United States have approved similar legislation, adding to the compliance burden.

Figure 10: The growing number of data protection regulations is adding complexity (Data Protection Laws of the World; source: DLA Piper)

At ServiceNow, we take a different approach to compliance that allows you to easily meet all of these different privacy regulations. We identify the applications that touch personal data, gathering supporting evidence while tracking application compliance across functional groups. And we streamline access to critical risk, control, vendor, and security data. The result? You rapidly identify threats, improve efficiency, and protect your customers' sensitive data.

Key ServiceNow privacy protection capabilities include:

• Importing data privacy requirements and descriptions through Policy Management
• Distributing and tracking Data Protection Impact Assessments (DPIAs)
• Executing risk evaluations and managing issues
• Managing audit engagements
• Addressing data subject requirements and requests
• Facilitating Personally Identifiable Information (PII) mapping
• Addressing 72-hour breach notifications
• Managing third-party data privacy compliance
• Addressing Data Protection Officer (DPO) requirements and providing visibility
A data protection officer (DPO) at work

As the Data Protection Officer (DPO), I need to make sure the policy and risk posture of my organization is strong. To do that, I need real-time visibility into security privacy events, risks, and compliance violations that could affect the business. I've built my dashboard with those things in mind.

Figure 11: The data protection officer needs real-time visibility into the security and risk posture of their organization.

One of my dashboard reports shows me data breaches by level of risk, and it indicates there's something I should be acting on. I have 5 major incidents with high risks. By clicking on the report, I can see there are 2 major security incidents in the United States. Drilling into the incidents in New York, I see that one of the incidents is linked to a possible attack on a server. Drilling in further, I see that my team has already analyzed it and tagged it as a privacy concern using the GDPR tag. As part of the workflow, the system automatically emails me and creates a task when the risk is escalated so that it appears on my dashboard.

When an incident is tagged as GDPR, the system automatically generates a new task for Security and IT, informing them of the new risk. I can now drill into more details to find out how this incident occurred and how to prevent it from happening again. I acknowledge that a breach occurred, and once I close my task, the system automatically alerts legal, PR, and other critical response teams. The workflow also includes tasks to execute the data privacy response plan.

A link to the security incident is now part of the record and identifies which business service or entity is affected. In this case, the incident impacts SAP Financial Accounting and involves a third party. I select the vendor and see there is a risk that the vendor may have disclosed confidential information. The risk is calculated as moderate, which is higher than I'd like because my risk appetite is very low. I can also see the mitigating controls. Some are non-compliant, resulting in a moderate risk rating. The controls are common across the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

This incident causes the system to automatically trigger privacy and security assessments, which are sent through the Vendor Risk Management vendor portal. I'll watch for these assessments to come back and keep an eye on the security incident's progress as the responsible security analyst begins triage.

An integrated risk platform can share information quickly between departments, including a complete audit trail to comply with stringent requirements such as the GDPR 72-hour breach notification. Built-in workflows accelerate risk response by automatically generating risks and issues and routing them to the right individuals.

Tech Tip: Different privacy regulations can share many common requirements. Be sure to define a common controls framework so you can test a control once and apply the results to multiple regulations. You can do this either manually or through integration with the Unified Compliance Framework or other content providers from the ServiceNow store.
Use Case: Proactively address third-party issues, including ESG

It's widely accepted that third parties are essential for business success, accelerating time to market, enabling innovation, and reducing costs. But these third-party relationships also represent a major business risk due to the massive business disruptions and reputational damage that can result from exposures. As vendor risk management programs have grown, they have typically focused on a limited range of governance issues such as financial viability and cybersecurity, and even with these risks, many organizations struggle to scale vendor risk management due to lack of visibility and time-consuming manual processes.

Now, organizations are being asked to expand this scope to environmental, social, and governance (ESG) concerns due to both public pressure and recent regulations such as the EU Corporate Sustainability Reporting Directive (CSRD). For example, enterprises are increasingly expected to have a Net Zero strategy, and yet a significant part of a company's carbon footprint often comes in the form of Scope 3 emissions from its third-party suppliers. Similarly, organizations are held accountable for the labor and human rights records of their vendors. With vendor risk management programs already under strain, ESG threatens to push these programs past the breaking point.

ServiceNow transforms the way you manage third-party risks, including ESG. We provide consistent assessment and remediation processes, create transparency and accountability with an integrated view of risks across all your third parties, and reduce effort by automating key supplier risk management processes. And because these capabilities run on the Now Platform®, they work seamlessly with our broader set of integrated risk management capabilities, letting you holistically manage enterprise risk across your entire internal and external value chain.
A third-party risk manager at work

I start every morning in my tailored ServiceNow Third-party Risk Management third-party workspace, where I can get a status overview of all of my suppliers. The retailer I work for has many suppliers, so this makes it easy for me to see how we're doing and identify any issues I need to focus on.

I could look at the performance of my third parties in the performance tab, but I'm really here to look at the risk they pose to our business. I notice that one of our primary merchandise suppliers, ToysCo, has a high risk score. The score was calculated based on the vendor risk assessment and engagement assessment I just sent out. Both of these came back high, even though the combined rating the system has calculated based on my risk intelligence feeds from EcoVadis and Interos shows a moderate risk.

I could look at ToysCo's subsidiaries, but I'm here to look at the issues. I see a high-priority issue was generated from the Human Rights vendor risk assessment that indicates ToysCo's SA8000 certification is no longer current. To get a better understanding of the issue, I click on the details tab.
Figure 12: The dashboard shows the calculated risk score and each risk area

Tech Tip: If you have IRM and Third-party Risk Management, you can tie controls to a specific response to a question on a questionnaire. An incorrect answer will result in a control failure and automatically generate an issue, speeding time to resolution.

If this were a less important issue, I might just create a task for someone to investigate or take a specific action. But this is more important. Since I've got the IRM risk management product, I'm going to create a risk event. I can do this easily using the button in the upper right-hand corner of the screen.

When the dialog box opens, it's already prepopulated with some information. This issue is a critical risk with a financial impact, so I'll make sure that's selected and enter the expected loss, which is $100k. The risk event gets created and assigned to the risk manager at the company as soon as I hit submit. The risk event will also show up automatically in the ESG Management workspace, so our ESG team will know about it.

Grace, the risk manager, sees the new risk event for ToysCo when she navigates to Show Risk Events in her workspace, along with all the information she entered. She checks out the impacted entity and decides to perform a root cause analysis. After assigning the risk to herself, she lists the consequences and any actions already taken. She enriches the risk event by attaching the risk event to a specific
Use case: Ensure your compliance program effectively supports your business services

Behind the curtain that separates the front and back office lies a battalion of systems, processes, and hardware. You'll also find a variety of monitoring tools, tools that create a mountain of data about compliance and security violations. These violations include faulty employee termination processes, unauthorized access to mission-critical or sensitive data, security incidents, unpatched systems, unapproved hardware and software changes, emergency changes, and many others. Combing through this data manually to uncover and prioritize the most critical business risks is a formidable effort.

Without automated processes to ensure compliance, system, process, and hardware owners spend huge amounts of time analyzing data so they can attest that they follow the proper policies. And manual processes create a high risk of errors and issues slipping through the cracks. By using the same integrated, automated ServiceNow risk platform you rely on every day, you can be confident you're capturing the most critical issues while reclaiming thousands of work hours for high-value projects. You're able to easily and confidently prove compliance, and you make providing supporting evidence for audits virtually painless.

An audit manager at work

As an internal auditor, I know from experience that planning is important. Recently, I've been working on my audit plan for the year. The business control owners have completed the risk assessments I sent them, and I've defined the scope of my audit for this year, including PCI and SOX, our SAP Financial Accounting business service, our Linux servers, and server hardening. These are all defined in my Configuration Management Database (CMDB), so scoping them was easy. I don't have a very mature CMDB, but I've made sure the 20 most critical assets, processes, and systems are represented correctly.
Based on the results of my risk assessments, I've decided to begin my audit with the SAP Financial Accounting business service. I can see from my dashboard that I have a compliance violation. Continuous monitoring shows that someone implemented a change without a backout plan. As a result, the system automatically created an issue for the SAP Financial Accounting service owner.

Figure 13: Regular monitoring ensures best practices are being followed.

The service owner decides to delegate the issue using the Assignment group field so a teammate can investigate why this happened. For instance, is there a history with this type of issue, and is there a training opportunity?

After a discussion with the manager of the team responsible for the violation, it turns out the history of the issue goes back just a few weeks. New team members

Tech Tip: As a starting point for populating your CMDB, define a minimum desired state. For example, a common criterion is
An integrated risk program for 21st century risk and compliance challenges

It's a relatively safe bet that the scope and potential impact of security threats will continue to increase, and that the compliance burden will continue to grow with them. On top of that, organizations undergoing a digital transformation face new challenges.

To counter greater risks and increased pressures, you must embed risk management and compliance activities into new digital workflows and ensure various departments and functional areas think and act as one. They must share information more effectively, identify breaches and disruptions before they wreak significant damage, and utilize cross-functional workflows to enforce the required escalation, review, and response activities.

Only an integrated risk program on a common platform can solve this challenge:

• Continuously monitor for risk and compliance across the extended enterprise
• Holistically prioritize risk based on business impact to improve decision making
• Automate repetitive and redundant manual tasks to increase performance

ServiceNow IRM helps make sure you not only comply with new regulations, but also thrive in this new era.

Find out more about how with ServiceNow you can:

• Boost cyber resilience with security, risk, and IT working together
• Use Asset management and IRM – the more you know the lower the risk
• Manage business continuity risk
• Use the risk product portfolio to power your resilience business

Learn more at www.servicenow.com/risk.

© 2024 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.