Problem Statement
Microsoft's Mixed Reality Governance, Risk, and Compliance (GRC) program is currently managed through various ticketing tools, dashboards, and automated workflows. As their processes become more intelligent and agile, they require an integrated and centralized platform to reduce operational overhead and improve efficiency. Since the team uses Common Controls, which play a significant role in efficiently securing information systems, they wanted their information loaded directly into ServiceNow for easier access and visibility. Additionally, they wanted the control framework/regulation changes to be automatically detected in order to ensure that their information is up-to-date and they can avoid adding these changes manually.
Target Stakeholders and Users
Stakeholders:
- Andy Herman, Sponsor
- Logan Shim, Compliance Manager
- Louis Wang & Evan Cottingham, Compliance Engineers
Users:
Our target users are the Mixed Reality GRC program members, who most often rely on the Common Controls data.
Benefits of our Solution
The goal of this project was to populate an integrated, centralized and dynamic platform that makes it easier to manage and access the controls and any changes associated with them. This platform, along with its many features, would benefit the MS team in the following ways:
- Saves time while making information more accessible and manageable.
- Removes the need to keep track of changes to the controls manually.
- Significantly increases the overall efficiency of the GRC program.
- Makes analytics easier with our dashboard tool and keeps the team informed of the latest control frameworks’ data.
- Leads to more discussions and facilitates decision making.
- Helps the MS team remain in compliance with several cybersecurity and privacy controls.
Methodologies
Project Management
For this project, we used the Agile methodology to create a workflow and used the Azure DevOps (ADO) Board to manage our two-week sprints.
Technical Solution
Fig 1: Secure Controls Framework (SCF) Data Import Architecture
Data Source
- Secure Controls Framework (SCF) is a meta framework that maps to over 100 cybersecurity and privacy laws, regulations, and industry frameworks.
- The raw data resides in an Excel spreadsheet located on SCF’s GitHub repo, containing 1006 records and 251 variables. It includes control objective, citation, and authority document information. Each relevant column of this spreadsheet corresponds to one or multiple fields of ServiceNow target tables according to the below ERD diagram. These tables are called “Control Objectives,” “Authority Documents,” and “Citations.”
Fig 2: ERD diagram mapping source data to target fields in ServiceNow
Data Transformation
- We used Google Colab to collaborate on our coding and the R programming language to clean and transform the raw SCF data into a format compatible with ServiceNow target tables.
Data Storage & Management
- We load, map, and import the cleaned data into their target fields in ServiceNow. Relational information between the target tables was established during the import process.
- We also wrote an R script to automatically detect any changes to the raw data, which we then imported into ServiceNow to update the existing records.
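As an added illustration of the change-detection and mapping steps (this is not the team's R script, and it is written in Python), two constructed snapshots of the SCF spreadsheet are diffed by control ID, and only the added or modified rows are split into the three ServiceNow target tables named in the ERD. The column names, sample rows and the scf_id key are assumptions, not the real SCF layout; removed controls are reported separately so they can be reviewed rather than silently dropped.

```python
# Added example, not the project's own code. Column names and rows are constructed.
import csv
import io

OLD_SNAPSHOT = """scf_id,control_objective,citation,authority_document
SCF-1,Maintain an inventory of assets,CC5.3,SOC 2
SCF-2,Restrict privileged access,AC-6,NIST 800-53
SCF-3,Encrypt data at rest,SC-28,NIST 800-53
"""
NEW_SNAPSHOT = """scf_id,control_objective,citation,authority_document
SCF-1,Maintain an inventory of assets,CC5.3,SOC 2
SCF-2,Restrict and log privileged access,AC-6,NIST 800-53
SCF-4,Review audit logs weekly,AU-6,NIST 800-53
"""

def load_records(text, key="scf_id"):
    """Parse CSV text into {key: row}; a duplicate key means the source is malformed."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[key] in records:
            raise ValueError(f"duplicate {key}: {row[key]}")
        records[row[key]] = row
    return records

def diff_records(old, new):
    """Classify records as added, removed, or modified (with the changed columns)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for k in set(old) & set(new):
        changed = {c: (old[k].get(c), new[k][c]) for c in new[k] if old[k].get(c) != new[k][c]}
        if changed:
            modified[k] = changed
    return {"added": added, "removed": removed, "modified": modified}

def to_target_tables(record):
    """Split one SCF row into the three ServiceNow target tables from the ERD,
    keeping scf_id in each so the relationships can be re-established on import."""
    return {
        "Control Objectives": {"scf_id": record["scf_id"], "objective": record["control_objective"]},
        "Citations": {"scf_id": record["scf_id"], "citation": record["citation"]},
        "Authority Documents": {"scf_id": record["scf_id"], "document": record["authority_document"]},
    }

def build_update_set(old_text, new_text):
    """Return the detected changes and the rows that must be (re)imported:
    added records first, then modified ones; removed records are only reported."""
    old, new = load_records(old_text), load_records(new_text)
    changes = diff_records(old, new)
    rows = [to_target_tables(new[k]) for k in changes["added"] + sorted(changes["modified"])]
    return changes, rows
```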
Analytics
- We created a dashboard in ServiceNow to showcase a high-level overview of the imported data and enable further analytics.
Results and Output
Imported Data
After the data was cleaned and transformed, it was imported into ServiceNow with relationships established between the target tables. The above example with citation CC5.3 demonstrates these relationships, evidenced by the fact that each imported record in each table consists of associated information from at least one other table.
Fig 3: Data Import Process
ServiceNow Dashboard
Towards the completion of the project, we created this dashboard to provide a snapshot of the data available on ServiceNow. These reports allow the GRC team to track regulatory compliance information, which can then be used to report the compliance status to the management team.
Fig 4: Reports Available on the Dashboard