Implement Service Now Vulnerability Response Implement Service Now

Implement Service. Now Vulnerability Response

Implement Service. Now Vulnerability Response (VR) Introduction An effective vulnerability management program is one of the best ways to prevent a security breach. More than half of breaches are the result of known vulnerabilities that patches are available for. A study conducted by Service. Now and Ponemon Institute showed that an average of 12 days are lost for every vulnerability patched due to team coordination challenges. When vulnerability response is handled with spreadsheets and email, it’s hard to get up-to-date visibility on the organization’s current risk exposure. Service. Now Vulnerability Response workflow: Service. Now® Vulnerability Response (VR) is an application that helps you respond faster and more efficiently to vulnerabilities, connect security and IT teams, and provide real-time visibility. It connects the workflow and automation capabilities of the Now Platform® with vulnerability scan data from leading vendors (Qualys, Rapid 7, Tenable) to give your teams a single platform for response that can be shared between security and IT. 2 © 2020 Service. Now, Inc. All Rights Reserved.

Implement Service. Now VR (Continued) Intended use This checklist provides: Ø The recommended process for implementing Service. Now VR Stage 1 of maturity (as shown in the maturity model below) Ø A high-level list of actions for implementation of Service. Now VR, to be completed with the assistance of a Service. Now partner certified in the Sec. Ops product suite (including training in the Vulnerability application) or Service. Now Expert Services Ø An outline of the lessons learned from previous Service. Now VR implementations and suggestions to avoid common pitfalls through Practitioner Insights Achieving Stage 1 of maturity—automated prioritization—is the recommended first step to quickly realizing value from Service. Now VR. Service. Now Vulnerability Response Stages of Maturity The benefits of using a readiness checklist are: Ø Faster implementation and time to value Ø Awareness of key implementation risks and guidance to avoid them Ø Enhanced efficiency and quality of the design to ensure the best possible value from your Service. Now VR Key steps 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 3 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 1: Set your VR vision and outcomes Your vision, business objectives, and measures of success for Vulnerability Management drive support from leadership and stakeholders and ensures your implementation creates measurable value. Begin by getting the right people involved and build a good understanding of the capabilities of Service. Now Vulnerability Response. Then establish a vision of where you want to be after implementation. Identify the right people and teams q Product and process owners: q Service. Now platform team – The Service. Now platform team will own and maintain Service. Now VR. Some organizations elect a member or members from the vulnerability response team to own the VR administration duties. q Vulnerability Response technical administrators – These administrators responsible for the administration and configuration of Service. Now VR and third-party vulnerability response applications (like Qualys, Rapid 7, and Tenable). q Vulnerability Response business process owner – This person is responsible for vulnerability response policies and procedures. q Vulnerability Response analysts – Conduct day-to-day vulnerability response activities, such as assigning remediation activities, tracking remediation progress, and acting as an escalation point for remediation teams. q Remediation teams – These teams handle the remediation activities, like patching, on identified vulnerabilities. q Key additional stakeholders to involve in planning: q CISO (or CSO) – Frequently acts as the executive sponsor and must support the implementation for it to be successful q Change management team – Provides critical support for the remediation team when working through the change management process to perform remediation q Service. Now Configuration Management Database (CMDB) team – Provides expertise on the setup and maintenance of your Service. Now CMDB for integration with Service. Now VR 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 4 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 1: Set VR vision and outcomes (Continued) Review VR’s features and functionality q Read the Service. Now VR overview on the Service. Now website. Take note of the features, functionality, and benefits of Service. Now VR. q Review the Service. Now VR product docs. These resources are more technical and provide additional functionality detail. q Watch this webinar: Ask the Experts: Vulnerability Response. Answer the following questions to generate a clear, measurable definition of your vision and desired business outcomes for Vulnerability Response: q What business outcomes do we want to achieve? Many organizations often cite one or more of these objectives: q Singe system of record/action q Automated vulnerability assignment and prioritization q Improved visibility q Greater accountability q Increased productivity q Risk-based prioritization q What current challenge is associated with this outcome? For example, your vulnerability triage is time consuming and error prone. q What problems or obstacles are keeping us from realizing our desired business outcomes? One problem could be that your vulnerabilities are assessed manually, so you often rely on tribal knowledge to determine their correct owner, and some tickets transfer between multiple owners. q What future state can we envision to realize our desired business outcome? For example, you may envision automating vulnerability assessment, prioritization, and assignment = by matching vulnerability items with configuration items from the CMDB and risk-based prioritization rules. q What measurable success criteria can define whether we’ve achieved our desired business outcomes? This might be something like 90% assignment accuracy, with tickets are assigned to the right team the first time, within one year of implementing Vulnerability Management. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 5 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 2: Assess team readiness There are many processes involved in implementing Service. Now VR. It’s important for the people involved in implementation to take advantage of the training Service. Now offers to learn the terminology, functionality, and technical solutions of Service. Now VR. Assess your team’s current state of readiness q Identify your project management resources (including a dedicated project manager) to support implementation. q Confirm that your executive sponsor is committed and fully engaged. q Find out if the people and teams identified in Step 1 have completed the relevant training: q Systems administrators and technical team members who will be involved in implementation and post go-live maintenance should complete the Service. Now Fundamentals, Security Operations Fundamentals, and Vulnerability Response Implementation trainings before you design. q The platform owner, Service. Now VR product owner, and process owners should complete the Service. Now Fundamentals and Security Operations Fundamentals trainings. q Make sure that your system administrators and developers have access to Now Learning and Now Creators for continued skill development. q Use the Service. Now Customer Success Center for an additional assessment and action plan to support your readiness. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 6 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 3: Choose an implementation partner While you can implement Vulnerability Management on your own, we strongly advise you to work with a Service. Now Sec. Ops-certified partner (or Service. Now Expert Services). There’s no substitute for experience when it comes to ensuring you achieve the desired business outcomes you set in Step 1. Our data shows that customers working with an implementation partner realize value faster than customers that go it alone. It’s critical to pick the right partner—one that has experience with Vulnerability Management. q Evaluate your candidates q Define your strategy for choosing a partner (Use the outcomes and team readiness determined in Step 1. ) q Review their customer satisfaction scores. q List the skills, experience, and resources you have and those you need. q Evaluate their practice and platform experience. q List the ongoing support you expect the partner to provide. q Look at your partner’s implementation team’s experience. For example, their years of security, Service. Now Sec. Ops and Service. Now implementation experience, Service. Now certification, etc. q Document your expectations on outcomes (and include in the statement of work, if possible). q Define your performance and success metrics. q Search for candidates q If you previously worked with a partner to implement Service. Now, meet with that partner. q Consider other subject matter experts, such as your: q Service. Now team (product line sales, local alliances) q Peers (Take advantage of Now Community) q Use Service. Now Partner Finder 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner Practitioner insight: Don’t go it alone. Find a partner with Service. Now Security Operations experience, not just Service. Now ITSM experience, as well as expertise in managing organizational change. Make sure to plan 90 -, 180 -, and 360 -day check-ins with your partner to keep things on track and to avoid surprises. 5. Design, build, and test VR workflows 4. Plan for implementation 7 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 4 a: Create a structure for governance Include implementation governance and post-implementation governance as part of your Service. Now VR journey. Implementation governance you implement successfully, and post-implementation governance helps you achieve long-term success. Your implementation governance team should form your postimplementation governance team. Create an implementation governance committee Establish a technical governance subcommittee q Assign your designated Service. Now platform owner, process owners (vulnerability managers, remediation teams), partner representative, project manager, and other business stakeholders as required. Your executive sponsor should chair this committee. q Assign technical stakeholders, including the staff responsible for support, administration, and integration. Your designated Service. Now platform owner should chair this subcommittee, supported by your project manager. q Define a meeting cadence, standard agenda, and decision process. In addition to standard project tracking, meetings should include: q Identifying technical obstacles and strategies for resolution q Project objectives – Clearly identify and prioritize your objectives, such as improvements to process performance, technical usability, etc. q Reviewing requests for new Service. Now VR functionality q Note: New functionality should require a business justification process. q A review of your organizational change management (OCM) activities – See Slide 10 (next) for OCM plan development. q Your technical governance subcommittee should report to your migration governance committee or steering group. Establish the decision rights between your migration governance committee and technical governance subcommittee in a RACI. q Work with your executive sponsor and Service. Now platform owner to develop a responsibility assignment matrix (RACI) to establish a common, documented understanding of the decision rights for your migration project. q Make sure that your governance team is prepared to define measures of success for enterprise, security, and operational objectives. These measures of success should come from the goals and metrics discovered in Step 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner Practitioner insight: The governance structure you establish for implementation should set an initial baseline for the governance you’ll need for post go-live maintenance, especially to manage demand. See support on Service. Now Governance for additional details. 5. Design, build, and test VR workflows 4. Plan for implementation 8 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 4 b: Create a structure for an OCM plan For effective adoption and long-term success, take OCM activities into consideration throughout your planning and implementation processes. OCM is critically important for implementing Service. Now VR since many process owners are unlikely to have been involved in the purchase decisions and initially may not understand the benefits of moving to new processes and a new vulnerability response application. Build an OCM plan: q Make sure you have leadership and executive sponsor support for OCM, including the budget for an OCM program lead and/or Service. Now expert support. This should also include an explicit definition from leadership on what good OCM looks like for your organization. q Conduct an initial stakeholder analysis and prepare to update it biweekly. See our resources on change management* for more details. q Conduct an OCM readiness assessment* to measure how ready your stakeholders are for the organizational change needed to support Service. Now VR. Conduct this assessment before your design discussions. Based on your readiness assessment, use our Success Checklist to create an OCM plan* and develop an OCM impact analysis and risk assessment. *Tailor these resources to your use of Service. Now VR and your business environment. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 9 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 4 c: Review the Service. Now Implementation Methodology (SIM—shown below—is the Service. Now best practice delivery methodology used by Service. Now-certified partners and Service. Now Expert Services to implement Service. Now products. It’s important to review SIM at the outset of your Service. Now Vulnerability Response implementation in order to fully understand your role and time commitment in the process. Review the five stages of the Service. Now Implementation Methodology (SIM): Initiate – Define your objectives, collect prerequisite information, and define the key processes for implementation success. Prepare – Hold workshops to understand process and platform needs, finalize the engagement timeline, and refine configuration requirements. Create – This includes configuration and unit testing. Transition – This includes UAT, training, go-live, and post go-live support. Close – The implementation team hands off to the platform maintenance team. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 10 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 4 d: Evaluate your current VR processes The implementation design process involves multiple teams, collaborative decision-making, and a thorough understanding of your current processes and technical environment. Because of this, your design phase can often take weeks or longer as you collect the necessary information, coordinate the right people, and solidify decisions. The action items in Step 2 help you proactively collect your design-related information and initiate engagement with the required stakeholders. This will enhance and expediate the design process. Answer the following questions about your current state of VR q What is your current vulnerability management team structure? (Select one. ) q What is your vulnerability exception process? q A dedicated team assigned to only vulnerability management responsibilities q Team members are split between other security operations duties and vulnerability management q Is there a current process by which vulnerability items are deemed as “risk accepted” today? This might be, for example, an inability to fix due to its impact on a mission-critical system. q An internal team running vulnerability management q Who is the approving authority? q An external or hybrid team running vulnerability management q How are risk exceptions managed and tracked? For example, are they tracked manually with spreadsheets or with a third-party solution such as a GRC tool, etc. ? q How do you handle vulnerability assignment and ownership? q Are any existing groups using Service. Now to perform vulnerability remediation activities, such as patching or system hardening? q Are there any current processes to handle vulnerabilities or exposures deemed to be false positives? q What logic do you use to assign ownership of remediation efforts, in other words, do you have Assignment Rule Conditions? For example, for Windows Server OS vulnerabilities identified on exchange servers, would the Windows Server team own remediation? q What are the required SLA time(s) for addressing and/or closing identified vulnerabilities? How does the SLA differ by severity, in other words, High/Medium/Low? 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 11 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 4 e: Assess your integration needs Document your sources of vulnerability data Service. Now VR integrates with leading third-party vulnerability scanning tools (Qualys, Tenable, and Rapid 7) to bring identified vulnerabilities into Service. Now to manage vulnerability response. q What vulnerability data sources will be integrated with Service. Now Vulnerability Response? (Select all that apply. ) Assess your CMDB health Service. Now VR uses information from configuration items (CIs) in the Service. Now CMDB to add business context to vulnerabilities. This information helps prioritize and assign ownership for the remediation of that vulnerability. q Assess your CMDB management process against Service. Now CMDB best practices. If you haven’t set up your CMDB, follow the steps in our Success Playbook on using Discovery to populate your CMDB to do so. q Active vulnerability scanners q Passive vulnerability identification tools q Flat file reports q Conduct a CMDB health check. q Do you have a copy of the API documentation of your scanning platform? q Document how your CMDB is currently populated with information. q Discovery via network-based tools (if so, what specific tools? ) q Manual data-gathering efforts q Vulnerability scanner(s) q Are technical staff available who are familiar with the API and scanning platforms? q How often will you perform scans? Set a schedule. q Do you perform a combination of both credentialed and non-credentialed scanning? q Determine if there’s an authoritative source for populating the CMDB with information. q What severity ranges (like low, medium, high, critical) of the vulnerabilities identified do q Discovery you want within Service. Now? q Manual data gathering q Vulnerability scanner q Do you want to see all IP address network ranges identified by your scanning platform q Other within Service. Now? (That is, those for development, production, internal, DMZ, external. ) 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 12 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 5 a: Conduct a design workshop Creating VR workflows consists of three steps: design, build, and test. Your design phase is focused on generating approved and prioritized stories for development in collaboration with vulnerability management process owners. Begin with a formal kickoff meeting to get everyone on the same page. Conduct a formal kickoff meeting q Include all relevant stakeholders and project team members (including partners and Service. Now staff). Your executive sponsor should: q Reiterate the business purpose and objectives of the migration project q Reinforce your governance model for the project, including an explicit definition of how decisions will be made q Define the expectations and requirements for all stakeholders and team members involved in the project q Your partner or Service. Now engagement manager should: q Introduce your partner and Service. Now delivery team members q Walk through the implementation approach and project plan Practitioner insight: Work to avoid customization. Challenge all requirements for customization using the scorecard method outlined in our resources on avoiding customization pitfalls. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 13 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 5 a: Conduct a design workshop (Continued) The design workshop should bring together all relevant stakeholders (identified in Step 1) to: define the future state vulnerability response process and process workflow you’ll use within the Now Platform; design high-level solution architecture and integrations; and define configuration requirements in the form of user stories. In addition, use this workshop to determine your reporting and notifications needs. Service. Now VR reporting provides visibility into the vulnerabilities in your environment and the status of your vulnerability response workflows. q Determine your integration requirements – Use the information you collected in Step 2 to: q Determine the vulnerability data to integrate into Service. Now Vulnerability Management, for example, all data or a subset of data based on severities, findings of certain network segments, etc. ) q Develop a strategy to integrate third-party vulnerability solutions—Qualys, Tenable, Rapid 7, etc. —including a plan for historical data loads q Work with the Service. Now CMDB team to make sure the CMDB data is up to date with accurate data and establish CI lookup rules for how vulnerabilities are matched with CIs to aid in remediation. q Define future state Vulnerability Response processes: q Develop rules for assigning vulnerable items (VI) vulnerability grouping to determine how VIs are assigned for remediation. q Select desired reports: q Review examples of the reports you use today. q Using the outcomes defined in Step 1, define your group and organizational goals. For example, you may want to remediate critical VIs within the time frame set by policy. q For each goal, define the question(s) you need answered in order to determine your progress toward that goal. For example, what’s the number of critical VIs currently assigned for remediation within policy? How many critical VIs are currently assigned for remediation outside policy? What’s the number of critical VIs not assigned and/or outside policy? q For each question, define the metric(s) you would gather in order to provide a quantitative answer to that question. For example, SLA – Critical Vulnerable Items closed within 5 business days. q Select or configure the reports you need to provide the metric(s). For example, SLA report on assigned Critical Vulnerable Items or List of unassigned critical vulnerable items showing CI Ownership information. q Design workflows for the vulnerability response lifecycle. q Define risk scoring for VI prioritization. q Detail the exception process and workflows. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 14 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 5 b: Build and test your VR workflows Follow an iterative or Agile approach when you build and test and include unit testing. Once you complete development, run a full set of tests, including user acceptance testing (UAT). Define your development plan Complete final testing q Document and review the stories from your design workshop with process owners. Document your process owners’ approval and agreement that the stories correctly represent the design agreed to in the implementation workshop. q Complete a full suite of tests after you finish development, including: q A repeat of all unit tests together to confirm functionality q UAT for both end-to-end processes and defined user scenarios – Testers (typically process managers and users) need to understand the intended design fully to avoid raising defects for correct functionality. q Prioritize the approved stories based on their contribution to your business objectives and available capacity. Have the migration governance committee you established (Step 4 a) approve the prioritization. q Assign prioritized stories to defined development sprints. Each sprint should have a defined outcome, such as implementing the core incident management process, and should ideally last two weeks. Make sure these things happen at the end of each sprint: q The process owner demonstrates the functionality built to test the desired outcome and allow for any necessary corrections q Your developers conducts unit tests for each story, ideally using Service. Now Automated Test Framework and run a sprint scan through Health. Scan to make sure that development has aligned with best practices q Your developers report on story completion and test results to your technical governance subcommittee, especially to surface any technical obstacles that may affect additional development 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 15 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 6: Initiate OCM activities Perform OCM activities and training should in parallel to your design, build, and test activities so they reinforce each other. Make sure your migration project plan includes adequate investment (including Service. Now experts and/or internal staff) to support OCM and training so you can avoid any lag between your go-live and target adoption. Prepare for train-the-trainer sessions Practitioner insight: Creating customized content, reviewing and finalizing materials, and preparing internal trainers takes a few weeks at a minimum. Begin planning for training early but defer content creation until go-live data is near to make sure that the content accurately mirrors the final configuration. For additional details, see our Success Quick Answer on the pitfalls to avoid when training process users. q Assign dedicated internal trainers to your project. Service. Now experts will provide train-the-trainer sessions to familiarize them with the Service. Now VR product and support the development of an internal curriculum. q Identify process managers and frontline users—vulnerability response analysts, remediation teams, etc. —who will be good candidates to lead peerto-peer training. Don’t select these candidates based solely on their seniority and expertise but also on their ability to influence peers. Plan go-live communications to support adoption q Create content and for multi-channel communications to announce the go-live. Structures for this established in Step 3, Slide 11. Develop training plans for process users q Capture and promote quick wins to demonstrate early success. q Using your internal trainers (and peer-to-peer resources), provide training for the staff involved in related processes. Training should focus on establishing clarity around how new processes work in Service. Now and how to work effectively with them. q Identify the functionality or features that have wide visibility among process users and end-users that are within scope for implementation. Promote these to drive wider interest in and adoption of Service. Now. q Deliver your training in modules so process users can focus on the processes most relevant to their day-to-day work. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner q Identify Service. Now champions among your process users who can promote quick wins and influence adoption among peers. 5. Design, build, and test VR workflows 4. Plan for implementation 16 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 7: Plan your go-live When you plan your go-live, set your launch data, cutover strategy, support, and transition to “run. ” Plan your go-live support Plan your transition to “run” q Make sure you have 24/7 support from a designated response team for at least two days after your go-live. q Transition the ownership of support from the implementation team to your internal Service. Now platform team and Service. Now VR owner. Most members of your Service. Now platform team should be on the implementation team and familiar with the system. q Task your implementation team with providing hypercare for a period defined by your migration governance committee (typically two weeks) to address any issues or bugs. q Transition governance to the functions responsible for strategic, portfolio, and technical governance. Plan your go-live date q Make sure you have processes in place to intake and manage demand for additional configuration and functionality (including enhancements). q Your technical governance subcommittee nominates a date based on your technical readiness. q Make sure you have processes in place for reporting bugs and providing support and resolution. q Your migration governance committee validates or changes this date based on your business readiness criteria, which includes: q Confirm that go-live communications are distributed and elicit feedback to ensure successful adoption. q Determining whether enough staff have met the training requirements q Assessing the success of your OCM activities and readiness q Assessing whethere any competing issues or priorities that will distract the stakeholders q Assessing the readiness of any third parties that support your go-live q Assess whethere will be operational downtime and plan accordingly. 1. Set VR vision and outcomes 2. Assess team readiness 3. Choose an implementation partner 5. Design, build, and test VR workflows 4. Plan for implementation 17 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Step 8: Measure your success and adjust Assuming you defined clear business and functional objectives before migration, your next step is to make sure you have the right key performance indicators (KPIs) and diagnostic metrics in place to assess your progress against objectives. Build playbooks that include the actions you can use to respond to any red flags seen in your diagnostic metrics Identify (and put tracking in place for) your KPIs and diagnostic metrics q Your governance functions—strategic, portfolio, and technical—should make sure that their kickoff agendas include definitions of relevant KPIs (measuring progress towards objectives) and diagnostic metrics (identifying risks to progress). q Set thresholds for risk in your diagnostic metrics that should trigger a response. q Establish a clear line of sight from your business objectives to the KPIs and metrics created at the portfolio and technical level. For example, implementing a specific product or feature may represent a KPI at a technical level that should roll up to a KPI for value realization at a strategic level. q Keep reporting and communications focused on a small number of KPIs that best reflect progress against your objectives and include usage/adoption targets. 2. Assess team readiness 3. Choose an implementation partner Build dashboards to visualize your progress and support clear decisionmaking q Create dashboards using the dashboard requirements from your Service. Now platform owner, service owners, process owners, and executive sponsor and/or senior leaders (established in Step 2). See our Success Quick Answer on creating custom dashboards for additional details. q Keep your diagnostic metrics actionable. For more information, see our resources on KPIs and diagnostic metrics. 1. Set VR vision and outcomes q Work with your process and service owners to make sure you have the right diagnostic metrics and to develop playbooks. 5. Design, build, and test VR workflows 4. Plan for implementation 18 6. Initiate OCM activities 7. Plan go-live 8. Measure success and adjust © 2020 Service. Now, Inc. All Rights Reserved.

Related resources Success Playbook – Essentials for implementation success with Service. Now Success Playbook – Where to start the implementation journey with Service. Now Success Checklist – Build a phased program plan, identify quick wins Now Community – Security Operations—For New Customers Vulnerability Response Product Documentation Success Playbook – Integrate your Tenable. io and Tenable. sc with Service. Now Vulnerability Response Security Operations Value Calculator 19 © 2020 Service. Now, Inc. All Rights Reserved.

Customer Success Best Practices Service. Now’s Best Practice Center of Excellence provides prescriptive, actionable advice to help you maximize the value of your Service. Now investment. Definitive guidance on a breadth of topics Created and vetted by experts Strategic Best practice insights from customers, partners, and Service. Now teams Critical processes Management Expert insights Distilled through a rigorous process to enhance your success Tactical Designed for: Platform owners and teams Practical Actionable Valueadded Expertvalidated Based on thousands of successful implementations across the globe Technical Common pitfalls and challenges Executive sponsors Proven to help you transform with confidence Service and process owners Get started today. Visit Customer Success Center. 20 Contact your Service. Now team for personalized assistance. © 2020 Service. Now, Inc. All Rights Reserved.