Life science client achieves proactive compliance thanks to Clear Skye, SHAW Data Security, and ServiceNow Integrated Risk Management
Partner: SHAW Data Security
Expertise: Security Operations and Governance, Risk, and Compliance
Target Customers: Public companies operating in highly regulated industries that are looking to make the most of existing security and compliance processes
SHAW Data Security’s client – a medium-sized, public, and global medical life sciences manufacturer – had limited resources to devote to mandatory evidence-gathering and reporting for compliance in the United States, the European Union, and Asia. With regulatory requirements as well as industry standards both increasing in scale and complexity, the client needed a way to automate its audit and compliance reporting processes without adding labor.
Leveraging Clear Skye IGA native to the ServiceNow platform, SHAW Data Security’s client reduced a two-week access review process for Sarbanes-Oxley (SOX) compliance to a matter of minutes with our out-of-the-box alignment with ServiceNow’s Integrated Risk Management solution. The combined solution required no change to the everyday workflow of application managers or auditors. The company is now applying the new automated process to additional business units, products, and locations, collecting and analyzing compliance data in real time. This proactive approach has transformed compliance from a limiting factor to an enabler for the company as it considers acquisition targets and other growth initiatives.
A Complex Compliance Review Process
SHAW Data Security, LLC has more than 20 years of experience in cybersecurity and risk compliance consulting. The firm focuses its efforts on highly regulated industries such as healthcare and life sciences and primarily works with medium-sized public companies who must comply with a range of government regulations as well as industry security standards. These companies are subject to the same mandatory rules and evidence-gathering requirements as multinational enterprises, and they already have compliance processes in place – but with fewer resources than the likes of a Fortune 100 company, they need to do more with less.
For one customer, a medical life sciences manufacturer, compliance was a complicated affair. Sarbanes-Oxley requires companies to prove separation of duties as well as access controls, to ensure that an application administrator isn’t also responsible for auditing. It’s critical to show which roles have access to which parts of the system, and who granted that access, but it’s a tall order: A company with 1,000 employees could have hundreds of thousands of roles within enterprise systems such as SAP or Microsoft Active Directory.
Manual reviews of security and access controls require gathering evidence, sharing information via email and SharePoint, filling out a spreadsheet, and sitting down to look everything over. It’s a time-consuming process that can take two or more weeks, and even the best reviewers are bound to make mistakes.
And it’s not just Sarbanes-Oxley. SHAW Data Security’s customer also has to comply with ISO 27001 standards for information security, privacy regulations such as SOC 2, and reporting requirements for public companies operating in the European Union and Asia. There are also different regulatory requirements for different medical device product lines.
“You need to provide evidence that the audit has happened, and that the right steps have been taken. And it’s something that you need to do every quarter,” said Brian Bailey, Principal at SHAW Data Security. “You may not be the same size as a Coca-Cola or a Walmart, but you’re subject to the same rules. That’s hard for smaller companies. There’s not a lot of labor to throw at it.”
As a ServiceNow Premier partner, SHAW Data Security had already assisted this customer with an implementation of the ServiceNow Integrated Risk Management module for managing SOX compliance. Layering Clear Skye IGA on top of IRM enabled the customer to bring much greater efficiency to compliance reporting.
Automation Enables an Efficient – and Proactive – Approach
By running natively on ServiceNow IRM, Clear Skye IGA provides SHAW Data Security’s customer with a direct connection to SAP, Active Directory, and other enterprise systems where access review is required. The review process is automated, with the customer’s access settings and policies compared directly against SOX requirements. Any gaps, and any actions that need to be taken, are tracked automatically as well.
“Clear Skye allows them to scale and empower the ServiceNow IRM solution by taking the labor and the disruptive steps out of the review process. It integrates with everyone’s workflow and lets them focus on the access review,” Bailey said. “You’re not changing the way that people work. You’re giving them time back to do the work they’re supposed to be doing, and you’re reducing the risk of human error.”
Automated access review enabled by Clear Skye on the Now Platform also sets the stage for a more proactive and continuous approach to compliance, Bailey added.
Instead of manually collecting information for reviews once a quarter, ServiceNow can collect and update this data twice a day. This enables users to automatically collect evidence to demonstrate compliance with SOX, SOC 2 and ISO 27001 – along with HITRUST, the NIST Cybersecurity Framework, and other cybersecurity standards that SHAW Data Security supports in its ServiceNow implementations.
This degree of automation offers three key benefits, Bailey said. First, it provides an at-a-glance view of whether the company is ready for an audit, as well as what steps need to be taken to ensure compliance.
Second, leveraging Clear Skye native to ServiceNow enables the creation of user onboarding and provisioning processes in direct compliance with regulations such as SOX, and with any policy exceptions clearly documented. “Instead of finding problems, you’re preventing them from happening in the first place,” Bailey said.
Third, an efficient, accurate, and extensible review process provides peace of mind for SHAW Data Security’s customer. The cumbersome process of international regulatory compliance is no longer an obstacle for continued growth, and the customer has plans to expand automated access review beyond SOX to products, business units, and locations impacted by additional regulations.
“Automation has changed their perspective,” Bailey said. “Now they’re ready to take the next step.”