More Related Content Similar to vulnerability-response-implementation.pptx Similar to vulnerability-response-implementation.pptx (20) vulnerability-response-implementation.pptx2. 2 © 2021 ServiceNow, Inc. All Rights Reserved.
Implement ServiceNow Vulnerability Response (VR)
Introduction
An effective vulnerability management program is one of
the best ways to prevent a security breach. More than half
of breaches are the result of known vulnerabilities that
patches are available for. A study conducted by ServiceNow
and Ponemon Institute showed that an average of 12 days
are lost for every vulnerability patched due to team
coordination challenges. When vulnerability response is
handled with spreadsheets and email, it’s hard to get up-to-
date visibility on the organization’s current risk exposure.
ServiceNow Vulnerability Response workflow:
ServiceNow® Vulnerability Response (VR) is an application
that helps you respond faster and more efficiently to
vulnerabilities, connect security and IT teams, and provide
real-time visibility. It connects the workflow and automation
capabilities of the Now Platform® with vulnerability scan
data from leading vendors (Qualys, Rapid7, Tenable) to give
your teams a single platform for response that can be
shared between security and IT.
3. 3 © 2021 ServiceNow, Inc. All Rights Reserved.
Implement ServiceNow VR (Continued)
Intended use
This checklist provides:
The recommended process for implementing ServiceNow VR Stage 1 of maturity (as shown in the maturity model below)
A high-level list of actions for implementation of ServiceNow VR, to be completed with the assistance of a ServiceNow partner certified in the SecOps product suite (including
training in the Vulnerability application) or ServiceNow Expert Services
An outline of the lessons learned from previous ServiceNow VR implementations and suggestions to avoid common pitfalls through Practitioner Insights
Key steps
ServiceNow Vulnerability Response
Stages of Maturity
Achieving Stage 1 of maturity—automated prioritization—is the recommended first step to quickly
realizing value from ServiceNow VR.
The benefits of using a readiness checklist are:
Faster implementation and time to value
Awareness of key implementation risks and guidance to avoid them
Enhanced efficiency and quality of the design to ensure the best possible value from your ServiceNow
VR
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
4. 4 © 2021 ServiceNow, Inc. All Rights Reserved.
Your vision, business objectives, and measures of success for Vulnerability Management drive support from leadership and stakeholders and ensures your implementation creates
measurable value. Begin by getting the right people involved and build a good understanding of the capabilities of ServiceNow Vulnerability Response. Then establish a vision of where
you want to be after implementation.
Step 1: Set your VR vision and outcomes
Identify the right people and teams
Product and process owners:
ServiceNow platform team – The ServiceNow platform team will own and maintain ServiceNow VR. Some organizations elect a member or members from the
vulnerability response team to own the VR administration duties.
Vulnerability Response technical administrators – These administrators responsible for the administration and configuration of ServiceNow VR and third-party
vulnerability response applications (like Qualys, Rapid7, and Tenable).
Vulnerability Response business process owner – This person is responsible for vulnerability response policies and procedures.
Vulnerability Response analysts – Conduct day-to-day vulnerability response activities, such as assigning remediation activities, tracking remediation progress, and
acting as an escalation point for remediation teams.
Remediation teams – These teams handle the remediation activities, like patching, on identified vulnerabilities.
Key additional stakeholders to involve in planning:
CISO (or CSO) – Frequently acts as the executive sponsor and must support the implementation for it to be successful
Change management team – Provides critical support for the remediation team when working through the change management process to perform remediation
ServiceNow Configuration Management Database (CMDB) team – Provides expertise on the setup and maintenance of your ServiceNow CMDB for integration with
ServiceNow VR
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
5. 5 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 1: Set VR vision and outcomes (Continued)
Answer the following questions to generate a clear, measurable definition of your vision and desired business outcomes for Vulnerability Response:
What business outcomes do we want to achieve? Many organizations often cite one or more of these objectives:
Review VR’s features and functionality
Read the ServiceNow VR overview on the ServiceNow website. Take note of the features, functionality, and benefits of ServiceNow VR.
Review the VR Success Map to understand the processes and best practices you’ll need to implement and maintain to get maximum value.
Review the ServiceNow VR product docs. These resources are more technical and provide additional functionality detail.
Watch this webinar: Ask the Experts: Vulnerability Response.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
Singe system of record and/or action
Automated vulnerability assignment and prioritization
Improved visibility
Greater accountability
Increased productivity
Risk-based prioritization
What current challenge is associated with this outcome? For example, your vulnerability triage may be time consuming and error prone.
What problems or obstacles are keeping us from realizing our desired business outcomes? One problem could be that your vulnerabilities are assessed manually, so you often rely
on tribal knowledge to determine their correct owner, and some tickets transfer between multiple owners.
What future state can we envision to realize our desired business outcome? For example, you may envision automating vulnerability assessment, prioritization, and assignment by
matching vulnerability items with configuration items from the CMDB and risk-based prioritization rules.
What measurable success criteria can define whether we’ve achieved our desired business outcomes? This might be something like 90% assignment accuracy, with tickets assigned
to the right team the first time, within one year of implementing Vulnerability Management.
6. 6 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 2: Assess team readiness
Assess your team’s current state of readiness
Identify your project management resources (including a dedicated project manager) to support implementation.
Confirm that your executive sponsor is committed and fully engaged.
Find out if the people and teams identified in Step 1 have completed the relevant training:
Systems administrators and technical team members who will be involved in implementation and post go-live maintenance should complete the ServiceNow
Fundamentals, Security Operations Fundamentals, and Vulnerability Response Implementation trainings before you design.
The platform owner, ServiceNow VR product owner, and process owners should complete the ServiceNow Fundamentals and Security Operations Fundamentals
trainings.
Make sure that your system administrators and developers have access to Now Learning and Now Creators for continued skill development.
Use the ServiceNow Customer Success Center for an additional assessment and action plan to support your readiness.
There are many processes involved in implementing ServiceNow VR. It’s important for the people involved in implementation to take advantage of the training ServiceNow offers to
learn the terminology, functionality, and technical solutions of ServiceNow VR.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
7. 7 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 3: Choose an implementation partner
Define your strategy for choosing a partner (Use the outcomes and team readiness
determined in Step 1.)
List the skills, experience, and resources you have and those you need.
List the ongoing support you expect the partner to provide.
Document your expectations on outcomes (and include in the statement of work, if
possible).
Define your performance and success metrics.
Search for candidates
If you previously worked with a partner to implement ServiceNow, meet with that
partner.
Consider other subject matter experts, such as your:
ServiceNow team (product line sales, local alliances)
Peers (Take advantage of Now Community)
Use ServiceNow Partner Finder
While you can implement Vulnerability Management on your own, we strongly advise you to work with a ServiceNow SecOps-certified partner (or ServiceNow Expert Services).
There’s no substitute for experience when it comes to ensuring you achieve the desired business outcomes you set in Step 1. Our data shows that customers working with an
implementation partner realize value faster than customers that go it alone. It’s critical to pick the right partner—one that has experience with Vulnerability Management.
Evaluate your candidates
Review their customer satisfaction scores.
Evaluate their practice and platform experience.
Look at your partner’s implementation team’s experience. For example,
their years of security, ServiceNow SecOps and ServiceNow
implementation experience, ServiceNow certification, etc.
Practitioner insight: Don’t go it alone. Find a partner with ServiceNow Security Operations
experience, not just ServiceNow ITSM experience, as well as expertise in managing
organizational change. Make sure to plan 90-, 180-, and 360-day check-ins with your
partner to keep things on track and to avoid surprises.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
8. 8 © 2021 ServiceNow, Inc. All Rights Reserved.
Create an implementation governance committee
Assign your designated ServiceNow platform owner, process owners (vulnerability
managers, remediation teams), partner representative, project manager, and other
business stakeholders as required. Your executive sponsor should chair this
committee.
Define a meeting cadence, standard agenda, and decision process. In addition to
standard project tracking, meetings should include:
Project objectives – Clearly identify and prioritize your objectives, such as improvements
to process performance, technical usability, etc.
A review of your organizational change management (OCM) activities – See Slide 10 (next)
for OCM plan development.
Work with your executive sponsor and ServiceNow platform owner to develop a
responsibility assignment matrix (RACI) to establish a common, documented
understanding of the decision rights for your migration project.
Make sure that your governance team is prepared to define measures of success for
enterprise, security, and operational objectives. These measures of success should
come from the goals and metrics discovered in Step 1.
Include implementation governance and post-implementation governance as part of your ServiceNow VR journey. Implementation governance you implement successfully, and post-
implementation governance helps you achieve long-term success. Your implementation governance team should form your post-implementation governance team.
Step 4a: Create a structure for governance
Establish a technical governance subcommittee
Assign technical stakeholders, including the staff responsible for support,
administration, and integration. Your designated ServiceNow platform owner should
chair this subcommittee, supported by your project manager.
Define a meeting cadence, standard agenda, and decision process. In addition to
standard project tracking, meetings should include:
Identifying technical obstacles and strategies for resolution
Reviewing requests for new ServiceNow VR functionality
Note: New functionality should require a business justification process.
Your technical governance subcommittee should report to your migration
governance committee or steering group. Establish the decision rights between
your migration governance committee and technical governance subcommittee in a
RACI.
Practitioner insight: The governance structure you establish for implementation should set an
initial baseline for the governance you’ll need for post go-live maintenance, especially to manage
demand. See support on ServiceNow Governance for additional details.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
9. 9 © 2021 ServiceNow, Inc. All Rights Reserved.
For effective adoption and long-term success, take OCM activities into consideration throughout your planning and implementation processes. OCM is critically important for implementing
ServiceNow VR since many process owners are unlikely to have been involved in the purchase decisions and initially may not understand the benefits of moving to new processes and a new
vulnerability response application.
Step 4b: Create a structure for an OCM plan
Build an OCM plan:
Make sure you have leadership and executive sponsor support for OCM, including the budget for an OCM program lead and/or ServiceNow expert support. This should also include
an explicit definition from leadership on what good OCM looks like for your organization.
Conduct an initial stakeholder analysis and prepare to update it biweekly. See our resources on change management* for more details.
Conduct an OCM readiness assessment* to measure how ready your stakeholders are for the organizational change needed to support ServiceNow VR. Conduct this assessment
before your design discussions. Based on your readiness assessment, use our Success Checklist to create an OCM plan* and develop an OCM impact analysis and risk assessment.
*Tailor these resources to your use of ServiceNow VR and your business environment.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
10. 10 © 2021 ServiceNow, Inc. All Rights Reserved.
The Now Create methodology is a proven methodology developed from thousands of ServiceNow implementations. It’s the recommended approach to implementation.
Step 4c: Review the ServiceNow implementation methodology, Now
Create
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
• Understand the business
objectives
• Establish program
governance
• Establish the project team
• Formally kick off the project
Initiate
• Conduct process, platform,
and integration workshops
• Define, review, and prioritize
the product backlog
• Plan the release
• Finalize the project timeline
• Document the test strategy
• Set up the environment
Plan
• Run agile scrum cycles
• Define support processes
and Hypercare approach
• Execute communications and
awareness roadshows
• Plan for UAT and system
testing
Execute
• Perform system testing and
UAT
• Plan the go-live
• Operational Readiness
• Train users
• Go live
Deliver
• Operational handoff
• Hypercare support
• lessons learned
• Measure value and
champion success
• Formally close the project
Close
11. 11 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 4d: Evaluate your current VR processes
What is your current vulnerability management team structure? (Select one.)
A dedicated team assigned to only vulnerability management responsibilities
Team members are split between other security operations duties and vulnerability
management
An internal team running vulnerability management
An external or hybrid team running vulnerability management
How do you handle vulnerability assignment and ownership?
Are any existing groups using ServiceNow to perform vulnerability remediation
activities, such as patching or system hardening?
What logic do you use to assign ownership of remediation efforts, in other words, do
you have Assignment Rule Conditions? For example, for Windows Server OS
vulnerabilities identified on exchange servers, would the Windows Server team own
remediation?
Answer the following questions about your current state of VR
What is your vulnerability exception process?
Is there a current process by which vulnerability items are deemed as “risk
accepted” today? This might be, for example, an inability to fix due to its
impact on a mission-critical system.
Who is the approving authority?
How are risk exceptions managed and tracked? For example, are they
tracked manually with spreadsheets or with a third-party solution such as a
GRC tool, etc.?
Are there any current processes to handle vulnerabilities or exposures
deemed to be false positives?
What are the required SLA time(s) for addressing and/or closing identified
vulnerabilities? How does the SLA differ by severity, in other words,
High/Medium/Low?
The implementation design process involves multiple teams, collaborative decision-making, and a thorough understanding of your current processes and technical environment.
Because of this, your design phase can often take weeks or longer as you collect the necessary information, coordinate the right people, and solidify decisions. The action items in
Step 2 help you proactively collect your design-related information and initiate engagement with the required stakeholders. This will enhance and expediate the design process.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
12. 12 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 4e: Assess your integration needs
Document your sources of vulnerability data
ServiceNow VR integrates with leading third-party vulnerability scanning tools (Qualys, Tenable,
and Rapid7) to bring identified vulnerabilities into ServiceNow to manage vulnerability response.
What vulnerability data sources will be integrated with ServiceNow Vulnerability Response?
(Select all that apply.)
Active vulnerability scanners
Passive vulnerability identification tools
Flat file reports
Do you have a copy of the API documentation of your scanning platform?
Are technical staff available who are familiar with the API and scanning platforms?
How often will you perform scans? Set a schedule.
Do you perform a combination of both credentialed and non-credentialed scanning?
What severity ranges (like low, medium, high, critical) of the vulnerabilities identified do you
want within ServiceNow?
Do you want to see all IP address network ranges identified by your scanning platform within
ServiceNow? (That is, those for development, production, internal, DMZ, external.)
Assess your CMDB health
ServiceNow VR uses information from configuration items (CIs) in the ServiceNow
CMDB to add business context to vulnerabilities. This information helps prioritize
and assign ownership for the remediation of that vulnerability.
Assess your CMDB management process against ServiceNow CMDB best
practices. If you haven’t set up your CMDB, follow the steps in our Success
Playbook on using Discovery to populate your CMDB to do so.
Conduct a CMDB health check.
Document how your CMDB is currently populated with information.
Discovery via network-based tools (if so, what specific tools?)
Manual data-gathering efforts
Vulnerability scanner(s)
Determine if there’s an authoritative source for populating the CMDB with
information.
Discovery
Manual data gathering
Vulnerability scanner
Other
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
13. 13 © 2021 ServiceNow, Inc. All Rights Reserved.
Creating VR workflows consists of three steps: design, build, and test. Your design phase is focused on generating approved and prioritized stories for development in collaboration with
vulnerability management process owners. Begin with a formal kickoff meeting to get everyone on the same page.
Step 5a: Conduct a design workshop
Conduct a formal kickoff meeting
Include all relevant stakeholders and project team members (including partners and ServiceNow staff). Your executive sponsor should:
Reiterate the business purpose and objectives of the migration project
Reinforce your governance model for the project, including an explicit definition of how decisions will be made
Define the expectations and requirements for all stakeholders and team members involved in the project
Your partner or ServiceNow engagement manager should:
Introduce your partner and ServiceNow delivery team members
Walk through the implementation approach and project plan
Practitioner insight: Work to avoid customization. Challenge all requirements for
customization using the scorecard method outlined in our resources on avoiding
customization pitfalls.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
14. 14 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 5a: Conduct a design workshop (Continued)
Determine your integration requirements – Use the information you collected in Step 2
to:
Determine the vulnerability data to integrate into ServiceNow Vulnerability
Management, for example, all data or a subset of data based on severities, findings
of certain network segments, etc.)
Develop a strategy to integrate third-party vulnerability solutions—Qualys, Tenable,
Rapid7, etc.—including a plan for historical data loads
Work with the ServiceNow CMDB team to make sure the CMDB data is up to date
with accurate data and establish CI lookup rules for how vulnerabilities are matched
with CIs to aid in remediation.
Define future state Vulnerability Response processes:
Develop rules for assigning vulnerable items (VI) vulnerability grouping to determine
how VIs are assigned for remediation.
Design workflows for the vulnerability response lifecycle.
Define risk scoring for VI prioritization.
Detail the exception process and workflows.
The design workshop should bring together all relevant stakeholders (identified in Step 1) to: define the future state vulnerability response process and process workflow you’ll use within
the Now Platform; design high-level solution architecture and integrations; and define configuration requirements in the form of user stories. In addition, use this workshop to determine
your reporting and notifications needs. ServiceNow VR reporting provides visibility into the vulnerabilities in your environment and the status of your vulnerability response workflows.
Select desired reports:
Review examples of the reports you use today.
Using the outcomes defined in Step 1, define your group and organizational goals.
For example, you may want to remediate critical VIs within the time frame set by
policy.
For each goal, define the question(s) you need answered in order to determine your
progress toward that goal. For example, what’s the number of critical VIs currently
assigned for remediation within policy? How many critical VIs are currently assigned for
remediation outside policy? What’s the number of critical VIs not assigned and/or
outside policy?
For each question, define the metric(s) you would gather in order to provide a
quantitative answer to that question. For example, SLA – Critical Vulnerable Items closed
within 5 business days.
Select or configure the reports you need to provide the metric(s). For example, SLA
report on assigned Critical Vulnerable Items or List of unassigned critical vulnerable items
showing CI Ownership information.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
15. 15 © 2021 ServiceNow, Inc. All Rights Reserved.
Complete final testing
Complete a full suite of tests after you finish development, including:
A repeat of all unit tests together to confirm functionality
UAT for both end-to-end processes and defined user scenarios – Testers (typically
process managers and users) need to understand the intended design fully to avoid
raising defects for correct functionality.
Step 5b: Build and test your VR workflows
Define your development plan
Document and review the stories from your design workshop with process owners.
Document your process owners’ approval and agreement that the stories correctly
represent the design agreed to in the implementation workshop.
Prioritize the approved stories based on their contribution to your business objectives
and available capacity. Have the migration governance committee you established
(Step 4a) approve the prioritization.
Assign prioritized stories to defined development sprints. Each sprint should have a
defined outcome, such as implementing the core incident management process, and
should ideally last two weeks. Make sure these things happen at the end of each
sprint:
The process owner demonstrates the functionality built to test the desired outcome and
allow for any necessary corrections
Your developers conducts unit tests for each story, ideally using ServiceNow Automated
Test Framework and run a sprint scan through HealthScan to make sure that
development has aligned with best practices
Your developers report on story completion and test results to your technical governance
subcommittee, especially to surface any technical obstacles that may affect additional
development
Follow an iterative or Agile approach when you build and test and include unit testing. Once you complete development, run a full set of tests, including user acceptance testing (UAT).
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
16. 16 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 6: Initiate OCM activities
Prepare for train-the-trainer sessions
Assign dedicated internal trainers to your project. ServiceNow experts will provide
train-the-trainer sessions to familiarize them with the ServiceNow VR product and
support the development of an internal curriculum.
Identify process managers and frontline users—vulnerability response analysts,
remediation teams, etc.—who will be good candidates to lead peer-to-peer training.
Don’t select these candidates based solely on their seniority and expertise but also on
their ability to influence peers.
Develop training plans for process users
Using your internal trainers (and peer-to-peer resources), provide training for the
staff involved in related processes. Training should focus on establishing clarity
around how new processes work in ServiceNow and how to work effectively with
them.
Deliver your training in modules so process users can focus on the processes most
relevant to their day-to-day work.
Perform OCM activities and training should in parallel to your design, build, and test activities so they reinforce each other. Make sure your migration project plan includes adequate
investment (including ServiceNow experts and/or internal staff) to support OCM and training so you can avoid any lag between your go-live and target adoption.
Practitioner insight: Creating customized content, reviewing and finalizing materials, and
preparing internal trainers takes a few weeks at a minimum. Begin planning for training early but
defer content creation until go-live data is near to make sure that the content accurately mirrors
the final configuration. For additional details, see our Success Quick Answer on the pitfalls to
avoid when training process users.
Plan go-live communications to support adoption
Create content and for multi-channel communications to announce the go-live.
Structures for this established in Step 3, Slide 11.
Capture and promote quick wins to demonstrate early success.
Identify the functionality or features that have wide visibility among process users and
end-users that are within scope for implementation. Promote these to drive wider
interest in and adoption of ServiceNow.
Identify ServiceNow champions among your process users who can promote quick wins
and influence adoption among peers.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
17. 17 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 7: Plan your go-live
Plan your go-live support
Make sure you have 24/7 support from a designated response team for at least two
days after your go-live.
Task your implementation team with providing hypercare for a period defined by
your migration governance committee (typically two weeks) to address any issues
or bugs.
When you plan your go-live, set your launch data, cutover strategy, support, and transition to “run.”
Plan your go-live date
Your technical governance subcommittee nominates a date based on your
technical readiness.
Your migration governance committee validates or changes this date based on
your business readiness criteria, which includes:
Determining whether enough staff have met the training requirements
Assessing the success of your OCM activities and readiness
Assessing whether there are any competing issues or priorities that will distract the
stakeholders
Assessing the readiness of any third parties that support your go-live
Assess whether there will be operational downtime and plan
accordingly.
Plan your transition to “run”
Transition the ownership of support from the implementation team to your internal
ServiceNow platform team and ServiceNow VR owner. Most members of your
ServiceNow platform team should be on the implementation team and familiar with the
system.
Transition governance to the functions responsible for strategic, portfolio, and technical
governance.
Make sure you have processes in place to intake and manage demand for additional
configuration and functionality (including enhancements).
Make sure you have processes in place for reporting bugs and providing support and
resolution.
Confirm that go-live communications are distributed and elicit feedback to ensure
successful adoption.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
18. 18 © 2021 ServiceNow, Inc. All Rights Reserved.
Step 8: Measure your success and adjust
Identify (and put tracking in place for) your KPIs and diagnostic metrics
Your governance functions—strategic, portfolio, and technical—should make sure that
their kickoff agendas include definitions of relevant KPIs (measuring progress towards
objectives) and diagnostic metrics (identifying risks to progress).
Establish a clear line of sight from your business objectives to the KPIs and metrics created
at the portfolio and technical level. For example, implementing a specific product or feature
may represent a KPI at a technical level that should roll up to a KPI for value realization at a
strategic level.
Keep reporting and communications focused on a small number of KPIs that best reflect
progress against your objectives and include usage/adoption targets.
Keep your diagnostic metrics actionable. For more information, see our resources on KPIs
and diagnostic metrics.
Assuming you defined clear business and functional objectives before migration, your next step is to make sure you have the right key performance indicators (KPIs) and diagnostic metrics
in place to assess your progress against objectives.
Build playbooks that include the actions you can use to respond to any red flags seen in your
diagnostic metrics
Set thresholds for risk in your diagnostic metrics that should trigger a response.
Work with your process and service owners to make sure you have the right diagnostic
metrics and to develop playbooks.
Build dashboards to visualize your progress and support clear decision-making
Create dashboards using the dashboard requirements from your ServiceNow platform
owner, service owners, process owners, and executive sponsor and/or senior leaders
(established in Step 2). See our Success Quick Answer on creating custom dashboards
for additional details.
1. Set VR vision and
outcomes
2. Assess team
readiness
3. Choose an
implementation
partner
5. Design, build,
and test VR
workflows
6. Initiate OCM
activities
7. Plan go-live
8. Measure success
and adjust
4. Plan for
implementation
19. 19 © 2021 ServiceNow, Inc. All Rights Reserved.
Related resources
Success Playbook – Where to start the implementation journey with ServiceNow
Success Checklist – Build a phased program plan, identify quick wins
Now Community – Security Operations—For New Customers
Vulnerability Response Product Documentation
Success Map – Vulnerability Response
Security Operations Value Calculator
20. 20 © 2021 ServiceNow, Inc. All Rights Reserved.
Customer Success Best Practices
ServiceNow’s Best Practice Center of Excellence provides prescriptive, actionable advice to help you
maximize the value of your ServiceNow investment.
Get started today. Visit Customer Success Center. Contact your ServiceNow team
for personalized assistance.
Definitive guidance on a
breadth of topics
Management Technical
Tactical
Strategic
Critical
processes
Expert
insights
Common
pitfalls and
challenges
Created and vetted
by experts
Distilled through a
rigorous process to enhance
your success
Based on thousands of successful
implementations
across the globe
Best practiceinsights
from customers, partners,
and ServiceNow teams
Proven to help you transform
with confidence
Practical Actionable
Value-
added
Expert-validated
Designed for:
Executive
sponsors
Platform
owners
and teams
Service
and process
owners
Editor's Notes ServiceNow customers aspire to exceptional business outcomes. They expect not only great products, but prescriptive guidance and insight to accelerate their journey to value. ServiceNow’s Best Practice Center of Excellence delivers this guidance through our Customer Success Center, a free resource available to all our customers and partners.
On the CSC, you’ll find best practices answering top customer questions on a range of topics from how to define your strategic roadmap to tactical questions like how to assess CMDB health. We comprehensively answer technical and management questions, whether you want to know how to manage customization or how to build your ServiceNow team. No matter what your role is, you’ll find resources that save you time and money.
We create these insights by working with ServiceNow experts from customers, partners, and our own teams. Think of these resources as the collective advice of the ServiceNow ecosystem, extending the power to your team. Customers like you are using these practical, actionable resources to save time and give them decision-making confidence.
I invite you visit the Customer Success Center today. Let’s make a plan on how you and your team can use it on your journey.