In this article:
ServiceNow for Vendor Risk Management is available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
What you can do with this integration
If you assess third-party vendors with ServiceNow's Governance, Risk, and Compliance (GRC): Vendor Risk Management plugin, use this app integration to:
- Set minimum cyber security ratings for vendors to maintain.
- Create rules to automatically require remediation by vendors when their grades do not meet your minimum standards.
- Gain insights and context about specific security challenges that vendors should prioritize to maintain your standards.
- Share detailed reports on vendor security issues with SecurityScorecard data and visualizations.
What you need to use the app
- A SecurityScorecard account with a paid plan (See our plans page for more information about levels of features and access.)
- A SecurityScorecard portfolio that contains companies that you want to assess in ServiceNow.
- Administrator permissions in SecurityScorecard, or access to a someone who has these permissions.
- Access to ServiceNow's Governance, Risk, and Compliance (GRC): Vendor Risk Management plugin with at least one of the following roles:
- Vendor risk assessor
[sn_vdr_risk_asmt.vendor_assessor] - Vendor risk manager
[sn_vdr_risk_asmt.vendor_risk_manager]
- Vendor risk assessor
- A role specific to the integration that allows you to see Scorecard data and use related automation features.
[x_sesri_ssc_vrm.user ]
Note: Contact your ServiceNow administrator for access and role assignment.
Install the app
Installation integrates the SecurityScorecard app with ServiceNow.
Note: If you are using Version 1.x of the app, uninstall it before installing a later version to ensure that deprecated features are removed in the update. See release notes for the app.
Take the following steps:
- In ServiceNow, select My Company's Applications under System Applications.
- Click Install for the latest version of SecurityScorecard for Vendor Risk Management.
The installer indicates when the installation is complete and displays the current version number for the app.
Configure the integration
Configuration enables the integration to pull portfolio data from SecurityScorecard so that it can initiate vendor assessment activity. It involves the following actions:
- Creating a bot user with an API token for ServiceNow
- Applying a portfolio ID
- Selecting issue-related settings
- Enabling linking to SecurityScorecard (optional)
- Enable and verify portfolio syncing
Note: After you finish these configuration actions, click Save on the Application Properties tab under SecurityScorecard for Vendor Risk.
Create a bot user with an API token, and apply the token
- Create a SecurityScorecard bot user with an API token.
- In ServiceNow, go to Application Properties under SecurityScorecard for Vendor Risk.
- Paste the API token in the appropriate text box.
Apply a portfolio ID
Take the following steps to identify the SecurityScorecard portfolio to sync with ServiceNow, so that you can assess the Scorecard data for relevant companies.
- In SecurityScorecard, select Portfolios from from the top navigation menu.
- Select the Portfolio that you want for the integration.
- On the portfolio page, copy the numeric portfolio ID from the URL in the navigation bar.
- In ServiceNow, go to the Application Properties tab under SecurityScorecard for Vendor Risk.
- Paste the portfolio ID in the appropriate text box.
- Optional: Enter alternate domain field names if necessary.
Tip: SecurityScorecard uses a company's domain name to identify it for syncing. By default, the integration pulls the company's website in the vendor profile for the domain name. In case the integration cannot find the domain from the website field, you can specify alternate fields, such as Address Book. Ask your ServiceNow admin if you need help with field names.
Configure issue-related settings
Determine how issues related to SecurityScorecard scores affect vendor assessments ServiceNow:
- In ServiceNow, go to the Application Properties tab under SecurityScorecard for Vendor Risk.
- Select a minimum priority level for issue creation.
A ServiceNow rule uses SecurityScorecard score changes to trigger creation of an issue and automatic submission of questionnaires to vendors. Each score drop margin maps to a priority level for the ServiceNow issue.
SecurityScorecard
score drop marginServiceNow issue
priority level81-100 1 (Critical) 61-80 2 (High) 41-60 3 (Moderate) 21-40 4 (Low) 0-20 5 (Minor)
So, if you select 2, any issue with a priority of 1 or 2, will trigger a questionnaire submission. - Enter the number of days to pause sending questionnaires to a vendor with repeating issues.
If a vendor's score drops frequently, this pause duration prevents ServiceNow from sending too many questionnaires to them within a shorter span of time.
Enable linking to SecurityScorecard
Optional
If you want ServiceNow users to link to SecurityScorecard to view more information about vendor scores, enable this option.
In ServiceNow, go to the Application Properties tab under SecurityScorecard for Vendor Risk. Select the Generate URLs... checkbox to enable linking to SecurityScorecard.
Note: Remember to click Save on the Application Properties tab after completing your configuration steps.
Enable and verify syncing
After you complete the configuration steps, enable syncing for relevant companies:
- In ServiceNow, go to the All Vendors tab under Vendors.
- Select a company to enable syncing for.
- In the SecurityScorecard Summary tab for that vendor, select the checkbox to enable syncing.
- Go to the Scheduler and click Execute Now for an initial full sync.
Tip: To initiate a sync at any time to get updates, click Sync Now.
Syncing takes approximately 20 minutes. To verify successful syncing, go to the All Vendors tab under Vendors and see whether synchronization is set to true.
Create automation rules
Automate assessment-related actions triggered by changes in vendor Scorecards:
- In ServiceNow, go to Vendor Risk - Score Based Submission Rules, and click New.
- In the rule creation form, select SecurityScorecard as the provider service.
- Set filter criteria to select vendors that the rule applies to.
- Select Scorecard changes that trigger actions.
- Select the actions that result from the changes.
- Click Submit.
View Scorecard insights for your vendors
Use data and visualizations pulled from SecurityScorecard to enrich your understanding of vendor security issues and inform your assessment actions:
Access Scorecard tabs
Note: Make sure the vendor companies you want to view have been synced between SecurityScorecard and ServiceNow.
-
In ServiceNow, go to the All Vendors tab under Vendors.
-
Select a vendor.
-
On the vendor page, select any SecurityScorecard tab. Learn about these tabs in the following sections.
SecurityScorecard Summary
SecurityScorecard Summary Details
See how 10 security factors influence the vendor's score to understand which aspects of threat management require greater attention. Go to the Issues tab to see specific issue findings associated with each factor.
SecurityScorecard Compliance
See which security issues found by SecurityScorecard are related to compliance framework questions. This provides insight into how your vendor's security issues are impacting their compliance efforts.
Select different frameworks to view using the drop-down list.
SecurityScorecard Issues
View all security issues found by SecurityScorecard for the vendor. See which ones are most prevalent and which have greatest impact on the vendor's score.
Run reports
Generate detailed PDF reports, so that you can share integrated SecurityScorecard data with stakeholders who do not use ServiceNow or SecurityScorecard:
-
In ServiceNow, go to the All Vendors tab under Vendors.
-
Select a vendor.
-
On the vendor page, select the SecurityScorecard Reports tab.
- Select one of the reports to generate.
A notification appears that the report is being generated.
The generated report appears in the table, where you can download it.
Tip: View all reports generated with this integration on the Reports tab under SecurityScorecard for Vendor Risk.
See also
Learn more about SecurityScorecard's ServiceNow for VRM integration:
See detailed guidance about ServiceNow's GRC: Vendor Risk Management plugin.
Get help
If you need help or have questions, submit a Support request.