Integrating scores from risk intelligence providers
Summary of Integrating scores from risk intelligence providers
ServiceNow enables organizations to integrate risk scores from various risk intelligence providers to assess third-party trustworthiness and safety. These providers generate scores similar to personal credit scores, offering valuable insights into third-party risk domains. The integration focuses on third parties rather than specific engagements.
Working with Risk Intelligence Providers
- Register a Provider: Create a record for each risk intelligence provider from whom you will request risk data.
- Set up Provider Services: Specify which scoring or rating services you will use from the provider and map their scores to your internal Third-Party Risk Management (TPRM) ratings.
- Configure Request Types: Define request types to specify how you and your organization will request data from the provider.
- Add Risk Scores: Input raw scores from providers into the corresponding third-party records. These scores are normalized based on the mapping to reflect appropriate TPRM ratings.
- Automate Actions: Use provider-based submission rules to trigger automated responses—such as creating assessments, issues, tasks, or email notifications—when risk intelligence updates are received.
Integration Types and Supported Providers
ServiceNow supports several integration types for enriching third-party risk data:
- Independent Software Vendor (ISV) Integrations: Connect with third-party risk platforms like EcoVadis, BitSight, or Black Kite.
- Content Integrations: Incorporate external content such as regulatory databases and industry standards.
- Data Integrations: Integrate data from financial systems, security tools, or vendor management systems to analyze third-party risk.
- Environmental, Social, and Governance (ESG) Integrations: Include ESG factors in risk assessments.
Examples of ServiceNow-supported providers include:
- Shared Assessments: Industry-standard questionnaires.
- EcoVadis: Sustainability ratings supporting assessments and continuous monitoring.
Examples of partners providing integrations:
- BitSight, Security Scorecard, RiskRecon, Upguard, Recorded Future: Cyber risk ratings and continuous monitoring.
- Black Kite: Technical security, financial risk, ransomware susceptibility, and compliance scores.
- Interos: Multi-domain ratings including cyber, financial, ESG, and geopolitical factors.
- TruSight: Validated third-party risk assessments.
- ISS Corporate Solutions: Cyber risk and ESG ratings for vendor risk management.
- Securitybricks, Templarshield: Automated assessments and questionnaires for specific industries and compliance frameworks.
Practical Benefits for ServiceNow Customers
- Gain a comprehensive, normalized view of third-party risk across multiple domains by integrating external scores and assessments.
- Automate workflows triggered by risk score updates to efficiently manage risk assessments, tasks, and notifications.
- Leverage a broad ecosystem of risk intelligence providers and partners easily accessible through the ServiceNow Store.
- Customize scoring mappings and request types to align external risk data with your organization's TPRM framework.
Risk intelligence providers generate risk scores for a variety of third-party risk domains. Your organization can purchase services from providers that return data that is analogous to personal credit scores. The scores provide insight on how trustworthy and safe a particular third party can be.
Working with data from risk intelligence providers
- After you register a risk intelligence provider, you specify which of the provider's scoring or rating services you’ll use. You also specify how their scores or ratings map to your TPRM ratings. For more information, see Register a risk intelligence provider, Set up a risk intelligence provider service, and Set up a request type for a provider.
- You add a raw score from a provider to the provider service record for a third party. The system uses the mapping that you specified to normalize the value to the appropriate TPRM rating. For more information, see Add a risk intelligence score to risk data for a third party.
- A provider-based submission rule is a set of conditions and actions. In a rule, you can specify that an update to a rating from a risk intelligence provider is the condition that triggers the action that is specified in the rule. The action might be to create and send a third-party risk assessment, issue, task, or email. For more information, see Automate actions upon risk intelligence updates.
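The normalization and rule steps described above, as an added example that is not ServiceNow code: it maps raw scores from two provider services with opposite scales onto one rating scale, then decides whether an update should trigger a rule's actions. The service names, score bands, rating labels and action names are all constructed assumptions.

```javascript
// Added illustration, not ServiceNow code. Service names, bands, ratings and
// action names are constructed assumptions.
const TPRM_ORDER = ["Low", "Moderate", "High", "Critical"]; // best to worst

// One mapping per provider service: inclusive raw-score bands -> TPRM rating.
const SERVICE_MAPPINGS = {
  "cyber-rating-0-100": [ // higher raw score means lower risk
    { min: 90, max: 100, rating: "Low" },
    { min: 70, max: 89, rating: "Moderate" },
    { min: 40, max: 69, rating: "High" },
    { min: 0, max: 39, rating: "Critical" },
  ],
  "financial-risk-1-10": [ // higher raw score means higher risk
    { min: 1, max: 3, rating: "Low" },
    { min: 4, max: 6, rating: "Moderate" },
    { min: 7, max: 8, rating: "High" },
    { min: 9, max: 10, rating: "Critical" },
  ],
};

function normalize(service, rawScore) {
  const bands = SERVICE_MAPPINGS[service];
  if (!bands) throw new Error(`no mapping for service ${service}`);
  if (!Number.isFinite(rawScore)) throw new Error("raw score must be a finite number");
  const band = bands.find((b) => rawScore >= b.min && rawScore <= b.max);
  // A score that falls outside every band (e.g. 89.5) exposes a mapping gap.
  // Fail instead of defaulting to a rating that looks safe.
  if (!band) throw new Error(`raw score ${rawScore} not covered by ${service} mapping`);
  return band.rating;
}

// Rule condition: a score update for rule.service whose normalized rating is new
// or worse than before and at or above rule.minRating. Returns the actions to run.
function evaluateRule(rule, update) {
  if (rule.service !== update.service) return [];
  const rank = (r) => TPRM_ORDER.indexOf(r);
  const after = normalize(update.service, update.newRaw);
  const before = update.previousRaw == null ? null : normalize(update.service, update.previousRaw);
  const worsened = before === null || rank(after) > rank(before);
  if (!worsened || rank(after) < rank(rule.minRating)) return [];
  return rule.actions.map((action) => ({ action, thirdParty: update.thirdParty, rating: after }));
}
```

The decimal-score failure is deliberate: integer bands leave gaps, and a mapping that silently skips a score would leave the third party with a stale rating.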
Integration types
Here are some examples of the types of integrations supported by ServiceNow and ServiceNow partners:
- Independent software vendor (ISV) integration types involve integrating ISV services such as EcoVadis or Black Kite.
- Content integration types involve integrating external content sources such as regulatory databases or industry standards.
- Data integration types involve integrating external data sources to gather and analyze relevant data such as data from financial systems, security tools, or vendor management systems.
- Environmental, social, and governance (ESG) integration types involve incorporating ESG factors into the TPRM process.
Integrations supported by ServiceNow
| Provider | Product name | Content | Service provided | Type |
|---|---|---|---|---|
| Shared Assessments | Standard information-gathering (SIG) questionnaire | Standard assessment | Industry standard questionnaire for use in assessments. | Content |
| EcoVadis | EcoVadis | Sustainability ratings | Sustainability scores in support of assessments and continuous monitoring. | ISV, data, ESG |
Integrations supported by ServiceNow partners
| Provider | Product name | Content | Use case | Type |
|---|---|---|---|---|
| BitSight | BitSight | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Security Scorecard | Security Scorecard | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| RiskRecon | Risk Recon | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Upguard | Upguard Vendor Risk | Cyber risk | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Recorded Future | Recorded Future Intelligence | Cyber risk ratings | Cyber risk scores in support of assessments and continuous third-party risk monitoring. | ISV, data |
| Black Kite | Black Kite | Third-party risk management | Technical security, financial risk, ransomware susceptibility index, and compliance scores in addition to overall security ratings. | ISV |
| Interos | Interos | Supply chain and multiple domain ratings | Cyber, financial, ESG, geopolitical, operations, and restrictions ratings to support risk assessments and monitoring. | ISV, content |
| TruSight | TruSight | Third-party risk assessments | Access to TruSight-validated third-party risk assessments. | ISV |
| ISS Corporate Solutions | ISS ESG Cyber Risk Score for Vendor Risk Management | ESG ratings | Access to a comprehensive view of ISS Corporate Solutions' cyber risk management program through cyber risk and supply chain. | ISV |
| Securitybricks | CMMC - NIST-800-171 - Vendor Compliance Assessment | Template | Access to an automated assessment for Federal organizations. | data, content |
| Templarshield | HECVAT-Questionnaire for Higher Education | Content | Access to an automated questionnaire for Higher education organizations. | ISV, content |