Upgrade: Helsinki

ServiceNow Tech Support: GRC in Helsinki and Beyond

The Rapid Growth of GRC Tools

Risk and compliance software systems have been in the news quite a bit lately. If you were standing in line at the Delta Airlines counters last week or spent days stranded during the Southwest Airline’s router failure the week before, you know why.

It’s perhaps because of these high-profile security back-up failures that GRC platforms and software tools have seen extraordinary growth in the past few years. According to PR Newswire, new GRC platform sales will increase nearly 10% every year through 2018.

New GRC Features in the ServiceNow Helsinki Release 

This rise in GRC budgets mean that technology companies, including ServiceNow, are paying more and more attention to the GRC offerings, and rolling out more features and functionality to meet their Security customers’ needs.

In addition to improved Customer Service Management (CSM) and Performance Analytics tools, ServiceNow’s May Helsinki update embedded a host of new tools to their GRC and Security Operations offering. These include; new threat intelligence and vulnerability response capabilities, as well as new built-in workflows and business impact scoring, all aimed at allowing your Security team to analyze and quickly respond to incidents in your environment.

Underscoring the rapid change in GRC products, the Helsinki update replaces several features from the Fuji update in October 2015. (For those keeping score, any GRC features that predate the May 2016 Helsinki update are now officially called “Legacy GRC” in NOW nomenclature.)


ServiceNow’s new GRC Products

Helsinki offers three primary GRC-related products:

  • Policy and Compliance Management
  • Risk Management
  • Audit Management

While some of the legacy GRC components have been incorporated into these products, many new capabilities are now included. Here are some of them:

1.    New plugins

Here’s a list of the new plugins available in the Helsinki release:

Plugin Name      ID Description
Data Certification com.snc.certification_v2 The Data Certification plugin provides tools for checking data gathered by ServiceNow for accuracy and compliance. This plugin includes certification filters, schedule, planning and overview.
Risk Management$ com.sn_risk Risk Management allows the definition, criterion and documentation of risks and helps correlate them with policies that avoid or mitigate those risks.
Audit Management$ com.sn_audit The Audit Management features help organizations prepare for and execute compliance audits in accordance with guidelines of governing bodies, and encompasses auditing definitions, test and tasks, walk-throughs and reporting.
Certification Core * com.snc.certification_core The Unified Compliance Framework plugin enables tools to facilitate the capture of authoritative documentation, including controls and citations.
UCF Import com.snc.ucf_import_add_on The UCF Import mines controls and documents from authoritative sources
Assessment (Core) * com.snc.assessment_core


Assessment Core and Certification Core are shared component plugins that augment the compliance tool set with test and certifications tools and utilities, offering survey tools for Assessment type and control test definitions.

(*) Dependency. Not installed separately.

($) Requires separate subscription.

2.  New Vulnerability Response, Analytics and optional integrations

With this update, ServiceNow provides a flexible set of tools for detecting and managing IT vulnerability via the Vulnerability Response plugin. This feature opens the door to vulnerability management by allowing the user to compare attributes of configuration items (CIs) in your configuration against authoritative data from sources like the National Vulnerability Database. Using this data, your team can quickly identify known weaknesses so that they may be contained.

Vulnerability Response also offers a new reporting tool available for visualizing vulnerabilities in your network which you can access by installing the Vulnerability Analytics plugin. This product is designed to be extensible, and as such opens the door to any number of custom or available vulnerability management integrations.

3. New compliance certifications

Based on your organization’s needs, the new Helsinki release allows you to choose from two types of compliance certification options:

  • Data Certification provides tools to automatically retrieve and compare values in selected records within your instance against desired values and/or ranges to ensure that these data are compliant.
  • Architecture Compliance in contrast, allows you to set up comparators to validate the configuration items (CIs) inside your Configuration Management Database (CMDB). For example, you may want to verify that sufficient space is provided or specific storage devices or ensure that the necessary software versions are installed on some machines.

Legacy GRC included a few tables which are no longer available and/or have been reincorporated as more refined features. Risk Approach Rules, for example, are not used in the new compliance framework.

4. Security Incident and Response plugin

The revised Security Incident and Response plugin provides a step-by-step User Interfaces (UIs) to assist with the creation and management of security incidents such as fraud, theft or policy violation or potential criminal activity. (For those familiar with the Geneva release, this plugin was released as part of the vulnerability management feature set.)

Overall, with the new ServiceNow GRC platform, you now have more embedded security tools in ServiceNow, giving you more seamless threat monitoring and response capabilities to keep up with ever-increasing threats such as ransomware, phishing, and hacking.

What You Lose in Helsinki’s GRC – Plugins

With all the new features and functionality in Helsinki, some of the now-legacy elements have been removed from the current version. Specifically, ServiceNow deprecated a few plugins for new activations and cannot be installed on Helsinki directly. In fact, even if you have them installed, these GRC plugins no longer show up in the plugins list.

Rather than leveraging a plugin solution, you will now have to install the new GRC related ‘products,’ and potentially update your licensing to use them.

Here’s a list of the old plugins that are no longer available in Helsinki:

Plugin Name ID Description
IT Governance, Risk and Compliance (ITGRC) com.snc.governance Fuji GRC solution
Governance, Risk, and Compliance Core * com.snc.governance_core


Components to support GRC: Planned Tasks, Managed Document support
Certification Core * com.snc.certification_core Certification functionality used to gain compliance
Assessment (Core) * com.snc.assessment_core


Survey tools for Assessment type Control Test Definitions

(*) Dependency. Not installed separately.

If you installed GRC features from the Fuji or Geneva versions and upgraded to Helsinki you can continue using those plugins, though you might face some challenges as you look to upgrade to some of the newer Helsinki options (we will deal with some suggestions on how to make that happen in a future blog._

If you need a custom integration, or help configuring your compliance, risk or vulnerability offering, contact Acorio to obtain expert assistance with these products.











Editor’s note: The goal of our blog is to provide our readers with a variety of types of content, from deep-dives and thought leadership, to ideas on how to optimize your ServiceNow instance. Our ServiceNow Tech Support section is designed to offer specific technical recommendations on how best to use current ServiceNow features.

Do you have an item you would like our ServiceNow Tech Support blog to address? Email us now at: