The OneTrust Privacy and Data Governance Cloud provides privacy and data governance automation to help organizations better understand their data across the business, meet regulatory requirements, and operationalize risk mitigation to provide transparency and choice to individuals.
$0
per month
ServiceNow Governance, Risk, and Compliance
Score 8.1 out of 10
N/A
ServiceNow Governance, Risk, and Compliance provides the tools businesses use to proactively manage risk by measuring, testing and auditing internal processes. This solution helps business users ensure compliance to regulations, policies, standards and frameworks. It is available via the Standard, Professional, and Enterprise editions, the latter two supporting GRC and internal auditing processes.
I strongly recommend it for general management of personal data privacy programs and risk and contract management, it complies with all major world legislation in addition to being easy and fast. Not recommended for data discovery still requires refinement.
Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.
Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one
Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
Easier way to implement workflow.
Offering better metrics without buying add-on tools.
I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.
We have used a shared hosted tenant managed by OneTrust for over three years with only one instance of a lengthy (4+ hours) unexpected outage which happened years ago.
We selected a European hosting location based on our initial use case, however, our usage of the OneTrust platform has expanded globally to where the majority of users sit in the Americas or Asia-Pacific regions. There is a noticeable lag when navigating the platform for users located far away from the hosting location.
As a user, you can mitigate any sluggish response time by the aggressive use of multiple browser tabs. I commonly have one tab open on an Inventory detail screen, another tab on an Assessment window, and maybe another tab on a customized inventory list screen. If one tab is slow I hop to another tab and work on that tab while the first tab responds.
Both our customer rights access and cookie consent advisors were responsive and helpful in getting us trained on using the platform and the various assets implemented on our website. We had multiple training sessions that were more than enough in getting all of the users on our team familiar with what we needed to do.
It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.
An implementation specialist worked with us remotely during our initial deployment. Due to the diverse geographic locations of my organization's participants, the implementation and training had to be done remotely (this was before COVID-driven remote work).
The implementation specialist was knowledgeable and helpful but to really get full benefit from the platform I encourage organizations to dedicate a specialist within your company to really study and learn the platform.
First, when we compare OneTrust Privacy and Data Governance Cloud to the software I mentioned above, OneTrust Privacy and Data Governance Cloud software was way more affordable than the other 2. Also, along with the other 2 software, OnTrust was one of the most user friendly tool/software we've ever used.
We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.
The platform has exceptional capabilities to customize the user interface, reports, and recorded information. In most cases, the customization can be compartmentalized so that if the customization performed for Department A is determined to not impact Department B, the customization can be hidden from Department B.
We have four different departments using the IT Risk Management module. Three departments share their work in what we call the 'shared data risk management zone'. Another department is using IT Risk Management for a bespoke portfolio risk management task, and the customization for this department is largely hidden from the other departments.
