Proofpoint Intelligent Compliance vs. ServiceNow Governance, Risk, and Compliance

Proofpoint Intelligent Compliance is well suited for organizations with a large amount of employees, in my opinion, as they have a lot of options for grouping users in various ways to send specific learning content to them. For a smaller organization, the employees might utilize all of the built-in training videos, phishing simulations, and content more rapidly, which would not justify the pricey cost of the tool.

Incentivized

Oracle EBS R12 requires a unique user skillset to understand how it handles user access and functions. Accordingly, ServiceNow has this high level of sophistication to manage this information and apply it to Sensitive Access and Segregation of Duties rules to identify exceptions. This depth of configuration is critical to accurately identify when Oracle Responsibilities (access) truly allows access and thus could be a violation. ERPs with less complexity may not require this customization of ServiceNow GRC, but you would be wise to raise these questions and examples in the demo to ensure it will work for you. In the past, we have found that risks of under-reporting exceptions or false positives become so voluminous that users don't always get to the accurate violations for timely remediation. Proper configuration up front will improve your effectiveness and ROI down the road.

Incentivized

• Email archiving. Being able to access, on the fly, your entire email archive. Being able to filter by date, sender, attachment, etc. It can get really granular and is able to pull up records fast.
• Targeted Attack Protection for all incoming emails. Having the ability to automatically scan, quarantine, or re-write URLs within emails. Comparing incoming emails to potential phishing attempts already seen by other institutions.
• Email encryption & automatic encryption are based on certain rules set up on the firewall. e.g. automatically encrypt outgoing email if it has an attachment or contains a string of numbers that may be personal information.

Incentivized

• Finding reported by the auditor. GRC helps us identify, assign, and track the resolution of this.
• Exception to information security policy. These require quarterly reviews and setting up reminders to revisit these.
• Building out new projects and baking security and compliance into the project and tracking it in GRC to ensure we deliver a compliant product on day one

Incentivized

• The end-user interface is lacking in appeal/aesthetics and is not that intuitive. I have seen archive solutions that don't work very well have a better interface than this. I think the interface can be prettied up quite a bit.
• The admin interface is lacking in features and is not intuitive. It has more capabilities than the previous archives I've used, but utilizing these features is a little complicated without demos or being walked through it.
• We have had a lot of accounts not map properly. Apparently, there is a limit as to how many errors can be outstanding before you run into issues because all the emails tied to those issues are "queued" waiting for a home (and there is a storage limit for that). I have to set a reminder to check that periodically and resolve the issues manually.

Incentivized

• Delivering more out of the box functionality that rivals other GRC platforms. The bare bones approach may not help companies that do not have expertise or capabilities to build effective GRC processes.
• Easier way to implement workflow.
• Offering better metrics without buying add-on tools.

Incentivized

I'm satisfied with our experience. The configuration was the biggest challenge, but we have moved onto the stage of user training and usability. We would appreciate having better user training documentation and possibly videos and/or computer-based training to help our international users adopt this software for their GRC needs.

Incentivized

It's a good system, but I am awaiting key features in the new release. We hear that ServiceNow is continually adding new features and we look for improved reporting, better Oracle Integration, and user training opportunities. To the extent these materialize, we expect further improvements in our experience with ServiceNow GRC. Until that time, though, we believe we are meeting our objectives expected at the beginning of this project.

Incentivized

We did a bake off and for our particular needs Proofpoint was the right product. We used a matrix with requirements and their product checked all the boxes. Making it a easy decision.

Incentivized

We just recently started using TrustArc for data privacy requests and I can already speak to the fact that TrustArc is a more confusing platform once there. The positives of ServiceNow would be that a majority of our URL's drive to owned websites which our employees are very comfortable with using versus pushing them to another website that feels unsafe.

Incentivized

• Strengthened our staff's Cybersecurity Skills.
• Provided a variety of additional training content that is used throughout the year
• Allowed us to track and monitor which of our users need additional training in regard to Cybersecurity

Incentivized

• Effective Enterprise Risk Management
• Holistic Real-time Monitoring of your technology and Risk
• Negative - Asset Management has some issues and Ghost / Shadow IT is big issue