AddressTitle:ServiceNow Process SME
Duration: 2 Years
Location: Remote
Description:
The Contractor shall provide all labor, and material required to plan and facilitate this Professional Services Request for a ServiceNow Process SME for Integrated Risk Management (IRM) Buildout and Cybersecurity Risk Management Queue Optimization to Support NIST Risk Management Framework Implementation.
The contractor will be responsible for initiating and executing an independent project focused on the assessment of the existing cybersecurity risk assessment process at SMUD's ; the current methodology of ServiceNow Cybersecurity Risk ticket assignment, ticket types, ticket prioritization, processing times, and assessing the average level of effort (i.e. # of hours, collaboration with stakeholders internal or external to SMUD's ) required to resolve/close tickets. This assessment will also examine the current assignment workflow within SMUD's 's existing ServiceNow deployment with a focus on optimization/refinement of the existing process, as well as helping to establish realistic processing expectancies for stakeholders based on request type. This effort will also pay careful attention to the information/details being requested to process a ticket request and propose standardization improvements by helping establish cybersecurity risk documentation templates for SMUD's stakeholders to use when initiating ServiceNow ticket requests that will require cybersecurity risk assessments more efficiently. Review of historical ServiceNow Cybersecurity Risk ticket processing metrics will be necessary to help identify trends that illustrate peak ticket submission timeframes and propose efficiencies that can be implemented to effectively manage the cybersecurity risk ticket queue while considering the inherent resource constraints of having limited personnel to review, investigate, and process ticket submissions. Any proposed considerations will be formally presented to Cybersecurity Department Leadership for review and approval. All cybersecurity risk ticket processing recommendations that receive formal approval will be captured in a documented process methodology that outlines expected processing timelines, defines ticket processing minimum entrance criteria, as well as best practice recommendations for ticket submissions that will better assist the Cybersecurity Risk Team in being able to improve ticket processing timelines. The contractor will collaborate directly with SMUD's 's Cybersecurity Awareness, Training, and Education program lead to determine the best course of action to raise awareness for SMUD's users planning to submit a ticket that will require cybersecurity risk review/assessment. The contractor will also be directly responsible for helping execute the initial organizational pilot of the RMF process leveraging the ServiceNow IRM module to include assignment and refinement of the security control process (i.e. organization-level owned controls, system-level controls, hybrid controls), security artifact/evidence requirements; development of template/example documentation and job aids for organization stakeholders to leverage; as well as providing recommendations for the execution of continuous monitoring leveraging ServiceNow IRM. The contractor will be responsible for partnering with SMUD's 's Procurement Team to determine the plausibility of implementing ServiceNow's Vendor Risk Management capability to better continuously monitor, detect, assess, mitigate/remediate risks in vendor ecosystems.
Mandatory Requirements:
- A minimum of two years developing, analyzing, and creating efficiencies within ServiceNow workflow processes.
- A Minimum of two years' experience in customizing the Integrated Risk Management (IRM) capability within ServiceNow to align with the business objectives and risk appetite of mid to large sized organizations.
- A minimum of three years working within a governance, risk, and compliance environment with a proven track record of executing corporate projects and growth-based initiatives.
- A minimum of three years of experience working in cross-collaborative efforts involving establishing partnerships between business units, independently analyzing and engaging organizational stakeholders as-needed to ensure smooth process development and implementation across the organization for risk assessment functions.
- Experience developing professional templates in support of organization-level cybersecurity-focused risk assessment processes.
- A strong foundational understanding of NIST's Risk Management Framework process and hands on experience aligning the required functions of RMF within ServiceNow's IRM tool.
- Must be legally authorized to work in the United States without the need for employer sponsorship.
Minimum Years of Experience: 2 years.
Desirable Qualifications:
- ServiceNow Practitioner Implementer or above (e.g. Professional Implementer),
- ServiceNow Certified System Administrator (CSA),
- ServiceNow GRC: Integrated Risk Management (IRM) Implementer,
- ISC2 Certified Information Systems Security Professional (CISSP),
- ISC2 Certified Governance Risk and Compliance (CGRC) or Certified Authorization Professional (CAP),
- ISACA Certified Information Security Manager (CISM),
- ISACA Certified in Risk and Information Systems Control (CRISC),
- CompTIA Certified Advanced Security Practitioner (CASP+),
- CompTIA Security +. B.S. Computer Science (CS),
- Management of Information Systems (MIS), or Cybersecurity from an accredited university.
Assumptions:
It is expected that the contractor will be available during regular business operating hours (08:00am 05:00pm PST) to execute the above scope of work with minimal oversight from SMUD's Cybersecurity Department leadership, support/establish virtual meetings as needed; perform an independent gap analysis of existing processes, and work to create recommendations for process refinement; and or new process execution(s) based their findings. SMUD Cyber Security requirement is that candidate is required to work within the Unites States (U.S) while fulfilling tasks for this contract. Working outside the U.S will be viewed as a breach and contract will be terminated immediately.
