Edgile Releases ArC Q4 2021 Update for ServiceNow

By Giovanni Sparacio

This week, Edgile, the leading cyber risk and regulatory compliance consulting firm and ServiceNow Elite partner, announced the 2021 Q4 release of its Automated Regulatory Compliance (ArC) Content Service for ServiceNow.

Edgile’s award-winning ArC service delivers more than 650 harmonized laws, regulations and industry standards and automatically loads them into ServiceNow IRM. ArC subscribers also receive a quarterly summary of noteworthy regulatory news, risk trends and enforcement activities. 

“More clients are seeing the need to both integrate risk and compliance for operational efficiency as well as the necessity for improved governance on the management of evolving mandates to ensure the organization isn’t missing new compliance requirements.”

Brian Rizman, Edgile Partner

What’s new with ArC in Q4?

The Q4 2021 content update adds just over 50 new authoritative sources to the ArC Master Library across Edgile’s three core risk taxonomies—Information Technology Risk Management (ITRM), Operational Risk Management (ORM) and Enterprise Risk Management (ERM)—plus a subset of Oil & Gas industry-specific requirements.

Additions to the ArC Master Library for this quarter include:

A package of financial services and insurance industry sources that focus on the improvement of industry-wide regulation, risk management, cybersecurity, data security, privacy control, and data processing, including:

  • Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority)
  • Central Bank of Ireland: Cross Industry Guidance in Respect of Information Technology and Cybersecurity Risks
  • Guidelines on Information and Communication Technology Security and Governance (EIOPA–BoS–20/600)
  • Cayman Islands Monetary Authority – Cybersecurity for Regulated Entities (Rules & Guidance)
  • Bermuda Monetary Authority – Insurance Sector Operational Cyber Risk Management Code of Conduct
  • Australian Prudential Regulation Authority – Information Security Prudential Standard (CPS234)
  • Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
  • Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council
  • Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, UKNF) – Information Processing by Supervised Entities Using Public or Hybrid Cloud Computing Service
  • FFIEC Information Technology Examination Handbook – Architecture, Infrastructure, and Operations

A series of both federal- and state-level sources that address standardized approaches to improved organizational security and risk management postures, including:

  • NIST SP 800-207 – Zero Trust Architecture
  • Department of Defense: Instruction No. 8510.01 – Risk Management Framework (RMF) for DoD Information Technology (IT)
  • Department of Homeland Security (DHS) 4300A Sensitive Systems Handbook
  • State of Maryland Information Technology Security Manual
  • California Department of Technology – Office of Information Security
    • SIMM 5300-B Foundational Framework
    • SIMM 5305-A Program Management Standard
    • SIMM 5310-A Privacy Statement and Notices Standard
    • SIMM 5310-B Privacy Individual Access Standard
    • SIMM 5310-C Privacy Threshold Assessment and Privacy Impact Assessments
    • SIMM 5315-A Email Threat Protection Standard
    • SIMM 5315-B Cloud Security Standard
    • SIMM 5320-A Phishing Exercise Standard
    • SIMM 5325-A Recovery Plan Instructions
    • SIMM 5325-B Technology Recovery Program Certification
    • SIMM 5330-A Designation Letter
    • SIMM 5330-B Information Security and Privacy Program Compliance Certification
    • SIMM 5330-C Information Security Compliance Reporting Schedule
    • SIMM 5335-A Event Notification and Response Standard
    • SIMM 5340-A Incident Reporting and Response Instructions
    • SIMM 5340-C Requirements to Respond to Incidents Involving a Breach of Personal Information
    • SIMM 5345-A Vulnerability Management Standard
    • SIMM 5355-A Endpoint Protection Standard
    • SIMM 5360-A Telework and Remote Access Security Standard

Additional Center for Information Security (CIS) Benchmarks sources, including:

  • CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0
  • CIS Docker 1.13.0 Benchmark v1.0.0

A catalog of healthcare provider controls that focus on the effective management of risk, security and privacy for systems or data subject to the Affordable Care Act, including:

  • Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0 Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges Version 2.0

A set of oil and gas sources focused on regulating domain-specific considerations related to various production, conservation, transportation and environmental safety activities, including:

  • Clean Air Act
  • Clean Water Act
  • Interstate Transportation of Petroleum Products
  • Natural Gas Act
  • Pipeline and Hazardous Materials Safety Administration (PHMSA) Regulations
  • Bureau of Safety and Environmental Enforcement (BSEE) Regulations
  • Bureau of Ocean Energy Management (BOEM) Regulations
  • Bureau of Land Management (BLM) Regulations
  • Texas Administrative Code (TAC) Title 16 – Economic Regulation Part 1 – Railroad Commission of Texas
  • Oklahoma Corporation Commission Rules
  • Alaska Oil and Gas Conservation Commission Rules
  • Pennsylvania Department of Environmental Protection – Office of Oil & Gas Management – Regulations
  • California Department of Conservation – Statutes & Regulations
  • North Dakota Industrial Commission – North Dakota Administrative Code – Oil & Gas
  • Ohio Department of Natural Resources – Division of Mineral Resources Management – Oil & Gas
  • New Mexico Administrative Code – Oil Conservation Division – Chapter 15

Managing regulatory changes with Edgile ArC apps

Included in the ArC Content Service subscription is the Built on Now® Edgile Regulatory Change Management application. The solution provides a closed-loop process to surgically identify necessary changes to policies, standards and controls across the organization based on new statutes, regulations and standards. Intelligent automation and sustainment workflows are leveraged to load the desired regulatory content changes into ServiceNow IRM, using an easy-to-navigate IT risk management framework. 

The ArC Content Service is maintained by Edgile’s compliance experts in PCI DSS, Sarbanes-Oxley, FFIEC, GLBA, FRB Reg A-YY, HIPAA, Privacy, FDA, NERC CIP, and more. ArC monitors federal regulatory amendments and state privacy laws, including state sources for personal information protection, security breaches, data sharing, identity theft and notification.

ArC subscriptions are available on a paid annual basis for the following 21 verticals: Medical Device Manufacturer, Pharmaceutical Life Sciences, Healthcare Provider, Healthcare Provider + Research, Healthcare Payer, Healthcare Payer + Medicaid, Financial Services – Banking, Financial Services – Banking and Broker/Dealer, Insurance – Property and Casualty, Insurance – Property, Casualty and Life, Casino Gaming, Utilities, Oil and Gas, Manufacturing, Technology, Retail, Government, Media, Transportation, Real Estate, and Privacy.

ServiceNow IRM Quick Start Packages

ArC Content is the backbone of Edgile’s comprehensive ServiceNow IRM Quick Start packages. Quick Starts help clients avoid the costs of integrating content with ServiceNow, and the expense (both time and money) of continuously monitoring, updating and operationalizing regulatory changes.

For details on ArC ServiceNow apps and solutions, or if you want to know if a particular regulation in your industry is covered, please contact Edgile’s Risk and Security team.

Connect with Edgile to get started

For details on how to optimize your risk and security programs, please contact your Edgile representative.