More than ITSM: How one customer uses TOPdesk for Governance, Risk Management and Compliance

Most TOPdesk customers use our software for IT and other service departments, but sometimes our customers surprise us when they tell us what else it can do. Keep reading to find out how TOPdesk helps keep track of Governance, Risk management and Compliance.

By André Kevenaar and Fijke Roelofsen 

GRC in Finance

The customer we’re talking about is an important player in the European financial market. The company processes millions of transactions every day. It’s imperative that their services are reliable and the transactions guaranteed. Serious problems can have big consequences for the stability of the financial market. So this company, and many others in the financial sector, often have to work with a range of risk, compliance and security measures, summarized under the name Governance, Risk Management and Compliance, or GRC.

“We have to be able to guarantee that the transactions we process are safe at any given time. Auditing and compliance to protocols are incredibly important,” The company’s CISO says. In addition to the yearly internal audits, assessments and the accountant financial review, the company is frequently audited by external parties throughout the year.


How to manage GRC and ITSM in the same software?

“When we started managing our own IT security in the past, we were focused on protecting our infrastructure at its borders, simply making sure nobody could get into the network. Cybersecurity wasn’t such a hot topic at the time,” the CISO explains. “But a lot has changed since then. When we did a cyber-resilience assessment a few years ago, we were doing ok, but there definitely was room for improvement. So for nearly two years, we installed a solid security governance structure and worked to improve our cyber security.”

Thankfully, the company didn’t have to start from scratch. They decided to use an existing and well known security framework: NIST. NIST provides a number of controls to ensure IT security, and the finance company added several more controls that were more specific to the organization. For instance, the company now has systems in place that help the security team to deal with the threat of DDOS attacks and additional systems were implemented for the detection of cyber security incidents.

The next step is to find software that helps manage and maintain the different controls, and that’s where TOPdesk comes in. “We needed a way to keep our controls up-to-date and store proof for auditors. We were looking into dedicated GRC tools, but then we came across the new Asset Management module in TOPdesk. We were already using the software for ITSM, but we realised that the new Asset Management module opened up new possibilities for GRC.

“The new Asset Management allows us to create or own forms and fields, so it wasn’t hard to create asset cards for our controls. And because you can link operational activities to assets, we could quickly create a system: Each control has an owner. We added activities for testing and annual reviewing and updating the control cards. TOPdesk now sends reminders to the right control owners every year when these activities are due and creates a review- or testing task for them. If any of the control owners don’t do their assigned tasks, I can see when the task goes overdue and take action accordingly.

It is our belief that the strength of cyber security largely depends on the quality and timeliness of very concrete repeating actions. TOPdesk Asset management and Operations Management provide a flexible and efficient way – without much manual work – to manage and monitor the security controls’ quality and status. 

Hopes for the future

“We’re happy with what we can do with TOPdesk right now, but we’re always looking for improvement. Here’s one concrete example: we test our measures against DDOS attacks every quarter. TOPdesk generates the activities needed for this and reminds us of the tasks we need to do. In the future, we hope to be able to quickly and easy get an overview of these kind of operational security tasks and the accompanying controls data out of TOPdesk. Auditors want that kind of proof when they ask us what we’re doing to protect our network against DDOS attacks. We are also very excited about the new possibilities to work with TOPdesk data with business intelligence tooling. We have started using Microsoft Power BI and have already created wonderful looking and very informative dashboards with the available TOPdesk data! I’m looking forward to seeing how TOPdesk will further expand its potential as a full-fledged GRC tool.”