Text preview & study summary
ServiceNow CIS-VR and CIS-RIM - Vulnerability Response Risk Compliance IRM
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A security analyst discovers that a web application vulnerability (SQL injection) exists in a vendor-supplied component that cannot be patched immediately. The risk needs to be formally accepted by the CTO for a 90-day period. What is the correct workflow in Vulnerability Response and IRM?
Explanation
Formal risk acceptance process in ServiceNow: (1) Risk Acceptance record: creates formal documentation linking the vulnerability (from VR), the business justification, the acceptance period, and the approver; (2) Approval Workflow: routes to the CTO with full vulnerability context (CVSS score, affected systems, business impact); (3) Digital approval: CTO approves in ServiceNow — timestamp and approver identity are captured; (4) Compensating Controls: documented on the Risk Acceptance (WAF rules blocking SQL injection patterns); (5) Expiry: after 90 days, Risk Acceptance expires; if not renewed or remediated, SLA breach reporting resumes; (6) Vulnerability Exception: links to the Risk Acceptance in VR, pausing SLA clock while acceptance is active; (7) Audit Trail: complete documentation satisfies SOX/PCI-DSS risk acceptance requirements. Verbal approval (option C) is undocumentable and fails audit scrutiny.
Question 2
A compliance team is preparing for a SOC 2 Type II audit. They need to demonstrate that controls were consistently in place and effective throughout the 12-month audit period, not just at one point in time. How does ServiceNow IRM help demonstrate continuous control effectiveness?
Explanation
Continuous control monitoring for SOC 2 Type II: (1) Scheduled Control Assessments: configure control tests to run at defined frequencies (monthly automated, quarterly manual sampling); (2) Test Results: each assessment creates a timestamped result record (Pass/Fail) with evidence; (3) Evidence Repository: supporting evidence (screenshots, log exports, configuration captures) attached to each assessment; (4) Audit Period Coverage: 12 months of monthly assessment results provide auditors with evidence of consistent control operation; (5) Exceptions: any failed assessment during the period is documented with remediation evidence; (6) Auditor Access: auditors can be given read-only access to the IRM compliance module to review evidence directly; (7) Automated controls (Configuration Compliance checks) provide tamper-proof continuous testing evidence. Point-in-time assessment (option A) can only support SOC 2 Type I certification, not Type II which requires evidence of sustained effectiveness.
Question 3
A company processes credit card payments and needs to demonstrate PCI-DSS compliance. Their QSA (Qualified Security Assessor) needs to review evidence for all 12 PCI-DSS requirements. How should ServiceNow IRM be configured to support the QSA review process?
Explanation
PCI-DSS compliance in ServiceNow IRM: (1) Framework Configuration: import PCI-DSS v4.0 requirements (all 12 requirements, 64+ sub-requirements) into IRM as a regulatory framework; (2) Control Mapping: each PCI requirement linked to the organization's specific controls (Requirement 2.2 → System Hardening Control → CIS Benchmarks Configuration Compliance tests); (3) Control Assessments: automated (Configuration Compliance scans) and manual assessments with evidence; (4) Evidence Repository: screenshots, logs, policies stored as evidence artifacts per requirement; (5) Compliance Report: formal PCI-DSS compliance report showing each requirement: In Compliance, Partial, Non-Compliant with remediation status; (6) QSA Portal Access: create QSA user with read-only access to the IRM Compliance module for direct evidence review; (7) Reduces assessment time by 50-70% vs. manual evidence collection. SharePoint (option C) lacks the control assessment linkage and formal reporting structure QSAs require.
Question 4
A risk and compliance analyst wants to map ServiceNow IRM controls to multiple regulatory frameworks simultaneously (SOC 2, ISO 27001, NIST CSF, GDPR). Instead of creating separate control assessments for each framework, she wants to assess each control once and map to all relevant frameworks. Which IRM feature enables this?
Explanation
ServiceNow IRM's Unified Controls Framework: (1) Control Library — a single set of controls that represent actual security/operational practices (e.g., "Multi-factor Authentication Required"); (2) Control Framework Mapping — each control is mapped to relevant requirements across all frameworks: SOC 2 CC6.1, ISO 27001 A.9.4.2, NIST CSF PR.AC-7, GDPR Article 32; (3) Single Assessment — when control effectiveness is tested, results automatically satisfy all mapped framework requirements; (4) Compliance Dashboard — shows compliance percentage per framework derived from the same underlying control evidence; (5) Audit Evidence — one set of evidence artifacts (screenshots, logs, configurations) satisfies multiple auditor requests. Creating separate control libraries (option A) creates redundant work — the same controls assessed 4 times for each framework.
Question 5
An organization discovers that 200 of their vulnerability findings were incorrectly classified by the vulnerability scanner with wrong CVSS scores — they should be Critical (CVSS 9.0+) but were scanned as Medium (CVSS 5.0). How should these findings be corrected in Vulnerability Response without reimporting all findings?
Explanation
Bulk vulnerability record correction: (1) Filter: identify the 200 affected records (by scanner, date, specific plugin ID, or manual identification list); (2) Background Script or Mass Update: use GlideRecord.updateMultiple() or the list-view mass update to correct the CVSS score field; (3) Risk Score Recalculation: trigger recalculation of the composite Risk Score based on updated CVSS (VR may need a business rule or script to recalculate after manual corrections); (4) SLA Adjustment: update the SLA target based on new severity — vulnerabilities now classified Critical get 15-day SLA applied; (5) Assignment Review: if assignment rules use severity, review assignments for the updated records; (6) Audit Note: document the correction reason in the affected records. Deleting and reimporting (option A) loses any work notes, exceptions, or remediation progress already documented on those records.
