
on 06-27-2025 09:00 AM
Security and privacy regulations in different countries, such as GDPR, FISMA, PDPA, and the Privacy Act, require that sensitive data be protected.
Are your HR processes built under ITSM, HRSD, or a Scoped App? Are you sure that the data is secure? Below I'll share some information about the different types of encryption and their benefits so you can stay compliant.
A user's request passes through the following layers, in order, when reaching your ServiceNow instance:
- Internet Services Layer (Firewall, IDS, Load Balancer, SIEM) - This is where you can configure either Edge Encryption or IP Address Access Control
- Application Layer (App Nodes, App Server) - SSO, MFA, Platform Encryption, Roles & Encryption
- Database Layer - Where all data lives
Three types of encryption and differences:
Note: According to the documentation, encrypting the whole database layer would affect instance performance (by about 5%).
Instance Security Center is the place to go in ServiceNow to monitor metrics such as data exports, external logins, quarantined files, untrusted incoming emails, failed logins, and so on. It acts like an auditor, reporting your current setup and security score, and it provides best-practice documents and plugins to help you raise your percentages, so you don't have to begin your research from scratch.
When building an application, there are a few points that need to be considered first:
- The correct data model, which is the foundation of an application
- All relevant personas and their languages
- Documentation and who will support it
- Integrations - Exchanging data from ServiceNow to other external services
- Data imports/exports
- Reusability - Focus on reducing maintenance and avoiding the copy-and-paste mentality
- Clicks not code - Leverage a library of flows for reusable content and call actions from a script
- Need for many-to-many tables
- Need for an extended table or extended table hierarchy
Also, if you want to dive deep into applications and understand restricted caller access and cross-scope privileges, I recommend reading this article by Chris Nanda: Restricted Caller Access and Cross-Scope Privilege.
Key takeaways:
- When presenting, start with the solution and why you picked it (specifics), then cover the risks involved and the considerations, and finish with the additional solutions and why you picked the first one over the others.
- In a Scoped Application, you hold the keys to who has access to what and when. In terms of development, it's way easier to configure if HR is built in an App rather than within the ITSM process.
- The Business Process Consultants have an important job at the workshops. This is a consultant role: they have to listen to the customer, present what is out of the box in the Platform, and document it. Then the CTAs come into play to synthesize it into technical requirements.
Thanks for reading.