Question on where to identify a device as relating to PCI, CI or asset
05-20-2018 10:11 AM
We are trying to identify PCI related devices in ServiceNow. A question that has come up is whether this identification should be under the device CI or the device asset record.
PCI isn't really a configuration, although it is the use of the device. Further, we may be able to create logic that automatically flags a device as PCI related based on discovery. So, I'm somewhat leaning towards CI.
Any thoughts? Honestly, this goes to the overall concept of where you would list any purpose of any device.
Thanks in advance,
Will
05-21-2018 06:52 AM
We use the CI for this, mostly because we find CIs that are not Assets and need a PCI scoping attribute, e.g. virtual servers. The question we generally will ask is "will this affect the workflow or approach to Change/Incident/Problem or this entity?" If it will, then generally speaking it's a CI attribute.
The PCI attribute on the server inherits a value in our model.
For us what makes a server CI be in scope for PCI or not is the Business Application(s) that run on it. If the Bus App is in scope for PCI, then the server generally is too. We do allow for exceptions in the relationship, especially for non-Prod environments, and all of that is calculated in the inheritance.
Your last point really goes to this: the "purpose" of a device on the server side, for us, is "what Business Applications does it support, and by extension what Business Services does it support".
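The inheritance described in the reply above, sketched as an added example that is not part of the original thread and does not use the ServiceNow API: a server CI is in PCI scope when any Business Application it supports is in scope, unless that relationship carries an exception. All record and field names (`pciInScope`, `pciException`, the server and application names) are assumptions, and the sample data is constructed.

```javascript
// Constructed sample data; field names are hypothetical, not ServiceNow schema.
const businessApps = new Map([
  ["Card Payments", { pciInScope: true }],
  ["Intranet Wiki", { pciInScope: false }],
]);

// One row per "server supports Business Application" relationship.
// pciException marks a reviewed exception, e.g. a non-Prod server.
const relationships = [
  { server: "vm-pay-prod-01", app: "Card Payments", pciException: false },
  { server: "vm-pay-dev-01", app: "Card Payments", pciException: true },
  { server: "vm-wiki-01", app: "Intranet Wiki", pciException: false },
  { server: "vm-shared-01", app: "Intranet Wiki", pciException: false },
  { server: "vm-shared-01", app: "Card Payments", pciException: false },
  { server: "vm-orphan-01", app: "Retired App", pciException: false },
];

// Derive each server's PCI scope from its applications and record why,
// so an assessor can trace the flag back to the relationship behind it.
function computePciScope(apps, rels) {
  const result = new Map();
  for (const { server, app, pciException } of rels) {
    const entry = result.get(server) ||
      { inScope: false, drivenBy: [], exceptions: [], unknownApps: [] };
    const appRecord = apps.get(app);
    if (!appRecord) {
      // Relationship points at an app with no record: surface it for
      // review instead of silently treating the server as out of scope.
      entry.unknownApps.push(app);
    } else if (appRecord.pciInScope && pciException) {
      entry.exceptions.push(app); // in-scope app, but excepted on this link
    } else if (appRecord.pciInScope) {
      entry.inScope = true;       // any one non-excepted in-scope app suffices
      entry.drivenBy.push(app);
    }
    result.set(server, entry);
  }
  return result;
}

for (const [server, s] of computePciScope(businessApps, relationships)) {
  console.log(server, s.inScope ? "IN SCOPE" : "out of scope", JSON.stringify(s));
}
```

Because the exception sits on the relationship rather than on the server, a shared server stays in scope as long as one non-excepted link to an in-scope application remains.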