Sensitive Data and Encryption

Will S_
Kilo Explorer

Wondering how other people have handled sensitive data (PCI, HIPAA, etc.). We have decided to leverage field encryption since edge encryption limits certain functionality and adds other complexities.

How have others handled encryption?

1.  How have you determined who sees the encrypted data?

2.  Have you limited access by field or by ticket (request, incident, etc.)?

3.  How have you implemented encrypted fields across the various tickets?  Incidents?  Requests? 

4.  With requests, what have you done for information flow between the top level request (RITM) and the tasks?  If there is encrypted data in the top level, do you allow people assigned to the tasks to see it?  If there is encrypted data in a task, do you allow people assigned to other tasks to see it?

Generally I'm looking for experiences on how people are handling encrypting sensitive data in tickets.  

Thanks,

Will


Valor1
Giga Guru

Field encryption has the same limitations as Edge Encryption, and in some cases is even more restrictive. For Field Encryption, once data is saved to an encrypted field, it's only readable by a human. IIRC, this means:

  • No integrations
  • No exports
  • No reports
  • No filters
  • No sorting
  • No emailing

For the above reasons and more, we have decided to implement (pending testing and verification) ServiceNow's new FULL DB Encryption offering. This is to satisfy GDPR's tacit encryption "requirement."

We have gone this route since it would cover the encryption at rest requirement put in place by our legal team, and also because it doesn't carry the same limitations as Edge or Field encryption.

If you're interested, ask your sales rep for details -- I was told it was a GA offering as of the end of K18.

 

If you're intent on implementing Field Encryption (it has largely the same limitations as Edge Encryption, and sometimes more), you'll want to be aware of this:

https://community.servicenow.com/community?id=community_question&sys_id=833ec7eddb9cdbc01dcaf3231f96196e

To explicitly answer your questions:

  1. Business decides the "need"
  2. Limit by field on ticket (only regional HR can see HIPAA field for users in that region)
  3. Same as #2?
  4. You can't transfer rights. ALSO--be careful of data in variables; it lives in plain text on the sc_item_option_mtom table

We were also stuck in this discussion 2 months ago.

But we have now decided to move to FedRAMP, which gives us guaranteed safety from ServiceNow.

https://www.servicenow.com/company/media/press-room/servicenow-gains-fedramp-certification.html

 

Much cheaper to maintain--but yes--need to pay ServiceNow.

Check with your sales team.

 

@Will, if I answered your question, mind marking it as such for other users? 

Thanks!