Has anyone out there had to tag CIs in their CMDB related to whether or not they contained PHI?
Conversation recently came up and it raised a number of questions/logistical concerns. Curious if others manage these things today with ServiceNow or how they might approach it:
- What do you tag as containing PHI? Service Instance, App, Database or associated infrastructure? Or all of the above?
- Would it be necessary to develop ACLs to block restricted users from being able to even see these CIs?
- Have you developed any tagging strategies around identifying CIs with PHI?
In my head, Server CIs are PHI-adjacent - they contain the application or database that truly houses the PHI, so I am thinking you should tag the app, service instance or database as appropriate.
Just curious if anyone out there has crossed this activity before and seen any approaches on how to handle.
