Best practice when using Information Objects
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-13-2020 03:19 AM
I'm planning on modeling PII (related to GDPR) as Information Objects like Name, phone number, email etc.
I have played with this on a ShowCase instance where all the expample PII Information Objects are Owned by the same person. My experience in this is that every Application owner is usually responsible of the PII data in their Application.
Should information object be generic CI:s that relates to all Applications where e.g. Name is used or can these be modeled per Application? Is there any best practice?
Thanks,
Kristoffer
- 3,546 Views
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-26-2020 03:35 AM
Hi Kristoffer,
My understanding is, that you would ideally have generic information objects like 'Social Security Number' related to the Business Applications in which this type of information resides.
You would then have a single owner of that type of information, who decides, whether or not to allow their information object to be used in a business application.
In turn you will have an application owner who knows more about the specifics, such as, what tables are storing the data, who has access to them and so on.
So from my perspective, it is a shared ownership between the information object owner and the application that uses that specific object.
Br.
Casper
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-26-2021 07:32 AM
I also have this type of task, specifically where the organization wants to have a granular view for the data type that is either being sent, consumed or relationship type. The CSDM 3.0 White paper mentions the Information Object table, where it is supposed to be used to identify the types of data a business application may possess such as PII, PCI and etc. There really is not to much guidance in the white paper when it comes to best practice in the identification of the actual data, so I think it is up to us to mock up and then maybe bring to ServiceNow for guidance.
The question from the client is: how do we capture this information about data/interfaces between app services, as a companion to the relationships we’ve already described using CMDB? What data should we be capturing?
Example for me;
Application Service Active Directory and Application Service ServiceNow. I have come up with either using the CI Class and maybe detailing or Identifying there, but want to also see what the value is in utilizing this NEW table - Information Object
