3 weeks ago
Hello -
In a situation where we have a CMDB implementation partially completed and at maturity level 2, and IRM solutions started with the analysis phase, I would like to know: what is the strategy to maintain CIA attributes?
I understand they are available at the BP level but am not sure why. Why not at the application or infra level?
Thanks.
3 weeks ago
Hi @ppendyala
Check this post, if it helps.
3 weeks ago
Hi @ppendyala - Yes, CIA (Confidentiality, Integrity, and Availability) attribute values are maintained at the BP level; more often, custom fields are created on other CI classes to maintain them (unfortunate, and a strict NO in my opinion).
Why not at the application level? A BA may support different BPs of varying criticalities. Hence, placing attributes at the BP level prevents "over-classifying" an application based on its most sensitive use case.
Trust that also explains why not at the underlying infra level.
Additionally, the rationale for maintaining CIA (Confidentiality, Integrity, and Availability) attributes at the BP level originates from the fact that risk is fundamentally a business outcome, not a technical one.
"Hope that helps, if so, please mark it as Helpful"
BR, UD
3 weeks ago
Thank you @Uday Damaraju. That brings up the question: why is it designed like that?
What if an organization maintains CIA values at the business app level in a homegrown app or an Excel sheet, because in the current scenario they do not have the concept of BPs, and wants to migrate them to SN?
3 weeks ago - last edited 3 weeks ago
@ppendyala -
ServiceNow places CIA ratings at the BP level because:
1. It represents how the business operates to deliver value.
2. Business Continuity Management (SN also has a BCM solution) topics like BIA/BCP/BCM leverage the BP as the primary unit for impact analysis.
3. It is the process (BP), not the software (BA), that has a recovery time objective (RTO) or a specific confidentiality requirement.
Regulatory topics like GDPR and DORA highlight how crucial data/info processing is in the business world. The "purpose of processing" is determined by the particular processes that are implemented, which then determine the key security measures needed for the applications involved.
"Hope it helps, if it does, please mark it helpful and accept the solution"
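An added example (my own Python, not code from this thread or from ServiceNow) that models the argument made in the replies above: ratings are held per BP, a BA's requirement is derived as the attribute-wise maximum over the BPs it supports, and storing the rating on the BA instead would over-classify its less critical processes. All BP names, BA names, relationships and rating values are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scale for each CIA attribute (constructed for this example).
LEVELS = {"low": 1, "moderate": 2, "high": 3}
ATTRS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class CIA:
    confidentiality: str
    integrity: str
    availability: str

    def max_with(self, other: "CIA") -> "CIA":
        """Attribute-wise maximum of two ratings."""
        return CIA(*(max(getattr(self, a), getattr(other, a), key=LEVELS.get) for a in ATTRS))


# BP-level ratings: the record of truth, as the replies recommend (constructed values).
BP_CIA = {
    "Payroll run": CIA("high", "high", "moderate"),
    "Cafeteria menu publishing": CIA("low", "low", "low"),
    "Customer order fulfilment": CIA("moderate", "high", "high"),
}

# Business Application -> Business Processes it supports (constructed CMDB relationships).
BA_SUPPORTS = {
    "HR Portal": ["Payroll run", "Cafeteria menu publishing"],
    "Order System": ["Customer order fulfilment"],
}


def derived_ba_cia(ba: str) -> CIA:
    """Requirement a BA must meet: attribute-wise max over the BPs it supports."""
    ratings = [BP_CIA[bp] for bp in BA_SUPPORTS[ba]]
    result = ratings[0]
    for rating in ratings[1:]:
        result = result.max_with(rating)
    return result


def overclassified(ba: str) -> dict:
    """If CIA were stored on the BA instead, every supported BP would inherit the BA's
    rating. Returns {bp: [attributes rated higher than that BP actually needs]}."""
    ba_cia = derived_ba_cia(ba)
    out = {}
    for bp in BA_SUPPORTS[ba]:
        gaps = [a for a in ATTRS if LEVELS[getattr(ba_cia, a)] > LEVELS[getattr(BP_CIA[bp], a)]]
        if gaps:
            out[bp] = gaps
    return out


if __name__ == "__main__":
    for name in BA_SUPPORTS:
        print(name, derived_ba_cia(name), overclassified(name))
```

Running it shows "HR Portal" derived as high/high/moderate from its payroll process, while the cafeteria process would be over-classified on all three attributes if that rating lived on the application.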
