11-03-2022 03:53 AM
Hi,
Currently I am implementing CSDM for a client, and they are confused about which layer they should track SOX/GxP compliance from: is it Business App, App Service or Service Offering? What does best practice say?
11-03-2022 07:26 AM
The true answer to the question of compliance is about what the control states and how the configuration data can be used to determine whether a CI is in scope of the control, and if so, how it can indicate whether it is in compliance with the control objectives.
If you are looking to make a determination of whether an infrastructure CI is in scope, then you need to determine what Application Service it is part of. CSDM relationships will tell you which Business Application the Application Service was deployed from, and which Information Objects are being used by that Business Application. For example, the Business Application may handle PII data or PCI data. The Information Objects and their Data Domains are one of the most important elements for determining what compliance controls should apply to the Application Services and Infrastructure CIs. To get that information you need to query across those CI relationships.
So to answer "do I need to include this Windows Server in my SOX audit?", what you really need to answer is "is this Windows Server associated with an instance of a Business Application that uses Information Objects that are relevant to SOX compliance?" Once you have determined that the CI is in scope of the audit, the question you have to answer is: what control objectives exist for your compliance audit, and does the CMDB data provide enough information to indicate compliance or non-compliance with that control, or do you need to look to other sources to perform the audit for that CI?
That is the most typical use case that CSDM seeks to address from a compliance perspective. More broadly, however, the scoping of the audit, as well as the indicators you create to measure compliance, are based on the criteria of the policies and controls, which may include other factors such as where the infrastructure or application is deployed and who it is used by; that data would need to be referenced from the relevant CIs and included in your audit criteria.
Bottom line: the important thing to remember is that it is about interpreting the controls that you are auditing against, and making sure you are pulling the right information from the right CIs and CI relationships to support your audit. In practice, Business Applications and Information Objects are where CSDM looks to define much of this compliance information.
The opinions expressed here are the opinions of the author, and are not endorsed by ServiceNow or any other employer, company, or entity.
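The relationship walk the answer above describes (server to Application Service to Business Application to Information Object, then check the Data Domain) can be expressed as a small query over the relationship table. The script below is an added example, not code from the thread or from ServiceNow: it runs offline against a handful of constructed CI records and cmdb_rel_ci-style rows embedded inline. The class names follow ServiceNow naming, but the relationship type strings, the data domain values and every CI record are assumptions; in an instance you would replace the in-memory tables with GlideRecord queries on cmdb_rel_ci. Because scope is derived from the path rather than stored as a flag on the server, the same code also answers the shared-server case: a server used by two Application Services is in scope via one Business Application and out of scope via the other.

```javascript
// Added example: derive SOX scope for a server by walking CSDM-style CI
// relationships instead of reading a "SOX Relevant" flag on the server.
// All records, sys_ids, relationship type names and data domains below are
// constructed for the example (assumptions, not real instance data).

// Constructed CI records keyed by an invented sys_id.
const CIS = {
  win01: { sys_class_name: 'cmdb_ci_win_server', name: 'WIN01' },
  win02: { sys_class_name: 'cmdb_ci_win_server', name: 'WIN02' }, // shared by two services
  svcErp: { sys_class_name: 'cmdb_ci_service_auto', name: 'ERP Prod' },
  svcWiki: { sys_class_name: 'cmdb_ci_service_auto', name: 'Wiki Prod' },
  appErp: { sys_class_name: 'cmdb_ci_business_app', name: 'ERP' },
  appWiki: { sys_class_name: 'cmdb_ci_business_app', name: 'Wiki' },
  ioGl: { sys_class_name: 'cmdb_ci_information_object', name: 'General Ledger', data_domain: 'Financial Reporting' },
  ioPages: { sys_class_name: 'cmdb_ci_information_object', name: 'Wiki Pages', data_domain: 'Internal Content' },
};

// Constructed cmdb_rel_ci rows (parent -> type -> child). The type strings are
// assumptions; use whatever relationship types your CSDM build actually sets.
const RELS = [
  { parent: 'svcErp', type: 'Depends on::Used by', child: 'win01' },
  { parent: 'svcErp', type: 'Depends on::Used by', child: 'win02' },
  { parent: 'svcWiki', type: 'Depends on::Used by', child: 'win02' },
  { parent: 'appErp', type: 'Consumes::Consumed by', child: 'svcErp' },
  { parent: 'appWiki', type: 'Consumes::Consumed by', child: 'svcWiki' },
  { parent: 'appErp', type: 'Uses::Used by', child: 'ioGl' },
  { parent: 'appWiki', type: 'Uses::Used by', child: 'ioPages' },
];

// Data domains that the (assumed) SOX control statement puts in scope.
const SOX_DATA_DOMAINS = new Set(['Financial Reporting']);

// CIs connected to ciId in either direction whose class matches sysClass.
function neighbours(ciId, sysClass) {
  const out = new Set();
  for (const r of RELS) {
    if (r.parent === ciId && CIS[r.child].sys_class_name === sysClass) out.add(r.child);
    if (r.child === ciId && CIS[r.parent].sys_class_name === sysClass) out.add(r.parent);
  }
  return [...out];
}

// Walk server -> application service -> business application -> information
// object. Returns one entry per business application that pulls the server
// into scope, naming the information objects that caused it.
function soxScopeForServer(serverId) {
  const hits = [];
  for (const svc of neighbours(serverId, 'cmdb_ci_service_auto')) {
    for (const app of neighbours(svc, 'cmdb_ci_business_app')) {
      const ios = neighbours(app, 'cmdb_ci_information_object')
        .filter((io) => SOX_DATA_DOMAINS.has(CIS[io].data_domain));
      if (ios.length > 0) {
        hits.push({
          service: CIS[svc].name,
          app: CIS[app].name,
          informationObjects: ios.map((io) => CIS[io].name),
        });
      }
    }
  }
  return hits;
}

// Whole-server answer to "do I include this server in the SOX audit?"
function isInSoxScope(serverId) {
  return soxScopeForServer(serverId).length > 0;
}

// Per-application answer for a shared server: WIN02 is SOX relevant through
// ERP (General Ledger data) but not through Wiki, with no flag on the server.
function isSoxRelevantFor(serverId, appName) {
  return soxScopeForServer(serverId).some((h) => h.app === appName);
}

// Usage: list why WIN02 is in scope.
console.log(JSON.stringify(soxScopeForServer('win02'), null, 2));
```

The audit evidence is the returned path (service, application, information objects), which is what an auditor will ask for; a boolean on the server record cannot carry it. Adding a new data domain to `SOX_DATA_DOMAINS`, or a new Information Object relationship, changes scope without touching any server record.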
03-29-2023 03:30 AM
Hi,
I also got stuck here. We have an attribute on the server form for "SOX Relevant"; however, in the case of a shared server, when you check this box it becomes SOX relevant for the other applications also.
I am also looking for a solution where, if I mark a server as SOX relevant for one app, it should not be SOX relevant for the others.
Is there a way we can have something on the relationship? Just a thought, but I am not getting a clue how to implement this.
Thanks,
Kapil Sharma
01-26-2024 07:13 AM
Does anyone have any options? I am thinking of finding a way to associate a Business Application to another CMDB CI that is most suitable for SOX compliance. Something like (Information Object = SOX Application), and then I draw relationships to all Business Apps, Servers etc. that are under compliance. However, Information Object feels like the wrong place to put this under.
01-26-2024 07:24 AM
We built a custom table for information security to own and manage those types of attributes that uses the Business App table. We should have done it at the Application Service table level.