Where and how to store CIA (Confidentiality, Integrity, Availability) related information in the CMDB?

‎04-04-2022 02:31 AM
Hi -
I recently came across two customers that want to categorise their Business Applications using the CIA (Confidentiality, Integrity, Availability) model. I looked on the Community and could not find any discussion about this subject.
Long story, there have been debates about where to model this piece of information: e.g. should it be at Biz App level, App Service level or some place else? Note that those customers are not at a point where they model their Information Objects (yet).
App Service would make sense to me, given that 2 deployments don't necessarily have the same requirements. E.g. a dev environment may have anonymized data, therefore making the Confidentiality point less of a problem.
So the question is twofold:
- Where would you store this information, and
- Are there any existing out of the box fields that could fulfill this requirement? I looked into the base instance, but I don't know whether APM or other plugins/modules extend the CMDB with corresponding fields.
Thanks,
JC

‎04-04-2022 03:08 AM
Hi,
I am not aware that you can save the CIA information on a CI. I only know of solutions where the business criticality was calculated based on assessments that focused on getting the CIA values. But then you would use the business criticality and not the individual CIA values for the overall classification.
The CI level could be individual. But imagine you would like to use the values in the incident, change or other processes to determine the priority; I would probably use the application service or business service object, as these objects are often used in the processes.
Hope that helps
Sebastian
PS: If the customer has deeper requirements, I would suggest he have a look into IRM from ServiceNow.

‎04-04-2022 03:40 AM
Hi Jaques, Sebastian,
I do agree with Sebastian. Also for the reason that CIA might differ per instantiation of the Business Application.
Business Applications can also be part of the impact analysis, so that in itself is not a blocker towards the processes.
Enjoy the day,
Barry
‎04-04-2022 06:20 AM
In my organization we collect data types, business criticality and availability ratings in the Application Service CI. We do this because not all of the Application Service instances for a Business Application are the same.
A "survey" form is used to collect information from the groups that own the application service, which is then pulled into the Application Service CI.

‎04-04-2022 09:30 PM
Hi,
The CIA triad is a concept that comes from the discipline of Information management, not Configuration management. Therefore, in ServiceNow as well, Confidentiality, Integrity, and Availability are not attributes of configuration items; you can find them in two OOTB applications within the GRC product:
- Risk management, see details on page Create a business process in the Risk Workspace
- Business continuity management, see details on page View business impact analysis details.
Regards
Jiri