Cybersecurity SIR / Risk Assessment / VR
‎12-24-2024 07:44 AM
Hi All,
We do not have SIR / VR or IRM/GRC. Our team is using the Service Catalog to create security incidents and tasks to assign to our Cybersecurity team. The problem is that the user is entering confidential information in the description fields (i.e. IP address / vulnerabilities / host names, etc.). We provide safety for passengers in transportation. Therefore, when the video security cameras are not working properly, disclosing their IP info, host names, etc. to anyone is a risk. The user can also select PII or PCI hardware and enter info. All users with an ITIL license can view our organization's confidential info on the backend via a task or incident. If audited, this would be a security breach. Posting this info in a task is providing unauthorized and possibly criminal misuse of information to the users.
Are other organizations using the Service Catalog for Cybersecurity issues? What workaround do you recommend to protect confidential data that a user is transmitting to our Security team? I thought of using App Engine to create a Cybersecurity custom app; however, we do not own App Engine. When a request is submitted via the Service Catalog, can we pass the info to a scoped application (i.e. build a Cybersecurity scoped application)?
Our organization is evaluating ServiceNow's SecOps modules. However, this is new to them and will take at least a year before they would purchase. Before the Service Catalog, they were using spreadsheets.
Anyone have any recommendations and/or thoughts?
Thanks,
Kathy
‎12-24-2024 12:54 PM
Hi @kathymorris
I am not sure this is possible on a catalog item unless you capture the IP/hostname in separate variables and then put an ACL on them to hide it.
If my response proves useful, please indicate its helpfulness by selecting "Accept as Solution" and "Helpful." This action benefits both the community and me.
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/atul_grover_lng [Connect for 1-1 Session]
‎12-26-2024 08:31 AM - edited ‎12-26-2024 10:25 AM
Hi,
The data is captured in variables as free-form text. However, there is no way of knowing what security information the user will need to enter into the text field (i.e. IP address, host name, firewall info, PII data, etc.). What are organizations doing to secure confidential security information that is entered into the description field via the Service Catalog? Are other companies using the Service Catalog for Cybersecurity/Vulnerabilities, etc.?
‎12-27-2024 02:57 AM
Hi @kathymorris
Sorry, I think in this case, speak to your SN account manager and he/she can guide you better.
Regards
Dr. Atul G. - Learn N Grow Together