Security Concern around Mid-Server Installation for CMDB Discovery
07-18-2022 06:45 AM
I was directed by our ServiceNow customer contact to reach out to the ServiceNow CORE team to help us with the below. Appreciate your prompt guidance and help.
Background: Our company is implementing ServiceNow in partnership with one of the Elite implementation partners in Canada. In order to build a robust CMDB, we are relying on SNOW Discovery to scan and gather the CIs residing in various subnets.
Business Justification: Since we are in the FINTECH / PAYTECH domain, we need to be compliant with PCI DSS, ISO 27K, and SOC 1 & 2, to name a few. Our security team would like to review the below SNOW audit reports before they can give the approval for the partner to proceed with the MID SERVER installations. At this point, our CMDB discovery exercise is on hold and we would like to get this moving.
Information Required
We are looking for relevant 3rd party audit reports or certifications, like:
1) PCI AoC
2) SOC1/2 Type II
3) ISO27001/2
4) Pen Test report for the S-NOW URL used by the MID servers, as well as Vulnerability Scans
Purpose
We need to do a risk assessment as well as validate the security posture of the cloud resource that will collect the information gathered by the MID servers before allowing information related to sensitive CIs to be collected by the MID Server using discovery.
Risk: Our current project is on hold until we get the reports.
Thanks
Sherrina

07-19-2022 01:30 AM
ServiceNow CORE is a library of documentation and attestations/reports that you sign up for and then have access to. It is not a team. You can request access to ServiceNow CORE (by signing an NDA) here.
07-19-2022 09:42 AM
Sherrina - you can engage your ServiceNow Account Manager to request a meeting with the ServiceNow Office of the CISO team to discuss these points as well. We'd be more than happy to have a conversation with your security team about this.