
rachidh
ServiceNow Employee

Chances are, if you are using or planning to use a cloud-based service, you have some questions on cloud security. You might be asking yourself:


  • Where can I find documentation about the Cloud Service Provider's security?
  • How does the Cloud Service Provider (CSP) keep its clients' data safe?
  • How does the CSP address compliance and clients' risk concerns?
  • What controls are available to me as an Administrator to configure the system to my specific security needs?

 

At ServiceNow, we have made it easy to find the answers to these questions. The goal of this post is to help you find available documentation to answer the questions above and provide additional information related to security in the Now Platform.

 

 

Start with these resources on ServiceNow platform security

If you are a prospective customer, please take a look at the following resources:

  • The ServiceNow Trust Website: This site provides an overview of ServiceNow's platform security, our philosophy regarding trust, and how the concept of trust applies to our security posture as a CSP.


  • ServiceNow CORE [Limited]: This version of the ServiceNow CORE (Compliance Operations Readiness Evidence) was developed to provide an open forum for ServiceNow partners and prospective customers to ask questions, discuss pre-implementation best practices, and access key overview and compliance documentation. Once access to Limited CORE has been granted, you will be able to access the documentation below:
    • ServiceNow AssurancePack (SNAP): The most comprehensive documentation on our security controls, with information on data security and the physical and logical aspects of ServiceNow's Advanced High Availability Architecture.
    • Security white papers on topics such as Encryption, High Availability, Data Sanitization, FIPS, and more.
    • Some certifications, attestations, and reports


Security documentation on HI Service Portal

If you have HI Service Portal access, the ServiceNow Trust and Compliance Center is your first stop. Bookmark this link and make it easily accessible to your Security and Privacy team, as it is the current central location for all available security documentation within HI.

 

Some of the resources you will find in the Trust and Compliance Center are:

  • Security white papers (Encryption, Data Sanitization, ITOM Overview and more)
  • ServiceNow security certifications, attestations, and reports
  • GDPR-related documentation
  • ServiceNow's Privacy Shield policy
  • Pre-filled security questionnaires (SIG, CSA, etc.)
  • Customer penetration test process
  • Life Science-specific documentation
  • VPN settings and why they are not necessary in the Now Platform
  • Security incidents and notifications
  • Information on application security, security testing, and secure development
  • Email security with ServiceNow instances
  • MID server security
  • Upgrade and Quarterly Patch Program

 

Customers may also request access to the full version of ServiceNow CORE. CORE is a self-service documentation repository that will help you to support your internal audit and assessment requirements, prepare for onsite audits, and address FDA and other regulatory requirements. It is provided at no additional cost. Click here for additional information on ServiceNow CORE.

 

Another way to search for documentation is by security risk concern. In the table below are a few examples of some common risk concerns with a corresponding link to documentation on how ServiceNow addresses them. All of the documentation referenced is also contained in the previously mentioned resource centers.

 

| Risk Concern | Resource Link |
| --- | --- |
| Data Isolation. How do you make sure another customer cannot access my data if we have shared resources in the cloud? | We have a multi-instance architecture. To learn more about it, click one of the links below: |
| Ok, I read all your documentation and you are doing great things, but how can I still make sure my data is safe? | Do your own penetration test! Follow the procedure outlined here. |
| How do you control internal ServiceNow employees from accessing client data? | See the SNAP Documentation titled Safeguarding Your Data. |
| What do you do with customer data when the contract ends? | ServiceNow has a well-defined and documented process outlined here. |
| I am regulated by HIPAA, how does ServiceNow support me? | Download our HIPAA white paper here. |
| How does ServiceNow make sure no malicious code can infect the ServiceNow platform? | See the SNAP Documentation titled Securing the ServiceNow Platform, specifically the sections "Security Logging and Monitoring," "ServiceNow Infrastructure," and "Vulnerability Management." |
| How does ServiceNow mitigate risks associated with DDoS attacks? | See the SNAP Documentation titled Securing the ServiceNow Platform, specifically the section "Distributed Denial of Service (DDoS)." |

 

Enjoy ServiceNow securely and please do not hesitate to pass along your feedback on any topics, concerns, or questions regarding ServiceNow Cloud platform security.

 

Now it's our turn to ask you a question: Have you learned something new here, and did these resources help to answer some of your ServiceNow platform security questions? Please add your comment below!