
on 11-01-2020 11:45 PM
In the previous article, Cloud Movement Part 1: Checklist for your Successful Migration, I listed a few tips on how to plan the migration of an on-premise ServiceNow instance into the cloud. The next step is to get your plan approved by security, usually by ISOs (Information Security Officers). In some organizations this can be a long and complex path. However, you can make it shorter if you follow a few best practices, which I'd like to share with you.
Find the right ISO as early as possible. In global companies it might be a challenge to find the right people responsible for your region or business unit. Assessment of your migration might be reassigned multiple times from one ISO to another, which can not only impact the timeline, but also become the most painful and bureaucratic part of the whole project. So, after you find an ISO, make sure he/she is indeed the one who can review and sign off on your migration solution.
Understand your data and its classification. Whatever data is stored on your instance, it's essential to understand security needs and concerns associated with it. Are there hardware or software assets, user credentials or other data related to the corporate infrastructure? What about financial information, such as project budgets and costs? Or maybe salaries, ID numbers and medical data of employees? Depending on those, your solution will have specific security requirements to comply with.
Consider all internal security assessment procedures and policies. Companies often have several siloed processes, such as vendor assessment, data classification or business impact analysis. Some of those can suddenly come up close to a deadline. Therefore, make sure you know all the procedures and have access to the people, tools and information necessary to complete them. Also, check the availability of approvers.
Consider external regulatory requirements. Depending on your industry, region and the data stored on your ServiceNow instance, you need to consider the laws and regulations that apply to your business. Typical examples would be GDPR for European companies, HMDA for the financial sector or HIPAA for health care companies. To determine which standards must be fulfilled, engage with your compliance team.
Understand platform capabilities. When convincing your ISO that ServiceNow is a fully secure platform, you will have to prove it. So, get ready to collect and review tons of security standards and policies, certificates, pentest reports and other materials which prove that ServiceNow follows the latest industry standards. This might require you not only to contact ServiceNow directly, but also to search across the communities and resources, such as the ServiceNow Trust Center. Sounds challenging? No worries, you can always engage with specialists who can help you find the right tools and materials.
Be prepared for changes in your solution. It's very likely that the security assessment will result in new requirements, such as implementation of a VPN, IP Whitelisting, an additional layer of encryption or multi-factor authentication. It goes without saying that your team must be prepared for such enhancements.
I hope these tips and tricks will help you better prepare for the security assessment prior to the migration. In the next part I will share a few thoughts on the solution design.