Digital Transformation (DX) is a significant driving force for business transformation, involving the collection and utilization of various types of data. This data typically constitutes crucial business information, making its security and privacy extremely important. While appropriate use of this data can unlock new business opportunities, it also presents inherent risks. Consequently, how businesses manage and apply this data becomes a crucial issue.

Considering the tightening of privacy-related regulations and potential impacts of system downtime or cyber-attacks, security measures are indispensable when selecting a DX platform. ServiceNow provides resources on security policies and practices, aiding understanding of platform security. In this blog, we will introduce these resources role-by-role for those responsible for evaluating the security aspect of a DX platform under consideration.

Resources for CISOs and Project Sponsors

Firstly, we have resources suitable for CISOs and project sponsors of a DX platform. For companies considering the implementation of ServiceNow, it is vital to understand ServiceNow's security strategy and compliance status with global security standards to evaluate whether ServiceNow aligns with their security strategies and policies.

• Cloud Security FAQs

This resource compiles frequently asked questions about ServiceNow's security processes, physical, administrative, and logical controls. For CISOs and project sponsors looking to gain a comprehensive understanding of ServiceNow's security, this should be the first document to read. Once you have a general understanding, you can move on to other resources that interest you.

Resources for IT Security Managers and Security Architects

Next, we have materials for IT security professionals. No matter how advanced a cloud service's features are, if the security behind it is not robust, the service cannot be trusted. Evaluating reliable security measures is necessary when choosing a cloud service. Individuals in these roles carry out a comprehensive evaluation of security measures spanning physical, technical, and human management, and plan the organization's security measures based on these results.

• Protection of the Now Platform

This document provides detailed explanations on ServiceNow's security architecture, standard security controls, security incident response processes, and end-user data protection services. As a result, it allows for a concrete judgment of whether ServiceNow has trustworthy security measures.

• Shared Responsibility Model

This document explains the security responsibilities shared between ServiceNow and the user enterprise. Specifically, ServiceNow is responsible for the security of the cloud infrastructure, while the user enterprise is responsible for data encryption, user access management, and security settings of instances. This resource is a vital guideline for IT Security Managers to understand their organization's role and responsibilities, helping them to plan appropriate security measures.

Resources for Legal Professionals

As a legal professional, it is crucial to verify that ServiceNow is complying with legal regulations, especially those related to data protection and privacy. Moreover, it is necessary to clearly understand the obligations both ServiceNow and user companies hold in terms of data processing.

• FAQs on ServiceNow's Privacy and Security Program

ServiceNow's privacy and security program is designed to protect personal data that user companies submit to the ServiceNow cloud service. This resource is an essential source of information for legal professionals to understand ServiceNow's stance on privacy and security.

• FAQs about EU Personal Data International Transfer

The FAQs about EU personal data international transfer offer significant information from a data privacy perspective, especially detailed information regarding data protection regulations.

• Data Processing Addendum (DPA)

DPA is required for GDPR (General Data Protection Regulation) compliance. This document explains that the data processor (ServiceNow) processes personal data based on the instructions of the data controller (user companies) and the requirements of applicable data protection laws.

Resources for Risk Managers and Vendor Risk Managers

As a risk manager, you are responsible for evaluating the risks of the Cloud Service Provider (CSP), ServiceNow, and its services. General vendor risk assessment for CSPs requires many documents and pieces of information. However, ServiceNow provides this information selectively.

This information is consolidated in the Compliance and Operational Readiness Evidence (CORE) portal. The portal includes over 100 documents and provides comprehensive resources for performing vendor risk assessments.

• Compliance and Operational Readiness Evidence (CORE) Portal

Access to this portal requires permissions for the CORE portal, but once obtained, it grants access to white papers, pre-answered questionnaires (such as SIG or Cloud Control Matrix), ISO 27000 series certification certificates, SOC reports, penetration test reports, security policies, and security operational procedures. We also offer time-limited access to prospective customers, so please contact your sales representative for details.

Summary

ServiceNow not only serves as a DX platform but also plays a role as a tool to secure data privacy and security. In this blog, we explained how to utilize ServiceNow's security resources. By using these resources, customers considering ServiceNow can proceed with more concrete and efficient security measures. In our next blog, we will provide a detailed introduction of security resources available for administrators and developers in organizations that have already implemented ServiceNow.