CPS 234 Key requirements, CPS 234 Provisions and ServiceNow Response

Key requirement: Roles and responsibilities

Provision 13. The Board of an APRA-regulated entity (Board) is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity.

ServiceNow Response:
This is a customer's responsibility.
Although ServiceNow is not an APRA-regulated entity, ServiceNow is a publicly traded company on the New York Stock Exchange and is therefore required to comply with the U.S. Securities and Exchange Commission (SEC) disclosure requirements, such as those covering cyber governance, cyber risk management and strategy, and cyber incident reporting.
ServiceNow's security organization is led by ServiceNow's Chief Information Security Officer (CISO), who is also responsible for reporting to ServiceNow's Board.

Provision 14. An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.
Key requirement: Information security capability

Provision 15. An APRA-regulated entity must maintain an information security capability commensurate with the size and extent of threats to its information assets, which enables the continued sound operation of the entity.

ServiceNow Response:
This is a customer's responsibility.

Provision 16. Where information assets are managed by a related party or third party, the APRA-regulated entity must assess the information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets.

ServiceNow Response:
ServiceNow is a provider of Platform and Software as a Service to APRA-regulated entities, delivering digital experiences that automate, predict, digitize and optimize business processes and tasks across the enterprise. ServiceNow customers gain the benefits of a common, highly standardized cloud infrastructure, while realizing the security benefits of customer-specific isolation at the application and database layers.
It is important to note that ServiceNow's security framework is based on ISO/IEC 27002:2013. ServiceNow has been an ISO 27001 certified organization since 2012 and is also ISO/IEC 27017:2015 and 27018:2019 certified. Additionally, ServiceNow's Australian Region Cloud Services provides two distinct cloud services, namely:
• Commercial Cloud, which has been assessed to meet the "OFFICIAL" data classification security controls detailed in the Information Security Manual (ISM).
• PROTECTED Platform, which has been assessed to meet the "PROTECTED" data classification security controls detailed in the Information Security Manual (ISM).
However, as with all PaaS and SaaS cloud service providers, the overall security responsibilities are shared between customers, ServiceNow and the data center provider.
As the data controller, ServiceNow customers control the data stored in their ServiceNow instance and are responsible for the life cycle management of all data placed into the instance, including determining who has access rights to the instance and the data stored in it.
As the data processor, ServiceNow provides its customers with extensive capabilities and tools to configure, secure, manage and audit their instances to meet their own security policies and requirements. In general, from an operational perspective, ServiceNow does not access customer data, but it is sometimes necessary in the course of resolving customer support tickets.
ServiceNow customers have control over the security of their instance and their data within the ServiceNow cloud. Customers can control specific security settings within the instance to harden the application or platform settings to meet their unique security or compliance requirements.
For example, ServiceNow customers can choose from several data-at-rest encryption options, manage application-level role-based access controls, tag and classify sensitive data, and select authentication mechanisms. Additional ServiceNow recommendations include, but are not restricted to, the following; ServiceNow customers should:
• conduct an annual application-level penetration test;
• export instance logs for continuous monitoring.
To assist ServiceNow customers in evaluating the information security capabilities of ServiceNow's cloud services, a number of resources are available:
• ServiceNow Trust and Compliance Center, with the latest information regarding ServiceNow's Platform security, privacy, availability and compliance - https://www.servicenow.com/au/company/trust.html
• Compliance and Operational Readiness Evidence (CORE) portal. Details for obtaining CORE access can be reviewed here - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0564067 . The portal includes over 100 documents and provides comprehensive resources for performing vendor risk assessments (such as SIG, ISO 27000 series certificates, SOC reports, penetration test reports, security policies and security operational procedures) - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959484
• eBook providing a detailed description of ServiceNow's cloud architecture and operational practices - https://blogs.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/ebo...
• ServiceNow's Security Best Practice Guide for customers - https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/success/playbook/inst...
• ServiceNow's self-assessed Cloud Security Alliance (CSA) Cloud Controls Matrix (also known as the Consensus Assessments Initiative Questionnaire (CAIQ)), containing responses to over 300 questions - https://cloudsecurityalliance.org/star/registry/servicenow/

Provision 17. An APRA-regulated entity must actively maintain its information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.
Key requirement: Policy framework

Provision 18. An APRA-regulated entity must maintain an information security policy framework commensurate with its exposures to vulnerabilities and threats.

ServiceNow Response:
This is a customer's responsibility.
It is important to note that ServiceNow's security framework is based on ISO/IEC 27002:2013. ServiceNow has been an ISO 27001 certified organization since 2012 and is also ISO/IEC 27017:2015 and 27018:2019 certified. Additionally, ServiceNow's Australian Region Cloud Services provides two distinct cloud services, namely:
• Commercial Cloud, which has been assessed to meet the "OFFICIAL" data classification security controls detailed in the Information Security Manual (ISM).
• PROTECTED Platform, which has been assessed to meet the "PROTECTED" data classification security controls detailed in the Information Security Manual (ISM).
Further information on ServiceNow's Information Security Program, Policies and Procedures is available from ServiceNow's Compliance and Operational Readiness Evidence (CORE) portal - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959484 . Details for obtaining CORE access can be reviewed here - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0564067
As the data controller, ServiceNow customers control the data stored in their ServiceNow instance and are responsible for the life cycle management of all data placed into the instance, including determining who has access rights to the instance and the data stored in it.
As the data processor, ServiceNow provides its customers with extensive capabilities and tools to configure, secure, manage and audit their instances to meet their own security policies and requirements. In general, from an operational perspective, ServiceNow does not access customer data, but it is sometimes necessary in the course of resolving customer support tickets.
ServiceNow customers have control over the security of their instance and their data within the ServiceNow cloud. Customers can control specific security settings within the instance to harden the application or platform settings to meet their unique security or compliance requirements. Further details can be reviewed here: https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/success/playbook/inst...

Provision 19. An APRA-regulated entity's information security policy framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security.
Key requirement: Information asset identification and classification

Provision 20. An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries, or other customers.

ServiceNow Response:
ServiceNow customers remain the data controller (i.e. data owner) for all data they store in their ServiceNow instance and should therefore apply data classifications according to their own data classification policies. For more information, review Data Classification: https://docs.servicenow.com/csh?topicname=data-classification.html&version=latest
As the data processor, ServiceNow uses a very specific data classification scheme: any customer data that is stored or processed by a ServiceNow instance is classified as 'Customer Confidential', regardless of whether the customer deems the data to be sensitive or non-sensitive. All ServiceNow assets containing data are marked and labelled in the configuration management database (CMDB) according to the Information Security Policy and the Data Classification Standard. ServiceNow classifies customer data as 'Customer Restricted'. ServiceNow does not inspect or monitor its customers' data and has no ability to understand how any data may have been classified by individual customers.
Further information is available from ServiceNow's Compliance and Operational Readiness Evidence (CORE) portal:
• Information Security Policy - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958726
• Data Classification Standard - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958735
Details for obtaining CORE access can be reviewed here - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0564067
Key requirement: Implementation of controls

Provision 21. An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with: (a) vulnerabilities and threats to the information assets; (b) the criticality and sensitivity of the information assets; (c) the stage at which the information assets are within their life cycle; and (d) the potential consequences of an information security incident.

ServiceNow Response:
It is important to note that ServiceNow's security framework is based on ISO/IEC 27002:2013. ServiceNow has been an ISO 27001 certified organization since 2012 and is also ISO/IEC 27017:2015 and 27018:2019 certified. Additionally, ServiceNow's Australian Region Cloud Services provides two distinct cloud services, namely:
• Commercial Cloud, which has been assessed to meet the "OFFICIAL" data classification security controls detailed in the Information Security Manual (ISM).
• PROTECTED Platform, which has been assessed to meet the "PROTECTED" data classification security controls detailed in the Information Security Manual (ISM).
ServiceNow's IRAP assessment reports can be made available to ServiceNow customers. If required, please reach out to your ServiceNow account team and request a copy of ServiceNow's IRAP assessment report.
In addition to the above, APRA-regulated entities can evaluate ServiceNow's information security controls by reviewing:
• Information Security Policy - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958726
• Information Security Standards - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958674
• Case Management SOP - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959724
• Security Incident Response SOP - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958838
• Cloud Vulnerability Management SOP - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958878
• ServiceNow's self-assessed Cloud Security Alliance Cloud Controls Matrix (also known as the Consensus Assessments Initiative Questionnaire (CAIQ)), covering security, privacy, compliance and risk management requirements - https://cloudsecurityalliance.org/star/registry/servicenow/
Additional guidance for ServiceNow customers is in the Instance Security Best Practice Guide - https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/success/playbook/inst...

Provision 22. Where an APRA-regulated entity's information assets are managed by a related party or third party, the APRA-regulated entity must evaluate the design of that party's information security controls that protect the information assets of the APRA-regulated entity.
Key requirement: Incident management

Provision 23. An APRA-regulated entity must have robust mechanisms in place to detect and respond to information security incidents in a timely manner.

ServiceNow Response:
Security is generally a shared responsibility between cloud service providers (CSPs) and their customers; this includes the monitoring of security events. Further details on ServiceNow's shared responsibility model can be reviewed here: https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white...
As part of its responsibilities, ServiceNow continually monitors its internal systems and activities relevant to customer instances of the Now Platform in order to detect potential security issues or incidents. APRA-regulated entities can evaluate the following:
• Information Security Policy - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958726
• Information Security Standards - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958674
• Case Management SOP - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959724
• Security Incident Response SOP - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958838
The Now Platform incorporates features which customers can leverage towards a defence-in-depth approach to security. This includes the Instance Security Center (ISC), which presents much of this information out-of-the-box, such as the security compliance score for an instance, and lets customers monitor the instance's overall security health and apply security-related settings. Further information can be reviewed here: https://docs.servicenow.com/csh?topicname=instance-security-center.html&version=latest
An instance of ServiceNow also provides extensive logging of transactions, events and system-level activity. Customers may leverage these logs to run regular reports, set alerts, or have the system create cases or start workflows when a customer-defined criterion is met, for example when failed logins are detected or when access to customer-specific record types has occurred. Customers may also forward events from the instance to their own syslog service using the Syslog Probe functionality, in conjunction with the ServiceNow Management, Instrumentation, and Discovery (MID) Server component. Further information can be reviewed here: https://docs.servicenow.com/csh?topicname=mid-server-landing.html&version=latest
ServiceNow can also support customers' compliance through the "Breach Notification" commitments detailed in ServiceNow's Data Security Addendum - https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/legal/data-security-a...

Provision 24. An APRA-regulated entity must maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans).

Provision 25. An APRA-regulated entity's information security response plans must include the mechanisms in place for (a) managing all relevant stages of an incident, from detection to post-incident review; and (b) escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsible for information security incident management and oversight, as appropriate.

Provision 26. An APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit for purpose.
Key requirement: Testing control effectiveness and internal audit

Provision 27. An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with: (a) the rate at which the vulnerabilities and threats change; (b) the criticality and sensitivity of the information asset; (c) the consequences of an information security incident; (d) the risks associated with exposure to environments where the APRA-regulated entity is unable to enforce its information security policies; and (e) the materiality and frequency of change to information assets.

ServiceNow Response:
The effectiveness of ServiceNow's security controls is tested via multiple external audits and assessments. ServiceNow has established and maintained sufficient controls to meet certification and attestation for the objectives stated in ISO27001, ISO27018, SSAE 18 / SOC 1 and SOC 2 Type 2 (or equivalent standards) for the Security Program. At least once per calendar year, an assessment against such standards and audit methodologies by an independent third-party auditor will be obtained for environments where Customer data is stored.
ServiceNow's customers are responsible for testing the effectiveness of their own information security controls and may use the available ServiceNow resources from ServiceNow's external audits and assessments. ServiceNow will allow for and contribute to audits that include inspections by granting Customer access to reasonable and industry-recognized documentation evidencing the policies and procedures governing the security and privacy of Customer Data and the Security Program, through a self-access documentation portal: ServiceNow's Compliance and Operational Readiness Evidence (CORE) portal.
It is important to note that ServiceNow's security framework is based on ISO/IEC 27002:2013. ServiceNow has been an ISO 27001 certified organization since 2012 and is also ISO/IEC 27017:2015 and 27018:2019 certified. Additionally, ServiceNow's Australian Region Cloud Services provides two distinct cloud services, namely:
• Commercial Cloud, which has been assessed to meet the "OFFICIAL" data classification security controls detailed in the Information Security Manual (ISM).
• PROTECTED Platform, which has been assessed to meet the "PROTECTED" data classification security controls detailed in the Information Security Manual (ISM).
ServiceNow's IRAP assessment reports can be made available to ServiceNow customers. If required, please reach out to your ServiceNow account team and request a copy of ServiceNow's IRAP assessment report.
ServiceNow's certifications, third-party attestations and assessment reports are available from ServiceNow's Compliance and Operational Readiness Evidence (CORE) portal; these include, but are not limited to:
• ServiceNow's current ISO 27001/ISO 27017/ISO 27018 Certificate and Report Summary - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958929
• SSAE18 SOC 2 Type 2 Report - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0958932
• Penetration Test: Network (Cloud) - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959738
• Other certification and assessment reports can be accessed via the CORE directory listing - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0959484
Details for obtaining CORE access can be reviewed here - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0564067
ServiceNow is committed to continually improving the effectiveness of ServiceNow's security program. ServiceNow's approach, at a high level, can be reviewed here: https://blogs.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/ebo...

Provision 28. Where an APRA-regulated entity's information assets are managed by a related party or a third party, and the APRA-regulated entity is reliant on that party's information security control testing, the APRA-regulated entity must assess whether the nature and frequency of testing of controls in respect of those information assets is commensurate with paragraphs 27(a) to 27(e) of this Prudential Standard.

Provision 29. An APRA-regulated entity must escalate and report to the Board or senior management any testing results that identify information security control deficiencies that cannot be remediated in a timely manner.

Provision 30. An APRA-regulated entity must ensure that testing is conducted by appropriately skilled and functionally independent specialists.

Provision 31. An APRA-regulated entity must review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.

Provision 32. An APRA-regulated entity's internal audit activities must include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance).

Provision 33. An APRA-regulated entity must ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance.

Provision 34. An APRA-regulated entity's internal audit function must assess the information security control assurance provided by a related party or third party where: (a) an information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; and (b) internal audit intends to rely on the information security control assurance provided by the related party or third party.
Key requirement: APRA notification

Provision 35. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 72 hours, after becoming aware of an information security incident that: (a) materially affected, or had the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers; or (b) has been notified to other regulators, either in Australia or other jurisdictions.

ServiceNow Response:
ServiceNow supports customers' APRA notification compliance by reporting to the Customer any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data ("Breach") without undue delay following a determination by ServiceNow that a Breach has occurred. ServiceNow's "Breach Notification" commitments are detailed in ServiceNow's Data Security Addendum - https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/legal/data-security-a...
After ServiceNow notifies the customer of an information security incident, the customer is then responsible for determining whether notification to APRA (within 72 hours) is required. Additionally, the customer must also notify APRA (within 10 days) if a material control weakness cannot be remediated in a timely manner.
It is important to note that security incident monitoring is a shared responsibility. As part of its responsibilities, ServiceNow continually monitors its internal systems and activities relevant to customer instances of the Now Platform in order to detect potential security issues or incidents.
ServiceNow customers are expected to, and are responsible for, detecting security incidents related to their instances. In general, from an operational perspective, ServiceNow does not access customer data and will not have visibility into the activities within a customer's instance. An instance of ServiceNow also provides extensive logging of transactions, events and system-level activity. Customers may leverage these logs to run regular reports, set alerts, or have the system create cases or start workflows when a customer-defined criterion is met, for example when failed logins are detected or when access to customer-specific record types has occurred. Customers may also forward events from the instance to their own syslog service using the Syslog Probe functionality, in conjunction with the ServiceNow Management, Instrumentation, and Discovery (MID) Server component. Further information can be reviewed here: https://docs.servicenow.com/csh?topicname=mid-server-landing.html&version=latest
Further details on ServiceNow's shared responsibility model can be reviewed here: https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/white...
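The responses to provisions 23 and 35 both describe the same customer-side detection pattern: export instance logs to the customer's own syslog collector and alert on customer-defined criteria such as repeated failed logins or reads of specific record types. The script below is an added example of that detection logic running on the collector side; it is not ServiceNow's code and uses no ServiceNow API. The key=value line layout, the event names login.failed and record.read, the table name x_hr_payroll, the hr_admin allow-list and the thresholds are all constructed assumptions standing in for whatever the customer's Syslog Probe / MID Server forwarding actually emits, so parse_event() is the part to adapt to the real field layout.

```python
"""Two detection rules over instance events forwarded to syslog.

Added example; not ServiceNow code. The line layout, event names, the
table x_hr_payroll, the reader allow-list and the thresholds are all
constructed assumptions. Adapt parse_event() to the real forwarded format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of forwarded events (format is an assumption).
# Includes a burst of failures, an allowed and a disallowed sensitive read,
# two widely spaced failures that should not alert, and a malformed line.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01Z host=inst01 event=login.failed user=jdoe src=203.0.113.5
2024-05-01T09:00:12Z host=inst01 event=login.failed user=jdoe src=203.0.113.5
2024-05-01T09:00:20Z host=inst01 event=login.failed user=jdoe src=203.0.113.5
2024-05-01T09:00:25Z host=inst01 event=login.failed user=jdoe src=203.0.113.5
2024-05-01T09:00:31Z host=inst01 event=login.failed user=jdoe src=203.0.113.5
2024-05-01T09:05:00Z host=inst01 event=login.success user=asmith src=198.51.100.7
2024-05-01T09:06:10Z host=inst01 event=record.read user=asmith table=sys_user src=198.51.100.7
2024-05-01T09:07:45Z host=inst01 event=record.read user=asmith table=x_hr_payroll src=198.51.100.7
2024-05-01T09:08:00Z host=inst01 event=record.read user=hr_admin table=x_hr_payroll src=198.51.100.9
2024-05-01T10:00:00Z host=inst01 event=login.failed user=bob src=192.0.2.9
this line is not an event and must be skipped
2024-05-01T11:00:00Z host=inst01 event=login.failed user=bob src=192.0.2.9
"""

FAILED_LOGIN_THRESHOLD = 5                  # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this sliding window
SENSITIVE_TABLES = {"x_hr_payroll"}         # constructed record type name
ALLOWED_READERS = {"hr_admin"}              # constructed allow-list for it

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_event(line):
    """Return a dict of fields for one forwarded line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(lines):
    """Run both rules over an iterable of log lines and return alert dicts."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    burst_alerted = set()          # users already reported, to avoid repeats
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue               # malformed lines are skipped, not fatal
        kind, user, ts = ev.get("event"), ev.get("user", "?"), ev["ts"]
        if kind == "login.failed":
            q = failures[user]
            q.append(ts)
            while q and ts - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()        # drop failures that fell out of the window
            if len(q) >= FAILED_LOGIN_THRESHOLD and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append({"rule": "failed_login_burst", "user": user,
                               "count": len(q), "at": ts})
        elif kind == "record.read" and ev.get("table") in SENSITIVE_TABLES:
            if user not in ALLOWED_READERS:
                alerts.append({"rule": "sensitive_table_read", "user": user,
                               "table": ev["table"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Run against the constructed sample, the script raises exactly two alerts: a failed-login burst for jdoe (five failures inside five minutes) and a sensitive-table read by asmith; bob's two failures an hour apart stay under the window and hr_admin's read is on the allow-list. The sliding window and the once-per-user de-duplication are the two details worth keeping when porting this to a real collector, since without them a single brute-force attempt floods the case queue described in the text.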
Provision 36. An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness that the entity expects it will not be able to remediate in a timely manner.