Sensitive data over email
06-23-2015 09:37 AM
How do you protect sensitive data which is coming in and being sent out from ServiceNow via email? This has just been raised by our internal IT Security team as an issue (not an issue for IT users who aren't dealing in confidential/sensitive information). We are grappling with this as part of our current implementation.
06-23-2015 09:57 AM
There is actually a related discussion on this topic here: Prevent a specific notification to not be CC to the delegates.
I can also say that I've spoken with the Product Manager for notifications and he said that providing an easier way of disabling delegates for notifications is on our roadmap. What you can do, however, is choose not to embed sensitive information into the body of the email. You can also run a business rule to flag and stop notifications that look like they have certain key words or regular patterns (e.g. xxx-xx-xxxx) from going out.

06-24-2015 09:12 AM
Melanie,
For inbound email that results in the creation or update of records in ServiceNow (based on how your inbound email actions are configured), you can use ACLs to restrict who has access to these records in ServiceNow. For outbound notifications there are a few places you could place logic to evaluate what type of notification it is, what the email contains, or who the email is being sent to, and take action (e.g., decide not to send the message, or modify the message body based on key words or patterns). Business rules, as Eric mentioned, are a great way to do this; in addition, this could be done in a mail script.
Hope this helps and let me know if you want to have a further discussion. If you have more specific requirements please let me know as I'd be curious to hear them.
-Bryan
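The keyword/pattern filter that Eric and Bryan describe, as an added example that is not code from the thread or from ServiceNow. It is plain JavaScript so it runs anywhere; in an instance the same logic would sit server-side, for instance in a "before insert" business rule on the sys_email table that calls current.setAbortAction(true) to stop a message, or in a mail script that rewrites the body. The SSN shape (xxx-xx-xxxx) comes from Eric's post; the keyword list, the sample bodies and the function names are assumptions made for the example.

```javascript
// Outbound-notification content filter (added example, not ServiceNow code).
// Pattern-based detection plus two possible actions: block the send or redact the body.

// The SSN regex is the xxx-xx-xxxx shape from the thread. Extend this list for your
// own data types; every entry is scanned with a fresh RegExp so shared state is avoided.
const SENSITIVE_PATTERNS = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
];

// Illustrative keywords (assumption): terms that suggest an HR or medical case body.
const SENSITIVE_KEYWORDS = ["confidential", "social security", "diagnosis"];

// Return every pattern hit and keyword hit found in an email body.
function scanEmailBody(body, patterns, keywords) {
  patterns = patterns || SENSITIVE_PATTERNS;
  keywords = keywords || SENSITIVE_KEYWORDS;
  const findings = [];
  for (const p of patterns) {
    const re = new RegExp(p.re.source, "g");
    let m;
    while ((m = re.exec(body)) !== null) {
      findings.push({ type: p.name, value: m[0], index: m.index });
    }
  }
  const lower = body.toLowerCase();
  for (const kw of keywords) {
    const idx = lower.indexOf(kw.toLowerCase());
    if (idx !== -1) findings.push({ type: "keyword", value: kw, index: idx });
  }
  return findings;
}

// Replace every pattern hit with a placeholder so the notification can still go out.
function redactEmailBody(body, patterns) {
  let out = body;
  for (const p of patterns || SENSITIVE_PATTERNS) {
    out = out.replace(new RegExp(p.re.source, "g"), "[REDACTED " + p.name.toUpperCase() + "]");
  }
  return out;
}

// Decide what to do with an outbound body. mode is "block" (abort the send when
// anything sensitive is found) or "redact" (strip pattern hits and send the rest).
// Keyword hits cannot be redacted meaningfully, so in redact mode they still block.
function decideOutbound(body, mode) {
  const findings = scanEmailBody(body);
  if (findings.length === 0) return { action: "send", body: body, findings: findings };
  if (mode === "redact" && findings.every((f) => f.type !== "keyword")) {
    return { action: "redact", body: redactEmailBody(body), findings: findings };
  }
  return { action: "block", body: null, findings: findings };
}

// Constructed sample notification bodies (not real records).
const BODY_CLEAN = "Incident INC0012345 has been assigned to you. Open it in ServiceNow to view details.";
const BODY_SSN = "HR case HRC0001234 updated.\nEmployee SSN: 123-45-6789 needs verification.";
// A part number that happens to match the SSN shape: this is the false-positive case a
// regex filter will produce, which is why a failure rate has to be planned for.
const BODY_FALSE_POSITIVE = "Reference part number 555-12-3456 for the replacement keyboard.";

for (const [label, body] of [["clean", BODY_CLEAN], ["ssn", BODY_SSN], ["part", BODY_FALSE_POSITIVE]]) {
  const blockResult = decideOutbound(body, "block");
  const redactResult = decideOutbound(body, "redact");
  console.log(label + ": block-mode=" + blockResult.action + ", redact-mode=" + redactResult.action);
}
```

Mapping this onto an instance: the sys_email record holds the rendered body, so a "before insert" business rule there sees the final text regardless of which notification or mail script produced it; redacting at that point changes the stored copy as well as what is sent. The third sample shows the trade-off Dan raises below: any xxx-xx-xxxx string, SSN or not, is caught, so a block-mode rule will also stop legitimate mail.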
06-24-2015 09:29 AM
Any rule that's going to scan text content for human data entry has to have a failure rate factored. I would anticipate no less than a 30% failure rate if you're scanning emails for keywords in order to interrupt sends. This failure rate includes unintended sends and unintended blockages.
10-08-2015 08:23 AM
For our HR implementation we explicitly decided not to include any information about the user or case. The communication does have a link back to the case record, which is secured to only the user and case manager. This setup should be sufficient to address IT Security's concerns.
What we just ran into, which Eric spoke about, is that if someone has Delegates with CC Notifications = true, then those delegates receive a copy of the email no matter what table the source record was from. Until SN has a solution for this, we're going to have to come up with something creative to remove the delegates from the CC of the email.