Personally Identifiable Information (PII) Removal

Aric3
Giga Expert

Is there a recommended method to scan for (and remove) personally identifiable information (PII) from a ServiceNow instance?

Thanks -Aric

1 ACCEPTED SOLUTION

Uncle Rob
Kilo Patron

Crom's beard, do I feel your pain.

Unless you've been *both* OCD about data structure *and* the biggest a-hole in the universe with respect to email-based ticket creation, PII is going to be littered all over your short_description and description fields. If you think I'm joking, I once worked an instance where I spent 4 hours/day scouring the inbound email table cleaning out names, addresses, phone numbers, SSNs, credit card numbers... you name it.

Option 1 - Prevention

If you're in an industry that cares about PII (hah!) you now have a perfect justification for tighter control over data structure. This should also give you leverage for all those times people want *yet another* inbound email action where the initiating party is a human. If you're in the unenviable position of having humans outside your company initiating email, you're in big trouble - see option 3.

Option 2 - Clean up

This is nothing more than running scripts to detect & redact PII. You'll need someone with a mastery of regular expressions to help you pull patterns out of the volume of records you'll be dealing with. Depending on the size of your data set, this will almost certainly *not* capture all the rogue PII entries. Also, I know of no good way to figure out if an attachment has PII (and believe me, I've seen plenty!)

Option 3 - Encryption

You can't rely on humans to know the rules and obey them. Auditors won't care how many times you warned your target audience anyway. So a good option is to encrypt various types of incoming data. There are 4 major players dealing with encryption on ServiceNow. My company has evaluated all 4 and we definitely have a preference. Happy to discuss this with you further at your discretion. In the interim, please read my encryption blog - Encryption: How not to get $#%&ed

And finally... if you're bold enough, call out your company when it comes to designs/processes that exacerbate the PII problem. One company in particular thought I was a grouch for how vociferously I raged against public inbound actions... until I showed them suicide notes, sexual harassment complaints, collection agency notices, and customers hoping to purchase stuff with handwritten credit card numbers. All there in plain text.


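Option 2 in the accepted answer describes scripted detection and redaction driven by regular expressions. What follows is an added example written for this page, not code from Uncle Rob, the thread, or ServiceNow itself: a small redactor for free-text fields such as short_description and description. It is written in plain ES5 so the same functions run under Node and under ServiceNow's server-side script engine. The sample records, the field names, and the pattern list are constructed assumptions (a starting point, not a complete PII taxonomy). The Luhn check on card-like numbers and the SSA range check on SSN-like numbers are there so that order numbers and build IDs that merely look like PII are left alone; everything the regexes catch is reported per record so the cleanup can be reviewed and verified.

```javascript
// Added example (not from the original post): detect and redact common PII
// patterns in ticket text. ES5 only, so it also runs in ServiceNow server scripts.

// Luhn check: filters ticket/order numbers that merely look like card numbers.
function luhnValid(digits) {
  var sum = 0, alt = false;
  for (var i = digits.length - 1; i >= 0; i--) {
    var d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// SSA never issues area 000, 666 or 900-999, group 00, or serial 0000.
function ssnPlausible(area, group, serial) {
  return !(area === '000' || area === '666' || area.charAt(0) === '9' ||
           group === '00' || serial === '0000');
}

// Order matters: longer/more specific patterns first so the phone pattern
// never sees digits that belong to an SSN, card number or email address.
// 'keep' decides whether a regex hit is really PII.
var PATTERNS = [
  { type: 'ssn',
    re: /\b(\d{3})-(\d{2})-(\d{4})\b/g,
    keep: function (m, a, g, s) { return ssnPlausible(a, g, s); } },
  { type: 'card',
    re: /\b(?:\d[ -]?){12,18}\d\b/g,
    keep: function (m) { return luhnValid(m.replace(/[ -]/g, '')); } },
  { type: 'email',
    re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
    keep: function () { return true; } },
  { type: 'phone',
    re: /(?:\+?1[ .-]?)?(?:\(\d{3}\)|\b\d{3})[ .-]?\d{3}[ .-]?\d{4}\b/g,
    keep: function () { return true; } }
];

// Redact one text field. Returns the cleaned text plus a per-type hit count.
function redactPII(text) {
  var findings = {};
  var out = text;
  PATTERNS.forEach(function (p) {
    out = out.replace(p.re, function () {
      var args = Array.prototype.slice.call(arguments);
      var match = args[0];
      // The last two replace() callback args are offset and whole string;
      // everything between is the capture groups.
      var groups = args.slice(1, args.length - 2);
      if (!p.keep.apply(null, [match].concat(groups))) return match;
      findings[p.type] = (findings[p.type] || 0) + 1;
      return '[' + p.type.toUpperCase() + ' REDACTED]';
    });
  });
  return { text: out, findings: findings };
}

// Scan the given fields of each record without mutating the input; records
// with at least one hit are returned with their redacted text and counts.
// In a ServiceNow Fix Script the records would come from a GlideRecord query
// (assumption about deployment, not shown here) and gr.setValue/update would
// write entry.redacted back.
function scanRecords(records, fields) {
  var report = [];
  records.forEach(function (rec) {
    var entry = { number: rec.number, redacted: {}, findings: {} };
    var hit = false;
    fields.forEach(function (f) {
      var r = redactPII(rec[f] || '');
      entry.redacted[f] = r.text;
      Object.keys(r.findings).forEach(function (t) {
        entry.findings[t] = (entry.findings[t] || 0) + r.findings[t];
        hit = true;
      });
    });
    if (hit) report.push(entry);
  });
  return report;
}

// Constructed sample rows standing in for incident records.
var SAMPLE_RECORDS = [
  { number: 'INC0010001', short_description: 'Password reset',
    description: 'My SSN is 123-45-6789, call me at (555) 123-4567.' },
  { number: 'INC0010002', short_description: 'Order issue',
    description: 'Charged card 4111 1111 1111 1111 for order 1234 5678 9012 3456, mail jane.doe@example.com.' },
  { number: 'INC0010003', short_description: 'Laptop will not boot',
    description: 'Fails after firmware build 000-12-3456.' }
];

// Stand-alone run (use gs.info instead of console.log inside ServiceNow).
console.log(JSON.stringify(scanRecords(SAMPLE_RECORDS, ['short_description', 'description']), null, 2));
```

Running it redacts the SSN and phone number in the first record and the card number and email address in the second, while leaving the non-Luhn order number and the impossible "000-12-3456" build ID untouched; the third record produces no report entry at all. Treat the returned report as the audit trail for the "how the cleanup will be verified" step discussed later in the thread, and remember the answer's own caveat: this catches patterned PII only, not names, addresses or attachments.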

8 REPLIES

Linda Kendrick
Kilo Guru

Have you received any information or tips? Having to remove PII in our instance.




brianrichards
Tera Guru

The trick with PII seems to be that automation is out of the question, so each reported instance of PII appearing in a record requires a systematic - but manual - process.



In addition to Robert's terrific advice here I would suggest establishing an organizational "PII handling policy" that documents:

1. Who is responsible for doing the cleanup work (since they will be viewing the PII and will require elevated privileges)
2. What the standard process is for conducting the search (log in as admin, view the record history, search the email log, etc.)
3. To what depth the cleanup may go (destroy the entire record, redact only the PII text itself, somewhere in between)
4. How the cleanup will be verified.



I think our team does a pretty good job with the first three on this list, but we have not thoroughly addressed the fourth due to resource constraints.



- Brian


julianav
Kilo Contributor

We were having the same problem with protecting PII with an HR customer. We found an application in the ServiceNow Store called Data Masker which uses business rules to completely remove PII, or any data you choose from view. We have been using the trial version, but so far it's worked great.



https://store.servicenow.com/$appstore.do#!/store/application/a8c845790f380600c783cd8ce1050e77/1.5.1...