Personally Identifiable Information (PII) Removal

Aric3 · ‎04-19-2013

Is there a recommended method to scan for (and remove) personally identifiable information (PII) from a ServiceNow instance?

Thanks -Aric

Uncle Rob · ‎05-23-2016

Crom's beard, do I feel your pain.

Unless you've been *both* OCD about data structure *and* the biggest a-hole in the universe with respect to email based ticket creation, PII is going littered all over your short_description and description fields. If you think I'm joking, I once worked an instance where I spent 4 hours / day scouring inbound email table cleaning out names, addresses, phone numbers, SSN's, credit card numbers... you name it.

Option 1 - Prevention

If you're in an industry that cares about PII (hah!) you now have a perfect justification for tighter control over data structure. This should also give you leverage for all those times people want *yet another* inbound email action where the initiating party is a human. If you're in the unenviable position of having humans outside your company initiating email, your in big trouble - see option 3

Option 2 - Clean up

This is nothing more than running scripts to detect & redact PII. You'll need someone with a mastery of regular expressions to help you pull patterns out of the volume of records you'll be dealing with. Depending on the size of your data set, this will almost certainly *not* capture all the rogue PII entries. Also, I know of no good way to figure out if an attachment has PII (and believe me, I've seen plenty!)

Option 3 - Encryption

You can't rely on humans to know the rules and obey them. Auditors won't care how many times you warned your target audience anyway. So a good option is to encrypt various types of incoming data. There are 4 major players dealing with Encryption on ServiceNow. My company has evaluated all 4 and we definitely have a preference. Happy to discuss this with your further at your discretion. In the interim, please read my Encyrption blog - Encryption: How not to get $#%&ed

And Finally..If you're bold enough, call out your company when it comes to designs/processes that exacerbate the PII problem. One company in particular thought I was a grouch for how vociferously I raged against public inbound actions... until I showed them suicide notes, sexual harassment complaints, collection agency notices, and customers hoping to purchase stuff with hand written credit card numbers. All there in plain text.

View solution in original post

Paul Curwen · ‎06-01-2017

Have a look at:

https://store.servicenow.com/$appstore.do#!/store/application/d0aee0190f62e640c783cd8ce1050e34/3.0.1...

***If Correct/Helpful please take time mark as Correct/Helpful. It is much appreciated.***

Regards

Paul

achauhan1 · ‎09-11-2017

HI Guys,

CipherCloud have developed an application on ServiceNow Store (https://store.servicenow.com/sn_appstore_store.do#!/store/application/6203c014db9c0300e748f11ebf9619... ) Which may help with some of your questions. CipherCloud also allow protecting the ServiceNow Data.. Please feel free to contact me to know more details...Thanks Ajay Chauhan achauhan@ciphercloud.com

richelle_pivec · ‎09-11-2017

I found these recommendations (Re: how to delete/modify/edit Work Notes ) very helpful for removing data (permanently) from our instance.

Richelle

ark6 · ‎09-12-2017

Hi Aric,

I did a project on the PII removal where the requirement is to remove all the PIIs within 21 days after a person has resigned (the info needs to be deleted from comments or activity logs as well).

So what I did is below.

1. I have written a scheduled job and check for the person who has resigned 21 days back(can be done with filter active=false).

2. When I found out the same, I have deleted his entries from the sys_user table

3. Then I have to remove his records from the below three tables

a. Sys_Audit

b. Sys_history_set

c. Sys_history line