Welcome to K23 Human Resources (HR) Implementation Pre-Conference Training - Marco Polo 707

Here is your link for KPI library!

http://kpilibrary.com/

Is there an online source or product document where I can see the list of ALL COEs, Topic Categories, Topic Details, and HR Services?

Question on Application Restricted access. 

When you mark a status as denied, is there a way to have a cleaner or configured message shown to the end user? We try to keep end user messages very clear about what they are and what is going on.

Is there an online source or product document where I can see the list of ALL COEs, Topic Categories, Topic Details, and HR Services?

The ServiceNow capability for translations tasks is called Dynamic Translations.

Allows you to plug into auto translation but then generate tasks to have people come behind and verify the translation.

https://docs.servicenow.com/bundle/utah-platform-administration/page/administer/dynamic-translation/...

Here is your blueprint for the exam:

https://nowlearning.servicenow.com/lxp?id=kb_article_view&sys_kb_id=4aee11eb97b161548934b67e6253afaa

Link to NowLearning - https://nowlearning.service-now.com/

Protecting Sensitive Employee Information

by Eric Hemmer

This question comes up for every new customer, and rightly so.   Below are the techniques hundreds of our customers have employed to keep personal information confidential in ServiceNow.

First — Address Fundamental Questions

• Who administrates your current HCM system?
• Do you have an HRIS resource or does someone in IT do it?
• Do administrators already have access to sensitive information?
• How do you prevent them from seeing personal information today?
• Do you have periodic audits and control tests in place?
• Do you conduct periodic training, and do you require attestations or confidentiality and ethical conduct from employees who have access to sensitive information?

Second - You are in Good Company

ServiceNow has hundreds of enterprise HR, Healthcare, Financial Services, and Governmental customers who employee a variety of techniques to protect the integrity of their data.

We understand that security is paramount. For that reason, we allow you to create access control lists (ACL's) that leverage contextual security. This allows you to restrict access to tables and columns to those people who have the appropriate roles. For example, you can encrypt information in custom fields and only provide the role required to decrypt the fields to those people in your HR group(s).   You can also configure ACL's to grant access based on your relationship to the case (e.g. I opened it, or I belong to the group that is assigned to it, or I am an HR supervisor and it is marked as private.)

Techniques

1. Classify sensitive data and only import that which is necessary.   Put sensitive information in the hr_profile table. HRSA comes with ACL's that prevent IT from seeing data in HR tables, like the hr_profile table.   Customers can also create their own ACL's and encrypt custom fields.
2. Review ACL's for your hr tables and ensure that Admin Overrides is unchecked, if necessary.
3. Create custom fields and encrypt them at the column level.   Only employees with specific roles can see those fields. You should generally avoid encrypting OOB fields when possible as that can impact business rules and reporting because the ServiceNow system account cannot interpret fields that you encrypt.
4. Aggregate sensitive information onto a specific tab on the form.   Train your agents that if you must put sensitive information into a case, it goes into one of the fields on this tab and nowhere else.  This is like social engineering for your team.
5. Do not grant your administrators permanent admin access in your Production environment. If the admin needs access to troubleshoot an issue in production, force them to submit a change request to temporarily grant that privilege and keep an audit record. (Orchestration is a great way to ensure the elevated privilege is automatically removed after a set amount of time.) When cloning data from production back to Dev, exclude sensitive data from your hr_profile table.
6. Configure a special security event and notification in when an admin attempts to give himself or herself a role that would allow him or her to see the encrypted fields on hr tables. You would then be notified and can review the log files to see what the admin was doing.
7. Set up periodic controls to view logs for admins assigning themselves roles. Consider using our Governance, Risk and Control (GRC) application to schedule and document this activity.
8. Encrypt the attachments table in case an errant screenshot is uploaded with personal information on it.
9. Content Masking uses clients scripts that look for text in free form text fields that may match a common PII format (e.g. xxx-xx-xxxx) or key words that you set up. If it detects such a format or words, it can warn the agent or employee and/or redact the data before it is saved to the database. It can also create a follow-on task for a supervisor to review the record in question. [Update April 2018 - ServiceNow professional services has implemented a solution for this on multiple occasions.  You set up regular expressions (e.g. xxx-xx-xxxx) and key words (e.g. cancer) and those words are redacted from the plain text field and replaced with a generic marker that indicates text was redacted.  The text is moved into a custom, encrypted field that before the record is committed to the database.  Only a select number of people in your organization have access to the custom encrypted field and there is an audit trail.  This is great automation and alleviates the need to encrypt OOB fields such as Short_description, Description, and journal fields such as Comments.  One of our partners also offers this solution on the ServiceNow store.  Here is a link to that solution.
10. Use Coaching Loops to provide feedback to agents regarding proper process and policy.
11. Use GRC to create periodic controls tests to sample cases for adherence to process and policy.
12. Some customers train their admins and have them sign confidentiality agreements — the same as people in HRIS sign.
13. Customers should consider cloning carefully.   If your access rights are not as tight in non-production environments, then exclude the hr_profile table from clones, so your developers cannot see this information.   You may also use Clean Up Scripts within the Cloning application to remove or scramble certain fields.
14. With Geneva, ServiceNow added additional safeguards to limit access to cases and HR Profiles, so that even administrators who impersonate someone in HR cannot see potentially confidential employee information.   (Of course, your System Administrator should not have the admin role in Production environment anyway as a best practice.   See #5.)     Read more on that here HR profile security.
15. Here is another recommendation: Prevent delegates from receiving certain notifications that could contain personal information.   There is a checkbox called, "Exclude delegates" that was introduced in Geneva exactly for this reason.
16. With the Istanbul release, ServiceNow scoped the HR Service Delivery application.  This allows the HR Administrator to control access to any part of the HR application and lock-out the IT administrator as well if desired.  It provides HR full autonomy over access and configuration of the HR suite of applications.
17. Some customers inquire about Edge Encryption.  However, the steps listed above provide the necessary protection without Edge Encryption.  In fact, as of April 2018, only 1 out of 500+ HRSD customers is currently using Edge Encryption as part of their strategy.  

@AHinton , 

Each HR Center of Excellence is an extension of the HR Case [sn_hr_core_case] table and is organized around a functional discipline, such as employee relations, lifecycle events, payroll, talent management, workforce administration, total rewards, HRIT operations, benefits, compensation, corporate communications, and global mobility.

Hi!

My name is Monica, H2R specialist within the Global Enterprise Services in Cemex. I am currently working to implement HRSD globally and facing some challenges with language and HR Service Catalog, looking forward to learning on best practices, digital transformation and unifying HR platforms with ServiceNow.

@ ServiceNow team,

Would it be possible for you to share the list of the HR Services available in your HR Catalog at the portal (as a SNOW employee)? Just trying to get an insight of the general queries on a global perspective.