ServiceNow-wp-shared-responsibility-model.pdf

TiagoMacul 294 views 23 slides Jul 18, 2024

Shared Responsibility Model

Shared Responsibility Model _v2.1 | May 2024
Release: Washington, DC
Introduction
Security is a partnership between ServiceNow® and the customer, both with specific responsibilities. Therefore, it is essential that each party understands their role in this partnership.
Customer: As the data controller, the customer is responsible for determining how data is
collected, stored, used, shared, archived, destroyed, and for maintaining the
accuracy and confidentiality of that data.
ServiceNow: As the data processor, ServiceNow supports the data controllers by
providing features to enable access and control of data processing
activities and obligations.
See the Safeguarding Your Data white paper for more information on these roles
and responsibilities.
Please note: All information in this document is related to the standard Now Platform commercial environment.
© 2024 ServiceNow, Inc. All rights reserved.

Shared Responsibility Model overview
This table shows the areas of responsibility for the main aspects of Now Platform® security. Click on any area of responsibility to find out more information. When finished, click the icon (upper right corner) to return to this page.
Area of responsibility                           Responsible party (Customer / ServiceNow / Colocation data center providers)
Secure configuration of instance                 Customer
Authentication and authorization                 Customer
Data management (classification and retention)   Customer
Data encryption at rest                          Customer
Data encryption in transit                       Customer, ServiceNow
Encryption key management                        Customer, ServiceNow
Security logging and monitoring                  Customer, ServiceNow
Secure SDLC processes                            Customer, ServiceNow
Penetration testing                              Customer, ServiceNow
Vulnerability management                         Customer, ServiceNow
Privacy                                          Customer, ServiceNow
Compliance: regulatory and legal                 Customer, ServiceNow, Colocation
Employee vetting or screening                    Customer, ServiceNow, Colocation
Physical security/environment controls           ServiceNow, Colocation
Cloud infrastructure security management         ServiceNow
Infrastructure management                        ServiceNow
Media disposal and destruction                   ServiceNow
Backup and restore                               ServiceNow
Business continuity and disaster recovery        ServiceNow
TOC
Introduction . . . . . . . . . . . . . . . . . . . 2
Shared Responsibility Model overview . . . 3
Secure configuration of instance . . . . . . . 4
Authentication and authorization . . . . . . 5
Data management . . . . . . . . . . . . . . . 6
Data encryption at rest . . . . . . . . . . . . 7
Data encryption in transit . . . . . . . . . . . 8
Encryption key management . . . . . . . . . 9
Security logging and monitoring . . . . . . 10
Secure SDLC processes . . . . . . . . . . . . 11
Penetration testing . . . . . . . . . . . . . . . 12
Vulnerability management . . . . . . . . . . 13
Privacy . . . . . . . . . . . . . . . . . . . . . .14
Compliance: regulatory and legal . . . . . 15
Employee vetting and screening . . . . . . 16
Physical security/environmental controls . . 17
Cloud infrastructure security mgmt . . . . . 18
Infrastructure management . . . . . . . . . 19
Media disposal and destruction . . . . . . 20
Backup and restore . . . . . . . . . . . . . . 21
Business continuity and disaster recovery . 22
Resources . . . . . . . . . . . . . . . . . . . . 23

Customer Responsibility
Links and additional resources
ServiceNow Security Best Practices Guide
Security Best Practices YouTube video
ServiceNow Security Center (SSC)
Secure configuration of instance
There are several topics to consider when securing a Now Platform instance. Some of these are
configuration parameters within the application, while others relate to the customer’s environment
and how they are integrated. Examples include:
• Security contact details
• Now Platform Security Center
• Email Security
• Access Control
• Authentication
• MID Server Security
• Encryption
• Software Updates
• Customer Penetration Test Program
These topics, and more, are covered in the ServiceNow Security Best Practices Guide and in the
Security Best Practices YouTube video.

Customer Responsibility
Links and additional resources
Identity and Authentication
Roles
Groups
ACL Troubleshooting reference
Authentication and authorization
Authentication
ServiceNow provides various authentication options for customers. The customer is responsible for
configuring the instance using the supported authentication model or capabilities like SAML 2.0,
OpenID Connect, Cloud IDP like Ping/Okta, or Adaptive Authentication.
Authorization
Customers have the ability to configure the following: 
• Roles and Groups
• Role-based ACL
• Context-based securing of records
Once a user has successfully authenticated, access to parts of the instance interface, functions, and the data within it is controlled with Access Control Lists (ACLs) and Role-Based Access Control (RBAC).
ACLs use the account ID and associated groups to determine what access should be granted to an object (e.g., read, write, delete, and create).
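The paragraph above describes the customer-side authorization model: an account's effective roles come from its direct roles and its group memberships, ACLs require roles per table and operation, and context-based rules further restrict individual records. The following is an added example written for this page, not ServiceNow code or any ServiceNow API: the users, groups, role containment, table names, ACL rules and the deny-by-default policy are all constructed to illustrate how such an evaluation composes.

```javascript
// Added example (not ServiceNow code): a small model of role-based ACL
// evaluation. Users, groups, roles, tables and rules are all constructed.

// Constructed directory. A user's effective roles are their direct roles plus
// the roles of every group they belong to, expanded through role containment.
const USERS = {
  alice: { roles: [], groups: ["Service Desk"] },
  bob: { roles: [], groups: ["HR"] },
  carol: { roles: ["admin"], groups: [] },
};

const GROUPS = {
  "Service Desk": { roles: ["itil"] },
  HR: { roles: ["hr_reader"] },
};

// Constructed role containment: holding "admin" also grants the listed roles.
const ROLE_CONTAINS = {
  admin: ["itil", "hr_reader"],
  itil: [],
  hr_reader: [],
};

// Resolve the effective role set for an account id.
function effectiveRoles(userId) {
  const user = USERS[userId];
  const roles = new Set();
  if (!user) return roles; // unknown account: no roles at all
  const pending = [...user.roles];
  for (const g of user.groups) pending.push(...(GROUPS[g] ? GROUPS[g].roles : []));
  while (pending.length) {
    const r = pending.pop();
    if (roles.has(r)) continue;
    roles.add(r);
    pending.push(...(ROLE_CONTAINS[r] || []));
  }
  return roles;
}

// Constructed ACL rules: any one of the listed roles satisfies the rule, and an
// optional condition adds context-based securing of the individual record.
const ACL_RULES = [
  { table: "incident", op: "read", roles: ["itil"] },
  { table: "incident", op: "create", roles: ["itil"] },
  { table: "incident", op: "write", roles: ["itil"],
    condition: (rec, userId) => rec.assigned_to === userId },
  { table: "incident", op: "delete", roles: ["admin"] },
  { table: "hr_case", op: "read", roles: ["hr_reader"] },
];

// Deny by default (a design choice of this model): access is granted only if
// some rule for the table/operation passes both its role check and its condition.
function isAllowed(userId, table, op, record) {
  const roles = effectiveRoles(userId);
  return ACL_RULES.filter((r) => r.table === table && r.op === op).some((rule) => {
    if (!rule.roles.some((r) => roles.has(r))) return false;
    return rule.condition ? rule.condition(record || {}, userId) : true;
  });
}

// Stand-alone run: print a small access matrix for one constructed record.
if (typeof require !== "undefined" && require.main === module) {
  const inc = { number: "INC0001", assigned_to: "alice" };
  for (const u of ["alice", "bob", "carol"]) {
    for (const op of ["read", "write", "delete"]) {
      console.log(u, op, "incident", isAllowed(u, "incident", op, inc));
    }
  }
}
```

Two points worth checking in a real instance map directly onto this model: an operation with no matching rule is denied, and a record-level condition applies even to an account that reaches the required role through containment (carol holds `itil` via `admin` but still cannot write an incident assigned to someone else).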

Customer Responsibility
Links and additional resources
Data Classification
Data Archiving
Data Discovery
Securing the Now Platform
(Information lifecycle and data management section)
Data management
Data Classification
Customers are responsible for their own data classification and labeling such as confidential,
restricted, etc.
Customers can either use ServiceNow-provided data classifications, or define their own based on
their industry, geographic, and business needs.

Data Retention
Customers control what information is to be stored, how it is to be used, and how long it is retained,
and are therefore responsible for defining the duration of active data in the instance and archiving or
deleting the unused data.
Data Discovery
Data Discovery is a new additional cost feature that ServiceNow provides to help customers identify
and classify their data in the Now Platform. Data Discovery can scan the data stored in the platform
and assign labels based on predefined or custom rules.
Data Discovery can also generate reports and dashboards to show the data distribution and
compliance status.
Data Discovery is a component of the Data Privacy product (which is also included with ServiceNow Vault).

Customer Responsibility
Links and additional resources
Data Encryption white paper
Encryption and Key Management
Cryptography Standards
(requires access to the CORE Compliance Portal)
Data encryption at rest
Data at rest encryption is not enabled by default for non-regulated market customers outside
of the Now Protected Platform subscription services. ServiceNow provides customers with a
suite of encryption options for data at rest, which includes a free option and premium options at
additional cost.
Customers are required to define and map their encryption requirements and align them with the best
solution offering available from ServiceNow.
Data at rest encryption options include application-centric column-based encryption, as well as
solutions that provide full backend volume-based encryption.
The Now Platform also supports various data at rest encryption key management requirements.

Customer and ServiceNow Shared Responsibility
Data encryption in transit
Customer responsibility
The Now Platform offers customers secure access to instance APIs via HTTPS and many ways to
integrate with customer or third-party systems for data transfer, including HTTPS, FTPS, and SCP.
Customers need to use data transfer methods in accordance with their security policies and
use cases. 
ServiceNow responsibility
The Now Platform provides encryption in transit by default with TLS (TLS 1.2 as a minimum) sessions
to protect customer data.
Now Platform instance email supports opportunistic TLS for email sent or received on Now
Platform instances.
If the customer email system is configured to support TLS encryption, that will be negotiated
during the SMTP handshake.
Links and additional resources
Data Encryption white paper

Customer and ServiceNow Shared Responsibility
Links and additional resources
Data Encryption white paper
Understanding the Key Management Framework
Edge Encryption
Now Learning — Key Management Framework: Introduction
Encryption key management
Customer responsibility
The Now Platform Key Management Framework (KMF) allows customers to manage how
cryptographic operations are performed on the customer instance. Customers are responsible for the
following:
• Segregation of duties through the use of dedicated roles for cryptographic management and
operations, auditing, and integration
• Key lifecycle management to generate, rotate, revoke, and suspend keys
• If the customer chooses to use customer supplied keys for Cloud Encryption (CE) or Column Level
Encryption Enterprise (CLEE), the customer is responsible for generating and transferring the keys
to the customer instance
Edge Encryption: Key management, storage, backup and escrow are solely customer responsibilities.
ServiceNow responsibility
The Now Platform provides a secure interface for instance-side cryptographic key management
services with the Key Management Framework (KMF).
ServiceNow manages keys for Full Disk Encryption.

Customer and ServiceNow Shared Responsibility
Links and additional resources
Log Types (System Logs)
Log History
Auditing
Impersonation Logs
Log Export Service
Avoid Log Tampering
MID Server Command Audit Log
ServiceNow Security Center (SSC)
Security logging and monitoring
Customer responsibility
Extensive logging of transactions, events, and system-level activity information is stored within tables
in a customer’s instance. Customers have access to various security related information, including:
• Customer end-user activity
• Failed login attempts
• Audit trails and record histories
• Administrative escalation
• Access by ServiceNow support personnel
Now Platform transaction logs are retained within the instance for around 30 days, event logs are
stored for about seven days, and audit histories are retained indefinitely in the instance. If customers
require a longer retention or want to correlate activity, logs can be downloaded to the customers’
environment using a log aggregator/SIEM via a syslog probe, API export, or log export service.
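The customer-side part of this area is reviewing the activity the instance records (failed logins, administrative escalation, impersonation) and correlating it once it has been exported to a log aggregator or SIEM. The following is an added example, not ServiceNow code and not the format of any ServiceNow log export: the log lines are constructed in a simple "timestamp key=value" form that an export might be normalised into, and the field names (`event`, `user`, `target`, `role`, `src`) are assumptions. It shows two reviews a defender would run over such a feed: a sliding-window count of failed logins per account, and a list of impersonation events and grants of the admin role.

```javascript
// Added example (not ServiceNow code): review of an exported activity log.
// Constructed sample lines; field names are assumptions for this example.
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z event=login.failed user=alice src=203.0.113.5",
  "2024-05-01T10:00:09Z event=login.failed user=alice src=203.0.113.5",
  "2024-05-01T10:00:20Z event=login.failed user=alice src=203.0.113.5",
  "2024-05-01T10:00:31Z event=login.success user=alice src=203.0.113.5",
  "2024-05-01T10:05:00Z event=login.failed user=bob src=198.51.100.7",
  "2024-05-01T11:30:00Z event=login.failed user=bob src=198.51.100.7",
  "2024-05-01T12:00:00Z event=impersonation.start user=carol target=alice",
  "2024-05-01T12:10:00Z event=role.grant user=carol target=dave role=admin",
  "2024-05-01T12:15:00Z event=role.grant user=carol target=erin role=itil",
];

// Parse one line into { ts, event, ... }; returns null for malformed input so a
// bad line cannot silently skew the counts below.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  const ts = Date.parse(parts[0]);
  if (Number.isNaN(ts)) return null;
  const rec = { ts };
  for (const kv of parts.slice(1)) {
    const i = kv.indexOf("=");
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec.event ? rec : null;
}

// Flag any account with at least `threshold` failed logins inside a sliding
// window of `windowMs`. One alert per account, at the time the threshold is hit.
function detectFailedLogins(lines, threshold, windowMs) {
  const byUser = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.event !== "login.failed" || !r.user) continue;
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(r.ts);
  }
  const alerts = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > windowMs) start++; // drop events outside the window
      const count = i - start + 1;
      if (count >= threshold) {
        alerts.push({ user, count, at: new Date(times[i]).toISOString() });
        break;
      }
    }
  }
  return alerts;
}

// Surface administrative escalation: impersonation sessions and admin grants.
function detectEscalations(lines) {
  const findings = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (r.event === "impersonation.start") {
      findings.push({ type: "impersonation", actor: r.user, target: r.target });
    } else if (r.event === "role.grant" && r.role === "admin") {
      findings.push({ type: "admin_grant", actor: r.user, target: r.target });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample (3 failures in 5 minutes).
if (typeof require !== "undefined" && require.main === module) {
  console.log(detectFailedLogins(SAMPLE_LOG, 3, 5 * 60 * 1000));
  console.log(detectEscalations(SAMPLE_LOG));
}
```

Because instance transaction logs are only kept for around 30 days and event logs for about a week, this kind of review has to run against the exported copy if the window of interest is any longer than that; the sliding window makes the difference between bob's two failures 85 minutes apart (noise) and alice's three within 20 seconds (worth a look) explicit rather than relying on a daily total.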
ServiceNow responsibility
ServiceNow has implemented a SIEM system to review and correlate logs from multiple network/
infrastructure related sources, and a Scheduled Security Operations Checklist that includes
procedures for performing daily reviews of Linux, Windows, Network Device, IDS, behavioral and
identified issue logs.
High-risk issues, such as intrusion detection events trigger real-time alerts that are emailed to the
Security Incident Response Team for review. Network/infrastructure log events are retained for a
minimum of 90 days.

Customer and ServiceNow Shared Responsibility
Links and additional resources
Software Development Lifecycle SOP
(requires access to the CORE Compliance Portal)
Maintenance Release Management SOP
(requires access to the CORE Compliance Portal)
ServiceNow Secure Coding Guide for
Instance Developers
(requires a Now Support account)
Secure SDLC processes
Customer responsibility
Customers are responsible for any custom code they develop on the Now Platform.
ServiceNow responsibility
ServiceNow has adopted a “Build Security In” (BSI) strategy to help identify and reduce risk
throughout the Software Development Lifecycle (SDLC) of its products.
This approach encompasses security education, best practices, iterative security design, and
various continuous security analysis approaches, enabling product teams to deliver robust and
secure software.

Customer and ServiceNow Shared Responsibility
Links and additional resources
Customer Penetration Testing Policy
(requires a Now Support account)
Penetration testing
Customer responsibility
Customer application penetration testing
Customers may perform application penetration testing against their sub-production instance(s) in
accordance with the ServiceNow Customer Penetration Testing Policy.
ServiceNow responsibility
Continuous testing
As part of its secure Software Development Lifecycle (SDLC), ServiceNow performs nightly third-party
web application security testing using automated and manual testing techniques, utilizing various
security-scanning tools.
This analysis ensures that security assessment is incorporated during code development. Findings
identified as part of this testing are reviewed by the ServiceNow Product Security Team and then
forwarded to development for remediation. 
Major release testing
Prior to each major release (twice per year), ServiceNow contracts an independent external third party to perform comprehensive application penetration testing using industry-standard testing methodologies. The assessment generally takes place over a number of months and is an iterative process whereby findings from the third party are remediated by the ServiceNow security and development teams.

Customer and ServiceNow Shared Responsibility
Links and additional resources
Securing the Now Platform
(Vulnerability Management section)
Cloud Vulnerability Management SOP
(requires access to the CORE Compliance Portal)
Application Vulnerability Management SOP
(requires access to the CORE Compliance Portal)
Vulnerability management
Customer responsibility
Customers are responsible for determining the collection, storage, usage, sharing, archiving, and
destruction of data processed in their Now Platform instances.
As the data controller, the customer is responsible for meeting the requirements of applicable privacy legislation in the jurisdictions in which they operate and collect personal data.
Customers are responsible for installing patches and keeping their instances up to date (quarterly
patching schedule with monthly updates).
ServiceNow responsibility
ServiceNow maintains an ongoing infrastructure vulnerability program described in the Cloud
Vulnerability Management SOP, using third-party commercial and in-house tools to identify
vulnerabilities in the ServiceNow perimeter and for all cloud and corporate systems.
ServiceNow produces two releases of the Now Platform annually. In addition, patches and hotfixes
are produced throughout the supported lifetime of a major release and rolled into the codebase for
inclusion in the next version.

Customer and ServiceNow Shared Responsibility
Links and additional resources
Data Processing Addendum
Services Privacy Statement
Privacy/GDPR section in ServiceNow CORE
(requires access to the CORE Compliance Portal)
Privacy
Customer responsibility
ServiceNow customers are responsible for determining the collection, storage, usage, sharing,
archiving, and destruction of data processed in their ServiceNow instances.
As the data controller, customers are responsible for meeting the requirements of applicable privacy
legislation in the jurisdictions in which they operate and collect personal data.
The customer remains the data owner and retains all rights for the data they store in their Now
Platform instances.
ServiceNow responsibility
ServiceNow fulfills the role of the data processor, ensuring that appropriate controls are in place to protect customer data and assist the data controller in their responsibilities. ServiceNow also complies with any other applicable statutory or regulatory obligations as the data processor.
ServiceNow has no visibility or understanding of the conditions under which customer data is
collected, if appropriate permission was obtained, or whether it is being used in accordance with
those conditions. This remains the obligation of the data controller (customer).

Customer/ServiceNow/Colocation Responsibility
Compliance: regulatory and legal
Customer responsibility
The customer is responsible for determining how data is collected, stored, used, shared, archived, and
destroyed, as well as maintaining the accuracy of that data.
The customer is also responsible for meeting their requirements as a data controller under the
applicable data protection laws, including the GDPR.
ServiceNow responsibility
ServiceNow has a dedicated audit, risk, and compliance (ARC) team responsible for several
governance and compliance efforts across the organization, including managing the ServiceNow
compliance program.
ServiceNow is reviewed on an annual basis by independent third-party auditors. ServiceNow will
establish and maintain sufficient controls to meet certification and attestation for the objectives
stated in ISO27001, ISO27017, ISO27018, ISO 27701, SSAE 18 / SOC 1 and SOC 2 Type 2 (or equivalent
standards) for the Security Program.
Colocation responsibility
Data centers procured by ServiceNow are provided by specialist colocation data center operators.
These operators provide ServiceNow with a secure and reliable space to operate in. The data centers
are highly secure facilities with 24/7 security guards, CCTV, multiple levels of entry controls, and strict
procedures for physically entering the facility. The data centers are highly available facilities with
redundant electrical and mechanical systems.
The details of individual data centers may vary slightly; however, all facilities have similar operating
characteristics. In all cases, the data center providers must be either ISO/IEC 27001 accredited
and/or conduct regular SSAE18 SOC 2 Type 2 audits.
Specific products/services subscribed to by customers are governed by additional terms such as the “Third Party Hosted Product Addendum” and/or “Product-Specific Terms.”
Links and additional resources
ServiceNow CORE Compliance Portal
How to access the CORE Compliance Portal
Data Center Certifications
(requires access to the CORE Compliance Portal)
Data Processing Addendum
Customer Agreements and Terms
ServiceNow Certifications

Customer/ServiceNow/Colocation Responsibility
Employee vetting and screening
Customer responsibility
Customers are responsible for vetting their employees per their company policies.
ServiceNow responsibility
Upon commencement of the employment process for all prospective candidates, ServiceNow
undertakes background checks and screening. Subject to per-country restrictions, these include
criminal, employment, financial, citizen status, and government watch lists. Drug testing also takes
place in jurisdictions that allow it.
Colocation responsibility
Upon commencement of the employment process for all prospective candidates, colocation facilities conduct background checks and screening. Subject to per-country restrictions, these include criminal, employment, financial, citizen status, and government watch lists. Drug testing also takes place in jurisdictions that allow it.
Links and additional resources
Background Screening SOPs
(requires access to the CORE Compliance Portal)

ServiceNow and Colocation Responsibility
Physical security/environmental controls
ServiceNow responsibility
ServiceNow performs data center vendor reviews annually, and periodically performs onsite
assessments of physical and environmental controls.
ServiceNow data center operations, security, and procurement personnel review the colocation data
center provider SOC 2 Type 2 reports or other available assessments (e.g., ISO27001) on an annual
basis. Additionally, through periodic visits to the facility, data center operations and compliance
personnel review the controls applicable to the services provided to ServiceNow.
• Routine meetings are held with vendor account management personnel to help ensure services
are provided according to expectations.
• Cloud Operations personnel review access activity within the co-location data center cages on
a periodic basis to ensure access is appropriate.
Colocation responsibility
Data centers procured by ServiceNow are provided by specialist colocation data center providers
who are responsible for physical security and environmental controls at the data centers.
These data centers are highly secure, with 24/7 security guards, CCTV, multiple levels of entry control,
and strict procedures for physical facility access. They provide redundant electrical and mechanical
systems and environmental controls including heating, ventilation, and air conditioning (HVAC)
systems. All data centers feature fire detection and suppression systems.
Colocation data center providers are the only third-party vendors used in the commercial cloud
environment. They are never granted logical access to customer data.
Dedicated ServiceNow onsite personnel exclusively provide management, installation, maintenance,
and support in the ServiceNow-managed colocation spaces.
Links and additional resources
Securing the Now Platform
(Physical and logical architecture section)
Data Center Certifications
(requires access to the CORE Compliance Portal)
Data Center Access Audit Management SOP
(requires access to the CORE Compliance Portal)

ServiceNow Responsibility
Links and additional resources
Information Security Policies
(requires access to the CORE Compliance Portal)
Network Overview and Flow Diagrams
(requires access to the CORE Compliance Portal)
System Configuration Management SOP
(requires access to the CORE Compliance Portal)
Security Incident Response SOP
(requires access to the CORE Compliance Portal)
ServiceNow Controlled Access (SNCA) Policy
(requires access to the CORE Compliance Portal)
Global Training Policy
(requires access to the CORE Compliance Portal)
Cloud infrastructure security mgmt
ServiceNow responsibility
ServiceNow is responsible for ensuring the customer cloud environments maintain a secure
architecture that consists of hardened configurations and supporting processes. 
Maintaining a secure infrastructure is crucial for protecting sensitive data and ensuring the integrity of
systems and networks. The ServiceNow customer cloud environment includes security measures such
as firewalls, secure logical access procedures, and intrusion detection systems.
In addition, ServiceNow regularly monitors systems for malicious activities and vulnerabilities.
ServiceNow also has a mature incident response plan to support security incidents when they
arise. Additionally, regular security training for employees helps ensure everyone is aware of their role
in maintaining the security of the ServiceNow environments.

ServiceNow Responsibility
Links and additional resources
Advanced High Availability Architecture white paper
Infrastructure management
ServiceNow, as the SaaS Cloud Solution Provider, is responsible for managing the cloud infrastructure
to ensure the availability, scalability, security, and performance of the system. This includes tasks
such as developing and configuring security policies and controls, monitoring for potential threats,
implementing access controls, and ensuring compliance with relevant regulations and industry
standards within the jurisdictions in which we operate.
Additional ServiceNow responsibilities include performing security assessments, penetration testing,
and responding quickly to potential incidents.
ServiceNow infrastructure functions:
All links below require access to the ServiceNow CORE Compliance Portal; find out how to access it here.
• Change Management SOP
• Patching Program SOP
• System Configuration Management SOP
• Backup and Restoration SOP
• ServiceNow Controlled Access (SNCA) Policy
• Corporate Business Continuity Management Policy
• Information System Contingency Plan (ISCP) and Test Report
• Information Security Policy

ServiceNow Responsibility
Links and additional resources
Securing the Now Platform
(Media disposal section)
Media Sanitization & Hardware Destruction SOP
(requires access to the CORE Compliance Portal)
Media disposal and destruction
This refers to the disposal of hard drives in our data centers. ServiceNow follows NIST 800-88
guidelines for destroying hard drives and rendering the media infeasible for future use.

ServiceNow Responsibility
Links and additional resources
Advanced High Availability Architecture white paper
Backup and Restoration SOP
(requires access to the CORE Compliance Portal)
Backup and restore
Datacenter Backups, Hot/Cold Backups
ServiceNow is responsible for customer backups.
At all times during the term of the contract and prior to termination, or expiration of the agreement
with ServiceNow, customers can self-export their data from their instance using features in the Now
Platform, or they may request that ServiceNow export their data in a standard format. Please see
Exporting Data from the product documentation for more details. 
The current backup schedule consists of:
• A full backup is completed every 7 days
• Differential backups are completed every 24 hours
  — Production instances are backed up in both data centers within the pair
• ServiceNow data centers are arranged in pairs with full redundancy
Backup Restoration
ServiceNow is responsible for performing the restoration of customer data upon request.
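What the weekly-full plus daily-differential schedule above means for a restore request is easiest to see worked through. The following is an added example, not ServiceNow code and not a description of the ServiceNow restoration procedure: it assumes the usual meaning of a differential backup (each one holds every change since the most recent full, so a restore needs one full plus at most one differential) and uses constructed timestamps. Given a target point in time it selects the restore chain and reports how far behind the target the recovered data would be.

```javascript
// Added example (not ServiceNow code): selecting the restore chain for a
// point-in-time restore under a weekly-full / daily-differential schedule.
// Assumption: a differential contains all changes since the latest full.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Build a constructed catalogue: a full on day 0 and every 7th day after it,
// a differential on every other day, all taken at the same time of day.
function generateCatalogue(start, days) {
  const t0 = Date.parse(start);
  const catalogue = [];
  for (let d = 0; d < days; d++) {
    catalogue.push({ ts: t0 + d * DAY_MS, kind: d % 7 === 0 ? "full" : "differential" });
  }
  return catalogue;
}

// Pick the latest full taken at or before the target, then the latest
// differential taken after that full and at or before the target.
function restoreChain(catalogue, target) {
  const t = Date.parse(target);
  const latest = (items) => items.reduce((a, b) => (b.ts > a.ts ? b : a));
  const fulls = catalogue.filter((b) => b.kind === "full" && b.ts <= t);
  if (fulls.length === 0) return null; // no full backup exists yet for this time
  const full = latest(fulls);
  const diffs = catalogue.filter(
    (b) => b.kind === "differential" && b.ts > full.ts && b.ts <= t
  );
  const diff = diffs.length ? latest(diffs) : null;
  const recoveryPoint = diff ? diff.ts : full.ts;
  return {
    full: new Date(full.ts).toISOString(),
    differential: diff ? new Date(diff.ts).toISOString() : null,
    dataLossHours: (t - recoveryPoint) / HOUR_MS, // gap between target and recovered state
  };
}

// Stand-alone run: two weeks of constructed backups, one restore request.
if (typeof require !== "undefined" && require.main === module) {
  const catalogue = generateCatalogue("2024-05-05T02:00:00Z", 14);
  console.log(restoreChain(catalogue, "2024-05-08T14:00:00Z"));
}
```

The `dataLossHours` figure is the part worth checking against your own requirements: with a differential every 24 hours the recovered state can lag the requested point by up to a day, which is a different quantity from the one-hour RPO the disaster recovery section states for data center failover.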

ServiceNow Responsibility
Business continuity and disaster recovery
Disaster recovery
ServiceNow operates a disaster recovery program for customer instances called the Information
System Contingency Plan (ISCP).
In the event of a disaster, ServiceNow activates a failover process that transfers customer operations
to the unaffected data center.
In this model, the targeted recovery point objective (RPO) and recovery time objective (RTO) durations
are one and two hours, respectively.
Business continuity
A separate business continuity plan and processes are in place to ensure availability for the
ServiceNow corporate organization and the services it relies on. This is tested on an annual basis.
Links and additional resources
Advanced High Availability Architecture white paper
Information System Contingency Plan (ISCP)
(requires access to the CORE Compliance Portal)
Corporate Business Continuity Management Policy
(requires access to the CORE Compliance Portal)

Resources
Product documentation
ServiceNow CORE Compliance Portal — learn how to access CORE here
ServiceNow Security Center
ServiceNow Trust Site
White papers:
Securing the Now Platform
Safeguarding Your Data
Security Best Practices Guide
Best Practices YouTube Video