Shared Responsibility Model 

Overall security responsibilities are shared between customers, ServiceNow, and the data center provider. ServiceNow provides its customers with extensive capabilities to configure their instances to meet their own security policies and requirements. 

Customer instances of the Now Platform are designed to be accessible via the internet, providing maximum flexibility on how, when, and from where they are accessed. The internet, however, is a public network and therefore communications can potentially be intercepted if they are not encrypted or otherwise protected.   

As the data controller, customers are responsible for meeting the requirements of applicable privacy legislation in the jurisdictions in which they operate and collect personal data. Other key customer responsibilities include the secure configuration of their instance(s), authentication and authorization, data management (classification and retention), and encryption in transit and at rest.  

At rest encryption is not enabled by default, but ServiceNow provides customers with a suite of encryption options for data at rest, including free and premium options at an additional cost. At rest encryption options include application-centric or column-based encryption, as well as solutions that provide full backend volume-based encryption.   

Most activities within an instance can be recorded in an audit log, and the Now Platform includes comprehensive access, event, and transaction logging. The extent of logging is customer configurable, and detailed logging can be used to record and report on all activity within an instance.  

It is strongly recommended that you review the documentation on the Shared Responsibility Model and bookmark it for future reference.  

Security Center  

ServiceNow Security Center is an included application that helps system administrators manage, monitor, and improve the security of their instance. It brings together a suite of purpose-built security related tools to assist administrators in maintaining the highest levels of security monitoring and security configurations . 

When navigating to Security Center (All > Security Center > Admin > Security Center), administrators are met with the home page that displays a dashboard with information about the various parts of the application.    

Key features and functions of Security Center include: 

• Best Practices: The starting point for setting up initial security configurations in the instance. This step-by-step guidance helps in creating and maintaining the Instance Security Maturity level. 
• Hardening: How the instance security properties adhere to ServiceNow’s recommended values. This feature is also available for compliance score modifications. The Score Trends tab provides information over time to see how the instance is performing.You can create filters, identify KPI signals, set targets, and thresholds. 
• Scanner: A tool that scans your instance against a set of security checks for misconfigurations and other insecure behavior. 
• Customer Actions:  Addresses areas in the Now Platform that may need attention (for example, 3DES deprecation in Password2 fields). Workflows assist in walking admins through steps to modify settings that may be unnecessary or expose risk.
• Learning: Similar to a Knowledge Base, the Learning section is a central resource for security documentation and provides easy access to compliance docs, portals, and additional resources. 
• Metrics: Where you can monitor and analyze different security key performance indicators (KPIs), identify security threats, and risky behaviors to avoid security breaches. 
• Notifications: Where administrators can set up thresholds that trigger alerts to notify stakeholders of any changes in the Security Center. Administrators may create their own alerts or leverage existing ones.   

Why Security Contacts are Important  

ServiceNow will primarily interact with your organization via the named Security Contacts listed for your account within the Now Support Portal. The named security contacts will periodically receive security-related information from the ServiceNow Security Office, usually by email.  

If there is a security concern ServiceNow needs to urgently communicate about, it is critical that we always have the correct Security Contact readily available. Instructions for how administrators can update this field can be found by searching the ServiceNow Support site for: Company Key Contacts and Notifications List Overview on Now Support.  

 It is essential that named security contacts are authorized to deal with potentially sensitive security matters and are always contactable. Therefore, we strongly advise that you include both an email distribution list and an individual to fulfill this requirement. 

These contact details will be used exclusively for this purpose, and no other. Please ensure this contact information is kept up to date. 

Summary 

By understanding and fulfilling their responsibilities according to the Shared Responsibility Model, customers can optimize their security posture and protect their data. The ServiceNow Security Center further supports this effort by simplifying the configuration and management of security settings, ensuring a robust and proactive security strategy. 

Collaboration and clarity are crucial in maintaining security in an instance. By following these guidelines and using the available tools, customers and administrators can confidently navigate the intricacies of data protection in the Now Platform.