How to Engage the ServiceNow Security Office (SSO) - Security

How to Engage the ServiceNow Security Office (SSO) <div style="font-family: Arial, Helvetica, sans-serif; display: flex; align-items: stretch; flex-wrap: nowrap; width: 89%; background-position-x: initial; background-position-y: initial; background-size: initial; background-repeat-x: initial; background-repeat-y: initial; background-origin: initial; background-clip: initial; background-color: #032d42; height: auto; min-height: 90px; padding: 10px 0px 10px 0px;"> How to Engage with the ServiceNow Security Office (SSO) ServiceNow has a dedicated "follow-the-sun" global security team protecting customer data 24 hours a day, 365 days a year. All security concerns and incidents should be reported via the Now Support Portal . Security Contacts in the Now Support Portal All security communications including incident response notifications are sent to the Security Contact named in the Now Support Portal.

It is critical that a suitably qualified person is entered into the Security Contact field and that this field is kept current at all times .

A named Security Contact is essential for the communication of security alerts and security events (e.g. a breach notification) and will also be informed of security updates/patches, new security features in the platform, and threat intelligence information that could impact customer data. We also strongly recommend that a Security Incident Response or SOC email distribution list is added for 24/7 coverage. Please reach out to your organization’s ServiceNow Administrator to ensure that the correct Security Contact is added to the Now Support Portal.

Reporting a security or privacy incident to ServiceNow There are two methods available for customers to raise a security or privacy issue or concern:

Create a case in Now Support Portal – preferred method (requires a Now Support account) Contact Global Technical Support by phone – who will create a case in Now Support on your behalf

ServiceNow incident response workflow The diagram below provides an overview of the Security Incident Response SOP (requires access to CORE, find out how to access here ).

Activation → A security event, incident, or vulnerability is detected and reported An internal bridge may be set up between relevant internal teams (as needed) Triage is conducted to validate the incident and assign the appropriate priority level A Security Incident Response Team (SIRT) is created, bringing internal resources together A customer bridge may also be set up (as needed) Response → Incident briefing is conducted by the Security Incident Response Team (SIRT) Mitigation plan is created Remediation plan is created Communications plan for both internal and external stakeholders is created The SIRT sends communications to relevant stakeholders Resolution The mitigation and remediation plans are carried out and overseen by the Security Incident Response Team (SIRT) A post-mortem report is created including: A summary of the incident Mitigation and remediation activities Effects of the incident Lessons learned Next steps The case is updated and closed All customer communications are sent at a cadence appropriate to the urgency of the incident via the case in the Now Support Portal (and via a customer bridge as appropriate) until the case is closed by the customer.

Useful links to security resources Publicly available resources:

ServiceNow Security Center – a set of tools designed to help companies maintain the security of ServiceNow deployments, improve their security posture, and strengthen compliance levels with a seamless user experience Instance Security Hardening Settings – contains detailed descriptions and the recommended compliance values for the security-related system properties and plugins in the Now Platform ServiceNow Trust Website – website containing security documentation and information regarding compliance, security, and privacy on the Now Platform Resources requiring Now Support Portal Account (provisioned by your ServiceNow Admin):

Security Contact KB – How to update and maintain the security contact field. The Security Contact receives communications from the ServiceNow Security Office (SSO) on security-related issues. ServiceNow Security Best Practice Guide – An easy-to-follow guide to the main security features provided by the Now Platform and how to best use them to secure an instance.