Security is a shared responsibility and partnership between ServiceNow and its customers. In the past couple of years, we have increased the sharing of security-related information in order to enable our customers to combat threats that pose a risk to their data. However, customers have informed us that the exchange of information was delayed due to indirect communications between the customer and ServiceNow security teams. Therefore, in a continued effort to improve and expedite communications and coordination associated with security-related events and alerts, ServiceNow has created a new “security contact” multi-user field in each company account.
This security contact field enables the ServiceNow Security Office (SSO) to directly communicate with customer security personnel on security-related issues. Specifically, security contacts are critical for the communication of security alerts and security events (for example, breach notification, etc.). Additionally, security contacts will be informed of security updates/patches, new security features in the platform (for example, the instance hardening tool), and threat intelligence information that could impact customer data.
Who is an ideal security contact?
Most organizations have various types of security personnel who range in focus from governance/risk/compliance, to security operations/issue response, to auditing, and to security engineers. Any of this personnel may be appropriate as a security contact for your ServiceNow customer account. However, to ensure the most effective communications between our two security teams, ServiceNow recommends that the security contacts have the following:
- Familiarity and understanding of the ServiceNow service
- Understanding of how your organization is utilizing ServiceNow
- Knowledge of the types of data, and associated security concerns of the data, hosted in your instance
- Ability to quickly reach out to business owners/leadership if necessary
- Willingness to accept security-related email and phone calls from ServiceNow’s security team
- Authorized by your organization to discuss security-related information/events
ServiceNow recommends that customers add at least 2 security contacts to the new field to ensure adequate coverage, but you are welcome to add as many security contacts as you deem appropriate given the criteria above.
ServiceNow does not recommend using distribution lists or group aliases as security contacts. Our experience is that distribution lists can cause confusion and delay in communications as often not all individuals in the distribution may have a sufficient understanding of the ServiceNow service. Additionally, in the event of a security event, ServiceNow’s security team will need to authenticate an individual (confirm they are speaking to an authorized representative from your organization) before they are able to share any specifics about the security event.
Who is an ideal security contact if I'm a ServiceNow Partner?
If you have an MSP or some other partner relationship, the Security Contact should be the CISO from the entity that has a contractual agreement with ServiceNow. This will allow ServiceNow to communicate security-related issues directly to the individuals associated with the platform instances. Additional security contacts can be added for greater visibility.
How to add security contacts to your account
For instructions on how to manage company contacts in HI see KB0547262