CLOUD CONTROLS MATRIX VERSION 3.0.

Cloud Service Delivery Model Scope


Architectural Relevance Supplier Relationship
Applicability Applicability
Corp Gov
CCM V3.0 Relevance FedRAMP Security Controls FedRAMP Security Controls
Control Domain Updated Control Specification Service Tenant / AICPA AICPA AICPA BITS Shared Assessments BITS Shared Assessments CSA Enterprise Architecture CSA Guidance Mexico - Federal Law on Protection of Personal Data Held by Private ServiceNow Rating ServiceNow Public Explanation
Control ID Phys Network Compute Storage App Data SaaS PaaS IaaS BSI Germany Canada PIPEDA CCM V1.X COBIT 4.1 COBIT 5.0 COPPA ENISA IAF 95/46/EC - European Union Data Protection Directive (Final Release, Jan 2012) (Final Release, Jan 2012) FERPA GAPP (Aug 2009) HIPAA / HITECH Act ISO/IEC 27001-2005 ISO/IEC 27001-2013 ITAR Jericho Forum NERC CIP NIST SP800-53 R3 NIST SP800-53 R3 App J NZISM ODCA UM: PA R2.0 PCI DSS v2.0 PCI DSS v3.0
Provider Consumer 2009 TSC Map Trust Service Criteria (SOC 2SM Report) 2014 TSC AUP v5.0 SIG v6.0 (formerly Trusted Cloud Initiative) V3.0 Parties
--LOW IMPACT LEVEL-- --MODERATE IMPACT LEVEL--

Domain > Container > Capability Public Private PA ID PA level


Application & Interface AIS-01 Applications and programming interfaces (APIs) shall be designed, X X X X X X X X S3.10.0 (S3.10.0) Design, acquisition, implementation, configuration, CC7.1 I.4 G.16.3, I.3 Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 SA-04 AI2.4 APO09.03 312.8 and Application Services > shared x Domain 10 6.03.01. (c) Article: 27 (3) NIST SP 800-53 R3 SC-5 NIST SP 800-53 R3 SA-8 1.2.6 45 CFR 164.312(e)(2)(i) A.11.5.6 A9.4.2 Commandment #1 CIP-007-3 - R5.1 SC-2 AR-7 The organization 14.5 PA17 SGP 6.5 6, 6.5 Compliant ServiceNow develops using a formalized Software Development Life Cycle
Security developed, deployed, and tested in accordance with leading industry modification, and management of infrastructure and software APO13.01 312.10 Development Process > Software NIST SP 800-53 R3 SC-6 NIST SP 800-53 R3 SC-2 A.11.6.1 A9.4.1, Commandment #2 SC-3 designs information 14.6 PA31 BSGP (SDLC) which takes into account OWASP in developer training and software
Application Security standards (e.g., OWASP for web applications) and adhere to applicable are consistent with defined system security policies to enable BAI03.01 Quality Assurance NIST SP 800-53 R3 SC-7 NIST SP 800-53 R3 SC-4 A.12.2.1 8.1*Partial, A14.2.3, Commandment #4 SC-4 systems to support testing.
legal, statutory, or regulatory compliance obligations. authorized access and to prevent unauthorized access. BAI03.02 NIST SP 800-53 R3 SC-12 NIST SP 800-53 R3 SC-5 A.12.2.2 8.1*partial, A.14.2.7 Commandment #5 SC-5 privacy by automating
BAI03.03 NIST SP 800-53 R3 SC-13 NIST SP 800-53 R3 SC-6 A.12.2.3 A12.6.1, Commandment #11 SC-6 privacy controls. ServiceNow makes use of Defense in Depth and DDOS protection to ensure its
(S3.10.0) Design, acquisition, implementation, configuration, BAI03.05 NIST SP 800-53 R3 SC-14 NIST SP 800-53 R3 SC-7 A.12.2.4 A18.2.2 SC-7 public facing interfaces are available and to reduce the risk of exposure of data.
S3.10.0 modification, and management of infrastructure and software MEA03.01 NIST SP 800-53 R3 SC-7 (1) A.12.5.2 SC-8
are consistent with defined processing integrity and related MEA03.02 NIST SP 800-53 R3 SC-7 (2) A.12.5.4 SC-9 Within the ServiceNow tool itself, authentication and authorization mechanisms
security policies. NIST SP 800-53 R3 SC-7 (3) A.12.5.5 SC-10 such as LDAP and SAML can be used in accordance with the operations of
NIST SP 800-53 R3 SC-7 (4) A.12.6.1 SC-11 those standards.
NIST SP 800-53 R3 SC-7 (5) A.15.2.1 SC-12
NIST SP 800-53 R3 SC-7 (7) SC-13
NIST SP 800-53 R3 SC-7 (8) SC-14
NIST SP 800-53 R3 SC-7 (12) SC-17
NIST SP 800-53 R3 SC-7 (13) SC-18
NIST SP 800-53 R3 SC-7 (18) SC-20
NIST SP 800-53 R3 SC-8 SC-21
NIST SP 800-53 R3 SC-8 (1) SC-22
NIST SP 800-53 R3 SC-9 SC-23
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-10
NIST SP 800-53 R3 SC-11
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 SC-18

Application & Interface AIS-02 Prior to granting customers access to data, assets, and information X X X X X X X X X X X X S3.2.a (S3.2.a) a. Logical access security measures to restrict access CC5.1 C.2.1, C.2.3, C.2.4, C.2.6.1, 10 (B) Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3 SA-01 APO09.01 312.3, BOSS > Legal Services > shared x Domain 10 Article 17 (1), (2) NIST SP 800-53 R3 CA-1 NIST SP 800-53 R3 CA-1 1.2.2 A.6.2.1 A9.1.1. Commandment #6 CA-1 AP-1 The organization 9.2 4.1.1, 4.2, 4.3 Compliant ServiceNow does not enter into any agreements with any customers without first
Security systems, identified security, contractual, and regulatory requirements for to information resources not deemed to be public. H.1 11 (A+) APO09.02 312.8 and Contracts NIST SP 800-53 R3 CA-2 NIST SP 800-53 R3 CA-2 1.2.6 A.6.2.2 Commandment #7 CA-2 determines and coming to a mutually agreeable contract with the customer. There is a joint
Customer Access customer access shall be addressed. APO09.03 312.10 NIST SP 800-53 R3 CA-2 (1) NIST SP 800-53 R3 CA-2 (1) 6.2.1 A.11.1.1 Commandment #8 CA-5 documents the legal responsibility between ServiceNow and the customer to arrive at a contract that
Requirements APO13.01 NIST SP 800-53 R3 CA-5 NIST SP 800-53 R3 CA-5 6.2.2 CA-6 authority that permits the addresses the security requirements of both parties.
BAI02 NIST SP 800-53 R3 CA-6 NIST SP 800-53 R3 CA-6 collection, use,
DSS05 maintenance, and sharing
of personally identifiable
information (PII), either
generally or in support of
a specific program or
information system need.

Application & Interface AIS-03 Data input and output integrity routines (i.e., reconciliation and edit X X X X X X X X X X I3.2.0 (I3.2.0) The procedures related to completeness, accuracy, PI1.2 I.4 G.16.3, I.3 Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 SA-05 DSS06.02 312.8 and Application Services > shared x Domain 10 NIST SP 800-53 R3 SI-2 NIST SP 800-53 R3 SI-2 1.2.6 45 CFR 164.312 (c)(1) A.10.9.2 A13.2.1, Commandment #1 CIP-003-3 - R4.2 SI-10 AR-7 The organization 14.5 PA25 GP 6.3.1 6.3.1 Compliant ServiceNow conducts appropriate escaping and integrity checking on fields and
Security checks) shall be implemented for application interfaces and databases to timeliness, and authorization of inputs are consistent with the PI1.3 DSS06.04 312.10 Programming Interfaces > Input NIST SP 800-53 R3 SI-3 NIST SP 800-53 R3 SI-2 (2) 45 CFR 164.312 (c)(2) A.10.9.3 A13.2.2, Commandment #9 SI-11 designs information 14.6 6.3.2 6.3.2 parameters.
Data Integrity prevent manual or systematic processing errors, corruption of data, or documented system processing integrity policies. PI1.5 Validation NIST SP 800-53 R3 SI-3 45 CFR 164.312(e)(2)(i) A.12.2.1 A9.1.1, Commandment #11 SI-2 systems to support
misuse. NIST SP 800-53 R3 SI-3 (1) A.12.2.2 A9.4.1, SI-3 privacy by automating Customers are able to customize their implementations of ServiceNow to add
I3.3.0 (I3.3.0) The procedures related to completeness, accuracy, NIST SP 800-53 R3 SI-3 (2) A.12.2.3 A10.1.1 SI-4 privacy controls. additional integrity capabilities based on the type of data and the rules
timeliness, and authorization of system processing, including NIST SP 800-53 R3 SI-3 (3) A.12.2.4 A18.1.4 SI-6 associated with their data.
error correction and database management, are consistent with NIST SP 800-53 R3 SI-4 A.12.6.1 SI-7
documented system processing integrity policies. NIST SP 800-53 R3 SI-4 (2) A.15.2.1 SI-9
NIST SP 800-53 R3 SI-4 (4)
I3.4.0 (I3.4.0) The procedures related to completeness, accuracy, NIST SP 800-53 R3 SI-4 (5)
timeliness, and authorization of outputs are consistent with the NIST SP 800-53 R3 SI-4 (6)
documented system processing integrity policies. NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
I3.5.0 (I3.5.0) There are procedures to enable tracing of information NIST SP 800-53 R3 SI-7 (1)
inputs from their source to their final disposition and vice versa. NIST SP 800-53 R3 SI-9
NIST SP 800-53 R3 SI-10
NIST SP 800-53 R3 SI-11

Application & Interface AIS-04 Policies and procedures shall be established and maintained in support of X X X X X X X X X X S3.4 (S3.4) Procedures exist to protect against unauthorized access CC5.6 B.1 G.8.2.0.2, G.8.2.0.3, G.12.1, 6 (B) Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 SA-03 DS5.11 APO09.01 312.8 and BOSS > Data Governance > Rules shared x Domain 10 6.02. (b) Article 17 (1), (2),(3), (4) NIST SP 800-53 R3 AC-1 NIST SP 800-53 R3 AC-1 1.1.0 A.10.8.1 A13.2.1, All AC-1 AR-7 The organization 16.5 PA20 GP 2.3 2.3 Compliant ServiceNow has implemented a wide range of policies and procedures to
Security data security to include (confidentiality, integrity and availability) across to system resources. G.12.4, G.12.9, G.12.10, 26 (A+) APO09.02 312.10 for Information Leakage 6.04.03. (a) NIST SP 800-53 R3 SC-1 NIST SP 800-53 R3 AC-4 1.2.2 A.10.8.2 A13.2.2, AC-4 designs information 16.8 PA25 P 3.4.1 3.4.1 support its operations and its customers' operations.
Data Security / multiple system interfaces, jurisdictions and business functions to prevent G.16.2, G.19.2.1, G.19.3.2, APO09.03 Prevention NIST SP 800-53 R3 SC-13 NIST SP 800-53 R3 SC-1 1.2.6 A.11.1.1 A9.1.1, SC-1 systems to support 17.4 PA29 SGP 4.1 4.1
Integrity improper disclosure, alteration, or destruction. G.9.4, G.17.2, G.17.3, G.17.4, APO13.01 NIST SP 800-53 R3 SC-8 4.2.3 A.11.6.1 A9.4.1, SC-16 privacy by automating 4.1.1 4.1.1 ServiceNow is an ISO 27001 certified organization and, as such, has had its
G.20.1 DSS05.02 5.2.1 A.11.4.6 A10.1.1 privacy controls. 6.1 6.1 policies and procedures certified. ServiceNow is Safe Harbor certified for the EU-
DSS06.06 7.1.2 A.12.3.1 A18.1.4 6.3.2a 6.3.2a US and Swiss-US certified.
MEA03.01 7.2.1 A.12.5.4 6.5c 6.5c, 7.1, 7.2, 7.3, 8.1,
MEA03.02 7.2.2 A.15.1.4 8.3 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, ServiceNow does not collect, alter or destroy any customer data or choose
7.2.3 10.5.5 8.8 where data is located and which jurisdictions it is collected in. ServiceNow's
7.2.4 11.5 10.5.5, 10.8 customers perform the role of data controller and ServiceNow only processes
8.2.1 11.5, 11.6 data based on their instructions. ServiceNow does not pass customer data to
8.2.2 third parties.
8.2.3
8.2.5
9.2.1

Audit Assurance & AAC-01 Audit plans shall be developed and maintained to address business X X X X X X X X X X X S4.1.0 (S4.1.0) The entity’s system security is periodically reviewed CC4.1 L.1, L.2, L.7, L.9, L.11 58 (B) CO-01 ME 2.1 APO12.04 Title 16 BOSS > Compliance > Audit shared x Domain 2, 4 6.01. (d) NIST SP 800-53 R3 CA-2 NIST SP 800-53 R3 CA-2 10.2.5 45 CFR 164.312(b) Clause 4.2.3 e) Clauses Commandment #1 CA-2 AR-4 Privacy Auditing 5.1, 5.3, 5.4 PA15 SGP 2.1.2.b Compliant Security auditing and continuous monitoring take a number of forms within
Compliance process disruptions. Auditing plans shall focus on reviewing the and compared with the defined system security policies. ME 2.2 APO12.05 Part 312 Planning NIST SP 800-53 R3 CA-2 (1) NIST SP 800-53 R3 CA-2 (1) Clause 4.2.3b 4.3(a), Commandment #2 CA-7 and Monitoring. To ServiceNow including the following:
Audit Planning effectiveness of the implementation of security operations. All audit PO 9.5 APO12.06 NIST SP 800-53 R3 CA-7 NIST SP 800-53 R3 CA-7 Clause 5.1 g 4.3(b), Commandment #3 PL-6 promote accountability,
activities must be agreed upon prior to executing any audits. S4.2.0 (S4.2.0) There is a process to identify and address potential PO 9.6 MEA02.01 NIST SP 800-53 R3 CA-7 (2) Clause 6 5.1(e), organizations identify and 1) Annual external assessments for both ISO 27001 and SSAE 16 require
impairments to the entity’s ongoing ability to achieve its MEA02.02 NIST SP 800-53 R3 PL-6 A.15.3.1 5.1(f), address gaps in privacy external auditors to examine ServiceNow's controls, procedures and practices.
objectives in accordance with its defined system security 6.2(e), compliance,
policies. 9.1, management, 2) Continuous monitoring of the environment through security operations
9.1(e), operational, and technical
9.2, controls by conducting 3) Penetration testing that includes both ServiceNow, third party and customer
9.3(f), regular assessments testing provide continuous feedback on application security.
A12.7.1 (e.g., internal risk
assessments). Audit for
effective implementation
of all privacy controls
identified in this appendix,
organizations assess
Audit Assurance & AAC-02 Independent reviews and assessments shall be performed at least X X X X X X X X X X X X S4.1.0 (S4.1.0) The entity’s system security is periodically reviewed CC4.1 L.2, L.4, L.7, L.9, L.11 58 (B) CO-02 DS5.5 APO12.04 Title 16 BOSS > Compliance > shared x Domain 2, 4 6.03. (e) NIST SP 800-53 R3 CA-1 NIST SP 800-53 R3 CA-1 1.2.5 45 CFR 164.308 (a)(8) Clause 4.2.3e Clauses Commandment #1 Chapter VI, Section 1 CIP-003-3 - R1.3 - R4.3 CA-1 whether
AR-4. they: (i)
Privacy Auditing 6.1 PA18 GP 11.2 11.2 Compliant ServiceNow undergoes annual ISO 27001, SSAE 16 SOC 1 Type II, and SOC 2
Compliance annually to ensure that the organization addresses nonconformities of and compared with the defined system security policies. 59 (B) ME2.5 APO12.05 Part 312 Independent Audits 6.07.01. (m) NIST SP 800-53 R3 CA-2 NIST SP 800-53 R3 CA-2 1.2.7 45 CFR 164.308(a)(1)(ii)(D) Clause 5.1 g 4.3(a), Commandment #2 Article 39, I. and VIII. CIP-004-3 R4 - R4.2 CA-2 and Monitoring. These 11.3 11.3 Type II audits.
Independent Audits established policies, standards, procedures, and compliance obligations. 61 (C+, A+) ME 3.1 DSS05.07 6.07.01. (n) NIST SP 800-53 R3 CA-2 (1) NIST SP 800-53 R3 CA-2 (1) 4.2.1 Clause 5.2.1 d) 4.3(b), Commandment #3 CIP-005-3a - R1 - R1.1 - R1.2 CA-6 assessments can be self- 6.6 6.3.2, 6.6
S4.2.0 (S4.2.0) There is a process to identify and address potential 76 (B) PO 9.6 MEA02.06 NIST SP 800-53 R3 CA-6 NIST SP 800-53 R3 CA-6 8.2.7 Clause 6 5.1(e), Chapter 8 RA-5 assessments or third-party 12.1.2.b 11.2.1, 11.2.2, 11.2.3,
impairments to the entity’s ongoing ability to achieve its 77 (B) MEA02.07 NIST SP 800-53 R3 RA-5 NIST SP 800-53 R3 RA-5 10.2.3 A.6.1.8 5.1(f), Article 59 audits that result in 11.3.1, 11.3.2, 12.1.2.b,
objectives in accordance with its defined system security MEA02.08 NIST SP 800-53 R3 RA-5 (1) 10.2.5 9.1, reports on compliance 12.8.4
policies. MEA03.01 NIST SP 800-53 R3 RA-5 (2) 9.2, gaps identified in
NIST SP 800-53 R3 RA-5 (3) 9.3(f), programs, projects, and
NIST SP 800-53 R3 RA-5 (6) A18.2.1 information systems.
NIST SP 800-53 R3 RA-5 (9)

Audit Assurance & AAC-03 Organizations shall create and maintain a control framework which X X X X X X X X X X X X S3.1.0 (S3.1.0) Procedures exist to (1) identify potential threats of CC3.1 L.1, L.2, L.4, L.7, L.9 76 (B) Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and CO-05 ME 3.1 APO12.01 312.4 BOSS > Compliance > Information shared x Domain 2, 4 6.10. (a) NIST SP 800-53 R3 AC-1 NIST SP 800-53 R3 AC-1 1.2.2 ISO/IEC 27001:2005 Clauses Commandment #1 AC-1 1.2 3.1.1 3.1 Compliant ServiceNow has a formal control framework that covers various legal, regulatory
Compliance captures standards, regulatory, legal, and statutory requirements relevant disruption to systems operation that would impair system 77 (B) Retention, Subsec. 4.1.3 APO12.02 System Regulatory Mapping 6.10. (b) NIST SP 800-53 R3 AT-1 NIST SP 800-53 R3 AT-1 1.2.4 Clause 4.2.1 b) 2) 4.2(b), Commandment #2 AT-1 2.2 3.1 and statutory requirements and standards. This control framework is based on
Information System for their business needs. The control framework shall be reviewed at least security commitments and (2) assess the risks associated with 78 (B) APO12.03 6.10. (c) NIST SP 800-53 R3 AU-1 NIST SP 800-53 R3 AU-1 1.2.6 Clause 4.2.1 c) 1) 4.4, Commandment #3 AU-1 3.3 the ServiceNow Information Security Policy and Standards. Controls are reviewed on
Regulatory Mapping annually to ensure changes that could affect the business processes are the identified threats. 83 (B) MEA03.01 6.10. (d) NIST SP 800-53 R3 CA-1 NIST SP 800-53 R3 CA-1 1.2.11 Clause 4.2.1 g) 5.2(c), CA-1 5.2 an annual basis or when the business process or the control environment
reflected. 84 (B) 6.10. (e) NIST SP 800-53 R3 CM-1 NIST SP 800-53 R3 CM-1 3.2.4 Clause 4.2.3 d) 6) 5.3(ab), CM-1 changes.
x3.1.0 (x3.1.0) Procedures exist to (1) identify potential threats of 85 (B) 6.10. (f) NIST SP 800-53 R3 CP-1 NIST SP 800-53 R3 CP-1 5.2.1 Clause 4.3.3 6.1.2, CP-1
disruptions to systems operations that would impair system 6.10. (g) NIST SP 800-53 R3 IA-1 NIST SP 800-53 R3 IA-1 Clause 5.2.1 a - f 6.1.3, IA-1
[availability, processing integrity, confidentiality] commitments 6.10. (h) NIST SP 800-53 R3 IA-7 NIST SP 800-53 R3 IA-7 Clause 7.3 c) 4) 6.1.3(b), IA-7
and (2) assess the risks associated with the identified threats. 6.10. (i) NIST SP 800-53 R3 IR-1 NIST SP 800-53 R3 IR-1 A.7.2.1 7.5.3(b), IR-1
NIST SP 800-53 R3 MA-1 NIST SP 800-53 R3 MA-1 A.15.1.1 7.5.3(d), MA-1
NIST SP 800-53 R3 MP-1 NIST SP 800-53 R3 MP-1 A.15.1.3 8.1, MP-1
NIST SP 800-53 R3 PE-1 NIST SP 800-53 R3 PE-1 A.15.1.4 8.3 PE-1
NIST SP 800-53 R3 PL-1 NIST SP 800-53 R3 PL-1 A.15.1.6 9.2(g), PL-1
NIST SP 800-53 R3 PS-1 NIST SP 800-53 R3 PS-1 9.3, PM-1
NIST SP 800-53 R3 RA-1 NIST SP 800-53 R3 RA-1 9.3(b), PS-1
NIST SP 800-53 R3 RA-2 NIST SP 800-53 R3 RA-2 9.3(f), RA-1
NIST SP 800-53 R3 SA-1 NIST SP 800-53 R3 SA-1 10.2, RA-2
NIST SP 800-53 R3 SA-6 NIST SP 800-53 R3 SA-6 A.8.2.1, SA-1
NIST SP 800-53 R3 SC-1 NIST SP 800-53 R3 SC-1 A.18.1.1, SA-6
NIST SP 800-53 R3 SC-13 NIST SP 800-53 R3 SC-13 A.18.1.3, SC-1
NIST SP 800-53 R3 SI-1 NIST SP 800-53 R3 SC-13 (1) A.18.1.4, SC-13
NIST SP 800-53 R3 SC-30 A.18.1.5 SI-1
NIST SP 800-53 R3 SI-1

Business Continuity BCR-01 A consistent unified framework for business continuity planning and plan X X X X X X X X X X X X A3.1.0 (A3.1.0) Procedures exist to (1) identify potential threats of CC3.1 K.1.2.3. K.1.2.4, K.1.2.5, RS-03 DSS04.01 BOSS > Operational Risk Management
provider x Domain 7, 8 6.07. (a) Article 17 (1), (2) NIST SP800-53 R3 CP-1 NIST SP800-53 R3 CP-1 45 CFR 164.308 (a)(7)(i) Clause 5.1 Clause 5.1(h) Commandment #1 CP-1 UL-2 INFORMATION 6.4 12.9.1 12.9.1 Compliant ServiceNow has a defined and published disaster recovery architecture that
Management & development shall be established, documented and adopted to ensure all disruptions to systems operation that would impair system K.1.2.6, K.1.2.7, K.1.2.11, DSS04.02 6.07. (b) NIST SP800-53 R3 CP-2 NIST SP800-53 R3 CP-2 45 CFR 164.308 (a)(7)(ii)(B) A.6.1.2 A.17.1.2 Commandment #2 CP-2 SHARING WITH THIRD 12.9.3 12.9.3 includes the recovery of all customer services in a given geography. This
Operational Resilience business continuity plans are consistent in addressing priorities for availability commitments and (2) assess the risks associated A1.2 K.1.2.13, K.1.2.15 DSS04.03 6.07. (c) NIST SP800-53 R3 CP-3 NIST SP800-53 R3 CP-2 (1) 45 CFR 164.308 (a)(7)(ii)(C) A.14.1.3 A.17.1.2 Commandment #3 CP-3 PARTIES - a. Shares 12.9.4 12.9.4 includes processes for declaring and recovering from a disaster including all
Business Continuity testing, maintenance, and information security requirements. with the identified threats. DSS04.05 NIST SP800-53 R3 CP-4 NIST SP800-53 R3 CP-2 (2) 45 CFR 164.308 (a)(7)(ii)(E) A.14.1.4 CP-4 personally identifiable 12.9.6 12.9.6 required stakeholders.
Planning Requirements for business continuity plans include the following: A1.3 NIST SP800-53 R3 CP-9 NIST SP800-53 R3 CP-3 45 CFR 164.310 (a)(2)(i) CP-6 information (PII)
• Defined purpose and scope, aligned with relevant dependencies A3.3.0 (A3.3.0) Procedures exist to provide for backup, offsite storage, NIST SP800-53 R3 CP-10 NIST SP800-53 R3 CP-4 45 CFR 164.312 (a)(2)(ii) CP-7 externally, only for the ServiceNow High Availability architecture is documented in its Advanced High
• Accessible to and understood by those who will use them restoration, and disaster recovery consistent with the entity’s NIST SP800-53 R3 CP-4 (1) CP-8 authorized purposes Availability (AHA) architecture white paper available from www.servicenow.com.
• Owned by a named person(s) who is responsible for their review, defined system availability and related security policies. NIST SP800-53 R3 CP-6 CP-9 identified in the Privacy AHA provides for disaster recovery in the case of failure of infrastructure at one
update, and approval NIST SP800-53 R3 CP-6 (1) CP-10 Act and/or described in its data site.
• Defined lines of communication, roles, and responsibilities (A3.4.0) Procedures exist to provide for the integrity of backup NIST SP800-53 R3 CP-6 (3) PE-17 notice(s) or for a purpose
• Detailed recovery procedures, manual work-around, and reference A3.4.0 data and systems maintained to support the entity’s defined NIST SP800-53 R3 CP-7 that is compatible with
information system availability and related security policies. NIST SP800-53 R3 CP-7 (1) those purposes; b. Where
• Method for plan invocation NIST SP800-53 R3 CP-7 (2) appropriate, enters into
NIST SP800-53 R3 CP-7 (3) Memoranda of
NIST SP800-53 R3 CP-7 (5) Understanding,
NIST SP800-53 R3 CP-8 Memoranda of
NIST SP800-53 R3 CP-8 (1) Agreement, Letters of
NIST SP800-53 R3 CP-8 (2) Intent, Computer
NIST SP800-53 R3 CP-9 Matching Agreements, or
NIST SP800-53 R3 CP-9 (1) similar agreements, with
NIST SP800-53 R3 CP-9 (3) third parties that
NIST SP800-53 R3 CP-10 specifically describe the
NIST SP800-53 R3 CP-10 (2) PII covered and
NIST SP800-53 R3 CP-10 (3) specifically enumerate the
NIST SP800-53 R3 PE-17 purposes for which the PII
may be used; c. Monitors,
audits, and trains its staff
on the authorized sharing
BCR-02 X X X X X X X X X X X X A3.3 A1.2 RS-04 DSS04.04 BOSS > Operational Risk Management
provider x Domain 7, 8 45 CFR 164.308 (a)(7)(ii)(D) A.14.1.5 A17.3.1 of PII with third parties PA15 SGP 12.9.2 12.9.2, 12.10.2 Compliant
Business Continuity Business continuity and security incident response plans shall be subject (A3.3) Procedures exist to provide for backup, offsite storage, K.1.3, K.1.4.3, K.1.4.6, K.1.4.7, 52 (B) 6.07.01. (b) NIST SP800-53 R3 CP-2 NIST SP800-53 R3 CP-2 Commandment #1 CP-2 4.4 ServiceNow's customer disaster recovery and incident response plans are tested
Management & to testing at planned intervals or upon significant organizational or restoration, and disaster recovery consistent with the entity’s K.1.4.8, K.1.4.9, K.1.4.10, 55 (A+) 6.07.01. (j) NIST SP800-53 R3 CP-3 NIST SP800-53 R3 CP-2 (1) Commandment #2 CP-3 5.2(time limit) on at least an annual basis. In both plans there are customer contact
Operational Resilience environmental changes. Incident response plans shall involve impacted defined system availability and related security policies. K.1.4.11, K.1.4.12 6.07.01. (l) NIST SP800-53 R3 CP-4 NIST SP800-53 R3 CP-2 (2) Commandment #3 CP-4 6.3(whenever change occurs) requirements.
Business Continuity customers (tenant) and other business relationships that represent critical NIST SP800-53 R3 CP-3
Testing intra-supply chain business process dependencies. NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)

Business Continuity BCR-03 Datacenter utilities services and environmental conditions (e.g., water, X X X X X X A3.2.0 (A3.2.0) Measures to prevent or mitigate threats have been A1.1 F.1 F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, 9 (B) Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RS-08 DSS01.03 312.8 and 3Infra Services > Facility Security provider x Domain 7, 8 6.08. (a) Article 17 (1), (2) NIST SP800-53 R3 PE-1 NIST SP800-53 R3 PE-1 A.9.2.2 A11.2.2, Commandment #1 PE-1 10.1 PA15 SGP 4.1, 4.1.1, 9.1, 9.2 Compliant ServiceNow uses commercial co-location data centers which are required to
Management & power, temperature and humidity controls, telecommunications, and implemented consistent with the risk assessment when A1.2 F.2.10, F.2.11, F.2.12 10 (B) DSS01.04 6.09. (c) NIST SP800-53 R3 PE-13 NIST SP800-53 R3 PE-4 A.9.2.3 A11.2.3 Commandment #2 PE-4 10.2 have redundant power, network access, environmental controls as well as 24x7
Operational Resilience internet connectivity) shall be secured, monitored, maintained, and tested commercially practicable. DSS01.05 6.09. (f) NIST SP800-53 R3 PE-13 (1) NIST SP800-53 R3 PE-13 Commandment #3 PE-13 10.3 monitoring of all services in the data center.
Datacenter Utilities / for continual effectiveness at planned intervals to ensure protection from A1.3 DSS04.03 6.09. (g) NIST SP800-53 R3 PE-13 (2) NIST SP800-53 R3 PE-13 (1) Commandment #4 10.4
Environmental unauthorized interception or damage, and designed with automated fail- A3.4.0 (A3.4.0) Procedures exist to protect against unauthorized NIST SP800-53 R3 PE-13 (3) NIST SP800-53 R3 PE-13 (2) Commandment #9 10.5 ServiceNow requires their data centers to be ISO 27001 certified and/or have a
Conditions over or other redundancies in the event of planned or unplanned access to system resource. NIST SP800-53 R3 PE-13 (3) Commandment #11 10.6 valid SSAE 16 SOC 1 Type II attestation to prove that they are a high quality
disruptions. service provider. ServiceNow also requires data centers to be at least Tier III or
equivalent design and construction to support their redundancy capabilities.

Business Continuity BCR-04 Information system documentation (e.g., administrator and user guides, X X X X X X X X X X S3.11.0 (S3.11.0) Procedures exist to provide that personnel CC1.3 G.1.1 56 (B) Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 OP-02 DS 9 BAI08 312.8 and 3SRM > Policies and Standards > shared x Domain 7, 8 Article 17 NIST SP 800-53 R3 CP-9 NIST SP 800-53 R3 CP-9 1.2.6 Clause 4.3.3 Clause 9.2(g) Commandment #1 CIP-005-3a - R1.3 CP-9 10.5 12.1 1.1.2, 1.1.3, 2.2, 12.3 Compliant ServiceNow has an extensive wiki (wiki.servicenow.com) that provides both
Management & and architecture diagrams) shall be made available to authorized responsible for the design, development, implementation, and CC1.4 57 (B) DS 13.1 BAI10 Job Aid Guidelines NIST SP 800-53 R3 CP-10 NIST SP 800-53 R3 CP-9 (1) A.10.7.4 Commandment #2 CIP-007-3 - R9 CP-10 13.5 12.2 12.6 administrative and user guides for the software and the platform.
Operational Resilience personnel to ensure the following: operation of systems affecting security have the qualifications DSS01.01 NIST SP 800-53 R3 SA-5 NIST SP 800-53 R3 CP-9 (3) Commandment #4 SA-5 17.1 12.3
Documentation • Configuring, installing, and operating the information system and resources to fulfill their responsibilities. CC2.1 NIST SP 800-53 R3 CP-10 Commandment #5 SA-10 12.4
• Effectively using the system’s security features NIST SP 800-53 R3 CP-10 (2) Commandment #11 SA-11
A.2.1.0 (A.2.1.0) The entity has prepared an objective description of NIST SP 800-53 R3 CP-10 (3)
the system and its boundaries and communicated such NIST SP 800-53 R3 SA-5
description to authorized users. NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)

Business Continuity BCR-05 Physical protection against damage from natural causes and disasters, as X X X X X X A3.1.0 (A3.1.0) Procedures exist to (1) identify potential threats of CC3.1 F.1 F.2.9, F.1.2.21, F.5.1, F.1.5.2, Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RS-05 DSS01.03 Infra Services > Facility Security provider x Domain 7, 8 6.07. (d) Article 17 (1), (2) NIST SP800-53 R3 PE-1 NIST SP800-53 R3 PE-1 8.2.4 45 CFR 164.308 (a)(7)(i) A.9.1.4 A11.1.4, Commandment #1 CIP-004-3 R3.2 PE-1 8.1 PA15 SGP 3.5.2, 3.6.3, 3.7, Compliant ServiceNow's data centers are purpose built facilities with walls, external fences,
Management & well as deliberate attacks, including fire, flood, atmospheric electrical disruptions to systems operation that would impair system F.2.1, F.2.7, F.2.8 DSS01.04 6.08. (a) NIST SP800-53 R3 PE-13 NIST SP800-53 R3 PE-13 45 CFR 164.310(a)(2)(ii) A.9.2.1 A11.2.1 Commandment #2 PE-13 8.4 5.1, 5.2, 5.3, external cameras, onsite accommodation for data center staff, data center halls
Operational Resilience discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, availability commitments and (2) assess the risks associated A1.1 DSS01.05 6.09. (a) NIST SP800-53 R3 PE-14 NIST SP800-53 R3 PE-13 (1) Commandment #3 PE-14 6.1, 6.2, not connected to external walls and built to local design standards. The data
Environmental Risks explosion, nuclear accident, volcanic activity, biological hazard, civil with the identified threats. A1.2 6.09. (b) NIST SP800-53 R3 PE-15 NIST SP800-53 R3 PE-13 (2) PE-15 7.1, 7.2, centers are at least 50 km apart by policy and much further in practice to prevent
unrest, mudslide, tectonic activity, and other forms of natural or man- 6.09. (d) NIST SP800-53 R3 PE-13 (3) PE-18 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, both data centers being affected by a single event.
made disaster shall be anticipated, designed, and have countermeasures A3.2.0 (A3.2.0) Measures to prevent or mitigate threats have been NIST SP800-53 R3 PE-14 9.7, 9.8, 9.9,
applied. implemented consistent with the risk assessment when NIST SP800-53 R3 PE-15 12.2
commercially practicable. NIST SP800-53 R3 PE-18

Business Continuity BCR-06 To reduce the risks from environmental threats, hazards, and X X X X X X A3.1.0 (A3.1.0) Procedures exist to (1) identify potential threats of CC3.1 F.1 F.2.9, F.1.2.21, F.5.1, F.1.5.2, 53 (A+) Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 RS-06 DSS01.04 312.8 and Infra Services > Facility Security provider x Domain 7, 8 6.07. (d) Article 17 (1), (2) NIST SP800-53 R3 PE-1 NIST SP800-53 R3 PE-1 45 CFR 164.310 (c) A.9.2.1 A11.2.1 Commandment #1 PE-1 8.1 PA15 SGP 9.1.3 9.1.3 Compliant ServiceNow maintains complete redundancy between data centers with
Management & opportunities for unauthorized access, equipment shall be kept away from disruptions to systems operation that would impair system F.2.1, F.2.7, F.2.8 75 (C+, A+) DSS01.05 312.10 6.08. (a) NIST SP800-53 R3 PE-14 NIST SP800-53 R3 PE-5 Commandment #2 PE-5 9.5 9.5 considerable physical separation between data centers. The data centers
Operational Resilience locations subject to high probability environmental risks and availability commitments and (2) assess the risks associated A1.1 6.09. (a) NIST SP800-53 R3 PE-15 NIST SP800-53 R3 PE-14 Commandment #3 PE-14 9.6 9.6 themselves have been built to be resistant to these types of threats.
Equipment Location supplemented by redundant equipment located at a reasonable distance. with the identified threats. A1.2 6.09. (b) NIST SP800-53 R3 PE-15 PE-15 9.9 9.9
6.09. (d) NIST SP800-53 R3 PE-18 PE-18 9.9.1 9.9.1, 12.2
A3.2.0 (A3.2.0) Measures to prevent or mitigate threats have been
implemented consistent with the risk assessment when
commercially practicable.

Business Continuity Management & Operational Resilience
BCR-07 Equipment Maintenance
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
Applicability (as extracted): X X X X X X X X X X X
AICPA TSC 2009: A3.2.0: Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable. A4.1.0: The entity's system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.
AICPA TSC 2014: A1.1, A1.2, CC4.1
BITS Shared Assessments SIG v6.0: F.2.19
BSI Germany: 1 (B)
CCM V1.X: OP-04
COBIT 4.1: A13.3
COBIT 5.0: BAI03.10, BAI04.03, BAI04.04, DSS03.05
CSA Enterprise Architecture: Infra Services > Equipment Maintenance >
Supplier relationship (as extracted): provider x
CSA Guidance V3.0: Domain 7, 8
ENISA IAF: 6.09. (h)
95/46/EC: Article 17 (1)
FedRAMP Security Controls (low impact level): MA-2, MA-4, MA-5
FedRAMP Security Controls (moderate impact level): MA-2, MA-2 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5, MA-6
GAPP (Aug 2009): 5.2.3, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7
HIPAA / HITECH Act: 45 CFR 164.310 (a)(2)(iv)
ISO/IEC 27001:2005: A.9.2.4
ISO/IEC 27001:2013: A11.2.4
Jericho Forum: Commandment #2, #5, #11
NERC CIP: CIP-007-3 - R6.1 - R6.2 - R6.3 - R6.4
NIST SP800-53 R3: MA-2, MA-3, MA-4, MA-5, MA-6
NZISM: 3.3, 12.1, 12.5, 14.5 (software)
ODCA UM: PA R2.0: PA8 BSGP, PA15 SGP
PCI DSS v2.0 / v3.0 (as extracted): 10.8, 11.6
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow's data center operators are required to provide maintenance schedules for the equipment in the data centers, electrical, mechanical and security systems. ServiceNow maintains a full inventory of the equipment that it owns and has comprehensive monitoring of its entire environment to be able to conduct proactive as well as reactive maintenance.

Business Continuity Management & Operational Resilience
BCR-08 Equipment Power Failures
Control specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific Business Impact Assessment.
Applicability (as extracted): X X X X X X X X
AICPA TSC 2009: A3.2.0: Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
AICPA TSC 2014: A1.1, A1.2
BITS Shared Assessments AUP v5.0: F.1
BITS Shared Assessments SIG v6.0: F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12
BSI Germany: 54 (A+)
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: RS-07
COBIT 5.0: DSS01.04, DSS01.05, DSS04.01, DSS04.02, DSS04.03
COPPA: 312.8 and 3
CSA Enterprise Architecture: Infra Services > Facility Security
Supplier relationship (as extracted): provider x
CSA Guidance V3.0: Domain 7, 8
ENISA IAF: 6.08. (a); 6.09. (e); 6.09. (f)
95/46/EC: Article 17 (1), (2)
FedRAMP Security Controls (low impact level): PE-1, PE-12, PE-13, PE-14
FedRAMP Security Controls (moderate impact level): CP-8, CP-8 (1), CP-8 (2), PE-1, PE-9, PE-10, PE-11, PE-12, PE-13, PE-13 (1), PE-13 (2), PE-13 (3), PE-14
ISO/IEC 27001:2005: A.9.2.2, A.9.2.3, A.9.2.4
ISO/IEC 27001:2013: A.11.2.2, A.11.2.3, A.11.2.4
Jericho Forum: Commandment #1, #2, #3
NIST SP800-53 R3: CP-8, PE-1, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14
NZISM: 8.1, 8.2, 8.3, 8.4
ODCA UM: PA R2.0: PA15 SGP
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow addresses this control through its use of redundant data centers where all equipment is replicated in a separate building separated by hundreds or even thousands of KM apart. All equipment within data centers is either redundant or is available via redundant paths.

Business Continuity Management & Operational Resilience
BCR-09 Impact Analysis
Control specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
Applicability (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: A3.1.0: Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats. A3.3.0: Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity's defined system availability and related security policies. A3.4.0: Procedures exist to provide for the integrity of backup data and systems maintained to support the entity's defined system availability and related security policies.
AICPA TSC 2014: CC3.1, A1.2, A1.3
BITS Shared Assessments AUP v5.0: K.2
CCM V1.X: RS-02
COBIT 5.0: BAI06.01, BAI10.01, BAI10.02, BAI10.03, DSS04.01, DSS04.02
CSA Enterprise Architecture: ITOS > Service Delivery > Informati
Supplier relationship (as extracted): provider x
CSA Guidance V3.0: Domain 7, 8
ENISA IAF: 6.02. (a); 6.03.03. (c); 6.07. (a); 6.07. (b); 6.07. (c)
95/46/EC: Article 17 (1), (2)
FedRAMP Security Controls (low impact level): CP-1, CP-2, RA-3
FedRAMP Security Controls (moderate impact level): CP-1, CP-2, RA-3
HIPAA / HITECH Act: 45 CFR 164.308 (a)(7)(ii)(E)
ISO/IEC 27001:2005: A.14.1.2, A.14.1.4
ISO/IEC 27001:2013: A.17.1.1, A.17.1.2
Jericho Forum: Commandment #1, #2, #3
NERC CIP: CIP-007-3 - R8 - R8.1 - R8.2 - R8.3
NIST SP800-53 R3: RA-3
NZISM: 6.4
ODCA UM: PA R2.0: PA8 BSGP, PA15 SGP
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has a documented and tested Information Disaster Recovery (DR) plan that has been designed to work with the architecture to provide a Recovery Point Objective (RPO) of one hour and a Recovery Time Objective (RTO) of two hours.

Business Continuity Management & Operational Resilience
BCR-10 Policy
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Applicability (as extracted): X X X X X X
AICPA TSC 2009: S2.3.0: Responsibility and accountability for the entity's system availability, confidentiality of data, processing integrity, system security and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
AICPA TSC 2014: CC3.2
BITS Shared Assessments SIG v6.0: G.1.1
BSI Germany: 45 (B)
CCM V1.X: OP-01
COBIT 4.1: DS13.1
COBIT 5.0: APO01, APO07.01, APO07.03, APO09.03, DSS01.01
CSA Enterprise Architecture: SRM > Policies and Standards > Operational Security Baselines
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 7, 8
ENISA IAF: 6.03. (c)
FedRAMP Security Controls (low impact level): CM-2, CM-4, CM-6, MA-4, SA-3, SA-4, SA-5
FedRAMP Security Controls (moderate impact level): CM-2, CM-2 (1), CM-2 (3), CM-2 (5), CM-3, CM-3 (2), CM-4, CM-5, CM-6, CM-6 (1), CM-6 (3), CM-9, MA-4, MA-4 (1), MA-4 (2), SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7), SA-5, SA-5 (1), SA-5 (3), SA-8, SA-10, SA-11, SA-11 (1), SA-12
GAPP (Aug 2009): 8.2.1
ISO/IEC 27001:2005: Clause 5.1, A.8.1.1, A.8.2.1, A.8.2.2, A.10.1.1
ISO/IEC 27001:2013: Clause 5.1(h), A.6.1.1, A.7.2.1, A.7.2.2, A.12.1.1
Jericho Forum: Commandment #1, #2, #3, #6, #7
NIST SP800-53 R3: CM-2, CM-3, CM-4, CM-5, CM-6, CM-9, MA-4, SA-3, SA-4, SA-5, SA-8, SA-10, SA-11, SA-12
NZISM: 12.1, 12.2, 12.3, 12.4
PCI DSS v2.0 / v3.0 (as extracted): 4.3, 10.8, 11.1.2, 12.1, 12.2, 12.3, 12.4, 12.5, 12.5.3, 12.6, 12.6.2, 12.10
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has documented policies and procedures for IT service management (ITSM) and personnel are trained as required per policy. ServiceNow's core business is ITSM and this is an integral part of its service. ServiceNow uses instances of its own product to manage many aspects of its environment and this includes any disaster situation.

Business Continuity Management & Operational Resilience
BCR-11 Retention Policy
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
Applicability (as extracted): X X X X X X X X X X
AICPA TSC 2009: A3.3.0: Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity's defined system availability and related security policies. A3.4.0: Procedures exist to provide for the integrity of backup data and systems maintained to support the entity's defined system availability and related security policies. I3.20.0: Procedures exist to provide for restoration and disaster recovery consistent with the entity's defined processing integrity policies. I3.21.0: Procedures exist to provide for the completeness, accuracy, and timeliness of backup data and systems.
AICPA TSC 2014: A1.2, A1.3, I3.21
BITS Shared Assessments SIG v6.0: D.2.2.9
BSI Germany: 36 (B)
Canada PIPEDA: Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and Retention, Subsec. 4.5.2
CCM V1.X: DG-04
COBIT 4.1: DS 4.1, DS 4.2, DS 4.5, DS 4.9, DS 11.6
COBIT 5.0: BAI09.01, BAI09.02, BAI09.03, DSS04.01, DSS04.02, DSS04.03, DSS04.04, DSS04.07, MEA03.01
COPPA: 312.3
CSA Enterprise Architecture: BOSS > Data Governance > Data Retention Rules
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 5
ENISA IAF: 6.03. (h); 6.07.01. (c)
95/46/EC: Article 6(1) e
FedRAMP Security Controls (low impact level): CP-2, CP-9
FedRAMP Security Controls (moderate impact level): CP-2, CP-2 (1), CP-2 (2), CP-6, CP-6 (1), CP-6 (3), CP-7, CP-7 (1), CP-7 (2), CP-7 (3), CP-7 (5), CP-8, CP-8 (1), CP-8 (2), CP-9, CP-9 (1), CP-9 (3)
GAPP (Aug 2009): 5.1.0, 5.1.1, 5.2.2, 8.2.6
HIPAA / HITECH Act: 45 CFR 164.308 (a)(7)(ii)(A); 45 CFR 164.310 (d)(2)(iv); 45 CFR 164.308(a)(7)(ii)(D); 45 CFR 164.316(b)(2)(i) (New)
ISO/IEC 27001:2005: Clause 4.3.3, A.10.5.1, A.10.7.3
ISO/IEC 27001:2013: Clauses 9.2(g), 7.5.3(b), 5.2 (c), 7.5.3(d), 5.3(a), 5.3(b), 8.1, 8.3, A.12.3.1, A.8.2.3
ITAR: EAR 15 § 762.6 Period of Retention; EAR 15 CFR § 786.2 Recordkeeping
Jericho Forum: Commandment #11
Mexico - Federal Law on Protection of Personal Data Held by Private Parties: Chapter II, Article 11, 13
NERC CIP: CIP-003-3 - R4.1
NIST SP800-53 R3: CP-2, CP-6, CP-7, CP-8, CP-9, SI-12, AU-11
NIST SP800-53 R3 App J: FTC Fair Information Principles, Integrity/Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes.
NZISM: 6.4, 13.1
ODCA UM: PA R2.0: PA10 BSGP, PA29 SGP
PCI DSS v2.0: 3.1, 3.1.1, 3.2, 9.9.1, 9.5, 9.6, 10.7
PCI DSS v3.0: 3.1, 3.1.a, 3.2, 9.9.1, 9.5, 9.5.1, 9.6, 9.7, 9.8, 10.7, 12.10.1
ServiceNow rating: Compliant
ServiceNow public explanation: For customer systems, ServiceNow does not require the deletion of data. Customers are able to keep their data in their instances for as long as it is required. ServiceNow then backs up a copy of this as a disaster recovery mechanism, not for archiving purposes. This allows customers to manage their data retention within the service.

Change Control & Configuration Management
CCC-01 New Development / Acquisition
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
Applicability (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.12.0: Procedures exist to maintain system components, including configurations consistent with the defined system security policies. S3.10.0: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies. S3.13.0: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
AICPA TSC 2014: CC7.2, CC7.1, CC7.4
BITS Shared Assessments AUP v5.0: I.2
BITS Shared Assessments SIG v6.0: I.1.1, I.1.2, I.2.7.2, I.2.8, I.2.9, I.2.10, I.2.13, I.2.14, I.2.15, I.2.18, I.2.22.6, L.5
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: RM-01
COBIT 4.1: A12, A16.1
COBIT 5.0: APO01.02, APO01.06, BAI02.04, BAI06.01
CSA Enterprise Architecture: ITOS > IT Operation > Architecture Governance
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: None
ENISA IAF: 6.03. (a)
FedRAMP Security Controls (low impact level): CA-1, CM-1, PL-1, PL-2, SA-1, SA-3, SA-4
FedRAMP Security Controls (moderate impact level): CA-1, CM-1, CM-9, PL-1, PL-2, SA-1, SA-3, SA-4, SA-4 (1), SA-4 (4), SA-4 (7)
GAPP (Aug 2009): 1.2.6
ISO/IEC 27001:2005: A.6.1.4, A.6.2.1, A.12.1.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.5.5, A.15.1.3, A.15.1.4
ISO/IEC 27001:2013: A.14.1.1, A.12.5.1, A.14.3.1, A.9.4.5, 8.1* (partial), A.14.2.7, A.18.1.3, A.18.1.4
Jericho Forum: Commandment #1, #2, #3
NIST SP800-53 R3: CA-1, CM-1, CM-9, PL-1, PL-2, SA-1, SA-3, SA-4
NZISM: 12.1
PCI DSS v2.0: 6.3.2
PCI DSS v3.0: 6.3.2, 12.3.4
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has a number of controls within this domain, including:
1) The purchase of major infrastructure such as data center capacity must go through a procurement process that includes RFPs, onsite audit, finance review and contractual oversight.
2) A development process that is documented and includes extensive validation and sign-off by senior management.

Change Control & Configuration Management
CCC-02 Outsourced Development
Control specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g. ITIL service management processes).
Applicability (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.10.0: Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies. S3.13: Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
AICPA TSC 2014: CC7.1, CC7.4
BITS Shared Assessments AUP v5.0: C.2, I.1, I.2, I.4
BITS Shared Assessments SIG v6.0: C.2.4, G.4, G6, I.1, I.4.4, I.4.5, I.2.7.2, I.2.8, I.2.9, I
BSI Germany: 27 (B)
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: RM-04
CSA Enterprise Architecture: ITOS > IT Operation > Architectur
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: None
ODCA UM: PA R2.0: PA17 SGP
ServiceNow rating: Compliant

Control ID | Applicability (as extracted) | Mappings (as extracted, in column order) | ServiceNow rating; public explanation
CCC-03 | X X X X X X X X X | Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; RM-03; PO 8.1; shared x; None | Compliant
CCC-04 | X X X X X X X X | Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; RM-05; 312.8 and 3; ITOS > Service Support > Configur; shared x; None; 14.1 | Partially Compliant
CCC-05 | X X X X X X X X X X X | I.2.17, I.2.20, I.2.22; Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; RM-02; shared x; None; 6.03. (a); 1.2.6; CIP-003-3 - R6; PA14 SGP | Compliant
DSI-01 | X X X X X X X X X X | D.1.3, D.2.2; DG-02; 312.3; shared x; Domain 5; 6.04.03. (a); NIST SP 800-53 R3 RA-2; A.7.2.1; A.8.2.1; Commandment #9; General Provisions, Article 3, V. and VI.; CIP-003-3 - R4 - R5; PA10 SGP | Not Applicable
DSI-02 | -- | Domain 5; NIST SP 800-53 R3 SC-30 | Compliant
DSI-03 | X X X X X X X | Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; IS-28; DS 5.10 5.11; shared x; Domain 2; Article 17 | Not Applicable
DSI-04 | X X X X X X X X X X | S3.2.a; CC5.1; G.13; D.2.2; DG-03; 312.2; shared x; Domain 5; 6.03.05. (b); 99.31.(a)(1)(ii); CIP-003-3 - R4 - R4.1; 13.1 | Not Applicable
DSI-05 | X X X X X X X | I.2.18; DG-06; SRM > Policies and Standards > Tec; shared x; Domain 5; 6.03. (d); 1.2.6; 45 CFR 164.308(a)(4)(ii)(B); CIP-003-3 - R6; 17.8; 6.4.3; 6.4.3 | Partially Compliant
DSI-06 | X X X X X X X X X | C.2.5.1, C.2.5.2, D.1.3, L.7; DG-01; 312.4; shared x; Domain 5; Article 4; 6.2.1; 45 CFR 164.308 (a)(2); CIP-007-3 - R1.1 - R1.2; 3.4 | Compliant
DSI-07 | X X X X X X X X X | D.2.2.10, D.2.2.11, D.2.2.14; 37 (B); DG-05; DS 11.4; 312.3; shared x; Domain 5; 6.03. (h); Commandment #11 | Compliant
DCS-01 | X X X X X | Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-08; ITOS > Service Support > Configura; provider x; Domain 8; Article 17; Annex A.8; 12.3 | Compliant
DCS-02 | X X X X X | A3.6.0; CC5.5; F.2; 7 (B); Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-03; 312.8 and 3; provider x; Domain 8; Article 17; 99.31.a.1.ii; 8.2.3; PA4 BSGP | Compliant
DCS-03 | X X X X X | S3.2.a; CC5.1; D.1; D.1.1, D.1.3; Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; SA-13; DS5.7; > >; Domain 10; 6.05. (a); Article 17; NIST SP 800-53 R3 IA-4; A.11.4.3 | Compliant
DCS-04 | X X X X X X X X | F.2.18, F.2.19; Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.5; FS-06; SRM > Facility Security > Asset Han; provider x; Domain 8; Article 17; PA4 BSGP; 9.6.3 | Compliant
DCS-05 | X X X X X X X X X X X X | S3.4; CC5.6; D.1; D.1.1, D.2.1. D.2.2; Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.5; FS-07; BOSS > Data Governance > Secure D; provider x; Domain 8; Article 17; NIST SP 800-53 R3 CM-8; 45 CFR 164.310 (d)(2)(iii); CM-8; 12.6; PA4 BSGP | Not Applicable
DCS-06 | X X X | A3.6.0; CC5.5; H.6; 7 (B); Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-01; SRM > Policies and Standards > Inform; provider x; Domain 8; Article 17; 99.31.a.1.ii; PA4 BSGP; 9.1 | Compliant
DCS-07 | X X X X X X X X X X | A3.6.0; CC5.5; F.2; 7 (B); Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-04; DS 12.3; 312.8 and 3; provider x; Domain 8; Article 17; 99.31.a.1.ii; 8.2.3; A.9.1.6; A.11.1.6; CIP-006-3c R1.2 - R1.3 - R1.4; PA4 BSGP | Compliant
DCS-08 | X X X X X X X X | A3.6.0; CC5.5; G.21; F.2.18; Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-05; SRM > Policies and Standards > Inform; provider x; Domain 8; Article 17; 99.31.a.1.ii; 45 CFR 164.310 (d)(1); PA4 BSGP | Compliant
DCS-09 | X X X X X | A3.6.0; CC5.5; F.2; Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; FS-02; DS 12.3; 312.8 and 3; Infra Services > Facility Security >; Domain 8; Article 17; 99.31.a.1.ii; 8.2.3; A.9.1.1; A.11.1.1; 9.1 | Compliant
EKM-01 | | PA36 | Compliant
EKM-02 | X X X X X X X X X | L.6; Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3; IS-19; DS5.8; shared x; Domain 2; Article 17; 16.2; PA36 | Partially Compliant
EKM-03 | X X X X X X X X X X | Schedule 1 (Section 5) 4.7 Safeguards, Subs. 4.7.3; IS-18; shared x; Domain 2; Article 17; CIP-003-3 - R4.2; 16.1; PA25 GP | Compliant where applicable
EKM-04 | X X X X X X X | --; shared x; Domain 11 | Not Compliant
GRM-01 | X X X X X X X X X X X | CC3.2; L.2; L.2, L.5, L.7 L.8, L.9, L.10; Schedule 1 (Section 5), 4.7 - Safeguards; IS-04; 312.8 and 3; shared x; Domain 2; Article 17; Chapter II, Article 19 and Chapter VI, Section I, Article 39 | Compliant
GRM-02 | X X X X X X X X X X | L.4, L.5, L.6, L.7; 34 (B); Schedule 1 (Section 5), 4.7 - Safeguards; DG-08; 312.1; shared x; Domain 5; Article 6, Article 8, Article 17 (1); 12.2 | Compliant
GRM-03 | X X X X X X | CC3.2; E.1; E.4; Schedule 1 (Section 5) 4.1 Accountability; 4.7 Safeguards, Sub 4.7.4; IS-14; 312.8 and 3; shared x; Domain 3, 9; 3.2; 12.6, 7.3, 8.8, 9.10 | Compliant
GRM-04 | X X X X X X X X X X X X | x1.2.; A.1, B.1; Schedule 1 (Section 5), 4.1 - Accountability; 4.7 Safeguards; IS-01; shared x; Domain 2; Article 17; 99.31.(a)(1)(ii); 8.2.1; Chapter II, Article 19; 4.1; PA8 BSGP | Compliant
GRM-05 | X X X X X | S1.3.0; CC1.2; C.1; 5 (B); Schedule 1 (Section 5), 4.1 Safeguards, Subsec. 4.1.1; IS-02; DS5.1; shared x; Domain 2; Article 17; NIST SP 800-53 R3 CM-1; NIST SP 800-53 R3 CM-1; 8.2.1; Chapter VI, Section I, Article 39; CIP-003-3 - R1 - R1.1; 4.1; 12.5; 12.4 | Compliant
GRM-06 | X X X X X X | B.1; Schedule 1 (Section 5) 4.1 Accountability, Subsec 4.1.4; IS-03; DS5.2; shared x; Domain 2; 6.02. (e); Article 17; Chapter VI, Section I, Article 39; PA30 BSGP | Compliant
GRM-07 | X X X X X X | B.1.5; Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4; IS-06; PO 7.7; shared x; Domain 2; Article 17; 99.31(a)(i)(ii); 10.2.4; 45 CFR 164.308 (a)(1)(ii)(C); A.8.2.3; A7.2.3; Chapter X, Article 64 | Compliant
GRM-08 | X X X X X X X X X X X X | Schedule 1 (Section 5), 4.7 - Safeguards; RI-04; PO 9.6; 312.8 and 3; shared x; Domain 2, 4; 6.03. (a); Article 17 (1), (2); CIP-009-3 - R2; 4.3; 12.1.3; 12.2 | Compliant
GRM-09 | X X X X X X | S1.1.0; CC3.2; B.2; B.1.33. B.1.34,; IS-05; shared x; Domain 2; Article 17; 12.1.3; 12.1.1 | Compliant; Senior leadership is responsible for a bi-annual review of ServiceNow's policies.
GRM-10 | X X X X X X X X X X X X | C.2.1, I.4.1, I.5, G.15.1.3, I.3; Schedule 1 (Section 5), 4.7 - Safeguards; RI-02; PO 9.4; APO12; shared x; Domain 2, 4; Article 17 (1), (2); 45 CFR 164.308 (a)(1)(ii)(A); 12.1.2; 12.2 | Compliant
GRM-11 | X X X X X X X X X X X X | CC3.1; L.2; A.1, L.1; Schedule 1 (Section 5), 4.7 - Safeguards; RI-01; PO 9.1; shared x; Domain 2, 4; Article 17 (1), (2); 1.2.4; CIP-009-3 - R4; 12.1.2; 12.2 | Compliant
HRS-01 | X X X X X X X X X X X X | S3.4; CC5.6; D.1; E.6.4; IS-27; BOSS > Human Resources Security; provider x; Domain 2; Article 17; NIST SP 800-53 R3 PS-4; NIST SP 800-53 R3 PS-4; 45 CFR 164.308 (a)(3)(ii)(C); PS-4; 2.2; 9.3 | Compliant
HRS-02 | X X X X X X X | S3.11.0; E.2; E.2; 63 (B); Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3; HR-01; PO 7.6; 312.8 and 3; shared x; None; 6.01. (a); Article 17; 1.2.9; A.8.1.2; A.7.1.1; CIP-004-3 - R2.2; 9.29; PA27 BSGP | Compliant
HRS-03 | X X X X X X X X X X X X | S2.2.0; C.1; E.3.5; 66 (B); Schedule 1 (Section 5) 4.7 Safeguards, Subsec. 4.7.4; HR-02; DS 2.1; shared x; None; Article 17; 9.2; PA27 BSGP | Compliant
HRS-04 | X X X X X X | CC5.4; E.6; HR-03; PO 7.8; shared x; None; Article 17; 45 CFR 164.308 (a)(3)(ii)(C); A.8.3.1; A.7.3.1; PA27 BSGP | Compliant; ServiceNow's onboarding and offboarding procedures define these roles.
Human Resources
HRS-05 Mobile Device Management
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).
Applicability (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: S3.4: Procedures exist to protect against unauthorized access to system resources.
AICPA TSC 2014: CC5.6
BITS Shared Assessments SIG v6.0: G.11, G12, G.20.13, G.20.14
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-32
COBIT 4.1: DS5.11, DS5.5
COBIT 5.0: APO01.08, APO13.01, APO13.02, DSS05.01, DSS05.02, DSS05.03, DSS05.07, DSS06.03, DSS06.06
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: Presentation Services > Presentation Platform > Endpoints - Mobile Devices - Mobile Device Management
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
95/46/EC: Article 17
FedRAMP Security Controls (low impact level): AC-17, AC-18, AC-19, MP-2, MP-6
FedRAMP Security Controls (moderate impact level): AC-17, AC-17 (1), AC-17 (2), AC-17 (3), AC-17 (4), AC-17 (5), AC-17 (7), AC-17 (8), AC-18, AC-18 (1), AC-18 (2), AC-19, AC-19 (1), AC-19 (2), AC-19 (3), MP-2, MP-2 (1), MP-4, MP-4 (1), MP-6, MP-6 (4)
GAPP (Aug 2009): 1.2.6, 3.2.4, 8.2.6
HIPAA / HITECH Act: 45 CFR 164.310 (d)(1)
ISO/IEC 27001:2005: A.7.2.1, A.10.7.1, A.10.7.2, A.10.8.3, A.11.7.1, A.11.7.2, A.15.1.4
ISO/IEC 27001:2013: A.8.2.1, A.8.3.1, A.8.3.2, A.8.3.3, A.6.2.1, A.6.2.2, A.18.1.4
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Other mappings (as extracted): All
NERC CIP: CIP-007-3 - R7.1
NIST SP800-53 R3: AC-17, AC-18, AC-19, MP-2, MP-4, MP-6
NZISM: 19.1, 19.2, 19.3
ODCA UM: PA R2.0: PA33 SGP, PA34 SGP
PCI DSS v2.0: 9.7, 9.7.2, 9.8, 9.9, 11.1, 12.3
PCI DSS v3.0: 11.1, 12.3
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has a formal BYOD and mobile device policy. This policy contains procedures and methodologies that help manage business risk.

Human Resources
HRS-06 Non-Disclosure Agreements
Control specification: Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
Applicability (as extracted): X X X X X X X
AICPA TSC 2009: S4.1.0: The entity's system availability, confidentiality, processing integrity and security performance is periodically reviewed and compared with the defined system availability and related security policies.
AICPA TSC 2014: CC4.1
BITS Shared Assessments SIG v6.0: C.2.5
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards
CCM V1.X: LG-01
COBIT 5.0: APO01.02, APO01.03, APO01.08, APO07.06, APO09.03, APO10.04, APO13.01, APO13.03
COPPA: 312.8 and 3
CSA Enterprise Architecture: BOSS > Compliance > Intellectual Pr
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 3
95/46/EC: Article 16
FedRAMP Security Controls (low impact level): PL-4, PS-6, SA-9
FedRAMP Security Controls (moderate impact level): PL-4, PS-6, SA-9, SA-9 (1)
GAPP (Aug 2009): 1.2.5
ISO/IEC 27001:2005: ISO/IEC 27001:2005 Annex A.6.1.5
ISO/IEC 27001:2013: A.13.2.4
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #6, #7, #8, #9
NIST SP800-53 R3: PL-4, PS-6, SA-9
NIST SP800-53 R3 App J: DI-2 DATA INTEGRITY AND DATA INTEGRITY BOARD: a. Documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls; and b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer
ODCA UM: PA R2.0: PA7 BSGP
PCI DSS (as extracted): 12.8.2, 12.8.3, 12.8.4
ServiceNow rating: Partially Compliant
ServiceNow public explanation: All staff must sign NDAs as part of the on-boarding process.
Human Resources
HRS-07 Roles / Responsibilities
Control specification: Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
Applicability (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: S1.2.f: f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security.
BITS Shared Assessments AUP v5.0: B.1
BITS Shared Assessments SIG v6.0: B.1.5, D.1.1, D.1.3.3, E.1, F.1.1, H.1.1, K.1.2
BSI Germany: 5 (B)
Canada PIPEDA: Schedule 1 (Section 5) 4.1 Accountability
CCM V1.X: IS-13
COBIT 4.1: DS5.1
COBIT 5.0: APO01.02, APO01.03, APO01.08, APO07.06, APO09.03, APO10.04, APO13.01
COPPA: 312.3, 312.
CSA Enterprise Architecture: BOSS > Human Resources Security > Roles and Responsibilities
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
95/46/EC: Article 17
FedRAMP Security Controls (low impact level): PL-4, PS-1, PS-2, PS-6, PS-7
FedRAMP Security Controls (moderate impact level): PL-4, PS-1, PS-2, PS-6, PS-7
FERPA: 99.31(a)(1)(ii)
GAPP (Aug 2009): 1.2.9, 8.2.1
ISO/IEC 27001:2005: Clause 5.1 c), A.6.1.2, A.6.1.3, A.8.1.1
ISO/IEC 27001:2013: Clause 5.3, A.6.1.1, A.6.1.1
Jericho Forum: Commandment #6, #7, #8
NIST SP800-53 R3: AT-3, PL-4, PM-10, PS-1, PS-6, PS-7
NIST SP800-53 R3 App J: AR-1 GOVERNANCE AND PRIVACY PROGRAM: Control: The organization: Supplemental Guidance: The development and implementation of a comprehensive
NZISM: 2.2
ODCA UM: PA R2.0: PA9 BSGP, PA24
PCI DSS (as extracted): 12.8.5
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has standardized roles and grants entitlements based on those roles.

Human Resources
HRS-08 Technology Acceptable Use
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.
Applicability (as extracted): X X X X X X X X
AICPA TSC 2009: S1.2: The entity's security policies include, but may not be limited to, the following matters: S3.9: Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.
AICPA TSC 2014: CC3.2, CC6.2
BITS Shared Assessments AUP v5.0: B.3
BITS Shared Assessments SIG v6.0: B.1.7, D.1.3.3, E.3.2, E.3.5.1, E.3.5.2
Canada PIPEDA: Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4
CCM V1.X: IS-26
COBIT 4.1: DS 5.3
COBIT 5.0: APO01.03, APO01.08, APO13.01, APO13.02, DSS05.04, DSS06.06
COPPA: 312.4, 312.8 and 312.10
CSA Enterprise Architecture: SRM > Policies and Standards > Information Security Policies
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
95/46/EC: Article 5, Article 6, Article 7
FedRAMP Security Controls (low impact level): AC-2, AC-8, AC-20, PL-4
FedRAMP Security Controls (moderate impact level): AC-8, AC-20, AC-20 (1), AC-20 (2), PL-4
GAPP (Aug 2009): 8.1.0
HIPAA / HITECH Act: 45 CFR 164.310 (b)
ISO/IEC 27001:2005: A.7.1.3
ISO/IEC 27001:2013: A.8.1.3
Jericho Forum: Commandment #1, #2, #3
NIST SP800-53 R3: AC-8, AC-20, PL-4
NZISM: 2.2, 5.2, 4.2
PCI DSS v2.0: 12.3.5
PCI DSS v3.0: 12.3
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow's BYOD, Mobile Device and Acceptable Use Policy defines the permitted usage of ServiceNow assets. ServiceNow does not allow the storage of any customer data outside of its data center on any devices, whether ServiceNow owned or not.

Human Resources
HRS-09 Training / Awareness
Control specification: A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Applicability (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: S1.2.k: The entity's security policies include, but may not be limited to, the following matters: k. Providing for training and other resources to support its system security policies. S2.2.0: The security obligations of users and the entity's security commitments to users are communicated to authorized users.
AICPA TSC 2014: CC2.2, CC2.3
BITS Shared Assessments AUP v5.0: E.1
BITS Shared Assessments SIG v6.0: E.4
BSI Germany: 65 (B)
Canada PIPEDA: Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4; 4.7 Safeguards, Subs. 4.7.4
CCM V1.X: IS-11
COBIT 4.1: PO 7.4
COBIT 5.0: APO01.03, APO01.08, APO07.03, APO07.06, APO13.01, APO13.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > GRC >
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
ENISA IAF: 6.01. (c); 6.02. (e)
FedRAMP Security Controls (low impact level): AT-1, AT-2, AT-3, AT-4
FedRAMP Security Controls (moderate impact level): AT-1, AT-2, AT-3, AT-4
FERPA: 99.31(a)(1)(ii)
GAPP (Aug 2009): 1.2.10, 8.2.1
HIPAA / HITECH Act: 45 CFR 164.308 (a)(5)(i); 45 CFR 164.308 (a)(5)(ii)(A)
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2
ISO/IEC 27001:2013: Clause 7.2(a), 7.2(b), A.7.2.2
Jericho Forum: Commandment #3, #6
Mexico - Federal Law on Protection of Personal Data Held by Private Parties: Chapter VI, Section I, Article 39 and Chapter VI, Section II, Article 41
NERC CIP: CIP-004-3 - R1 - R2 - R2.1
NIST SP800-53 R3: AT-1, AT-2, AT-3, AT-4
NIST SP800-53 R3 App J: AR-5 PRIVACY AWARENESS AND TRAINING: Control: The organization: a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that
NZISM: 9.1
ODCA UM: PA R2.0: PA28 BSGP
PCI DSS v2.0 / v3.0 (as extracted): 12.6, 12.6.1, 12.6.2 / 12.6
ServiceNow rating: Compliant
ServiceNow public explanation: All ServiceNow staff receive general security training and recertify on an annual basis. The Code of Conduct policy and Ethics training are also conducted on an annual basis.
Human Resources
HRS-10 User Responsibility
Control specification: All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
Applicability (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: S2.3.0: Responsibility and accountability for the entity's system availability, confidentiality, processing integrity and security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
AICPA TSC 2014: CC3.2
BITS Shared Assessments AUP v5.0: E.1
BITS Shared Assessments SIG v6.0: E.4
BSI Germany: 65 (B), 66 (B)
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.4
CCM V1.X: IS-16
COBIT 4.1: PO 4.6
COBIT 5.0: APO01.02, APO01.03, APO01.08, APO07.03, APO07.06, APO13.01, APO13.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: BOSS > Human Resources Security > Employee Awareness
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
95/46/EC: Article 17
FedRAMP Security Controls (low impact level): AT-2, AT-3, AT-4, PL-4
FedRAMP Security Controls (moderate impact level): AT-2, AT-3, AT-4, PL-4
GAPP (Aug 2009): 1.2.10, 8.2.1
HIPAA / HITECH Act: 45 CFR 164.308 (a)(5)(ii)(D)
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2, A.11.3.1, A.11.3.2
ISO/IEC 27001:2013: Clause 7.2(a), 7.2(b), A.7.2.2, A.9.3.1, A.11.2.8
Jericho Forum: Commandment #5, #6, #7
Mexico - Federal Law on Protection of Personal Data Held by Private Parties: Chapter VI, Section I, Article 39 and Chapter VI, Section II, Article 41
NIST SP800-53 R3: AT-2, AT-3, AT-4, PL-4
NIST SP800-53 R3 App J: UL-1 INTERNAL USE: Control: The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy
NZISM: 9.1
PCI DSS (as extracted): 8.5.7, 12.4, 12.6.1
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow staff undergo Code of Conduct training which includes expected behaviors within ServiceNow's environment at new hire. Annual security training also includes behaviors required for a safe environment.
Human Resources
HRS-11 Workspace
Control specification: Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions are disabled after an established period of inactivity.
Applicability (as extracted): X X X X X X X X
AICPA TSC 2009: S3.3.0: Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers. S3.4.0: Procedures exist to protect against unauthorized access to system resources.
AICPA TSC 2014: CC5.5, CC5.6
BITS Shared Assessments AUP v5.0: E.1
BITS Shared Assessments SIG v6.0: E.4
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-17
COBIT 5.0: APO01.02, APO01.03, APO01.08, APO07.03, APO07.06, APO13.01, APO13.03, DSS05.03
COPPA: 312.8 and 3
CSA Enterprise Architecture: BOSS > Data Governance > Clear D
Supplier relationship (as extracted): shared x
CSA Guidance V3.0: Domain 2
FedRAMP Security Controls (low impact level): MP-1, MP-2
FedRAMP Security Controls (moderate impact level): AC-11, MP-1, MP-2, MP-2 (1), MP-3, MP-4, MP-4 (1)
GAPP (Aug 2009): 8.2.3
ISO/IEC 27001:2005: Clause 5.2.2, A.8.2.2, A.9.1.5, A.11.3.1, A.11.3.2, A.11.3.3
ISO/IEC 27001:2013: Clause 7.2(a), 7.2(b), A.7.2.2, A.11.1.5, A.9.3.1, A.11.2.8, A.11.2.9
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #5, #6, #7, #11
NIST SP800-53 R3: AC-11, MP-2, MP-3, MP-4
NZISM: 8.1
PCI DSS (as extracted): 8.1.8
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has a fifteen-minute lockout for all workstations and laptops.
Identity & Access Management, IAM-01: Audit Tools Access
Control specification: Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
Applicability marks (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.2.g g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
AICPA TSC 2014: CC5.1
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-29
COBIT 4.1: DS 5.7
COBIT 5.0: APO01.03, APO01.08, APO13.01, APO13.02, DSS05.03, DSS05.05, DSS06.06
COPPA: 312.8 and 3
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Privilege Usage Management
Supplier relationship: shared; x; CSA Guidance Domain 2
ENISA: 6.03. (i), 6.03. (j)
FedRAMP Low: NIST SP 800-53 R3 AU-9
FedRAMP Moderate: NIST SP 800-53 R3 AU-9, AU-9 (2)
GAPP: 8.2.1
ISO/IEC 27001-2005: A.15.3.2
Jericho Forum: Commandment #2, #5, #11
NERC CIP: CIP-003-3 - R5.2
NIST SP 800-53 R3: AU-9, AU-11, AU-14
NZISM: 15.4
PCI DSS v2.0: 10.5.5; PCI DSS v3.0: 10.5
Other mapped references (as extracted): 7.1.2, 7.1.4, 7.2, 8.1, 8.1.5, 8.5
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow logs all security events from its infrastructure to its central logging. This system is configured and maintained according to the vendor's best practice to ensure that logs cannot be accessed or modified by unauthorized personnel.
Identity & Access Management, IAM-02: Credential Lifecycle / Provision Management
Control specification: User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures and supporting roles and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expirable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements
Applicability marks (as extracted): X X X X X X X X X X X
AICPA TSC 2009: S3.2.0 Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: c. Registration and authorization of new users. d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
BITS Shared Assessments AUP v5.0: B.1; SIG v6.0: B.1.8, B.1.21, B.1.28, E.6.2, H.1.1, K.1.4.5
BSI Germany: 8 (B), 40 (B), 41 (B), 42 (B), 43 (B), 44 (C+)
Canada PIPEDA: Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.4; 4.7 Safeguards, Subs. 4.7.4
CCM V1.X: IS-07
COBIT 4.1: DS 5.4
COBIT 5.0: APO01.02, APO01.03, APO01.08, APO13.01, APO13.02, DSS05.04, DSS05.05, DSS05.06, DSS06.03, DSS06.06
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > Policies and Standards >
Supplier relationship: shared; x; CSA Guidance Domain 2
ENISA: 6.01. (b), 6.01. (d), 6.02. (e), 6.03. (b), 6.03.04. (b), 6.03.04. (c), 6.03.05. (b), 6.03.05. (d), 6.03.06. (b), 6.04.01. (c), 6.04.01. (f), 6.04.02. (a), 6.04.02. (b), 6.04.02. (c), 6.04.03. (b), 6.04.06. (a), 6.04.08. (a), 6.04.08. (b), 6.04.08. (c), 6.04.08.03. (a), 6.04.08.03. (b)
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Low: NIST SP 800-53 R3 AC-1, AC-7, AC-14, IA-1
FedRAMP Moderate: NIST SP 800-53 R3 AC-1, AC-7, AC-10, AC-14, IA-1
GAPP: 8.1.0
HIPAA / HITECH Act: 45 CFR 164.308 (a)(3)(i), 164.312 (a)(1), 164.312 (a)(2)(ii), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C)
ISO/IEC 27001-2005: A.11.1.1, A.11.2.1, A.11.2.4, A.11.4.1, A.11.5.2, A.11.6.1
ISO/IEC 27001-2013: A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.5, A.9.1.2, A.9.4.1
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-007-3 - R5.1 - R5.1.2
NIST SP 800-53 R3: AC-1, IA-1
NZISM: 15.1, 15.2
PCI DSS v2.0: 3.5.1, 8.5.1, 12.5.4; PCI DSS v3.0: 3.5.1, 7.0, 8.0, 12.5.4
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow customers control the authentication, authorization, auditing and compliance requirements for their instances. The procedures for these items can be found on the ServiceNow wiki. ServiceNow maintains its own internal provisioning in accordance with its policies.

Identity & Access Management, IAM-03: Diagnostic / Configuration Ports Access
Control specification: User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
Applicability marks (as extracted): X X X X X X X
AICPA TSC 2009: S3.2.g g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
AICPA TSC 2014: CC5.1
BITS Shared Assessments: H1.1, H1.2, G.9.15
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-30
COBIT 4.1: DS5.7
COBIT 5.0: APO13.01, DSS05.02, DSS05.03, DSS05.05, DSS06.06
COPPA: 312.8 and 3
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Privilege Usage Management - Resource Protection
Supplier relationship: provider; x; CSA Guidance Domain 2
FedRAMP Low: NIST SP 800-53 R3 CM-7, MA-4, MA-5
FedRAMP Moderate: NIST SP 800-53 R3 CM-7, CM-7 (1), MA-3, MA-3 (1), MA-3 (2), MA-3 (3), MA-4, MA-4 (1), MA-4 (2), MA-5
ISO/IEC 27001-2005: A.10.6.1, A.11.1.1, A.11.4.4, A.11.5.4
ISO/IEC 27001-2013: A.13.1.1, A.9.1.1, A.9.4.4
Jericho Forum: Commandment #3, #4, #5, #6, #7, #8
NERC CIP: CIP-007-3 - R2
NIST SP 800-53 R3: CM-7, MA-3, MA-4, MA-5
NZISM: 15.4
PCI DSS v2.0: 9.1.2; PCI DSS v3.0: 1.2.2
Other mapped references (as extracted): 7.1, 7.1.2, 7.1.3, 7.2, 7.2.3, 9.1.2, 9.1.3
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow data center architecture requires limited physical access and this access is closely controlled. Access to the actual diagnostic and configuration ports is therefore very restricted.

Identity & Access Management, IAM-04: Policies and Procedures
Control specification: Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity.
Applicability marks (as extracted): --
COBIT 5.0: APO01.03, APO01.08, APO13.01, APO13.02, DSS05.02, DSS05.04, DSS06.06
CSA Enterprise Architecture: SRM > Policies and Standards > Information Security Policies
CSA Guidance: Domain 12
ISO/IEC 27001-2013: Annex A.9.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6
Other mapped references (as extracted): 7.3, 8.8, 9.10
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow has formally documented Information Security Policies which contain a section on Access Control and User Access Management. The Information Security Policies address purpose, scope, responsibilities, management commitment, coordination among organizational entities, and compliance.

Identity & Access Management, IAM-05: Segregation of Duties
Control specification: User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
Applicability marks (as extracted): X X X X X X X X X X X
AICPA TSC 2009: S3.2.a a. Logical access security measures to restrict access to information resources not deemed to be public.
AICPA TSC 2014: CC5.1
BITS Shared Assessments: G.2.13. G.3, G.20.1, G.20.2, G.20.5
Canada PIPEDA: Schedule 1 (Section 5) 4.7 Safeguards, Subs. 4.7.3(b)
CCM V1.X: IS-15
COBIT 4.1: DS 5.4
COBIT 5.0: APO01.03, APO01.08, APO13.02, DSS05.04, DSS06.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: ITOS > Resource Management > Segregation of Duties
Supplier relationship: shared; x; CSA Guidance Domain 2
ENISA: 6.04.01. (d), 6.04.08.02. (a)
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Low: NIST SP 800-53 R3 AC-1, AC-2, AU-1, AU-2, AU-6
FedRAMP Moderate: NIST SP 800-53 R3 AC-1, AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AC-5, AC-6, AC-6 (1), AC-6 (2), AU-1, AU-2, AU-6, AU-6 (1), AU-6 (3), SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6)
FERPA: 99.31(a)(1)(ii)
GAPP: 8.2.2
HIPAA / HITECH Act: 45 CFR 164.308 (a)(1)(ii)(D), 164.308 (a)(3)(ii)(A), 164.308(a)(4)(ii)(A), 164.308 (a)(5)(ii)(C), 164.312 (b)
ISO/IEC 27001-2005: A.10.1.3
ISO/IEC 27001-2013: A.6.1.2
Jericho Forum: Commandment #6, #7, #8, #10
NERC CIP: CIP-007-3 R5.1.1
NIST SP 800-53 R3: AC-1, AC-2, AC-5, AC-6, AU-1, AU-6, SI-1, SI-4
NZISM: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
ODCA UM: PA24 P
PCI DSS v2.0: 6.4.2; PCI DSS v3.0: 6.4.2, 7.3
Other mapped references (as extracted): 8.8, 9.10
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow establishes a division of responsibility and separation of duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.

Identity & Access Management, IAM-06: Source Code Access Restriction
Control specification: Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
Applicability marks (as extracted): X X X X X X X X
AICPA TSC 2009: S3.13.0 Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
AICPA TSC 2014: CC7.4
BITS Shared Assessments: I.2.7.2, I.2.9, I.2.10, I.2.15
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-33
COBIT 5.0: APO01.03, APO01.08, APO13.02, DSS05.04, DSS06.03
CSA Enterprise Architecture: ITOS > Service Support > Release
Supplier relationship: shared; x; CSA Guidance Domain 2
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Moderate: NIST SP 800-53 R3 CM-5, CM-5 (1), CM-5 (5)
GAPP: 1.2.6, 6.2.1
ISO/IEC 27001-2005: Clause 4.3.3, A.12.4.3, A.15.1.3
ISO/IEC 27001-2013: Clause 5.2(c), 5.3(a), 5.3(b), 7.5.3(b), 7.5.3(d)
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #6, #7, #9, #10
NIST SP 800-53 R3: CM-5, CM-6
NZISM: 9.4, 14.1, 14.2, 19.1
PCI DSS v2.0: 6.4.1, 6.4.2; PCI DSS v3.0: 6.4.1, 6.4.2, 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow's source code control system has its authentication and authorization mechanism and is only available to staff who require source code access.

Identity & Access Management, IAM-07: Third Party Access
Control specification: The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
Applicability marks (as extracted): X X X X X X X X X X X X
AICPA TSC 2009: S3.1 Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats. x3.1.0 Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
AICPA TSC 2014: CC3.1
BITS Shared Assessments AUP v5.0: B.1, H.2; SIG v6.0: B.1.1, B.1.2, D.1.1, E.1, F.1.1, H.1.1, K.1.1, E.6.2, E.6.3
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards
CCM V1.X: RI-05
COBIT 4.1: DS 2.3
COBIT 5.0: APO01.03, APO01.08, APO07.06, APO10.04, APO13.02, DSS05.04, DSS05.07, DSS06.03, DSS06.06
COPPA: 312.8 and 3
CSA Enterprise Architecture: SRM > Governance Risk & Compliance > Vendor Management
Supplier relationship: shared; x; CSA Guidance Domain 2, 4
ENISA: 6.02. (a), 6.02. (b), 6.03. (a)
EU Data Protection Directive 95/46/EC: Article 17 (1), (2)
FedRAMP Low: NIST SP 800-53 R3 AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-5, IA-5 (1), IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
FedRAMP Moderate: NIST SP 800-53 R3 AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, IA-1, IA-4, IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, RA-1, SA-1, SC-1, SI-1
GAPP: 7.1.1, 7.1.2, 7.2.1, 7.2.2, 7.2.3, 7.2.4
ISO/IEC 27001-2005: A.6.2.1, A.8.3.3, A.11.1.1, A.11.2.1, A.11.2.4
ISO/IEC 27001-2013: A.9.2.6, A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.5
NIST SP 800-53 R3: CA-3, MA-4, RA-3
FTC Fair Information Principles, Integrity/Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers.
NZISM: 2.2, 4.3
PCI DSS v2.0: 12.8.1, 12.8.2, 12.8.3, 12.8.4; PCI DSS v3.0: 12.8, 12.2
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls. ServiceNow requires that Vendor Security Assessment Checklists be completed for all relevant vendors (high risk) and maintains a risk ranking matrix to track security compliance of vendors. ServiceNow third parties do not have access to ServiceNow customer data.

Identity & Access Management, IAM-08: Trusted Sources
Control specification: Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
Applicability marks (as extracted): X X X X X
AICPA TSC 2009: S3.2.0 Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: c. Registration and authorization of new users. d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls). S4.3.0 Environmental, regulatory, and technological changes are monitored, and their effect on system availability, confidentiality, processing integrity and security is assessed on a timely basis; policies are updated for that assessment.
AICPA TSC 2014: CC3.3
CCM V1.X: IS-08, IS-12
COBIT 5.0: APO01.03, APO01.08, APO10.04, APO13.02, DSS05.04, DSS06.03, DSS06.06
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: Information Services > User Directory Services > Active Directory Services, LDAP Repositories, X.500 Repositories, DBMS Repositories, Meta Directory Services, Virtual Directory Services
Supplier relationship: shared; x; CSA Guidance Domain 12
ISO/IEC 27001-2013: Annex A.9.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.5, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.5
FTC Fair Information Principles, Integrity/Security (http://www.ftc.gov/reports/): the same passage quoted in full under IAM-07
NZISM: 3.2, 9.2, 15.2
PCI DSS: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow restricts access to the directory services and other authentication sources within ServiceNow to the appropriate managers. For customer systems the customer has the ability to control who has administrative entitlements to users, groups and roles within a customer instance.

Identity & Access Management, IAM-09: User Access Authorization
Control specification: Provisioning user access (e.g., employees, contractors, customers (tenants), business partners and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Applicability marks (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.2.0 Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: c. Registration and authorization of new users. d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
BITS Shared Assessments: H.2.4, H.2.5
BSI Germany: 35 (B), 40 (B), 41 (B), 42 (B), 44 (C+)
Canada PIPEDA: Schedule 1 (Section 5) Safeguards, Subs. 4.7.2 and 4.7.3
CCM V1.X: IS-08
COBIT 4.1: DS5.4
COBIT 5.0: APO01.03, APO01.08, APO07.06, APO10.04, APO13.02, DSS05.04, DSS06.03, DSS06.06
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Identity Management - Identity Provisioning
Supplier relationship: shared; x; CSA Guidance Domain 2
ENISA: 6.03.04. (b), 6.03.04. (c), 6.03.05. (d), 6.03.06. (a), 6.03.06. (b), 6.04.01. (a), 6.04.01. (b), 6.04.01. (d), 6.04.01. (e), 6.04.01. (g), 6.04.03. (c), 6.04.08.02. (a)
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Low: NIST SP 800-53 R3 AC-3, IA-2, IA-2 (1), IA-4, IA-5, IA-5 (1), IA-8, MA-5, PS-6, SA-7
FedRAMP Moderate: NIST SP 800-53 R3 AC-3, AC-3 (3), AC-5, AC-6, AC-6 (1), AC-6 (2), IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-4, IA-4 (4), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-8, MA-5, PS-6, SA-7, SC-30, SI-9
GAPP: 8.2.2
HIPAA / HITECH Act: 45 CFR 164.308 (a)(3)(i), 164.308 (a)(3)(ii)(A), 164.308 (a)(4)(i), 164.308 (a)(4)(ii)(B), 164.308 (a)(4)(ii)(C), 164.312 (a)(1)
ISO/IEC 27001-2005: A.11.2.1, A.11.2.2, A.11.4.1, A.11.4.2, A.11.6.1
ISO/IEC 27001-2013: A.9.2.1, A.9.2.2, A.9.2.3, A.9.1.2, A.9.4.1
Jericho Forum: Commandment #6, #7, #8, #9, #10
NERC CIP: CIP-003-3 - R5.1.1 - R5.3; CIP-004-3 R2.3; CIP-007-3 R5.1 - R5.1.2
NIST SP 800-53 R3: AC-3, AC-5, AC-6, IA-2, IA-4, IA-5, IA-8, MA-5, PS-6, SA-7, SI-9
NIST SP 800-53 R3 App J: AP-1 The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.
NZISM: 9.2, 15.2
ODCA UM: PA24 GP
PCI DSS v2.0: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.2.1, 7.2.2, 8.5.1, 12.5.4; PCI DSS v3.0: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 12.5.4
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow management must give permission for new users to be provisioned, either via HR process upon onboarding or through incident tickets for changes to basic entitlements. This process applies to all components in ServiceNow's infrastructure. For customer instances, customers control the user access to their data through the application. This includes user accounts and user access privileges. The ServiceNow wiki (wiki.servicenow.com) describes the various methods for maintaining user accounts and entitlements.

Identity & Access Management, IAM-10: User Access Reviews
Control specification: User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.
Applicability marks (as extracted): X X X X X X X X X X X
AICPA TSC 2009: S3.2.0 Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
BITS Shared Assessments: H.2.6, H.2.7, H.2.9
BSI Germany: 41 (B)
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards
CCM V1.X: IS-10
COBIT 4.1: DS5.3, DS5.4
COBIT 5.0: APO01.03, APO01.08, APO13.02, DSS05.04, DSS06.03, DSS06.06, MEA01.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Authorization Services - Entitlement Review
Supplier relationship: shared; x; CSA Guidance Domain 2
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Low: NIST SP 800-53 R3 AC-2, AU-6, PS-6, PS-7
FedRAMP Moderate: NIST SP 800-53 R3 AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), AU-6, AU-6 (1), AU-6 (3), PS-6, PS-7
FERPA: 99.31(a)(1)(ii)
GAPP: 8.2.1, 8.2.7
HIPAA / HITECH Act: 45 CFR 164.308 (a)(3)(ii)(B), 164.308 (a)(4)(ii)(C)
ISO/IEC 27001-2005: A.11.2.4
ISO/IEC 27001-2013: A.9.2.5
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #6, #7, #8, #10
NERC CIP: CIP-004-3 R2.2.2; CIP-007-3 - R5 - R.1.3
NIST SP 800-53 R3: AC-2, AU-6, PM-10, PS-6, PS-7
NZISM: 9.2
PCI DSS v2.0: 8.1.4
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow conducts periodic access reviews of user access to its infrastructure and as a result of the reviews generates incident tickets for access removal where access is inappropriate or if a user has not been successfully deprovisioned. ServiceNow customers are responsible for the review of access rights assigned to their users within their instances.

Identity & Access Management, IAM-11: User Access Revocation
Control specification: Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (e.g., termination of employment or other business relationship, job change or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control.
Applicability marks (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.2.0 Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters: d. The process to make changes to user profiles. g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
BITS Shared Assessments AUP v5.0: H.2; SIG v6.0: E.6.2, E.6.3
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards
CCM V1.X: IS-09
COBIT 4.1: DS 5.4
COBIT 5.0: APO01.03, APO01.08, APO13.02, DSS05.04, DSS06.03, DSS06.06, MEA01.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Identity Management - Identity Provisioning
Supplier relationship: shared; x; CSA Guidance Domain 2
ENISA: 6.03.04. (b), 6.03.04. (c), 6.03.05. (d), 6.03.06. (a), 6.04.02. (b)
EU Data Protection Directive 95/46/EC: Article 17
FedRAMP Low: NIST SP 800-53 R3 AC-2, PS-4, PS-5
FedRAMP Moderate: NIST SP 800-53 R3 AC-2, AC-2 (1), AC-2 (2), AC-2 (3), AC-2 (4), AC-2 (7), PS-4, PS-5, SC-30
FERPA: 99.31(a)(1)(ii)
GAPP: 8.2.1
HIPAA / HITECH Act: 45 CFR 164.308(a)(3)(ii)(C)
ISO/IEC 27001-2005: ISO/IEC 27001:2005 Annex A, A.8.3.3, A.11.1.1, A.11.2.1, A.11.2.2
ISO/IEC 27001-2013: A.9.2.6, A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.3
ITAR: ITAR 22 CFR § 120.17; EAR 15 CFR §736.2 (b)
Jericho Forum: Commandment #6, #7, #8
NERC CIP: CIP-004-3 R2.2.3; CIP-007-3 - R5.1.3 - R5.2.1 - R5.2.3
NIST SP 800-53 R3: AC-2, PS-4, PS-5
FTC Fair Information Principles, Integrity/Security: the same passage quoted in full under IAM-07
NZISM: 9.2
PCI DSS v2.0: 8.5.4, 8.5.5; PCI DSS v3.0: 8.1.3, 8.1.4, 8.1.5, 12.5.4
ServiceNow rating: Partially Compliant
ServiceNow explanation: ServiceNow has SOPs for the deprovisioning of staff and contractors who are no longer associated with ServiceNow. ServiceNow does not however inform customers during staff on-boarding or off-boarding nor does it notify customers about changes to staff entitlements. ServiceNow undergoes annual SSAE 16 Type II attestations and maintains ISO 27001 certification that includes de-provisioning processes and entitlement reviews.

Identity & Access Management, IAM-12: User ID Credentials
Control specification: Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expirable, non-shared authentication secrets)
Applicability marks (as extracted): X X X X X X X X X
AICPA TSC 2009: S3.2.b b. Identification and authentication of users.
AICPA TSC 2014: CC5.3
BITS Shared Assessments AUP v5.0: B.1, H.5; SIG v6.0: E.6.2, E.6.3, H.1.1, H.1.2, H.2, H.3.2, H.4, H.4.1, H.4.5, H.4.8
BSI Germany: 6 (B)
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: SA-02
COBIT 4.1: DS5.3, DS5.4
COBIT 5.0: APO01.03, APO01.08, APO13.02, DSS05.04, DSS06.03, DSS06.06, MEA01.03
COPPA: 312.8 and 312.10
CSA Enterprise Architecture: SRM > Policies and Standards > Technical Security Standards
Supplier relationship: shared; x; CSA Guidance Domain 10
ENISA: 6.03.04. (b), 6.03.04. (c), 6.03.05. (d), 6.04.05. (b)
EU Data Protection Directive 95/46/EC: Article 17 (1), (2)
FedRAMP Low: NIST SP 800-53 R3 AC-1, AC-2, AC-3, AU-2, AU-11, IA-1, IA-2, IA-2 (1), IA-5, IA-5 (1), IA-6, IA-8
FedRAMP Moderate: NIST SP 800-53 R3 AC-1, AC-2, AC-3, AC-11, AC-11 (1), AU-2, AU-2 (3), AU-2 (4), AU-11, IA-1, IA-2, IA-2 (1), IA-2 (2), IA-2 (3), IA-2 (8), IA-5, IA-5 (1), IA-5 (2), IA-5 (3), IA-5 (6), IA-5 (7), IA-6, IA-8, SC-10
FERPA: 99.3, 99.31(a)(1)(ii)
HIPAA / HITECH Act: 45 CFR 164.308(a)(5)(ii)(C), 164.308 (a)(5)(ii)(D), 164.312 (a)(2)(i), 164.312 (a)(2)(iii), 164.312 (d)
ISO/IEC 27001-2005: A.8.3.3, A.11.1.1, A.11.2.1, A.11.2.3, A.11.2.4, A.11.5.5
ISO/IEC 27001-2013: A.9.2.6, A.9.1.1, A.9.2.1, A.9.2.2, A.9.2.4, A.9.2.5, A.9.4.2
Jericho Forum: Commandment #6, #7, #8, #9
NERC CIP: CIP-004-3 R2.2.3; CIP-007-3 - R5.2 - R5.3.1 - R5.3.2 - R5.3.3
NIST SP 800-53 R3: AC-1, AC-2, AC-3, AC-11, AU-2, AU-11, IA-1, IA-2, IA-5, IA-6, IA-8, SC-10
FTC Fair Information Principles, Integrity/Security: Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers.
NZISM: 15.1, 15.2
ODCA UM: PA9 BSGP, PA6 BSGP, PA24 P, PA22 GP
PCI DSS v2.0: 8.1, 8.2, 8.3, 8.4, 8.5, 10.1, 12.2, 12.3.8; PCI DSS v3.0: 8.0, 10.1, 12.3
ServiceNow rating: Compliant where applicable
ServiceNow explanation: ServiceNow customers are granted full administrative control to their instances including all authentication and authorization of their users to their instances of ServiceNow. Customers can choose to:
1) Make use of the built-in authentication database within ServiceNow using a user ID and salt-hashed password.
2) Make use of external authentication options such as LDAP (AD) or SAML to authenticate their users.
3) Make use of multifactor authentication of their own IdP when using SAML.
4) Manage authorization through groups and roles in ServiceNow or integrate authorization controls into their own directory services via LDAP or flat-file-based synchronization.
The ServiceNow wiki (wiki.servicenow.com) has detailed instructions on the implementation of authentication and authorization, via ACL and RBAC.

Identity & Access Management, IAM-13: Utility Programs Access
Control specification: Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Applicability marks (as extracted): X X X X X X X X X X
AICPA TSC 2009: S3.2.g g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
AICPA TSC 2014: CC5.1
BITS Shared Assessments: H.2.16
Canada PIPEDA: Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
CCM V1.X: IS-34
COBIT 4.1: DS5.7
COBIT 5.0: APO13.01, APO13.02, DSS05.05
COPPA: 312.8 and 3
CSA Enterprise Architecture: SRM > Privilege Management Infrastructure > Privilege Usage Management - Resource Protection
Supplier relationship: shared; x; CSA Guidance Domain 2
FedRAMP Low: NIST SP 800-53 R3 CM-7, CM-7 (1)
FedRAMP Moderate: NIST SP 800-53 R3 AC-6, AC-6 (1), AC-6 (2), CM-7
ISO/IEC 27001-2005: A.11.4.1, A.11.4.4, A.11.5.4
ISO/IEC 27001-2013: A.9.1.2, Deleted, A.9.4.4
Jericho Forum: Commandment #1, #5, #6, #7
NERC CIP: CIP-007-3 - R2.1 - R2.2 - R2.3
NIST SP 800-53 R3: AC-5, AC-6, CM-7, SC-3, SC-19
NZISM: 12.2, 14.2
PCI DSS v2.0: 7.1.2, 7.1, 7.1.2, 7.2; PCI DSS v3.0: 5.0
ServiceNow rating: Compliant
ServiceNow explanation: ServiceNow restricts access to its data center network and monitors the behavior of privileged users when they are in that environment.

IVS-01 Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection
Control specification: Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
Applicability flags (as extracted): X X X X X X X X X X X
Mappings: AICPA 2009 TSC S3.7 | Trust Service Criteria (S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents. | AICPA 2014 TSC CC6.2 | BITS AUP v5.0 G.7, G.8, G.9, J.1, L.2 | BITS SIG v6.0 G.14.7, G.14.8, G.14.9, G.14.10, G.14.11, G.14.12, G.15.5, G.15.7, G.15.8, G.16.8, G.16.9, G.16.10, G.15.9, G.17.5, G.17.7, G.17.8, G.17.6, G.17.9, G.18.2, G.18.3, G.18.5, G.18.6, G.19.2.6, G.19.3.1, G.9.6.2, G.9.6.3, G.9.6.4, G.9.19, H.2.16, H.3.3, J.1, J.2, L.5, L.9, L.10 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-14 | COBIT 4.1 DS5.5, DS5.6, DS9.2 | COBIT 5.0 APO13.01, APO13.02, BAI10.01, BAI10.02, BAI10.03, DSS01.03, DSS02.01, DSS05.07, DSS06.05 | COPPA 312.3, 312.8 and 312.10 | CSA Enterprise Architecture BOSS > Security Monitoring Services > SIEM | shared x | CSA Guidance V3.0 Domain 10 | ENISA IAF 6.03. (i), 6.03. (j), 6.03.03. (a), 6.03.03. (d), 6.03.04. (e), 6.04.07. (a), 6.07.01. (a), 6.07.01. (c) | EU Directive 95/46/EC Article 17 | FedRAMP Low NIST SP 800-53 R3 AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-9, AU-11, AU-12, PE-2, PE-3 | FedRAMP Moderate NIST SP 800-53 R3 AU-1, AU-2, AU-2 (3), AU-2 (4), AU-3, AU-3 (1), AU-4, AU-5, AU-6, AU-6 (1), AU-6 (3), AU-7, AU-7 (1), AU-9, AU-11, AU-12, PE-2, PE-3, SI-4, SI-4 (2), SI-4 (4), SI-4 (5), SI-4 (6), SC-18 | GAPP 8.2.1, 8.2.2 | HIPAA / HITECH 45 CFR 164.308 (a)(1)(ii)(D), 45 CFR 164.312 (b), 45 CFR 164.308(a)(5)(ii)(C) | ISO/IEC 27001-2005 A.10.10.1, A.10.10.2, A.10.10.3, A.10.10.4, A.10.10.5, A.11.2.2, A.11.5.4, A.11.6.1, A.13.1.1, A.13.2.3, A.15.2.2, A.15.1.3 | ISO/IEC 27001-2013 A.12.4.1, A.12.4.2, A.12.4.3, A.9.2.3, A.9.4.4, A.9.4.1, A.16.1.2, A.16.1.7, A.18.2.3, A.18.1.3 | Jericho Forum Commandment #6, #7, #11 | NERC CIP CIP-007-3 - R6.5 | NIST SP800-53 R3 AU-1, AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, AU-11, AU-12, AU-14, SI-4 | NZISM 17.6 | ODCA PA11 BSGP, PA12 SGP, PA13 SGP, PA24 P | PCI DSS v2.0 10.1, 10.2, 10.3, 10.5, 10.6, 10.7, 11.4, 12.5.2, 12.9.5 | PCI DSS v3.0 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 11.4, 11.5, 11.6, 12.5.2
ServiceNow rating: Compliant
ServiceNow public explanation: Logs exist at two levels within ServiceNow:
1) Infrastructure Logs: Infrastructure logs are collected from the environment used to support ServiceNow. ServiceNow collects, protects and monitors these logs through its SIEM system.
2) Application Logs: Application logs collect information from the application and are unique to an individual instance. Customers have full access to application log files and are able to download these log files from the application. Events such as user login, failed user logins and privilege escalation are logged and can be fed via a syslog connector into a customer's environment. Transaction-level logs capture every click, view and action within the system. Customers can download the transaction log files, which due to their detail are rolled over every 21 days. The transaction log files and all other logging within ServiceNow can be searched within ServiceNow. Details of logging can be found at wiki.service-now.com
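The IVS-01 specification asks for logs that give unique user accountability and support detection of suspicious behaviour, and the ServiceNow response says login, failed-login and privilege-escalation events can be fed over syslog into the customer's own environment. What the customer does on the receiving end is left open. The following is an added example, not ServiceNow code and not the format of the ServiceNow syslog connector: it parses a constructed batch of RFC 5424-style lines with a key=value body, orders them by timestamp (so it depends on the synchronized clocks IVS-03 requires), and applies three checks that map directly onto the control text: a burst of failed logins for one account, any grant of an admin role, and events that carry no user attribute and therefore break accountability. The line format, host names, field names and thresholds are all assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input (not a real ServiceNow export).  RFC 5424 framing,
# key=value body.  The 7th line has no user field, the 8th is out of order,
# the 9th is a role grant, the last is not syslog at all.
SAMPLE_LOG = """\
<134>1 2024-03-01T10:00:01Z app01 audit - - - event=login user=alice src=10.0.0.5 result=success
<134>1 2024-03-01T10:00:07Z app01 audit - - - event=login user=bob src=203.0.113.9 result=failure
<134>1 2024-03-01T10:00:09Z app01 audit - - - event=login user=bob src=203.0.113.9 result=failure
<134>1 2024-03-01T10:00:12Z app01 audit - - - event=login user=bob src=203.0.113.9 result=failure
<134>1 2024-03-01T10:00:15Z app01 audit - - - event=login user=bob src=203.0.113.9 result=failure
<134>1 2024-03-01T10:00:30Z app01 audit - - - event=login user=bob src=203.0.113.9 result=failure
<134>1 2024-03-01T10:01:00Z app01 audit - - - event=login src=10.0.0.7 result=success
<134>1 2024-03-01T10:00:40Z app01 audit - - - event=login user=carol src=10.0.0.8 result=failure
<134>1 2024-03-01T10:02:00Z app01 audit - - - event=role_change user=bob actor=bob role=admin
this line is not syslog at all
"""

# PRI, version 1, timestamp, hostname, app-name, procid, msgid, structured-data, message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict[str, str]


def parse_line(line: str) -> Event | None:
    """Return an Event, or None for a line that does not match the framing."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["msg"].split() if "=" in kv)
    return Event(ts, m["host"], fields)


def parse_log(text: str) -> tuple[list[Event], int]:
    """Parse all lines; return (events sorted by timestamp, count of unparseable lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            bad += 1          # count rather than drop silently: a forwarder gap is itself a finding
        else:
            events.append(ev)
    events.sort(key=lambda e: e.ts)   # syslog delivery order is not event order
    return events, bad


def detect(events: list[Event], fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=1)) -> list[tuple[str, str, str]]:
    """Return (rule, subject, detail) findings for the three IVS-01-relevant checks."""
    findings: list[tuple[str, str, str]] = []
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        user = ev.fields.get("user")
        kind = ev.fields.get("event")
        if user is None:
            # Accountability check: every security event must name a principal.
            findings.append(("no_user_accountability", ev.host,
                             f"{kind} at {ev.ts.isoformat()} has no user attribute"))
            continue
        if kind == "login" and ev.fields.get("result") == "failure":
            stamps = [t for t in recent_failures[user] if ev.ts - t <= window] + [ev.ts]
            if len(stamps) >= fail_threshold:
                findings.append(("failed_login_burst", user,
                                 f"{len(stamps)} failures within {window} from {ev.fields.get('src')}"))
                stamps = []       # one finding per burst, then start counting again
            recent_failures[user] = stamps
        if kind == "role_change" and ev.fields.get("role") == "admin":
            findings.append(("privilege_escalation", user,
                             f"granted admin by {ev.fields.get('actor')}"))
    return findings


if __name__ == "__main__":
    evs, unparsed = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} events parsed, {unparsed} unparseable line(s)")
    for rule, subject, detail in detect(evs):
        print(f"{rule:24} {subject:8} {detail}")
```

Two points the example is built around: the sort step only produces a correct timeline if every source clock is synchronized (IVS-03), and the unparseable-line count matters because a broken forwarder looks identical to a quiet system unless you count what failed to parse.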

IVS-02 Infrastructure & Virtualization Security: Change Detection
Control specification: The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g. dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g. portals or alerts).
Mappings: COBIT 5.0 APO08.04, APO13.01, BAI06.01, BAI06.02, BAI10.03, BAI10.04 | CSA Enterprise Architecture SRM > Privilege Management Infrastructure > Privileged Usage Management -> Hypervisor Governance and Compliance | ISO/IEC 27001-2013 Annex A.12.1.2, A.12.4, A.12.4.1, A.12.4.2, A.12.4.3, A.12.6.1, A.12.6.2 | ODCA PA35 GP | PCI DSS v3.0 10.5.5, 12.10.5
ServiceNow rating: Not Applicable
ServiceNow public explanation: ServiceNow does not use hypervisor based virtualization for customer services.
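ServiceNow marks IVS-02 not applicable, but the control itself describes a concrete mechanism: keep a trusted integrity baseline for every image, re-validate regardless of whether the image is running, dormant or off, and publish each change as a logged alert the customer can see. The block below is an added example of that mechanism, not ServiceNow code and not any vendor's product. It hashes image files with SHA-256, diffs the result against a baseline, classifies each difference as modified, added or removed together with the inventory state of the image, and serializes the alerts as the JSON a portal or alert channel would publish. The `*.img` naming, the inventory-state dictionary and the `demo()` scenario are assumptions constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class ImageAlert:
    image: str
    state: str            # running / dormant / off / unknown, as reported by the inventory
    change: str           # modified / added / removed
    expected: str | None  # baseline SHA-256, None if the image was not in the baseline
    observed: str | None  # current SHA-256, None if the image is gone
    at: str               # ISO 8601 UTC timestamp of the validation run


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(image_dir: Path) -> dict[str, str]:
    """Map image name -> SHA-256.  Store the result out of band, not next to the images."""
    return {p.name: sha256_file(p) for p in sorted(image_dir.glob("*.img"))}


def verify_images(image_dir: Path, baseline: dict[str, str],
                  inventory_state: dict[str, str],
                  now: datetime | None = None) -> list[ImageAlert]:
    """Re-hash every image and report every deviation from the baseline.

    The inventory state is attached to the alert but never used to skip a check:
    the control requires validation regardless of running state.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    observed = build_baseline(image_dir)
    alerts: list[ImageAlert] = []
    for name in sorted(set(baseline) | set(observed)):
        expected, current = baseline.get(name), observed.get(name)
        if expected == current:
            continue
        change = "removed" if current is None else "added" if expected is None else "modified"
        alerts.append(ImageAlert(name, inventory_state.get(name, "unknown"),
                                 change, expected, current, stamp))
    return alerts


def customer_feed(alerts: list[ImageAlert]) -> str:
    """What a portal or alert channel would publish to the customer."""
    return json.dumps([asdict(a) for a in alerts], indent=1)


def demo() -> list[ImageAlert]:
    """Constructed scenario: three baselined images; one dormant image is tampered
    with, one off image is deleted, and an unbaselined image appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "web.img").write_bytes(b"\x00" * 4096)   # placeholder image contents
        (root / "db.img").write_bytes(b"\x01" * 4096)
        (root / "old.img").write_bytes(b"\x02" * 4096)
        baseline = build_baseline(root)

        with (root / "db.img").open("r+b") as f:       # single-byte tamper inside a dormant image
            f.seek(1024)
            f.write(b"\xff")
        (root / "old.img").unlink()                       # an off image disappears
        (root / "rogue.img").write_bytes(b"\x03" * 16)   # an image nobody baselined

        state = {"web.img": "running", "db.img": "dormant", "old.img": "off"}
        return verify_images(root, baseline, state,
                             now=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(customer_feed(demo()))
```

The baseline must live somewhere the party who can alter images cannot also alter; a hash list stored beside the images on the same hypervisor datastore gives no assurance. Hashing whole images is also only a detection control: it tells you an image changed, not what changed, so the alert should link to the change log the control requires.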
IVS-03 Infrastructure & Virtualization Security: Clock Synchronization
Control specification: A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
Applicability flags (as extracted): X X X X X X X
Mappings: AICPA 2009 TSC S3.7 | Trust Service Criteria (S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents. | AICPA 2014 TSC CC6.2 | BITS AUP v5.0 G.7, G.8 | BITS SIG v6.0 G.13, G.14.8, G.15.5, G.16.8, G.17.6, G.18.3, G.19.2.6, G.19.3.1 | BSI Germany 20 (B), 28 (B), 30 (B), 35 (B) | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-12 | COBIT 4.1 DS5.7 | COBIT 5.0 APO01.08, APO13.01, APO13.02, BAI03.05, DSS01.01 | COPPA 312.8 and 312.10 | CSA Enterprise Architecture Infra Services > Network Se | provider x | CSA Guidance V3.0 Domain 10 | ENISA IAF 6.03. (k) | PCI DSS v2.0 10.4 | PCI DSS v3.0 10.4
ServiceNow rating: Compliant
ServiceNow public explanation: ServiceNow has an NTP configuration that conforms to this control.
IVS-04 | Applicability: X X X X X X X X X | BITS AUP v5.0 G.5 | CCM V1.X OP-03 | COBIT 4.1 DS 3 | COPPA 312.8 and 3 | provider x | CSA Guidance Domain 7, 8 | EU Directive Article 17 (1) | FedRAMP Low NIST SP 800-53 R3 SA-4 | GAPP 1.2.4 | ISO/IEC 27001-2005 A.10.3.1 | ISO/IEC 27001-2013 A.12.1.3 | NIST SP800-53 R3 SA-4 | NZISM 3.3 | ODCA PA16 SGP | Rating: Compliant

IVS-05 | Applicability: X X X X X | -- | provider x | CSA Guidance Domain 1, 13 | ODCA PA36 | 6.1 | Rating: Not Applicable | Explanation: ServiceNow does not use hypervisor based virtualization for customer services.

IVS-06 | Applicability: X X X X X X X X X X X | AICPA 2009 TSC S3.4 | AICPA 2014 TSC CC5.6 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-08 | provider x | CSA Guidance Domain 10 | EU Directive Article 17 | GAPP 8.2.5 | NERC CIP CIP-004-3 R2.2.4 | NIST SP800-53 R3 SC-7 | Rating: Compliant

IVS-07 | Applicability: X X X X X X X | -- | shared x | CSA Guidance Domain 1, 13 | Rating: Compliant

IVS-08 | Applicability: X X X X X X X X X X | AICPA 2009 TSC S3.4 | AICPA 2014 TSC CC5.6 | BITS AUP v5.0 B.1 | BSI Germany 22 (B) | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-06 | COBIT 4.1 DS5.7 | shared x | CSA Guidance Domain 10 | ENISA IAF 6.03. (d) | FedRAMP Low NIST SP 800-53 R3 SC-2 | GAPP 1.2.6 | NIST SP800-53 R3 SC-2 | NZISM 14.5 | ODCA PA3 BSGP | Rating: Compliant

IVS-09 | Applicability: X X X X X X X X X X X | AICPA 2009 TSC S3.4 | AICPA 2014 TSC CC5.6 | BITS AUP v5.0 G.17 | BITS SIG v6.0 G.9.2, G.9.3, G.9.13 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-09 | COBIT 4.1 DS5.10 | provider x | CSA Guidance Domain 10 | EU Directive Article 17 | FedRAMP Low NIST SP 800-53 R3 SC-7 | HIPAA / HITECH 45 CFR 164.308 (a)(4)(ii)(A) | NERC CIP CIP-004-3 R3 | Rating: Not Applicable | Explanation: ServiceNow has a multitier application with a single tenant database architecture.

IVS-10 | Applicability: X X X X X | -- | provider X | CSA Guidance Domain 1, 13 | 4.1 | Rating: Not Applicable | Explanation: No hypervisor based virtualization is used.

IVS-11 | Applicability: X X X X X X X X X X | -- | provider X | CSA Guidance Domain 1, 13 | 3.5.1, 3.6.6 | Rating: Not Applicable | Explanation: No hypervisor based virtualization is used.

IVS-12 | Applicability: X X X X X X X X X X X X | AICPA 2009 TSC S3.4 | AICPA 2014 TSC CC5.6 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X SA-10 | provider X | CSA Guidance Domain 10 | EU Directive Article 17 | GAPP 8.2.5 | Rating: Compliant

IVS-13 | Rating: Compliant

IPY-01 | Applicability: X X X X X X X X X | -- | provider X | CSA Guidance Domain 6 | Rating: Compliant

IPY-02 | Applicability: X X X X X X X X X | -- | provider | CSA Guidance Domain 6 | Rating: Compliant

IPY-03 | Applicability: X X X X X X X X X X X X | -- | provider | CSA Guidance Domain 3 | Rating: Compliant

IPY-04 | Applicability: X X X X X X | -- | provider x | CSA Guidance Domain 6 | 4.1 | Rating: Compliant

IPY-05 | Applicability: X X X X X X X X X | -- | provider X | CSA Guidance Domain 6 | Rating: Not Applicable | Explanation: No hypervisor based virtualization is used.

MOS-01 | Applicability: X X X X X X | -- | provider X | Rating: Compliant

MOS-02 | Applicability: X X X X X X | -- | provider X | 4.1.1 | Rating: Not Applicable

MOS-03 | Applicability: X X X X X X | -- | provider X | Rating: Partially Compliant

MOS-04 | Applicability: X X X X X X X | -- | provider X | Rating: Partially Compliant

MOS-05 | Applicability: X X X X X X X | -- | provider X | 4.3 | Rating: Partially Compliant

MOS-06 | Applicability: X X X X X X X | -- | provider X | Rating: Compliant

MOS-07 | Applicability: X X X X X X | -- | provider X | Rating: Partially Compliant | Explanation: ServiceNow has this capability for laptops.

MOS-08 | Applicability: X X X X X X | -- | provider X | Rating: Compliant

MOS-09 | Applicability: X X X X X X | -- | provider X | Rating: Not Applicable

MOS-10 | Applicability: X X X X X X X X X X X | -- | provider X | Rating: Compliant | Explanation: ServiceNow uses a commercial mobile device solution.

MOS-11 | Applicability: X X X X X X | -- | provider X | ODCA PA32 BSGP | 4.1 | Rating: Compliant

MOS-12 | Applicability: X X X X X X X X X X X | -- | provider X | Rating: Not Compliant

MOS-13 | Applicability: X X X X X X X X X | -- | shared X | Rating: Not Compliant

MOS-14 | Applicability: X X X X X X X X | -- | shared X | Rating: Compliant

MOS-15 | Applicability: X X X X X X X X X | -- | shared X | Rating: Not Compliant | Explanation: ServiceNow does not manage patch updates on mobile devices.

MOS-16 | Applicability: X X X X X X X X | -- | shared X | Rating: Compliant | Explanation: ServiceNow forces PINs or passwords on all mobile devices.

MOS-17 | Applicability: X X X X X X X X X | -- | shared X | Rating: Partially Compliant

MOS-18 | Applicability: X X X X X X X X X | -- | shared X | ODCA PA34 SGP | Rating: Partially Compliant

MOS-19 | Applicability: X X X X X X X | -- | shared X | Rating: Not Compliant | Explanation: ServiceNow does not manage patch updates on mobile devices.

MOS-20 | Applicability: X X X X X X X | -- | shared X | Rating: Not Compliant | Explanation: Access to ServiceNow infrastructure is not permitted from BYODs.

SEF-01 | Applicability: X X X X X X X X X X X X | AICPA 2014 TSC CC3.3 | BITS AUP v5.0 L1 | CCM V1.X CO-04 | COBIT 4.1 ME 3.1 | COPPA 312.4 | shared x | CSA Guidance Domain 2, 4 | NERC CIP CIP-001-1a R3 - R4 | 3.2 | Rating: Partially Compliant

SEF-02 | Applicability: X X X X X X X X X X X X | BITS AUP v5.0 J.1 | BITS SIG v6.0 J.1.1, J.1.2 | BSI Germany 46 (B) | CCM V1.X IS-22 | COBIT 4.1 DS5.6 | shared x | CSA Guidance Domain 2 | EU Directive Article 17 | Mexico Federal Law Chapter II, Article 20 | ODCA BSGP | 12.1 | Rating: Compliant

SEF-03 | Applicability: X X X X X X X X X X X X | BITS SIG v6.0 J.1.1, E.4 | Canada PIPEDA Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3 | CCM V1.X IS-23 | COBIT 4.1 DS5.6 | shared x | CSA Guidance Domain 2 | ENISA IAF 6.07.01. (a) | EU Directive Article 17 | Mexico Federal Law Chapter II, Article 20 | NZISM 7.2 | ODCA PA8 BSGP | 12.10.1 | Rating: Compliant

SEF-04 | Applicability: X X X X X X X X X X X X | BITS SIG v6.0 J.1.1, J.1.2, E.4 | CCM V1.X IS-24 | COBIT 4.1 DS5.6 | shared x | CSA Guidance Domain 2 | GAPP 1.2.7 | HIPAA / HITECH 45 CFR 164.308 (a)(6)(ii) | NERC CIP CIP-004-3 R3.3 | NZISM 7.3 | ODCA PA11 BSGP | Rating: Partially Compliant

SEF-05 | Applicability: X X X X X X X X X X X X | BITS SIG v6.0 J.1.2 | BSI Germany 47 (B) | CCM V1.X IS-25 | COBIT 4.1 DS 4.9 | COBIT 5.0 DSS04.07 | shared x | CSA Guidance Domain 2 | HIPAA / HITECH 45 CFR 164.308 (a)(1)(ii)(D) | ISO/IEC 27001-2005 A.13.2.2 | ISO/IEC 27001-2013 A.16.1.6 | NERC CIP CIP-008-3 - R1.1 | ODCA PA11 BSGP | 12.9.6 | Rating: Compliant

STA-01 | -- | provider X | CSA Guidance Domain 2 | Rating: Not Applicable and Compliant

STA-02 | -- | provider | CSA Guidance Domain 2 | Rating: Compliant

STA-03 | Applicability: X X X X X X X X X X X X | AICPA 2009 TSC C2.2.0 | BITS AUP v5.0 C.2 | BITS SIG v6.0 C.2.6, G.9.9 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X IS-31 | COBIT 4.1 DS5.10 | COPPA 312.8 and 3 | provider x | CSA Guidance Domain 2 | EU Directive Article 17 | NZISM 17.1 | Rating: Not Applicable

STA-04 | Applicability: X X X X X X X X X X X | -- | provider x | CSA Guidance Domain 2 | 12.1.1 | Rating: Compliant

STA-05 | Applicability: X X X X X X X X X X X X | BITS AUP v5.0 C.2 | BITS SIG v6.0 C.2.4, C.2.6, G.4.1, G.16.3 | Canada PIPEDA Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3 | CCM V1.X LG-02 | COBIT 4.1 DS5.11 | shared x | CSA Guidance Domain 3 | EU Directive Article 17 (3) | GAPP 1.2.5 | Rating: Compliant

STA-06 | Applicability: X X X X X X X X X X X | -- | provider x | CSA Guidance Domain 2 | 12.8.4 | Rating: Compliant

STA-07 | Applicability: X X X X X X X X X X X | BSI Germany 51 (B) | -- | CSA Enterprise Architecture ITOS > Service Delivery > Service | provider x | CSA Guidance Domain 3 | Rating: Compliant

STA-08 | Applicability: X X X X X X X X X X X | -- | provider x | CSA Guidance Domain 2 | Rating: Compliant

STA-09 | Applicability: X X X X X X X X X X X | BITS AUP v5.0 C.2 | CCM V1.X CO-03 | shared x | CSA Guidance Domain 2, 4 | EU Directive Article 17(2) | 5.4 | Rating: Compliant


TVM-01 | Applicability: X X X X X X X X X | AICPA 2009 TSC S3.5.0 | AICPA 2014 TSC CC5.8 | BITS AUP v5.0 G.7 | BSI Germany 17 (B) | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X IS-21 | COBIT 4.1 DS5.9 | shared x | CSA Guidance Domain 2 | ENISA IAF 6.03. (f) | EU Directive Article 17 | GAPP 8.2.2 | HIPAA / HITECH 45 CFR 164.308 (a)(5)(ii)(B) | ISO/IEC 27001-2005 A.10.4.1 | ISO/IEC 27001-2013 A.12.2.1 | NERC CIP CIP-007-3 - R4 - R4.1 - R4.2 | ODCA PA1 BSGP | 1.4, 5.0 | Rating: Partially Compliant

TVM-02 | Applicability: X X X X X X X X X | AICPA 2009 TSC S3.10.0 | AICPA 2014 TSC CC7.1 | BITS AUP v5.0 I.4 | BITS SIG v6.0 G.15.2, I.3 | Canada PIPEDA Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | CCM V1.X IS-20 | shared x | CSA Guidance Domain 2 | EU Directive Article 17 | ODCA BSGP | Rating: Compliant

TVM-03 | Applicability: X X X X X X X X X | BITS SIG v6.0 G.20.12, I.2.5 | CCM V1.X SA-15 | shared x | CSA Guidance Domain 10 | ENISA IAF 6.03. (g) | EU Directive Article 17 | ISO/IEC 27001-2013 A.12.2.1 | NIST SP800-53 R3 SC-18 | Rating: Compliant
