ServiceNow Security Best Practices Guide v1

WHITE PAPER
Key considerations for securing your instance

Table of Contents
  Introduction (page 3)
  Overall security responsibilities (page 3)
  Certifications and accreditations (page 4)
  Securing your ServiceNow instance (page 4)
    Security contact details (page 4)
    ServiceNow High Security plugin (page 4)
    Instance hardening (page 4)
    Email security (page 5)
    Logging and monitoring (page 6)
    Access control (page 8)
    MID server security (page 10)
    Encryption (page 11)
    Software updates (page 13)
    Mobile application security (page 14)
    Vulnerability assessment and penetration testing (page 14)
  Summary (page 15)
  Additional Resources (page 16)
  Appendix A: Additional critical security settings (page 16)
Introduction

This document gives guidance on some of the main areas which should be considered when securing your ServiceNow instance under the shared security model. Please note that all information in this eBook relates to the standard Now Platform commercial environment. For information on ServiceNow's in-country cloud offerings around the globe and how they may differ, please contact your ServiceNow account representative.

This document refers to resources found in the ServiceNow CORE Compliance Portal. Find out how to access CORE here.

Overall security responsibilities

Security is a partnership between the provider and customer, both with specific responsibilities. ServiceNow provides its customers with extensive capabilities to configure their instances to meet their own security policies and requirements. However, overall security responsibilities are shared between customers, ServiceNow, and the data center provider. The areas of responsibility are shown in the table below. For more information about security responsibilities with respect to customer data, please review Safeguarding Your Data and the Shared Responsibility Model overview.

Responsible parties: Customer; ServiceNow; Colocation (data center providers). The right-hand column gives how many of the three parties the original table marks as responsible for each area (the column positions of the individual marks are not recoverable from this copy).

  Area of responsibility                            Parties marked
  Secure configuration of instance                  1
  Authentication and authorization                  1
  Data management (classification and retention)    1
  Data encryption at rest                           1
  Data encryption in flight                         2
  Encryption key management                         2
  Security logging and monitoring                   2
  Secure SDLC processes                             2
  Penetration testing                               2
  Vulnerability management                          2
  Privacy                                           2
  Compliance: regulatory and legal                  3 (all)
  Employee vetting or screening                     3 (all)
  Physical security and environment controls        2
  Cloud infrastructure security management          1
  Infrastructure management                         1
  Media disposal and destruction                    1
  Backup and restore                                1
  Business continuity and disaster recovery         1
Certifications and accreditations

ServiceNow provides highly resilient and secure cloud-based services to customers all over the world. The security of the infrastructure and data is paramount, a foundational requirement. This must be demonstrated consistently, both to maintain customer trust and for regulatory and compliance reasons. ServiceNow maintains accreditation with many common standards. A full list of ServiceNow's security-related certifications is publicly available on the Compliance page of the ServiceNow Trust site. They include the ISO 27001 series (27017, 27018, and 27701), as well as other global, regional, and industry-specific certifications such as FedRAMP.

Securing your ServiceNow instance

There are several topics to consider when securing a ServiceNow instance. Some of these are configuration parameters within the product, and others relate to your own infrastructure and technologies and how they are integrated.

Best Practice: If you make any configuration changes to your instance based on the information provided, we strongly recommend that you first test those changes on a non-production instance.

Security contact details

The ServiceNow Security Office (SSO) occasionally needs to relay security-related information directly to appropriate Information Security contacts within your organization. This could be to inform you of security issues, alerts, or details of important software updates. The security contact record within your customer account (located in Now Support) should be completed as soon as possible with details of at least two appropriate information security personnel. These contacts should be capable of understanding and acting on the information they receive, since it may be critically important.

Best Practice: Make sure the security contact details are accurate and always kept up to date, bearing in mind personnel and process changes within your organization.
ServiceNow High Security plugin

To help you secure your instance easily and efficiently, we provide the High Security plugin (HSP). This is a tool for enhancing security management and applying appropriate settings. The plugin enables High Security Settings, and the resulting actions include centralizing critical security settings, creating a distinct security administrator role, a default deny property, and others. The HSP is a simple and effective way of enhancing your instance's security.

Automatic activation: since it is such a powerful way of increasing security, the HSP is installed and enabled by default on all new instances. Older releases may require this to be explicitly activated.

Manual activation: you can request activation for older instances that do not have high security settings enabled by default (including those that have been upgraded from an older version). However, this should not be done without careful testing in a non-production environment, because activation will change some fundamental properties and behaviors.

Default deny property: if high security settings are enabled, you can choose to set a default deny posture, which prevents read, write, create, and delete for all tables unless explicit permission is given for a user or role in an ACL rule. See the Access controls section later in this document for more details on authorization and ACLs.

Self-privilege elevation: users with Security Admin privileges can elevate themselves when they need to perform operations requiring a higher privilege level. This action modifies ServiceNow system logs to be read-only and allows for controls to authorize access to properties.

Best Practice: Ensure that the High Security plugin is installed and activated where possible, and enable the 'default deny' property.
Instance hardening

To make your instance as secure and resistant to unauthorized access as possible, you will need to examine configuration, coding practices, and wider aspects of the deployment such as integrations or policies.

Guidance

The Instance Security Hardening Settings content describes ways to make your instance more secure and resistant to malicious intrusion. It also provides details of which settings and configurations must be applied (mandatory) and which should be applied where possible (recommended). Some of these settings require an understanding of your usage context, which is why they are not enabled by default. The Instance Security Center described below can greatly assist with assessing and working towards compliance with the Instance Security Hardening Settings.

Instance Security Center (ISC)

We provide the Instance Security Center to help you understand your instance's security posture, letting you evaluate and harden specific security settings, monitor activity, and identify any areas for improvement. This displays security activity and configuration in a simple overview. We have produced some additional resources on how to work with ISC. The dashboard includes statistics, trends, and an overall Compliance Score representing the level of correlation with the settings in the Instance Hardening Guide. This score can be refreshed at any time by users with an admin role.

Best Practices:
  - Consult the Instance Security Center frequently to assess and monitor your instance's overall security level.
  - Use the Hardening tile to research, test, and identify areas of noncompliance in a sub-production instance to assess the impact on your environment.
  - Ideally, the score should be as close to 100% as possible, with a minimum score of 83%, without affecting product functionality.
  - Enable the weekly digest notification to alert you to potential issues.
  - Refer your ServiceNow developers to the Secure Coding Guide and ensure they follow the practices outlined within.

Email security

The Now Platform provides multiple capabilities for email security. These include controlling which inbound messages are accepted and from whom, encrypting the transmission of outbound messages, and scanning the contents of any attachments for malicious content.
You can choose which of these to enable as appropriate to enforce your security policy.

Anti-malware and SPAM filtering

Malware scanning is performed by ServiceNow Antivirus Protection. If a malicious email or attachment is detected, it is stored within an email quarantine area in your instance for inspection by your security personnel. Additionally, all email inbound to the Now Platform is analyzed for malware and SPAM scoring, and the results are reflected in x-headers added to the messages. You can use these as criteria for the Email Filters plugin to act on if desired.

Email domain restriction

You can control the domains and users your instance can send email to and receive from by using system address filters. These can be customized to your requirements. Your organization may control inbound email with anti-spam technology using Sender Policy Framework (SPF). If so, your email systems need to accept email originating from your ServiceNow instance. This is best achieved by configuring them to dynamically query the ServiceNow SPF records. If SPF is not an option, another approach is to add the ServiceNow mail server IP addresses to your 'allow' list, but this needs to be monitored as the addresses could be subject to change.

Automatic user account creation

This feature allows user accounts to be created dynamically by email, so it should be used with care. Only activate it if necessary for your use case, and ensure that you define a list of trusted domains from which accounts can be created. You can control how passwords are assigned to new accounts created this way.

Monitoring

You can monitor email and anti-malware activity in the ISC to highlight potential issues and to guide any corrective actions you may need to take.
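The following Python is an added example, not code from the white paper or from ServiceNow, illustrating why the guide prefers querying SPF records dynamically over copying mail server addresses into a static allow list. It evaluates a simplified SPF record for a sender address against a constructed in-memory DNS table; the domain names and addresses are made up, and only the ip4:, include: and -all/~all terms are handled.

```python
"""Evaluate a simplified SPF policy for a sender IP (added example).

A real implementation follows RFC 7208; this covers just enough of the
syntax to contrast a dynamically resolved `include:` with a static ip4 list.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: hypothetical zones and addresses.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all",
}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF TXT record for `domain`, or None if it has none."""
    record = dns.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Return 'pass', 'fail', 'neutral', 'none' or 'permerror' for the sender."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # include: matches only when the referenced policy passes
            if check_spf(ip, term[8:], dns, depth + 1) == "pass":
                return "pass"
        elif term in ("-all", "~all"):
            return "fail"
    return "neutral"


def compare_after_change(ip):
    """Show drift: the vendor moves to a new range, the include: still passes,
    but a static copy of the vendor's old addresses now rejects the mail."""
    updated = dict(FAKE_DNS)
    updated["_spf.vendor.example"] = "v=spf1 ip4:192.0.2.0/24 -all"
    dynamic = check_spf(ip, "example.com", updated)
    static_dns = {"example.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all"}
    static = check_spf(ip, "example.com", static_dns)
    return dynamic, static
```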
Encryption

Your instance has a built-in feature allowing it to send and receive email using opportunistic TLS. If your email server accepts TLS, messages will be transferred over an encrypted session using TLS 1.2. This greatly enhances the privacy and integrity of messages as they traverse the internet. ServiceNow also supports the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard. S/MIME is an end-to-end encryption protocol for sending digitally signed and encrypted emails that supports data confidentiality, authenticity, and integrity.

Best Practice: Use the email filters feature set to deal with suspect inbound messages, and limit accepted sender domains. Ensure automatic account creation is configured securely, or disabled if not needed. Ideally, you should configure your email systems to accept mail from your instance by using SPF. If you already have a mature email security environment, consider using your own (or third-party) infrastructure to send and receive instance-related email and benefit from more precise perimeter email control.

Logging and monitoring

Your ServiceNow instance performs detailed logging about various aspects of its operation. These logs are stored within the instance itself and benefit from the same level of security as other data in the instance. This means application logs cannot be inspected by ServiceNow without your permission. Logs are a valuable source of security information that help highlight suspicious or malicious activity, so it is essential that they are adequately monitored. You can feed selected log activity to your SIEM (or any syslog server) using the syslog probe. The syslog probe is enabled via a management, instrumentation, and discovery (MID) server deployed in your network. Options are also available for direct customer SIEM integration which facilitate real-time logging as part of the Vault security bundle. The Instance Security Center can also provide valuable insights.
There is more information about this in the Instance Hardening section of this document.

Event logs

Event logs reveal much about system activity, including login events (successful or otherwise) and privilege escalation.

System logs

System logs contain extensive information about general activity, including configuration changes, system errors, workflows, and inbound/outbound data connections.

Audit logs

The Event and System logs can also be used to provide an audit trail of any activity by ServiceNow personnel.

Transaction logs

These logs record all web-browser related activity for an instance and can provide details of every request made. Transaction logs can be very useful for identifying unusual or malicious activity.

Table auditing and record history

You can enable auditing for database tables. Record history is perpetual and allows you to track and view details of any changes made to the data since creation. By default, only the incident, problem, and change tables are tracked. For other tables,
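As an added example of the monitoring the section calls for, the Python below runs simple detection logic over constructed event log lines of the kind a syslog probe might forward to a SIEM: it flags a burst of failed logins for one user and a privilege elevation that follows it. The line format, event names, users and addresses are made up for this demo and are not the Now Platform's actual log format; adapt the parser to your own feed.

```python
"""Flag failed-login bursts and follow-on privilege elevation (added example).

The log format below is constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2023-10-30T10:00:01Z event=login.failed user=jdoe src=203.0.113.5
2023-10-30T10:00:12Z event=login.failed user=jdoe src=203.0.113.5
2023-10-30T10:00:25Z event=login.failed user=jdoe src=203.0.113.5
2023-10-30T10:00:40Z event=login.failed user=jdoe src=203.0.113.5
2023-10-30T10:00:51Z event=login.failed user=jdoe src=203.0.113.5
2023-10-30T10:01:03Z event=login.success user=jdoe src=203.0.113.5
2023-10-30T10:02:10Z event=role.elevated user=jdoe role=security_admin
2023-10-30T10:30:00Z event=login.failed user=asmith src=198.51.100.9
2023-10-30T11:15:00Z event=login.success user=asmith src=198.51.100.9
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_alerts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alert strings for (a) at least `threshold` failed logins by one
    user inside `window` and (b) a privilege elevation by a user who
    already triggered (a)."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    burst_users = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        user = ev.get("user", "?")
        if ev["event"] == "login.failed":
            recent = [t for t in failures[user] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[user] = recent
            if len(recent) >= threshold and user not in burst_users:
                burst_users.add(user)
                alerts.append(f"{user}: {len(recent)} failed logins within "
                              f"{window} from {ev.get('src')}")
        elif ev["event"] == "role.elevated" and user in burst_users:
            alerts.append(f"{user}: elevated to {ev.get('role')} "
                          f"shortly after a failed-login burst")
    return alerts
```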