ServiceNow Security Best Practices Guide v1.19

WHITE PAPER 3 WHITE PAPER Introduction This document gives guidance on some of the main areas which should be considered when securing your ServiceNow instance under the shared security model. Please note, all information in this eBook is related to the standard Now Platform commercial environment. For information related to ServiceNow’s in-country cloud offerings around the globe and how they may differ, please contact your ServiceNow account representative. This document refers to resources found in the ServiceNow CORE Compliance Portal. Find out how to access CORE here . Overall security responsibilities Security is a partnership between the provider and customer, both with specific responsibilities. ServiceNow provides its customers with extensive capabilities to configure their instances to meet their own security policies and requirements. However, overall security responsibilities are shared between customers, ServiceNow, and the data center provider. The areas of responsibility are shown in the table below. For more information about security responsibilities with respect to customer data, please review Safeguarding Your Data and the Shared Responsibility Model overview . Responsible Party Area of Responsibility Customer ServiceNow Colocation (Data center providers) Secure configuration of instance n Authentication and authorization n Data management (classification and retention) n Data encryption at rest n Data encryption in flight n n Encryption key management n n Security logging and monitoring n n Secure SDLC processes n n Penetration testing n n Vulnerability management n n Privacy n n Compliance: regulatory and legal n n n Employee vetting or screening n n n Physical security and environment controls n n Cloud infrastructure security management n Infrastructure management n Media disposal and destruction n Backup and restore n Business continuity and disaster recovery n

6 WHITE PAPER Encryption Your instance has a built-in feature allowing it to send and receive email using opportunistic TLS. If your email server accepts TLS, messages will be transferred over an encrypted session, using TLS 1.2. This greatly enhances the privacy and integrity of messages as they traverse the internet. ServiceNow also supports the Secure/Multipurpose Internet Mail Extensions (S/MIME) standard. S/MIME is an end-to-end encryption protocol for sending digitally signed and encrypted emails that support data confidentiality, authenticity, and integrity. Best Practice: Use the email filters feature set to deal with suspect inbound messages, and limit accepted sender domains. Ensure automatic account creation is configured securely or disabled if not needed. Ideally, you should configure your email systems to accept mail from your instance by using SPF. If you already have a mature email security environment, consider using your own (or third-party) infrastructure to send and receive instance-related email and benefit from more precise perimeter email control. Logging and monitoring Your ServiceNow instance performs detailed logging about various aspects of its operation. These logs are stored within the instance itself, and benefit from the same level of security as other data in the instance. This means application logs cannot be inspected by ServiceNow without your permission. Logs are a valuable source of security information that help highlight suspicious or malicious activity, so it is essential that they are adequately monitored. You can feed selected log activity to your SIEM (or any syslog server), using the syslog probe . The syslog probe is enabled via a management, instrumentation, and discovery (MID) server deployed in your network. Options are also available for direct customer SIEM integration which facilitate real-time logging as part of the Vault security bundle. The Instance Security Center can also provide valuable insights. There is more information about this in the Instance Hardening section of this document. Event logs Event logs reveal much about system activity, including login events (successful or otherwise), and privilege escalation. System logs System logs contain extensive information about general activity, including configuration changes, system errors, workflows, and inbound/outbound data connections. Audit logs The Event and System logs can also be used to provide an audit trail of any activity by ServiceNow personnel . Transaction logs These logs record all web-browser related activity for an instance and can provide details of every request made. Transaction logs can be very useful for identifying unusual or malicious activity. Table auditing and record history You can enable auditing for database tables . Record history is perpetual and allows you to track and view details of any changes made to the data since creation. By default, only the incident, problem, and change tables are tracked. For other tables, Logs are a valuable source of security information that help highlight suspicious or malicious activity, so it is essential that they are adequately monitored. The Instance Security Center can also provide valuable insights.

9 WHITE PAPER Access via Side Door • If you have problems with, or failure of, your external authentication system, you can use Side Door access which allows users with local accounts to log in. Though we advise against it, it is possible to disable this feature , or to rename the login page. In this case we strongly encourage you to notify Customer Support of the modified name. • When Multi-provider SSO is active, you can make SSO credentials mandatory for the main login page. In this case, Side Door access is still available. • In the event of issues with SSO, Account recovery (ACR) allows designated Administrator accounts to log in while bypassing SSO. If ACR and SSO are active on an instance, additional protections are placed on the main and Side Door login pages. Multi-Factor Authentication • Third-party multi-factor authentication (MFA) can be integrated with your existing SAML IdP to provide additional login security. MFA provides a high level of security because authentication requires something the user knows (the password) as well as something they own (a one-time code produced by a MFA token or mobile phone, or physical attributes e.g. a fingerprint). Users logging into a system with MFA enabled must provide this additional credential along with their username and password. • The Web Authentication integration, allowing physical keys and biometric data such as fingerprints or facial recognition to be used with MFA. • The Now Platform supports direct MFA integration with local accounts, LDAP, and for SSO with SAML, OIDC, or Digest . The expansion of this feature allows conditional, rigorous authentication for e.g. remote users. Adaptive Authentication is a prerequisite for SSO with MFA . • MFA can be enabled for specified users and specified roles , and configured for ease of use, e.g. to exempt recognized devices for a number of hours. We recommend you enable MFA by default for all Admin users. MFA is supported for SSO integration, and ServiceNow offers built in MFA options, as well as email and SMS OTP. • You can view Metrics for MFA use in the Instance Security Center. • You can use Adaptive Authentication to enforce contextual authentication controls to the right users at the right time. Monitoring • We strongly recommend that you monitor the event log for unusual activity such as high numbers of failed logins, especially within short timeframes. Your instance can create incident tickets or trigger workflows (e.g. notify your security response team) automatically when user-defined criteria and thresholds are met. • Use the Session Management tile in the Instance Security Center to view detailed information about all user sessions and lock out any that could present a risk. • Optionally, you can use a data filter to narrow the scope of your data filtration rule to apply only to specific records on a table as well as monitor high privileged users and get notified when new admins are created. Authorization • Once a user has successfully authenticated, access to parts of the instance interface, functions, and the data within it are controlled with Access Control Lists (ACLs) and role-based access control (RBAC). ACLs use the account ID and associated groups to determine what access should be granted to an object, e.g. read, write, delete, create, etc. • Role-based access control rules are ACLs assigned to roles defined within the instance. These might cater to different types of users or various job roles. User accounts and groups are assigned to roles, and permissions are applied to those roles. • To provide an extra level of protection, you may want to limit concurrent sessions for the same account or role. • If the HSP (described earlier), is enabled, you can set a default deny property , which prevents read, write, create, and delete for all tables unless explicit permission is given for a user or role in an ACL rule. • All new instances have the Security Jump Start (ACL Rules) Plugin installed to provide a base level of access security for key system tables. File attachments • You can place access controls on file attachments . Uploads can be restricted by role, file extension, MIME type , or size, to help prevent potentially malicious files being stored and subsequently delivered from your instance. You can also control which file

12 WHITE PAPER or AES 256 cipher suites (SSL is not supported). All HTTP requests are redirected to HTTPS (secure HTTP). The data is decrypted again at the ServiceNow perimeter before being entered into the database. • Outbound email can also be sent over TLS, as described in the email security section of this document. • Edge Encryption enables an on-premises proxy application to encrypt or tokenize specified data with AES 128/256 before transmission to your instance over HTTPS. In this case, data is already encrypted or tokenized when it enters the instance, so your most sensitive data need never leave your premises in a vulnerable form. Since your organization holds the encryption keys , the data cannot be decrypted by anyone without the proper authorization and is always inaccessible to ServiceNow. Data at rest Data stored within an instance, including attachments, can be protected with column-level encryption using AES128, or AES 256. This allows encryption of specified database fields and attachments through use of cryptographic modules (formerly encryption contexts ). • These cryptographic modules provide role-based access control and enable you to decide what is encrypted, select the algorithm used, and supply the encryption key. The key itself is stored within the instance and is protected via ServiceNow’s NIST 800-57 compliant Key Management Framework and is protected by a wrapping mechanism through several other keys stored within the customer instance and the ServiceNow Hardware Security Module (HSM). • Platform Encryption brings together Column Level Encryption Enterprise with the new Cloud Encryption capabilities or Database Encryption. • Column Level Encryption Enterprise is available as an additional licensable feature. This is like the ‘legacy’ column-level encryption, but with multiple additional capabilities, such as API support, system-level access – which enables automated processes and workflows to function on encrypted data – and enhanced key management with the option of customer- supplied keys. It employs Cryptographic Modules in which an encryption key, scheme and policy are combined to allow flexible and granular cryptography for instance data. • ServiceNow’s Key Management Framework (KMF) is the foundation of Column Level Encryption Enterprise. It enables FIPS 140- 2-L3 compliant key storage, Bring Your Own Key (BYOK), improved key management throughout the NIST 800-57 based key lifecycle, and many other benefits, including the ability to transfer keys securely between instances. • Cloud encryption is an additional cost option available with the Platform Encryption bundle. It enables encryption of the database storage volume at rest and ensures compatibility with database technology enhancements that ServiceNow may introduce in the future. Cloud encryption provides protection in the unlikely event of physical disk loss or theft. Cloud encryption also uses the KMF, and therefore also benefits from NIST 800-57 compliant key lifecycle management, including segregation of duties, rotation of ServiceNow-managed keys and the option of customer managed keys (CMK) . A Withdraw and Resupply capability allows customers to withdraw their CMK and leverage Quorum control for approval operations to trigger a shutdown of their instance until a restore operation is performed to resupply the the withdrawn key. If the withdrawn CMK is not restored within 30 days, instance DB backups will no longer be accessible. Backup data lost in this way is not recoverable. • Database encryption is an additional cost option that allows you to encrypt data tables within your database with no loss of functionality. Data is encrypted with AES encryption and decrypted in real time as it is accessed. If enabled, this will also be applied to all sub-instances and backup data (specifically, it would provide encrypted database tables within a separately encrypted backup). Database encryption provides protection in the unlikely event of physical disk loss or theft. • You have the option of using your own encryption key with database encryption. This feature – Customer Controlled Switch (CCS) - requires you to implement an endpoint on your own premises or work with a technology partner who has an endpoint integration with CCS. • Full disk encryption (FDE) is an additional cost option where the disks used to store your instance and data include self- encryption capabilities. FDE requires customers to purchase a dedicated environment. This encrypts all your information when the system is offline and therefore provides protection in the unlikely event of physical disk loss or theft. Integration traffic Single sign-on (SSO) authentication can be performed using SAML integrations to your IdP using TLS. Secure Lightweight Directory Access Protocol (LDAPS) is also available for authentication and user object synchronization. • File transfers can be made outbound from your instance with SFTP, FTPS, or SCP. Outbound clear text protocols such as FTP and HTTP are also supported, but not recommended. Inbound transfers such as web uploads are conducted exclusively over HTTPS. In each case, TLS is supported. Email attachments are discussed in the section on email security.

WHITE PAPER 15 © 2023 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated. servicenow.com • Code is statically tested for vulnerabilities using a related process when checked into the main ServiceNow branch. We also perform internal, manual testing of any new patches and hot fixes developed through the lifecycle of a release family. In both cases, any detected issues enter the remediation process to be addressed where necessary. • Cloud infrastructure is internally (weekly) and externally (daily) scanned for vulnerabilities using a third-party enterprise vulnerability scanner. Internal scanning is performed on an authenticated basis to ensure maximum coverage • An independent third party performs application penetration testing on all major releases before they are made available to customers. Validated findings are taken forward for remediation based on several factors, including overall risk and possible impact. customers may request a summary of the results from these tests. • We rotate testing through several qualified providers to deliberately expose the platform to different teams, processes, and techniques. This maximizes the possibility of gaining actionable results during this stage of the overall process. Customer testing ServiceNow customers may perform a penetration test against a sub-production instance in alignment with ServiceNow’s Customer penetration testing policy . Any security testing outside of this process is not permitted. At the conclusion of the authorized testing period, all findings that impact the platform must be reported to ServiceNow via the Security Findings application in Now Support. The process for submitting findings is detailed here. • The target instance must be a non-production instance, running a supported update and hotfix combination. • You must report your findings to us within 30 days. The HSP and Instance Hardening Guides described earlier in this document are important tools for securing your instance(s) and remediating against potential vulnerabilities. Best Practice: Review ServiceNow’s most current published penetration test reports in the CORE Compliance Portal. Find out how to access CORE here. If you wish to carry out your own annual application penetration test, ensure that you have first installed the latest updates, hardened the instance, and fulfilled the pre-requisite conditions described above. You can then schedule your test in the Now Support Portal. ServiceNow will respond to findings in accordance with the process described in the Customer Instance Security Testing document. Summary Though the Now Platform is designed with security as a priority, the way you set up your instance to meet your security policies greatly affects the security of the data it contains. Maintaining security is an ongoing process, so it’s important to monitor activity, keep abreast of new developments, implement relevant changes, and verify the results in a regular cycle. This document has given an overview of the main areas to focus on to ensure the security of your ServiceNow instance. There are also inline links to a wide range of resources providing more details and guidance. By using the information provided, you will be able to configure your instance to be as secure as possible and ensure that it remains that way. Please visit the ServiceNow product documentation site for further reading.