How to Ensure Compliance for Your ServiceNow Backups

If you store customer data in ServiceNow, you can rest assured that ServiceNow is taking necessary measures to meet compliance regulations as it relates to their infrastructure. However, unless you take the appropriate steps, these measures often do not extend to any backups you maintain externally to the ServiceNow platform. 

So how do you know if the backups of your ServiceNow data are meeting the ever-growing list of data compliance regulations? Here are some areas to pay attention to when evaluating if your ServiceNow backup and recovery strategy can help you meet your compliance needs.

Under regulations like the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), Health Insurance Portability and Accountability Act (HIPAA), and others, it’s crucial for companies to inform customers about how certain personal data is being collected or used.  

At a minimum, you should start identifying the customer data that you store in ServiceNow, including within backups, so you can better support access approval audits, legal discovery, and more. To do this, you must first inventory and classify the data you already have. Though rigorous, this exercise will force you to think about how data flows in, through, and out of your organization.

While it’s one thing to identify all of your buckets of data, you also need to be able to query them based on many different criteria. So, when selecting your ServiceNow backup solution, you need to ensure it has powerful, extensive search capabilities.

Did you know that many regulations require you to retain immutable backup snapshots with a third party for several years? That can be particularly challenging for ServiceNow customers, since the Now Platform stores only a limited number of backups for a maximum of 28 days.  

If you are a public company, in a regulated industry, or if you have PII or PHI stored in ServiceNow, you may fail audits for regulations like the Sarbanes-Oxley Act (SOX), FINRA SEC 17a–4, or HIPAA.

When considering how long data needs to be kept, whether in your ServiceNow instance or in your backups, ask yourself the following questions:

1. Are we under any regulatory requirements requiring a specified period of time of data retention?
2. Do we have a specific legal or contractual obligation for keeping the data?
3. Was the data collected for specified, explicit, and legitimate purposes?
4. Are we only keeping data that is adequate, relevant, and necessary to our business?
5. Is the data being kept longer than is necessary, for example, longer than the length of the contract?
6. Is the data stored securely (e.g. encrypted, immutable)?

If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing it.

Once data retention policies have been reviewed, you’ll need to establish a process for removing and/or retaining specific data within your ServiceNow backups.

Not only is data availability essential to running your business, it’s also critical to achieving compliance within mission-critical solutions like ServiceNow. Having data that is unavailable, whether due to downtime or loss/corruption, can lead to violations of regulations like GDPR, HIPAA, SOX, and others, often resulting in harsh penalties.

To ensure that data will be available in the event of a data loss or corruption, your backups must be stored off-platform (separate from your ServiceNow instance) to ensure business continuity, should any unexpected service disruptions occur.

Now that you’ve learned what to look for, has your answer changed? If your current ServiceNow backup strategy or solution allows for all of the following, you should feel confident that you can meet your data compliance requirements:

• Search within data and attachment backups
• Respond to audit requests quickly and easily
• Remove and/or export specific data from within backups
• Automatically implement custom data retention policies
• Maintain access to data in the event of a service disruption or outage
• Store backup data in an encrypted and immutable format

If not, you should strongly consider a different approach, like the one offered by OwnBackup. With OwnBackup Recover for ServiceNow, you can:

• Back up your critical ServiceNow data in an external data protection platform so that it’s accessible, even in the event of a service disruption.
• Tailor retention policies for every instance to keep immutable copies for as long as needed to achieve compliance with any data regulation. 
• Answer questions about your data history using keyword searches across backups, files and attachments, as well as zero in on precise data by focusing searches on specific items.
• Quickly restore lost or corrupted data at a granular table, column, or record level in a self-service fashion.

To learn more about Recover for ServiceNow, check out our website or download our ebook, "The Complete Guide to Backup and Recovery for ServiceNow".