If you store customer data in ServiceNow, you can rest assured that ServiceNow is taking necessary measures to meet compliance regulations as it relates to their infrastructure. However, unless you take the appropriate steps, these measures often do not extend to any backups you maintain externally to the ServiceNow platform.
So how do you know if the backups of your ServiceNow data are meeting the ever-growing list of data compliance regulations? Here are some areas to pay attention to when evaluating if your ServiceNow backup and recovery strategy can help you meet your compliance needs.
Under regulations like the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), Health Insurance Portability and Accountability Act (HIPAA), and others, it’s crucial for companies to inform customers about how certain personal data is being collected or used.
At a minimum, you should start identifying the customer data that you store in ServiceNow, including within backups, so you can better support access approval audits, legal discovery, and more. To do this, you must first inventory and classify the data you already have. Though rigorous, this exercise will force you to think about how data flows in, through, and out of your organization.
While it’s one thing to identify all of your buckets of data, you also need to be able to query them based on many different criteria. So, when selecting your ServiceNow backup solution, you need to ensure it has powerful, extensive search capabilities.
Did you know that many regulations require you to retain immutable backup snapshots with a third party for several years? That can be particularly challenging for ServiceNow customers, since the Now Platform stores only a limited number of backups for a maximum of 28 days.
If you are a public company, in a regulated industry, or if you have PII or PHI stored in ServiceNow, you may fail audits for regulations like the Sarbanes-Oxley Act (SOX), FINRA and SEC Rule 17a-4, or HIPAA.
When considering how long data needs to be kept, whether in your ServiceNow instance or in your backups, ask yourself the following questions:
If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing it.
Once data retention policies have been reviewed, you’ll need to establish a process for removing and/or retaining specific data within your ServiceNow backups.
Not only is data availability essential to running your business, it’s also critical to achieving compliance within mission-critical solutions like ServiceNow. Having data that is unavailable, whether due to downtime or loss/corruption, can lead to violations of regulations like GDPR, HIPAA, SOX, and others, often resulting in harsh penalties.
To keep data available in the event of loss or corruption, your backups must be stored off-platform (separate from your ServiceNow instance) so that business continuity is preserved should any unexpected service disruption occur.
Now that you’ve learned what to look for, has your answer changed? If your current ServiceNow backup strategy or solution allows for all of the following, you should feel confident that you can meet your data compliance requirements:
If not, you should strongly consider a different approach, like the one offered by OwnBackup. With OwnBackup Recover for ServiceNow, you can:
To learn more about Recover for ServiceNow, check out our website or download our ebook, "The Complete Guide to Backup and Recovery for ServiceNow".