Security Incident Confidential Data Exposure flow template

The Security Incident - Confidential Data Exposure - Template allows you to perform a series of tasks designed to handle the exposure of sensitive data.

Before you begin

Role required: sn_si.write

About this task

This flow is triggered when the Category in a security incident is set or changed to Confidential personal identity data exposure.

Procedure

  1. Open the security incident for which you want to handle the exposure of sensitive data, or create a new security incident.
  2. In Category, select Confidential personal identity data exposure.
  3. Save the record.
  4. Scroll down and open the Response Tasks related list.
    The first of a series of response tasks appears. Each time the record is saved, your response to the previous task either causes the next response task to be executed or the flow to end.
    Table 1. Response tasks in Confidential Data Exposure Template

    | Response task | Description | Results |
    |---|---|---|
    | Is the data sensitive? | Determine whether the data associated with this security incident is sensitive or confidential. In the task, select Yes or No in Outcome. | If you selected Yes, the next response task is executed. If you selected No, the flow ends. |
    | Determine root cause and prevent egress | Determine the root cause of the attack and add egress filtering to stop the exfiltration, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Eliminate exposure related to root cause | Based on the root cause, perform the steps to eliminate the exposure, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Quarantine residual artifacts | Perform the steps to quarantine any residual artifacts, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Legal process | Perform the steps to satisfy the legal requirements of this analysis, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | PR process | Perform the steps to satisfy the PR requirements of this analysis, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the next response task is executed. |
    | Set state to review | No action required. | The State of the security incident is automatically changed to Review. |
    | Lessons learned meeting | Conduct a lessons learned meeting to triage the work performed on this sensitive data, updating the State field in the task as appropriate. | If you change the state of the task to Closed Complete or Cancelled, the security incident remains in the Review state until you close it. |