Data Classification Q&As

Purpose:  This web page is for NC State Configuration Item (CI) owners with questions about how to classify their CIs using the ServiceNow Configuration Management Database (CMDB).

  • NOTE:  This page is not for general questions about how to use ServiceNow or the CMDB tool. For help with those issues, please visit help.ncsu.edu.

To ask a new question about how to classify CIs: If you have a question this page does not answer, please use this form to submit each new question. You should receive an answer via email within one week.

Approved Q&As

OIT S&C has approved the following Q&A combinations:

Q1:  When classifying a network switch, do I need to consider the data in its traffic?

A:  In short, no. When classifying network devices in the CMDB, the CI owner needs to consider only the data being processed or stored on the CI — not the data traversing it or residing only in volatile memory. Network devices store configuration files, so you need to classify network switches as the following scope/category combination, which is highly sensitive (red):

  • Information Technology Data — Server Configuration Files

Q2: How do I classify OIT Fortinet load balancers?

A: Classify both versions, production and test, as purple (ultra-sensitive).

Q3: When classifying a Configuration Item (CI), should I consider the minimum level of data it requires to function?

A:  In short, no:

  • Any given CI requires a minimum level of data to function (for example, local configuration files, default accounts, logs, and so on). Exclude this type of data from consideration.
  • Do include any operating system data that the CI is storing or maintaining for one or more other systems (such as configuration files, accounts, logs, and so on). Because a compromise of the CI would affect one or more additional systems, the risk would be higher, and thus, you would need to classify the CI as red (highly sensitive).

Q4: How do I classify a wireless access point that is managed by a centralized management server?

A:  Not sensitive (green)

Q5: How do I classify a configuration item when I can’t find an appropriate data classification?

A: If neither ServiceNow nor the NC State Data Classification Table provides the appropriate scope/category/element combination for your configuration item, send an email to oit_isra@help.ncsu.edu. OIT S&C will receive your email as a ServiceNow ticket and will work with the appropriate data steward to document and classify the new data. OIT S&C will notify you of the solution and add it to the data classification table as well as ServiceNow.