Purpose: This web page is for NC State Configuration Item (CI) owners with questions about how to classify their CIs using the ServiceNow Configuration Management Database (CMDB).
- NOTE: This page is not for general questions about how to use ServiceNow or the CMDB tool. For help with those issues, please visit help.ncsu.edu.
To ask a new question about how to classify CIs: If you have a question this page does not answer, please use this form to submit each new question. You should receive an answer via email within one week.
OIT S&C has approved the following Q&A combinations:
Q1: When classifying a network switch, do I need to consider the data in its traffic?
A: In short, no. When classifying network devices in the CMDB, the CI owner needs to consider only the data being processed or stored on the CI — not the data traversing it or residing only in volatile memory. Network devices store configuration files, so you need to classify network switches as the following scope/category combination, which is highly sensitive (red):
- Information Technology Data — Server Configuration Files
Q2: How do I classify OIT Fortinet load balancers?
A: Classify both versions, production and test, as purple (ultra-sensitive).
Q3: When classifying a Configuration Item (CI), should I consider the minimum level of data it requires to function?
A: In short, no:
- Any given CI requires a minimum level of data to function (for example, local configuration files, default accounts, logs, and so on). Exclude this type of data from consideration.
- Do include any operating system data that the CI is storing or maintaining for one or more other systems (such as configuration files, accounts, logs, and so on). Because a compromise of the CI would affect one or more additional systems, the risk would be higher, and thus, you would need to classify the CI as red (highly sensitive).
Q4: How do I classify a wireless access point that is managed by a centralized management server?
A: Not sensitive (green)
Q5: How do I classify a configuration item when I can’t find an appropriate data classification?
A: If neither ServiceNow nor the NC State Data Classification Table provides the appropriate scope/category/element combination for your configuration item, send an email to email@example.com. OIT S&C will receive your email as a ServiceNow ticket and will work with the appropriate data steward to document and classify the new data. OIT S&C will notify you of the solution and add it to the data classification table as well as ServiceNow.