Leading approaches for presenting findings include agreeing on a format, ensuring transparency, and discussing results beforehand with stakeholders so the playback is a validation of existing knowledge. The architecture diagram should include ServiceNow Instances, Integrations, Authentication systems, Portals, Data lakes, and external service providers. It should *not* include all information gathered from interviews, especially if it relates to processes/controls rather than the architecture itself.

The three layers of ServiceNow‘s platform security architecture are the Internet Services Layer, Application Layer, and Database Layer. Access is strictly controlled; requests must pass through the Internet Services Layer, then the Application Layer, before reaching the Database Layer, preventing any direct external access to deeper layers.

Database Encryption is the ideal solution for comprehensive, transparent encryption of all stored data at rest. It utilizes AES-256, is transparent to users and applications, supports instance cloning, and has a minimal performance impact (up to 5%).

Edge Encryption is suitable for data sovereignty and compliance requirements where keys cannot be cloud-stored. It is *not* recommended if the customer cannot manage the additional infrastructure and complexity, or if data needs to be available for server-side processing requiring decryption by the platform. While it can encrypt specific columns, if server-side decryption/manipulation is needed, it becomes problematic. Protecting against physical loss is the purpose of Full Disk Encryption, not Edge Encryption.

The application layer includes a pre-logon policy framework that enforces authentication controls based on user context. It also encompasses authentication mechanisms (like corporate SSO or MFA) that validate user identity, and authentication policies that evaluate requests to determine access. The ‘security_admin‘ role is for authorization *after* login, not pre-login or authentication. Direct database access and physical security are not application layer components for these functions.

Threat modeling is defined as a ‘risk-based approach to designing security systems‘. Its purpose is to systematically identify potential threats and develop mitigations, directly answering the questions ‘What might go wrong?‘ and ‘What can we do to prevent this?‘ during the design phase of a solution.

The ‘Platform Management‘ domain defines practices, policies, and standards for access, upgrades, patching, securing, and maintaining the Now Platform. This specifically includes detailed upgrade management policies covering process, approvals, testing, scheduling, and communications, as well as routine performance monitoring and readiness activities for instance hygiene. Development standards and environment structure belong to ‘App Development Management‘ and ‘Environment Management‘ domains respectively, while data ownership is part of ‘Data Management‘.

ServiceNow recommends assigning data ownership at the entity level (e.g., company records, user records, CI classes) to reduce complexity and maintenance. Data owners are ultimately accountable for the state of the data, defining requirements, and are authorized to enforce policy.

The recommended approach for populating the CMDB involves leveraging Discovery, augmenting with data from other point solutions (like SCCM), and using the Robust Transform Engine (RTE) to prepare data for the Identification and Reconciliation Engine (IRE). IRE processes inbound quality checks (identification, reconciliation, and relationship rules) and prioritizes data sources to ensure data quality and accuracy.

Leading practices for data management include establishing processes for measuring and improving data quality using dashboards, implementing validation checks, ensuring data integrity through regular cloning, managing data through its full lifecycle, and classifying data for easier access and reuse. Manual audits are part of this but not necessarily weekly for *all* attributes, and data owners are accountable for data quality, implying their involvement.

According to the provided table, ‘Common service data‘, ‘Foundation platform data‘, and ‘Integrations data‘ are explicitly highlighted as being within the scope of master data management. Other data types like Reporting, Transactional, and Platform maintenance data are excluded from this specific scope.

The IRE API processes three types of inbound quality checks: Identification rules, Reconciliation rules, and Relationship rules. Robust Transform (RTE) processes data *before* it enters IRE, and duplicate rules are associated with the Duplicate Remediator, a separate workflow to handle identified duplicates.

The main objective of identifying the current architecture is to support the identification of the ‘to-be‘ architecture. The process involves three leading steps: 1) Identifying key stakeholders and gathering information; 2) Documenting, analyzing, and interpreting results in a structured way; and 3) Documenting findings and presenting them back to stakeholders.

Recommended leading practices for stakeholder interviews include keeping them under one hour, having no more than two participants per session, asking open-ended questions, preparing relevant questions and documents, and ensuring executive sponsorship/oversight. It is advised to avoid focusing too much on IT-related personas and to include a wider variety of stakeholders.

Heatmaps use color to represent data values, with warmer colors typically indicating higher effort or values. Their approach is derived from stakeholder feedback and interview information. A critical caution is their ineffectiveness for colorblind customers. They are used to determine the required effort for both the customer (internal organization effort) and engagement (professional services effort). Heatmaps indicate effort, but are not necessarily for exact quantitative measurements.

The customer is explicitly responsible for the secure configuration of the instance, employee vetting/screening, and authentication/authorization policies. ServiceNow is responsible for data encryption at rest and vulnerability management of the platform, while colocation providers handle physical security of the data centers.

SPM is about the creation, organization, and management of portfolio services, supporting a service-oriented model. Service offerings are essential for defining SLAs and collecting metrics. SPM aligns with the ‘Sell/Consume‘ domain of the CSDM and improves IT business operations by standardizing service documentation. SPM does not primarily focus on foundational data or hardware CI management.

All listed methods (HTTP-based web services for various formats, ODBC connector, direct REST/SOAP calls, export set capability, and third-party replication tools like SnowMirror/Perspectium) are explicitly supported out-of-the-box patterns for bulk data export. Direct SQL queries from external systems are not mentioned as an out-of-the-box method.

In an IdP-initiated SSO process, the user first authenticates with the IdP and is then typically directed to a homepage with application links. When an application link is clicked, a SAML authentication assertion is sent to the application to match the user ID, leading to access if a match is found. Steps related to ServiceNow initiating a SAML request are part of ServiceNow-initiated SSO, not IdP-initiated.

The guiding principles for foundation data management include ensuring it supports capability, recognizing that its configuration influences process value and onboarding time, allowing it to be sourced from external systems if timely, and acknowledging that ownership of foundation data is critical and warrants its own product owner.

A MID Server can pull bulk data into an import set from external systems via protocols like JDBC, LDAP, or FTP. It can also be a destination for export sets, where exported data can be retrieved from its filesystem by external systems. The MID Server *cannot* be used for real-time user authentication (like LDAP authentication) due to the real-time nature of the operation. Its role is primarily for communication with on-premise systems, not as a general proxy for all cloud-based HTTP web services.

The critical factors determining consumed services and informing the operational model are: ‘Who‘ (consumer‘s role/structure), ‘What‘ (service catalog hierarchy), and ‘Where‘ (customer‘s location and its implications). The operational model itself defines how services are provided, often based on department or geography. ‘How‘ and ‘When‘ are not listed as the primary determinants in this context.

The ‘Platform Data and Integrations‘ domain includes: Introduction and overview, Leading practices, Foundation data and governance, MID servers, Integration patterns/protocols/web services, and User management. Although ‘IntegrationHub, spokes, flow designer‘ are part of this domain, the question specifically asked to exclude IntegrationHub.

For complex solution designs, multiple integrations, and data residency requirements, multi-development instances (split by product or release) and multi-production instances are suitable strategies. However, these introduce challenges such as duplication of resources/effort, complexities in sharing common data (e.g., foundation data, CSDM), and the need to execute processes across multiple instances.

Crucial factors when establishing governance steps for release and instance management include finding the right balance between risk mitigation (control) and value realization (speed). Also critical are clear processes and policies for moving code/data into an environment, and considering the customer‘s operating model, platform scope, instance structure, and implementation methodology. The specific individuals on the CAB and historical incidents, while relevant to IT operations, are not listed as the primary high-level governance considerations in this context.

The out-of-the-box code migration options supported in ServiceNow are Application repositories, Source control integrations, Update sets, and Team development (though Team development is now superseded by Source Control). Direct database replication tools are for data, not specifically code, and manual file transfers via SFTP are not listed as an out-of-the-box code migration method.

To reduce risk, resolve incidents faster, and prevent outages, instance management policies should clearly define: Instance overview, Support procedures, Critical availability, Maintenance procedures, Change management requirements, Advanced permissions, System properties, and Plugins. All these areas contribute to a well-managed and stable ServiceNow environment.

The CSDM is explicitly defined as a standard and consistent set of terms and definitions that span and can be used with all ServiceNow products, enabling service reporting and providing prescriptive guidelines for service modeling within the CMDB.

Phase 1 objectives include using CSDM for Incident Management (automatic routing to assignment group based on technical service offering), Change Management (automatic population of approver groups based on service offerings), and Tracking which service handles sensitive data. Options 1 and 5 are explicitly part of Phase 2.

The source indicates that assigning incidents and changes to the business application table is ‘No, according to CSDM these are not the right structures to use for ITSM processes since they belong to the design domain‘. Therefore, stating that it is acceptable for strategic level reporting on application health is incorrect in the context of CSDM alignment for ITSM processes.

For CSM implementation, ‘Account‘, ‘Sold Product‘, and ‘Install Base Item‘ are the record types used to link to internal CMDB classes for external customers. To enable the crucial reference between a ‘sold product‘ and a ‘service offering‘, the ‘Customer Service with Service Portfolio Management (SPM)‘ plugin must be activated (which also installs ‘Customer Service Install Base Management‘).

Managing database triggers during deployment requires careful planning and understanding of dependencies. A phased approach allows for systematic activation while monitoring system performance and data integrity. This method helps prevent cascade failures and allows for proper validation at each step while maintaining system stability.

A layered relationship model with governance controls provides the best balance between flexibility and maintainability in CMDB implementations. This approach allows organizations to define standard relationship types at different levels (infrastructure, application, business service) while maintaining data quality. The governance controls ensure that relationships are created consistently and maintain meaningful connections between CIs, supporting both operational and business needs.

Blue-green deployment in ServiceNow requires maintaining two identical production environments to minimize downtime and risk. By maintaining two production instances and using URL routing to switch between them, organizations can perform zero-downtime deployments and have immediate rollback capability if issues arise. This approach is particularly valuable for organizations with strict uptime requirements and complex deployments that need thorough validation in a production-like environment.

Update sets are ServiceNow‘s recommended method for migrating configurations between instances. They provide version control, allow for proper sequencing of changes, and include validation capabilities to prevent conflicts. Using update sets ensures that configurations are migrated consistently and allows for rollback if needed, making it the most reliable approach for go-live preparation.

Data security is crucial when handling production data in sub-production instances. The best practice is to implement data masking and scrambling techniques while selectively subsetting the data. This ensures that sensitive information is protected while maintaining realistic test scenarios and data relationships. Additionally, this approach complies with data privacy regulations while providing meaningful test data for development and testing activities.

ACL changes are critical security configurations that need to be properly tested before reaching production. The standard release pipeline using update sets ensures that ACL changes are properly tracked, tested, and validated across all environments. This approach maintains system security, provides audit trails, and allows for rollback if needed. It also helps maintain consistency across instances and follows ServiceNow best practices for change management.

When testing ETL operations in ServiceNow, using synthetic test data with known transformation patterns is the most effective approach. This method allows testers to validate all possible transformation scenarios while maintaining data security and predictability. Synthetic data can be designed to cover edge cases, complex transformations, and various data formats while ensuring that sensitive production data is not exposed during testing. Additionally, using predefined patterns makes it easier to verify the accuracy of transformations and troubleshoot any issues that arise.

OAuth with JWT tokens and MID Server provides multiple layers of security. JWT tokens offer tamper-proof authentication, OAuth ensures proper authorization, and the MID Server adds an additional security layer by handling the communication through firewalls. This combination also provides audit capability and can handle token rotation and expiration properly.

Temporary staging tables are optimal for ETL processes in ServiceNow as they provide a dedicated space for data transformation without impacting production tables. Using truncate operations ensures efficient cleanup after processing is complete. This approach balances performance, resource utilization, and maintainability while providing transaction safety and error handling capabilities. The strategy also supports parallel processing and can be easily monitored for performance optimization.

The CSDM recommends using Application Services for internal ITSM processes (from the ‘Manage Technical Services‘ domain) for automatic routing and approvals. For external business-to-business customers, ‘Sold Products‘ and ‘Install Base Items‘ (from the ‘Sell/Consume‘ domain) are used to link services and enable case management. The business application table is part of the ‘Design‘ domain and is not the appropriate structure for ITSM processes.

As per the CSDM mapping discussion, an application service ‘depends on‘ the infrastructure CIs that support it. The business application ‘consumes‘ the application service.

The ‘Crawl‘ maturity level enables ITSM to start tracking incidents, problems, and change requests against application services, establishing foundational service management. The ‘Walk‘ level builds on this by focusing on managing technology services, integrating discovered CIs with manual metadata (like support groups) via technical service offerings.

The CMDB creates and maintains logical configurations and relationships for network infrastructure and services. The CSDM is a standard data framework guiding service modeling within the CMDB, ensuring data consistency and enabling full benefits from ServiceNow products. The CSDM is not primarily about physical architecture or solely external integrations.

At the ‘Run‘ maturity level, the data model enables impact assessment for ITSM, allowing the identification of impacted services and service offerings for incidents, problems, and changes associated with selected CIs. It also populates the ‘subscribed by‘ tables to identify impacted parties.

When dealing with multiple discovery sources in ServiceNow CMDB, implementing a reconciliation rule set with priority-based identification rules is essential. This approach allows for systematic handling of conflicts while maintaining data integrity. The rules can consider source reliability, data completeness, and update frequency to determine the authoritative source for each CI attribute. This method ensures consistent and accurate CI identification across the CMDB.

Suzi explicitly states that ‘If you don‘t follow this standard, your customer may not receive the full benefit of the ServiceNow products on the Now Platform,‘ because the framework ensures that the necessary data maps correctly to the appropriate CMDB tables.

The Technical Governance Board is responsible for overseeing the development of technical governance policies and standards across data, environment, application development, and platform management domains. Critically, these governance levels (technical, portfolio, and strategy) are interrelated and their decisions must remain in sync to prevent siloed operations.

The platform owner is central to defining scope, planning setup, identifying stakeholders, and advising decision-making groups, as well as ensuring the framework is adaptable. Continuous improvement, involving metric analysis and bottleneck removal, is explicitly part of the governance process to optimize its effectiveness over time.

When defining platform access policies, critical considerations include: which users have access, their access level, the process for requesting access, required training/certification, and who approves access. The engagement of ServiceNow Support is relevant to upgrade management policies, not platform access policies.

Regression testing is the most suitable type to ensure existing functionality remains stable after changes or upgrades. The Automated Testing Framework (ATF) is the ServiceNow application specifically designed for creating and running automated, reusable tests, perfect for regression testing.

Manual testing is primarily recommended for exploratory testing, usability testing (where human observation is key), and ad hoc testing due to their reliance on human intuition, creativity, and observation. Automated testing is more efficient for repetitive tasks like regression and performance testing.

Customers are permitted only one penetration test per year. The testing must be pre-approved and scheduled with ServiceNow. Prerequisites include upgrading instances to the latest release/patch and implementing ServiceNow‘s hardening guide. A minimum HealthScan score may be required. Customers must share their testing scenarios and results with ServiceNow.

Testing on the ServiceNow platform primarily aims to validate applications against requirements, verify conformity to specifications, and ensure new functionality does not introduce regressions to existing functionality, especially following changes like upgrades, patches, hotfixes, or new releases.

Internationalization testing verifies if a software application can adapt to various languages and regions without changes, while Localization testing verifies if it looks and behaves as expected after adapting for a specific region or language. Performance testing assesses speed, stability, and scalability to identify areas for improvement.

Load testing simulates anticipated production consumption but is distinct from stress testing. It can be performed before go-live or during upgrades to address performance concerns. It requires an isolated environment and is subject to strict policies, including pre-planning and restrictions during peak hours to avoid impacting live system performance. The integration of results to CMDB health is not automatically implied.

A ‘Smoke test‘ (or ‘build verification test‘) is a non-exhaustive, quick test typically performed by QA after a successful build to ensure the most important functions work. User Acceptance Testing (UAT) is the final validation stage, completed by end-users or authorized stakeholders to ensure the application meets business outcomes and is acceptable for delivery.

A robust go-live plan includes identifying anticipated technical/process challenges, defining comprehensive mitigation plans for risks/issues, identifying necessary logistics and key resources, and establishing a governance and OCM model. Communication is multifaceted, covering pre-, during, and post-go-live, and includes support, not just celebration. Existing solutions and customizations are important to consider.

The goals of hypercare include managing hypercare incidents/requests in a dedicated dashboard and managing handover documents. Leading practices for issue tracking include using ServiceNow Test and Defect Management, establishing a separate queue for incidents, and leveraging knowledge articles and virtual agent topics for self-help. Continuous service improvement is also a key objective.

The source details specific communication strategies for each phase: pre-go-live (set expectations, reinforce change awareness, outline job changes), go-live (mention live modules, build competency with KB articles/guided tours), and post-go-live (support enablement, document issues/workarounds). Inspiring messages from leadership and town halls are successful strategies applicable across phases. A go-live kit with relevant documents is also recommended. Surveys are for continuous improvement post-go-live, not solely for positive feedback.