ServiceNow: Data Integrity Guide for GxP Compliance - Tables

This post provides a framework for configuring the ServiceNow Platform Tables to meet today's data integrity standards in order to comply with 21 CFR Part 11 and other predicate GxP regulations.  I will attempt to cover:

  1. How to leverage in-built ServiceNow features to ensure Tables are configured for GxP Compliance?
  2. How to design the configuration qualification (CQ) tests?
  3. How to ensure "validated status" (VS) on an ongoing basis?

Step 1 - Table Configuration

Data Tables

You must identify all the Data Tables utilized by your apps that host GxP data (for example: incident table, change_request table).  For each table that hosts GxP data, turn on the audit feature.

You must also turn on auditing for inserts (set the system property glide.sys.audit_inserts to TRUE).

You must ensure that no_audit_delete is NOT set to FALSE for any of the Data Tables (default value is TRUE).

You must also ensure that whitelisting is not enabled for the table (all fields should be audited) and none of the fields are blacklisted for auditing (no field should be excluded from auditing).

System Tables

Follow the above listed steps under Data Tables for the following System Tables:

sys_schema_change
sys_properties
sys_user
sys_user_group
sys_user_role
sys_user_has_role
sys_user_grmember
sys_group_has_role
sys_security_acl
sys_security_acl_role

Update the glide.ui.audit_deleted_tables system property to include the above system tables (this will enable delete tracking for the included system tables).

Step 2 - Configuration Qualification

Design automated tests to:

  1. Qualify the configuration settings in Step 1 above.
  2. Perform smoke tests to ensure Table Audit feature (insert, update and delete) is functioning as expected.
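
One way to express the first of these tests is as a pure check over an exported configuration snapshot. This is an added example, not ServiceNow code or code from the original post: the snapshot shape (properties, tables, audit, auditType, excludedFields) is hypothetical, the comma-separated format of glide.ui.audit_deleted_tables is an assumption, and the no_audit_delete check is left out.

```javascript
// Added example: qualify an exported configuration snapshot against Step 1.
// Snapshot shape (properties, tables, audit, auditType, excludedFields) is hypothetical.
const SYSTEM_TABLES = [
  'sys_schema_change', 'sys_properties', 'sys_user', 'sys_user_group',
  'sys_user_role', 'sys_user_has_role', 'sys_user_grmember',
  'sys_group_has_role', 'sys_security_acl', 'sys_security_acl_role',
];

function qualifyAuditConfig(snapshot, gxpDataTables) {
  const findings = [];
  const props = snapshot.properties || {};

  // Insert auditing must be enabled platform-wide.
  if (String(props['glide.sys.audit_inserts']).toLowerCase() !== 'true') {
    findings.push('glide.sys.audit_inserts is not true');
  }

  // Delete tracking must list every system table (assumed comma-separated).
  const tracked = new Set(String(props['glide.ui.audit_deleted_tables'] || '')
    .split(',').map((t) => t.trim()).filter(Boolean));
  for (const t of SYSTEM_TABLES) {
    if (!tracked.has(t)) findings.push(`${t}: missing from glide.ui.audit_deleted_tables`);
  }

  // Every GxP data table and system table must audit all of its fields.
  for (const t of [...gxpDataTables, ...SYSTEM_TABLES]) {
    const cfg = (snapshot.tables || {})[t];
    if (!cfg) { findings.push(`${t}: not present in snapshot`); continue; }
    if (cfg.audit !== true) findings.push(`${t}: auditing is off`);
    if (cfg.auditType === 'whitelist') findings.push(`${t}: whitelisting enabled`);
    for (const f of cfg.excludedFields || []) findings.push(`${t}.${f}: excluded from auditing`);
  }
  return findings;
}

// Constructed sample snapshot of a compliant instance (not real export data).
function sampleSnapshot() {
  const tables = {};
  for (const t of ['incident', 'change_request', ...SYSTEM_TABLES]) {
    tables[t] = { audit: true, auditType: 'all', excludedFields: [] };
  }
  return {
    properties: {
      'glide.sys.audit_inserts': 'true',
      'glide.ui.audit_deleted_tables': SYSTEM_TABLES.join(','),
    },
    tables,
  };
}
```

An empty result means the snapshot passes; each string in the result is one deviation to record in the CQ evidence.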

Step 3 - Continuous Validation

Design a continuous validation (CV) framework to ensure compliance on an ongoing basis.  This CV framework should ensure the following:

  1. Check that the configuration settings match compliance best practices (Step 1 above).
  2. Perform smoke tests to ensure Table Audit feature (insert, update and delete) is functioning as expected.
  3. Data and Configuration Compliance Checks
     • Query the sys_audit table to ensure data compliance is met.  For example, a flag has to be raised if records were deleted from Tables where deletion is prohibited.
     • Query the sys_schema_change table to ensure configuration compliance is met.  For example, a flag has to be raised if configuration changes associated with the locked tables are found.

By following the above three steps, a robust Table Level Data Integrity Framework can be deployed leveraging the built-in ServiceNow Platform features.  Turning on the audit trail is the easy part; enforcing compliance based on the data in the audit trail is the difficult one.  By implementing a continuous validation framework, you not only ensure that the best practice settings are always turned on, but also mine the audit trail data to ensure compliance.