Are you using ITSM incident module for your security incidents?Do you lack visibility into your security incident posture?Check how Security Incident Response implementation enhances your security posture



The ServiceNow® Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review, knowledge base article creation, and closure.

Below are some of the challenges that are facing a Federal Agency and how we are helping them overcomethese challenges with the implementation of Security Incident Response Module.




Many Agencies that use ServiceNow ITSM incident module include their security incident response teams as assignment groups on the incident module. While the incident module is designed to address general support tickets, it lacks the functionalities and features required for Security Incident teams to effectively respond to security incidents.


Cannot properly calculate the severity of the incident and prioritize accordingly


Security response tasks are created manually and there are no dependencies between tasks or order of processing


The Security Incident Response team, unless familiar with the step by step process to resolve the incidents, may be at loss until a more seasoned and experience team member confirms the steps


Lack of visibility into the different stages of the incident because ITSM incident response doesn’t reflect all stages of security incident


By creating security incident calculator groups and setup calculators in the base system or creating your Agency specific severity calculator. Incident Severity calculations, based on incident type, PII data or system involved, or other predetermined factors helps security teams prioritize thus giving their immediate attention to high severity incidents


Response tasks in the security incident module are configured by activating and configuring security incident response flows. ServiceNow baseline configuration contains sample flows for a variety of incident tasks. Our team can help you create or modify existing flows that automate the processes including integrations with other systems


With Playbooks and Runbooks, institutional memory and memorization of each step of the process is not necessary. We preconfigure playbooks to suite each and every security incident type, whether it is a missing laptop or a PII breach. Playbooks provide full transparency and a guided approach to resolving the incidents


Stages of security incident are different from ITSM incident and can be configured based on your Agency’s standard model. With that said, we can help configure the SIR module based on your organization standards and requirements as well as build custom reports and dashboards that gives your teams complete visibility into the security incident posture, including durations, trends, and other indicators that helps you improve your Agency’s security posture


Security Incident Response is designed for security teams to quickly track and respond to incidents. Security incidents can be reported through several mechanisms:

  • From the ITSM incident module, by clicking a button to create security incident 

  • Filling a form for the Security Incident category on Service Catalog

  • By configuring email inbound actions - users send an email to a predefined email address

  • Microsoft Outlook client plugin allows users to report phishing attacks directly from their outlook

  • When critical security-related events are received from within ServiceNow or from third-party monitoring applications

Security Incident Response
New Incident Form