According to the Common Service Data Model (CSDM), the Business Application [cmdbcibusinessapp] is the logical construct used to store business-level information for portfolio management, GRC, and audits. To address data classification requirements, the Information Object [cmdbciinformationobject] is used to define the type of data (e.g., PII, PCI) that the Business Application processes. Linking these two CIs provides a clear, auditable record of which applications handle sensitive data, directly satisfying the security and compliance requirements.

A. Technology Management Service Offerings (Technical Service Offerings) and Groups: Technical Service Offerings represent underlying technical capabilities (e.g., database hosting), not the business application or its data classification.

C. Customer Service Offerings and Databases: The business-level compliance and data classification information belongs on the Business Application, not the underlying database CI or a non-standard "Customer Service Offering" term.

1. ServiceNow White Paper

"CSDM 4.0 White Paper

" October 2022

Page 16 (Design Domain). This document defines Business Application as the record for "rationalization

GRC

and other business-related concerns."

2. ServiceNow Product Documentation

"Information object

" CSDM

Utah. "An information object represents the data that is exchanged or manipulated by the business application... Use information objects to track and manage sensitive data

such as PII or PCI."