Moody's — ITOM and ITSM process architecture that made asset tracking and vulnerability management computable

Asset tracking and vulnerability management are only as reliable as the data model underneath them. At Moody’s, the data model came first.

The challenge

Moody’s operated IT infrastructure with asset-management and vulnerability-assessment processes that were not computable at scale. The gap between what IT knew about its estate and what was actually running created operational blind spots: incident routing that relied on tribal knowledge rather than configuration data, request fulfilment that could not be validated against entitlement, and vulnerability assessments that could not be cross-referenced against a reliable CMDB to prioritise remediation by blast radius. The requirement was an integrated ITOM and ITSM architecture in ServiceNow — one that would make IT Asset Management, Incident Management, Request Management, and the CMDB work as a system rather than as four implementations that happened to share a platform.

The Blu Wingu approach

Blu Wingu was engaged as ITOM and ITSM Process Architect at Moody’s in New York and London from July 2014 to December 2016, accountable for the design and implementation of integrated processes across IT Asset Management, Incident Management, Request Management, and the CMDB.

The CMDB was the foundation decision. Without an authoritative, continuously maintained CI inventory, every downstream process — incident routing, asset reconciliation, vulnerability prioritisation — works from assumptions rather than facts. Blu Wingu led the CMDB design, establishing the data model, population strategy, and lifecycle-management governance to keep the inventory current as the estate changed. A CMDB not actively maintained degrades faster than it was built; the governance model was therefore a technical deliverable, not an afterthought.

Incident Management was redesigned to route on configuration data rather than categorical rules — assignments driven by what the CMDB recorded about affected CIs, not by what engineers remembered. Request fulfilment was streamlined against the asset inventory so that entitlement checks and provisioning decisions could be validated at the point of request rather than resolved manually downstream. Vulnerability assessments were integrated with the CMDB so that identified vulnerabilities could be cross-referenced against a CI’s business context, enabling remediation prioritisation by operational impact rather than CVSS score alone.

The engagement was designed to leave a platform Moody’s engineering teams could govern without ongoing consulting dependency — solutions aligned with industry standards that the internal team could maintain and extend. In a financial-services regulatory context, asset-management and vulnerability-management data quality carries audit implications; the CMDB and process designs were built to demonstrate that data was authoritative, changes were governed, and processes were computable rather than discretionary.

The outcome

Moody’s received an integrated ITOM and ITSM architecture in ServiceNow covering IT Asset Management, Incident Management, Request Management, and the CMDB. Request fulfilment was streamlined, operational efficiency increased, and service delivery improved. The CMDB foundation and governance model provided the authoritative CI inventory that subsequent platform maturity work could build on.

What’s defensible

The ITOM and ITSM Process Architect role and the scope of deliverables — IT Asset Management, Incident Management, Request Management, CMDB — are drawn from the programme record. This is a direct Blu Wingu engagement at Moody’s as an ITOM/ITSM client, not in any other capacity.

Cross-links: CMDB & CSDM · ITSM Process Design