CA Service Management

  • 1.  IT Security and Risk Management in the CMDB

    Posted Dec 02, 2014 03:01 PM

    My Security and Risk Management team has requested I add multiple fields into the CMDB so they may track information on CIs during an Incident as it is tied to Security and Risk Management, i.e., PCI info, SOX, NPI data, Bank/Loan Account numbers, etc.  I'm very hesitant to do this as it is not related to Service Management.  I understand their need to look at the CIs from a what-relates-to-what perspective, but why would I put Security and Risk information into a Service Management tool as it is specific to that department?  Does anyone have any thoughts or suggestions?



  • 2.  Re: IT Security and Risk Management in the CMDB

    Posted Dec 02, 2014 05:27 PM

    Information security management is one of the ITIL Service Design processes. Such information may provide additional information for other processes, for example change management can use such information to evaluate possible security risks of the change.



  • 3.  Re: IT Security and Risk Management in the CMDB

    Posted Dec 03, 2014 08:01 AM

    I understand security management but why would it put it in my Service Management tool?  If CA felt it was this important, wouldn't they have a separate module specifically for security and risk management rather than requiring customers to further customize the Service Management tool?  I understand ServiceNow has such a module for their ITSM tool.



  • 4.  Re: IT Security and Risk Management in the CMDB

    Posted Dec 07, 2014 05:03 PM

    I don't fully understand your concern regarding the extra attributes being requested, i.e. if proper or more efficient handling of incidents related to security and risk management can be optimized by having access to these extra CI attributes I cannot see why you shouldn't.

     

    Another option depending on which other system(s) may hold these attributes at current would be to consider this/these source(s) as MDR(s) for the CMDB and then leverage the MDR(s) for the CIs in context of handling these types of incidents.