Roadmap. How to implement GDPR in SAP?
- Barnard Harrington
- 6 years ago
Roadmap
How to implement GDPR in SAP?
1. Introduction to GDPR
2. GDPR security-related requirements
3. SAP security controls for GDPR
4. GDPR security implementation plan
5. Follow-up actions
Introduction to GDPR
Key GDPR security provisions and challenges
Drivers of GDPR
Privacy concerns:
o cybertheft of personal data
o tracking and predicting individual behavior
o misuse of personal data
o control over their data
25 May 2018: General Data Protection Regulation
Level playing field
GDPR's Goal
To facilitate the digital economy
For citizens:
o easier access to their data
o a new right to data portability
o right to be forgotten
o right to know when their personal data has been hacked
For business:
o a single set of EU-wide rules
o EU rules for non-EU companies
o one-stop-shop
o a data protection officer
o innovation-friendly rules
o privacy-friendly techniques
o impact assessments
Are SAP users ready?
"By 25 May 2018, less than 50% of all organizations will fully comply with EU's GDPR" (Gartner Security & Risk Management Summit 2017)
… of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP (Source: UK and Ireland SAP User Group, June 2017)
… of companies expect sanction or remedial action per 25 May 2018 (Source: Symantec, October 2016)
Turn GDPR into Lemonade
1. Elicit SAP-related GDPR security requirements
2. Learn suitable SAP security controls
3. Prepare GDPR security implementation plan
GDPR security-related requirements
Definitions
Personal data: any information relating to an identified or identifiable natural person ('data subject').
Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Source: General Data Protection Regulation, Article 4
Online Store
GDPR Security Provisions: Overview
o Data Subject Rights
o Privacy Principles (Privacy by Design and Privacy by Default)
o Data Protection Officer Duties
o Data Protection Impact Assessment
o Cybersecurity Requirements
o Data Breach Notification
Privacy Principles: Eliciting requirements
Principles:
o Lawfulness, fairness and transparency
o Purpose limitation
o Data minimization
o Accuracy
o Storage limitation
o Integrity and confidentiality
o Accountability and compliance
SAP tasks:
o Identify data items
o Find users having access to personal data
o Restrict access to personal data
o Manage personal data lifecycle
o Implement and describe security controls to demonstrate compliance
o Monitor personal data access
o Implement incident response capabilities
GDPR Security Tasks
o Identify data items
o Find users having access to personal data
o Evaluate security controls
o Assess risks to data subjects
o Restrict access to personal data
o Implement and describe security controls to demonstrate compliance
o Manage personal data lifecycle
o Monitor personal data access
o Detect SAP security threats
o Implement SAP incident response capabilities
SAP Security Controls for GDPR
1. Assess data processes
1.1 Identify data items
1.2 Find users having access to personal data
1.3 Evaluate security controls
1.4 Assess risks to data subjects
1.1 Find data: Typical locations of personal data
Standard global master tables:
o Customers: KNA1, KNBK, KNVK
o Vendors: LFA1, LFBK
o Addresses: ADRC, ADR2, ADR3, ADR6
o Business partners: BP000, BP030
o Users: USR03
o Credit cards: VCNUM
HR master records (infotypes):
o 0002 Personal Data
o 0004 Challenge
o 0006 Addresses
o 0009 Bank Details
o 0021 Family
o 0028 Internal Medical Services
o 0094 Residence Status
1.1 Find data: How to find personal data in SAP?
Search in domains:
o RSCRDOMA: Where-Used List of Domains in Tables
o RPDINF01: Audit Information System, Technical Overview of Infotypes
Search in table descriptions:
o tables and their descriptions: DD02L, text table DD02T
o fields: DD03L
o data elements: DD04L, text table DD04T
o domains: DD01L, text table DD01T
1.2 Find users: Overview of communication channels
Business transactions and reports
SAP tables:
o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
o proxy transactions like SPRO (which call the aforementioned ones internally)
o SAP Query (SQVI, SQ01, …)
Access controls
RFC functions
Databases (HANA, Oracle)
SAP services:
o Gateway
o Message Server
o SOAP Interface
Other security controls
1.2 Find users by S_TABU_* authorizations
1.2 Find users of transactions
Standard data-related transactions:
o Customers: FD02
o Vendors: FK02, M-01
o Addresses: VCUST
o Business partners: BP
o Users: SU01, SU10, SUGR, PA30
o Credit cards: PRCCD, …
Find more:
1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
2. Find transactions related to the program (SE80, or table TSTC)
3. Find users having S_TCODE authorizations to run the transactions
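The two "find users" slides above describe the same check from two sides: who reaches a personal-data table through S_TABU_DIS (by the table's authorization group from TDDAT) or S_TABU_NAM (by table name), and who can start a transaction that displays it (S_TCODE). The following is an added example, not part of the deck or an ERPScan tool; it runs offline over constructed stand-ins for exports of AGR_1251, AGR_USERS and TDDAT, and emulates PFCG value semantics (intervals when HIGH is set, `*` wildcards otherwise).

```python
"""Find users who can reach a personal-data table through S_TABU_DIS,
S_TABU_NAM or S_TCODE. All rows below are constructed sample data
standing in for exports of AGR_1251 (role authorizations), AGR_USERS
(role-to-user assignments) and TDDAT (table authorization groups)."""
from fnmatch import fnmatchcase

# Constructed TDDAT export: table -> authorization group (CCLASS)
TDDAT = {"KNA1": "FA", "KNBK": "FA", "LFA1": "FA", "ADRC": "SA",
         "VCNUM": "SC", "USR03": "SC"}

# Constructed AGR_1251 export: (role, object, field, low, high).
# A set HIGH makes LOW..HIGH an interval; otherwise LOW may carry '*' wildcards.
AGR_1251 = [
    ("Z_FIN_CLERK", "S_TABU_DIS", "DICBERCLS", "FA",    ""),
    ("Z_FIN_CLERK", "S_TABU_DIS", "ACTVT",     "03",    ""),
    ("Z_FIN_CLERK", "S_TCODE",    "TCD",       "FD02",  ""),
    ("Z_BASIS_ALL", "S_TABU_DIS", "DICBERCLS", "*",     ""),
    ("Z_BASIS_ALL", "S_TABU_DIS", "ACTVT",     "01",    "03"),  # interval 01..03
    ("Z_BASIS_ALL", "S_TCODE",    "TCD",       "S*",    ""),    # SE16, SM30, SU01, ...
    ("Z_CARD_VIEW", "S_TABU_NAM", "TABLE",     "VCNUM", ""),
    ("Z_CARD_VIEW", "S_TABU_NAM", "ACTVT",     "03",    ""),
    ("Z_HR_ADMIN",  "S_TCODE",    "TCD",       "PA30",  ""),
]

# Constructed AGR_USERS export: role -> assigned users
AGR_USERS = {
    "Z_FIN_CLERK": {"JDOE"},
    "Z_BASIS_ALL": {"ADMIN01", "FIREFIGHTER"},
    "Z_CARD_VIEW": {"CSHIELD"},
    "Z_HR_ADMIN":  {"HRUSER"},
}

# Transactions known to display each table (business transaction plus generic browsers)
DATA_TCODES = {"KNA1": {"FD02", "SE16", "SE16N", "SM30"},
               "VCNUM": {"PRCCD", "SE16", "SE16N"}}


def value_matches(low, high, value):
    """Emulate one authorization field value: interval if HIGH is set,
    otherwise a pattern where '*' matches any suffix (fnmatchcase)."""
    if high:
        return low <= value <= high
    return fnmatchcase(value, low)


def role_has(role, obj, field, value):
    """True if any value of the field in the role's authorizations matches."""
    return any(value_matches(low, high, value)
               for r, o, f, low, high in AGR_1251
               if r == role and o == obj and f == field)


def role_reaches_table(role, table, activity="03"):
    """S_TABU_NAM on the table itself, or S_TABU_DIS on its authorization group.
    Tables without a TDDAT entry fall into the &NC& group."""
    group = TDDAT.get(table, "&NC&")
    by_name = (role_has(role, "S_TABU_NAM", "TABLE", table)
               and role_has(role, "S_TABU_NAM", "ACTVT", activity))
    by_group = (role_has(role, "S_TABU_DIS", "DICBERCLS", group)
                and role_has(role, "S_TABU_DIS", "ACTVT", activity))
    return by_name or by_group


def users_with_table_access(table, activity="03"):
    """Users with table-level access, and separately users who can start a
    transaction that shows the table (the S_TCODE route from the slide)."""
    direct, via_tcode = set(), set()
    for role, users in AGR_USERS.items():
        if role_reaches_table(role, table, activity):
            direct |= users
        if any(role_has(role, "S_TCODE", "TCD", t) for t in DATA_TCODES.get(table, ())):
            via_tcode |= users
    return {"table_auth": sorted(direct), "transaction": sorted(via_tcode)}


if __name__ == "__main__":
    for t in ("KNA1", "VCNUM"):
        print(t, users_with_table_access(t))
```

With real exports, feed the same functions from SE16 downloads or an RFC table read; the wildcard role Z_BASIS_ALL shows why a `*` in DICBERCLS must be treated as access to every personal-data table.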
1.3 Evaluate security controls
Authentication:
o Password policy
o Privileged users
o SSO checks
Access control:
o Assignment of authorization groups to tables and ABAP programs
o RFC authorization checks
o Unblocked critical transactions (SM59, SCC5, SM32, …)
Insecure configuration:
o Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, Monitoring
o Log settings: security audit log, system log, gateway, HTTP, SQL logs
o CCMS settings
Encryption:
o SSL options
o SNC options
List of connected systems: RFC, DBCON, HANA, XI
1.4 Assess risks to data subjects
CAUSE: weak access controls (no SoD enforced, weak passwords); transmission of data using unencrypted channels; application vulnerabilities; misconfigurations; disabled logging
RISK: disclosure, alteration, destruction or loss of personal data
EFFECT: health, legal, financial, reputation
"In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." Source: General Data Protection Regulation
2. Prevent the data breach
2.1 Restrict access to personal data
2.2 Implement and describe security controls to demonstrate compliance
2.3 Manage personal data lifecycle
2.1 Restrict access to personal data: Overview
LEVEL / SOLUTION
Business: Authorization objects; Segregation of Duties; Single sign-on and password authentication; UI Masking and Logging
Communications: XI; SNC; VPNs; Firewalls
Infrastructure: Secure configuration (servers, databases, SAP components and clients); Database and file encryption; Identity management
2.1 Restrict access to personal data: UI Masking
Purpose:
o masking sensitive data in SAP GUI
o logging of requests to selected data fields
Functions:
o modifies data on the backend side, before it is displayed
o tracks requests for sensitive data
o configurable: what should be masked and how
o configurable: who is authorized to see unmasked data
Source: SAP UI Masking presentation
2.1 Restrict access to personal data: UI Masking Architecture
Source: SAP UI Masking presentation
2.2 Implement security controls
Article 32 requirements mapped to SAP CSF (SAP Cybersecurity Framework) areas:
(a) pseudonymization and encryption: SAP CSF. Data Security; SAP CSF. Secure Architecture
(b) CIA (confidentiality, integrity and availability): SAP CSF. Asset Management; SAP CSF. Access Control
(c) continuity: SAP CSF. Business Environment; SAP CSF. Incident Response
(d) testing: SAP CSF. Vulnerability Management; SAP CSF. Threat Detection
2.2 Implement security controls: System Security Plan
A System Security Plan is a description of the approach to protecting a system:
o roles and assignment of security responsibilities
o description of the system: purpose, environment and interconnections
o description of assets: name, purpose, environmental context, severity and type of information
o laws, regulations and policies affecting the system and its data
o security control selection
o information about approval and completion
o security plan maintenance considerations
Source: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems
2.3 Manage personal data lifecycle
Every step of the deal involves processing personal data that must be blocked and erased once its purpose ends.
Source: D&IM Services
2.3 Manage personal data lifecycle
As soon as the original purpose ends, personal data must be deleted. However, if other fiscal or legal retention periods apply, the data must be blocked instead.
Source: D&IM Services
2.3 Manage personal data lifecycle: SAP Information Lifecycle Management
Lifecycle management of data with the following Retention Management functions:
o Defining ILM rules (for example, retention rules) that map legal requirements onto live and archived data.
o Putting legal holds on data that is relevant for legal cases, in order to prevent early destruction.
o Destroying data while taking legal requirements and legal holds into account.
o Storing archived data on an ILM-certified WebDAV server, to guarantee that the data cannot be changed and to protect it from premature destruction.
3. Detect & Respond
3.1 Monitor personal data access
3.2 Notify incident response team
3.3 Respond to SAP incidents
3.1 Monitor personal data access: Event sources
o UI Masking
o UI Logging
o Read Access Logging
o Security logs
3.1 Monitor personal data access: UI Logging
o UI Logging is a non-modifying add-on based on SAP NetWeaver
o UI Logging captures the data stream between SAP GUI and the backend system
o Minimal impact on the application
Example: log record for transaction BP (Business Partner)
Source: SAP UI Logging presentation
3.1 Monitor personal data access: Read Access Logging (Read Access Logging Framework)
3.1 Monitor personal data access: Security Audit Log
3.2 Notify incident response team
SAP Computing Center Management System (CCMS):
o RZ21: create alert
o RZ20: assign alert to MTE (monitoring tree element)
3.3 Respond to SAP incidents
GDPR Security Tasks
o Identify data items
o Find users having access to personal data
o Evaluate security controls
o Assess risks to data subjects
o Restrict access to personal data
o Implement and describe security controls to demonstrate compliance
o Manage personal data lifecycle
o Notify incident response team
o Implement SAP incident response capabilities
GDPR Security Implementation Plan
GDPR Security Implementation Plan
1. Understand your system: what personal data is processed in SAP and who has access to it?
2. Restrict access:
o develop authorizations and SoD rules
o prioritize remediations
3. Stay compliant and detect breaches:
o monitor access
o detect GDPR non-compliance and SAP threats
1. Understand your system
o tables: Have you assigned table authorization groups to all critical tables?
o transactions, reports: Have you revoked unnecessary S_TCODE authorizations related to personal data?
o RFC functions: Check the list of users with S_RFC authorizations
o database & OS access: Are the database and OS hardened?
o platform vulnerabilities: Have you implemented all SAP patches and SAP security notes?
o misconfigurations: Is the SAP configuration secure?
o custom code vulnerabilities: Does your custom code contain hardcoded values or missing authorization checks?
1. Understand your system: SAP Security Audit
o Data flows description
o Analysis of authorizations, roles and SoD conflicts
o Vulnerability assessment and remediation guideline
o Security control evaluation & custom code security analysis
o Threat analysis: security event analysis; roles profiling; RFC profiling
2. Restrict access: Action plan
1. Revoke unjustified access
2. Prepare remediation plan for vulnerabilities
3. Prepare action plan for security controls:
o fix custom code issues and missing authorization checks
o turn on logging of data access
o mask personal data
o harden configuration
2. Restrict access: Remediation planning
Constraints and requirements (example):
o Duration: not more than 60 days
o Vulnerability risk level: medium and higher
o Allowed remediation types: no kernel patch
Tasks:
1. Prioritizing vulnerabilities:
- ease of exploitation: availability of public exploit, need for preparation, need for credentials with special rights, etc.;
- impact of a successful exploitation: full disclosure and OS-level access, or just revealing technical data;
- prevalence of the vulnerability in SAP systems;
- criticality of the SAP systems with the vulnerability.
2. Filtering vulnerabilities
Outcome: Remediation Plan
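The prioritization criteria and constraints on this slide can be turned into a repeatable planning step. This is an added example, not ERPScan's method: the findings are constructed and the scoring weights are an assumption; what it shows is how the filters (risk level, disallowed remediation type) and the effort budget interact with the priority order.

```python
"""Turn vulnerability findings into a remediation plan under the slide's
constraints: at most 60 days of effort, risk level medium or higher,
no kernel patches. Findings and weights below are constructed assumptions."""
from dataclasses import dataclass

RISK_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Impact of a successful exploitation, as the slide distinguishes it
IMPACT_SCORE = {"os_access": 3, "full_disclosure": 3, "technical_data": 1}


@dataclass
class Finding:
    title: str
    risk: str                # low / medium / high / critical
    remediation: str         # config, security_note, custom_code, kernel_patch
    effort_days: int
    public_exploit: bool     # ease: a public exploit exists
    needs_credentials: bool  # ease: needs credentials with special rights
    impact: str              # key of IMPACT_SCORE
    prevalence: float        # share of SAP systems affected, 0..1
    system_criticality: int  # 1 (test) .. 3 (production with personal data)


def priority(f):
    """Ease x impact x prevalence x system criticality (assumed weights)."""
    ease = (2 if f.public_exploit else 1) + (0 if f.needs_credentials else 1)
    return ease * IMPACT_SCORE[f.impact] * (1 + f.prevalence) * f.system_criticality


def plan(findings, max_days=60, min_risk="medium", disallowed=("kernel_patch",)):
    """Filter by the constraints, then fill the effort budget in priority order.
    Returns (selected, deferred, days_used); excluded findings appear in neither."""
    eligible = [f for f in findings
                if RISK_RANK[f.risk] >= RISK_RANK[min_risk]
                and f.remediation not in disallowed]
    eligible.sort(key=priority, reverse=True)
    selected, deferred, used = [], [], 0
    for f in eligible:
        if used + f.effort_days <= max_days:
            selected.append(f)
            used += f.effort_days
        else:
            deferred.append(f)
    return selected, deferred, used


# Constructed findings (titles are illustrative, not real advisories)
FINDINGS = [
    Finding("Gateway access control not restricted", "high", "config", 5, True, False, "os_access", 0.6, 3),
    Finding("Missing security note for RFC function", "high", "security_note", 10, True, True, "full_disclosure", 0.4, 3),
    Finding("Kernel vulnerability in production", "critical", "kernel_patch", 15, True, False, "os_access", 0.5, 3),
    Finding("Verbose error page reveals technical data", "low", "config", 1, False, False, "technical_data", 0.9, 3),
    Finding("Custom report without AUTHORITY-CHECK", "medium", "custom_code", 30, False, True, "full_disclosure", 0.2, 3),
    Finding("Unblocked SM59 in production", "medium", "config", 2, False, True, "technical_data", 0.7, 3),
    Finding("Default password on test system", "high", "config", 25, True, False, "full_disclosure", 0.3, 1),
]


def plan_titles(findings=FINDINGS, **kwargs):
    selected, deferred, used = plan(findings, **kwargs)
    return [f.title for f in selected], [f.title for f in deferred], used


if __name__ == "__main__":
    sel, defer, days = plan_titles()
    print("selected:", sel)
    print("deferred:", defer)
    print("days used:", days)
```

The kernel finding drops out on the remediation-type constraint even though it is rated critical; the plan should record such exclusions separately, since they are risk accepted for the period rather than fixed.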
3. Stay compliant and detect breaches: Aggregate logs
More than 30 logs, for example:
o SAP ABAP Security log
o SAP ABAP Audit log
o SAP ABAP HTTP log
o SAP ABAP ICM Security log
o SAP ABAP RFC log
o SAP J2EE HTTP log
o SAP HANA Security log
o SAP HANA log
Log Management Solutions
3. Detect SAP security threats: Threats & attacks examples
Threats:
o starting of critical RFC, report, transactions or web service access
o unauthorized/unsuccessful access (e.g. RFC calls, logon attempts)
o potential DDoS attack
Attacks:
o web-resource attacks (XSS, SQL injection, etc.)
o using source code vulnerabilities
o authentication bypass (Verb Tampering, Invoker servlet)
Anomalies:
o first-time access to personal data
o location change of users processing personal data
o unusually high traffic utilization
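The three anomaly types on this slide are the ones a Read Access Logging or UI Logging feed can support once it is normalised. The following is an added example, not part of the deck: the log lines are constructed in a simplified "timestamp user location table" form, and the burst threshold (twice the user's busiest baseline hour) is an assumption a SOC would tune.

```python
"""Detect first-time access to personal data, location change of a user
processing personal data, and unusually high access volume. Log lines are
constructed sample data in a simplified 'timestamp user location table' form."""
from collections import Counter, defaultdict
from datetime import datetime

PERSONAL_DATA_TABLES = {"KNA1", "KNBK", "LFA1", "ADRC", "VCNUM", "USR03", "PA0002"}

# Constructed baseline window (known-good behaviour)
BASELINE_LOG = """\
2018-05-20T09:01:11 JDOE AMSTERDAM KNA1
2018-05-20T09:02:40 JDOE AMSTERDAM KNBK
2018-05-20T10:15:09 JDOE AMSTERDAM KNA1
2018-05-21T09:30:00 JDOE AMSTERDAM KNA1
2018-05-21T11:05:33 HRUSER AMSTERDAM PA0002
2018-05-21T14:12:01 ADMIN01 PALO-ALTO USR03
"""

# Constructed detection window: JDOE moves location, opens a new table, bursts
NEW_LOG = """\
2018-05-28T08:55:12 JDOE AMSTERDAM KNA1
2018-05-28T09:10:45 JDOE KIEV KNA1
2018-05-28T09:11:02 JDOE KIEV VCNUM
2018-05-28T09:11:30 JDOE KIEV KNBK
2018-05-28T09:12:05 JDOE KIEV KNA1
2018-05-28T09:12:50 JDOE KIEV KNBK
2018-05-28T09:13:20 JDOE KIEV KNA1
2018-05-28T10:00:00 HRUSER AMSTERDAM PA0002
2018-05-28T10:30:00 ADMIN01 PALO-ALTO T000
"""


def parse(log):
    """Parse 'timestamp user location table' lines into tuples."""
    events = []
    for line in log.splitlines():
        ts, user, location, table = line.split()
        events.append((datetime.fromisoformat(ts), user, location, table))
    return events


def build_baseline(events):
    """Per user: personal-data tables and locations seen, and the busiest
    hour of personal-data access (used as the volume reference)."""
    base = defaultdict(lambda: {"tables": set(), "locations": set(), "hourly": Counter()})
    for ts, user, location, table in events:
        if table not in PERSONAL_DATA_TABLES:
            continue
        b = base[user]
        b["tables"].add(table)
        b["locations"].add(location)
        b["hourly"][ts.strftime("%Y-%m-%dT%H")] += 1
    return {u: {"tables": b["tables"], "locations": b["locations"],
                "peak_per_hour": max(b["hourly"].values())} for u, b in base.items()}


def detect(baseline, events, burst_factor=2):
    """Return (user, anomaly, detail) tuples. Each anomaly fires once per
    user and table/location/hour, so a burst does not flood the queue."""
    alerts, hourly, flagged = [], Counter(), set()
    for ts, user, location, table in events:
        if table not in PERSONAL_DATA_TABLES:
            continue  # only personal-data access is in scope here
        b = baseline.get(user, {"tables": set(), "locations": set(), "peak_per_hour": 0})
        if table not in b["tables"] and (user, "table", table) not in flagged:
            alerts.append((user, "first_time_access", table))
            flagged.add((user, "table", table))
        if location not in b["locations"] and (user, "loc", location) not in flagged:
            alerts.append((user, "location_change", location))
            flagged.add((user, "loc", location))
        hour = ts.strftime("%Y-%m-%dT%H")
        hourly[(user, hour)] += 1
        threshold = burst_factor * max(b["peak_per_hour"], 1)  # assumed rule
        if hourly[(user, hour)] > threshold and (user, "hour", hour) not in flagged:
            alerts.append((user, "high_volume", hour))
            flagged.add((user, "hour", hour))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG)):
        print(alert)
```

ADMIN01's access to T000 is ignored because T000 is not a personal-data table; the table list is what ties this detection to the discovery work in step 1.1.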
ERPScan GDPR Solutions: How can ERPScan help?
o SAP Security Audit
o ERPScan VM module
o ERPScan Code scanning module
o ERPScan SOD module
o SOD services
o SAP Vulnerability Management Services
o SAP - SIEM integration services
Contact us: inbox@erpscan.com
Follow-up actions
o Conduct an SAP security audit
o Organize a one-to-one demo
o Request more information
Thank you
Michael Rakutko, Head of Professional Services
USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA
HQ Netherlands: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
Read our blog: erpscan.com/category/press-center/blog/
Join our webinars: erpscan.com/category/press-center/events/
erpscan.com
More informationEAS- SEC: Framework for Securing Enterprise Business Applica;ons
Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan
More informationProhire Software Systems Limited ("Prohire")
Prohire Software Systems Limited ("Prohire") White paper on Prohire GDPR compliance measures 11 th May 2018 Contents 1. Overview 2. Legal Background 3. How Prohire complies 4. Wedlake Bell 5. Conclusion
More informationGDPR Controls and Netwrix Auditor Mapping
GDPR Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About GDPR The General Data Protection Regulation (GDPR) is a legal act of the European Parliament and the Council (Regulation
More informationGeneral Data Protection Regulation (GDPR) The impact of doing business in Asia
SESSION ID: GPS-R09 General Data Protection Regulation (GDPR) The impact of doing business in Asia Ilias Chantzos Senior Director EMEA & APJ Government Affairs Symantec Corporation @ichantzos Typical Customer
More informationFile Transfer and the GDPR
General Data Protection Regulation Article 32 (2): In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from
More informationOverview of Akamai s Personal Data Processing Activities and Role
Overview of Akamai s Personal Data Processing Activities and Role Last Updated: April 2018 This document is maintained by the Akamai Global Data Protection Office 1 Introduction Akamai is a global leader
More informationGDPR: A technical perspective from Arkivum
GDPR: A technical perspective from Arkivum Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationSecure Access & SWIFT Customer Security Controls Framework
Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted
More informationDATA PROTECTION POLICY THE HOLST GROUP
DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller
More informationWORKSHARE SECURITY OVERVIEW
WORKSHARE SECURITY OVERVIEW April 2016 COMPANY INFORMATION Workshare Security Overview Workshare Ltd. (UK) 20 Fashion Street London E1 6PX UK Workshare Website: www.workshare.com Workshare Inc. (USA) 625
More informationUnderstand & Prepare for EU GDPR Requirements
Understand & Prepare for EU GDPR Requirements The information landscape has changed significantly since the European Union (EU) introduced its Data Protection Directive in 1995 1 aimed at protecting the
More informationJeff Wilbur VP Marketing Iconix
2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle Executive Director & President Online Trust Alliance Jeff Wilbur VP Marketing Iconix 1 Who is OTA? Mission to enhance online
More informationMachine Learning for User Behavior Anomaly Detection EUGENE NEYOLOV, HEAD OF R&D
Machine Learning for User Behavior Anomaly Detection EUGENE NEYOLOV, HEAD OF R&D 2 AUTHOR Eugene Neyolov HEAD OF R&D Security engineer and analyst leading applied research projects in security monitoring,
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationAltitude Software. Data Protection Heading 2018
Altitude Software Data Protection Heading 2018 How to prevent our Contact Centers from Data Leaks? Why is this a priority for Altitude? How does it affect the Contact Center environment? How does this
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationPlan a Pragmatic Approach to the new EU Data Privacy Regulation
AmChamDenmark event: EU Compliant & Cyber Resistant Plan a Pragmatic Approach to the new EU Data Privacy Regulation Janus Friis Bindslev, Partner Cyber Risk Services, Deloitte 4 February 2016 Agenda General
More informationPass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores
Pass4suresVCE http://www.pass4suresvce.com Pass4sures exam vce dumps for guaranteed success with high scores Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version :
More informationNo Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017
No Country for Old Security Compliance in the Cloud Joel Sloss, CDSA Board of Directors May 2017 Emerging Threats Specific/sequential targeting Effective reconnaissance Practiced tool usage Sophisticated
More informationA company built on security
Security How we handle security at Flywheel Flywheel was founded in 2012 on a mission to create an exceptional platform to help creatives do their best work. As the leading WordPress hosting provider for
More informationHow the GDPR will impact your software delivery processes
How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use
More informationMapping Cyber-Protections to Regulatory Requirements for Fintech
SESSION ID: PGR-R03 Mapping Cyber-Protections to Regulatory Requirements for Fintech Jonathan Fairtlough Managing Director Kroll, Cyber Security & Investigations Paul Haswell Partner Pinsent Masons, Risk
More informationINFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare
INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore
More informationGuidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17
GUIDELINES ON SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS UNDER EBA/GL/2017/17 12/01/2018 Guidelines on the security measures for operational and security risks of payment services under Directive
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationG DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know
G DATA Whitepaper The new EU General Data Protection Regulation - What businesses need to know G DATA Software AG September 2017 Introduction Guaranteeing the privacy of personal data requires more than
More informationSecurity Audit What Why
What A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site Physical configuration, environment, software, information handling processes,
More informationSAP Security in a Hybrid World. Kiran Kola
SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal
More informationEXABEAM HELPS PROTECT INFORMATION SYSTEMS
WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,
More information"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.
Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and
More information