2018 MIT CDOIQ Symposium
July 20, 2018
Stephanie Gruber, SAP
Eric Vanderburg, TCDI
GDPR, Data Privacy and Cybersecurity
It is all about data protection
2
TCDI content © Technology Concepts and Design Inc.
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
Agenda
• Market Conditions and Privacy Regulations
• SAP Security, Privacy and Compliance Strategy
• Data Protection and Privacy Framework
• Appendix: SAP Solutions and Services
Part 1: Market Conditions and Privacy Regulations
Digital Business Transformation
Digitization is changing the world by driving two main things: business agility and a fully connected value chain. This enables businesses to be driven by technology. Technology creates the networks and analytics used to develop products, services, and new business models. Automating all business processes and digitally connecting the entire value chain creates huge agility.
Digital technologies are here to stay: mobile, social, in-memory computing, machine learning, cloud, Internet of Things, big data, hyperconnectivity, and cybersecurity.
Security Risks
• Value of data: both in terms of the value companies are able to extract and the value a potential hacker could exploit
• Volume of data: companies are collecting and storing more data than ever before
• Vulnerability of endpoints: data no longer remains locked inside a datacenter; it has proliferated outside the four walls of a company's business
• Value to attacker: the sheer number and sophistication of attacks are at an all-time high
Impact of Cybersecurity Incidents
• Loss of valuable information and intellectual property
• Outages and disruption to business
• Direct financial loss
• Regulatory audits and fines
• Unfavorable media exposure
• Civil lawsuits
• Damage to reputation
• Criminal charges
You Know the Challenges – Breaches Classified as Sensitive
[Chart: world's biggest data breaches classified as sensitive, 2004/2005 compared with 2016/2017]
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Phishing rate: 1 in 2,596 emails is a phishing email; 1 in 14 employees clicked on a malicious link or attachment, and 25% of those employees did so more than once.
Email malware rate: 1 in 131 emails contains malware, the highest rate in five years.
New malware variants: 357 million new malware variants were detected this past year.
* Internet Security Threat Report Volume 22 by Symantec
Key facts reminder - General Data Protection Regulation (GDPR)
The General Data Protection Regulation (EU Regulation 2016/679), effective May 25, 2018, gives individuals control and protection of their personal data. Data controllers, who determine the purpose and means of processing personal data, and processors, who process personal data on behalf of controllers, are affected.
Penalties: up to 4% of annual global revenue or €20 million, whichever is greater.
Who must comply? Organizations that offer goods or services to, or monitor the behavior of, EU data subjects, and those that process or hold the personal data of EU residents.
Applies to: natural persons, whatever their nationality or place of residence in the EU, in relation to the processing of their personal data.
Imagine what could have been with GDPR in effect…
Based on publicly available data; companies anonymized. Potential fines are calculated by applying the maximum GDPR fine to annual revenues.
• The UK subsidiary of a major healthcare group, data breach April 2015: fine before GDPR £200K; potential fine if it had occurred after GDPR £1.6B
• A US global financial services group, data breach May 2017: fine before GDPR $27M+; potential fine if it had occurred after GDPR $125M+
• A major internet service provider, security failure Oct 2015: fine before GDPR £400K; potential fine if it had occurred after GDPR £59M
GDPR drastically changes detection and response expectations
[Calendar graphic: January to December]
On average it takes 214 days to detect a data breach… (* 2017 Cost of Data Breach Study by Ponemon Institute)
GDPR requires scope and impact reporting within 72 hours of the controller becoming aware of a breach (Article 33), so the detection gap is what has to close.
What's changing under GDPR?
Under GDPR, data subjects can expect increased protection of and direct control over their personal data. More specifically, they will have the right to access, correct, object to or limit processing of, erase, and request an export of their personal data from companies. On the other side, companies (also referred to as "controllers and processors") will have increased responsibilities in the following key areas of data protection and privacy:
Process and personnel
• Demonstrate compliance and accountability
• Train all employees
• Bring in a data protection officer or function
Policies
• Issue clear notice and obtain consent for data collection and processing
• Disclose purpose of personal data usage
• Manage data usage, retention, and deletion policies
• Enable 72-hour data breach notification
Systems
• Protect personal data with enhanced security
• Maintain records of consent by data subjects
• Manage personal data access and processing restrictions with change tracking
Data protection regulations vary globally and continue to evolve
Global Data Protection Regulations and Their Impact on Cloud Vendors and Customers
• USA: USA PATRIOT Act, Stored Communications Act, EU-US Privacy Shield
• EU: EU Data Protection Directive, replaced in 2018 by the EU General Data Protection Regulation (GDPR); privacy laws in 28 countries
• Germany: Federal Data Protection Act (FDPA)
• Japan: Act on the Protection of Personal Information (Amended APPI)
• Australia: Privacy Act 1988, Australian state and territory legislation
• Singapore: The Personal Data Protection Act (PDPA)
• Canada: Personal Information Protection Act (PIPA), Personal Information Protection and Electronic Documents Act (PIPEDA), Freedom of Information and Protection of Privacy Act (FIPPA)
• Russia: Federal Law No. 152-FZ on Personal Data
Challenges
Complexity of processes and number of stakeholders involved: Under GDPR, not all data requires the same level of governance, with use cases defining the differentiation. This approach enables greater flexibility and agility in accessing data. It also increases the possibilities for as-yet-unknown uses of data, all while maintaining compliance with GDPR requirements. (Source: Gartner blog: How GDPR Is an Opportunity to Create Business Value, Jan. 2018)
High costs of addressing and maintaining compliance: Gartner predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with the regulation. (Source: Gartner Says Organizations Are Unprepared for the 2018 EDPR, May 2017)
Business impact of losing customer trust and loyalty for noncompliance: Handled effectively, there is great potential to obtain consent to increase data access, use, and sharing rights, in line with the goals of a wider organizational data and analytics strategy. This can lead to competitive advantage, while helping to achieve compliance in other countries and regions. (Source: Gartner blog: How GDPR Is an Opportunity to Create Business Value, Jan. 2018)
Increased workload and resources needed to meet and maintain compliance: "Of those noncompliant firms, 50% will intentionally not comply – meaning they have weighed the cost and risk and are taking a path that presents the best position for their firms." (Source: Forrester Predicts 80% of Companies Will Fail to Comply with GDPR in 2019, Nov. 2017)
Cybersecurity vs. Data Privacy Programs
Cybersecurity: protection of information against unauthorized access through computing environments. Risk: loss, deletion, abuse. Responsible: Information Security Officer.
Data Privacy: protection of individuals with regard to the processing of personal data. Risk: infringement of personal rights. Responsible: Data Privacy Officer.
Overlap: Technical and Organizational Measures (TOMs).
Technical & organizational measures (TOM) at a glance
TOM categories:
• Access Control
• System Access Control
• Data Access Control
• Data Transmission Control
• Data Input Control
• Job Control
• Availability Control
• Data Separation Control
• Data Integrity Control
TOM measures (samples):
• Video and sensor surveillance, access logging, intruder alarm systems
• Password policy, strong authentication, access management tool
• Authorization concepts, SAP security policies and standards, security checks and penetration tests
• Security Incident Management, 24 x 7 Security Monitoring Center, SIEM
• SAP security policy (confidentiality), network security, encryption
• Segregation of duties, subcontractor compliance / certification
• Business continuity management, disaster recovery plans / testing
• Multi-tenancy, separate system landscapes, access restrictions
• Security patch management, malware management process
Part 2: SAP Security, Privacy and Compliance Strategy
SAP Data Protection, Privacy and Compliance Strategy
• Privacy Built-In: deliver privacy-compliant applications
• Privacy in the Cloud: comply with privacy regulations in the cloud
• Solutions: effective and scalable solutions to manage requirements
SAP Security Vision
As the world's leading provider of business-critical applications, SAP will continue to drive security into the heart of the application for ultimate protection of content and transactions.
We see a world where our customers and employees are able to use our software and services from anywhere, from any device, at any time, with confidence and trust.
Cornerstones of Security at SAP
• Defendable Application: security incorporated into applications, delivering ultimate protection for content and transactions. Themes: Zero Knowledge, Zero Vulnerability, Security by Default.
• Intelligent Infrastructure Protection: end-to-end secure cloud operations, defense of customer data and business operations. Themes: Perceptive Data Shield, Secure Augmented Network Security, Shielded Ecosystem.
• Secure SAP: security-aware staff, end-to-end physical security of SAP's assets, and a comprehensive business continuity framework. Themes: Security Culture, Secure Environments, Business Continuity.
• Transparency
Management System of standards and best practices*
Foundation: Code of Practice ISO 27002; Certification ISO 27001**, ISO 22301**, ISO 9001**, BS 10012
Operations and Compliance: SOC 2, SOC 3 (AT 101 / ISAE 3000)
Financial Controls: SOC 1 (SSAE 18 / ISAE 3402)
Transparency
Privacy: Data Protection BS 10012, ISO 27018; Data Privacy BDSG, EU Directive 95/46/EC (superseded by the GDPR on May 25, 2018)
Security Best Practice (extract): Service Delivery ISO 20000; Business Continuity ISO 22300; Application Security ISO 27034, OWASP; Hardening Guidelines SANS, ISO, CERT, NIST; Quality Management ISO 9000, ISO 25010; Destruction of Media ISO 27040; Incident Management ISO 27035
* The management systems are used across all SAP Cloud Secure services; execution of independent certification and audit depends on the service and organizational unit respectively. Details available at: http://go.sap.com/corporate/de/company/innovation-quality/excellence.html
** Component of the Integrated Information Security Management System (IISMS) of SAP
Security Recommendations
10 focus areas for customers (detail: www.sap.com/security)
As SAP continues to secure its internal operations, we have captured our best-practice approach to share with our customers.
Emergency Concept
• Define emergency, backup, and disaster recovery concepts to ensure business continuity
• Consider preparation of complete fallback systems for business-critical processes and applications
Users and Authorizations
• Security awareness
• User authorizations clearly defined and managed
Custom Code Security
• Establish custom code lifecycle management processes
• Use security source code scan tools to identify vulnerabilities in your custom coding
Secure Configuration
• Password security
• Authentication
• Encryption of data and communication
Secure Maintenance of SAP Code
• Regularly update all SAP software
• Review monthly CVE disclosures to assess risks to your SAP landscape
OS and Database Security
• Implement dedicated security requirements for all operating systems
• Implement restrictive database access mechanisms
Network Security
• Define a network concept with clearly structured, separate zones
• Separate high-security areas
• Determine concepts for dedicated servers and administrative roles
Front-End Security
• Deploy security configuration for both clients and mobile endpoints
• Distribute and activate administrator rules
• Activate access control lists (ACLs)
Security Audit Log
• Monitor all systems
• Activate the security audit log (SAL)
• Activate filters for critical users
Communication Security
• Use encrypted communication: Transport Layer Security (TLS; the older Secure Sockets Layer, SSL, is deprecated and should be disabled) or Secure Network Communications (SNC)
• Secure all Remote Function Call (RFC) connections
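Several of the focus areas above (Secure Configuration, Users and Authorizations, Security Audit Log, Communication Security) reduce to settings in an ABAP system's profile, so they can be checked mechanically rather than by hand. The script below is an added example, not code from the slide deck or from SAP: it parses a profile in the usual "name = value" layout and compares a handful of well-known SAP profile parameters against a baseline. The parameter names are real; the threshold values in RULES are an assumed illustrative baseline (not an SAP recommendation), and the two embedded profiles are constructed to show a weak and a corrected configuration side by side.

```python
"""Baseline check for SAP NetWeaver ABAP profile parameters.

Added example; not part of the slide deck and not SAP code. Parameter
names are real SAP profile parameters, but the thresholds below are an
assumed baseline chosen for illustration, and the embedded profiles are
constructed samples, not exports from a real system.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample profile (weak settings) in "name = value" layout.
WEAK_PROFILE = """
# constructed sample, not a real system
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 10
login/no_automatic_user_sapstar = 0
rsau/enable = 0
snc/enable = 0
auth/rfc_authority_check = 0
"""

# Constructed sample profile with the same parameters corrected.
HARDENED_PROFILE = """
login/min_password_lng = 12
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rsau/enable = 1
snc/enable = 1
auth/rfc_authority_check = 1
"""


@dataclass(frozen=True)
class Rule:
    parameter: str
    area: str                     # focus area from the recommendations list
    check: Callable[[int], bool]  # True when the value satisfies the baseline
    expectation: str              # human-readable form of the check


# Assumed baseline; the thresholds are illustrative, not SAP's own values.
RULES: List[Rule] = [
    Rule("login/min_password_lng", "Secure Configuration", lambda v: v >= 12, ">= 12"),
    Rule("login/password_expiration_time", "Secure Configuration", lambda v: 1 <= v <= 90, "1..90 days"),
    Rule("login/fails_to_user_lock", "Secure Configuration", lambda v: 1 <= v <= 5, "1..5"),
    Rule("login/no_automatic_user_sapstar", "Users and Authorizations", lambda v: v == 1, "= 1"),
    Rule("rsau/enable", "Security Audit Log", lambda v: v == 1, "= 1"),
    Rule("snc/enable", "Communication Security", lambda v: v == 1, "= 1"),
    Rule("auth/rfc_authority_check", "Communication Security", lambda v: v >= 1, ">= 1"),
]


def parse_profile(text: str) -> Dict[str, str]:
    """Parse "name = value" lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def evaluate(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, area, finding) for every rule the profile fails.

    A parameter that is absent is reported too: the system then runs on the
    kernel default, which this baseline does not assume to be safe.
    """
    params = parse_profile(text)
    findings: List[Tuple[str, str, str]] = []
    for rule in RULES:
        if rule.parameter not in params:
            findings.append((rule.parameter, rule.area, f"not set (expected {rule.expectation})"))
            continue
        try:
            value = int(params[rule.parameter])
        except ValueError:
            findings.append((rule.parameter, rule.area, f"non-numeric value {params[rule.parameter]!r}"))
            continue
        if not rule.check(value):
            findings.append((rule.parameter, rule.area, f"is {value}, expected {rule.expectation}"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = evaluate(profile)
        print(f"{label}: {len(result)} finding(s)")
        for parameter, area, finding in result:
            print(f"  [{area}] {parameter} {finding}")
```

Run it against an exported instance profile instead of the embedded samples to get a per-area list of deviations; a parameter that is simply missing is reported as a finding on purpose, because "not configured" means "kernel default", which is exactly the state the checklist warns against.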
Security in cloud software development and service delivery
Security is a fully integrated part of SAP's software development life cycle and of SAP's cloud service delivery.
Secure software development life cycle (from the start of software development to the release decision)
• Risk-based approach to security, according to ISO 27034
• Threat modelling
• Security planning
Secure cloud service delivery
• Secure design of cloud services
• Secure operations of cloud services
• Hacker simulation for the productive cloud environment
Security Recommendations addressed in Cloud
10 focus areas for customers (detail: www.sap.com/security)
As SAP continues to secure its internal operations, we have captured our best-practice approach to share with our customers.
Emergency Concept
• SAP takes care of business continuity and infrastructure redundancy
• The customer has the choice of data center and of different levels of disaster recovery, depending on the subscription method and cloud solution
Users and Authorizations
• SAP has roles defined in the organization and in the cloud solutions; these are managed internally by Cloud Access Manager
• The customer can use the existing roles defined within the cloud solution and is responsible for managing provisioning
Custom Code Security
• SAP delivers code through the S2DL and follows ISO
• The customer is still responsible for any custom code built on top of the solution
Secure Configuration
• SAP manages the system password policy and offers different authentication methods
• SAP requires that all data in transit and at rest is encrypted
• The customer has control over the password policy of the tenant/instance it owns
Secure Maintenance of SAP Code
• SAP manages patches for all cloud solutions
• The customer has no control over patching
OS and Database Security
• SAP maintains the OS and database where the solution is hosted
• The customer has no control over the OS or the database
Network Security
• SAP maintains network security within the firewall/DMZ where the application is hosted
• The customer manages its own network
Front-End Security
• SAP-delivered UI5 is checked for security before release
• The customer still manages custom UI5 and devices
Security Audit Log
• SAP monitors system logs
• The customer is responsible for monitoring application (tenant/instance) logs
Communication Security
• SAP requires that all data in transit and at rest is encrypted
• The customer has no control over the encrypted communication option, except for custom-developed applications
Part 3: Data Protection and Privacy Framework
Data protection and privacy framework: Why it matters
Great customer experiences are based on trusted relationships.
Data protection and privacy are top of mind for consumers as consumer data breaches are making front-page headlines and hurting bottom lines worldwide. Regulations like the General Data Protection Regulation (GDPR) are putting customers back in control of their data, which may have a significant impact on the foundations of your business.
• Optimize governance: optimize your data management and governance. Protect the business, establish a governance framework, and mitigate compliance risk.
• Modernize systems: establish a foundation for data protection and privacy. Ensure your systems incorporate data protection and privacy measures by design and by default.
• Perform continuous assessment: understand your data privacy landscape. Uncover any risk exposure in your current data protection and privacy systems, processes, and governance.
• Build trusted relationships: increase trust with your customers. Leverage privacy as a competitive advantage.
Data protection and privacy framework: What you do
Every business is unique, and so is your journey to provide data protection and privacy. SAP has focused on data protection and privacy for over 20 years, working with companies of all sizes and in all industries.
Optimize governance
• Assess, plan, and respond to data privacy requirements
• Define and adopt a consistent policy strategy
• Demonstrate compliance and accountability
Modernize systems
• Update systems to address regulatory requirements
• Discover, categorize, and map personal data
• Enable rectification, retention, blocking, and deletion of personal data
• Put in place technical and organizational measures to ensure compliance
Perform continuous assessment
• Conduct data protection impact assessments
• Record personal data processing activities
• Evaluate risks for personal data and processes
• Implement and test data protection and privacy controls
Build trusted relationships
• Empower user control, preference, and consent
• Centralize and govern consent and preferences
• Power digital experiences across multiple touch points
Data protection and privacy is good for business
Better governance, data, and consent management can improve business outcomes.
Help protect profitability and grow revenue
• Mitigate reputational risk and brand exposure by integrating compliance at the transactional level with real-time compliance checks
• Control cost by automating compliance and minimizing maintenance
• Integrate your GDPR program into your digital business transformation to promote compliance from the beginning
Stay agile throughout compliance
• Build a strong framework and sound data protection processes for GDPR and other privacy regulations
• Scale data protection programs as data evolves and expands due to changed regulations
• Focus on your business agility (acquisitions, new business models) while maintaining compliance
Build trust
• Keep your customers for life by creating positive digital experiences with transparency of use and control of their data
• Establish accountability with clearly communicated policies and procedures
• Document your commitment to data privacy responsibilities
Who is involved: Identify your stakeholders precisely
CEO and board of directors
Legal and governance
• Data protection officer
• Chief compliance officer
• Chief risk officer
• Head of legal
• Chief audit executive
IT operations
• Chief information officer
• Chief information security officer
Line of business
• Human resources
• Order-to-cash (OTC) function
• Procure-to-pay (P2P) function
• Business process owners
• Chief digital marketing officer
GDPR roles and responsibilities to support GDPR compliance efforts
Data protection officer
• Define the company-wide privacy and GDPR strategy
• Lead and harmonize privacy and GDPR initiatives across other roles within the business
• Establish oversight and reporting mechanisms for managing risks and controls
Chief security officer
• Choose and deploy security controls and policies to execute the privacy and GDPR strategy
• Set up processes and support teams in data discovery, data classification, and company-wide risk assessment exercises
• Leverage technology to enable continuous monitoring and reporting
Chief audit executive, compliance and risk officer
• Evaluate risk exposures relating to data privacy governance, operations, and information systems
• Evaluate the adequacy and effectiveness of internal controls and the ability to demonstrate accountability
Chief information officer
• Help security and privacy teams discover and classify data
• Enforce the privacy policies that the data protection and security teams have set
• Enable the organization to comply with data subject requests, such as data portability and the right to be forgotten
Business owners (HR, marketing, sales, OTC, P2P)
• Perform a top-down review of relevant personal data being processed within business processes
• Understand risks and challenges as well as new opportunities
GDPR roles and responsibilities within the business processes
Marketing and sales
• Ensure that explicit consent is given by the customer for processing their personal data
• Renew and version consent when policies or regulations change, in a secure audit-ready vault
• Enforce profile, preferences, and consent across the sales and marketing ecosystem
• Offer access to a self-service preference center so customers can exercise their privacy rights
Customer support and experience
• Design customer-facing notices and communication
• Run customer journey mapping exercises to establish privacy and GDPR touch points
• Design privacy- and GDPR-relevant customer journeys
Human resources
• Identify the customer data the team handles, including data held with third parties
• Determine which data is personal or sensitive and what specific retention requirements are relevant to that data
• Collect and make available for review all third-party contracts and employee privacy notices
Vendor management and procurement
• Collect and make available for review third-party contracts
• Design privacy requirements to be included in third-party contracts that are in line with the data protection and GDPR strategy
• Design processes that perform continuous audits on third parties to verify their compliance with data protection and GDPR requirements
Your journey with data protection software from SAP: Get compliant, Stay compliant, Show compliance
Solution areas: Governance, risk, and compliance; Database and data management; Customer data cloud; SAP Digital Business Services
• Regular data protection impact assessments
• Data protection controls monitoring
• Tracking of access and security measures
• Remediation (issues, breaches)
• Data discovery
• Retention rules
• Blocking and deletion
• Policy distribution and acceptance
• Record of processing activities
• Access policies and security procedures
• Transparency when using customer data
• Orchestration and enforcement of consent
• Increased trust and loyalty
• Flow and lineage
• Data accuracy
• Process compliance
• Customer access to and control of their data
• Governance and control reporting
• Breach disclosure
• Security testing and certification
• Integrated audits
Part 4: Appendix: SAP Solutions and Services
Data protection and privacy framework: What SAP offers
Compliance by design, trust by default
Whether you are just starting to think about data privacy or are well on your way to compliance with data protection and privacy regulations, the depth of experience SAP has and the SAP portfolio of solutions and services can help you on your journey.
Optimize governance
• SAP HANA Data Management Suite supports data cataloging, process mapping and flow analysis, anonymization, and lifecycle management.
• SAP governance, risk, and compliance solutions support compliance assessments, identity management, authorization and access controls, privacy policies and controls, security monitoring and reporting, and risk and audit management.
• The SAP Digital Business Services organization can work with your team to help you make the necessary changes so you can address data protection and privacy issues effectively, and offers the EU Access service from SAP.
Modernize systems
• The latest SAP solutions and products are built with data protection and privacy by design and by default.
• The SAP Technical Integration Check service from SAP Digital Business Services provides an analysis of possible technical and functional configurations in SAP solutions.
• The SAP Cloud Trust Center site has dedicated pages on data protection and privacy.
Make continuous assessments
• The SAP Process Control application helps you manage and monitor high-impact processes, regulations, and risks. Gain continuous insight into the status of controls. Improve compliance and business process performance at optimal cost.
• An initial standard workshop or discovery workshops from SAP Digital Business Services can give you an overview of the GDPR requirements for the EU and the SAP products and services that can help you to achieve compliance.
Build trusted relationships
• The SAP Customer Identity and SAP Customer Consent solutions are scalable and secure customer identity and consent management solutions that let customers manage their preferences and opt-ins.
• SAP Security brochure - Security in the Digital Economy with SAP
• News release: SAP Receives Global Certification of Data Protection and Privacy from BSI
GDPR Capabilities – SAP Product Fact Sheets
Functionality and Technical Features – Privacy
All SAP products and cloud solutions processing personal data provide data protection and privacy features. See SAP Note 2590321 for technical prerequisites/minimum release levels (on premise).
Each fact sheet is organized by product: release (version and date), description of the product, business processes supported by the product, categories of personal data, deployment mode, processor SAP, de-personalization, encryption.
Security goals covered: physical access control, authentication, authorization, disclosure control, change control, transmission control, job control, availability control, data separation.
GDPR aspects covered: information/transparency, access to data, rectification of data, erasure of data, restriction of processing, data portability, data breach notification, privacy by design, privacy by default, consent, automated decisions, cross-border data transfer.
GDPR Capabilities – SAP Product Fact Sheets
Functionality and Technical Features – Privacy
Example fact sheet (HR): https://www.successfactors.com/content/dam/successfactors/en_us/resources/white-papers/fact-sheet-gdpr-hr.pdf
Evaluate Your Current Security Profile
SAP offers a wide range of security tools via SAP Solution Manager and services* to ensure the
smooth operation of your SAP solution by taking action proactively, before security issues occur.
More information:
– SAP Support Portal - EarlyWatch Alert
– SAP Security Optimization Services: includes white papers, example reports, and how-to videos
– Keep up to date on published white papers and Patch Tuesdays: sign up for the monthly Security Newsletter here
* Services vary depending on the type of maintenance contract and/or SAP MaxAttention days
39
SAP Security Services
SAP Security Engagement service package – service component description
Security Optimization Service
SHORT DESCRIPTION
 This service is designed to verify and improve the security of the SAP systems of customers by identifying potential security issues and giving recommendations on how to improve the security of the system.
SAP Security Engagement service package – service component description
GDPR Discovery Workshop
SHORT DESCRIPTION
 The EU General Data Protection Regulation (EU-GDPR) places increased requirements on the collection, use and processing of personal data. The GDPR Discovery Workshop provides insight into the technical requirements related to the EU-GDPR and into the current customer situation. It results in a roadmap to improve and maintain the necessary technical prerequisites.
40
Where to Find More Information
Information on security from SAP Media Library
41
SAP Security, Data Protection, and Privacy
Data Privacy and Protection at SAP
SAP Cloud Trust Center
Relevant information can be found on the SAP Cloud Trust Center:
 Compliance (ISO / BS certs, SOC reports)
 Secure Software Development Life Cycle
 SAP's security response
 SAP Business Continuity Plan – SAP Cloud Platform: ISO/IEC 22301:2012
 SOC report on Cloud Platform
 SAP Global Data Protection and Privacy Policy
 View the Data Processing Agreement for cloud services from SAP
42
Data Privacy and Protection at SAP
EU General Data Protection Regulation (GDPR)
 SAP GDPR
 Part 1: How SAP is getting ready for GDPR
 Part 2: Changes SAP is making to its products and services for GDPR
 SAP Insider Article: How SAP Business Suite helps you comply with
the latest data protection regulations
 SAP Hybris:
– What is GDPR & How can SAP Hybris Cloud for Customer help you comply with GDPR
– SAP Hybris Commerce Cloud GDPR
 SuccessFactors: GDPR product capabilities fact sheet
 Ariba GDPR
43
Solutions for GRC and Security from SAP
 SAP Single Sign-On - Product page
 SAP Access Control - Product page
 SAP Process Control - Product page
 SAP Risk Management - Product page
 SAP Audit Management - Product page
 SAP Identity Management - Product page
 SAP Cloud Identity Access Governance - Product page
 SAP Cloud Platform Identity Provisioning - Product page
 SAP Cloud Platform Identity Authentication - Product page
44
Solutions for GRC and Security from SAP (cont.)
 SAP UI logging and field masking - Product page
 SAP Enterprise Threat Detection - Product page
 SAP Access Violation Management by Greenlight - Product page
 SAP Regulation Management by Greenlight - Product page
 SAP Dynamic Authorization Management by NextLabs - Product page
 SAP Enterprise Digital Rights Management by NextLabs - Product page
 SAP NetWeaver® Application Server, add-on for code vulnerability analysis - Product page
 SAP Fortify by Micro Focus - Product page
Contact information:
Stephanie Gruber
NA Office of the CIO, SAP
720.496.5957
Eric Vanderburg
Vice President of Cybersecurity, TCDI
216-664-1100
Thank you.

TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 

Kürzlich hochgeladen (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

GDPR, Data Privacy and Cybersecurity - MIT Symposium

• 1. 2018 MIT CDOIQ Symposium, July 20, 2018. Stephanie Gruber, SAP; Eric Vanderburg, TCDI. GDPR, Data Privacy and Cybersecurity: It is all about data protection.
• 2. Agenda: Market Conditions and Privacy Regulations; SAP Security, Privacy and Compliance Strategy; Data Protection and Privacy Framework; Appendix: SAP Solutions and Services. (Slide footer, repeated on every slide: TCDI content © Technology Concepts and Design Inc. © 2018 SAP SE or an SAP affiliate company. All rights reserved.)
• 3. Agenda, repeated as section divider: Market Conditions and Privacy Regulations.
• 4. Digital Business Transformation. Digitization is changing the world by driving two main things: business agility and a fully connected value chain. This enables businesses to be driven by technology: technology creates the network and the analytics to develop products, services, and new business models. Automating all business processes and digitally connecting the entire value chain creates huge agility. Digital technologies are here to stay: Mobile, Social, In-Memory Computing, Machine Learning, Cloud, Internet of Things, Big Data, Hyper Connectivity, Cybersecurity.
• 5. Security Risks
  - Value of data: value to the attacker, both in terms of the value companies are able to extract and the value a potential hacker could exploit.
  - Volume of data: companies are collecting and storing more data than ever before.
  - Vulnerability of endpoints: data no longer remains locked inside a datacenter; it has proliferated outside the four walls of a company's business.
  - Security risk: the sheer number and sophistication of attacks are at an all-time high.
• 6. Impact of Cybersecurity Incidents: loss of valuable information and intellectual property; outages and disruption to business; direct financial loss; regulatory audits and fines; unfavorable media exposure; civil lawsuits; damage to reputation; criminal charges.
• 7. You Know the Challenges – Breaches Classified as Sensitive. [Chart comparing breaches in 2004/2005 with 2016/2017; graphic not reproduced.] Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• 8. Threat statistics (source: Internet Security Threat Report Volume 22, Symantec)
  - Phishing rate: 1 in 2,596 emails is a phishing email; 1 in 14 employees clicked on a malicious link or attachment, and 25% of those employees did so more than once.
  - Email malware rate: 1 in 131 emails contains malware, the highest rate in five years.
  - New malware variants: 357 million new malware variants were detected this past year.
• 9. Key facts reminder - General Data Protection Regulation (GDPR). The General Data Protection Regulation (EU Regulation 2016/679), effective May 25, 2018, gives individuals control over and protection of their personal data. Data controllers, who determine the purpose and means of processing personal data, and processors, who process on behalf of controllers, are affected.
  - Who must comply? Organizations that offer goods or services to, or monitor the behavior of, EU data subjects, and those that process or hold the personal data of EU residents.
  - Applies to: natural persons, whatever their nationality or place of residence in the EU, in relation to the processing of their personal data.
  - Penalties: up to 4% of annual global revenue or €20 million, whichever is greater.
• 10. Imagine what could have been with GDPR in effect... (based on publicly available data, companies anonymized; potential fines calculated as the maximum fine against annual revenues)
  - The UK subsidiary of a major healthcare group, data breach April 2015: fine before GDPR £200K; potential fine had it occurred after GDPR £1.6B.
  - A US global financial services group, data breach May 2017: fine before GDPR $27M+; potential fine after GDPR $125M+.
  - A major internet service provider, security failure Oct 2015: fine before GDPR £400K; potential fine after GDPR £59M.
• 11. GDPR drastically changes detection and response expectations. [Full-year calendar graphic, January to December, not reproduced.] On average it takes 214 days to detect a data breach (2017 Cost of Data Breach Study, Ponemon Institute). GDPR requires reporting of the scope and impact of a breach to the supervisory authority within 72 hours of becoming aware of it.
• 12. What's changing under GDPR? Under GDPR, data subjects can expect increased protection of, and direct control over, their personal data. More specifically, they have the right to access, correct, object to or limit the processing of, erase, and request an export of their personal data from companies. On the other side, companies (referred to as "controllers and processors") have increased responsibilities in the following key areas of data protection and privacy:
  - Process and personnel: demonstrate compliance and accountability; train all employees; bring in a data protection officer or function.
  - Policies: issue clear notice and obtain consent for data collection and processing; disclose the purpose of personal data usage; manage data usage, retention, and deletion policies; enable 72-hour data breach notification.
  - Systems: protect personal data with enhanced security; maintain records of consent by data subjects; manage personal data access and processing restrictions with change tracking.
• 13. Data protection regulations vary globally and continue to evolve. Global data protection regulations and their impact on cloud vendors and customers:
  - USA: USA PATRIOT Act, Stored Communications Act, EU-US Privacy Shield
  - EU: EU Data Protection Directive, replaced in 2018 by the EU General Data Protection Regulation (GDPR); privacy laws in 28 countries
  - Germany: Federal Data Protection Act (FDPA / BDSG)
  - Japan: Act on the Protection of Personal Information (APPI, as amended)
  - Australia: Privacy Act 1988, Australian state and territory legislation
  - Singapore: Personal Data Protection Act (PDPA)
  - Canada: Personal Information Protection Act (PIPA), Personal Information Protection and Electronic Documents Act (PIPEDA), Freedom of Information and Protection of Privacy Act (FIPPA)
  - Russia: Federal Law No. 152-FZ on Personal Data
• 14. Challenges
  - Complexity of processes and number of stakeholders involved. Under GDPR, not all data requires the same level of governance, with use cases defining the differentiation. This approach enables greater flexibility and agility in accessing data. It also increases the possibilities for as-yet-unknown uses of data, all while maintaining compliance with GDPR requirements. (Source: Gartner blog, How GDPR Is an Opportunity to Create Business Value, Jan. 2018)
  - High costs of addressing and maintaining compliance. Gartner predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with the regulation. (Source: Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation, May 2017)
  - Business impact of losing customer trust and loyalty for noncompliance. Handled effectively, there is great potential to obtain consent to increase data access, use, and sharing rights, in line with the goals of a wider organizational data and analytics strategy. This can lead to competitive advantage, while helping to achieve compliance in other countries and regions. (Source: Gartner blog, How GDPR Is an Opportunity to Create Business Value, Jan. 2018)
  - Increased workload and resources needed to meet and maintain compliance. "Of those noncompliant firms, 50% will intentionally not comply – meaning they have weighed the cost and risk and are taking a path that presents the best position for their firms." (Source: Forrester Predicts 80% of Companies Will Fail to Comply with GDPR in 2019, Nov. 2017)
• 15. Cybersecurity vs. Data Privacy Programs
  - Cybersecurity: risk is loss, deletion, or abuse of information; the objective is protection of information against unauthorized access through computing environments; responsible: Information Security Officer.
  - Data privacy: risk is infringement of personal rights; the objective is protection of individuals with regard to the processing of personal data; responsible: Data Privacy Officer.
  - Overlap between the two programs: Technical and Organizational Measures (TOMs).
• 16. Technical and organizational measures (TOMs) at a glance
  - TOM categories: Access Control, System Access Control, Data Access Control, Data Transmission Control, Data Input Control, Job Control, Availability Control, Data Separation Control, Data Integrity Control.
  - Sample measures: video and sensor surveillance, access logging, intruder alarm systems; password policy, strong authentication, access management tool; authorization concepts, SAP security policies and standards, security checks and penetration tests; security incident management, 24x7 Security Monitoring Center, SIEM; SAP security policy (confidentiality), network security, encryption; segregation of duties, subcontractor compliance/certification; business continuity management, disaster recovery plans and testing; multi-tenancy, separate system landscapes, access restrictions; security patch management, malware management process.
• 17. Agenda, repeated as section divider: SAP Security, Privacy and Compliance Strategy.
• 18. SAP Data Protection, Privacy and Compliance Strategy
  - Privacy Built-In: deliver privacy-compliant applications.
  - Privacy in the Cloud: comply with privacy regulations in the cloud.
  - Solutions: effective and scalable solutions to manage requirements.
• 19. SAP Security Vision. As the world's leading provider of business-critical applications, SAP will continue to drive security into the heart of the application for ultimate protection of content and transactions. We see a world where our customers and employees are able to use our software and services from anywhere, from any device, at any time, with confidence and trust.
• 20. Cornerstones of Security at SAP
  - Defendable Application (Zero Knowledge, Zero Vulnerability, Security by Default): security incorporated into applications, delivering ultimate protection for content and transactions.
  - Intelligent Infrastructure Protection (Perceptive Data Shield, Secure Augmented Network Security, Shielded Ecosystem): end-to-end secure cloud operations, defense of customer data and business operations.
  - Secure SAP (Security Culture, Secure Environments, Business Continuity): security-aware staff, end-to-end physical security of SAP's assets, and a comprehensive business continuity framework.
  - Transparency.
• 21. Management system of standards and best practices*
  - Code of practice: ISO 27002
  - Foundation certification: ISO 27001**, ISO 22301**, ISO 9001**, BS 10012
  - Operations and compliance: SOC 2, SOC 3 (AT 101 / ISAE 3000)
  - Financial controls: SOC 1 (SSAE 18 / ISAE 3402)
  - Data protection: BS 10012, ISO 27018
  - Data privacy: BDSG, EU Directive 95/46/EC
  - Transparency
  - Security best practice (extract): service delivery ISO 20000; business continuity ISO 22300; application security ISO 27034, OWASP; hardening guidelines SANS, ISO, CERT, NIST; quality management ISO 9000, ISO 25010; destruction of media ISO 27040; incident management ISO 27035
  * The management systems are used across all SAP Cloud Secure services; execution of independent certification and audit depends on the service and the organizational unit respectively. Details available at: http://go.sap.com/corporate/de/company/innovation-quality/excellence.html
  ** Component of the Integrated Information Security Management System (IISMS) of SAP
• 22. Security Recommendations: 10 focus areas for customers (detail: www.sap.com/security). As SAP continues to secure its internal operations, we have captured our best-practice approach to share with our customers.
  - Emergency concept: define emergency, backup, and disaster recovery concepts to ensure business continuity; consider preparing complete fallback systems for business-critical processes and applications.
  - Users and authorizations: security awareness; user authorizations clearly defined and managed.
  - Custom code security: establish custom code lifecycle management processes; use security source code scan tools to identify vulnerabilities in your custom code.
  - Secure configuration: password security; authentication; encryption of data and of communication.
  - Secure maintenance of SAP code: regularly update all SAP software; review the monthly CVE disclosures to assess risks to your SAP landscape.
  - OS and database security: implement dedicated security requirements for all operating systems; implement restrictive database access mechanisms.
  - Network security: define a network concept with clearly structured zones; separate high-security areas; determine concepts for dedicated servers and administrative roles.
  - Front-end security: deploy security configuration for both clients and mobile endpoints; distribute and activate administrator rules; activate access control lists (ACLs).
  - Security audit log: monitor all systems; activate the security audit log (SAL); activate filters for critical users.
  - Communication security: use encrypted communication (Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Secure Network Communications (SNC)); secure all Remote Function Call (RFC) connections.
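The security audit log item on this slide asks customers to activate the log and to activate filters for critical users. The following is an added example, not part of the deck and not SAP tooling, showing what such a filter looks like as detection logic: it parses constructed audit events in a deliberately simplified pipe-separated format (not the real Security Audit Log record layout), reports every event by a configurable set of critical users, flags changes to the audit configuration itself, and raises one burst alert when a single account accumulates five failed logons inside a ten-minute window. SAP* and DDIC are SAP default user names; the FIREFIGHTER1 ID, the threshold, the window and all sample events are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed critical-user list. SAP* and DDIC are SAP default users; the
# firefighter ID, threshold and window are assumptions for this example.
CRITICAL_USERS = {"SAP*", "DDIC", "FIREFIGHTER1"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

# Constructed sample events in a simplified, made-up format:
# timestamp|system|client|user|event|terminal
SAMPLE_LOG = """\
2018-07-20T08:00:01|PRD|100|JSMITH|LOGON_OK|ws-0412
2018-07-20T08:01:10|PRD|100|SAP*|LOGON_OK|ws-0990
2018-07-20T08:02:15|PRD|100|JDOE|LOGON_FAILED|ws-0413
2018-07-20T08:02:20|PRD|100|JDOE|LOGON_FAILED|ws-0413
2018-07-20T08:02:25|PRD|100|JDOE|LOGON_FAILED|ws-0413
2018-07-20T08:02:30|PRD|100|JDOE|LOGON_FAILED|ws-0413
2018-07-20T08:02:35|PRD|100|JDOE|LOGON_FAILED|ws-0413
2018-07-20T08:03:00|PRD|100|DDIC|AUDIT_CONFIG_CHANGED|ws-0990
2018-07-20T08:30:00|PRD|100|JSMITH|LOGON_FAILED|ws-0412
"""


def parse_events(text):
    """Turn the constructed pipe-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, client, user, event, terminal = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "client": client, "user": user, "event": event,
                       "terminal": terminal})
    return events


def detect(events):
    """Apply three rules; return a list of (rule, user, detail, timestamp)."""
    alerts = []
    failures = defaultdict(deque)   # (system, client, user) -> recent failure times
    burst_reported = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        when = e["ts"].isoformat()
        # Rule 1: the "filter for critical users": every event by such a user is reported.
        if e["user"] in CRITICAL_USERS:
            alerts.append(("CRITICAL_USER_ACTIVITY", e["user"], e["event"], when))
        # Rule 2: changes to the audit configuration itself, by anyone.
        if e["event"] == "AUDIT_CONFIG_CHANGED":
            alerts.append(("AUDIT_CONFIG_CHANGED", e["user"], e["terminal"], when))
        # Rule 3: sliding-window count of failed logons per account; alert once.
        if e["event"] == "LOGON_FAILED":
            key = (e["system"], e["client"], e["user"])
            window = failures[key]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(("FAILED_LOGON_BURST", e["user"], len(window), when))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the detector raises four alerts: the SAP* logon, the JDOE burst at the fifth failure, and the DDIC configuration change, which hits both the critical-user rule and the audit-configuration rule. JSMITH's single failure stays below the threshold. In a real landscape the critical-user set comes from the authorization concept, and the rules would be fed from the SAL export or a SIEM rather than from an inline string.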
• 23. Security is a fully integrated part of SAP's software development life cycle and of SAP's cloud service delivery.
  - Secure software development life cycle: risk-based approach to security, according to ISO 27034; threat modelling; security planning.
  - Secure cloud service delivery: secure design of cloud services; secure operations of cloud services; hacker simulation for the productive cloud environment.
  [Diagram: Secure Software Development Life Cycle from Start of Software Development (SSD) to Release Decision (RD), followed by Secure Cloud Service Delivery; not reproduced.]
• 24. Security recommendations addressed in the cloud: the same 10 focus areas, split into SAP and customer responsibilities (detail: www.sap.com/security). As SAP continues to secure its internal operations, we have captured our best-practice approach to share with our customers.
  - Emergency concept: SAP takes care of business continuity and infrastructure redundancy. The customer has the choice of data center and of different levels of disaster recovery, depending on the subscription model and the cloud solution.
  - Users and authorizations: SAP has roles defined in the organization and in the cloud solutions; these are managed internally by Cloud Access Manager. The customer can use the existing roles defined within the cloud solution and is responsible for managing provisioning.
  - Custom code security: SAP delivers code through its secure software development lifecycle (S2DL) and follows ISO. The customer remains responsible for any custom code on top of the solution.
  - Secure configuration: SAP manages the system password policy and offers different authentication methods; SAP requires that all data in transit and at rest is encrypted. The customer has control over the password policy on the tenant/instance it owns.
  - Secure maintenance of SAP code: SAP manages patches for all cloud solutions. The customer has no control over patching.
  - OS and database security: SAP maintains the OS and the database where the solution is hosted. The customer has no control over the OS or the database.
  - Network security: SAP maintains the network security within the firewall/DMZ where the application is hosted. The customer manages their own network.
  - Front-end security: SAP-delivered UI5 is checked for security before release. The customer still manages custom UI5 and devices.
  - Security audit log: SAP monitors system logs. The customer is responsible for monitoring application (tenant/instance) logs.
  - Communication security: SAP requires that all data in transit and at rest is encrypted. The customer has no control over the encrypted communication option, except for custom-developed applications.
• 25. Agenda, repeated as section divider: Data Protection and Privacy Framework.
• 26. Data protection and privacy framework: why it matters. Great customer experiences are based on trusted relationships. Data protection and privacy are top of mind for consumers as consumer data breaches make front-page headlines and hurt bottom lines worldwide. Regulations like the General Data Protection Regulation (GDPR) are putting customers back in control of their data, which may have a significant impact on the foundations of your business.
  - Optimize governance: optimize your data management and governance; protect the business, establish a governance framework, and mitigate compliance risk.
  - Modernize systems: establish a foundation for data protection and privacy; ensure your systems incorporate data protection and privacy measures by design and by default.
  - Perform continuous assessment: understand your data privacy landscape; uncover any risk exposure in your current data protection and privacy systems, processes, and governance.
  - Build trusted relationships: increase trust with your customers; leverage privacy as a competitive advantage.
• 27. Data protection and privacy framework: what you do. Every business is unique, and so is your journey to provide data protection and privacy. SAP has focused on data protection and privacy for over 20 years, working with companies of all sizes and in all industries.
  - Optimize governance: assess, plan, and respond to data privacy requirements; define and adopt a consistent policy strategy; demonstrate compliance and accountability.
  - Modernize systems: update systems to address regulatory requirements; discover, categorize, and map personal data; enable rectification, retention, blocking, and deletion of personal data; put in place technical and organizational measures to ensure compliance.
  - Perform continuous assessment: conduct data protection impact assessments; record personal data processing activities; evaluate risks for personal data and processes; implement and test data protection and privacy controls.
  - Build trusted relationships: empower user control, preference, and consent; centralize and govern consent and preferences; power digital experiences across multiple touch points.
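Slide 12 lists the system capabilities GDPR calls for (records of consent, access and processing restrictions with change tracking) and slide 27 adds rectification, retention, blocking and deletion of personal data. The following is an added example, not SAP's code and not the data model of any SAP product, that shows one way to put those capabilities together in a small register: consent is recorded per subject and purpose, every processing decision is gated on consent and on a restriction flag (the "blocking" case), an erasure request is honoured unless a retention hold exists, in which case the record is blocked rather than deleted, and every change is appended to a hash-chained log so the trail can later be verified for tampering. The subject IDs, purposes and retention reason used here are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


class ConsentRegister:
    """Consent, restriction, retention and erasure state for data subjects,
    with a tamper-evident change log. Constructed for this example."""

    GENESIS = "0" * 64   # link value of the first log record

    def __init__(self):
        self.consent = {}          # (subject_id, purpose) -> True/False
        self.restricted = set()    # subjects whose processing is blocked
        self.retention_hold = {}   # subject_id -> reason the data must be kept
        self.erased = set()
        self.log = []              # hash-chained change records

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record(self, action, subject_id, **details):
        """Append a change record chained to the previous record's hash."""
        entry = {"seq": len(self.log), "action": action, "subject": subject_id,
                 "details": details,
                 "prev": self.log[-1]["hash"] if self.log else self.GENESIS,
                 "ts": datetime.now(timezone.utc).isoformat()}
        entry["hash"] = self._digest(entry)
        self.log.append(entry)

    # --- consent and restriction -------------------------------------------
    def set_consent(self, subject_id, purpose, granted):
        self.consent[(subject_id, purpose)] = bool(granted)
        self._record("CONSENT", subject_id, purpose=purpose, granted=bool(granted))

    def restrict(self, subject_id, reason="subject request"):
        self.restricted.add(subject_id)
        self._record("RESTRICT", subject_id, reason=reason)

    def lift_restriction(self, subject_id):
        self.restricted.discard(subject_id)
        self._record("UNRESTRICT", subject_id)

    def may_process(self, subject_id, purpose):
        """The gate every processing step calls: erased or blocked subjects
        are never processed, and consent must exist for the given purpose."""
        if subject_id in self.erased or subject_id in self.restricted:
            return False
        return self.consent.get((subject_id, purpose), False)

    # --- retention and erasure ---------------------------------------------
    def set_retention_hold(self, subject_id, reason):
        self.retention_hold[subject_id] = reason
        self._record("RETENTION_HOLD", subject_id, reason=reason)

    def clear_retention_hold(self, subject_id):
        self.retention_hold.pop(subject_id, None)
        self._record("RETENTION_CLEARED", subject_id)

    def erase(self, subject_id):
        """Honour an erasure request. Under a retention hold the data is
        blocked instead of deleted; returns True only when actually erased."""
        if subject_id in self.retention_hold:
            self.restricted.add(subject_id)
            self._record("BLOCKED_PENDING_RETENTION", subject_id,
                         reason=self.retention_hold[subject_id])
            return False
        for key in [k for k in self.consent if k[0] == subject_id]:
            del self.consent[key]
        self.restricted.discard(subject_id)
        self.erased.add(subject_id)
        self._record("ERASED", subject_id)
        return True

    # --- change tracking ---------------------------------------------------
    def verify_log(self):
        """Recompute every hash and link; False if any record was altered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.log):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The point of routing all processing through may_process is that a restriction or an erasure takes effect everywhere at once instead of depending on each application remembering to check. The hash chain only makes tampering detectable; it does not prevent it, so in production the log would be written to append-only storage the application cannot modify, and the chain head would be anchored somewhere the application does not control.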
• 28. Data protection and privacy is good for business: better governance, data, and consent management can improve business outcomes.
  - Help protect profitability and grow revenue: mitigate reputational risk and brand exposure by integrating compliance at the transactional level with real-time compliance checks; control cost by automating compliance and minimizing maintenance; integrate your GDPR program into your digital business transformation to promote compliance from the beginning.
  - Stay agile throughout compliance: build a strong framework and sound data protection processes for GDPR and other privacy regulations; scale data protection programs as data evolves and expands due to changed regulations; focus on your business agility (acquisitions, new business models) while maintaining compliance.
  - Build trust: keep your customers for life by creating positive digital experiences with transparency of use and control of their data; establish accountability with clearly communicated policies and procedures; document your commitment to data privacy responsibilities.
• 29. Who is involved: Identify your stakeholders precisely
CEO and board of directors
Legal and governance
- Data protection officer
- Chief compliance officer
- Chief risk officer
- Head of legal
- Chief audit executive
IT operations
- Chief information officer
- Chief information security officer
Line of business
- Human resources
- Order-to-cash (OTC) function
- Procure-to-pay (P2P) function
- Business process owners
- Chief digital marketing officer
• 30. GDPR roles and responsibilities to support GDPR compliance efforts
Data protection officer
- Define the company-wide privacy and GDPR strategy
- Lead and harmonize privacy and GDPR initiatives across other roles within the business
- Establish oversight and reporting mechanisms for managing risks and controls
Chief security officer
- Choose and deploy security controls and policies to execute the privacy and GDPR strategy
- Set up processes and support teams in data discovery, data classification, and company-wide risk assessment exercises
- Leverage technology to enable continuous monitoring and reporting
Chief audit executive, compliance and risk officer
- Evaluate risk exposures relating to data privacy governance, operations, and information systems
- Evaluate the adequacy and effectiveness of internal controls and the ability to demonstrate accountability
Chief information officer
- Help security and privacy teams discover and classify data
- Enforce the privacy policies that the data protection and security teams have set
- Enable the organization to comply with data subject requests, such as data portability and the right to be forgotten
Business owners (HR, marketing, sales, OTC, P2P)
- Perform a top-down review of relevant personal data being processed within business processes
- Understand risks and challenges as well as new opportunities
• 31. GDPR roles and responsibilities within the business processes
Marketing and sales
- Ensure that explicit consent is given by the customer for processing their personal data
- Renew and version consent when policies or regulations change, in a secure audit-ready vault
- Enforce profile, preferences, and consent across the sales and marketing ecosystem
- Offer access to a self-service preference center so customers can exercise their privacy rights
Customer support and experience
- Design customer-facing notices and communication
- Run customer journey mapping exercises to establish privacy and GDPR touch points
- Design privacy and GDPR-relevant customer journeys
Human resources
- Identify the customer data the team handles, including data shared with third parties
- Determine which data is personal or sensitive and what specific retention requirements are relevant to that data
- Collect and make available for review all third-party contracts and employee privacy notices
Vendor management and procurement
- Collect and make available for review third-party contracts
- Design privacy requirements to be included in third-party contracts that are in line with the data protection and GDPR strategy
- Design processes that perform continuous audits on third parties to verify their compliance with data protection and GDPR requirements
• 32. Your journey with data protection software from SAP
Phases: Get compliant – Stay compliant – Show compliance
Solution areas: Customer data cloud; Database and data management; Governance, risk, and compliance; SAP Digital Business Services
- Regular data protection impact assessments
- Data protection controls monitoring
- Tracking of access and security measures
- Remediation (issues, breaches)
- Data discovery
- Retention rules
- Blocking and deletion
- Policy distribution and acceptance
- Record of processing activities
- Access policies and security procedures
- Transparency when using customer data
- Orchestration and enforcement of consent
- Increased trust and loyalty
- Flow and lineage
- Data accuracy
- Process compliance
- Customer access to and control of their data
- Governance and control reporting
- Breach disclosure
- Security testing and certification
- Integrated audits
• 33. Agenda
Market Conditions and Privacy Regulations
SAP Security, Privacy and Compliance Strategy
Data Protection and Privacy Framework
Appendix: SAP Solutions and Services
• 34. Data protection and privacy framework: What SAP offers
Compliance by design, trust by default. Whether you are just starting to think about data privacy or are well on your way to compliance with data protection and privacy regulations, the depth of experience SAP has and the SAP portfolio of solutions and services can help you on your journey.
Optimize governance
- SAP HANA Data Management Suite supports data cataloging, process mapping and flow analysis, anonymization, and lifecycle management.
- SAP governance, risk, and compliance solutions support compliance assessments, identity management, authorization and access controls, privacy policies and controls, security monitoring and reporting, and risk and audit management.
- The SAP Digital Business Services organization can work with your team to help you make the necessary changes so you can address data protection and privacy issues effectively, and offers the EU Access service from SAP.
Modernize systems
- The latest SAP solutions and products are built with data protection and privacy by design and by default.
- The SAP Technical Integration Check service from SAP Digital Business Services provides an analysis of possible technical and functional configurations in SAP solutions.
- The SAP Cloud Trust Center site has dedicated pages on data protection and privacy.
Make continuous assessments
- The SAP Process Control application helps you manage and monitor high-impact processes, regulations, and risks. Gain continuous insight into the status of controls. Improve compliance and business process performance at optimal cost.
- An initial standard workshop or discovery workshops from SAP Digital Business Services can give you an overview of the GDPR requirements for the EU and the SAP products and services that can help you to achieve compliance.
Build trusted relationships
- The SAP Customer Identity and SAP Customer Consent solutions are scalable and secure customer identity and consent management solutions that let customers manage their preferences and opt-ins.
• 35. SAP Security brochure: Security in the Digital Economy with SAP
News release: SAP Receives Global Certification of Data Protection and Privacy from BSI
• 36. GDPR Capabilities – SAP Product Fact Sheets: Functionality and Technical Features – Privacy
All SAP products and cloud solutions processing personal data provide data protection and privacy features. See SAP Note 2590321 for technical prerequisites/minimum release levels (on premise).
Security goal
- Physical access control
- Authentication
- Authorization
- Disclosure control
- Change control
- Transmission control
- Job control
- Availability control
- Data separation
GDPR aspect
- Information/transparency
- Access to data
- Rectification of data
- Erasure of data
- Restriction of processing
- Data portability
- Data breach notification
- Privacy by design
- Privacy by default
- Consent
- Automated decisions
- Cross-border data transfer
By product
- Release (version and date)
- Description of the product
- Business processes supported by the product
- Categories of personal data
- Deployment mode
- Processor (SAP)
- De-personalization
- Encryption
• 37. GDPR Capabilities – SAP Product Fact Sheets: Functionality and Technical Features – Privacy
https://www.successfactors.com/content/dam/successfactors/en_us/resources/white-papers/fact-sheet-gdpr-hr.pdf
• 38. Evaluate Your Current Security Profile
SAP offers a wide range of security tools via SAP Solution Manager and services* to ensure the smooth operation of your SAP solution by taking action proactively, before security issues occur.
More information:
– SAP Support Portal: EarlyWatch Alert
– SAP Security Optimization Services: includes white papers, example reports, and how-to videos
– Keep up to date on published white papers and Patch Tuesdays: sign up for the monthly Security Newsletter
* Services vary depending on the type of maintenance contract and/or SAP MaxAttention days
• 39. SAP Security Services
SAP Security Engagement service package – service component description: Security Optimization Service
Short description
- This service is designed to verify and improve the security of customers' SAP systems by identifying potential security issues and giving recommendations on how to improve the security of the system.
SAP Security Engagement service package – service component description: GDPR Discovery Workshop
Short description
- The EU General Data Protection Regulation (EU-GDPR) places increased requirements on the collection, use and processing of personal data. The GDPR Discovery Workshop provides insight into the technical requirements related to the EU-GDPR and into the current customer situation. It results in a roadmap to improve and maintain the necessary technical prerequisites.
• 40. Where to Find More Information
Information on security from SAP: Media Library
• 41. SAP Security, Data Protection, and Privacy
Data Privacy and Protection at SAP: SAP Cloud Trust Center
Relevant information can be found on the SAP Cloud Trust Center:
- Compliance (ISO / BS certifications, SOC reports)
- Secure Software Development Life Cycle
- SAP's security response
- SAP Business Continuity Plan – SAP Cloud Platform: ISO/IEC 22301:2012
- SOC report on Cloud Platform
- SAP Global Data Protection and Privacy Policy
- View the Data Processing Agreement for cloud services from SAP
• 42. Data Privacy and Protection at SAP: EU General Data Protection Regulation (GDPR)
- SAP GDPR
  – Part 1: How SAP is getting ready for GDPR
  – Part 2: Changes SAP is making to its products and services for GDPR
- SAP Insider article: How SAP Business Suite helps you comply with the latest data protection regulations
- SAP Hybris:
  – What is GDPR & How can SAP Hybris Cloud for Customer help you comply with GDPR
  – SAP Hybris Commerce Cloud GDPR
- SuccessFactors: GDPR product capabilities fact sheet
- Ariba GDPR
• 43. Solutions for GRC and Security from SAP
- SAP Single Sign-On – Product page
- SAP Access Control – Product page
- SAP Process Control – Product page
- SAP Risk Management – Product page
- SAP Audit Management – Product page
- SAP Identity Management – Product page
- SAP Cloud Identity Access Governance – Product page
- SAP Cloud Platform Identity Provisioning – Product page
- SAP Cloud Platform Identity Authentication – Product page
• 44. Solutions for GRC and Security from SAP (cont.)
- SAP UI logging and field masking – Product page
- SAP Enterprise Threat Detection – Product page
- SAP Access Violation Management by Greenlight – Product page
- SAP Regulation Management by Greenlight – Product page
- SAP Dynamic Authorization Management by NextLabs – Product page
- SAP Enterprise Digital Rights Management by NextLabs – Product page
- SAP NetWeaver® Application Server, add-on for code vulnerability analysis – Product page
- SAP Fortify by Micro Focus – Product page
• 45. Thank you.
Contact information:
Stephanie Gruber, NA Office of the CIO, SAP, 720.496.5957
Eric Vanderburg, Vice President of Cybersecurity, TCDI, 216-664-1100