SlideShare ist ein Scribd-Unternehmen logo

eGRC for Information Export Control

NextLabs, Inc.
NextLabs, Inc.

This document discusses an enterprise governance, risk, and compliance solution for controlling the flow of export-controlled technical documents and data. It describes how current approaches like perimeter security, operating system controls, and document management systems are insufficient on their own. The proposed solution integrates IBM Tivoli Identity Manager, NextLabs Data Protection, and SAP GRC Global Trade Services to identify, control, and audit technical data access and movement across organizations in order to ensure and demonstrate compliance with regulations like ITAR and EAR. This comprehensive solution aims to help aerospace, defense, and industrial companies minimize risks from inappropriate data disclosure and streamline compliance.

Technologie
1 von 5
Downloaden Sie, um offline zu lesen
Enterprise Governance, Risk, and Compliance Solution for Information Export Control Aerospace and Defense, High Tech, and Industrial Companies Can Identify, Control, and Audit The Flow Of Technical Documents to Ensure and Demonstrate ITAR and EAR Compliance WHITE PAPER EXECUTIVE SUMMARY Export controls, such as the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and similar regulations, govern the transfer of items including defense articles, services, and technical data from U.S. commercial companies to foreign persons outside or within the U.S. Effective compliance requires safeguards across several domains, including physical and network security, project management, and trade management, and includes effective controls on the flow of sensitive technologies, defense articles and related technical data. The eGRC Solution for Information Export Control allows organizations to automate how technical data is identified, controlled, and audited to ensure that the disclosure or export of such data meets regulatory requirements. The solution integrates with other domains and solutions for a comprehensive approach. The eGRC Solution for Information Export Control enforces policies to govern: Access to export-controlled data and systems, such as those that are ITAR or EAR regulated, by non-approved or unauthorized persons. Handling of export-controlled technical data that could expose information to risks by providing accessibility to non-approved or unauthorized persons. Accounting for the export of technical data under an export license, technical assistance agreement (TAA), or global program management authorization (PMA). Contamination of commercial products with export-controlled technology. Transmission or storage of export-controlled technical data across or within systems that are administered by non-approved or unauthorized administrators, and are used for both defense and commercial applications. Accidental export or unauthorized access of technical data by mobile employees. Businesses can now control exposure of technical data where misuse and conflicts of interest can result in costly fines, audits, and related damages. Benefits include: Minimize the risk of inappropriate disclosure – reduce costly fines and penalties by actively preventing violations, and maintain national security integrity. Economize multi-use environments – reduce IT overhead by eliminating redundant controls used for both export-controlled and commercial projects. Quickly demonstrate compliance – expedite investigations by proving that information disclosure is appropriately controlled and documented. Educate users on procedures to protect technical data – ensure that users follow best practices to accelerate project productivity without incurring violations. The eGRC Solution for Information Export Control integrates seamlessly both within and across the extended enterprise to include partners, outsourcers and contractors. The platform approach, built on NextLabs®’s Data Protection®, IBM®’s Tivoli® Identity Manager, and SAP® GRC Global Trade Services, delivers a policy-based solution that leverages existing identity management and trade management applications for rapid time-to-value. Aerospace and Defense, High Tech, and Industrial firms can now quickly enforce controls that minimize risks to technical data and support the safe completion of export-controlled projects. - 1 -
OVERVIEW Many Aerospace and Defense, High Tech and Industrial companies use SAP GRC Global Trade Services (GTS) to manage compliance with the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) for export controls. Compliance includes two focus areas: Tracking and controlling the shipment of export-controlled product orders under an export license, and Tracking and controlling the transfer of export-controlled technical data that must also be made under an appropriate license or technical assistance agreement (TAA). SAP GTS is optimized for tracking and controlling the shipment of export-controlled product orders. For such orders, companies obtain a license from the government to ship particular items to a foreign firm, government or individual. The license limits the shipment of goods under that license based on quantity, or quantity and value. When ITAR- or EAR-controlled orders are processed for shipment, SAP GTS manages compliance and approval of the shipment and decrements the appropriate license by the amount of the shipment. Today, the transfer of technical data is not managed by GTS. As such, companies require a solution to track and manage transfers of technical data against TAAs in the same way that GTS manages shipments of export- controlled product orders. However, defense articles are both quantifiable and physical, while companies operate and use data within a complex, geographically diverse, environment. Compounding the problem, partners, suppliers, contractors, and outsourcers that help support business goals also multiply the risks to data confidentiality during collaboration. Given the isolated point products available till now to protect data, the ability to maintain comprehensive control of technical data has been a daunting task. Current solutions fail to provide complete coverage or account for conditional business use of data that is inappropriate. As a result, many companies simply accept the risks and resign themselves to paying compulsory fines when data is misused as an inevitable cost for doing business with the U.S. Government. To successfully fulfill contracts and manage business relationships, technical data controls need to move beyond simply“who has access to what”to a systematic determination of appropriate usage based on user roles, acceptable use activities, locations for doing business, data sensitivity, and a range of attributes that can be evaluated against export policies. The integrated solution to control this technical data includes Tivoli Identity Manager from IBM, NextLabs Data Protection from NextLabs, and SAP GTS. With the solution, companies can now: Identify and track information resources within the enterprise and across the extended enterprise to include the supply chain Monitor technical data access, movement, and use, and define boundaries for exposure, to ensure activities are aligned with export policies, and Audit and report technical data use and export with license and TAA tracking for export control accountability. The solution operates transparently to ensure companies remain productive, while conforming to export regulation policies for technical data control. With this solution, data mobility is controlled to prevent unauthorized exposure, while all activities are centrally monitored to demonstrate export policy compliance. The solution provides a reliable means to control data in alignment with ITAR and EAR policies to reduce the risks that result in expensive fines, damage to business reputation, and costly remediation. - 2 -
Key Facts IBM has identified a third-party software from NextLabs that, in conjunction with SAP GRC Global Trade Services and IBM Tivoli Identity Manager, can significantly aid in providing a solution for export-controlled data. This is a critical business and compliance requirement for Aerospace Defense, High Tech, and Industrial companies. IBM intends to deliver this functionality using SAP’s Composite Application Framework (CAF). With this Composite Application, IBM can now offer an integrated solution that enables a client’s ability to ensure ITAR and EAR compliance. It combines people, process, and technology to provide a solution, which demonstrates policy enforcement and provides auditable reporting. Benefits to Clients: Protect sensitive export-controlled technical documents, such as defense data, from being leaked to unauthorized recipients Collaborate securely with partners across dispersed networks Control data mobility across global business environments to prevent exposure risks Demonstrate regulatory compliance with accurate reporting across the entire organization Definitions ITAR - International Traffic in Arms Regulations EAR - Export Administration Regulations Links US Department of State, Directorate of Defense Trade Controls http://pmddtc.state.gov Export Administration Regulations Database http://www.access.gpo.gov/bis/ear/ear_data.html - 3 -
PROBLEM OF EXISTING APPROACHES TO CONTROL EXPORT DATA Controlling ITAR- or EAR-related technical data disclosure and export, without gaps, requires the active enforcement of information policies for the use and export of controlled data within the enterprise and across the extended enterprise. Different systems, devices, applications, users, locations, and data types combine to create a complex business environment during export-controlled projects that today’s approaches for protecting information disclosure fail to adequately resolve. The lack of a comprehensive approach results in uncertain visibility and enforcement gaps that ultimately expose regulated companies to risks such as fines and costly remediation. Weaknesses with current approaches include the following: Perimeter Security Control Controls such as firewalls, and intrusion detection and prevention, primarily focus on external threats that enter or leave an organization’s network. However, companies must be able to maintain openly productive information flow between employees, partners, outsourcers and contractors across multiple locations, without exposing data to risks. Because of the complexity of export-controlled information use during projects, perimeter controls do not adequately account for the complexity of today’s supply chains that incorporate multiple locations and organizations. Existing solutions either leave enforcement gaps that risk disclosing classified information, or they impede the productivity of mixed commercial and export-controlled projects. Operating System / Application Controls Standard operating system and application-based access and authentication controls are the most common protective measures for export-controlled technical data. These are based on trust, similar to perimeter controls. Once an authorized user legitimately enters an export protected application such as a database, its access and authentication controls do nothing to protect subsequent movement of technical data that is copied and transmitted outside the application. Violations, unintentional or otherwise, can occur immediately once an approved or authorized user distributes, copies, or stores data in a manner that is inconsistent with the export- control regulations. Document Management Systems (DMS) DMS is used to store and track the use of documents, or images of documents. Users are often required to add descriptive“tags”to facilitate management of information in free-form files created with an office application, such as a word processor. The main use of DMS is for a small subset of enterprise documents with heavy workflow and long lifecycle requirements, such as for a legal department. However, these systems cannot protect technical data in files outside the DMS system, including those sent elsewhere outside the organization using e-mail or instant messaging. Digital Rights Management Technology that handles the description, layering, analysis, valuation, trading and monitoring of legal or access authorization rights of a digital work, DRM is used most often in context of electronic media such as music or movies. DRM may be used for export-controlled technical documents to prevent unauthorized tampering and to create an audit trail for compliance, but still has similar weaknesses to a document management system. DRM suffers from low scalability when applied to complex environments of millions of documents, using rights that are embedded within each file, and also lacks accounting when file movement requires tracking against export licenses. Enterprise Content Management ECM is a popular catch-all term for complementary systems that capture, store, retrieve, and disseminate digital files for use in an enterprise and their lifecycle management. In addition to DMS and DRM, other related acronyms are ILM (Information Lifecycle Management), WCM (Web Content Management), IRM (Information Resource Management), SRM (Storage Resource Management), RM (Records Management), BPM (Business Process Management), and collaborative software. These solutions often fail to understand the complexity of export-controlled projects and the business relationships that include user authorizations, extended enterprise collaboration, and user mobility. - 4 -
Thank You! Thank you for viewing a preview of our White Paper - eGRC for Information Export Control Request the full version of this White Paper to see: -The role of information export control in ITAR compliance -Best Practices for technical data classification, access control, secure transfer, and compliance auditing CLICK HERE to request a copy of the full version of this White Paper. - NextLabs www.nextlabs.com

Empfohlen

Empowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesEmpowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated Industries
Globo Plc
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
Bharath Rao
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
ControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
ControlCase
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
Precisely
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 

Empfohlen

Empowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated IndustriesEmpowering Secure Mobility in Regulated Industries
Empowering Secure Mobility in Regulated Industries
Globo Plc
 
Cloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA ProfessionCloud Computing - Emerging Opportunities in the CA Profession
Cloud Computing - Emerging Opportunities in the CA Profession
Bharath Rao
 
Big data - The next best thing
Big data - The next best thingBig data - The next best thing
Big data - The next best thing
Bharath Rao
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
ControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
ControlCase
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
Precisely
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 
Accelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i SystemsAccelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i Systems
Precisely
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
Craig Mullins
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 
task 1
task 1task 1
task 1
BIBEKCHAUDHARYBScHon
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
Craig Mullins
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
ControlCase
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
Jessica Santamaria
 
Task 2
Task 2Task 2
Task 2
BIBEKCHAUDHARYBScHon
 
Protecting pii and phi exec summary
Protecting pii and phi exec summaryProtecting pii and phi exec summary
Protecting pii and phi exec summary
Joe Orlando
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
lgcdcpas
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
ControlCase
 
Arc Sight Info Documents 10 21 2009
Arc Sight Info Documents 10 21 2009Arc Sight Info Documents 10 21 2009
Arc Sight Info Documents 10 21 2009
mattdriscoll
 
Task 3
Task 3Task 3
Task 3
BIBEKCHAUDHARYBScHon
 
Approche intégrée de la gestion des risques, de la sécurité de l’information,...
Approche intégrée de la gestion des risques, de la sécurité de l’information,...Approche intégrée de la gestion des risques, de la sécurité de l’information,...
Approche intégrée de la gestion des risques, de la sécurité de l’information,...
PECB
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
Raymond Cunningham
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
amburyj3c9
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
TrustArc
 
Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006
pneray
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
Kashif Rana ACCA
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
Coi Xay
 
Muni chatarpal considerations for grc
Muni chatarpal considerations for grcMuni chatarpal considerations for grc
Muni chatarpal considerations for grc
jpkush
 
Improving the Integration Process of Large Software Systems
Improving the Integration Process of Large Software SystemsImproving the Integration Process of Large Software Systems
Improving the Integration Process of Large Software Systems
Yujuan Jiang
 

Weitere ähnliche Inhalte

Was ist angesagt?

{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
Taiye Lambo
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
Craig Mullins
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
amburyj3c9
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
TrustArc
 
Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006
pneray
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
Kashif Rana ACCA
 

Was ist angesagt? (20)

Accelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i SystemsAccelerating Regulatory Compliance for IBM i Systems
Accelerating Regulatory Compliance for IBM i Systems
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
 
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
{d1a164b5-f3a5-4840-96b1-16dd83ccdda9}_Wells_Fargo_GIB_Cyber_security_100615_...
 
task 1
task 1task 1
task 1
 
The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)The impact of regulatory compliance on DBA(latest)
The impact of regulatory compliance on DBA(latest)
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
Task 2
Task 2Task 2
Task 2
 
Protecting pii and phi exec summary
Protecting pii and phi exec summaryProtecting pii and phi exec summary
Protecting pii and phi exec summary
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Arc Sight Info Documents 10 21 2009
Arc Sight Info Documents 10 21 2009Arc Sight Info Documents 10 21 2009
Arc Sight Info Documents 10 21 2009
 
Task 3
Task 3Task 3
Task 3
 
Approche intégrée de la gestion des risques, de la sécurité de l’information,...
Approche intégrée de la gestion des risques, de la sécurité de l’information,...Approche intégrée de la gestion des risques, de la sécurité de l’information,...
Approche intégrée de la gestion des risques, de la sécurité de l’information,...
 
Protecting Donor Privacy
Protecting Donor PrivacyProtecting Donor Privacy
Protecting Donor Privacy
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc SolutionsCCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
CCPA Compliance from Ground Zero: Start to Finish with TrustArc Solutions
 
Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006Guardium Triples Bookings and Installed Base in 2006
Guardium Triples Bookings and Installed Base in 2006
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
 
Data classification-policy
Data classification-policyData classification-policy
Data classification-policy
 

Andere mochten auch

Muni chatarpal considerations for grc
Muni chatarpal considerations for grcMuni chatarpal considerations for grc
Muni chatarpal considerations for grc
jpkush
 
Archer Resource On-Demand - Kelley Boutoille
Archer Resource On-Demand - Kelley BoutoilleArcher Resource On-Demand - Kelley Boutoille
Archer Resource On-Demand - Kelley Boutoille
Kelley Boutoille, ACP
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
justinklooster
 
Steps to successful technology implementation
Steps to successful technology implementationSteps to successful technology implementation
Steps to successful technology implementation
LisaWells
 

Andere mochten auch (9)

Muni chatarpal considerations for grc
Muni chatarpal considerations for grcMuni chatarpal considerations for grc
Muni chatarpal considerations for grc
 
Improving the Integration Process of Large Software Systems
Improving the Integration Process of Large Software SystemsImproving the Integration Process of Large Software Systems
Improving the Integration Process of Large Software Systems
 
Ronan Consulting Group - Systems Selection and Implementation
Ronan Consulting Group - Systems Selection and ImplementationRonan Consulting Group - Systems Selection and Implementation
Ronan Consulting Group - Systems Selection and Implementation
 
Archer Resource On-Demand - Kelley Boutoille
Archer Resource On-Demand - Kelley BoutoilleArcher Resource On-Demand - Kelley Boutoille
Archer Resource On-Demand - Kelley Boutoille
 
Infographic: Four Steps to Measuring Mobile ROI
Infographic: Four Steps to Measuring Mobile ROIInfographic: Four Steps to Measuring Mobile ROI
Infographic: Four Steps to Measuring Mobile ROI
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
 
Steps to successful technology implementation
Steps to successful technology implementationSteps to successful technology implementation
Steps to successful technology implementation
 
Ipo process
Ipo processIpo process
Ipo process
 
Agile Software Development Overview
Agile Software Development OverviewAgile Software Development Overview
Agile Software Development Overview
 

Ähnlich wie eGRC for Information Export Control

Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
Minimizing Compliance Resistance to Digital Transformation --- Design for reg...Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
VMware Tanzu
 
Data privacy and security in uae
Data privacy and security in uaeData privacy and security in uae
Data privacy and security in uae
RishalHalid1
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
David Kearney
 
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
confluent
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Sirius
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
Sirius
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
Fahd Khan
 

Ähnlich wie eGRC for Information Export Control (20)

Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it right
 
Michael Josephs
Michael JosephsMichael Josephs
Michael Josephs
 
Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
Minimizing Compliance Resistance to Digital Transformation --- Design for reg...Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
Minimizing Compliance Resistance to Digital Transformation --- Design for reg...
 
Data privacy and security in uae
Data privacy and security in uaeData privacy and security in uae
Data privacy and security in uae
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
 
Advanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of IIIAdvanced Authorization for SAP Global Deployments Part II of III
Advanced Authorization for SAP Global Deployments Part II of III
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoft
 
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
Compliance in Motion: Aligning Data Governance Initiatives with Business Obje...
 
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help The EU General Protection Regulation and how Oracle can help
The EU General Protection Regulation and how Oracle can help
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
Data Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptxData Privacy and Security in UAE.pptx
Data Privacy and Security in UAE.pptx
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
Part II of III: Advanced Authorization for SAP Global Deployments: September ...Part II of III: Advanced Authorization for SAP Global Deployments: September ...
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
 
IRJET- An Investigation into the Adoption of Computer Assisted Audit Techniqu...
IRJET- An Investigation into the Adoption of Computer Assisted Audit Techniqu...IRJET- An Investigation into the Adoption of Computer Assisted Audit Techniqu...
IRJET- An Investigation into the Adoption of Computer Assisted Audit Techniqu...
 
Chapter 6 Technology and Data Platforms.pptx
Chapter 6 Technology and Data Platforms.pptxChapter 6 Technology and Data Platforms.pptx
Chapter 6 Technology and Data Platforms.pptx
 
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Env...
 
Overcome regulatory data retention challenges
Overcome regulatory data retention challengesOvercome regulatory data retention challenges
Overcome regulatory data retention challenges
 

Mehr von NextLabs, Inc.

SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
NextLabs, Inc.
 
Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security
NextLabs, Inc.
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC
NextLabs, Inc.
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
NextLabs, Inc.
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
NextLabs, Inc.
 
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
NextLabs, Inc.
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications Webinar
NextLabs, Inc.
 
Preview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 CommandmentsPreview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 Commandments
NextLabs, Inc.
 
Preview of Heaney On ITAR Controls
Preview of Heaney On ITAR ControlsPreview of Heaney On ITAR Controls
Preview of Heaney On ITAR Controls
NextLabs, Inc.
 

Mehr von NextLabs, Inc. (17)

SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
 
Digital Rights Management
Digital Rights ManagementDigital Rights Management
Digital Rights Management
 
Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security Addressing Gaps in Your Cyber Security
Addressing Gaps in Your Cyber Security
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC Requirements for Implementing Data-Centric ABAC
Requirements for Implementing Data-Centric ABAC
 
Data-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended EnterpriseData-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended Enterprise
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
 
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
Managing Role Explosion with Attribute-based Access Control - Webinar Series ...
 
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
Using Microsoft Dynamic Access Control to create Information Barriers for SEC...
 
NextLabs Internships
NextLabs InternshipsNextLabs Internships
NextLabs Internships
 
Extensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications WebinarExtensible Authorization for SAP Applications Webinar
Extensible Authorization for SAP Applications Webinar
 
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
Part III of III: SAP Advanced Authorization for SAP Global Deployments: Octo...
 
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
 
Advanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of IIIAdvanced Authorization for SAP Global Deployments Part III of III
Advanced Authorization for SAP Global Deployments Part III of III
 
Advanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of IIIAdvanced Authorization for SAP Global Deployments Part I of III
Advanced Authorization for SAP Global Deployments Part I of III
 
Preview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 CommandmentsPreview Of Gary Stanley 10 Commandments
Preview Of Gary Stanley 10 Commandments
 
Preview of Heaney On ITAR Controls
Preview of Heaney On ITAR ControlsPreview of Heaney On ITAR Controls
Preview of Heaney On ITAR Controls
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

eGRC for Information Export Control

  • 1. Enterprise Governance, Risk, and Compliance Solution for Information Export Control Aerospace and Defense, High Tech, and Industrial Companies Can Identify, Control, and Audit The Flow Of Technical Documents to Ensure and Demonstrate ITAR and EAR Compliance WHITE PAPER EXECUTIVE SUMMARY Export controls, such as the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), and similar regulations, govern the transfer of items including defense articles, services, and technical data from U.S. commercial companies to foreign persons outside or within the U.S. Effective compliance requires safeguards across several domains, including physical and network security, project management, and trade management, and includes effective controls on the flow of sensitive technologies, defense articles and related technical data. The eGRC Solution for Information Export Control allows organizations to automate how technical data is identified, controlled, and audited to ensure that the disclosure or export of such data meets regulatory requirements. The solution integrates with other domains and solutions for a comprehensive approach. The eGRC Solution for Information Export Control enforces policies to govern: Access to export-controlled data and systems, such as those that are ITAR or EAR regulated, by non-approved or unauthorized persons. Handling of export-controlled technical data that could expose information to risks by providing accessibility to non-approved or unauthorized persons. Accounting for the export of technical data under an export license, technical assistance agreement (TAA), or global program management authorization (PMA). Contamination of commercial products with export-controlled technology. Transmission or storage of export-controlled technical data across or within systems that are administered by non-approved or unauthorized administrators, and are used for both defense and commercial applications. Accidental export or unauthorized access of technical data by mobile employees. Businesses can now control exposure of technical data where misuse and conflicts of interest can result in costly fines, audits, and related damages. Benefits include: Minimize the risk of inappropriate disclosure – reduce costly fines and penalties by actively preventing violations, and maintain national security integrity. Economize multi-use environments – reduce IT overhead by eliminating redundant controls used for both export-controlled and commercial projects. Quickly demonstrate compliance – expedite investigations by proving that information disclosure is appropriately controlled and documented. Educate users on procedures to protect technical data – ensure that users follow best practices to accelerate project productivity without incurring violations. The eGRC Solution for Information Export Control integrates seamlessly both within and across the extended enterprise to include partners, outsourcers and contractors. The platform approach, built on NextLabs®’s Data Protection®, IBM®’s Tivoli® Identity Manager, and SAP® GRC Global Trade Services, delivers a policy-based solution that leverages existing identity management and trade management applications for rapid time-to-value. Aerospace and Defense, High Tech, and Industrial firms can now quickly enforce controls that minimize risks to technical data and support the safe completion of export-controlled projects. - 1 -
  • 2. OVERVIEW Many Aerospace and Defense, High Tech and Industrial companies use SAP GRC Global Trade Services (GTS) to manage compliance with the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) for export controls. Compliance includes two focus areas: Tracking and controlling the shipment of export-controlled product orders under an export license, and Tracking and controlling the transfer of export-controlled technical data that must also be made under an appropriate license or technical assistance agreement (TAA). SAP GTS is optimized for tracking and controlling the shipment of export-controlled product orders. For such orders, companies obtain a license from the government to ship particular items to a foreign firm, government or individual. The license limits the shipment of goods under that license based on quantity, or quantity and value. When ITAR- or EAR-controlled orders are processed for shipment, SAP GTS manages compliance and approval of the shipment and decrements the appropriate license by the amount of the shipment. Today, the transfer of technical data is not managed by GTS. As such, companies require a solution to track and manage transfers of technical data against TAAs in the same way that GTS manages shipments of export- controlled product orders. However, defense articles are both quantifiable and physical, while companies operate and use data within a complex, geographically diverse, environment. Compounding the problem, partners, suppliers, contractors, and outsourcers that help support business goals also multiply the risks to data confidentiality during collaboration. Given the isolated point products available till now to protect data, the ability to maintain comprehensive control of technical data has been a daunting task. Current solutions fail to provide complete coverage or account for conditional business use of data that is inappropriate. As a result, many companies simply accept the risks and resign themselves to paying compulsory fines when data is misused as an inevitable cost for doing business with the U.S. Government. To successfully fulfill contracts and manage business relationships, technical data controls need to move beyond simply“who has access to what”to a systematic determination of appropriate usage based on user roles, acceptable use activities, locations for doing business, data sensitivity, and a range of attributes that can be evaluated against export policies. The integrated solution to control this technical data includes Tivoli Identity Manager from IBM, NextLabs Data Protection from NextLabs, and SAP GTS. With the solution, companies can now: Identify and track information resources within the enterprise and across the extended enterprise to include the supply chain Monitor technical data access, movement, and use, and define boundaries for exposure, to ensure activities are aligned with export policies, and Audit and report technical data use and export with license and TAA tracking for export control accountability. The solution operates transparently to ensure companies remain productive, while conforming to export regulation policies for technical data control. With this solution, data mobility is controlled to prevent unauthorized exposure, while all activities are centrally monitored to demonstrate export policy compliance. The solution provides a reliable means to control data in alignment with ITAR and EAR policies to reduce the risks that result in expensive fines, damage to business reputation, and costly remediation. - 2 -
  • 3. Key Facts IBM has identified a third-party software from NextLabs that, in conjunction with SAP GRC Global Trade Services and IBM Tivoli Identity Manager, can significantly aid in providing a solution for export-controlled data. This is a critical business and compliance requirement for Aerospace Defense, High Tech, and Industrial companies. IBM intends to deliver this functionality using SAP’s Composite Application Framework (CAF). With this Composite Application, IBM can now offer an integrated solution that enables a client’s ability to ensure ITAR and EAR compliance. It combines people, process, and technology to provide a solution, which demonstrates policy enforcement and provides auditable reporting. Benefits to Clients: Protect sensitive export-controlled technical documents, such as defense data, from being leaked to unauthorized recipients Collaborate securely with partners across dispersed networks Control data mobility across global business environments to prevent exposure risks Demonstrate regulatory compliance with accurate reporting across the entire organization Definitions ITAR - International Traffic in Arms Regulations EAR - Export Administration Regulations Links US Department of State, Directorate of Defense Trade Controls http://pmddtc.state.gov Export Administration Regulations Database http://www.access.gpo.gov/bis/ear/ear_data.html - 3 -
  • 4. PROBLEM OF EXISTING APPROACHES TO CONTROL EXPORT DATA Controlling ITAR- or EAR-related technical data disclosure and export, without gaps, requires the active enforcement of information policies for the use and export of controlled data within the enterprise and across the extended enterprise. Different systems, devices, applications, users, locations, and data types combine to create a complex business environment during export-controlled projects that today’s approaches for protecting information disclosure fail to adequately resolve. The lack of a comprehensive approach results in uncertain visibility and enforcement gaps that ultimately expose regulated companies to risks such as fines and costly remediation. Weaknesses with current approaches include the following: Perimeter Security Control Controls such as firewalls, and intrusion detection and prevention, primarily focus on external threats that enter or leave an organization’s network. However, companies must be able to maintain openly productive information flow between employees, partners, outsourcers and contractors across multiple locations, without exposing data to risks. Because of the complexity of export-controlled information use during projects, perimeter controls do not adequately account for the complexity of today’s supply chains that incorporate multiple locations and organizations. Existing solutions either leave enforcement gaps that risk disclosing classified information, or they impede the productivity of mixed commercial and export-controlled projects. Operating System / Application Controls Standard operating system and application-based access and authentication controls are the most common protective measures for export-controlled technical data. These are based on trust, similar to perimeter controls. Once an authorized user legitimately enters an export protected application such as a database, its access and authentication controls do nothing to protect subsequent movement of technical data that is copied and transmitted outside the application. Violations, unintentional or otherwise, can occur immediately once an approved or authorized user distributes, copies, or stores data in a manner that is inconsistent with the export- control regulations. Document Management Systems (DMS) DMS is used to store and track the use of documents, or images of documents. Users are often required to add descriptive“tags”to facilitate management of information in free-form files created with an office application, such as a word processor. The main use of DMS is for a small subset of enterprise documents with heavy workflow and long lifecycle requirements, such as for a legal department. However, these systems cannot protect technical data in files outside the DMS system, including those sent elsewhere outside the organization using e-mail or instant messaging. Digital Rights Management Technology that handles the description, layering, analysis, valuation, trading and monitoring of legal or access authorization rights of a digital work, DRM is used most often in context of electronic media such as music or movies. DRM may be used for export-controlled technical documents to prevent unauthorized tampering and to create an audit trail for compliance, but still has similar weaknesses to a document management system. DRM suffers from low scalability when applied to complex environments of millions of documents, using rights that are embedded within each file, and also lacks accounting when file movement requires tracking against export licenses. Enterprise Content Management ECM is a popular catch-all term for complementary systems that capture, store, retrieve, and disseminate digital files for use in an enterprise and their lifecycle management. In addition to DMS and DRM, other related acronyms are ILM (Information Lifecycle Management), WCM (Web Content Management), IRM (Information Resource Management), SRM (Storage Resource Management), RM (Records Management), BPM (Business Process Management), and collaborative software. These solutions often fail to understand the complexity of export-controlled projects and the business relationships that include user authorizations, extended enterprise collaboration, and user mobility. - 4 -
  • 5. Thank You! Thank you for viewing a preview of our White Paper - eGRC for Information Export Control Request the full version of this White Paper to see: -The role of information export control in ITAR compliance -Best Practices for technical data classification, access control, secure transfer, and compliance auditing CLICK HERE to request a copy of the full version of this White Paper. - NextLabs www.nextlabs.com