I was given the privilege last week of addressing attendees at the inaugural CyberSecurity for SAP Customers conference in Las Vegas on the topic of GDPR. Specifically, I presented the topic 'Mapping Your SAP Systems to GDPR Compliance Requirements'.
In this presentation I took the work that had previously been done by our research team, the Onapsis Research Labs, shared in the form of a blog and white paper, and provided guidance on how to understand the role SAP systems play in adhering to the GDPR requirements and avoiding penalties.
The goal of GDPR is to ensure that information about ‘data subjects’ (the term used in the regulation to mean individuals) in the EU is used appropriately, and that once this information has been used for the purpose communicated to the data subject when the data was obtained, it is deleted. For the period of time the data is being used, the data subject has the right to ask the enterprise what data it holds about them and to request that the data be deleted.
In addition, GDPR requires that this data be properly protected and not just from hackers. It should also only be available to those within the enterprise who require access to the data to perform the agreed functions. If the data is compromised, the enterprise is required to report the amount and type of data breached, and how they propose to address the breach, including any mitigation efforts, all within 72 hours.
This strict reporting timeframe, coupled with the penalties associated with a breach, puts a high emphasis on protecting data and preventing these breaches. With this in mind, Onapsis has released an audit policy within the Onapsis Security Platform (OSP) that evaluates any SAP system through the lens of the data protection requirements of GDPR. This covers data at rest, data in transit, and the assessment of data access/authorizations.
Onapsis Security Platform GDPR Policy
As with any new policy, the first stage is to identify the SAP systems that are in scope. In the case of GDPR these are any systems that process, handle or store user information. This must be performed outside of OSP, by interviewing data architects and those most knowledgeable about the role and function of your SAP systems. As these systems are identified, it is recommended to create a ‘GDPR’ tag and associate that tag with each in-scope system.
Through the execution of this policy, enterprises leveraging OSP can identify the SAP systems that do not provide adequate protection of the data and processes on those systems, and receive detailed guidance on how to address the gaps. The policy can be scheduled to execute against some or all SAP systems known to OSP through the ‘comply’ tab. If a GDPR tag has been applied to each system, then the target simply needs to be the GDPR tag. This allows you to schedule a regular audit early in the discovery phase and, as new systems are brought into scope and tagged as GDPR, they will automatically be included in the next audit.
The power of SAP systems is the ability of enterprises to extend and customize SAP to meet the needs and specific requirements of the enterprise. As a result, the out-of-the-box authorization checks provided by OSP may only address a subset of the identified authorizations that relate to user data as covered by GDPR. Through the use of custom modules and exclusion groups, OSP can be extended to identify any authorization that could expose GDPR data to those who do not require access to that data.
To learn more, or to request a walk through of how OSP can be used to assess your exposure to GDPR, I invite you to join me for a live webcast presentation on December 14th at 9:00am and 1:00pm EST.