How GDPR affects SAP security?


Post on 07-Feb-2018


  • Roadmap: How to implement GDPR in SAP?

    1. Introduction to GDPR

    2. GDPR security-related requirements

    3. SAP security controls for GDPR

    4. GDPR security implementation plan

    5. Follow-up actions


  • Introduction to GDPR: Key GDPR security provisions and challenges

  • Drivers of GDPR: Privacy concerns

    25 May 2018: General Data Protection Regulation

    Concerns the regulation responds to:
    o cybertheft of personal data
    o tracking and predicting individual behavior
    o misuse of personal data
    o citizens' control over their data
    o level playing field for business

  • GDPR's Goal: To facilitate the digital economy

    For citizens:
    o easier access to their data
    o a new right to data portability
    o right to be forgotten
    o right to know when their personal data has been hacked

    For business:
    o a single set of EU-wide rules
    o EU rules for non-EU companies
    o one-stop-shop
    o a data protection officer
    o innovation-friendly rules
    o privacy-friendly techniques
    o impact assessments

  • Are SAP users ready?

    of users do not fully understand the implications of the GDPR in relation to their SAP estate, and their future use of SAP

    Source: UK and Ireland SAP User Group, June 2017

    By 25 May 2018, less than 50% of all organizations will fully comply with the EU's GDPR

    Source: Gartner Security & Risk Management Summit 2017

    of companies expect sanction or remedial action as of 25 May 2018

    Source: Symantec, October 2016

    http://www.computerweekly.com/news/450420744/SAP-users-look-to-software-suppliers-to-help-with-fast-approaching-GDPR

    https://www.symantec.com/en/uk/about/newsroom/press-releases/2016/symantec_1018_01

  • Turn GDPR into Lemonade

    1. Elicit SAP-related GDPR security requirements

    2. Learn suitable SAP security controls

    3. Prepare GDPR security implementation plan


  • GDPR security-related requirements

  • Definitions

    Personal data: any information relating to an identified or identifiable natural person (data subject);

    Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

    Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

    Source: General Data Protection Regulation, Article 4

    http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

  • Online Store (example of controller and processor roles; slide diagram)

  • GDPR Security Provisions: Overview

    Data Subject Rights

    Privacy Principles (Privacy By Design and Privacy By Default)

    Data Protection Officer Duties

    Data Protection Impact Assessment

    Cybersecurity Requirements

    Data Breach Notification


  • Privacy Principles: Eliciting requirements

    Lawfulness, fairness and transparency

    Purpose limitation

    Data minimization

    Accuracy

    Storage limitation

    Integrity and confidentiality

    Accountability and compliance

    SAP tasks:

    Identify data items

    Find users having access to personal data

    Restrict access to personal data

    Manage personal data lifecycle

    Implement and describe security controls to demonstrate compliance

    Monitor personal data access

    Implement incident response capabilities

  • GDPR Security Tasks

    Assess data processes: Identify data items; Find users having access to personal data; Evaluate security controls; Assess risks to data subjects

    Prevent the data breach: Restrict access to personal data; Implement and describe security controls to demonstrate compliance; Manage personal data lifecycle

    Detect and respond: Monitor personal data access; Detect SAP security threats; Implement SAP incident response capabilities

  • SAP Security Controls for GDPR

  • 1. Assess data processes

    1.1 Identify data items

    1.2 Find users having access to personal data

    1.3 Evaluate security controls

    1.4 Assess risks to data subjects

  • 1.1 Find data: Typical locations of personal data

    Standard global master tables:
    o Customers: KNA1, KNBK, KNVK
    o Vendors: LFA1, LFBK
    o Addresses: ADRC, ADR2, ADR3, ADR6
    o Business partners: BP000, BP030
    o Users: USR03
    o Credit cards: VCNUM

    HR master records (infotypes):
    o 0002 Personal Data
    o 0004 Challenge
    o 0006 Addresses
    o 0009 Bank Details
    o 0021 Family
    o 0028 Internal Medical Services
    o 0094 Residence Status

  • 1.1 Find data: How to find personal data in SAP?

    Search in domains:
    o RSCRDOMA: Where-Used List of Domains in Tables
    o RPDINF01: Audit Information System, Technical Overview of Infotypes

    Search in table descriptions:
    o tables and descriptions: DD02L, text table DD02T
    o fields: DD03L
    o data elements: DD04L, text table DD04T
    o domains: DD01L, text table DD01T
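The two searches above (by data element description and by domain where-used) can be run offline against an extract of DD03L and DD04T. The following is an added example, not code from the slides: the dictionary rows, the keyword list and the domain set are constructed for illustration, and in a real extract you would also filter AS4LOCAL = 'A' (active versions) and skip .INCLUDE lines. The custom table ZCUSTOM shows why the domain search matters: its field text says nothing about banks, but it reuses the BANKN domain.

```python
import re
from collections import defaultdict

# Constructed extracts of the dictionary tables named above (column names follow
# DD03L and DD04T; rows are illustrative, not a dump from any real system).
DD03L = [
    # (TABNAME, FIELDNAME, ROLLNAME, DOMNAME)
    ("KNA1", "KUNNR", "KUNNR", "KUNNR"),
    ("KNA1", "NAME1", "NAME1_GP", "TEXT35"),
    ("KNBK", "BANKN", "BANKN", "BANKN"),
    ("LFBK", "BANKN", "BANKN", "BANKN"),
    ("PA0002", "GBDAT", "GBDAT", "DATUM"),      # infotype 0002 is stored in PA0002
    ("PA0009", "BANKN", "BANKN", "BANKN"),      # infotype 0009 is stored in PA0009
    ("ZCUSTOM", "ZACCT", "ZACCT", "BANKN"),     # custom field reusing a standard domain
    ("MARA", "MATNR", "MATNR", "MATNR"),
]
DD04T = [
    # (ROLLNAME, DDLANGUAGE, DDTEXT)
    ("KUNNR", "E", "Customer Number"),
    ("NAME1_GP", "E", "Name 1"),
    ("BANKN", "E", "Bank account number"),
    ("GBDAT", "E", "Date of Birth"),
    ("ZACCT", "E", "Account reference"),
    ("MATNR", "E", "Material Number"),
]

# Search terms and domains assumed for this example; extend them from your data map.
KEYWORDS = [r"\bbank\b", r"\bbirth\b", r"\bname\b"]
PERSONAL_DOMAINS = {"BANKN"}


def fields_by_domain(dd03l, domain):
    """Where-used list of a domain in tables (what RSCRDOMA does interactively)."""
    return {(t, f) for t, f, _, d in dd03l if d == domain}


def fields_by_text(dd03l, dd04t, patterns, lang="E"):
    """Fields whose data element description (DD04T) matches any pattern."""
    rx = re.compile("|".join(patterns), re.IGNORECASE)
    hit_elements = {r for r, l, text in dd04t if l == lang and rx.search(text)}
    return {(t, f) for t, f, r, _ in dd03l if r in hit_elements}


def find_personal_data(dd03l, dd04t, patterns=KEYWORDS, domains=PERSONAL_DOMAINS):
    """Candidate personal-data fields per table: union of text and domain search."""
    pairs = fields_by_text(dd03l, dd04t, patterns)
    for dom in domains:
        pairs |= fields_by_domain(dd03l, dom)
    by_table = defaultdict(set)
    for t, f in pairs:
        by_table[t].add(f)
    return {t: sorted(fs) for t, fs in sorted(by_table.items())}


if __name__ == "__main__":
    for table, fields in find_personal_data(DD03L, DD04T).items():
        print(table, ", ".join(fields))
```

The output is the input for step 1.2: a list of tables (and fields) whose readers you now need to enumerate.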

  • 1.2 Find users: Overview of communication channels

    Business transactions and reports

    SAP tables:
    o table browsing and maintenance transactions: SE16, SE16N, SE17, SM30, SM31 et al.
    o proxy-transactions like SPRO (which call the aforementioned ones internally)
    o SAP Query (SQVI, SQ01, ...)

    RFC functions

    Databases (HANA, Oracle)

    SAP services:
    o Gateway
    o Message Server
    o SOAP Interface

    (Slide diagram: access controls and other security controls applied on each channel)

  • 1.2 Find users by S_TABU_* authorizations

  • 1.2 Find users of transaction

    Standard data-related transactions:
    o Customers: FD02
    o Vendors: FK02, M-01
    o Addresses: VCUST
    o Business partners: BP
    o Users: SU01, SU10, SUGR, PA30
    o Credit cards: PRCCD, ...

    Find more:
    1. Search for programs using data-related tables (SE80 \ Repository Information System \ ABAP Dictionary \ Database Tables)
    2. Find transactions related to the program (SE80, or table TSTC)
    3. Find users having S_TCODE authorizations to run the transactions
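Combining the two slides above (S_TABU_* authorizations and S_TCODE for the table-browsing transactions) into one check is what a practitioner actually wants: who can open a given personal-data table in SE16 or SM30? The block below is an added example, not code from the slides. It works on constructed extracts of AGR_1251 (role authorization values), AGR_USERS (role to user assignment) and TDDAT (table to authorization group); the roles, users, authorization names and group assignments are made up. It assumes the role data reflects generated profiles and ignores validity dates; for a production review, read the user-level tables (UST12/USR12) or SUIM. Two details of the SAP check are modelled deliberately: all fields of an authorization object must match within one authorization instance (so the AUTH column is used for grouping, not just the object), and a table with no TDDAT entry falls into group &NC&.

```python
from collections import defaultdict

BROWSE_TCODES = {"SE16", "SE16N", "SE17", "SM30", "SM31"}   # from the slide
READ_ACTVT = {"03", "02"}     # display, or change (which includes display)

# Constructed extracts. Column names follow the real tables; users, roles,
# authorization names and group assignments are made up for this example.
TDDAT = {"KNA1": "FC01", "KNBK": "FC01", "PA0002": "PA", "PA0009": "PA"}
TABLES = ["KNA1", "KNBK", "PA0002", "PA0009", "ZCUSTOM"]   # e.g. output of step 1.1
AGR_1251 = [
    # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH)
    ("Z_FI_CLERK", "S_TCODE",    "T-0001", "TCD",       "SE16",   ""),
    ("Z_FI_CLERK", "S_TABU_DIS", "T-0002", "DICBERCLS", "FC*",    ""),
    ("Z_FI_CLERK", "S_TABU_DIS", "T-0002", "ACTVT",     "03",     ""),
    ("Z_HR_ADMIN", "S_TCODE",    "T-0003", "TCD",       "SE16N",  ""),
    ("Z_HR_ADMIN", "S_TABU_NAM", "T-0004", "TABLE",     "PA0002", "PA0009"),
    ("Z_HR_ADMIN", "S_TABU_NAM", "T-0004", "ACTVT",     "03",     ""),
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-0005", "DICBERCLS", "&NC&",   ""),
    ("Z_HR_ADMIN", "S_TABU_DIS", "T-0005", "ACTVT",     "02",     ""),
    ("Z_BASIS",    "S_TCODE",    "T-0006", "TCD",       "S*",     ""),
    ("Z_BASIS",    "S_TABU_DIS", "T-0007", "DICBERCLS", "*",      ""),
    ("Z_BASIS",    "S_TABU_DIS", "T-0007", "ACTVT",     "*",      ""),
    ("Z_NO_TCODE", "S_TABU_DIS", "T-0008", "DICBERCLS", "*",      ""),
    ("Z_NO_TCODE", "S_TABU_DIS", "T-0008", "ACTVT",     "03",     ""),
]
AGR_USERS = [("Z_FI_CLERK", "ALICE"), ("Z_HR_ADMIN", "BOB"),
             ("Z_BASIS", "CAROL"), ("Z_NO_TCODE", "DAVE")]


def value_matches(value, low, high):
    """Authorization value match: '*' matches all, a trailing '*' is a prefix
    wildcard, LOW..HIGH is a lexicographic range. ('+' single-char wildcard omitted.)"""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def build_auths(agr_1251):
    """Group field values by authorization instance: (role, object, auth) -> field -> [(low, high)]."""
    auths = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in agr_1251:
        auths[(role, obj, auth)][field].append((low, high))
    return auths


def auth_allows(fields, required):
    """Every required field must match inside this one authorization instance."""
    return all(any(value_matches(v, lo, hi) for lo, hi in fields.get(f, []))
               for f, v in required.items())


def role_grants(auths, role, obj, required):
    return any(auth_allows(fields, required)
               for (r, o, _), fields in auths.items() if r == role and o == obj)


def readable_tables(role, auths, tddat, tables):
    """Tables the role can display through a table-browsing transaction."""
    if not any(role_grants(auths, role, "S_TCODE", {"TCD": t}) for t in BROWSE_TCODES):
        return set()          # no way to call SE16/SM30 at all
    readable = set()
    for table in tables:
        group = tddat.get(table, "&NC&")   # unassigned tables fall into &NC&
        by_group = any(role_grants(auths, role, "S_TABU_DIS", {"DICBERCLS": group, "ACTVT": a})
                       for a in READ_ACTVT)
        by_name = any(role_grants(auths, role, "S_TABU_NAM", {"TABLE": table, "ACTVT": a})
                      for a in READ_ACTVT)
        if by_group or by_name:
            readable.add(table)
    return readable


def users_with_table_access(agr_1251, agr_users, tddat, tables):
    """table -> sorted list of users who can browse it."""
    auths = build_auths(agr_1251)
    result = defaultdict(set)
    for role, user in agr_users:
        for table in readable_tables(role, auths, tddat, tables):
            result[table].add(user)
    return {t: sorted(u) for t, u in sorted(result.items())}


if __name__ == "__main__":
    for table, users in users_with_table_access(AGR_1251, AGR_USERS, TDDAT, TABLES).items():
        print(table, ", ".join(users))
```

DAVE holds S_TABU_DIS for every group but no browsing transaction, so he is not reported here; that is correct for this channel only. The other channels on the previous slide (RFC, SAP Query, direct database access) need their own checks, which is why the slide lists them separately.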

  • 1.3 Evaluate security controls

    Authentication: password policy; privileged users; SSO checks

    Monitoring: log settings (security audit log, system log, gateway, HTTP, SQL logs); CCMS settings

    Access control: assignment of authorization groups to tables and ABAP programs; RFC authorization checks; unblocked critical transactions (SM59, SCC5, SM32, ...)

    Encryption: SSL options; SNC options

    Insecure configuration: Gateway, RFC, ICF, MMC, GUI, Web Dispatcher, ...

    List of connected systems: RFC, DBCON, HANA, XI
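Several of the checks on this slide (password policy, privileged users, audit log, RFC authorization checks, SNC) reduce to profile parameter values, which RSPARAM lists with both the user-defined and the kernel default value. The block below is an added example, not from the slides: it evaluates an RSPARAM-style extract against a small hardening baseline. The extract rows are constructed, and the target values in BASELINE are this example's assumptions, not a statement of what the slide or SAP mandates; align them with your own standard and the kernel documentation for your release. Two things the example gets right that ad-hoc checks often miss: the effective value is the user-defined one if set, otherwise the default, and a parameter absent from the extract is reported rather than silently treated as compliant.

```python
import re

# Assumed hardening baseline for this example (not taken from the slide):
# (parameter, operator, target, why it matters for personal data)
BASELINE = [
    ("login/min_password_lng",               ">=",      8,        "password policy: minimum length"),
    ("login/password_expiration_time",       "between", (1, 90),  "password policy: forced change interval"),
    ("login/fails_to_user_lock",             "<=",      5,        "password policy: brute-force lockout"),
    ("login/no_automatic_user_sapstar",      "==",      1,        "privileged users: no automatic SAP* login"),
    ("login/password_downwards_compatibility", "==",    0,        "password policy: no weak legacy hashes"),
    ("rsau/enable",                          "==",      1,        "monitoring: security audit log active"),
    ("auth/rfc_authority_check",             "!=",      0,        "access control: S_RFC check on RFC calls"),
    ("snc/enable",                           "==",      1,        "encryption: SNC for DIAG/RFC"),
    ("rdisp/gui_auto_logout",                ">=",      1,        "authentication: idle session timeout"),
]

# Constructed RSPARAM-style extract: (parameter, user-defined value, system default).
# An empty user-defined value means the kernel default is in effect.
RSPARAM = [
    ("login/min_password_lng",                 "",  "6"),
    ("login/password_expiration_time",         "",  "0"),
    ("login/fails_to_user_lock",               "3", "5"),
    ("login/no_automatic_user_sapstar",        "1", "0"),
    ("login/password_downwards_compatibility", "",  "1"),
    ("rsau/enable",                            "1", "0"),
    ("auth/rfc_authority_check",               "0", "1"),
    ("snc/enable",                             "",  "0"),
    # rdisp/gui_auto_logout deliberately absent from the extract
]


def effective_values(rows):
    """Effective parameter value: user-defined if set, else the kernel default."""
    return {name: (user or default) for name, user, default in rows}


def to_int(value):
    return int(value) if value is not None and re.fullmatch(r"-?\d+", value) else None


def _passes(op, val, target):
    if op == ">=":
        return val >= target
    if op == "<=":
        return val <= target
    if op == "==":
        return val == target
    if op == "!=":
        return val != target
    if op == "between":
        return target[0] <= val <= target[1]
    raise ValueError(f"unknown operator {op}")


def evaluate(params, baseline=BASELINE):
    """Return (parameter, status, effective value, reason) for every deviation.
    status is FAIL (value violates baseline) or MISSING (not in extract / not numeric)."""
    findings = []
    for name, op, target, why in baseline:
        raw = params.get(name)
        val = to_int(raw)
        if val is None:
            findings.append((name, "MISSING", raw, why))
        elif not _passes(op, val, target):
            findings.append((name, "FAIL", raw, why))
    return findings


if __name__ == "__main__":
    for name, status, value, why in evaluate(effective_values(RSPARAM)):
        print(f"{status:7} {name} = {value!r}  ({why})")
```

RSPARAM shows the values active in the running instance; a profile file edited but not yet activated, or an instance-specific profile overriding DEFAULT.PFL, will differ, so run the extract per instance and record the instance name with the findings.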

  • 1.4 Assess risks to data subjects

    Slide diagram: CAUSE, EFFECT, RISK

    Causes:
    o weak access controls (no SoD enforced, weak passwords)
    o transmission of data using unencrypted channels
    o application vulnerabilities
    o misconfigurations
    o disabled logging

    Effects on personal data:
    o disclosure
    o alteration
    o destruction or loss

    Risks to data subjects: Health, Legal, Financial, Reputation

    "In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."

    Source: General Data Protection Regulation, Article 32(2)

  • 2. Prevent the data breach

    2.1 Restrict access to personal data

    2.2 Implement and describe security controls to demonstrate compliance

    2.3 Manage personal data lifecycle

  • 2.1 Restrict access to personal data: Overview

    Level / Solution

    Business: authorization objects; segregation of duties; single sign-on and password authentication; UI masking and logging

    Communications: XI; SNC; VPNs; firewalls

    Infrastructure: secure configuration of servers, databases, SAP components and clients; database and file encryption; identity management

  • 2.1 Restrict access to personal data: UI Masking

    Purpose:
    o masking sensitive data in SAP GUI
    o logging of requests to selected data fields

    Functions:
    o modifies data on the backend side, before it is displayed
    o tracks requests for sensitive data
    o configurable what should be masked and how
    o configurable who is authorized to see unmasked data

    Source: SAP UI Masking presentation

    https://assets.cdn.sap.com/sapcom/docs/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.pdf

  • 2.1 Restrict access to personal data: UI Masking Architecture (slide diagram)

    Source: SAP UI Masking presentation

    https://assets.cdn.sap.com/sapcom/docs/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.pdf

  • 2.2 Implement security controls: Article 32

    (a) pseudonymization and encryption: SAP CSF. Data Security; SAP CSF. Secure Architecture

    (b) CIA (confidentiality, integrity, availability): SAP CSF. Asset Management; SAP CSF. Access Control

    (c) continuity: SAP CSF. Business Environment; SAP CSF. Incident Response

    (d) testing: SAP CSF. Vulnerability Management; SAP CSF. Threat Detection

  • 2.2 Implement security controls

    System Security Plan: description of the approach to protect a system
    o security plan roles and assignment of security responsibilities
    o description of system: purpose, environment and interconnections
    o description of assets: name, purpose, environmental context, severity and type of information
    o laws, regulations, and policies affecting systems and data
    o security control selection
    o information about