Flash Friday: Data Quality & GDPR
1 like94 views
The presentation discusses the importance of IBM i security in compliance with the EU General Data Protection Regulation (GDPR), which aims to protect data privacy for EU citizens. It outlines the roles of data controllers and processors, as well as the key imperatives for GDPR compliance, including protecting data, tracking activity, and assessing risks. Additionally, it emphasizes the necessity of adopting appropriate data protection measures and regular security assessments, and suggests services offered by Syncsort to support compliance.
Flash Friday: Data Quality & GDPR
- 1. IBM i Security and GDPR Becky Hjellming Senior Director, Product Marketing
- 2. This presentation and all related materials are provided for informational purposes only, and are not intended to provide, and should not be relied on for, legal advice pertaining to the subject matter. If you have specific questions on how this may affect your organization, you should consult your legal advisor. Disclaimer 2
- 3. IBM i Security for GDPR Compliance GDPR enforcement began May 25, 2018. The EU General Data Protection Regulation (GDPR) is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” IBM i security is not only critical for GDPR compliance, but also supports compliance with other security regulations and benefits the business. 3
- 4. The GDPR regulation applies to two categories of organizations: • Controllers – Organizations of any kind or individuals that determine how to process personal data. Controllers are responsible for collecting consent, controlling access to that data, and managing requests from data subjects • Processors – Organizations of any kind or individuals that process personal data on behalf of the controller. Who Does GDPR Apply To? GDPR applies to every organization that stores, processes or otherwise uses data relating to E.U. citizens 4
- 5. GDPR is all about respecting and protecting personal data • The regulation is comprised of 173 recitals and 99 articles • Many recitals and articles mention the need for data security IT imperatives for complying with GDPR 1. Protecting data 2. Tracking activity / detecting violations 3. Assessing risks GDPR and IBM i Security 1 2 3 5
- 6. Data protection encompasses preventing an individual’s personally identifiable information from • Being stolen • Being seen by an unauthorized person • Being used in a way outside the scope of the individual’s consent GDPR doesn’t dictate technologies that should be used aside from mentions of encryption and pseudonymization. Every organization is expected to make a reasonable determination of what data protection measures they need to take given the nature of the data they handle. 6 Imperative #1 – Protecting Data
- 7. Global access control prevents unauthorized access to systems and data • Password management and multi-factor authentication • Management of object authorities • Control of access via network protocols, system or user commands, SQL statements, file opens and more Elevated authority management restricts the use of powerful profiles • Management of powerful profiles and temporarily elevated authorities • Enforcement of session timeouts Sensitive data protection ensures authorized individuals can only read sensitive data • Encryption • Pseudonymization (also known as tokenization, scrambling, shuffling, and anonymization) • Masking 7 Key Technologies for Protecting Data
- 8. GDPR requires that organizations have mechanisms in place to track: • How personal data is used • How that data is accessed within systems If a breach of confidentiality or inappropriate use of an individual’s data occurs, the organization must: • Quickly detect and remediate the violation • Report the extent of the breach in a timely fashion 8 Imperative 2 – Tracking Activity / Detecting Violations
- 9. System activity logging tracks all system access and sensitive data activity • Searchable, filterable views into IBM i System Audit and user journals • Reports and alerts on databases changes or system changes • Logs of all access to sensitive files (who, when, how) with before/after details Policy compliance management to detect object and configuration settings that may be in violation of your security policies • Automatic comparison of security policy and object and system settings Global access control to alert administrators to violations • Notification of access violations 9 Key Technologies for Tracking Activity / Detecting Violations
- 10. Several provisions within GDPR mandate security risk assessments on a regular basis An IBM i assessment should analyze security in the IBM i environment, comparing system configurations with known security best practices. Key areas that must be covered include, but aren’t limited to: • System values • Default passwords • Disabled users • Command line users Many compliance regulations require that assessments be conducted by a person or process independent from the IT staff that manage or otherwise use the system 10 Imperative #3 Assessing Risk • Distribution of powerful users • Library authorities • Open ports • Exit-point programs
- 11. Self-service risk assessment tool provides insights into security vulnerabilities for your internal team • Doesn’t meet “separation of duties” requirement • Gives you an idea where you stand Risk assessment services obtains a third-party assessment of all potential security exposures in your IBM i environment. Look for: • Expertise in IBM i security • Depth of breadth of analysis • A detailed report with explanations, recommendations and guidance • Summary report for management team 11 Key Technologies and Services for Assessing Risk
- 12. Expanded partnership opportunities with companies who require GDPR compliance of their partners Improved quality of data as individuals take the opportunity to review and update their personal information Reduced possibility of fines and impact to your reputation Goodwill and trust from customers, prospects, vendors, and employees when they recognize your efforts to respect the privacy and security Addressing GDPR can helps you meet other regulations, while obtaining a competitive advantage 12
- 13. Data Privacy Protect the privacy of data at-rest or in-motion to prevent data breaches Access Control Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise Compliance Monitoring Gain visibility into all security activity on your IBM i and optionally feed it to an enterprise console Security Risk Assessment Assess your security threats and vulnerabilities 13 Syncsort offers leading security solutions and expert services to address GDPR requirements for IBM i security Syncsort Can Help!
- 14. To learn more about Syncsort’s security technologies and services for IBM i, visit www.syncsort.com/assure Or contact Syncsort at info@syncsort.com Learn More! 14