Electronic Export Compliance - WhitePaper

Control and audit the use of technical data and information flow to comply with ITAR and Export Regulations.

Inappropriate Disclosure of Technical Data

The Aerospace and Defense (A&D) industry faces a set of unique information security challenges dealing with the handling and protection of defense or other technical data. ITAR and EAR regulations impose fines and penalties for inappropriate disclosure of controlled information, e.g. data of importance to national defense.

Satisfying ITAR and EAR regulations is a major challenge for A&D firms, especially those with global presence, mobile workers, offshore operations, joint ventures, and extensive collaboration or supply chains. Guidelines or standards around key concepts like deemed exports are loosely defined.

NextLabs® and SAP® have teamed to provide a solution that helps A&D firms comply with ITAR and EAR export regulations.

Solution Highlights

• Control access to and protect information subject to export regulations
• Comply with ITAR and EAR regulations by implementing:
  • Information access and handling controls, including enforcement
  • Export License Management
  • Automated assistance to satisfy export control regulations

The Solution

The NextLabs and SAP Electronic Export Compliance solution is designed to address export control requirements in order to comply with ITAR and EAR export regulations. The solution consists of three major components: identity management, information access control and enforcement, and export license (e.g. TAA) management.

The Solution addresses technical data export requirements by enabling project teams to:

• Define authorized users
• Identify controlled technical data
• Control technical data access and use according to defined business policies
• Control export of technical data corresponding with approved licenses and defined business policies
• Provide a full audit trail detailing technical data flow history to satisfy regulatory compliance requirements

The solution protects information within the enterprise, ensures compliance with export regulations when dealing with global suppliers, restricts access to controlled information to authorized users, and provides detailed reports to demonstrate compliance and support audits.

The Solution actively enforces export controls by understanding the complex business context variables for appropriate technical data handling and disclosure. Collaboration inside and outside the extended enterprise, including supply chain partners and a mobile workforce, can safely take place.
Leveraging SAP GRC Global Trade Services (GTS) to Protect ITAR Technical Data Exports

SAP GRC Global Trade Services (GTS) provides enterprises with the ability to manage the physical export of goods against agreements/licenses, which is necessary to comply with government regulations such as ITAR and EAR. Comprised of three modules (Compliance, Customs and Risk), GTS manages the export process from receiving the license through operational management and documentation.

The Compliance Management module manages international trade in three main areas: sanctioned party screening, export license management and import license management. The Customs Management module facilitates communications between the company's enterprise and customs agencies, the creation of documentation, and production classification. The Risk Management module deals with trade preference agreements and financial integration for letters of credit.

In an integrated environment, GTS is linked with the ERP, sales and/or shipping systems to provide seamless export compliance. Sales order and shipment data is sent to GTS, processed within the Compliance Management module and evaluated for compliance with export licenses. Then the documentation needed to facilitate the export (i.e., US CBP forms) is delivered via the Customs Management module. Reporting and audit capabilities are then made available against each license at the transaction level.

However, as mentioned earlier, when the export is a transmittal of technical data to a supplier or customer, there is not necessarily a transaction in the ERP or shipping system that captures the export. Without a transaction, GTS has no visibility into the export and no means to associate it with the applicable export agreement/license. If there were a way to have the technical data transfer represented as a physical shipment, then the functionality GTS provides could be used as designed and compliance improved.

With the addition of NextLabs' suite of information risk management software, transfers of data can be tracked and monitored discretely. Each of these movements can be transferred to GTS as if it were a physical shipment, using the standard API. GTS will then process the shipment through license determination and license association, and track the transfer against the license for audit purposes. This provides a permanent record of each instance in which technical data was transferred against a license. Additional information about the transfer, such as the file name, can then be retrieved if necessary.

ITAR Technical Data Scenarios

The Electronic Export Compliance solution is centered on a best-practice ITAR Policy Library that addresses the greatest areas of technical data control risk. Additional libraries to address EAR, or custom libraries for export controls based on client needs, can easily be included or designed.

Recognizing that the determination of ITAR jurisdiction can be a subjective process, policies are managed through collaboration between Export Officers at the corporate level and Project Managers in each of the business units. Policy is deployed across enforcement points of relevant applications and systems to control data access and use. Controls are measurable and demonstrable via a set of audit dashboards, reports, and integration with export trade management systems. Existing infrastructure, such as Identity Management, Access Management, HR, and corporate directories, is directly leveraged to minimize manual maintenance and allow policies to easily adapt to changes when underlying infrastructure is updated.

Technical Controls for Electronic Export Compliance

To prevent inappropriate disclosure, and to ensure that data use and export comply with regulatory policies, the Electronic Export Compliance solution provides the following controls.

Limiting Access to ITAR Technologies

ITAR policies require that access to technical data is restricted to US persons. Typically, technical data is managed in document management systems or on file servers, and while it is in a repository, local controls may prevent ITAR access violations. However, these controls are insufficient to meet ITAR requirements once data is removed from the repository to a place where no usage controls exist, allowing the data to be misused.

As an example, an authorized user may need to copy a design file to an engineering workstation to complete the design. Once the file is copied to the workstation, no further controls exist over where it may be saved or sent. A violation, even an unintentional one, now has the opportunity to occur. With the Electronic Export Compliance solution, access controls are maintained when technical data flows between systems. Furthermore, files may only be saved within or distributed to approved locations as the data flows across the business environment.

Mixed-Use Environments

In many Aerospace and Defense, High Tech, and Industrial firms, engineering design, development, and manufacturing resources are used for both ITAR projects and commercial projects. Such multi-use environments create the potential for accidental disclosure of technical data and contamination of commercial projects. In these environments, users, systems, and applications are potential breach and leakage points.
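The controls described above, as an added example in Python (not NextLabs or SAP code): a small policy decision point that restricts ITAR-tagged data to US persons, keeps it out of other projects, and records every request as a shipment-like audit entry matched to a covering license, the way the GTS integration above is described. All names, channels and license values are hypothetical, and the location check also covers the remote-access and approved-channel cases discussed later in the paper.

```python
"""Constructed policy decision point (PDP) for the ITAR technical-data controls
in this paper: US-person access, separation from other projects, approved
transfer channels, and export (access from or transfer to a non-US location)
only under a covering license. Hypothetical example, not NextLabs/SAP code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

APPROVED_CHANNELS = {"encrypted-portal", "sftp-vpn"}  # assumed channel names


@dataclass
class User:
    name: str
    us_person: bool
    location: str   # ISO country code of the user's/device's current location
    project: str    # project the user is working in right now


@dataclass
class Resource:
    name: str
    itar: bool      # document tag: ITAR-controlled technical data
    project: str    # project the data belongs to


@dataclass
class License:      # e.g. a TAA covering transfers to the listed countries
    license_id: str
    countries: Set[str]


@dataclass
class PDP:
    licenses: List[License]
    audit: List[dict] = field(default_factory=list)

    def _covering_license(self, countries: Set[str]) -> Optional[License]:
        return next((lic for lic in self.licenses if countries <= lic.countries), None)

    def decide(self, user: User, res: Resource, action: str,
               channel: Optional[str] = None, dest_country: str = "US"):
        """Return (decision, reasons, license_id); every request is audited."""
        reasons: List[str] = []
        license_id = None
        if res.itar:
            if not user.us_person:
                reasons.append("non-US person")
            if user.project != res.project:
                reasons.append("use in another project would contaminate it")
            if action == "transfer" and channel not in APPROVED_CHANNELS:
                reasons.append(f"channel {channel!r} not approved")
            # Access from abroad, or a transfer abroad, is an export and is
            # allowed only if a single license covers every non-US country.
            abroad = {c for c in (user.location, dest_country) if c != "US"}
            if abroad:
                lic = self._covering_license(abroad)
                if lic is None:
                    reasons.append(f"no license covers {sorted(abroad)}")
                else:
                    license_id = lic.license_id
        decision = "DENY" if reasons else "PERMIT"
        # Shipment-like audit record: the entry a trade system can match to a license.
        self.audit.append({"user": user.name, "resource": res.name, "action": action,
                           "channel": channel, "from": user.location, "to": dest_country,
                           "decision": decision, "license": license_id, "reasons": reasons})
        return decision, reasons, license_id

    def exports_under(self, license_id: str) -> List[dict]:
        """Permitted exports tracked against one license, for audit reporting."""
        return [r for r in self.audit
                if r["decision"] == "PERMIT" and r["license"] == license_id]
```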
For example, an engineer copies design files to a workstation that is accessible to foreign persons. Similarly, a server application with ITAR-controlled designs may be administered by a foreign person, potentially exposing the files. While utilizing shared resources across ITAR-controlled and commercial environments allows companies to economize by reducing infrastructure costs, it also increases the potential for inappropriate exposure. The Electronic Export Compliance solution protects the integrity of mixed-use environments by enforcing appropriate access and use for technical data, which allows businesses to realize the economies of managing information across shared resources.

Technical Data Export With Trade Management

Export of technical data occurs any time that information is sent outside of the US or provided to foreign persons within the US. Many of these types of exchanges are, however, allowed under license. Transfers of technical data under licenses must be accounted for and reported, similar to the export of physical goods. Accounting for and tracking data movement can be difficult, since transfer of electronic technical data can occur over multiple channels, including email, instant messenger, FTP, or Web upload. Because the transfer of electronic data is so frictionless, it is difficult to accurately account for exported information as required by regulations.

The Electronic Export Compliance solution ensures that technical data export is tracked and in alignment with export licenses by enforcing controls over ITAR technical data access, movement, and use across systems and applications. SAP GTS can process the technical data export as a shipment and apply the GTS service checks, such as license determination, to the transaction. Auditing and reporting, integrated with the trade management system, verifies and proves that compliance is being met.

Supply Chain Collaboration on ITAR Projects

In the design and manufacture of defense articles, companies often collaborate across a complex supply chain. A single product may include parts from suppliers, and each part may have several companies involved in its design and manufacture. In these cases, technical data is shared between organizations. The transfer of data requires approved distribution methods to prevent exposure during transmission.

For example, if data travels through systems or networks that are administered by foreign persons, there is opportunity for inappropriate disclosure. The receiving organization must also handle technical data appropriately; for example, they are required to ensure it is not exposed, return the information after it has been used, and destroy copies once a project is complete.

The Electronic Export Compliance solution enforces policy-based controls within the enterprise and across the extended enterprise, including partners, outsourcers, and contractors, for compliance throughout the supply chain. Controls can require that collaboration make use of specific communication channels with additional protection technologies enforced, such as encryption, to maintain information integrity while in transit. With the Electronic Export Compliance solution, data that is physically maintained on partner, outsourcer, and contractor systems can also be controlled with the same degree of integrity as if the system were managed directly within the enterprise.

Contamination via See-Through

ITAR will control a commercial item if a product or component that is subject to ITAR control is incorporated into it. For example, if a part originally designed for a military aircraft is used in a commercial airliner, the airliner is subject to ITAR while that ITAR-controlled part remains integrated into the airliner. This situation presents unique risks when applied to ITAR technical data, such as specifications and software, where documents and code are easily reused between products. To prevent the contamination described above, it is important that data pertaining to defense articles be kept separate from commercial data, with any mixing of technical data prevented.

The Electronic Export Compliance solution can identify data based on locations, such as applications, repositories and devices, as well as data attributes, such as document tags, to actively control exposure. Classes of information or specific documents can be restricted from use in projects that would present conflicts, using a solution that is scalable across the entire environment.

Mobile Data and Remote Access Use

Access to ITAR technical data from locations outside the US, even by approved or authorized persons, is considered an export of technical data. Similarly, the transport of technical data on a mobile device such as a laptop computer outside the US is considered an export of technical data. These export activities are either prohibited or allowed under an existing export license. Furthermore, data access requires that controls are applied based on the current location of the end user and end point system, along with a means to identify ITAR data that is stored on a mobile device, to ensure that the device is free of technical data before it is brought outside the country.

The Electronic Export Compliance solution enforces controls by integrating with identity management systems that track users and devices for applying policies. When users and devices are mobile, they are evaluated against policies to apply enforcement accurately, even when off the network or disconnected. When conditions indicate that users are in locations subject to ITAR restrictions or are accessing the network remotely, policies can restrict data access, movement and use to ensure ITAR compliance is maintained. The solution can also require dependencies for increased protection to ensure that additional safeguards, such as encrypted storage or communications, are enforced.

Solution Benefits for Electronic Export Compliance

With active controls applied to the access, movement and use of export-controlled technical data, companies can now avoid costly fines resulting from inappropriate disclosure, as well as audit the export of technical data, to align the movement of technical documents with valid export licenses. Moreover, the solution provides auditing and reporting to give much-needed visibility and ensure that export control regulatory compliance meets business goals.

Minimize the Risk of Inappropriate Disclosure

The Electronic Export Compliance solution enforces export control policies in real time at each point of information use to ensure that technical data is accessed, handled, distributed, communicated, and exported appropriately. By applying information controls, Aerospace and Defense, High Tech, and Industrial firms can reduce fines and penalties, and legal and remediation costs, as well as protect customer and stockholder trust, by actively preventing violations, while maintaining national security integrity as a responsible organization.

Quickly Demonstrate Compliance

The Electronic Export Compliance solution allows organizations to monitor, log and report all information use activities, regardless of the policies put in place, to ensure that technical data access, movement and use is aligned with compliance goals. By demonstrating that policies are enforced appropriately, along with clear visibility into all information use activities, companies can assist investigations by proving that information disclosure occurs appropriately and that policies actively protect sensitive information.

Economize Multi-Use Environments

Large, global companies with significant investments in infrastructure need the ability to use all available resources productively, given the alternative of maintaining dual infrastructures for export-controlled data and other programs. However, the lack of adequate solutions for protecting technical data as it flows within the enterprise and across the extended enterprise has required businesses to create physically isolated environments. By applying the Electronic Export Compliance solution across the enterprise, businesses can now mitigate risks by actively protecting data across systems shared by both export-controlled and commercial projects. The solution is effective even across the complexity of heterogeneous systems, applications, devices and data types.

Educate Users to Policies for Protecting Technical Data

Large companies often depend on the goodwill of employees and supply chain partners to enforce export control policies for the safe handling of regulated technical documents. However, misuse can often occur accidentally or through an unintended combination of entitlements. The Electronic Export Compliance solution takes the guesswork out of enforcement by automatically notifying users when they are in potential violation of policies, before the violations occur, and actively preventing misuse at the same time. By automatically educating users with warning notices, companies can ensure that users accelerate project productivity by following best practices for the safe access, movement, and use of export-controlled technical data.

Solution Deployment

NextLabs and SAP follow a proven method for implementing the solution by utilizing a combination of expert product knowledge and a services best-practices methodology. When Electronic Export Compliance is deployed, clients will be assisted in identifying their controlled documents, as well as in defining access control policies. The following method defines the solution deployment process:

Step 1: Review Identity Management System
An identity management system must exist to identify and authenticate users accessing controlled data. The existing identity management system will be reviewed to determine if any enhancements are required in order for it to work effectively as part of the Electronic Export Compliance solution. This process must function regardless of domain or locality.

Step 2: Identify Controlled Technical Data
Technical data subject to export controls will be identified in order to control access, usage, and distribution of information.

Step 3: (If not yet deployed) Deploy SAP GRC Global Trade Services
GRC Global Trade Services provides an integrated and unified report on the export of both manufactured goods and technical data. Technical data is associated with export licenses, and a full report of all technical data transfers is created.

Step 4: Deploy NextLabs Information Risk Management Software
NextLabs' information risk management software actively controls technical data handling and disclosure to maintain alignment with regulatory compliance. Policies are enforced at the point of data use, including extended enterprise locations across the business and supply chain, and across devices when users are mobile, even when they are disconnected from the network.

Step 5: Define Controlled Technical Data Authorized Users
Users authorized to access controlled technical data are identified in order to define appropriate access controls. Users will be granted access to information subject to defined usage restrictions that are automatically enforced.

Export compliance policies are defined and may cover various aspects of information access and usage to assure compliance with export regulations, e.g. restricting communications of controlled information to approved channels only, preventing controlled information from contaminating commercial projects, and others. Detailed reports cover denied information exports, and approved information exports are matched to the covering TAA licenses for comprehensive auditing. Reports can be accessed through a single interface that covers exports of both physical goods and services, and electronic data.

About NextLabs

NextLabs®, Inc. is the leading provider of policy-driven information risk management (IRM) software for large enterprises. Our software offers a cohesive solution for improving compliance and mitigating information risk by helping companies achieve safer and more secure internal and external collaboration, prevent data loss, and ensure proper authorization to applications and data.

Our flagship data protection and entitlement management products, Enterprise Data Protection and Compliant Enterprise®, combine with the Control Center XACML-based policy management platform, with integrated content-aware and identity-driven enforcement technology, to offer the most comprehensive information risk management (IRM) solution. Our products preserve confidentiality, prevent data loss, and ensure compliance across more channels and more points, within a single unified solution with unmatched user acceptance and Total Cost of Ownership (TCO).

About SAP

SAP is the world's leading provider of business software (*), offering applications and services that enable companies of all sizes and in more than 25 industries to become best-run businesses. With approximately 76,000 customers (including customers from the acquisition of Business Objects) in over 120 countries, the company is listed on several exchanges, including the Frankfurt stock exchange and NYSE, under the symbol "SAP".

(*) SAP defines business software as comprising enterprise resource planning and related applications.

Want to Find Out More?

For more information about NextLabs Information Risk Management, visit us online at: http://www.nextlabs.com

For additional details about what SAP can offer your organization, visit us online at: http://www.sap.com

© 2007-2011 NextLabs Inc. All Rights Reserved. NextLabs, the NextLabs Logo, Enterprise Data Protection and Compliant Enterprise are trademarks or registered trademarks of NextLabs Inc. in the United States. SAP and SAP NetWeaver are the trademark(s) or registered trademark(s) of SAP AG in Germany and in several other countries. All other company, product, or service names mentioned may be the trademarks or service marks of their respective companies. 9-08. 2 Waters Park Drive, #250, San Mateo, CA 94403 USA. t: 650-577-9101 f: 650-577-9102 www.nextlabs.com