In this presentation, we’ll be talking about the importance of your IBM i security for GDPR compliance and share three imperatives for your IBM i and complying with GDPR, including:
Protecting data
Tracking activity/detecting violations
Assessing risks
GDPR & IBM i Security
1. FLASH FRIDAY: IBM i SECURITY AND GDPR
Becky Hjellming
Product Marketing Director
2. Flash Friday: A New Webcast Series
Today’s format is a 15-minute informational session to give you what you need to know quickly so you can get back to your day.
Questions can be submitted through the chat feature and will be followed up after the session.
The webcast is being recorded and will be available on-demand.
3. Disclaimer
This webcast and all related materials are provided for informational purposes only, and are not intended to provide, and should not be relied on for, legal advice pertaining to the subject matter.
If you have specific questions on how this may affect your organization, you should consult your legal advisor.
4. Are you Ready? GDPR Enforcement Begins May 25, 2018
The EU General Data Protection Regulation (GDPR) is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.”
IBM i security is not only critical for GDPR compliance, but also supports compliance with other security regulations and benefits the business.
5. Who Does GDPR Apply To?
The regulation applies to two categories of organizations:
– Controllers – Organizations of any kind or individuals that determine how to process personal data. Controllers are responsible for collecting consent, controlling access to that data, and managing requests from data subjects.
– Processors – Organizations of any kind or individuals that process personal data on behalf of the controller.
GDPR applies to every organization that stores, processes or otherwise uses data relating to E.U. citizens.
6. GDPR and IBM i Security
GDPR is all about respecting and protecting personal data
– The regulation consists of 173 recitals and 99 articles
– Many recitals and articles mention the need for data security
IT imperatives for complying with GDPR
1. Protecting data
2. Tracking activity / detecting violations
3. Assessing risks
7. Protecting Data
Data protection encompasses preventing an individual’s personally identifiable information from
– Being stolen
– Being seen by an unauthorized person
– Being used in a way outside the scope of the individual’s consent
GDPR doesn’t dictate technologies that should be used aside from mentions of encryption and pseudonymization.
Every organization is expected to make a reasonable determination of what data protection measures they need to take given the nature of the data they handle.
8. Key Technologies for Protecting Data
Global access control to prevent unauthorized access to systems and data, including
– Management of object authorities
– Control of access via network protocols, system or user commands, SQL statements, file opens outside of applications and more
– Password management and multi-factor authentication
Sensitive data protection to ensure only authorized individuals can read sensitive data
– Encryption
– Pseudonymization (also known as scrambling, shuffling, and anonymization)
– Masking
Elevated authority management to restrict the use of powerful profiles
– Management of powerful profiles and temporarily elevated authorities
– Enforcement of session timeouts
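As an added illustration of the masking and pseudonymization items above (example code written for these notes, not from the webcast and not from any Syncsort product), the Python below masks a card number so only the last four digits remain, derives keyed pseudonyms with HMAC-SHA256 so records about the same person still join without exposing the name or e-mail, and keeps the re-identification table apart from the protected data. The customer rows, field names and keys are constructed sample values. On IBM i these controls normally sit in the database itself (Db2 for i column masks or field procedures); the logic is shown in Python only so it runs anywhere.

```python
import hmac
import hashlib
import secrets

# Constructed sample rows standing in for records of a customer file; not real people.
CUSTOMERS = [
    {"custno": 1001, "name": "Anna Lindqvist", "email": "anna@example.org",
     "card": "4111111111111111", "city": "Malmö"},
    {"custno": 1002, "name": "Jonas Berg", "email": "jonas@example.org",
     "card": "5500000000000004", "city": "Oslo"},
    {"custno": 1003, "name": "Anna Lindqvist", "email": "anna.l@example.org",
     "card": "340000000000009", "city": "Malmö"},
]


def mask(value, keep_last=4, fill="*"):
    """Masking: show only the trailing characters, e.g. on a service desk screen."""
    text = str(value)
    if len(text) <= keep_last:
        return fill * len(text)
    return fill * (len(text) - keep_last) + text[-keep_last:]


def pseudonymize(value, key, length=16):
    """Keyed pseudonymization with HMAC-SHA256.

    The same value under the same key always yields the same token, so pseudonymized
    rows still join and group correctly. Without the key the token cannot be turned
    back into the value; the key is the 'additional information' that GDPR expects
    to be kept separately from the data."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def new_key():
    """A fresh random key; if it is discarded after use, tokens can no longer be re-linked."""
    return secrets.token_bytes(32)


def protect_record(rec, key):
    """Direct identifiers are pseudonymized, the card number is masked, the rest is kept."""
    out = dict(rec)
    out["name"] = pseudonymize(rec["name"], key)
    out["email"] = pseudonymize(rec["email"], key)
    out["card"] = mask(rec["card"])
    return out


def protect_all(records, key):
    return [protect_record(r, key) for r in records]


def build_lookup(records, key, fields=("name", "email")):
    """Re-identification table (token -> original). Store it apart from the protected
    data and under stricter access control than the data itself."""
    return {pseudonymize(r[f], key): r[f] for r in records for f in fields}


if __name__ == "__main__":
    key = new_key()
    for row in protect_all(CUSTOMERS, key):
        print(row)
    print(f"{len(build_lookup(CUSTOMERS, key))} tokens in the separately held lookup table")
```

The distinction matters for GDPR: a pseudonym that the controller can reverse with the key or the lookup table is still personal data and has to be protected as such, which is why the key lives apart from the pseudonymized file; a token produced under a key that is thrown away after the run can no longer be linked back and is closer to anonymization.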
11. Tracking Activity / Detecting Violations
GDPR requires that organizations have mechanisms in place to track:
– How personal data is used
– How that data is accessed within systems
If a breach of confidentiality or inappropriate use of an individual’s data occurs, the organization must:
– Quickly detect and remediate the violation
– Report the extent of the breach in a timely fashion
12. Key Technologies for Tracking Activity / Detecting Violations
System activity logging to track all system access and sensitive data activity
– Searchable, filterable views into IBM i System Audit and user journals
– Reports and alerts on database changes or system changes
– Logs of all access to sensitive files (who, when, how) with before/after details
Policy compliance management to detect object and configuration settings that may be in violation of your security policies
– Automatic comparison of security policy and object and system settings
Global access control to alert administrators to violations
– Notification of access violations
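To make the “reports and alerts” and “who, when, how, with before/after details” items concrete, here is an added Python example (written for these notes; not from the webcast and not a Syncsort product) that runs a few detection rules over constructed audit records. The records use a simplified dictionary shape rather than the actual QAUDJRN journal entry layout, although the two-letter types PW, AF, ZR, ZC and SV are the real audit journal entry types for invalid password, authority failure, object read, object change and system value change; the file names, users, programs and thresholds are assumptions. The rules raise an alert when one user accumulates three invalid passwords or authority failures inside five minutes, when a sensitive file is read or changed by anything other than its approved application programs (the database host server job QZDASOINIT stands in for a direct ODBC/SQL connection), and whenever a system value changes; separately, every touch of a sensitive file is kept as a who/when/how record with the before and after values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Files holding personal data, mapped to the application programs allowed to use them (assumed).
SENSITIVE_FILES = {
    ("PRODLIB", "CUSTMAST"): {"CUSTUPD", "CUSTINQ"},
    ("PRODLIB", "PAYROLL"): {"PAYRUN"},
}
BURST_THRESHOLD = 3               # failures from one user ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside this window raise an alert


def entry(ts, etype, user, job, **extra):
    """Build one simplified audit record (constructed; not the real QAUDJRN layout)."""
    e = {"ts": ts, "type": etype, "user": user, "job": job, "library": None,
         "object": None, "program": None, "before": None, "after": None}
    e.update(extra)
    return e


# Constructed sample entries for one morning, in time order.
AUDIT_ENTRIES = [
    entry("2018-05-10T08:01:12", "PW", "JDOE", "QPADEV0001"),
    entry("2018-05-10T08:01:20", "PW", "JDOE", "QPADEV0001"),
    entry("2018-05-10T08:01:31", "PW", "JDOE", "QPADEV0001"),
    entry("2018-05-10T08:01:40", "PW", "JDOE", "QPADEV0001"),
    # Read of the customer master through the ODBC server job: no application program involved
    entry("2018-05-10T08:15:02", "ZR", "BOB", "QZDASOINIT", library="PRODLIB", object="CUSTMAST"),
    # Change through the approved application, with the before/after image of the field
    entry("2018-05-10T08:16:45", "ZC", "ALICE", "CUSTUPD01", library="PRODLIB", object="CUSTMAST",
          program="CUSTUPD", before="Storgatan 1", after="Storgatan 12"),
    # Security level lowered
    entry("2018-05-10T08:20:00", "SV", "QSECOFR", "QPADEV0002", object="QSECURITY", before="40", after="30"),
    entry("2018-05-10T08:22:10", "AF", "BOB", "QZDASOINIT", library="PRODLIB", object="PAYROLL"),
    entry("2018-05-10T08:22:15", "AF", "BOB", "QZDASOINIT", library="PRODLIB", object="PAYROLL"),
    entry("2018-05-10T08:22:19", "AF", "BOB", "QZDASOINIT", library="PRODLIB", object="PAYROLL"),
]


def detect(entries, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (alerts, access_log) for a list of audit records."""
    alerts, access_log = [], []
    recent = defaultdict(deque)   # (type, user) -> timestamps still inside the window
    for e in sorted(entries, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] in ("PW", "AF"):
            q = recent[(e["type"], e["user"])]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) == threshold:   # fire once, the moment the burst is reached
                rule = "invalid-password-burst" if e["type"] == "PW" else "authority-failure-burst"
                alerts.append({"rule": rule, "user": e["user"], "job": e["job"],
                               "at": e["ts"], "count": len(q)})
        elif e["type"] in ("ZR", "ZC"):
            key = (e["library"], e["object"])
            if key in SENSITIVE_FILES:
                # Every access to a sensitive file is recorded: who, when, how, before/after
                access_log.append({"who": e["user"], "when": e["ts"],
                                   "how": f'{e["job"]}/{e["program"] or "no program"}',
                                   "file": f"{key[0]}/{key[1]}",
                                   "action": "read" if e["type"] == "ZR" else "change",
                                   "before": e["before"], "after": e["after"]})
                if e["program"] not in SENSITIVE_FILES[key]:
                    alerts.append({"rule": "sensitive-file-access-outside-application",
                                   "user": e["user"], "job": e["job"], "at": e["ts"],
                                   "file": f"{key[0]}/{key[1]}"})
        elif e["type"] == "SV":
            alerts.append({"rule": "system-value-changed", "user": e["user"], "job": e["job"],
                           "at": e["ts"], "value": e["object"],
                           "before": e["before"], "after": e["after"]})
    return alerts, access_log


if __name__ == "__main__":
    found, log = detect(AUDIT_ENTRIES)
    for a in found:
        print("ALERT", a)
    for rec in log:
        print("ACCESS", rec)
```

The burst rule fires once per burst rather than on every further failure, which keeps the alert volume manageable when an account is being hammered; the access log, by contrast, is deliberately complete, because the “report the extent of the breach” obligation is answered from that record, not from the alerts.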
15. Assessing Risk
Several provisions within GDPR mandate security risk assessments on a regular basis.
An IBM i security risk assessment should analyze security in the IBM i environment, comparing system configurations with known security best practices. Key areas that must be covered include, but aren’t limited to:
– System values
– Default passwords
– Disabled users
– Command line users
– Distribution of powerful users
– Library authorities
– Open ports
– Exit-point programs
Many compliance regulations require that assessments be conducted by a person or process independent from the IT staff that manage or otherwise use the system.
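The policy comparison described under “Key Technologies for Tracking Activity / Detecting Violations” and the assessment areas listed above share the same mechanics: collect the current settings, compare them with a written policy, and report every gap. The added Python example below (written for these notes; not from the webcast and not a Syncsort tool) does this over a constructed snapshot of system values and user profiles as of a constructed assessment date, covering the system values, default passwords, disabled users, command line users and powerful-user areas from the list. The policy values (QSECURITY at least 40, QPWDMINLEN at least 8, QMAXSIGN at most 5, QINACTITV at most 30 minutes, QAUDCTL including *AUDLVL and *OBJAUD, QCRTAUT not *ALL, at most two enabled *ALLOBJ profiles, 90 days of inactivity) are assumptions chosen for the example, not recommendations from the page. On a live system the inputs would come from DSPSYSVAL and DSPUSRPRF (or the QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO services), and the default-password flag from ANZDFTPWD, since the password itself is never readable.

```python
from datetime import date

# Constructed snapshot of security-relevant system values; several are weak on purpose.
SYSTEM_VALUES = {
    "QSECURITY": "30",      # security level
    "QPWDMINLEN": "6",      # minimum password length
    "QMAXSIGN": "*NOMAX",   # sign-on attempts allowed before action is taken
    "QINACTITV": "*NONE",   # inactive job time-out, minutes
    "QAUDCTL": "*AUDLVL",   # auditing control
    "QCRTAUT": "*CHANGE",   # default public authority for new objects
}

# The written policy, one rule per system value: (check kind, expected). Assumed values.
POLICY = {
    "QSECURITY": ("min", 40),
    "QPWDMINLEN": ("min", 8),
    "QMAXSIGN": ("max", 5),
    "QINACTITV": ("max", 30),
    "QAUDCTL": ("contains", {"*AUDLVL", "*OBJAUD"}),
    "QCRTAUT": ("not_in", {"*ALL"}),
}
MAX_ALLOBJ_PROFILES = 2   # assumed ceiling on enabled profiles holding *ALLOBJ
STALE_DAYS = 90           # assumed: an enabled profile unused this long is a finding

# Constructed user profile snapshot. default_password mirrors what ANZDFTPWD would report.
USERS = [
    {"name": "QSECOFR", "status": "*ENABLED", "special_authorities": {"*ALLOBJ", "*SECADM", "*AUDIT"},
     "limit_capabilities": "*NO", "default_password": False, "last_signon": "2018-05-09"},
    {"name": "JDOE", "status": "*ENABLED", "special_authorities": set(),
     "limit_capabilities": "*YES", "default_password": True, "last_signon": "2018-05-01"},
    {"name": "BATCHSVC", "status": "*ENABLED", "special_authorities": {"*ALLOBJ"},
     "limit_capabilities": "*NO", "default_password": False, "last_signon": "2017-11-01"},
    {"name": "ALICE", "status": "*ENABLED", "special_authorities": {"*ALLOBJ", "*JOBCTL"},
     "limit_capabilities": "*PARTIAL", "default_password": False, "last_signon": "2018-05-08"},
    {"name": "OLDUSER", "status": "*DISABLED", "special_authorities": set(),
     "limit_capabilities": "*YES", "default_password": False, "last_signon": "2016-02-14"},
]


def finding(area, severity, subject, detail):
    return {"area": area, "severity": severity, "subject": subject, "detail": detail}


def system_value_ok(current, rule):
    """Compare one system value with its policy rule. *NOMAX/*NONE never satisfy a maximum."""
    kind, expected = rule
    if kind == "min":
        return current.isdigit() and int(current) >= expected
    if kind == "max":
        return current.isdigit() and int(current) <= expected
    if kind == "contains":            # list-valued system values are space separated
        return expected.issubset(current.split())
    if kind == "not_in":
        return current not in expected
    raise ValueError(f"unknown rule kind {kind}")


def assess_system_values(values, policy=POLICY):
    findings = []
    for name, rule in policy.items():
        if name not in values:
            findings.append(finding("system values", "high", name, "value not collected"))
        elif not system_value_ok(values[name], rule):
            findings.append(finding("system values", "high", name,
                                    f"current {values[name]}, policy {rule[0]} {rule[1]}"))
    return findings


def assess_users(users, as_of, max_allobj=MAX_ALLOBJ_PROFILES, stale_days=STALE_DAYS):
    findings = []
    enabled = [u for u in users if u["status"] == "*ENABLED"]
    for u in enabled:
        if u["default_password"]:
            findings.append(finding("default passwords", "high", u["name"], "password equals profile name"))
        idle = (as_of - date.fromisoformat(u["last_signon"])).days
        if idle > stale_days:
            findings.append(finding("unused enabled profiles", "medium", u["name"], f"no sign-on for {idle} days"))
    cmdline = [u["name"] for u in enabled if u["limit_capabilities"] != "*YES"]
    if cmdline:
        findings.append(finding("command line users", "medium", ", ".join(cmdline),
                                "LMTCPB is not *YES; confirm each profile needs a command line"))
    allobj = [u["name"] for u in enabled if "*ALLOBJ" in u["special_authorities"]]
    if len(allobj) > max_allobj:
        findings.append(finding("powerful users", "high", ", ".join(allobj),
                                f"{len(allobj)} enabled profiles hold *ALLOBJ, policy allows {max_allobj}"))
    disabled = [u["name"] for u in users if u["status"] == "*DISABLED"]
    if disabled:
        findings.append(finding("disabled users", "low", ", ".join(disabled),
                                "review for deletion; disabled profiles still own objects and hold authorities"))
    return findings


def assess(values=SYSTEM_VALUES, users=USERS, as_of=date(2018, 5, 10)):
    """Full assessment: system value policy gaps followed by the user profile review."""
    return assess_system_values(values) + assess_users(users, as_of)


if __name__ == "__main__":
    for f in assess():
        print(f'[{f["severity"]:6}] {f["area"]:24} {f["subject"]}: {f["detail"]}')
```

Keeping the policy as data rather than as code is what makes the comparison repeatable: the same check runs unchanged against each partition, the result is a list of gaps with the current and expected values side by side, and an independent reviewer can read the policy file to see exactly what was tested, which is what the separation-of-duties requirement on the next slide is asking for.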
16. Key Technologies and Services for Assessing Risk
Self-service risk assessment tool to provide insights into security vulnerabilities for your internal team.
– Doesn’t meet the “separation of duties” requirement
– Gives you an idea where you stand
Risk assessment services to obtain a third-party assessment of all potential security exposures in your IBM i environment. Look for:
– Expertise in IBM i security
– Depth and breadth of analysis
– A detailed report with explanations, recommendations and guidance
– Summary report for management team
17. GDPR as a Competitive Advantage
While addressing IBM i security for GDPR can feel daunting, keep in mind that it can:
– Help you with compliance to other security regulations
– Provide competitive advantages:
  – Goodwill and trust from customers, prospects, vendors, and employees when they recognize your efforts to respect their privacy and security
  – Reduced possibility of fines and impact to your reputation
  – Improved quality of data as individuals take the opportunity to review and update their personal information
  – Expanded partnership opportunities with companies who require GDPR compliance of their partners
18. Syncsort Can Help!
Syncsort offers leading security solutions for IBM i and expert security services for
– Global access control
– Sensitive data protection
– User profile management
– Elevated authority management
– System activity logging
– Security violation detection and alerting
– Policy compliance management
– Security risk assessment
– Managed security services
19. Learn More!
To learn more about Syncsort’s security technologies and services for IBM i, visit http://www.visionsolutions.com/solutions/security/overview
Or contact Syncsort at info@syncsort.com