SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Similar documents
SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

SOLUTION BRIEF HELPING PREPARE FOR RISK ASSESSMENT & COMPLIANCE CHALLENGES FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING ADDRESS GDPR CHALLENGES WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

COMPLIANCE TRUMPS RISK

SOLUTION BRIEF RSA ARCHER AUDIT MANAGEMENT

SOLUTION BRIEF RSA ARCHER PUBLIC SECTOR SOLUTIONS

RSA ARCHER MATURITY MODEL: AUDIT MANAGEMENT

RSA ARCHER INSPIRE EVERYONE TO OWN RISK

SOLUTION BRIEF RSA IDENTITY GOVERNANCE & LIFECYCLE SOLUTION OVERVIEW ACT WITH INSIGHT TO DRIVE INFORMED DECISIONS TO MITIGATE IDENTITY RISK

Fulfilling CDM Phase II with Identity Governance and Provisioning

DATA SHEET RSA IDENTITY GOVERNANCE & LIFECYCLE SERVICES ACCELERATE TIME-TO-VALUE WITH PROFESSIONAL SERVICES FROM RSA IDENTITY ASSURANCE PRACTICE

Enterprise Compliance Management for Credit Unions

WHITE PAPER THE RSA ARCHER BUSINESS RISK MANAGEMENT REFERENCE ARCHITECTURE

RSA. Sustaining Trust in the Digital World. Gintaras Pelenis

Preparing for the General Data Protection Regulation (GDPR)

Preparation Guide to the New European General Data Protection Regulation

Oracle Product Hub Cloud

STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

WHITE PAPER EU General Data Protection Regulation Compliance

RSA Solution for egrc. A holistic strategy for managing risk and compliance across functional domains and lines of business.

Data Protection Policy

Ready for the GDPR, Ready for the Digital Economy Fast-Track Your Midsized Business for the Digital Economy While Addressing GDPR Requirements

RSA Archer Compliance Management 5.2 Webcast

IBM Data Security Services for activity compliance monitoring and reporting log analysis management

BMC - Business Service Management Platform

Appendix A - Service Provider RACI Model

RSA. Archer Risk Intelligence Index

GDPR and Canadian organizations: Addressing key challenges GDPR and Canadian organizations: Addressing key challenges

MATURITY MODEL SNAPSHOT REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

Why You Should Take a Holistic Approach

CENTRE (Common Enterprise Resource)

SAP and SAP Ariba Solution Support for GDPR Compliance

Data protection in light of the GDPR

Third Party Risk Management ( TPRM ) Transformation

7 STEPS TO BUILD A GRC FRAMEWORK ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY

ORACLE SOA GOVERNANCE SOLUTION

Gain strategic insight into business services to help optimize IT.

IBM Smarter Cities Public Safety Emergency Management

Ensuring Organizational & Enterprise Resiliency with Third Parties

WHITE PAPER RSA RISK FRAMEWORK FOR DYNAMIC WORKFORCE MANAGING RISK IN A COMPLEX & CHANGING WORK ENVIRONMENT

1 Privacy by Design: The Impact of the new European Regulation on Data protection. Introduction

WHITE PAPER KEY PRINCIPLES OF INTEGRATED BUSINESS RESILIENCY

EU-GDPR and the cloud. Heike Fiedler-Phelps January 13, 2018

Service management solutions White paper. Six steps toward assuring service availability and performance.

Effects of GDPR and NY DFS on your Third Party Risk Management Program

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

IBM Service Management solutions To support your IT objectives. Create and manage value throughout the entire service management life cycle.

WHITE PAPER THE 6 DIMENSIONS (& OBSTACLES) OF RISK MANAGEMENT

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

EX0-114_Wins_Exam. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0

Security solutions White paper. Effectively manage access to systems and information to help optimize integrity and facilitate compliance.

IT Service Management Foundation based on ISO/IEC20000

A PRACTICAL GUIDE FOR HOW AN ADVERTISER CAN PREPARE FOR GDPR JANUARY 2018

What is GDPR and Should You Care?

White paper Orchestrating Hybrid IT

External Supplier Control Obligations

Gearing up for GDPR Compliance - Practical steps to ensure compliance with the revised data protection regulation. Chris Bernau.

TOP 6 SECURITY USE CASES

ORACLE ADVANCED ACCESS CONTROLS CLOUD SERVICE

IBM Collaboration Solutions Readiness for GDPR IBM Corporation

EXIN ITIL Exam Questions & Answers

ORACLE FUSION FINANCIALS

CFPB Compliance Management Review

ITIL from brain dump_formatted

Data rich governance. Three keys to leading consumer data and information practices. kpmg.com

Planning for the General Data Protection Regulation

TECHNOLOGY brief: Event Management. Event Management. Nancy Hinich-Gualda

STREAM Integrated Risk Manager. ISO Application. How STREAM supports compliance with ISO 27001

Improve Field Performance at A Lower Operating Cost with Oracle Utilities Mobile Workforce Management

Citizens Property Insurance Corporation Business Continuity Framework

Streamline Retail Processes with State-of-the-Art Master Data Governance

Building a Foundation for Effective Service Delivery and Process Automation

Effective Vendor Risk Management. April 21, Mario A. Mosse. This Training is Brought to you by ComplianceOnline. Presenter:

A PRACTICAL GUIDE TO GDPR BREACH NOTIFICATION AND SECURITY REQUIREMENTS

GDPR: Centralize Unstructured Data Governance Across On-premises and Cloud

Strathclyde Partnership for Transport

How to Stand Up a Privacy Program: Privacy in a Box

Aligning IT risk management with strategic business goals

ORACLE FUSION FINANCIALS CLOUD SERVICE

An Introduction to Oracle Identity Management. An Oracle White Paper June 2008

ACHIEVE GLOBAL TRADE BEST PRACTICES

CERT Resilience Management Model, Version 1.2

General Data Protection Regulation Philippe Roggeband. Business Development, Manager, GSSO EMEAR

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits?

PART THREE: Work Plan and IV&V Methodology (RFP 5.3.3)

What Does GDPR Mean for B2B Organizations?

MAXIMIZE PERFORMANCE AND REDUCE RISK

2012 Honeywell Users Group EMEA. Sustain.Ability. John Schofield, Honeywell Improved Reliability, Safety and Compliance with Management of Change

CERT Resilience Management Model, Version 1.2

Data Privacy, Protection and Compliance From the U.S. to Europe and Beyond

Data rich and regulation wary

Implementing ITIL Best Practices

GDPR and Microsoft 365: Streamline your path to compliance

EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU and EEA Francoise Gilbert 1

Sustainable Identity and Access Governance

ISACA San Francisco Chapter

PRODUCT BROCHURE COMPLIANCE MANAGER

2017 IBM Corporation. IBM s Journey to GDPR Readiness

Transcription:

EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR) that takes effect in 2018 will bring changes for organizations that handle personal identifiable information of European citizens. This regulation is intended to strengthen and unify data protection of individuals within the EU, and the export of this personal data outside of the EU. The scope of the GDPR encompasses all European businesses as well as any business that controls or processes personal data related to the delivery of goods and services to individuals in the EU or is designed to monitor their behavior in some way. These requirements apply regardless of where the organization is based. Sanctions for GDPR non-compliance could include: A written warning Periodic audits Fines up to 10 million EUR or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is greater Fines up to 20 million EUR, or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher EU General Data Protection Regulation While there is some time before the EU GDPR is enforced, the significant breadth and complexity of the GDPR warrants starting the compliance strategy planning process now. Non-compliance with GDPR requirements is expected to result in fines up to 4% of an organization s annual world-wide revenue or 20 million Euros, whichever is greater. Without a holistic approach to GDPR compliance, organizations are likely to prematurely exhaust available human and capital resources and take an unnecessarily long time to prepare for the impending regulation. PREPARATION IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling personal data of EU citizens, including: Adopting policies and procedures to ensure and demonstrate that EU citizen personal data is handled in compliance with the regulation Maintaining documentation of all processing operations Assessing electronic and physical data security risk to personal data including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed Implementing appropriate technical and organizational controls to ensure a level of security appropriate to the risk Implementing procedures to verify the effectiveness of the controls which align with the results of the risk assessment Establishing control testing procedures Performing data protection impact assessments on planned processing of highly sensitive personal data Communication with EU citizens at the time information is collected, upon directed inquiry, and delivery of responses Appointment of a Data Protection Officer charged with the responsibility of ensuring the organization s compliance with the EU GDPR requirements 2

EU GDPR requires organizations to utilize a risk-based approach for compliance. To demonstrate compliance, organizations must document: The processes and infrastructure of the organization where EU personal data is handled or resides The processes and infrastructure of the organization where EU personal data is handled or resides The risk assessment of these processes and infrastructure The controls and enforcement policies and procedures to ensure personal data is handled in compliance with the regulation The results of control testing The status of outstanding issues and remediation plans By taking a holistic approach to EU GDPR compliance, you can better understand information security-related risk, how to prioritize investments to more effectively manage risk, establish accountability for risk management, and more quickly respond to identified gaps in the information security control framework. Consolidating these compliance efforts provides the executive team, regulators, and your board of directors with an accurate, real-time picture of the state of EU GDPR compliance across the organization, as well as proof that your organization has fulfilled regulatory obligations. Taking a risk-based approach for EU GDPR compliance requires organizations to: Understand if, where, and how much EU personal information is handled by the organization Have manual and technical controls in place to protect the information from unauthorized access, alteration, and unavailability commensurate with the risk Test manual and technical controls on a periodic basis to ensure they are operating effectively 3 THE RSA ARCHER ADVANTAGE RSA Archer allows your organization to document and evaluate EU GDPR-related infrastructure, policies and procedures, risks, controls, third parties, outstanding issues and remediation plans. You can consolidate this information for relevant business processes to establish a sustainable, repeatable, and auditable EU GDPR compliance program. With RSA Archer, you get a clear view of the organization s state of EU GDPR compliance that allows you to prioritize activities that address the regulation s requirements. The RSA Archer Suite provides several use cases to help your organization address GDPR obligations, including the following options. ISSUES MANAGEMENT RSA Archer Issues Management lays the foundation for your EU GDPR program to manage issues generated from risk and control assessments and audits. You can create a consolidated view and workflow for managing findings, remediation plans, and exceptions. Issues Management also establishes business hierarchy to establish corporate structure for accountability. With an organized, managed process to escalate issues, you get visibility into risks and efforts to close and address those risks in a timely manner. Workflow for proper sign-off and approval of issues, remediation plans, and exceptions ensures identified issues are managed and mitigated. Your organization will see quicker reaction to emerging issues, creating a more proactive and resilient environment while reducing the cost of compliance to GDPR.

IT RISK MANAGEMENT With RSA Archer IT Risk Management, you can comprehensively catalog organizational hierarchies and the business processes and IT assets involved in the handling, processing, storage, and transmittal of EU citizen data. This is done to ensure all business critical connections are documented and understood in the proper context of the regulatory obligations, and establishes the structure to document applicable IT risks in the Risk Register. Pre-built IT risk assessments, threat assessment methodology, and an IT control repository allow you to document and assess the design and effectiveness of applicable IT controls. Streamlined assessments accelerate the identification of IT risks, and the linkage between risks and internal controls eases communication of IT control requirements, reducing GDPR compliance gaps and improving risk mitigation strategies. This agile framework allows your organization to keep up with changing requirements and focus resources on the most impactful IT risks. IT & SECURITY POLICY PROGRAM MANAGEMENT RSA Archer IT & Security Policy Program Management provides the framework for establishing a scalable and flexible environment to document and manage your organization s policies and procedures to comply with the EU GRPR. This includes documenting policies and standards, assigning ownership, and mapping policies to key business areas, objectives, and controls. By implementing an EU GDPR policy program, you can effectively manage the entire policy development lifecycle process in addition to handling policy exceptions, policy reaffirmation and acknowledgement and demonstrating how your control environment complies with your established policies and procedures. IT CONTROLS ASSURANCE RSA Archer IT Controls Assurance provides a framework and taxonomy to systematically document the EU GDPR control universe. You can assess and report on the performance of controls at business hierarchy and business process levels. With streamlined processes and workflow for testing IT controls, you can deploy standardized assessment processes for manual controls and integrate testing results from automated systems. Issues identified during compliance assessments are centralized, with tracking and reporting of compliance gaps and remediation efforts. By improving the linkage between compliance requirements and internal controls, your organization can better communicate and report on EU GDPR compliance obligations using a common taxonomy and language across the organization. 4

THIRD PARTY RISK MANAGEMENT RSA Archer Third Party Risk Management enables you to assess the inherent and residual risk to third parties as it relates to your GDPR obligations. It employs a series of risk assessment questionnaires to be completed by a third party to assess the vendor s internal control environment applicable to the EU GDPR and collect relevant supporting documentation for further analysis. The results are factored into a determination of the organization s residual risk across several risk categories, including compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk. Risk results are depicted for each product and service engagement provided by the third party and rolled up on an aggregated basis to depict your overall risk to the third party. In addition, you can assess contracts you have drafted with third parties to ensure they fulfill the third party s GDPR obligations and provide adequate risk transfer for your organization. Risk assessment findings can be automatically captured and managed as exceptions, and remediation plans can be established, assigned to the responsible individuals, and monitored to resolution. PERMISSION TO PROCESS AND BE FORGOTTEN The EU GDPR requires organizations to obtain permission from EU citizens to process their personal data. It also requires organizations to manage and respond to EU citizen inquiries about if and how they process the citizen s personal data, as well as providing individuals the right to be forgotten. Using RSA Archer on-demand applications, organizations can configure workflow and repositories to collect, document, and process these requirements to ensure permissions are obtained, and inquiries and responses are executed accurately, completely, and in a timely manner. 5

The best thing for me about working with RSA is the fact that, as a control and compliance officer, I have access to all data I need. I can see what s happening, and where the organization has deficiencies I can see what is done to cope with them. I can see whether or not management has accepted things correctly at the right levels and I can execute my control tasks much easier than in the past. Jans Jans Control & Compliance Officer, Rabobank MATURING YOUR GDPR PROGRAM Once your organization has mastered the initial GDPR program requirements, you can apply additional RSA Archer use cases to mature your program to address more specific risk and compliance elements, including: Security Incident Management - Implement a structured process for investigating, escalating and resolving cyber incidents. IT Security Vulnerabilities Program Proactively manage cybersecurity risks by combining actionable cyber threat intelligence, security vulnerability assessment results, and business context on the criticality of IT assets. Security Operations & Breach Management - Centrally catalog IT assets for incident prioritization based on business context, monitor key performance indicators, measure control efficacy, and manage the overall security operations team, and focus on the most impactful incidents to lower overall security risk and react promptly and appropriately to data breaches. Business Continuity and IT Disaster Recovery Planning Ensure you have the established resiliency required by the EU GDPR by documenting and testing business continuity and IT disaster recovery plans for business processes, locations, IT applications and infrastructure, and information assets, thereby enabling you to respond swiftly in crisis situations to minimize disruptions and protect your ongoing operations. Key Indicator Management - Establish and monitor key indicators associated with EU GDPR compliance. Associate indicators with risks, controls, strategies and objectives, products and services and business processes to monitor quality assurance and performance Third Party Catalog - Catalog your suppliers, partners, service providers and other third parties related to your EU GDPR compliance obligations. Third Party Engagement - Capture important details related to the products and services delivered by third parties, including contracts, perform risk assessments and monitor performance to SLAs. Organizations employ a third line of defense to independently validate the design and effectiveness of their internal control frameworks. RSA Archer Audit Management solutions alongside the above use cases offer a mechanism to validate that your organization has fulfilled its EU GDPR obligations. Audit Engagements and Workpapers - Efficiently perform audit engagements, maintain workpaper documentation, and provide consistent and timely reporting on audit results. 6

Audit Planning & Quality Plan your GDPR audits by identifying, defining and assessing the risk of your auditable entities across the organization. Automatically integrate management risk and control information to ensure audit objectives are aligned with your risk and compliance priorities. CONCLUSION EU GDPR compliance to protect personal information of EU citizens will be a complex and time consuming undertaking for most organizations. RSA Archer can help your organization establish the necessary framework to comply with this regulation by implementing a business-driven approach to security, ensuring your risk and control framework is accurate, complete, and protected from theft, destruction, or interruptions. Copyright 2017, Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA. 5/17 Solution Brief H15676-1 7 Dell Inc. or its subsidiaries believe the information in this document is accurate as of its publication date. The information is subject to change without notice.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback