Data is the lifeblood of today's modern global economy. As a multi-national company with offerings that enable businesses to run better, we have a responsibility to secure our customers' data while remaining compliant. This blog is an overview of how SAP supports our customers' data security and data privacy by following standards, establishing policies, and remaining compliant with security layers.
Data security and data privacy are important elements of SAP's security strategy. Data security ensures the confidentiality, integrity, and availability of data and lays the foundation for information security and privacy. Privacy refers to the proper use of data — companies should only use the data they collect for agreed purposes.
There are also various types of data that need to be secured. Personally Identifiable Information (PII), Sensitive Personal Information (SPI), and Personal Data are terms that refer to any information relating to an identified or identifiable natural person. A data subject is any individual whose personal data is collected.
A data controller is a person or entity that collects and manages personal data. A data processor is any person (other than an employee of the data controller) who processes data on behalf of the data controller.
Compliance with data privacy regulations is a shared responsibility between cloud providers and customers. In a cloud environment, the customer is the controller and SAP is the processor. While there are no established global standards for data privacy, countries, states, and organizations have developed their own data privacy standards that companies must follow to remain compliant. Some well-known regulations include the US Health Insurance Portability and Accountability Act (HIPAA), which sets national standards for protecting individual health information, and the European Union General Data Protection Regulation (GDPR), which is a regulation on data protection and privacy.
All privacy regulations follow the same core principles: demonstration of compliance, lawful processing, breach notification, accountability, and individual rights. However, each individual privacy regulation may require specific controls to fulfill those core principles.
SAP's Security Privacy Framework is based on standards created by regulatory and non-regulatory bodies that ensure our customers' data is secure. The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce whose mission is to promote innovation and competitiveness. NIST has created standards for various industries, including Information Technology. The International Organization for Standardization (ISO) is a Swiss-based organization that has developed standards to ensure a safer, cleaner, and more efficient world. SAP takes guidance from the NIST Cybersecurity Framework for our Global Security Policy and is certified in several ISO standards.
SAP's well-established data privacy and data security controls come together to create the SAP Security Privacy Framework. Our Security Privacy Framework consists of the following layers: Foundation, Best Practices, Events, Privacy, and Transparency. Each layer is based on different ISO certifications and other data privacy regulations.
The Foundation layer covers the basic aspects of the Security Privacy Framework and consists of standards concerning Information Security Management, Codes of Practice, and Certification. The ISO/IEC 27000 standard covers the security of all forms of information, including physical security, compliance, networks, operations, etc. SAP leverages this standard to ensure it covers all forms of security for our cloud products. The Code of Practice, included in ISO/IEC 27002, establishes four administrative standards and security controls for 14 security domains. Certification (ISO/IEC 27001) ensures the security controls in the Code of Practice are adapted to keep pace with current security threats, vulnerabilities, and business impacts. SAP is audited by KPMG, a third-party auditor that issues custom ISO certificates for each SAP cloud application.
We also have other standards that build on the Foundation mentioned above. These standards include, but are not limited to, Quality Management (ISO/IEC 9000), Service Delivery (ISO/IEC 20000), and Business Continuity (ISO/IEC 22300). Quality Management Standards are designed to help organizations meet their customers' needs while remaining compliant. SAP Support, SAP Development, and some SAP cloud solutions are certified to this standard. Service Delivery Standards were developed to reflect best practices in the IT Service Management Framework. Finally, Business Continuity Management standards were created to help companies continue operations in the event of a disaster, such as a cyber incident.
Many SAP cloud solutions are multi-tenant, so knowing who is accessing what data is important for Incident Response. The Events layer is based on the Incident Management standard (ISO/IEC 27035). This standard focuses on assessing, reporting, and responding to cyber incidents and on improving the overall incident management process. The goal is to minimize the impact on business operations if a cyber incident occurs.
SAP has data privacy controls in place so we can fully protect our customers' data and ensure they remain compliant. SAP is certified in the British Standard (BS) 10012 and ISO/IEC 27018, both of which are specific to data privacy. BS 10012 is a British legal standard created to safeguard the privacy of SPI held by companies. It also outlines what you can and cannot do with the data and provides guidance on how to communicate with data subjects about that information. ISO/IEC 27018 is specific to cloud providers because the standard is about processing private information with the public cloud acting as a processor. SAP also follows the GDPR framework, which provides personal data protection for European Union citizens, and the Standard Contractual Clauses (SCC) in data processing agreements.
The final part of the SAP Security Framework is Transparency. SAP wants to operate in a way that informs customers about the actions taken to protect the confidentiality, integrity, and availability of their data stored in SAP systems. KPMG publishes our audit reports and provides the System and Organization Controls (SOC) report. SOC reports are a way for customers to verify that SAP is following best practices and remaining compliant.
The SAP Security Framework embodies a defense-in-depth security philosophy and aims to provide the highest level of security for our customers. We will continue to find ways to improve our policies and follow industry best practices to secure our customers' data.