Those of you who work with the personal data of European citizens will be familiar with the GDPR (General Data Protection Regulation).
If not, take a look at Manoj Patel’s word image and GDPR quick fact posts for an overview.
If your organisation has links to Europe, you have until the enforcement date, 25th May 2018, to establish whether and how you must comply (some exemptions apply). See ZDNet’s article, “How Europe’s GDPR will affect Australian organisations”, for more information about how it might affect your business.
Key requirements include security measures: in short, personal data must be protected in line with the GDPR’s privacy/security by design and by default obligation. Other requirements concern how you protect personal data through prevention, assessment, and monitoring.
So, how DO you ensure data flows securely through your SAS platform?
Data Security Governance
The data security section of the GDPR requires privacy/security by design and by default, so that data is secured from the inception of an application or system. Security and privacy need to be considered during the planning phases, not during development (or even later). In practice, however, the security plan and model for a SAS 9 implementation is usually designed only after installation.
In light of GDPR we need to be asking ourselves:
- Is the security model maintained and assessed weeks, months, or years later as changes are made?
- In an enterprise-wide SAS 9 deployment, can the business ensure there is a level of security appropriate to the risk?
- Are you able to provide reports and risk levels to authorities?
- Do you have clear processes, documentation, and auditing in place?
- Is there data security governance?
Earl Perkins, Research VP at Gartner, has said, “Companies should move towards a mindset that embraces governance and show some formalism in securing their data”. With GDPR, we believe this means establishing a process for:
- regular security testing
- assessment of the effectiveness of the security practices and solutions that are in place.
At Metacoda, our Metadata Security Testing Framework can help to ensure your SAS 9 platform:
- conforms to well-known SAS security best practices
- is tested regularly
- remains compliant with the business’s security requirements
To find out how we can help with your GDPR data security governance requirements with your SAS platform, see the following presentation we gave at a Brisbane SAS user group meeting: How will the EU General Data Protection Regulation (GDPR) impact you? Keep your SAS data assets and platform secure.
SAS 9 Security Best Practices
There are several SAS 9.4 security best practice papers available in the SAS admin community. One of the authors, David Stern, describes how the Metacoda Identity Sync plug-in can help with synchronising Active Directory identities. We can also help SAS customers ensure their SAS platforms conform to these best practice rules and are tested regularly. Paul Homes’ technical blog post explains how to use the Metacoda Metadata Security Testing Framework for this purpose.
SAS Security Implementation Testing
Answering internal and external compliance audit requests in a timely manner demonstrates a well-maintained and organised environment. This, in turn, increases the auditor’s confidence that the platform is secure and well managed. Metacoda can help SAS customers keep their platforms secure with regular metadata security implementation testing; in particular, it helps answer the questions “Who has access to what?” and “Is this correct?”. Once the platform is as secure as the business expects, security tests can be implemented and run regularly, and any non-compliance or change to the security model triggers an alert for assessment and rectification.
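To make the “Who has access to what?” / “Is this correct?” test concrete, here is an added example (not Metacoda’s or SAS’s code) of the underlying technique: flatten a business-approved, group-based access model into expected per-user permissions, compare it against a snapshot of effective permissions, and report every excess or missing grant as drift. The snapshot layout, group membership, object paths, permission names and identities are all constructed for this example; an administrator would feed in an export from the metadata server or directory instead.

```python
"""Security implementation test: expected access model vs. actual snapshot.

Constructed example. The data shapes below are assumptions, not SAS or
Metacoda interfaces: an export from a real platform would be mapped into
the same dict-of-dicts form before calling find_drift().
"""
from dataclasses import dataclass

# Constructed group membership (group -> members), as exported from the
# metadata server or the directory it is synchronised with.
GROUP_MEMBERS = {
    "Finance Analysts": {"alice", "bob"},
    "HR Analysts": {"carol"},
    "SAS Administrators": {"sasadm"},
}

# The model the business signed off: object -> {principal: permissions}.
# Principals may be groups or individual users.
EXPECTED = {
    "/Finance/Payroll": {
        "Finance Analysts": {"ReadMetadata", "Read"},
        "SAS Administrators": {"ReadMetadata", "WriteMetadata", "Read"},
    },
    "/HR/Employees": {
        "HR Analysts": {"ReadMetadata", "Read"},
        "SAS Administrators": {"ReadMetadata", "WriteMetadata", "Read"},
    },
}

# Constructed snapshot of *effective* per-user permissions. Deliberate drift:
# bob has gained WriteMetadata, dave appears with no model entry at all, and
# carol has lost Read on the HR table.
ACTUAL = {
    "/Finance/Payroll": {
        "alice": {"ReadMetadata", "Read"},
        "bob": {"ReadMetadata", "Read", "WriteMetadata"},
        "sasadm": {"ReadMetadata", "WriteMetadata", "Read"},
        "dave": {"ReadMetadata", "Read"},
    },
    "/HR/Employees": {
        "carol": {"ReadMetadata"},
        "sasadm": {"ReadMetadata", "WriteMetadata", "Read"},
    },
}


def expand_expected(expected, group_members):
    """Flatten the group-based model into the 'who should have access to
    what' view: object -> {user: permissions}. A principal that is not a
    known group is treated as an individual user."""
    per_user = {}
    for obj, grants in expected.items():
        users = per_user.setdefault(obj, {})
        for principal, perms in grants.items():
            for user in group_members.get(principal, {principal}):
                users.setdefault(user, set()).update(perms)
    return per_user


@dataclass(frozen=True)
class Finding:
    obj: str
    user: str
    kind: str          # "excess": has more than the model; "missing": has less
    perms: frozenset   # the permissions that differ


def find_drift(expected_per_user, actual):
    """Compare expected and actual per-user permissions object by object.
    Users present on only one side are compared against an empty set, so an
    account with no model entry (like dave) shows up as pure excess."""
    findings = []
    for obj in sorted(set(expected_per_user) | set(actual)):
        exp = expected_per_user.get(obj, {})
        act = actual.get(obj, {})
        for user in sorted(set(exp) | set(act)):
            e, a = exp.get(user, set()), act.get(user, set())
            if a - e:
                findings.append(Finding(obj, user, "excess", frozenset(a - e)))
            if e - a:
                findings.append(Finding(obj, user, "missing", frozenset(e - a)))
    return findings


def report(findings):
    """One alert line per finding; an empty list means the model holds."""
    if not findings:
        return "OK: effective permissions match the approved model"
    return "\n".join(
        f"DRIFT {f.kind:7s} {f.user:8s} {f.obj}: {', '.join(sorted(f.perms))}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(find_drift(expand_expected(EXPECTED, GROUP_MEMBERS), ACTUAL)))
```

Run on a schedule, an empty finding list is the “Is this correct?” answer an auditor wants to see, and any non-empty list is the alert the text describes; excess grants are the ones to chase first, since they widen access beyond what the business approved.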
If you are a security conscious organisation, you’ll be taking security auditing beyond basic compliance. A program of robust periodic reviews not only ensures a smooth audit, it strengthens the overall security program. In addition to monitoring implementation compliance, SAS customers can review how well their security programs are adhering to established best practices when performing periodic security audits.
Fail Securely
As Bruce Schneier advised in his April 2000 article, The Process of Security, it is important to ‘fail securely’. Design your networks so that when products fail, they fail in a secure manner. For instance, “When an ATM fails, it shuts down; it doesn’t spew money out its slot”.
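What “fail securely” looks like in code, as an added example that is not from the page or from Schneier’s article: an access check whose permission store (directory, metadata server, ACL file) can become unreachable or return a malformed entry. The fail-open version lets that failure turn into access; the fail-closed version starts from deny and only an explicit positive answer changes it. The store, its exception and the permission names are constructed for the example.

```python
"""Fail-open vs. fail-closed access checks (constructed example)."""
import logging

log = logging.getLogger("authz")


class StoreUnavailable(Exception):
    """Constructed: raised when the permission store cannot be queried."""


# Constructed permission store: (user, resource) -> set of permissions.
PERMISSIONS = {("alice", "/Finance/Payroll"): {"Read"}}


def lookup_permissions(store, user, resource):
    """Simulated backend call. A None store stands in for an outage."""
    if store is None:
        raise StoreUnavailable("permission store unreachable")
    return store.get((user, resource), set())


def is_allowed_fail_open(store, user, resource, perm):
    """INSECURE: the error path grants access, so an outage of the store
    (or a malformed entry that happens to contain the substring) becomes
    an authorisation bypass for everyone. This is the ATM spewing money."""
    try:
        perms = lookup_permissions(store, user, resource)
    except StoreUnavailable as exc:
        log.warning("lookup failed, allowing %s on %s: %s", user, resource, exc)
        return True  # fails open
    return perm in perms  # also 'works' on a str entry, e.g. "Read" in "Read"


def is_allowed_fail_closed(store, user, resource, perm):
    """Fail securely: the default answer is deny. Only a well-typed, explicit
    grant flips it, and any exception, including ones we did not anticipate,
    leaves it at deny and is logged for the operators to act on."""
    allowed = False
    try:
        perms = lookup_permissions(store, user, resource)
        # Reject malformed entries (e.g. a bare string) instead of guessing.
        allowed = isinstance(perms, (set, frozenset)) and perm in perms
    except Exception as exc:  # broad on purpose: unknown failure means deny
        log.error("lookup failed, denying %s on %s: %s", user, resource, exc)
    return allowed


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for check in (is_allowed_fail_open, is_allowed_fail_closed):
        print(check.__name__, "during outage:",
              check(None, "bob", "/Finance/Payroll", "WriteMetadata"))
```

The same shape applies beyond a single function: a SAS platform whose metadata server, authentication provider or audit log is down should refuse or queue work, not silently serve it without the usual checks.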
Can you be confident that you’ll fail securely with your SAS 9 platform? Does your environment have data privacy/security by design and by default? Contact us or Register for an evaluation to find out how we can help keep your SAS 9 platform secure.
Further resources:
- European Commission: Data Protection
- General Data Protection Regulation: A Short Guide to Data Security in the GDPR
- Australian businesses and the EU General Data Protection Regulation – good summary table at the end
- GDPR: Comply while staying Competitive
- SAS solution to GDPR
- SAS Webinar Series in September 2017 – GDPR in Action: from ‘what’ to ‘how’
- 6th July 2017 GDPR Twitter chat – #GDPR #SASchat