Privacy and Security Assessment. Technical Security and Data Privacy in a Single Process.
- Philip Stevenson
Deutsche Telekom AG, Friedrich-Ebert-Allee 140, D Bonn
Contents.

- Technical Security and Data Privacy at Deutsche Telekom
  - Foreword
- Privacy and Security Assessment
  - Scope of validity
  - Objectives
  - Consulting approach
  - Interrelationship between project and system level
  - Benefits of the process
  - Opinions on the process
- Annex
  - Glossary
  - Publication details / Contact
Foreword

Technical Security and Data Privacy at Deutsche Telekom.

Dear Readers,

This brochure is designed to explain the Privacy and Security Assessment process (PSA process), a core element in safeguarding technical security and data privacy at Deutsche Telekom.

One of the main objectives of the Data Privacy, Legal Affairs and Compliance (DRC) Board of Management department is to ensure a suitable level of security and data privacy. Since the DRC department was set up, our two Group IT Security (GIS) and Group Privacy (GPR) units have been cooperating increasingly in this Board of Management department. The technical and organizational requirements of GIS and GPR are closely linked in terms of content. Against this background, we developed the PSA process in 2009, with the common goal of integrating the fulfillment of technical security and data privacy requirements at an early stage in the relevant Deutsche Telekom development processes.

The new standardized process implements security and data privacy requirements as part of product and system development, thus ensuring greater transparency, improved project support as well as a suitable level of protection for our products. The PSA process has enabled us to put in place the foundation for uniform support in relation to security and data privacy issues.

All development projects that create or change IT or NT systems are categorized, taking into account the data being processed, attack vulnerability from the public Internet (hereinafter referred to as criticality) as well as complexity. Security and data privacy experts provide ongoing consulting and review functions for highly critical and complex projects. Before such projects go live, they need to be explicitly approved. Standardized requirements are provided for less complex and less critical projects. These requirements enable the responsible employees themselves to achieve a suitable level of security and data privacy. This is confirmed by a Statement of Compliance, which is archived for documentation purposes.

In 2010, the PSA process was integrated into the key product and system development processes in Germany as well as on a cross-functional Group level. More than 2,000 projects undergo the PSA process every year. In future, the process will also be applied at Deutsche Telekom's international subsidiaries.

The PSA process already enjoys a high level of acceptance throughout the entire Group. It received the seal of quality according to the internationally recognized ISO certificate and has also served as a role model outside the company.

Yours,

Dr. Stefan Pütz, Dr. Kornel Knöpfle
PSA process owners for technical security and data privacy

Dr. Stefan Pütz, PSA process owner for technical security

Stefan Pütz has been head of Production Infrastructure Security within Group IT Security (GIS) in the Data Privacy, Legal Affairs and Compliance Board of Management department since Together with Dr. Kornel Knöpfle, he is responsible for the PSA process and manages its further development from a security perspective. Stefan Pütz started out at Deutsche Telekom in 1997 and has since been in charge of various technical security areas. He studied electrical engineering, specializing in communications engineering, at the University of Siegen and completed a doctorate in the security of modern mobile communications systems.

Dr. Kornel Knöpfle, PSA process owner for data privacy

Kornel Knöpfle has been working for Deutsche Telekom since He has been in charge of Privacy Audit & Technical Knowhow Management within Group Privacy (GPR) in the Data Privacy, Legal Affairs and Compliance Board of Management department since April Together with Dr. Stefan Pütz, he has developed the PSA process, which he supports from a data privacy perspective. Prior to this, Kornel Knöpfle spent several years at T-Online International AG in Darmstadt, holding various management posts in the IT Strategy and IT Security department. Kornel Knöpfle has a doctorate in physics from the Technical University of Darmstadt.
Scope of validity.

Summary
- Integration of security and data privacy in product and system development.
- Consulting, documentation and approval regarding technical security and data privacy.
- PSA mandatory in Germany; international roll-out in

The PSA process standardizes key activities in the area of technical security and data privacy, and governs the creation of security and data privacy concepts for IT or NT systems. The process is also used to provide support and advice from GIS and GPR experts, as well as to ensure approval of systems from a security and data privacy law perspective.

The PSA process is used in product or system development when new systems are created or existing systems are updated technically or in terms of the type of data processing. Typically, new systems are created or systems are updated in the course of versioning (new release). This process ensures that the changes caused by the new version are adapted in the data privacy and security concept. The PSA process can be used on all IT or NT systems, regardless of their range and complexity.

The new PSA process completely replaces all older requirements for drawing up security and data privacy concepts. However, in order to ensure a smooth transition from the old to the new process, existing security and data privacy concepts continue to apply until the end of Up to this point, managers can decide whether to continue applying the old concepts or to switch to the new ones.

The use of the PSA process is mandatory for all German companies as well as for all Deutsche Telekom common projects, provided they are to be managed from Germany. In the course of 2011, the PSA process will be gradually rolled out in the Deutsche Telekom international subsidiaries in close cooperation with the IT and technology units in a form geared to local circumstances. The roll-out will be conducted jointly with the Corporate IT security organization.

Figure: International roll-out of the PSA process (map legend: roll-out complete; roll-out in the pipeline).
Objectives.

Summary
- Safeguarding a uniform, suitable level of security and data privacy.
- Integrated process for technical security and data privacy.
- Project support level according to project complexity and criticality.

GIS and GPR establish important fundamentals within Deutsche Telekom for reliable products that also satisfy strict requirements for security and data privacy. They have introduced the PSA process jointly in order to ensure that all development projects within the Group can satisfy requirements for technical security and data privacy.

Group IT Security (GIS)
GIS is responsible for technical security within Deutsche Telekom. Therefore a suitable level of security needs to be defined and implemented using suitable measures.

Group Privacy (GPR)
GPR determines the Group's strategic alignment in terms of data privacy and defines the requirements from a legal, technical and organizational perspective. It also represents the Group in all data privacy matters, both internally and externally.

The new process addresses the following aims:
- A consistent and adequate security and data privacy level in all products, systems and platforms that are updated or created from scratch.
- An integrated process for technical security and data privacy as a component of the product and system development processes.
- A support level adapted to project complexity and criticality through the introduction of categorization at the start of each development project.

Deutsche Telekom operates several thousand different IT systems and network platforms. This makes integrating security and data privacy in a single process a huge challenge. These IT systems and network platforms are designed, implemented and constantly developed further via a host of different processes as well as through the involvement of functional and technical stakeholders. It is an extremely complex undertaking to set up a single procedure ensuring technical security and data privacy throughout the entire system landscape. Additionally, this new procedure has to be integrated functionally into the existing development processes.
Consulting approach.

Summary
- Integration in the product and system development processes.
- Categorization in terms of security and data privacy relevance.
- Approval prior to live operation.

The following drawing describes the PSA process methodology along a generic development process. It explains the integration in the development process as well as the differences that result depending on the particular project categorization.

Figure: The PSA process at a glance (phases: initial idea, feasibility study, detailed design, realization, operation; gates: start of project, live operation; categorization A, B, C; activities: assign consultant and requirements, identification of requirements, creation of security and data privacy concept (SDSK), project consulting concerning SDSK, approval, self declaration / review by local security organizations, sample tests).

Integration in the development processes.

The PSA process is integrated into Deutsche Telekom's main development processes, which basically follow the generic model of a development process presented here (initial idea, feasibility study, detailed design, realization, operation). At the decision gates between each process step, a decision is made as to whether the next process step is to be taken. This requires an explicit gate decision by the responsible management.

The PSA process is linked to the decision gates at the start of the project and at the launch of live operation. At the start of the project, in the idea generation phase, the project is categorized in terms of its security and data privacy relevance. At the end of the realization phase, i.e., before the launch of live operation, the PSA process must have been completed successfully. As such, all necessary approvals must be in place. If live operation is subject to certain conditions, the resulting measures must be implemented by the time the project is completed. If GIS and GPR are not directly involved in consulting the project, the effectiveness of the PSA process is tested on a sample basis.

Project categorization.

Before the decision gate for the start of the project, a project manager categorizes his project using a categorization tool. This tool assigns the project to one of three categories (A, B, C) according to the criticality and complexity of the requirements resulting from the project in terms of technical security and data privacy. The category defines the level of detail at which the project is advised and approved. The categorization is based on characteristics such as processing of particularly sensitive data, the complexity of the platforms or systems, or the strategic and financial significance of the products.

Relevance and level of support of the projects.

- Category A (distribution by percent*: 46 %): High relevance, as projects are complex and/or critical. The project is supported, advised and approved directly by security and/or data privacy experts from GIS and GPR.
- Category B (distribution by percent*: 35 %): Relevant, but projects are less complex with less sensitive data. Standard requirements are implemented by the project teams themselves, with support from local security organizations if required. Approval is given through a self-declaration by the project manager and, if appropriate, is reviewed by local security organizations; GIS and GPR review these approvals on a sample basis.
- Category C (distribution by percent*: 19 %): No changes or generally irrelevant. The projects do not result in any changes relevant for security and/or data privacy. No approval is required; GIS and GPR review the project categorizations on a sample basis.

* Distribution of the categorization in
Interrelationship between project and system level.

Summary
- Documentation of project categorization and approval in the PSA template.
- Documentation of implementation of security and data privacy requirements and approvals in the SDSK.

The PSA process is based on two central documents: the PSA template and the standardized data privacy and security concept (SDSK).

PSA template.

The PSA template is the form used to document the project categorization and approval. It is prepared by the project manager at project level. Project approval is generally only given and documented in the PSA template once all systems have been approved. As such, the approval of all systems in the PSA template is the prerequisite for project approval for live operation.

SDSK.

The SDSK is drawn up and updated for each system by the system owner. The system owner is responsible for ensuring the respective system meets the requirements for technical security and data privacy. He documents the implementation of security and data privacy requirements at IT or NT system level as well as their approval or self-declaration in the SDSK. The role and area of responsibility of the system owners are not dependent on specific projects and apply for the entire life cycle of a system.

Figure: PSA template (Privacy and Security Assessment, documentation on project categorization and approval). Sections: project information; categorization; privacy assessment and security assessment, each with approval (category A) or self declaration (category B) marked unconditional, conditional* or not issued*; confirmation of data privacy and security system approvals for new or modified IT/NT systems.
* If an approval is rejected or has only been issued with conditions, then please attach an informal document to this template (or embed it electronically) which documents the respective conditions or justifies the rejection.

Notes on the PSA template.
1. Documentation of project categorization and approval by the project manager, the security and data privacy experts from GIS and GPR or the local security and data privacy units.
2. List of newly created or modified IT or NT systems concerned including approval status.

Notes on the SDSK.
1. The SDSK consists of:
   - System description
   - Data privacy information
   - Authorization concept
   - Requirements catalogs
   - Action plan
   - System categorization
2. Since the SDSK is maintained over the entire lifecycle of a system, it includes the update of the particular releases, including the release status.

Figure: Standardized Data Privacy and Security Concept (SDSK) form. Sections: system information; documentation on the SDSK (system description, authorization concept, data privacy info, requirements catalog, action plan, categorization); change history with the data privacy and security approval or self declaration status per system release.
* A system approval is not required if no data privacy or security-relevant changes are made with the release of the IT/NT system.
Benefits of the process.

Summary
- Greater structure and transparency of security and data privacy work.
- Suitable level of security and data privacy thanks to standardized procedural model.
- Greater efficiency thanks to early integration.

The roll-out of the Privacy and Security Assessment (PSA process) gives more structure and transparency to Deutsche Telekom's security and data privacy work. The process gives development projects a uniform and suitable level of security and data privacy, which is documented efficiently in standardized templates.

Project support for technical security and data privacy is provided along a uniform procedural model. This procedural model helps to ensure that all security and data privacy requirements are identified early on. Prompt integration has the advantage of preventing costly reworking and unnecessary compromises.

The benefits of the PSA process at a glance.

- Consistency: Technical security and data privacy are reviewed and evaluated based on uniform requirements and criteria.
- Reduction in effort: Redundant documentation is minimized as a result of uniform, standardized templates.
- Timeliness: Integration into development processes ensures technical security and data privacy are incorporated into the relevant topics at an early stage.
- Optimization of resources: Project prioritization ensures that critical, complex projects are supported by experts from GIS and GPR. It also prevents projects from possibly having to be stopped before going live as a result of GIS and GPR involvement that is too late. Thanks to the project categorization, GIS and GPR can optimally focus the level of consulting for technical security and data privacy on the key issues, and hence sustainably support rapid project work.
- Reliable implementation: The modular, requirement-based approach enables the project teams to ensure implementation.
Opinions on the process.

External opinions on the PSA process

Bernhard Petri, Nokia Siemens Networks GmbH & Co KG, Head of CTO Security Team Munich:
"Deutsche Telekom developed the PSA process to ensure compliance with security and data privacy specifications in products, systems and platforms. Thanks to its security specifications, the process fully covers issues of technical security and ensures implementation of secure solutions in the Deutsche Telekom network. The PSA process is well thought-out and important. The PSA process provides NSN as a telecommunications vendor with a process that complements its own security processes and supports rapid project acceptance."

Monika Wojtowicz, LL.M., TÜV Informationstechnik GmbH, TÜV NORD group of companies, Head of the TÜV Data Protection and Evaluation Center:
"As part of our data privacy audit and certification, the SDSK was submitted to us as documentation and as the basis for the audit. Deutsche Telekom is way above the general standard with this consolidated documentation of data privacy and security aspects and the technical/organizational measures implemented. Based on our long-standing experience in auditing and certification, the SDSK is an extremely positive development."

Peter Rothfeld and Ingo Vasen, external auditors at DQS GmbH, Deutsche Gesellschaft zur Zertifizierung von Managementsystemen, as part of ISO certification:
"As part of ISO certification of Deutsche Telekom's centralized security management, the PSA process was also presented as a service process provided by Group IT Security. The process was rated positively in the certification process as a good, sensible way of prioritized processing of development projects in respect of data privacy and security. The PSA process ensures that the security requirements for IT and NT systems developed by Group IT Security are taken into account in the IT and NT projects and actively supported by Group IT Security as part of the associated operational implementation."

Internal opinions on the PSA process

Dr. Ralf Schneider, Chief Compliance Officer, Telekom Deutschland GmbH:
"Technical security and data privacy are crucial to the commercial success of Telekom Deutschland GmbH. That's why exacting requirements need to be made of their implementation. The Privacy and Security Assessment process is a key component in meeting these requirements. As Chief Compliance Officer at Telekom Deutschland I therefore emphatically welcome this standardized process as it contributes to our compliance with legal provisions and internal guidelines, helping ensure the reputation of our company is not tarnished."

Boris Riese, Head of Group Audit Information & Communication Technology, Deutsche Telekom:
"The PSA process involves the rollout of an entirely logical, process-oriented model, which systematically envisages for the first time the inclusion of security and data privacy requirements as part of system implementations and modifications as an integral component of the development processes. I therefore explicitly welcome it and wish all my colleagues a great deal of success."

Andreas Hörnes, Head of Competence Center Subscriber Data Management, Group Technology, Deutsche Telekom:
"The PSA process is extremely important from a security and data privacy perspective, especially for a system platform such as the CNTDB (Common Network Technology Data Base) with centralized subscriber data storage. At the end of the process you have a platform that is certified in accordance with security and data privacy requirements. The PSA process offers a harmonized, standardized procedural model for creating security and data privacy concepts; the modular structuring of platform documentation reduces the cost in the case of subsequent changes managed by projects. In addition to this valuable, compact platform and project documentation, the data privacy and security concept also provides an agreed roadmap for further improvement measures."
Annex.

Glossary.

- Action plan: Documentation of measures through which the requirements will be met in future
- Authorization concept: Description of roles and access rights
- Data privacy information: Description of the purpose of processing personal data or data that can be traced back to a given individual in the IT / NT system concerned
- DRC: Data Privacy, Legal Affairs and Compliance Board of Management department
- GIS: Group IT Security
- GPR: Group Privacy
- IT or NT system: Systems that process or transmit information in electronic form. These generally consist of a number of computer systems or network elements with the same or similar purpose, e.g. servers, IT or NT networks and platforms
- PSA: The PSA process is intended to ensure a suitable level of data privacy and security
- Requirements catalogs: Documentation of the degree of compliance with technical security and data privacy requirements
- SDSK: Standardized data privacy and security concept
- System description: Documentation of the responsibilities, along with functional and technical system description

Publication details.

Deutsche Telekom AG
Group IT Security / Group Privacy
Friedrich-Ebert-Allee 140
D Bonn, Germany
Design: HGB Hamburger Geschäftsberichte GmbH & Co. KG
Last revised: March 2011

Contact.

Group IT Security: SecurityDemandManagement@telekom.de
Group Privacy: datenschutz@telekom.de
More informationRisk management Risks firmly under control. CP-Risk is a module of the Corporate Planning Suite.
Risk management Risks firmly under control CP-Risk is a module of the Corporate Planning Suite. RISK IDENTIFICATION, ASSESSMENT, ANALYSIS, AND MONITORING Systematic risk management. Risk management includes
More informationCorporate Governance report and statement
32 www.leoni.com Corporate Governance report and statement Corporate Governance at LEONI LEONI is committed to maintaining responsible and transparent corporate governance, the basis of which consists
More informationWhite Paper Case Study: How Collaboration Platforms Support the ITIL Best Practices Standard
White Paper Case Study: How Collaboration Platforms Support the ITIL Best Practices Standard Abstract: This white paper outlines the ITIL industry best practices methodology and discusses the methods in
More informationSubject: 1268-1 Information Technology Configuration Management Manual
Form 1221-2 (June 1969) UNITED STATES DEPARTMENT OF THE INTERIOR BUREAU OF LAND MANAGEMENT Release 1-1741 Date MANUAL TRANSMITTAL SHEET 06/19/2012 Subject: 1268-1 Information Technology Configuration Management
More informationOpinion Paper. Capex Management. In Collaboration with Subex
Opinion Paper Capex Management In Collaboration with Subex Table of Contents 1 Introduction... 3 2 Aligning CTO and CFO views... 4 3 Capex optimization recommendations and tools... 5 4 The Authors... 9
More informationUNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework
UNOPS UNITED NATIONS OFFICE FOR PROJECT SERVICES Headquarters, Copenhagen O.D. No. 33 16 April 2010 ORGANIZATIONAL DIRECTIVE No. 33 UNOPS Strategic Risk Management Planning Framework 1. Introduction 1.1.
More informationGlobal Material Master Data Management at Merck. Combining innovative solutions with a collaborative approach. Statement
CAMELOT management Consultants Customer Success Story Global Material Master Data Management at Merck Combining innovative solutions with a collaborative approach Merck has emphasized and given priority
More informationFrom the P&L and the balance sheet to the cash flow statement.
From the P&L and the balance sheet to the cash flow statement. Integrated financial planning A comprehensive approach right through to consolidation CP-Finance is a module of the Corporate Planning Suite.
More informationSAP Customer Success Story Professional Services T-Systems. T-Systems: Managing Global Sales with SAP CRM
T-Systems: Managing Global Sales with SAP CRM T-Systems International GmbH Industry Professional services IT service providers Products and Services Full service provider for the operation of information
More informationGlobal Network Initiative Protecting and Advancing Freedom of Expression and Privacy in Information and Communications Technologies
Global Network Initiative Protecting and Advancing Freedom of Expression and Privacy in Information and Communications Technologies Principles on Freedom of Expression and Privacy 1. Preamble 2. Freedom
More informationManagement of Information Systems. Certification of Secure Systems and Processes
Management of Information Systems Certification of Secure Systems and Processes Information Security Management System (ISMS) ISO 27001 Protecting valuable information Information is an asset whose loss,
More informationISO 27001: Information Security and the Road to Certification
ISO 27001: Information Security and the Road to Certification White paper Abstract An information security management system (ISMS) is an essential part of an organization s defense against cyberattacks
More informationBusiness-centric Storage FUJITSU Storage ETERNUS CS200c Integrated Backup Appliance
Business-centric Storage FUJITSU Storage ETERNUS CS200c Integrated Backup liance The complete backup and archiving solution in a box Data backup made easy FUJITSU Storage ETERNUS CS200c FUJITSU Storage
More informationSolution & Service Portfolio for the Telco Market.
Telecommunications Billing Solution & Service Portfolio for the Telco Market. Billing. Business flexibility Solution & Service Portfolio for the Telco Market. T-Systems. T-Systems is a one-stop information
More informationInformation Security Plan May 24, 2011
Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised
More informationCollaborative Quality Ensuring the Success of Your SAP Software Implementation
SAP Thought Leadership Paper SAP Active Quality Management Collaborative Quality Ensuring the Success of Your SAP Software Implementation Table of Contents 4 Introduction 5 Putting Collaboration into Quality
More informationAn Overview of ISO/IEC 27000 family of Information Security Management System Standards
What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information
More informationThe V-Model. Prepared for. Prepared by. Christian Bucanac c.bucanac@computer.org Software Engineering Student, University Of Karlskrona/Ronneby
Course: Quality Management, DPT404 Teacher: Conny Johansson Department: IDE, University Of Karlskrona/Ronneby The V-Model Prepared for Conny Johansson Conny.Johansson@ide.hk-r.se IDE, University Of Karlskrona/Ronneby
More informationCOCIR contribution to the public consultation on Personal Data Protection in the EU 1
COCIR contribution to the public consultation on Personal Data Protection in the EU 1 European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry Bd. A. Reyers 80, 1030
More informationGlobal Material Master Data Management at Merck
CAMELOT ITLAB Customer success story _Technologies _Products & Solutions _SAP Applications Global Material Master Data Management at Merck Combining innovative solutions with a collaborative approach Merck
More informationWelcome to the SCM Stream. Sponsored by:
Welcome to the SCM Stream Sponsored by: Harmonization of Indirect Purchasing -Agenda Indirect Purchasing Overview Key Elements of Indirect Purchasing Indirect Purchasing - Challenges Solution Approach
More informationThe College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
More informationSecurity Control Standard
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
More informationIntroduction: ITIL Version 3 and the ITIL Process Map V3
Introduction: ITIL Version 3 and the ITIL Process Map V3 IT Process Maps www.it-processmaps.com IT Process Know-How out of a Box IT Process Maps GbR, 2009-2 - Contents HISTORY OF ITIL... 4 The Beginnings...
More informationOutstanding Prospects for Your Company Software Solutions from DATEV. A Service Provided by Your Tax Advisor
Outstanding Prospects for Your Company Software Solutions from DATEV A Service Provided by Your Tax Advisor Welcome to DATEV! Companies that utilize DATEV solutions not only benefit from first-class software
More informationInformation Security Management Systems
Information Security Management Systems Information Security Management Systems Conformity Assessment Scheme ISO/IEC 27001:2005 (JIS Q 27001:2006) ITMangement Center Japan Information Processing Development
More informationCorporate governance report and corporate governance declaration
Corporate governance report and corporate governance declaration This corporate governance report constitutes the corporate governance declaration required by Sec. 289a Handelsgesetzbuch (HGB, German Commercial
More informationInformation Security Management Systems
Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector
More informationOSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data
OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas
More informationInformation Technology Services Project Management Office Operations Guide
Information Technology Services Project Management Office Operations Guide Revised 3/31/2015 Table of Contents ABOUT US... 4 WORKFLOW... 5 PROJECT LIFECYCLE... 6 PROJECT INITIATION... 6 PROJECT PLANNING...
More informationtheguard! SmartChange Intelligent SAP change management think big, change SMART!
theguard! SmartChange Intelligent SAP change management think big, change SMART! theguard! SmartChange theguard! SmartChange takes an intelligent SAP change management approach. It provides maximum automation,
More informationSAP Security Recommendations December 2011. Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.
SAP Security Recommendations December 2011 Secure Software Development at SAP Embedding Security in the Product Innovation Lifecycle Version 1.0 Secure Software Development at SAP Table of Contents 4
More informationCDC UNIFIED PROCESS PRACTICES GUIDE
Document Purpose The purpose of this document is to provide guidance on the practice of Quality Management and to describe the practice overview, requirements, best practices, activities, and key terms
More informationB-COMM ERP 4.0 for Use with SAP ERP Solutions for SAP applications time attendance, shop floor data collection, access control
B-COMM ERP 4.0 for Use with SAP ERP Solutions for SAP applications time attendance, shop floor data collection, access control SAP and Kaba a successful partnership For more than two decades, we have maintained
More informationIT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma
IT Governance, Risk and Compliance (GRC) : A Strategic Priority Joerg Asma Agenda Introductions An Overview of IT Governance Risk & Compliance (IT-GRC) The Value Proposition Implementing an IT-GRC Program
More informationTERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) 1. Reporting Function. The Applications Consultant reports directly to the CIO
TERMS OF REFERENCE (TORs) OF CONSULTANTS - (EAG) Consultant - Enterprise Systems & Applications 1. Reporting Function. The Applications Consultant reports directly to the CIO 2. Qualification and Experience
More informationFAQs on the Standard IEC 80001-1 (Risk management for IT-networks incorporating medical devices)
Introduction FAQs zur IEC 80001-Rev. 2.1 Stand 24.11.2010 An increasing number of medical devices, for example medical imaging devices, are designed to exchange electronic information with other devices,
More information2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
More informationQualified mobile electronic signatures: Possible, but worth a try?
Qualified mobile electronic signatures: Possible, but worth a try? Lothar Fritsch 1, Johannes Ranke 2, Heiko Rossnagel 1 Interest level of audience: 3 - for application developers (interested in IT security)
More informationIntegrated management system Ensuring global quality, environmental protection, health and safety
Integrated management system Ensuring global quality, environmental protection, health and safety Fair. Reliable. Innovative. This is our promise to our customers. And it is the demand we place on ourselves
More informationData Protection Policy of the Strenesse AG Online Store
Data Protection Policy of the Strenesse AG Online Store 1 Responsible Parties Strenesse AG ( Strenesse ) attaches great importance on a legitimate application of data processing aiming to protect your
More informationHow To Use An Fujitsu Storage Eternus C200C Backup Appliance
Business-Centric Storage FUJITSU Storage ETERNUS CS200c Integrated Backup liance Powered by Commvault The complete backup and archiving solution in a box Intel Inside. Powerful Solution Outside. Intel
More informationTrust. The essential ingredient for innovation. Thomas Langkabel National Technology Officer Microsoft Germany
Trust The essential ingredient for innovation Thomas Langkabel National Technology Officer Microsoft Germany How do we understand innovation? Innovation is the conversion of knowledge and ideas into new
More informationTemplate Management. Using Templates in Global Rollout. Solution Management Application Lifecycle Management
Using s in Global Rollout Solution Application Lifecycle Process Overview Involving ALM listing capabilities The template management approach allows customers with multi-site SAP installations to efficiently
More informationImplementing an Information Governance Program CIGP Installment 2: Building Your IG Roadmap by Rick Wilson, Sherpa Software
Implementing an Information Governance Program CIGP Installment 2: Building Your IG Roadmap by Rick Wilson, Sherpa Software www.sherpasoftware.com 1.800.255.5155 @sherpasoftware information@sherpasoftware.com
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationELECTRONIC INFORMATION SECURITY A.R.
A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationHosting. Simply Different. www.iso-gruppe.com
Hosting. Simply Different. www.iso-gruppe.com Hosting. ISO Professional Services offers more All the SAP expertise of the ISO Group is focused in ISO Professional Services, which is among the firmly established
More informationNon-Stop Manufacturing Excellence. Automotive. Answers for industry.
Non-Stop Manufacturing Excellence. Automotive Answers for industry. Answers to your challenges How can the potential of emerging markets be best economically tapped? What possibilities are there of reducing
More informationLeveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs
IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government
More informationMaster Data Management for SAP
excellence in data quality Master Data System Master Data Management for SAP www.iso-gruppe.com EXT 1 Initial situation / requirements Master data management a technological challenge? Implementing a Master
More informationMaster Data Governance Find Out How SAP Business Suite powered by SAP HANA Delivers Business Value in Real Time
Master Data Governance Find Out How SAP Business Suite powered by SAP HANA Delivers Business Value in Real Time Disclaimer This document is not subject to your license agreement or any other service or
More informationA Structured Comparison of Security Standards
A Structured Comparison of Security Standards Kristian Beckers 1, Isabelle Côté 3, Stefan Fenz 2, Denis Hatebur 1,3, and Maritta Heisel 1 1 paluno - The Ruhr Institute for Software Technology - University
More informationClariant: Optimizing Product Safety and Stewardship with SAP Software
SAP Customer Success Story Chemicals Clariant 2013 SAP AG or an SAP affiliate company. All rights reserved. Clariant: Optimizing Product Safety and Stewardship with SAP Software Company Clariant International
More informationDoXite. Document Composition for SAP
DoXite Document Composition for SAP Layout, production and distribution of printed and digital business documents Customer oriented optimization of SAP output Additional benefit by personalized communication
More informationxxxxx Conformity assessment Requirements for third party certification auditing of environmental management systems - competence requirements
NEW WORK ITEM PROPOSAL Date of presentation 2011-02-25 Reference number (to be given by the Secretariat) Proposer ISO/TC 207/SC 2 ISO/TC 207 / SC 2 N 251 Secretariat NEN A proposal for a new work item
More informationInformation Systems Security Regulation
Information Systems Security Regulation Original Regulation issued on, October 1, 2003 as Regulation #15-49 Revised Regulation issued on, March 29, 2004 as Regulation #16-29 November 1, 2004 as Regulation
More informationPreemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
More informationSecond Cyber Security Summit, November 11, 2013 in Bonn Final communique
Second Cyber Security Summit, November 11, 2013 in Bonn Final communique On November 11, the Cyber Security Summit was held for the second time in Bonn at the invitation of the Munich Security Conference
More informationProduct Lifecycle Management for the Pharmaceutical Industry
Product Lifecycle Management for the Pharmaceutical Industry An Oracle White Paper Author: Todd Hein, Oracle Life Sciences Key Contributors: i. Arvindh Balakrishnan, Oracle Life Sciences ii. Hardeep Gulati,
More informationCorporate Policy. Data Protection for Data of Customers & Partners.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
More informationsee >analyze >control >align < WhitePaper > planningit: alfabet s Logical IT Inventory
see >analyze >control >align < WhitePaper > planningit: alfabet s Logical IT Inventory planningit: alfabet s Logical IT Inventory 2 A transparent IT Landscape IT planning takes place in a rapidly changing
More informationsyscovery Savvy Suite Whitepaper Identity and Access Management
syscovery Savvy Suite Whitepaper Identity and Access Management whitepaper identity and access management 0C Can you answer the question which employee has what type of authorization? Have you already
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014 Revision History Update this table every time a new edition of the document is published Date Authored
More informationWORKFLOW MANAGEMENT FOR THE CLINICAL RADIOLOGY
RADIOLOGY WORKFLOW SOLUTIONS WORKFLOW MANAGEMENT FOR THE CLINICAL RADIOLOGY RADIOLOGY WORKFLOW MANAGEMENT OPTIMISED WORKFLOW MAXIMUM EFFICIENCY medavis. Your trusted partner for workflow management in
More informationMoP Glossary of Terms - English
English Term aggregated risk English Definition The overall level of risk to the portfolio when all the risks are viewed as a totality rather than individually. This could include the outputs of particular
More informationIntegration of Time Management in the Digital Factory
Integration of Time Management in the Digital Factory Ulf Eberhardt a,, Stefan Rulhoff b,1 and Dr. Josip Stjepandic c a Project Engineer, Daimler Trucks, Mannheim, Germany b Consultant, PROSTEP AG, Darmstadt
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationCOMOS Operations. Professional plant management for efficient operations. www.siemens.com/comos
COMOS Operations Professional plant management for efficient operations www.siemens.com/comos COMOS From Integrated Engineering...... to Integrated Operations Integration of plant engineering and operation
More informationIdentity and Access Management
Cut costs. Increase security. Support compliance. www.siemens.com/iam Scenarios for greater efficiency and enhanced security Cost pressure is combining with increased security needs compliance requirements
More informationDocument Management In SAP Solution Manager Application Lifecycle Management
Document Management In SAP Solution Manager Application Lifecycle Management www.sap.com TABLE OF CONTENTS 1.0 Motivation... 3 2.0 Method and Prerequisites... 4 2.1 Document storage in SAP Solution Manager...
More informationCOMESA Guidelines on Free and Open Source Software (FOSS)
COMESA Guidelines on Free and Open Source Software (FOSS) Introduction The COMESA Guidelines on Free and Open Source Software are a follow-up to the COMESA Regional FOSS Framework of 2009 whose main objective
More informationIAEA-TECDOC-1328 Solutions for cost effective assessment of software based instrumentation and control systems in nuclear power plants
IAEA-TECDOC-1328 Solutions for cost effective assessment of software based instrumentation and control systems in nuclear power plants Report prepared within the framework of the Technical Working Group
More informationInnovation Case Study: Business Marketplace by Deutsche Telekom. Copyright Ovum. All rights reserved. Ovum is a subsidiary of Informa plc.
Innovation Case Study: Business Marketplace by Deutsche Telekom 1 Copyright Ovum. All rights reserved. Ovum is a subsidiary of Informa plc. Innovation Deutsche Telekom (DT) extended its Telekom Business
More informationGSK Vaccines: Easing Compliance with SAP Process Control
2014 SAP AG or an SAP affiliate company. All rights reserved. GSK Vaccines: Easing Compliance with SAP Process Control GlaxoSmithKline Vaccines Industry Life sciences pharmaceuticals Products and Services
More informationTelekom Malaysia Case Study
Clarity Case Study Telekom Malaysia Case Study Telekom Malaysia Deploys Clarity s Integrated Next Generation OSS and Consolidates Seven Inventory Systems in Two Years in Preparation for NGNs. Telekom Malaysia
More informationCorporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data
Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not
More informationITIL Managing Digital Information Assets
ITIL Managing Digital Information Assets Shirley Lacy, ConnectSphere Frieda Midgley, Digital Continuity Project Judith Riley, Digital Continuity Project Nigel Williamson, Digital Continuity Project White
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More information