Personal Identifiable Information and SAP
Importance of privacy in your SAP environment
Deloitte joined the SAP Insiders conference related to SAP Governance, Risk and Compliance held in Vienna. Here we presented our view on the importance of privacy in SAP systems and in particular how to address logging requirements using the SAP Read Access Logging module.
Like most ERP environments, SAP systems use and store more and more privacy-sensitive information. With the growth of this Personally Identifiable Information in SAP systems, the need to secure and protect this data has grown as well. On top of this, legal requirements for processing this kind of data are getting stricter. Here we present our view on the SAP Insiders conference and its conclusions.
Organizations and Personally Identifiable Information
Personally Identifiable Information (PII) is generally defined as any information relating to an identified or identifiable natural person. It may be referred to as personal data, personal information, non-public personal information, etc. Examples of PII are home addresses, health information such as medical records, social security numbers, criminal convictions or security measures. There are many examples where “disconnects” between corporate policies, actual operational practices and the technology infrastructure of an organization have led to enforcement actions, lawsuits, or monetary fines. Causes of these “disconnects” could be:
- Misrepresenting the purpose for collecting PII
- Failure to disclose the means used to collect PII (e.g., the use and/or duration of cookies, web bugs, spyware, tracking technologies)
- Failure to adequately train personnel on privacy representations
- Exporting PII contrary to the privacy laws of the originating country
- Misrepresenting the security protection of PII
SAP offers a wide range of possibilities to address privacy requirements that could prevent these issues. Solutions that could be used include SAP GRC Risk Management, GRC Process Control and various security management solutions like SAP GRC Access Control, Fraud Management, the native SAP role concept, security functions and logging capabilities. None of these solutions is, however, specifically focused on addressing privacy requirements. Organizations therefore need to perform a thorough assessment of the PII that they are handling, the (legal) privacy requirements that apply to their situation and the technical (SAP) solutions that address (parts of) these. Deloitte has ample experience with these kinds of privacy assessments and with combining the resulting requirements with possible SAP solutions, such as SAP’s logging capabilities.
SAP Read Access Logging Module
SAP offers a large variety of standard logging functions, including the security audit log, system log, application logs, change documents and table change logs. Even so, none of these can be used to log and monitor display activities at a detailed level. The SAP Read Access Logging Module (RAL), however, can be used to log display activities at the individual field level. In addition, it can be used to tailor specific logging to monitor update or display activities for various purposes. This could include logging for security monitoring, business optimization and much more. Other drivers for using RAL could be that privacy legislation requires an organization to implement logging and monitoring procedures around the use of PII, or that it requires an organization to give persons the right to get insight into who has had access to their personal information.
SAP RAL in combination with a Business Intelligence solution offers a wide range of extra possibilities, such as forensic investigation of a data leak, reporting on unauthorized access to sensitive data or detecting unwanted searches. For business performance controls, SAP RAL can be used to measure the duration of a certain process or to report on critical business transaction usage. This flexibility in usage does, however, have its drawbacks. If not properly set up, RAL can have a significant impact on system performance. And, even more important, the logging and monitoring procedures themselves should be compliant with privacy legislation as well. Next to this, the standard reporting capabilities of RAL are limited. We therefore recommend extending the output RAL provides to create proper reports for an effective and efficient monitoring process.
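As an added illustration (not code from this post, from Deloitte or from SAP), the two reporting use cases above applied to a constructed RAL-like extract: a per-person access report answering "who has seen my data", and a simple check for users who display sensitive fields of unusually many different persons. The event layout, user names, data-subject identifiers and field names are assumptions; only the transaction code PA20 (HR master data display) is a real SAP transaction.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReadEvent:
    """One field-level display event. The layout is an assumption for this
    example and is not SAP's actual RAL export format."""
    timestamp: str      # ISO-8601 timestamp (constructed)
    user: str           # SAP user that displayed the field
    transaction: str    # transaction code used, e.g. PA20 (HR master data display)
    data_subject: str   # identifier of the person whose record was displayed
    field: str          # name of the logged field


# Constructed sample events standing in for a RAL extract.
EVENTS = [
    ReadEvent("2015-06-01T09:02", "HRCLERK1", "PA20", "E1001", "BANK_ACCOUNT"),
    ReadEvent("2015-06-01T09:05", "HRCLERK1", "PA20", "E1001", "SSN"),
    ReadEvent("2015-06-01T09:30", "PAYROLL2", "PA20", "E1001", "BANK_ACCOUNT"),
    ReadEvent("2015-06-01T10:00", "HRCLERK1", "PA20", "E1002", "SSN"),
    ReadEvent("2015-06-01T10:01", "HRCLERK1", "PA20", "E1003", "SSN"),
    ReadEvent("2015-06-01T10:02", "HRCLERK1", "PA20", "E1004", "SSN"),
    ReadEvent("2015-06-01T10:03", "HRCLERK1", "PA20", "E1005", "SSN"),
    ReadEvent("2015-06-01T11:00", "PAYROLL2", "PA20", "E1002", "NAME"),
]


def access_report_for_subject(events, subject):
    """Who displayed which fields of one data subject, in time order.
    Only the columns needed for the 'right of insight' report are kept."""
    rows = [(e.timestamp, e.user, e.transaction, e.field)
            for e in events if e.data_subject == subject]
    return sorted(rows)


def flag_broad_readers(events, sensitive_fields, max_subjects):
    """Users who displayed sensitive fields of more distinct persons than
    max_subjects. Reading many unrelated records in a row is one pattern
    behind the 'unwanted searches' mentioned in the text."""
    subjects_per_user = defaultdict(set)
    for e in events:
        if e.field in sensitive_fields:
            subjects_per_user[e.user].add(e.data_subject)
    return {u: len(s) for u, s in subjects_per_user.items() if len(s) > max_subjects}


if __name__ == "__main__":
    for row in access_report_for_subject(EVENTS, "E1001"):
        print(*row)
    print(flag_broad_readers(EVENTS, {"SSN", "BANK_ACCOUNT"}, max_subjects=3))
```

The threshold and the set of sensitive fields would come from the privacy assessment described earlier; the report functions themselves return only the minimum columns needed so that the monitoring output does not become a new PII exposure.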
To achieve the desired results when implementing security and privacy measures like RAL, we highly recommend ensuring the involvement of business owners, privacy experts and SAP technology expertise. Should you need support with any of these aspects, don’t hesitate to reach out to the contacts below.
If you have any questions about the topics discussed in this blog, the SAPInsider conference or SAP Security in general, don’t hesitate to reach out to either Frank Hakkennes via FHakkennes@deloitte.nl or Arne Beentjes via ABeentjes@deloitte.nl.