Data Security and Privacy (DS&P) Awareness for ERNST YOUNG LLP – SAP ERP Global Blueprint Project


Transcript

Page 1

Data Security and Privacy (DS&P) Awareness for ERNST YOUNG LLP – SAP ERP Global Blueprint Project

Page 2

Apr 20, 2023 2

Objective

Objective: Ensure that IBM project team members are aware of IBM and client-specific Data Security & Privacy requirements.

Goal: To educate the IBM workforce and comply with IBM DSP policies and client contract DSP requirements.

Page 3

What is IBM’s Global Data Security & Privacy Definition?

Data Privacy: The ability of individuals to determine when, how, and to what extent information about them is used or disclosed to others.

Sensitive personal information (SPI) could be misused to harm a person in a financial, employment or social way. [The USA also focuses on information facilitating identity theft (SSN, account code, PIN, etc.), and on medical information.]

Personally identifiable information (PI) includes any data element relating to identified or identifiable individuals.

Business sensitive information (BSI) is information protected by a client or other company as important to their business, the improper exposure or use of which could harm them.

*IBM’s definition of SPI can be found at: http://w3.ibm.com/ibm/privacy/practices_guidance.html

Security: The practices we employ through people, processes and technology to protect information to minimize the potential of a data breach or security compromise

All IBM projects must follow foundational Data Security and Privacy standards and policies.

Page 4

Client Sensitive Information – ERNST YOUNG LLP - SAP ERP Global

- Only the SAP application hosts PI/SPI/BSI information.
- Client sensitive information lies in the Production environment.
- PI (Personal Information): Customer Name, Customer Address, Customer Account ID
- BSI (Business Sensitive Information): E&Y Billing Period, E&Y Account ID and E&Y Account Balance
- Data access restriction is applied.

Page 5

Protecting Confidential Information

What is Confidential information?

Any information that could damage IBM or the Client by its misappropriation or unauthorized disclosure is termed IBM Confidential.

Examples of Confidential information:

- Financial data relating to IBM or Client operations or financial position
- Product design data and source code during development, and possibly, design data and source code
- Details of production schedules
- Customer / Employee details

Who can access Confidential Information?

IBM or Client Confidential information can be accessed only with a "need-to-know" and management approval.

You can disclose to third parties only when:

- Management or the client approved, or
- A confidential non-disclosure agreement is signed
- Approved by IBM Legal Counsel

What if I fail to comply with IBM security policies?

This could lead to:

• suspension

• termination

• other disciplinary action

Page 6

Why is DS&P Important? Data Security and Privacy Breaches are High Impact / Low Frequency Events

Key Factors:

- IBM's Reputation
- Contractual Requirements
- Compliance with Global and Regional Regulations and Directives
- Client Relationships: "Trust"

Appropriate security practices must be taken to protect SPI/PI.

Contributing Factors:

- Loss: accidental, intentional
- Theft: physical, logical
- Misuse: employee, third party
- Disclosure: inadvertent, inappropriate
- Access: unauthorized
- Increasing Regulatory Requirements
- ... Also impact to individual persons

Page 7

What are the DS&P matters on my project that I should be aware of?

Service applications accessed by IBM team members might contain customer details including the name, address, account and credit card details. This information is categorized as PI/SPI. Any intentional or unintentional disclosure of it through IBM may result in legal liabilities and reputational loss for IBM.

Customer information is considered business sensitive information (BSI). Customer information includes business plans, project details, details of the client's business processes and procedures, and any information of IBM or Service which, when leaked, will impact their business or reputation.

The customized source code is the intellectual property of Service and hence is considered BSI. The source code should not be copied, transferred or replicated.

IBM management and team should understand the implications and evaluate the associated risk before accepting any new access or elevated privileges to the applications or database. This should be done only after a thorough risk assessment and PE approval, and after ensuring adequate controls are in place.

All IBM project members must ensure that their laptops are compliant with WST. Project members must check from time to time that all requirements are green in WST. Subcontractors must ensure that their laptops are up to date with the latest patches and updates for their operating system and anti-virus software.

Page 8

How Can You Make A Difference!!!

Did you know that the group that represents the most likely source of an asset loss through inappropriate computer use is the employees from within the organization?

Information security begins with every individual. We need your help to maintain the integrity and reliability of our computer resources:

- You need to be aware of the risks that are associated with an action or a resource
- You need to use good judgment
- You need to report unusual incidents

"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all, they have got everything."

Page 9

Physical Security

Do's

- When on IBM premises always carry your IBM ID card on your person and display it prominently
- When on customer premises always carry the customer-given ID card and display it prominently
- Workstations should be physically locked (e.g. cable locks) when unattended
- If any physical asset including ID badge/portable media/laptops etc. is lost or stolen, report to the physical security officer and manager immediately

Don'ts

- Do not tailgate
- Do not allow anyone to tailgate
- Do not loan your ID badge to another employee
- Do not leave your laptop unattended in your vehicle or in any public place

Page 10

Internet Security and E-mail Security

Don'ts

- Do not post IBM or client specific/proprietary information on public sites.
- Do not access online music/games sites, P2P software (Kazaa, Napster, Skype etc.), chat sites and/or other inappropriate forums through IBM or Client sites.
- Do not download or copy freeware and shareware software from the Internet or any other source.
- Never send passwords or other personal information about yourself to anyone.
- Do not auto-forward emails from external addresses to your official email id or vice versa.
- Do not forward chain mails / spam while accessing IBM or client mail systems.
- Never send inappropriate messages.
- Do not use the client email infrastructure for communication on non-client related IBM confidential matters.

Do's

- Use the Internet only for business related work.
- Report obscene emails.
- Delete unsolicited advertising e-mail without replying to it.

Page 11

Password Policy

Do's

- Passwords set should be a minimum of 8 characters.
- Change passwords every 90 days or less. If there is no technical process for the password change, you must comply manually with the password change requirement.
- Passwords must contain a mix of alphabetic characters, special characters and numbers. The use of a passphrase is advised.
- Change your password if you suspect it is compromised.
- Always change the default password.
- When changing your password, you must select a new password, i.e., do not change the password to one that you used in the past.

Don'ts

- Personal details like DoB, anniversary dates, spouse/children names etc. should not be used in passwords.
- Avoid using names of places, or other common dictionary words, as your password.
- Don't reveal your password to anyone.
- Don't write down your password for the world to see.
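The password rules on this slide can be enforced mechanically at password-change time. The Python checker below is an added example (not from the slides or any IBM tool): it applies the minimum length, character-mix, personal-detail, dictionary-word and no-reuse rules, plus the 90-day rotation check. The salt, password history, personal terms and word list are constructed sample data; a real deployment would read them from the user's profile and a stored (hashed) history.

```python
import hashlib
from datetime import date

PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def history_hash(password, salt):
    """Value kept in the password history: a salted PBKDF2 digest, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def password_violations(password, salt, history=(), personal_terms=(), dictionary_words=()):
    """Check a candidate password against the slide's rules; an empty list means compliant."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        violations.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    if not any(c in PUNCTUATION for c in password):
        violations.append("no special character")
    lowered = password.lower()
    # Personal details (DoB, spouse/children names, ...) and dictionary words are
    # rejected as substrings, so a trivial suffix such as "Smith2024!" still fails.
    for term in personal_terms:
        if term.lower() in lowered:
            violations.append(f"contains personal detail {term!r}")
    for word in dictionary_words:
        if word.lower() in lowered:
            violations.append(f"contains dictionary word {word!r}")
    # "Do not change the password to one that you used in the past."
    if history_hash(password, salt) in set(history):
        violations.append("reuses a previous password")
    return violations


def rotation_overdue(last_changed, today, max_age_days=90):
    """True once the 90-day change requirement has lapsed (to be checked manually if no tool enforces it)."""
    return (today - last_changed).days > max_age_days


# Constructed sample data for a hypothetical user (not taken from the slides).
SALT = b"constructed-per-user-salt"
HISTORY = {history_hash("Winter!2023", SALT)}
PERSONAL = ["Smith", "12041985"]
DICTIONARY = ["password", "london", "welcome"]

if __name__ == "__main__":
    for candidate in ["Winter!2023", "Smith2024!", "londonbridge", "Tr4il-ro@d-m0ss"]:
        print(candidate, password_violations(candidate, SALT, HISTORY, PERSONAL, DICTIONARY) or "OK")
```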

Page 12

Data Protection / Backup

- If there is a valid business need to store PI/SPI/BSI on your workstation, usage of portable removable media such as CD/DVD, removable HDD, a USB storage device or a data backup tape is not allowed.
- The external storage media used for backing up data must be physically secured in secure rooms or cabinets under lock and key.
- Activate a power-on password and a password-controlled time-out/lock-out feature on all hand-held devices containing backup data.
- IBM Confidential or other business sensitive data should not be placed on a handheld device if there is no way to secure the device.

Link: http://w3-03.ibm.com/tools/it/ittools.nsf/main/security_fileencryptionsolutions

Page 13

Workplace Security

Do's

Follow the clean desk policy.

Collect printouts from printer trays promptly.

All confidential documents/ literature/ information should be kept under lock and key.

At the end of your working day, lock all your papers in the storage provided.

Keep your drawer keys secure.

All confidential documents should be shredded prior to disposal

Activate the password protected keyboard/screen lock when leaving your work area.

Don’ts

Do not leave your drawer keys at insecure locations

Do not leave Post-it Notes with confidential information at a place from where it can be picked by anyone.

Do not leave any papers on your workstation after you leave for the day.

Do not leave any documents on the printer once you have printed them.

Do not attempt to install/run any software/code/application without prior approval from IBM or Client.

Do not attempt to bypass any security controls

Do not attempt to access any IBM or client information which you are not permitted to access, or which is not relevant to or required by your current responsibilities.

Page 14

Security Incident Reporting

If you suspect a security incident is in progress or has occurred, it is important for you to act promptly by contacting your location Security department / Project Manager.

Employees are not to attempt to investigate or take action against the offender unless directed to do so by Security personnel.

If your workstation or portable media containing PI/SPI/BSI is lost or stolen, or if you suspect that somebody has compromised its security, you must immediately report the security incident and specify that sensitive information may have been exposed.

Link: http://w3-03.ibm.com/security/secweb.nsf/ContentDocsByCtryTitle/Corporate~Incident+reporting?Open&Country=Global+Services

Page 15

Essential Links

- ITCS 300: IT Security Standard in use at IBM. http://w3-03.ibm.com/tools/it/ittools.nsf/main/security
- BCG: Business Conduct Guidelines – mandatory for all employees to read, understand and comply with. http://w3-03.ibm.com/ibm/documents/corpdocweb.nsf/ContentDocsByTitle/IBM+Business+Conduct+Guidelines
- Data Privacy: GBS Data Security & Privacy Guidance. http://ams1.sby.ibm.com/as/as.nsf/content/as_dataprivacyguidance
- IT Security portal: Gateway to the whole lot of information about IBM IT Security policies, guidelines, standards and best practices. http://w3-03.ibm.com/tools/it/ittools.nsf/main/security
- Virus Information: Updates about virus threats, etc. http://w3.ibm.com/virus

IBM Confidential

Page 16

Thank You!!