PeopleSoft Data Exfiltration: Be Alerted to the Violation of Data Security & Privacy Policies

By Michael Cunningham • April 8, 2022

The financial, reputational, and regulatory impact of a data breach can be catastrophic. Data exfiltration, whether malicious or accidental, typically originates from employees’ legitimate access to PeopleSoft and can be hard to prevent or detect with existing security capabilities.

In this Pathlock solution demo, you’ll learn how real-time analytics can monitor data security and privacy policy violations to prevent PeopleSoft data exfiltration.



PeopleSoft’s native architecture makes it easy for users to run queries and download data out of the application. Additionally, the lack of detailed user activity logs in PeopleSoft prevents organizations from having a clear view of how, when, and by whom specific data fields were viewed. When you think about all the different devices that people are using to access your system, you realize that you want to monitor those scenarios.

Pathlock can help you understand where all this sensitive data is stored and accessed inside of PeopleSoft. We pre-categorize your PeopleSoft data fields into Level One or Level Two sensitivity, which you can customize later. We pull this information through to our analytics platform so you can not only monitor access and usage but also see whether anybody is writing queries that touch that data.

Monitoring and Enforcing PeopleSoft Data Exfiltration Policies with Pathlock

Data exfiltration policy enforcement can be challenging in PeopleSoft because it lacks the logging features that provide visibility into user activity around data access and usage. That can make it difficult to distinguish whether users are accessing sensitive information for legitimate reasons or with malicious intent.

Pathlock’s logging feature records all user activity for all data access and transactions, allowing you to aggregate and visualize data trends such as access by data sensitivity level and access by user privilege level. Pathlock’s real-time analytics help you continuously monitor instances of query running and download attempts of sensitive data onto unauthorized devices, from suspicious locations, or outside business hours.

Contact us today to learn how we can help you take a proactive approach to detect and prevent PeopleSoft data privacy violations, including users viewing co-worker PII data.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

PeopleSoft Data Privacy: Detecting When Users View Co-Worker PII Data

By Michael Cunningham • April 6, 2022

Data privacy is often associated with how companies are allowed to collect and handle customer data. Lost in the data privacy breach headlines is that protecting employee information is just as critical for security and compliance. In fact, we have a lot of organizations who ask us to help them understand if, when, and how an employee is viewing co-worker PII data, especially within the same department.

In this Appsian solution demo, we’ll show you how real-time analytics can provide granular information and alerts when users are accessing and viewing other employee information. 



When organizations using PeopleSoft request the ability to monitor and detect when one employee accesses the PII data of another employee, data privacy isn’t always the number one reason for the request. Data security and employee safety are also factors. 

Of course, there are employees who require privileged access to sensitive and personal information to perform their daily tasks. However, those employees most likely do not need to access a co-worker’s PII, especially within the same department.  

Beyond data privacy, we’ve heard about situations where an employee would stalk a co-worker. They had a level of access that allowed them to look at the personal information of another employee such as their home address, phone numbers, ID numbers, etc.  Appsian allows you to create alerts around this kind of activity so you can quickly respond in an appropriate manner.

Appsian’s enhancements to PeopleSoft’s logging capabilities, combined with real-time analytics, allow you to detect, understand, and report when an employee is viewing co-worker PII data. The platform provides granular data that shows you the specific employee ID that looked at personal data, the specific data viewed, to whom it belonged, and whether the two employees are within the same department.

Contact us today to learn how we can help you take a proactive approach to detect and prevent PeopleSoft data privacy violations, including users viewing co-worker PII data. 


PeopleSoft Data Privacy: Accessing Executive or Co-Worker Compensation Data

By Michael Cunningham • March 31, 2022

When it comes to PeopleSoft data privacy, the financial, reputational, and regulatory impact of having your employees’ or executives’ compensation or personal data accessed can be catastrophic.

In this Appsian solution demo, you’ll learn how real-time analytics can provide alerts when members of the same department look at each other’s compensation information, or when a privileged user accesses an executive’s compensation data.


A common request we get from our PeopleSoft customers is to ensure that they are always alerted when somebody accesses an executive’s or co-worker’s compensation information or other personal data. Even when accessing this information is part of an employee’s daily responsibilities, they don’t need to be viewing it every time they access an employee’s record.

Previously, we demonstrated how dynamic data masking and real-time analytics work together to control & monitor access to sensitive information. Here, we’re focusing on compensation information. Receiving an alert and logging activity every time a user accesses this information is critical for monitoring and complying with data privacy policies.

This level of detail can also help organizations distinguish legitimate access from a privileged user accessing this information outside the scope of their everyday responsibilities, which could indicate malicious intent by a disgruntled employee or a compromised account.

Appsian’s Real-Time Analytics allows you to track the number of times a user accesses that data during the day or outside of business hours. So instead of asking “if” a person should have access to that data, you can track how often and when that data is accessed.

Not only are you risking a data privacy violation, but a disgruntled employee could also cause internal conflicts and external PR issues if they leak executive compensation information. Knowing who accessed what and when is critical for ensuring policies are met while aiding in response tactics with full forensic details.
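The three detections described in these posts (co-worker PII viewed within the same department, executive or co-worker compensation data accessed, and query downloads outside business hours or onto unmanaged devices), written out in Python as an added example. This is not Pathlock/Appsian code; the pipe-delimited event format, employee IDs, departments and device names are constructed for the demo and are not PeopleSoft’s native log format.

```python
"""Detection rules for the PeopleSoft data-privacy scenarios described above.

Added example, not Pathlock/Appsian code. The pipe-delimited event format and
all employee IDs, departments and device names are constructed for this demo.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

PII_FIELDS = {"HOME_ADDRESS", "PHONE", "NATIONAL_ID", "BIRTHDATE"}
COMP_FIELDS = {"COMPENSATION", "ANNUAL_RATE"}
EXECUTIVES = {"E0001"}                          # constructed executive employee IDs
MANAGED_DEVICES = {"corp-desktop", "corp-laptop"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # local time, Monday to Friday


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str          # employee ID of the user performing the access
    actor_dept: str
    target: str         # employee ID whose record was accessed ("*" for a query)
    target_dept: str
    field: str          # data field, or query name for downloads
    action: str         # VIEW or QUERY_DOWNLOAD
    device: str


def parse_events(lines):
    """Parse constructed 'ts|actor|actor_dept|target|target_dept|field|action|device' lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, actor, adept, target, tdept, field, action, device = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), actor, adept,
                            target, tdept, field, action, device))
    return events


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect(events):
    """Return (rule, actor, detail) alerts for the policy violations in the posts above."""
    alerts = []
    for e in events:
        same_dept = e.actor != e.target and e.actor_dept == e.target_dept
        # Co-worker PII viewed within the same department
        if e.field in PII_FIELDS and same_dept:
            alerts.append(("COWORKER_PII_SAME_DEPT", e.actor,
                           f"{e.field} of {e.target} in {e.target_dept}"))
        # Executive or same-department compensation data accessed by someone else
        if e.field in COMP_FIELDS and e.actor != e.target:
            if e.target in EXECUTIVES:
                alerts.append(("EXEC_COMPENSATION_ACCESS", e.actor,
                               f"{e.field} of executive {e.target}"))
            elif same_dept:
                alerts.append(("COWORKER_COMPENSATION_ACCESS", e.actor,
                               f"{e.field} of {e.target} in {e.target_dept}"))
        # Query download outside business hours or onto an unmanaged device
        if e.action == "QUERY_DOWNLOAD" and (off_hours(e.ts) or e.device not in MANAGED_DEVICES):
            alerts.append(("SENSITIVE_DOWNLOAD", e.actor,
                           f"{e.field} at {e.ts.isoformat()} from {e.device}"))
    return alerts


def compensation_access_counts(events):
    """Count compensation accesses per actor and day, split by business vs off hours."""
    counts = Counter()
    for e in events:
        if e.field in COMP_FIELDS:
            window = "off_hours" if off_hours(e.ts) else "business_hours"
            counts[(e.actor, e.ts.date().isoformat(), window)] += 1
    return counts


# Constructed sample log (not real PeopleSoft output); 2022-03-30 is a Wednesday
SAMPLE_LOG = """\
# ts|actor|actor_dept|target|target_dept|field|action|device
2022-03-30T09:05:00|E2001|HR|E3005|FINANCE|HOME_ADDRESS|VIEW|corp-desktop
2022-03-30T09:07:00|E2001|HR|E2002|HR|PHONE|VIEW|corp-desktop
2022-03-30T10:00:00|E2001|HR|E0001|EXEC|COMPENSATION|VIEW|corp-desktop
2022-03-30T10:30:00|E4001|PAYROLL|E4002|PAYROLL|COMPENSATION|VIEW|corp-laptop
2022-03-30T14:00:00|E4001|PAYROLL|E4001|PAYROLL|COMPENSATION|VIEW|corp-laptop
2022-03-30T22:45:00|E4001|PAYROLL|E3005|FINANCE|COMPENSATION|VIEW|corp-laptop
2022-03-30T23:10:00|E4001|PAYROLL|*|*|QUERY_PAYROLL|QUERY_DOWNLOAD|home-pc
2022-03-31T11:00:00|E5001|IT|*|*|QUERY_PAYROLL|QUERY_DOWNLOAD|corp-desktop
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Only four of the eight sample events raise an alert; a user viewing their own compensation, or a different department’s, is counted by `compensation_access_counts` but not alerted, which is the "how often and when" view the post describes.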

Appsian helps you take a proactive approach to detect and prevent PeopleSoft data privacy violations, including users accessing executive compensation information.

Contact us today to learn how we can help you with alerts when executive or co-worker compensation data is accessed. In addition, we provide the fastest path for applying data masking and logging across all necessary data fields in PeopleSoft.


How to Use PeopleSoft Data Masking and Logging to Detect Security Threats

By Michael Cunningham • March 22, 2022

Security threats exist at the application, transaction, and data level. Unfortunately, default PeopleSoft data masking and logging capabilities are insufficient to meet today’s modern data security and privacy requirements.

In this Appsian Solution demo, we’ll show you how dynamic data masking and real-time analytics work together to secure identity, control & monitor access to sensitive transactions, protect UI data, and provide deep visibility into data access and usage.


While all activity should be monitored for security and compliance purposes, high privilege user accounts should be continuously monitored and analyzed for potentially malicious trends.

Click-to-View Data Masking

Allowing access to sensitive data fields to everyone with valid login credentials can lead to unnecessary exposure, resulting in non-compliance with regulatory requirements such as Sarbanes-Oxley, PCI DSS, HIPAA, GDPR, etc. Appsian offers several types of dynamic data masking, including full, partial, click-to-view masking, or complete redaction to any data field in PeopleSoft.

As we demonstrate in this video, click-to-view field masking helps protect against unnecessary exposure of sensitive data while still allowing users to view data with expressed intent. The Appsian Security Platform (ASP) creates very specific and targeted logs in PeopleSoft; features like click-to-view masking build a complete audit trail of all data access for quick reference.

Real-Time Analytics

Appsian’s transaction-level activity logging captures granular, real-time information on who a user is, what they’re trying to access, and where they’re coming from. With that information, our real-time analytics application aggregates data access and usage trends. Then, it displays them on a visually rich dashboard, eliminating the time-consuming need to translate unstructured logs into actionable information.

Strengthen PeopleSoft Data Security and Privacy with Appsian

Appsian helps you take a proactive approach to detect and prevent PeopleSoft security threats. In addition, we provide the fastest path for applying PeopleSoft data masking and logging across all necessary data fields.

Contact us today to learn how we can help you quickly respond to security threats with full forensic information and prevent costly data breaches and non-compliance penalties.



How FTC Updates to “Safeguards Rule” Impact Higher Education Institutions

By Michael Cunningham • March 11, 2022

On December 9, 2021, the Federal Trade Commission (FTC) published a final rule amending the requirements for safeguarding customer information under the Gramm-Leach-Bliley Act (GLBA) (the Safeguards Rule). The Safeguards Rule has long specified cybersecurity standards under which financial institutions must maintain customer information, including higher education institutions (thanks to their participation in the federal student financial aid program). This is a significant development for our Higher Ed customers because it effectively mandates any Title IV participating institution to follow the updated guidelines.

Obligatory disclaimer: This article isn’t legal advice. Instead, it is a high-level look at new security regulations that affect our higher education customers. Therefore, we recommend that you seek guidance from your legal department and other relevant experts.

Key Security Elements of the Updated Safeguards Rule

While the amendments still allow some flexibility, they now include detailed criteria that higher education institutions must implement. This includes more detailed requirements for developing and establishing an information security program. Here’s a brief look at some of the security elements from the updated Safeguards Rule that higher education institutions should be aware of:

  • 314.4(c): Implement and maintain technical and physical access controls on customer information to limit access to authorized users and limit those users’ access to the scope of their authorizations.
  • 314.4(c): Implement measures to “monitor and log the activity of authorized users” and to detect when they have accessed, used, or tampered with customer information outside the scope of their authorization.
  • 314.4(c): “Implement multi-factor authentication for any individual accessing any information system.”
  • 314.4(d)(2): Implement continuous monitoring of “information systems” (as defined in 314.2) or annual penetration testing with vulnerability assessments at least every six months.
  • 314.4(f)(3): Periodically assess the information security risks that your institution’s service providers present and the adequacy of the safeguards they deploy to ensure that they are following the provisions of the Rule.

Appsian can help organizations with these requirements. Here’s how:

  • Implementing fine-grained, dynamic (ABAC) controls while continuing to leverage the role-based controls that are already defined and in use across the organization
  • Implementing dynamic MFA, not just at the perimeter but also at the application, transaction, and data level (inline)
  • Granular activity logging to provide visibility into data access and usage trends
  • Real-time user activity monitoring to ensure that security controls are properly enforced
  • An audit trail to aid investigation and remediation efforts

What Else is Included in the Updated Safeguards Rule

In addition to specific security controls, the amendments also include new requirements for risk assessments and new accountability and reporting requirements to boards of directors. We encourage you to review the revised regulations because some parts of the amendments may be more relevant to your institution’s needs than others. (pages 109–128 of this PDF document specifically cover the new rule)

Effective Date of the Updated Safeguards Rule

Due to the time required to implement many of the described provisions, the effective date of most above-described elements is December 9, 2022.

Next Steps

You don’t want to wait until the last minute to implement any of these security mandates. Contact us today to learn how we can help ensure that your information security program meets these new federal requirements.



Remote Access Security: How to Replicate the 9 to 5 Workday

By Esha Panda • December 23, 2021

Over the last two years, organizations had to move employees out of a secure office environment and provide them with access to corporate ERP applications from multiple remote locations — effectively creating an extensive remote and hybrid workforce. A recent report by Gartner predicts that 47% of knowledge workers will work remotely in 2022, compared to pre-pandemic levels of 27%. With this rise in hybrid working and network connections originating from outside the firewall, organizations are understandably prioritizing remote access security.

In this remote/hybrid work landscape, workers and organizations often struggle to replicate that 9 to 5 experience, in which employees commute to an office, sit at a desk, and securely access ERP systems behind the office firewall. The reality is that organizations face the challenge of balancing the security of ERP systems and critical data against the access demands of the hybrid workforce.

Let’s be clear about something: workers may work 9 to 5, but they have 24/7 access to your ERP applications. And just like you wouldn’t let employees have access to certain areas of a physical office (if it’s a big office space) at all times of the day and night, you shouldn’t grant them remote access to all areas of the ERP system any time they want. 

There isn’t a single technology that will secure remote access. Instead, organizations should leverage a variety of technologies that together provide the necessary remote access security when users are working “9 to 5” from home or other remote locations.

Implement Dynamic Access Controls 

Remote access security begins by giving users access to only the applications, transactions, and data needed to perform their jobs during the “9 to 5” workday. These dynamic access controls consider the different contexts of user access (i.e., location of access, time of request, device used, IP address, and others) to govern who can use specific applications, the types of transactions they can process, and when. For example, if you wouldn’t allow Ted from payroll to enter the office building at 1:00 AM to access employee bank account data when no one is around, why let him do it from home?  

Reauthenticate Users at the Data and Transaction Level

As we continue to follow Ted around his 9 to 5 workday in the office, he uses his security badge to access the accounting area, an area that is off-limits to most other employees. Essentially, Ted had to reauthenticate his identity before reaching his desk and executing a payroll run. Now that Ted is part of the hybrid workforce, it makes sense that he should reauthenticate his access with dynamic multifactor authentication (MFA) before changing sensitive data, like employee bank accounts, or running critical transactions, like payroll. Enforcing dynamic MFA allows organizations to issue challenges based on contextual attributes such as location, IP address, time, and device type.

Gain Full Control of Data Access Using Dynamic Data Masking 

Controlling what information an employee can see is critical regardless of office location (on-premise or remote). For example, suppose Ted’s manager accesses his employee record to review his information or department settings. In that case, his date of birth and social security number are typically on display, data his manager doesn’t need to see to do their 9 to 5 job. Dynamic data masking leverages contextual access controls to ensure that sensitive data is only accessible by the people who need to see it to accomplish their job. Additional controls can enforce full or partial data masking. At the same time, click-to-view and MFA can create a record of data access for use in an audit. Dynamic data masking also means a hacker with compromised credentials will be unable to access or view sensitive data fields.

Increase Visibility through User Activity Monitoring 

Even with remote access security in place, it’s vital that organizations understand who is accessing what, from where, and for what purpose. For example, suppose a hacker compromises Ted’s credentials and starts accessing ERP applications outside of Ted’s regular 9 to 5 activity. With continuous monitoring of user behavior around data access and usage at a granular level, an organization can detect “Ted’s” suspicious activities and quickly apply an appropriate threat response.

Appsian’s Approach to Remote Access Security  

As more employees take their 9 to 5 workday outside the confines of the corporate firewall and access ERP applications and data from nearly any location, Appsian can help organizations take a dynamic approach to remote access security. 

Contact Appsian today to learn how our context-aware access controls can anchor your remote access security policies and improve ERP data security for your remote teams. 


Unpacking China’s New Data Security Law and Privacy Legal Framework

By Michael Cunningham • September 9, 2021

If you’re a multinational enterprise (MNE) that does business in or with China, you’re likely aware of the Data Security Law (DSL) that went into effect on September 1, 2021. The DSL adds to an increasingly comprehensive legal framework for information and data security in China. The law also imposes extensive data processing requirements and imposes potentially severe penalties for violations. 

This article attempts to share a high-level overview of the DSL and put into context the overall state of data governance in China. First, a disclaimer: This article isn’t legal advice. Instead, it is a high-level look at a new set of data governance and regulations that affect our customers. We do recommend that you seek guidance from your legal department and other relevant experts.

A Brief Recap of China’s Recent Data Security Initiatives

The recent legal moves by China over the past few years address the country’s growing concerns over the amount of data collected by firms and whether that information is at risk of misuse and attack, particularly by foreign nations. On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which took effect earlier this month (September). The DSL, together with the 2017 Cybersecurity Law and the just-passed Personal Information Protection Law (PIPL), will form an increasingly comprehensive legal framework for information and data security in China. 

Data Security Law Highlights

The primary purpose of the DSL is to regulate “data activities,” safeguard data security, promote data development and usage, and protect individuals and entities’ legitimate rights and interests. Additionally, the DSL focuses on safeguarding China’s state sovereignty, state security, and development interests. 

Extraterritorial Jurisdiction

The DSL provides broad extraterritorial jurisdiction. According to Article 2, the law governs data activities conducted within China as well as those outside the country that may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”

Defining and Classifying Data 

The DSL requires all companies in China to classify the data they handle into several categories and governs how that data is stored and transferred to other parties. The classification system will control data according to the data’s importance (i.e., “important data”) to China’s economy, national security, and public and private interests. 

The DSL further introduces a separate regulatory framework for “core state data,” broadly defined as data involving national security, lifelines of the national economy, importance to people’s livelihood, and significant public interests. Core data are subject to stricter processing regulations. 

Currently, the data classification system details are not specified in the DSL but are expected to be rolled out in the future.

Data Security Compliance Obligations

The DSL imposes general obligations on companies and individuals who carry out any data activities, including: 

  • Establishing comprehensive data security management systems, organizing data security education, and implementing necessary measures to ensure data security 
  • Strengthening risk monitoring, taking corrective actions when data security flaws or “loopholes” are discovered, and notifying users and authorities of security incidents 
  • Conducting regular risk evaluations of the data activities for “important data” processors and reporting results to relevant authorities.

The more sensitive the data a company handles, the more rigorous the data security obligations. For example, in addition to obeying strict processing restrictions for “national core” data, entities that process “important data” must: 

  • assign a data security officer, 
  • create a data security management department, 
  • conduct regular evaluations to monitor potential risks, and 
  • report results to appropriate government agencies.

Cross-Border Data Transfer Requirements

There are many details about cross-border data transfers that we won’t cover in this article. But, basically, the DSL doesn’t allow the transfer of any data from China to any foreign law enforcement agencies or judicial bodies without approval from the appropriate Chinese government authorities, creating complications for companies legally required to submit data to foreign authorities. 

For example, companies established in China that offer goods or services in the European Union (EU) are subject to the EU General Data Protection Regulation (GDPR), which allows EU supervisory officials to request data when exercising their enforcement powers. However, China requires that companies receive government approval before transferring data in response to GDPR enforcement requests. 

Again, the DSL currently provides no specific guidance to companies on this requirement. 

Penalties for Noncompliance

Penalties for failing to comply with DSL requirements include demands for rectification, warnings, monetary fines, forfeiture of illegal gains, revocation of business licenses, and/or orders to close down businesses. Noncompliance with the DSL that rises to the level of a criminal or administrative offense may also be prosecuted criminally under China’s Criminal Law or be subject to administrative penalties. In addition, the DSL allows parties to recover damages through civil litigation in court.

What’s Next? Here’s How Appsian Security Can Help

MNEs currently conducting business in and with China are likely already used to stringent information and data security controls and may have existing internal policies for information technology, data management, and privacy already in place. Even so, those companies will benefit from additional reviews of their data processing policies and activities for potential non-compliance risks.

Additionally, it’s a good time to talk with Appsian Security to learn how the Appsian Security Platform (ASP) can help you comply with China’s DSL, along with other global compliance regulations like GDPR. ASP gives you complete control and visibility over your business data using a comprehensive platform that combines data security, identity and access management, and governance, risk, and compliance (GRC). 

Contact us today for a demonstration.





Data Loss Prevention: 7 Best Practices for SAP Security

By David Vincent • August 20, 2021

A constantly evolving threat landscape and compliance environment with inconsistent standards have made data loss prevention (DLP) a vital component of an organization’s SAP data security strategy. The global cost of data breaches hit a record-high in 2021 ($4.2 million per incident), highlighting the importance of a robust DLP strategy to protect organizations from financial, legal, and reputational damages. 

What Is Data Loss Prevention?

Data Loss Prevention is the practice of identifying and preventing data breaches, exfiltration, or unwanted loss or destruction of sensitive data. Businesses use DLP solutions for SAP and PeopleSoft applications mainly to:

  • Secure Personally Identifiable Information (PII)
  • Comply with data security and privacy regulations
  • Protect intellectual property critical to the organization
  • Prevent unauthorized transfer of data outside the organization

Seven Data Loss Prevention Best Practices

For any DLP strategy, you need to understand which organizational data to secure, where that data resides, who has access to that data (and when), and how the data should be used. Unfortunately, data loss is difficult to spot because data routinely moves in and out of an enterprise and closely resembles normal traffic. Let’s take a look at a list of data loss prevention best practices that have helped our customers achieve their data security goals and meet compliance standards.

  1. Configure Dynamic Data Loss Prevention Policies
    Preventing unauthorized exposure of sensitive information and protecting against insider data leakage begins by configuring contextual, attribute-based DLP policies that restrict transactions based on user and data attributes. Unfortunately, traditional role-based access controls (RBAC) can’t completely safeguard data in dynamic environments, as static roles fail to leverage contextual attributes such as time of day, geolocation, IP address, transaction type, etc.
  2. Establish Clearly Defined Rulesets for Segregation of Duties
    Establishing a clearly defined ruleset for segregation of duties that divides business processes between multiple users helps limit the risk of fraud and error while ensuring that a user’s access privileges do not conflict with or violate business policies.
  3. Deploy Policy-Based Data Masking and Redaction
    Companies can enable dynamic data masking to reduce unnecessary exposure of sensitive information while allowing employees to do their jobs. For example, masking specific fields on a page an employee is accessing, or using click-to-view masking to unmask data or requiring an MFA challenge before data is revealed, which logs access to a particular field. And don’t forget to protect non-production environments, where dynamic data masking ensures development or testing teams can only access the data they need and nothing more.
  4. Continuously Monitor Data Access and Usage
    Monitoring user behavior around data access and usage in real time at a granular level provides visibility into how users interact with sensitive data, triggering security event alerts for high-risk access and abnormal activity at the field level. (Native application logging capabilities cannot tell the difference between malicious user activity and normal usage.)
  5. Increase the Levels of Access Control and Monitoring for High-Privilege Users
    Because privileged user accounts are magnets for hackers, companies should isolate activity and access data by these accounts to ensure integrity and alignment with current business policies. For example, an employee from the HR department needs access to payroll information to do their job, but do they need that access outside of office hours or from an unknown IP address?
  6. Closely Monitor Report and Query Downloads
    Monitor instances of query running and download attempts, ensuring that sensitive queries are not being downloaded onto unauthorized devices, from suspicious locations, or outside business hours.
  7. Leverage DLP Solutions to Automate as Much as Possible
    For all the features and value ERP systems provide, they lack the functionality to provide a dynamic, automated data loss prevention solution. Automating DLP processes across the organization allows you to enforce dynamic policies to identify and protect data before it exits the organization. In addition, automating compliance audits allows you to constantly monitor data access and usage and alert security teams to abnormal activities.
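Contextual, attribute-based policies of the kind described in practices 1, 3 and 5, and in the "Ted" scenarios of the Remote Access Security article earlier on this page, as an added example in Python. This is not Appsian's product code: the departments, resource names, office network range, role grants and timestamps are constructed, and the role grants are kept as an RBAC baseline beneath the contextual rules, as the page describes.

```python
"""ABAC decisions for remote ERP access. Added example, not Appsian's code.

Departments, resource names, the office network range and all timestamps are
constructed. Static role grants stay in place as the baseline; the contextual
rules (time, network, device, MFA state) are layered on top of them.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

CORP_NETWORKS = [ip_network("10.0.0.0/8")]      # constructed office address range
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # the "9 to 5" window, Mon-Fri
ROLE_GRANTS = {                                 # RBAC baseline per department (constructed)
    "PAYROLL": {"EMPLOYEE.BANK_ACCOUNT", "EMPLOYEE.BIRTHDATE", "TXN.PAYROLL_RUN"},
    "MANAGER": {"EMPLOYEE.SSN", "EMPLOYEE.BIRTHDATE", "EMPLOYEE.DEPARTMENT"},
}
MASKING = {                                     # sensitive fields and their mask style
    "EMPLOYEE.SSN": "full",
    "EMPLOYEE.BIRTHDATE": "partial",
    "EMPLOYEE.BANK_ACCOUNT": "click_to_view",   # revealed on click, and the reveal is logged
}
CRITICAL_TXNS = {"TXN.PAYROLL_RUN"}


@dataclass(frozen=True)
class Request:
    user: str
    dept: str
    resource: str       # field (EMPLOYEE.*) or transaction (TXN.*)
    action: str         # VIEW, UPDATE or EXECUTE
    ts: datetime
    ip: str
    device_managed: bool
    mfa_verified: bool  # step-up MFA already completed in this session
    self_record: bool   # the user is looking at their own record


@dataclass(frozen=True)
class Decision:
    effect: str         # ALLOW, DENY, STEP_UP_MFA or MASK
    reason: str         # for MASK, the mask style to apply


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def remote(ip):
    return not any(ip_address(ip) in net for net in CORP_NETWORKS)


def decide(req):
    """RBAC baseline first, then the contextual rules, most restrictive first."""
    if req.resource not in ROLE_GRANTS.get(req.dept, set()) and not req.self_record:
        return Decision("DENY", "no role grant for resource")
    sensitive = req.resource in MASKING or req.resource in CRITICAL_TXNS
    # Nobody reaches sensitive data remotely in the middle of the night
    if sensitive and remote(req.ip) and off_hours(req.ts):
        return Decision("DENY", "sensitive access remotely outside business hours")
    # Critical transactions, sensitive changes and remote/unmanaged context need MFA
    needs_mfa = sensitive and (req.resource in CRITICAL_TXNS or req.action == "UPDATE"
                               or remote(req.ip) or not req.device_managed)
    if needs_mfa and not req.mfa_verified:
        return Decision("STEP_UP_MFA", "contextual re-authentication required")
    # Other people's sensitive fields are shown masked, never in the clear
    if req.action == "VIEW" and req.resource in MASKING and not req.self_record:
        return Decision("MASK", MASKING[req.resource])
    return Decision("ALLOW", "within policy")


def evaluate(user, dept, resource, action, ts, ip,
             device_managed=True, mfa_verified=False, self_record=False):
    """Build a Request from an ISO timestamp and return its Decision."""
    return decide(Request(user, dept, resource, action, datetime.fromisoformat(ts),
                          ip, device_managed, mfa_verified, self_record))


def scenarios():
    """The article's Ted scenarios (constructed values) mapped to decisions."""
    home, office = "203.0.113.10", "10.1.2.3"                   # constructed addresses
    day, night = "2021-12-20T10:00:00", "2021-12-20T01:00:00"   # a Monday
    return {
        "ted_bank_data_1am_home":   evaluate("ted", "PAYROLL", "EMPLOYEE.BANK_ACCOUNT", "VIEW", night, home),
        "ted_payroll_run_home":     evaluate("ted", "PAYROLL", "TXN.PAYROLL_RUN", "EXECUTE", day, home),
        "ted_payroll_run_home_mfa": evaluate("ted", "PAYROLL", "TXN.PAYROLL_RUN", "EXECUTE", day, home,
                                             mfa_verified=True),
        "ted_updates_bank_office":  evaluate("ted", "PAYROLL", "EMPLOYEE.BANK_ACCOUNT", "UPDATE", day, office),
        "ted_bank_data_office":     evaluate("ted", "PAYROLL", "EMPLOYEE.BANK_ACCOUNT", "VIEW", day, office),
        "manager_views_ted_ssn":    evaluate("mgr", "MANAGER", "EMPLOYEE.SSN", "VIEW", day, office),
        "ted_views_own_ssn":        evaluate("ted", "PAYROLL", "EMPLOYEE.SSN", "VIEW", day, office,
                                             self_record=True),
        "sales_payroll_run":        evaluate("sam", "SALES", "TXN.PAYROLL_RUN", "EXECUTE", day, office),
        "stolen_creds_3am":         evaluate("ted", "PAYROLL", "EMPLOYEE.BANK_ACCOUNT", "VIEW",
                                             "2021-12-21T03:00:00", "198.51.100.7", device_managed=False),
    }
```

Rule order matters: the off-hours remote deny sits above the MFA rule so that a stolen credential cannot satisfy the policy at 3 AM simply by passing a step-up challenge.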

How Appsian Security Helps Enable Your SAP Data Loss Prevention Strategy

Whether the user is careless or malicious, and whether they are an employee, partner, or contractor, it can be difficult to tell the difference between a user’s regular activity and activity intended to cause harm or theft. The Appsian Security Platform (ASP) helps SAP customers deploy these data loss prevention best practices, and many more, to prevent unauthorized exposure and exfiltration of sensitive data, PII, and intellectual property.

By configuring dynamic access controls, you can uniformly enforce policies that restrict transactions based on user and data attributes. In addition, you can deploy policy-based data masking that helps you comply with data security and privacy regulations by reducing the exposure of high-risk data.

Contact us today for a demonstration and see for yourself how Appsian Security can help with your data loss prevention strategy.


SAP Data Security Best Practices for ITAR Compliance

By Michael Cunningham • August 11, 2021

You know how vital SAP data security can be in the age of data privacy and compliance regulations such as GDPR, CCPA, SOX, and others. If you’re a company involved with any part of the defense supply chain—from direct contracts on defense projects to independent upstream suppliers of parts, components, services, and software that are ultimately used in defense products—you’re likely subject to ITAR compliance. 

The International Traffic in Arms Regulations, or ITAR, is a set of government rules that control the export and import of defense-related articles, services, and technology on the U.S. Munitions List (USML) and ensure that sensitive materials (including technical data) don’t fall into the hands of foreign parties and U.S. adversaries. Put another way, if your company’s product, software, technical data, or services are identified on the USML, you’re going to be subject to ITAR requirements.

What Is ITAR Compliance? 

Answering this question is a bit tricky because there is no formal certification process to become “ITAR Compliant” or “ITAR Certified.” Instead, companies are expected to understand the regulations and take the appropriate steps to comply with these requirements. We’re not in the business of offering legal advice, but the U.S. Department of State is an excellent place to start to learn more.

Ensuring that your SAP data security practices comply with ITAR mandates is essential from a security and consequence standpoint. You never want to compromise your data, but you also don’t want to face the risks of high fines and possible jail time for failing to comply with ITAR. The penalties for ITAR infractions are severe, including civil penalties up to $500,000 per violation and criminal fines of up to $1 million and/or ten years imprisonment per violation. (A California electronics company was recently fined $6.6 Million for multiple ITAR export violations)

What’s on the U.S. Munitions List? 

There are 21 categories of Defense Articles in the USML as well as related technical data. For your reference, here are the categories (emphasis mine for #21):

  1. Firearms, Close Assault Weapons, and Combat Shotguns 
  2. Guns and Armament 
  3. Ammunition/Ordnance 
  4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs, and Mines 
  5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents 
  6. Surface Vessels of War and Special Naval Equipment 
  7. Ground Vehicles 
  8. Aircraft and Related Articles 
  9. Military Training Equipment and Training 
  10. Personal Protective Equipment 
  11. Military Electronics 
  12. Fire Control, Laser, Imaging, and Guidance Equipment 
  13. Materials and Miscellaneous Articles 
  14. Toxicological Agents, Including Chemical Agents, Biological Agents, and Associated Equipment 
  15. Spacecraft and Related Articles 
  16. Nuclear Weapons Related Articles 
  17. Classified Articles, Technical Data, and Defense Services Not Otherwise Enumerated 
  18. Directed Energy Weapons 
  19. Gas Turbine Engines and Associated Equipment 
  20. Submersible Vessels and Related Articles 
  21. Articles, Technical Data, and Defense Services Not Otherwise Enumerated 

Technical data is not confined to category 21: every USML category also covers the technical data related to its articles, and category 21 sweeps in articles, technical data, and defense services not enumerated elsewhere. For an SAP shop, that means any data stored in your ERP application that relates to items or services designated on the USML. ITAR compliance centers on ensuring this data is not accessible to foreign persons, including your own employees and contractors, and is not inadvertently distributed to foreign persons or nations. Note that ITAR’s “U.S. person” is broader than “U.S. citizen”: it also covers lawful permanent residents and certain protected individuals, so a control keyed on citizenship alone will wrongly block some people who are entitled to access.

Add ITAR Compliance Items to Your Data Classification List 

To comply with GDPR, SOX, and other regulations, you have probably already classified which data in your organization is sensitive and subject to your data security, privacy, and governance policies. Further, for pages that display technical data, it’s also a good idea to tag each page with an ITAR notice. This reduces the chance that employees with legitimate access accidentally share controlled information with unauthorized users.

Apply Policy-Based Access Controls 

Now that you’ve identified and categorized your data, it’s time to establish who has access to it, when they can access it, from where, on what device, and how often. This is critical but challenging: any company that employs foreign persons or works with non-U.S. subcontractors must keep them away from ITAR technical data unless an export authorization covers that access, yet SAP’s native role-based access controls (RBAC) are static and do not take contextual attributes into account.

Appsian Security can help you create a more robust, policy-based data security program by enabling attribute-based access controls (often called policy-based access controls) that incorporate additional context, such as citizenship or U.S.-person status, certification, geolocation, network, time of day, and transaction type. By combining these contextual attributes with your standard role-based ones, you can establish policy rules that grant access to ERP applications, technical data, and transactions only if the person meets the contextual criteria, while still allowing them full access to everything they need to do their job.

Leverage Policy-Based Controls to Configure Preventative Controls with Appsian Security 

Once policy-based access controls are in place, Appsian Security can enable you to easily configure preventative controls at the SAP process, transaction, and field level to prevent unauthorized activity, enhance your data privacy, and increase the efficiency of your ITAR compliance program.  

Avoid Unnecessary Data Exposure with Dynamic Data Masking:

An essential requirement of ITAR is ensuring that users accessing SAP applications, either in an authorized or unauthorized manner, do not have needless access to sensitive technical data through various pages, reports, or queries. Appsian can reduce the exposure of technical data with dynamic data masking while still allowing employees to do their assigned work.

Add Stepped-Up Multi-Factor Authentication at the Transaction Level:

Adding MFA at the transaction level ensures that users are not only authorized to access and view the data but are also re-verified before they perform the actual transaction, based on their current context of access and not just their role. This should be applied to highly sensitive transactions like editing a direct deposit account number, accessing compensation data, or anything involving USML technical data.

Strengthen Data Loss Prevention:

Using context-aware data loss prevention policies, Appsian can block transactions that download technical data in high-risk scenarios: when the user is a foreign person, outside business hours, or from untrusted locations, networks, or devices. This stops employees from downloading and accidentally sharing data they shouldn’t, and limits the damage a malicious insider can do beyond the compliance violation itself.
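The four controls above (policy-based access, dynamic masking, step-up MFA, and context-aware DLP) read as separate products, but the point of a single policy is that they are outcomes of one decision. The following Python example, added here and not Appsian or SAP code, models that decision for ITAR technical data: the static role still gates the transaction, then U.S.-person status, ITAR training certification, network, device, time of day, and transaction type decide whether the result is an allow, an allow with fields masked, a step-up MFA challenge, or a deny. The roles, transaction codes, networks, business hours, and attribute names are constructed assumptions, not real SAP role or transaction names.

```python
"""Single policy for ITAR technical data: role gate plus contextual attributes.

Added example; it is not Appsian or SAP code. Roles, transaction codes,
networks, hours and attribute names are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_MASKED = "allow-masked"   # page renders, ITAR fields masked
    STEP_UP_MFA = "step-up-mfa"     # transaction continues only after MFA
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset[str]
    us_person: bool        # ITAR U.S. person: citizen, permanent resident, protected individual
    itar_certified: bool   # completed ITAR training (assumed organizational attribute)


@dataclass(frozen=True)
class Context:
    src_ip: str
    managed_device: bool
    ts: datetime                # local time of the request
    mfa_verified: bool = False  # set after a successful step-up challenge


@dataclass(frozen=True)
class Request:
    tcode: str          # transaction code (constructed names, not real SAP tcodes)
    itar_data: bool     # object carries USML technical data
    exports_data: bool  # download / export to file


TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ROLE_TCODES = {  # stands in for the static SAP role
    "ENGINEER": {"ITAR_BOM_DISPLAY", "ITAR_BOM_CHANGE", "ITAR_BOM_EXPORT"},
    "HR_ADMIN": {"DIRECT_DEPOSIT_CHANGE"},
}
HIGH_RISK_TCODES = {"ITAR_BOM_CHANGE", "DIRECT_DEPOSIT_CHANGE"}


def decide(subj: Subject, ctx: Context, req: Request) -> Decision:
    # 1. RBAC gate: if no role grants the transaction, context cannot help.
    if not any(req.tcode in ROLE_TCODES.get(r, set()) for r in subj.roles):
        return Decision.DENY
    trusted = any(ip_address(ctx.src_ip) in n for n in TRUSTED_NETWORKS)
    in_hours = BUSINESS_HOURS[0] <= ctx.ts.time() <= BUSINESS_HOURS[1]
    strong_context = trusted and ctx.managed_device
    # 2. Foreign persons never reach USML technical data; there is no masked fallback.
    if req.itar_data and not subj.us_person:
        return Decision.DENY
    # 3. DLP: exporting technical data needs certification plus trusted network,
    #    managed device and business hours; otherwise the download is blocked.
    if req.itar_data and req.exports_data and not (
        subj.itar_certified and strong_context and in_hours
    ):
        return Decision.DENY
    # 4. Step-up MFA: high-risk transactions from a weak context re-authenticate.
    if req.tcode in HIGH_RISK_TCODES and not strong_context and not ctx.mfa_verified:
        return Decision.STEP_UP_MFA
    # 5. Dynamic masking: eligible but uncertified users see the page with ITAR fields masked.
    if req.itar_data and not subj.itar_certified:
        return Decision.ALLOW_MASKED
    return Decision.ALLOW


# Constructed scenarios (not real users, networks or data)
ENG_US = Subject("alice", frozenset({"ENGINEER"}), us_person=True, itar_certified=True)
ENG_US_UNCERT = Subject("bob", frozenset({"ENGINEER"}), us_person=True, itar_certified=False)
ENG_FOREIGN = Subject("chen", frozenset({"ENGINEER"}), us_person=False, itar_certified=True)
HR = Subject("dana", frozenset({"HR_ADMIN"}), us_person=True, itar_certified=False)
OFFICE = Context("10.4.7.21", managed_device=True, ts=datetime(2021, 8, 11, 10, 30))
HOME = Context("203.0.113.9", managed_device=False, ts=datetime(2021, 8, 11, 21, 5))
HOME_MFA = Context("203.0.113.9", managed_device=False, ts=datetime(2021, 8, 11, 21, 5), mfa_verified=True)
BOM_VIEW = Request("ITAR_BOM_DISPLAY", itar_data=True, exports_data=False)
BOM_CHANGE = Request("ITAR_BOM_CHANGE", itar_data=True, exports_data=False)
BOM_EXPORT = Request("ITAR_BOM_EXPORT", itar_data=True, exports_data=True)
DD_CHANGE = Request("DIRECT_DEPOSIT_CHANGE", itar_data=False, exports_data=False)


def evaluate_scenarios() -> dict[str, str]:
    """Run the constructed scenarios and return label -> decision value."""
    scenarios = {
        "engineer views BOM in office": (ENG_US, OFFICE, BOM_VIEW),
        "foreign engineer views BOM in office": (ENG_FOREIGN, OFFICE, BOM_VIEW),
        "engineer exports BOM from home": (ENG_US, HOME, BOM_EXPORT),
        "engineer changes BOM from home": (ENG_US, HOME, BOM_CHANGE),
        "engineer changes BOM from home after MFA": (ENG_US, HOME_MFA, BOM_CHANGE),
        "uncertified engineer views BOM in office": (ENG_US_UNCERT, OFFICE, BOM_VIEW),
        "HR changes direct deposit from home": (HR, HOME, DD_CHANGE),
        "engineer changes direct deposit in office": (ENG_US, OFFICE, DD_CHANGE),
    }
    return {label: decide(s, c, r).value for label, (s, c, r) in scenarios.items()}
```

Two design choices matter here. The foreign-person check comes before masking and returns a hard deny, because a masked page of USML technical data is still an export to a foreign person; masking is only a fallback for users who are entitled to the data but lack a secondary attribute. And the step-up MFA result is not a final answer: the caller re-runs the same policy with mfa_verified set after the challenge succeeds, so the MFA path and the normal path cannot drift apart.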

Enhance Visibility into ERP Data Access and Usage:

A critical component of ITAR compliance often lacking in SAP is real-time visibility into user behavior around data access and usage. Native SAP logging capabilities were not designed with data security in mind. Appsian360 allows organizations to continuously monitor data access and usage and proactively alerts security teams to anomalous activity, which is particularly useful for ensuring foreign persons are not accessing data they shouldn’t.

Learn How Appsian Helps You Enforce Controls in a Single Policy for Better ITAR Compliance 

What distinguishes ITAR from the data privacy regulations mentioned earlier is the importance it places on citizenship and U.S.-person status, certifications, and network/location attributes. Appsian can help your organization capture these and other attributes and provide the tools for enforcing them in a single policy.

Contact the SAP data security experts at Appsian Security to find out how we can help you leverage policy-based controls to reduce the complexity of relying on RBAC alone and more efficiently achieve ITAR compliance.
