Welcome to today’s webinar
How GDPR Should Change the Way You Test Workday
(we’ll get started shortly)
Shelly Wilson, Product Marketing Manager
Today’s Topics
• What is GDPR?
• How GDPR impacts Workday testing
• Changes needed for compliance
  • Security configuration
  • Security testing
  • Test data
Disclaimers
We are not law experts
This is not legal advice
1,100 KAINOS EMPLOYEES
300+ WORKSMART EMPLOYEES
Damien Taylor, Chief Technology Officer, Kainos WorkSmart
GDPR in 90 Seconds
• Why
• Who must comply
• Who it protects
• Increased accountability
• Increased rights
• Penalties of €20M or 4%
GDPR Article 24: Responsibility of the Controller
"the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
Article 25: Data Protection By Design & By Default
“… measures … which are designed to implement data-protection principles … and to integrate the necessary safeguards into the processing … ensuring that by default personal data are not made accessible without the individual’s intervention”
Article 32: Security of Processing
“measures to ensure a level of security appropriate to the risk … in particular from accidental or unlawful … disclosure of, or access to personal data”
How GDPR Impacts HR Data
Workday Security Configuration: Management Chain
[Org chart: a Senior Manager above two Managers, each with three Executives]
Workday Security Configuration: N-Level/CRBSG
[Same org chart, repeated across three build slides: Senior Manager above two Managers, each with three Executives]
How GDPR Impacts Workday Teams
GDPR Article 32: Security of Processing
“… a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Testing Challenges
• Security testing uncommon
• Complexity always increases risk
• Tenant security evolves
• Change = risk of data exposure
Advantages of Security Testing
• Verification, confidence and assurance
• Catch problems quickly
• Demonstrates due diligence
Security Test Strategy
[Diagram labels: Key Security Groups, Key Worker]
In the real world workers can have many responsibilities
Isolate & test security groups on an individual basis
Security Testing Strategy
• Document all tests well
• Follow a formal process for all security configuration changes
• Test weekly
• Test at scale
  • Smart customers execute 60K checks consistently
  • in under 1 hour
  • aligned with GDPR
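As an added example (not from the webinar, Kainos or the Smart product), the following constructed Python model ties the Management Chain versus N-Level/CRBSG configurations shown earlier to the "isolate & test security groups on an individual basis" strategy above: a synthetic org tree (Senior Manager, two Managers, three Executives each) and a check that, for one security group at a time, reports every worker record a viewer can see beyond the documented allowance. The org names, worker IDs, group names and the depth-limit model of a security group are assumptions, not Workday's API.

```python
# Added example, not code from the webinar: a constructed model of a
# supervisory-org tree and two visibility policies, used to test one
# security group at a time. Nothing here calls Workday itself.

# Constructed synthetic org tree; org names and worker IDs are made up.
ORG_TREE = {
    "Leadership": {"manager": "SM-1", "workers": [], "sub_orgs": ["Team A", "Team B"]},
    "Team A": {"manager": "M-A", "workers": ["E-A1", "E-A2", "E-A3"], "sub_orgs": []},
    "Team B": {"manager": "M-B", "workers": ["E-B1", "E-B2", "E-B3"], "sub_orgs": []},
}

# Security groups under test, modelled as a depth limit (an assumption):
# None = unconstrained management chain (whole subtree), n = N-level constrained.
GROUPS = {"HR Partner (Management Chain)": None, "HR Partner (1-Level)": 1}

def visible_workers(tree, viewer, max_depth=None):
    """Worker IDs whose records `viewer` can see under the given depth limit."""
    seen = set()
    stack = [(name, 1) for name, org in tree.items() if org["manager"] == viewer]
    while stack:
        name, depth = stack.pop()
        if max_depth is not None and depth > max_depth:
            continue                        # beyond the N-level boundary
        seen.update(tree[name]["workers"])  # workers in this org
        for sub in tree[name]["sub_orgs"]:
            seen.add(tree[sub]["manager"])  # sub-org manager sits at this depth
            stack.append((sub, depth + 1))
    return seen

def audit_group(tree, max_depth, expected):
    """Test one security group in isolation: for every viewer in `expected`,
    compare what they can actually see with the documented allowance.
    Returns (checks_run, exposures); each exposure is (viewer, worker_id)."""
    checks, exposures = 0, []
    for viewer, allowed in expected.items():
        for worker in sorted(visible_workers(tree, viewer, max_depth)):
            checks += 1
            if worker not in allowed:
                exposures.append((viewer, worker))
    return checks, exposures

# Documented expectation for this tenant: managers may see direct reports only.
EXPECTED = {"SM-1": {"M-A", "M-B"}, "M-A": {"E-A1", "E-A2", "E-A3"},
            "M-B": {"E-B1", "E-B2", "E-B3"}}

if __name__ == "__main__":
    for group, depth in GROUPS.items():
        checks, exposures = audit_group(ORG_TREE, depth, EXPECTED)
        print(f"{group}: {checks} checks, {len(exposures)} exposures: {exposures}")
```

Run against the constructed tree, the management-chain group surfaces the Senior Manager's access to all six Executives as exposures, while the 1-Level group reports none; the per-check records are what a documented, weekly run would retain as evidence.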
How GDPR Affects Test Execution
GDPR Article 5: Purpose Limitation Principle
"… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes …"
Article 5: Integrity & Confidentiality Principle
“… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing …”
Test Data & GDPR
Production Tenant
SBX Tenant
SBX Preview Tenant
Manual testers test on REAL worker data
Testers have MORE access to data in test tenants
Test Data & GDPR: Compliance options
1. Replicate Production security on SBX and SBX Preview
2. Scramble data
3. Test using synthetic data
Note: Strongly recommend that you do not relax security configuration on SBX and SBX Preview
GDPR Option 1: Replicate Production Security on SBXs
Pros
• Controlled access
• 100% of testing
Cons
• Testing can only be performed by key people in key roles
• Limited value from tenant, e.g. cannot be used for training
GDPR Option 2: Scramble Data on SBXs
Pros
• 100% of testing
• GDPR does not apply to scrambled data
Cons
• Difficult & time consuming
• Can’t scramble history
• Lose data integrity
• Different data each week
• Regression testing is difficult
Option 3: Synthetic Data
Data that is artificial but looks and behaves like real data for the purposes of testing and training
GDPR Option 3: Synthetic Data (with Synthetic Org)
Pros
• GDPR does not apply to synthetic data
• QA teams only need access to synthetic Org
• Can create rich scenarios and history
• Consistent data weekly
• Key staff members can focus on day job
• Suitable for training
• Can be automated
Cons
• Time consuming (if doing manually)
• Some testing may not be possible using synthetic orgs
In Summary
Explore an N-Level security configuration
Start security testing
Use synthetic workers for testing
Next Webinar
Workday & GDPR: Reducing Risk & Data Exposure Thru Smart™ Automated Testing, May 22, 2018
https://bit.ly/2rxjdwV
Survey: https://www.surveymonkey.co.uk/r/BDMW3JW
Workday, GDPR & You: A Benchmarking Survey
Thanks for coming.