

Date:
Time: 1 PM
Duration: 30 minutes
Location: Zoom
Attendees:
Project/Program: Security Assessment remediation - SAR
Project Board: ITS PMO
Log Time: OTL
Objective(s)
  • Implement SAR Remediations

Notes: 


Speaker | Description | Notes
SAR SAR Implementation Strategy
  • There are a total of 130 items listed by Cynergistik, out of which 34 are deemed Very and High priority items

Remediate Production Data in Non-Prod environments
  • We do not mask the data in non-prod environments
  • Tools are available to mask the data. Since no budget is allocated for this purpose in the current budget cycle, it has to be a future endeavor if there is a business case for it
  • For the short term, treat the non-prod environment the same as the prod environment and apply the same access policy to it as in prod

Action Item:

  • Identify differences between Prod and Non-Prod environment configurations - Ashish Pandit

RA16/SAR-18 Production data usage


Data Classification is not defined
  • Currently, P4 data is classified in HANA by separating how it is stored. This can be used as a basis for the P4 data classification.
  • P1-P3 data is provisioned together and can be treated as one classification
  • The iPaaS platform logs data in respective log files that get aggregated to Splunk
  • Through Splunk, the security team should be able to search Splunk logs for anomalies during a specific time. That should be sufficient for the data flow classification requirement

HANA Data access
  • Need to discuss separately with Judy and Mike regarding possible solutions