Three Steps towards GDPR Compliance

In our last post we already talked about EU Regulation 2016/679 on data protection, which takes effect at the end of May 2018.

We stated that Enterprise Architecture Management (EAM) tools are a natural starting point for collecting and managing the data that are necessary for GDPR compliance.

In order to use this starting point properly we proposed a three-step approach. Today, we would like to go a little further and describe these three steps.

Step 1 – Inform

First of all, it is necessary to get to know the GDPR regulation and its requirements from both a legal and an IT point of view. This can be done in a one-day workshop.

Such a “GDPR Briefing” workshop should at least have the following items on the agenda:

  • Introduction to the topic of GDPR in a holistic manner
    • Legal perspective
    • Organizational perspective
    • IT perspective
  • Discuss the “need for action” for the company and identify main points
  • Derive first top-level recommendations for GDPR compliance implementation

We offer these GDPR Briefing workshops in cooperation with lawyers.

Step 2 – Define

In the next step the different perspectives of GDPR should be considered in more detail. On the legal side this means changes to contracts or end-user license agreements; on the organizational side it means establishing new roles (e.g. a data protection officer) and overhauling business processes, especially those facing end users. On the IT side, the readiness of the existing IT landscape for GDPR needs to be checked:

  • Analysis of the IT landscape regarding GDPR (in particular Article 30)
  • Evaluation of the GDPR Readiness from the perspective of IT
  • Recommendations for the implementation of GDPR with focus on IT

These “GDPR Readiness Checks” are usually performed as short projects and are used to prepare the final step.

Step 3 – Realize

Finally, recommendations and defined measures need implementation. This should be based on a project plan derived from a “GDPR Readiness Check” and encompasses points like:

  • Set up and enhance the EAM tool for the GDPR use case
  • Import the necessary data
    • Applications and how they process business data
    • Servers where applications are deployed and their physical location
    • How applications support business capabilities and organizational units
  • Automate updates for these data in the EAM tool
  • Name responsibilities and incorporate the EAM tool in GDPR compliance processes
  • Train the people responsible for GDPR

When it comes to the setup of an EAM tool as the “golden source” for GDPR compliance there is always one reason that hinders quick results – the amount of data to be collected about the existing IT landscape.

We offer various “remedies” for this particular obstacle: tools which automatically read a specific part of the IT landscape and make it visible in EAM tools – and thus accountable in terms of GDPR:

  • Landscape Analyzer for SAP: This tool reads the basic data about entire ABAP-based SAP landscapes (systems, clients, interfaces). We are currently working on an enhancement to also gather interfaces between SAP systems and non-SAP systems using SAP PI.
  • AWS integration: Servers running as virtual machines in the Amazon cloud (the Elastic Compute Cloud [EC2] service of Amazon Web Services) can be read via this tool and automatically imported into an EAM tool.


Do you have questions or comments? Feel free to let us know what you think about this approach and whether it makes sense to you. Let us know if you have questions the post did not cover deeply enough. We’re glad to help: sales(at)cti-consulting.de.

Realize GDPR Compliance with Enterprise Architecture Management

Data protection becomes more and more important in a world where many aspects of life are supported by IT systems that process personal data, run by a large number of organizations.

General Data Protection Regulation (GDPR)

With Regulation (EU) 2016/679 of the European Parliament and of the Council, data protection becomes a prominent issue for all organizations operating inside the European Union. That is because both the rights of individuals to information from organizations and the obligations of organizations for reporting and disclosure have been extended. Some examples:

  • Consent: Stronger conditions apply as to how consent about personal data processing is given.
  • Breach notification: Loss, theft or unauthorized access to personal data must be reported.
  • Subject access: Data subjects can demand to be told whether an organization processes their personal data, or demand that their data be ported to another provider.
  • Right to be forgotten: Data subjects can demand that their data be erased or that the processing of their data be restricted.
  • Data governance: Measures to ensure data governance must be put in place, e.g. privacy impact assessments (PIA), audits, or the appointment of a data protection officer.

Disregard of the new legislation can lead to severe penalties. GDPR Article 83 provides for fines of up to 20 million euros or up to 4 % of the total worldwide annual turnover.

In order to reach compliance with GDPR, a lot of information about all data handling activities and the data processed needs to be collected, analyzed and made accessible. Action must be taken now, as the regulation comes into force on May 25th 2018.

Enterprise Architecture Management supports GDPR Compliance

Enterprise Architecture Management (EAM) is the part of IT management that deals with documenting the existing IT landscape, defining standards and planning the future IT landscape. As this task requires collecting and maintaining a lot of metadata about the IT of an organization, EAM is usually tool-based.

EAM tools like Alfabet (Software AG) or LeanIX (LeanIX GmbH) can support organizations in gaining GDPR compliance for various reasons.

First of all, these tools already come with a lot of information about the IT that is relevant for GDPR:

  • Documented applications show where (inside and outside of an organization) data are processed and how.
  • Information Flows describe how data are exchanged between applications.
  • Catalogues for business data define categories of data used by applications and business processes.

Such repositories are easily amended with the information specific for GDPR and thus lead to a much more complete view of an organization’s IT processing activities.

EAM tools also provide strong reporting capabilities. Alfabet, for instance, offers among others the following reports and views:

  • Applications and their interrelation via information flows can be made visible using information flow diagrams.
  • Data processing activities (create, read, update, delete) are listed in so-called CRUD matrices.

Example of a CRUD matrix in Alfabet


Methodical Setup of GDPR compliance

We support your organization in realizing GDPR compliance in a three-step approach:

  1. Inform: Get to know the GDPR regulation and its requirements from the legal and IT point of view in a one-day workshop.
  2. Define: Define the measures that need to be taken based on your individual requirements (e.g. how to configure EAM tools to provide information needed for GDPR, how to change processes to incorporate GDPR steps, etc.).
  3. Realize: We help you to implement the measures defined in step 2. Among other things: We set up and enhance your EAM tool for the GDPR use cases from step 2 and import the necessary data. We offer various tools to automate the retrieval of data about the IT landscape, e.g. our Landscape Analyzer for SAP systems and our integration with Amazon Web Services (AWS).


Would you like to know more…? For further information, please visit our web page on GDPR. Feel free to contact us: sales(at)cti-consulting.de.

The Roadmap to Digitalization – Episode 6: How to Integrate the AWS Cloud in Enterprise Architecture Management

Digital transformation or digitalization is widely discussed today. Digitalization offers an abundance of products based on new technologies and technological platforms that possess the capability to reshape business processes, organizational structure and ways of working. It holds the power to reshape complete business models or even overall market situations.

One main element of digitalization is cloud computing: using IT resources (CPU time, storage, etc.) only to the extent necessary at a given point in time. Enterprise architecture management (EAM) needs to include the resources used in the cloud (be it a private, public or community cloud) to prevent uncontrolled growth of the IT landscape. Measures to govern the usage of cloud services should, or rather need to, be implemented. Today, we’d like to show you how.

Get Architecture Information from AWS

Cloud services like Microsoft Azure, OpenStack or Amazon Web Services (AWS) offer APIs by which many different cloud resources can be created and managed.

We had a closer look at AWS. Its API allows control of instances (virtual servers), virtual machine images, volumes, hosts, network infrastructure, etc. For our first implementation, we concentrated on the instances, to be exact, on the AWS Elastic Compute Cloud (EC2) instances. These are the resources our customers are most likely to use, e.g. when moving applications from on-premises servers to instances in the cloud.

We created a command line tool that runs regularly, requests the instance information from the cloud provider and stores it in a standardized format.

Integrate with Enterprise Architecture Management

Based on that, an automated import job loads the information into Alfabet. Alfabet is a powerful EAM tool that we use frequently in customer EAM projects. Alfabet provides an object type called “device” that represents a server on which an application can be deployed. We used this object type to describe the AWS instances in the realm of Alfabet:


Imported AWS EC2 instance

The import job also connects the imported instances to the existing IT landscape:

  • Instances are connected to the location where they are running (e.g. “eu-central-1” for the AWS data center in Frankfurt, Germany).
  • Users are assigned to the instances to manage them.
  • A workflow is run to ask the responsible users which applications are running on the instances. This is necessary to link instances and applications, and thus make clear what the instances are used for.
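The retrieval and import described in the two sections above, as an added example that is neither CTI’s command line tool nor Alfabet’s import format: it maps the structure that the EC2 DescribeInstances API returns onto a device record with a location derived from the availability zone (“eu-central-1” for Frankfurt, as in the post), an owner taken from a tag, and an empty application list that the workflow has to fill. The sample response is constructed and embedded so the example runs offline; the device field names and the region-to-location table are assumptions. The live variant uses boto3’s read-only describe call and needs AWS credentials.

```python
"""Map EC2 instance data onto EAM "device" records (added example)."""
import json
import string
from datetime import datetime, timezone

# Constructed sample in the shape of boto3's ec2.describe_instances() response
# (only the keys this example reads are included).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "InstanceType": "t3.medium",
             "State": {"Name": "running"},
             "Placement": {"AvailabilityZone": "eu-central-1a"},
             "LaunchTime": datetime(2017, 5, 2, 9, 30, tzinfo=timezone.utc),
             "Tags": [{"Key": "Name", "Value": "crm-app-01"},
                      {"Key": "Owner", "Value": "jane.doe"}]},
            {"InstanceId": "i-0fedcba9876543210",
             "InstanceType": "m5.large",
             "State": {"Name": "stopped"},
             "Placement": {"AvailabilityZone": "us-east-1b"},
             "LaunchTime": datetime(2018, 1, 15, 12, 0, tzinfo=timezone.utc),
             "Tags": []},
        ]}
    ]
}

# Assumed mapping from AWS region code to the location name used in the EAM tool.
REGION_LOCATIONS = {
    "eu-central-1": "AWS Frankfurt (eu-central-1)",
    "us-east-1": "AWS N. Virginia (us-east-1)",
}


def region_from_az(az):
    """Strip the trailing zone letter: 'eu-central-1a' -> 'eu-central-1'."""
    return az.rstrip(string.ascii_lowercase)


def tag(instance, key, default=None):
    """Return the value of tag `key`, or `default` if the instance lacks it."""
    for t in instance.get("Tags", []):
        if t["Key"] == key:
            return t["Value"]
    return default


def to_device(instance):
    """One EC2 instance -> one device record (field names are assumptions)."""
    region = region_from_az(instance["Placement"]["AvailabilityZone"])
    return {
        "name": tag(instance, "Name", instance["InstanceId"]),
        "external_id": instance["InstanceId"],
        "type": instance["InstanceType"],
        "state": instance["State"]["Name"],
        "region": region,
        "location": REGION_LOCATIONS.get(region, f"AWS {region}"),
        "owner": tag(instance, "Owner"),   # None: the workflow has to ask
        "applications": [],                # filled in by the responsible user
        "launched": instance["LaunchTime"].isoformat(),
    }


def devices_from_response(response):
    """Flatten the Reservations/Instances nesting into a list of devices."""
    return [to_device(i)
            for r in response["Reservations"] for i in r["Instances"]]


def missing_owner(devices):
    """Instances that need a responsible user assigned before import."""
    return [d["external_id"] for d in devices if d["owner"] is None]


def fetch_response(region_name):
    """Live variant: same structure, read via the AWS API (needs credentials).
    DescribeInstances is read-only, so a scheduled run cannot change anything."""
    import boto3  # imported lazily so the offline example does not need it
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return {"Reservations": reservations}


if __name__ == "__main__":
    devices = devices_from_response(SAMPLE_RESPONSE)
    print(json.dumps(devices, indent=2))
    print("instances without an owner tag:", missing_owner(devices))
```

Running the script on the constructed sample yields two device records; the second one has no Name or Owner tag, so it is named by its instance id and turns up in the list of instances that still need a responsible user, which is exactly the gap the post’s workflow step closes.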

The steps above provide transparency about the cloud IT landscape. They are the preliminary work for the “actual” use cases:

  • One could review, for all running applications, whether they can be deployed on a cloud instance or not. This would enhance IT standardization, as cloud services are built on standardized hardware and software platforms.
  • One could import and collect cost information per instance and use this for reporting and budgeting purposes.

Presentation at EAMKON 2017

We will talk about the integration of the Alfabet EAM tool with AWS at the EAMKON 2017 conference in Stuttgart, 30th May 2017. Looking forward to seeing you there!

Would you like to know more…? If you’re interested in the big picture, refer to the first episode of our digitalization blogs; for enterprise architecture management see this list of posts.

Interested? Please contact us: sales(at)cti-consulting.de. For further information, please visit our website.

Custom EAM Reporting with LeanIX

Enterprise Architecture Management (EAM) is one of the most important organizational capabilities these days. As we showed earlier, EAM comprises the necessary methodologies and means for prudent IT landscape planning based on an organization’s strategic (and digital) objectives.

EAM tools offer functionality to collect and correlate information about many aspects of your IT landscape (e.g. applications, components, information flows, business supports, business services, service products) and come with several reports and views to make this abundance of information visible and “digestible”.

Architecture management is most effective when the information collected in the EAM tool can be queried and displayed individually for all intended target groups. Each user (be it CIO, enterprise architect, application owner or anyone else) gets exactly the information about the architecture that is most relevant for their tasks.

LeanIX is a relatively young member of the EAM tool group (compared to tools like Alfabet or ADOit). It is developed by the Germany-based LeanIX GmbH, is based on a very compact meta-model and is completely web-based.

It offers several reporting capabilities out of the box, e.g. application and project portfolios, cost reports, application and component landscapes, matrices and roadmaps and even a free-drawing capability.

Beyond that, LeanIX can be customized for the individual questions of an organization. It comes with an open interface (API) based on common web technologies (JavaScript, JSON etc.) which is used to integrate custom-developed reports and dashboards.

Custom LeanIX report (image)

For example: An IT transition project might need a specific view of only a section of the IT landscape, or one would like to analyze specific information about some applications (is the application business critical, which data protection requirements should the application fulfil etc.) in preparation for an IT project (as shown in the picture above).

We support you in designing your EAM reporting: As a certified LeanIX partner we help you identify the information needs of the various user groups, design the report, realize it and integrate it into your LeanIX workspace. Feel free to contact us: sales(at)cti-consulting.de. For further information, please also visit our website.

SUCCESS STORY – Service Portfolio Management with alfabet: First Implementation successfully completed!

The first implementation of alfabet’s service portfolio management module at one of our customers is now completed.

The customer manages, for example, the following information in alfabet:
– services and interdependencies between services
– service descriptions
– roles and responsibilities
– service lifecycle
– service costs and cost centers
– service prices for different countries

Interested? Please contact us: info(at)cti-consulting.de


CTI’s Landscape Analyzer for SAP with new Standard Interface for leanIX

CTI’s Landscape Analyzer for SAP provides a new out-of-the-box interface for leanIX.
It allows you to import your SAP system landscape into leanIX based on our best practice approach for modelling SAP.
The interface can also be customized according to your company’s individual requirements – e.g. if you are working with another mapping of SAP to the leanIX metamodel.

Interested? Please contact us: sales(at)cti-consulting.de

For more information about the Landscape Analyzer for SAP visit our Homepage.
