Deployment guidelines for GDPR readiness

Information to help your organization with GDPR readiness.

This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Netcool Operations Insight® that you can configure, and aspects of the product’s use, to consider for GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.

The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

GDPR

General Data Protection Regulation (GDPR) has been adopted by the European Union (EU) and applies from May 25, 2018.

Why is GDPR important?
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
  • New and enhanced rights for individuals
  • Widened definition of personal data
  • New obligations for companies and organizations handling personal data
  • Potential for significant financial penalties for non-compliance
  • Compulsory data breach notification

Product Configuration - Considerations for GDPR Readiness

Data handling in Netcool® Operations Insight

In Netcool Operations Insight, data resides in the following databases or directory services:
  • The customer's directory service, or the Lightweight Directory Access Protocol (LDAP). The customer should manage users, passwords, and other attributes in their own directory service (or LDAP), and integrate Netcool Operations Insight with LDAP by using the integration functionality provided by the application server.
In addition, user data and configuration data can be located in other files, for example:
  • Other resource or property files. They can be configured or updated when users want to isolate credential or configuration information in these files to add more protection.
  • Log files. Some log files that are generated by Netcool Operations Insight might contain personally identifiable information (PII) for debugging purposes. A user (user name) can often be identified as the author of certain actions that are traced or logged. Aside from the user name, no PII should be in the log files, but the customer must verify their content.

Data privacy and security

The customer is responsible for the data privacy and security of their LDAP and should follow secure privacy and data protection guidelines.

General privacy and security rules

  • Access control must be effective and enforced properly.
  • Credentials must be strong.
  • Default passwords should be removed or at least changed.

Customer's directory service

  • Access control must be effective and enforced properly.
  • Encryption or hashing of credential information, such as passwords, should be implemented or configured.
  • Backups and restoration tests must be conducted regularly.

Databases

  • Secure the connection between the application and the database.
  • Access control must be in place and effective.
  • Credentials must be strong.
  • Encryption should be implemented at database or file system level.
  • Backups and restoration tests should be conducted regularly.

Personally identifiable information (PII) in files

Any PII, credential information, or configuration information that is personal or sensitive should be isolated in specific files. Files that might contain PII, such as resource or property files, must be protected by setting file permissions. Implementing additional controls, such as access controls, logging, or encryption, is required to provide an appropriate level of protection.
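The two points above, that log files must be checked for PII beyond the user name and that property files holding sensitive data must be locked down with file permissions, are both routine audit tasks. The following script is an added example written for this page; it is not part of Netcool Operations Insight and does not reflect its actual log format. It scans log lines for PII-like tokens (email addresses, IPv4 addresses, phone numbers) while leaving bare user names alone, and it reports any group/other permission bits on a file that should be owner-only. The sample log lines are constructed, and the regular expressions are heuristics to be tuned for your own formats.

```python
import os
import re
import stat

# Constructed sample lines in the general shape of an application log.
# They are NOT real Netcool Operations Insight output.
SAMPLE_LOG_LINES = [
    "2020-12-01 10:15:02 INFO  user=jsmith action=acknowledge event=12345",
    "2020-12-01 10:15:09 DEBUG contact=jane.smith@example.com phone=+1-555-0100",
    "2020-12-01 10:16:00 INFO  probe connected from 192.0.2.10",
]

# Heuristic patterns for PII-like tokens other than the user name, which the
# page treats as an expected part of action logging. Tune for your own formats.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # International-style phone numbers such as +1-555-0100; the lookarounds
    # keep timestamps like 2020-12-01 from matching.
    "phone": re.compile(r"(?<!\d)\+?\d{1,3}-\d{3}-\d{4}(?!\d)"),
}


def find_pii(line):
    """Return [(kind, token), ...] for every PII-like token in one log line."""
    findings = []
    for kind, pattern in PII_PATTERNS.items():
        for match in pattern.finditer(line):
            findings.append((kind, match.group(0)))
    return findings


def scan_lines(lines):
    """Map 1-based line numbers to their findings; lines with none are omitted."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = find_pii(line)
        if findings:
            report[number] = findings
    return report


def insecure_mode_bits(mode):
    """Name the group/other permission bits set on a file mode (st_mode or octal).

    A property or log file that may hold PII or credentials should normally be
    readable and writable by its owner only (mode 0600).
    """
    checks = [
        (stat.S_IRGRP, "group-readable"),
        (stat.S_IWGRP, "group-writable"),
        (stat.S_IROTH, "other-readable"),
        (stat.S_IWOTH, "other-writable"),
    ]
    return [name for bit, name in checks if mode & bit]


def audit_file(path):
    """Audit one file on disk: permission problems plus PII-like tokens per line."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as handle:
        lines = handle.read().splitlines()
    return {"permissions": insecure_mode_bits(mode), "pii": scan_lines(lines)}


if __name__ == "__main__":
    # Run the scanner over the constructed sample and show a permission check.
    for number, findings in scan_lines(SAMPLE_LOG_LINES).items():
        for kind, token in findings:
            print(f"line {number}: {kind}: {token}")
    print("mode 0644 problems:", insecure_mode_bits(0o644))
```

Run `audit_file()` over the actual log and property files of a deployment to get both reports in one pass; any non-empty `permissions` list or `pii` entry is a finding to review, not an automatic violation, since an IP address is only personal data when it can be linked to an individual.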

Netcool Operations Insight

For Netcool Operations Insight, the security framework provides various security functions, such as:
  • Authenticating and authorizing users
  • Protecting system resources
  • Logging accesses to protected systems and resources
  • Certificate management

Data lifecycle

Netcool Operations Insight processes the following types of personal data:

  • Authentication credentials (such as user names and passwords)
  • Basic personal information (such as name, address, phone number, and email)
  • Technically identifiable personal information (such as device IDs, usage-based identifiers, and static IP addresses, when linked to an individual)

This offering is not designed to process any special categories of personal data.

Netcool Operations Insight users can provide personal data through online comments/feedback/requests, as in the following examples:

  • Public comments area on pages of Netcool Operations Insight documentation in IBM Documentation
  • Public comments in the Netcool Operations Insight space of dWAnswers
  • Feedback forms in the Netcool Operations Insight community

Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.

Draft comment: DEIRDRELAWTON
Updated Dec 2020

Data collection

In general, the data used for basic authentication is provided by the customer's directory service or LDAP. This data is required when the customer uses Netcool Operations Insight. LDAP is managed outside of Netcool Operations Insight, and any changes are synchronized with Netcool Operations Insight.

Databases are provisioned by the customer. Netcool Operations Insight stores event data in these databases. The databases evolve with the deployment of services:
  • The databases must be maintained throughout the lifecycle of the product use.
  • Data must be backed up regularly, based on the customer's business needs and risk level.
  • When Netcool Operations Insight is no longer used, the databases can be securely deleted or backed up for future use. The customer is responsible for deleting and backing up the databases.
  • As a data controller, the customer should provide means to satisfy data access requests for personal information or other compliance requests.

Netcool Operations Insight requires basic personal data for authentication in its applications.

In Netcool Operations Insight, certain user information is collected, including:
  • User name
  • User's role and assigned permissions
User activities can be tracked during rule authoring and governance phases.

Data storage

The databases and LDAP should be protected by using appropriate security controls. This includes but is not limited to:
  • Encryption at rest, with keys stored separately in a secure location with a key management tool. For more information, see the Db2® documentation: https://www.ibm.com/docs/en/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c_encrypt_static.html
  • Access controls to the databases.
  • The customer's IT infrastructure and security topology should implement:
    • Tracking and logging of user activities
    • A security information and event management (SIEM) system to monitor the connections and security events
  • Encryption of the data backups

Data access

The customer should implement protective measures concerning data access.
  • Access control to databases should be in place and effective. The customer should consider implementing certain protections, including:
    • Use of HTTPS for all the connections
    • Use of basic authentication or other authentication methods
    • Proper authorization, so that only authorized roles can use the corresponding API

Data processing

The following security guidelines apply by default when invoking the REST APIs of Netcool Operations Insight:
  • HTTPS with secure ciphers should be used.
  • The security infrastructure should protect against denial-of-service (DoS) attacks.

Data processing activities, with regard to personal data within this offering, include the following:

  • Receipt of data from data subjects and/or third parties
  • Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required
  • Storage and associated deletion of data
This offering can integrate with the following IBM offerings, which might process personal data content:
  • IBM WebSphere® Application Server
  • IBM Db2
  • IBM Security Directory Server

Data deletion

Right to Erasure

Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors - without undue delay - under a set of circumstances.

The customer should implement appropriate controls and tools to satisfy the right to erasure.

The Netcool Operations Insight offering does not require any special method for data deletion. The customer is responsible for implementing appropriate methods for their storage media to securely delete data, which includes media zeroization if necessary. The customer is also responsible for deleting data.

Data monitoring

The customer should regularly test, assess, and evaluate the effectiveness of their technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, centralized security logging, and monitoring among others.

Responding to data subject rights

The personal data stored and processed by Netcool Operations Insight falls under the following categories:
  • Basic personal data, such as names, user names, and passwords
  • Technically identifiable personal information, such as IP addresses and hostnames to which user activity could potentially be linked
This data is essential to the operation of an effective monitoring system. The customer should consider and implement methods so that they can respond to a request to:
  • Delete data
  • Correct data
  • Modify data
  • Extract specific data for export to another system
  • Restrict the use of the data within the overall system, securely and responsibly

GDPR PDFs

Each of the following PDF documents presents considerations for General Data Protection Regulation (GDPR) readiness. A PDF document is provided for each product in the Netcool suite.

Table 1. GDPR documentation

  Product or component                     PDF
  IBM Agile Service Manager                here
  IBM Operations Analytics - Log Analysis  here
  IBM Tivoli® Netcool/Impact               here
  IBM Tivoli Netcool/OMNIbus               here
  IBM Tivoli Netcool Configuration Manager here
  IBM Tivoli Network Manager               here

For PDFs of other products in the Netcool suite, see: GDPR readiness