Deployment guidelines for GDPR readiness
Information to help your organization with GDPR readiness.
This document is intended to help you in your preparations for GDPR readiness. It provides information about features of IBM Netcool Operations Insight® that you can configure, and aspects of the product’s use, to consider for GDPR readiness. This information is not an exhaustive list, due to the many ways that clients can choose and configure features, and the large variety of ways that the product can be used in itself and with third-party applications and systems.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.
The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM® does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
GDPR
General Data Protection Regulation (GDPR) has been adopted by the European Union (EU) and applies from May 25, 2018.
GDPR establishes a stronger data protection regulatory framework for processing of personal data of individuals. GDPR brings:
- New and enhanced rights for individuals
- Widened definition of personal data
- New obligations for companies and organizations handling personal data
- Potential for significant financial penalties for non-compliance
- Compulsory data breach notification
Product Configuration - Considerations for GDPR Readiness
Data handling in Netcool® Operations Insight
In Netcool Operations Insight, data resides in the following databases or directory services:
- The customer's directory service, or the Lightweight Directory Access Protocol (LDAP). The customer should manage users, passwords, and other attributes in their own directory service (or LDAP), and integrate Netcool Operations Insight with LDAP by using the integration functionality provided by the application server.
- Other resource or property files. They can be configured or updated when users want to isolate credential or configuration information in these files to add more protection.
- Log files. Some log files that are generated by Netcool Operations Insight might contain personally identifiable information (PII) for debugging purposes. A user (by user name) can often be identified as the author of a particular action that is traced or logged. Aside from the user name, no PII should be present in the log files, but the customer must verify their content.
Data privacy and security
The customer is responsible for the data privacy and security of their LDAP and should follow secure privacy and data protection guidelines.
General privacy and security rules
- Access control must be effective and enforced properly.
- Credentials must be strong.
- Default passwords should be removed or at least changed.
Customer's directory service
- Access control must be effective and enforced properly.
- Encryption or hashing of credential information, such as passwords, should be implemented or configured.
- Backups and restoration tests must be conducted regularly.
Databases
- Secure the connection between the application and the database.
- Access control must be in place and effective.
- Credentials must be strong.
- Encryption should be implemented at database or file system level.
- Backups and restoration tests should be conducted regularly.
Personally identifiable information (PII) in files
Any PII, credential information, or configuration information that is personal or sensitive should be isolated in specific files. Files that might contain PII, such as resource or property files, must be protected by setting file permissions. Implementing additional controls, such as access controls, logging, or encryption, is required to provide an appropriate level of protection.
Netcool Operations Insight
For Netcool Operations Insight, the security framework provides various security functions, such as:
- Authenticating and authorizing users
- Protecting system resources
- Logging accesses to protected systems and resources
- Certificate management
Data lifecycle
Netcool Operations Insight processes the following types of personal data:
- Authentication credentials (such as user names and passwords)
- Basic personal information (such as name, address, phone number, and email)
- Technically identifiable personal information (such as device IDs, usage-based identifiers, static IP addresses, etc. - when linked to an individual)
This offering is not designed to process any special categories of personal data.
Netcool Operations Insight users can provide personal data through online comments/feedback/requests, as in the following examples:
- Public comments area on pages of Netcool Operations Insight documentation in IBM Documentation
- Public comments in the Netcool Operations Insight space of dWAnswers
- Feedback forms in the Netcool Operations Insight community
Typically, only the client name and email address are used, to enable personal replies for the subject of the contact, and the use of personal data conforms to the IBM Online Privacy Statement.
Data collection
In general, the data used for basic authentication is provided by the customer's directory service or LDAP. This data is required when the customer uses Netcool Operations Insight. LDAP is managed outside of Netcool Operations Insight, and any changes are synchronized with Netcool Operations Insight.
Databases are provisioned by the customer. Netcool Operations Insight stores event data in these databases. The databases evolve with the deployment of services:
- The databases must be maintained throughout the lifecycle of the product use.
- Data must be backed up regularly, based on the customer's business needs and risk level.
- When Netcool Operations Insight is no longer used, the databases can be securely deleted or backed up for future use. The customer is responsible for deleting and backing up the databases.
- As a data controller, the customer should provide means to satisfy data access requests for personal information or other compliance requests.
Netcool Operations Insight requires basic personal data for authentication in its applications.
In Netcool Operations Insight, certain user information is collected, including:
- User name
- User's role and assigned permissions
Data storage
- Encryption at rest, with keys stored separately in a secure location with a key management tool. For more information, see the Db2® documentation: https://www.ibm.com/docs/en/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c_encrypt_static.html
- Access controls to the databases.
- The customer's IT infrastructure and security topology should implement:
  - Tracking and logging of user activities
  - A security information and event management (SIEM) system to monitor the connections and security events
  - Encryption of the data backups
Data access
- Access control to databases should be in place and effective. The customer should consider implementing certain protections, including:
  - Use of HTTPS for all the connections
  - Use of basic authentication or other authentication methods
  - Proper authorization, so that only authorized roles can use the corresponding API
Data processing
The following security guidelines apply by default when invoking the REST APIs of Netcool Operations Insight:
- HTTPS with secure ciphers should be used.
- The security infrastructure should protect against DoS attacks.
Data processing activities, with regards to personal data within this offering, include the following activities:
- Receipt of data from data subjects and/or third parties
- Computer processing of data, including data transmission, data retrieval, data access, and network access to allow data transfer if required
- Storage and associated deletion of data
- IBM WebSphere® Application Server
- IBM Db2
- IBM Security Directory Server
Updated Dec 2020
Data deletion
Right to Erasure
Article 17 of the GDPR states that data subjects have the right to have their personal data removed from the systems of controllers and processors - without undue delay - under a set of circumstances.
The customer should implement appropriate controls and tools to satisfy the right to erasure.
The Netcool Operations Insight offering does not require any special method for data deletion. The customer is responsible for implementing appropriate methods for their storage media to securely delete data, which includes media zeroization if necessary. The customer is also responsible for deleting data.
Data monitoring
The customer should regularly test, assess, and evaluate the effectiveness of their technical and organizational measures to comply with GDPR. These measures should include ongoing privacy assessments, threat modeling, centralized security logging, and monitoring among others.
Responding to data subject rights
- Basic personal data, such as names, user names, and passwords
- Technically identifiable personal information, such as IP addresses and hostnames to which user activity could potentially be linked
- Delete data
- Correct data
- Modify data
- Extract specific data for export to another system
- Restrict the use of the data within the overall system, securely and responsibly
GDPR PDFs
Each of the following PDF documents presents considerations for General Data Protection Regulation (GDPR) readiness. A PDF document is provided for each of the following products or components in the Netcool suite:
- IBM Agile Service Manager
- IBM Operations Analytics - Log Analysis
- IBM Tivoli® Netcool/Impact
- IBM Tivoli Netcool/OMNIbus
- IBM Tivoli Netcool Configuration Manager
- IBM Tivoli Network Manager