The document discusses SuccessFactors' Safe Harbor certification and data security measures. Safe Harbor certification ensures that data transferred from the EU to the US complies with European privacy standards. It requires organizations to follow seven principles around data use, access, security, and enforcement. SuccessFactors has obtained Safe Harbor certification, protecting EU customer data and allowing legal claims to be heard in the US. The company also implements security controls like encryption, access controls, monitoring, and physical security at IBM data centers to safeguard customer information.
SuccessFactors Workforce Performance Management

What is Safe Harbor Certification?

Based on the European Commission's October 1998 directive, which prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection, Safe Harbor certification provides a streamlined means for US organizations to comply with the Directive, with a certification process developed by the US Department of Commerce in consultation with the European Commission. The Safe Harbor process, approved by the European Union (EU) in 2000, is an important way for US companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the safe harbor standards assures EU organizations that a US company provides "adequate" privacy protection, as defined by the October 1998 Directive.

Safe Harbor certified organizations must comply with the seven safe harbor principles. The principles require the following:

Notice: Organizations must notify individuals about the purposes for which they collect and use information about those individuals. Organizations must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which the organization discloses the information, and the choices and means the organization offers for limiting its data use and disclosure.

Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit opt-in choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Onward Transfer (Transfers to Third Parties): To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such a third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

Access: Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data integrity: Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

Enforcement: In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants, and safe harbor benefits will no longer be assured.
Value of Safe Harbor Certification for our Customers

Safe Harbor certification provides a number of important benefits to US and EU firms. Benefits for SuccessFactors customers include:
o All Member States of the European Union are bound by the European Commission's finding of adequacy, so any information stored on SuccessFactors' system is compliant with data privacy laws in all countries in the European Union.
o The data flow of all data stored on SuccessFactors' system will not be interrupted due to European Privacy Law violations.
o Should a data privacy violation claim be brought by a European citizen against SuccessFactors and/or your company, it will be heard in the US, subject to limited exceptions.

You can view SuccessFactors' Safe Harbor Certification online by searching for Success Acquisition Corporation at the US Department of Commerce web site: http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list

SuccessFactors Safe Harbor Certification

SuccessFactors is Safe Harbor Certified by the US Department of Commerce to be in compliance with EU Regulations on data privacy. Our security (data encryption, passwords) and our permissions management functionality combined provide our users with total control over access to sensitive data (including data that Works Councils have the right to restrict or control access to and use of) and how that data is used in the process. Works Council and employee privacy rights issues are fully addressable in the configuration process (e.g., a process step to secure employee consent to the capture and storage of information can be inserted).

Security Overview

SuccessFactors delivers an integrated suite of applications that allows the entire Workforce Performance Management process to be conducted in a secure yet easy to use and intuitive fashion.
Application level security controls are put in place on multiple levels.
o The SuccessFactors suite is built on a robust, industry standard architecture utilizing JAVA and J2EE technologies.
o Desktop security and encryption prevent unauthorized access.
o Access controls restrict access to critical data based on configurable rules.
o Security against external threats, such as hackers, protects data.
o 24x7x365 intrusion monitoring by IBM helps to ensure that any significant security threat is discovered and resolved immediately.

IBM data centers provide physical security for the best possible security of customer data. IBM provides redundant connectivity, data backups, and disaster recovery to ensure that the application and customer data are accessible.
Application Level Security

Application level security is critical to ensuring that only authorized users are able to access data. The most fundamental application level security precaution is the robust, flexible design of the application itself, which allows users to configure workflow and access control while preventing access by malicious parties. Additional application level security measures have been implemented to ensure comprehensive security of critical customer data.
Robust, industry standard architecture - the application utilizes JAVA and the J2EE industry standard. Integration is supported through .CSV, XML and SOAP Web Service standards. The application is portable to any platform and is deployed on Sun One Web Servers, BEA Application Servers, Oracle Database Servers and Veritas High Availability Cluster Servers, and utilizes Cisco Networking.

Desktop security and encryption - ensure security in user desktop access.
o Safe desktops - SuccessFactors delivers only pure HTML and JavaScript, so desktops do not require any changes or special permissions.
o Session timeouts - SuccessFactors times out user sessions if the application is left inactive for thirty minutes.
o Encryption to the desktop - every page of the SuccessFactors Application is delivered via SSL. The only port enabled in the SuccessFactors infrastructure is port 443 for SSL. No HTTP or port 80 traffic is allowed.

Access controls - allow administrators to configure rules that allow line of sight of goal alignment for management but restrict access at the lower levels.

Security against external threats - IBM uses cutting edge technology to help protect the security of customer data against external threats, such as hackers.
o Firewalls - redundant Cisco PIX Firewalls in a dedicated environment.
o Network intrusion detection - helps guard against attacks by monitoring all data center TCP/IP traffic around the clock and notifying SuccessFactors in the event of an imminent threat. IBM utilizes Cisco based IDS equipment.
o Vulnerability scanning - proactively tests the Internet-connected Web servers by openly searching for weaknesses in the same way that a hacker would.
o Vulnerability assessment - SuccessFactors uses multiple scanners to analyze Web servers and applications from a low-level, solitary hacker perspective and identify possible security holes.

24x7x365 Live Operator Monitoring - IBM security teams monitor the SuccessFactors infrastructure 24x7x365 with live operators.
Physical Security and Connectivity

SuccessFactors utilizes an IBM data center in Secaucus, New Jersey to manage its physical security and connectivity needs. Internet connectivity is managed through IBM's redundant relationships with multiple local ISPs.
Physical Security - managed at the secure IBM facility, physical security includes redundant power and environmental controls as well as measures to prevent unauthorized access. The hosting center is staffed around the clock with on-site support and skilled technicians.
o Power distribution and backup power supply - the IBM facility provides multiple levels of power redundancy for the highest levels of availability. Local power supplies enter the buildings via two services from local electric utilities and feed into two busses, providing diverse power distribution. Battery and Uninterruptible Power Supply (UPS) backup power sources automatically take over in emergencies and are augmented by diesel generators.
o Environmental controls - heating, ventilation and air conditioning systems provide appropriate and consistent airflow, temperature and humidity levels. The systems are fully redundant and are monitored 24 hours a day, 7 days a week. Maintenance contracts specify a four-hour-or-less response time for emergencies.
o Fire suppression and water mitigation - the hosting center is equipped with fire and smoke detectors, alarms and extinguishing systems based on local building codes. This includes pipe sprinkler systems and under-floor leak detection systems. In the event of city water supply failure, backup wells provide fresh water.
o Physical access controls - comprehensive physical security features and procedures are designed to protect servers and equipment. 24x7x365 onsite security personnel identify visitors and record each visit. "Man traps" secure entrances. Motion detectors and alarms are located throughout the facilities, and silent alarms automatically notify security and law enforcement of breaches. Biometric devices secure access doors and cages.
o Security cameras - monitor activity throughout the facility, including equipment areas, corridors and mechanical, shipping and receiving areas. Exterior cameras cover entrances, parking lots, rooftops and exterior facilities, such as generators and mechanical equipment.
Internet Connectivity - managed through IBM's redundant relationships with local ISPs and a robust routing and load balancing architecture for distribution.
o Bandwidth - managed by IBM through dual active Internet bandwidth providers (AT&T and Qwest). IBM utilizes weighted routing using BGP4 to allow traffic to take the best path.
o Configuration - redundant Cisco PIX Firewalls in a dedicated environment; redundant Cisco switches in a dedicated environment; redundant Alteon load balancers in a dedicated environment; only SSL traffic on port 443 is allowed, for the highest security standard.
Data Backups and Disaster Planning

Backups and disaster planning ensure that customer data is always accessible.
Backup and recovery - SuccessFactors utilizes IBM's backup and recovery services to protect your data against unforeseen hazards.
o Weekly full data backups are run by IBM, with incremental data backups run nightly.
o Disk and tape - IBM stores backups on disk and tape. Backups are available on disk to ensure quick availability and high speed restores.
o Offsite tape storage - duplicate copies of backup tapes are transferred daily to a security-rich offsite storage facility. If recovery is impossible using onsite backup media, quick access to these vaulted copies can help limit business disruption.

Disaster recovery - SuccessFactors maintains a disaster recovery plan for its customers and offers customized disaster recovery plans.
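The rotation described above (one full backup per week, an incremental every other night, copies on disk, tape and an offsite vault) only restores data if the whole chain from the last full backup to the target night is intact. The following Python model, added here as an illustration and not code from SuccessFactors or IBM, builds such a schedule, computes the restore chain for a given date, refuses to restore across a gap in the chain, and picks the disk copy when the site is intact or the vaulted tape copy when it is not. The start date, the weekday of the full backup and the helper names are constructed for the example.

```python
"""Backup rotation and restore-chain model.

Added illustration, not SuccessFactors or IBM code. It models the schedule
the page describes (weekly full, nightly incremental, copies on disk, tape
and an offsite vault). SAMPLE_START, FULL_WEEKDAY and the helper names are
assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

FULL_WEEKDAY = 6  # Monday == 0, so 6 == Sunday (assumed day of the weekly full)
LOCATIONS = ("disk", "tape", "offsite_tape")  # media each backup is copied to
SAMPLE_START = date(2024, 1, 1)  # constructed: a Monday
SAMPLE_DAYS = 14


@dataclass(frozen=True)
class Backup:
    day: date          # night the backup was taken
    kind: str          # "full" or "incremental"
    copies: tuple = LOCATIONS  # locations that hold a copy of this backup


def build_schedule(start: date, days: int) -> list:
    """Weekly full on FULL_WEEKDAY, nightly incremental on every other day."""
    sched = []
    for n in range(days):
        d = start + timedelta(days=n)
        kind = "full" if d.weekday() == FULL_WEEKDAY else "incremental"
        sched.append(Backup(d, kind))
    return sched


def restore_chain(backups: list, target: date) -> list:
    """Backups needed to recover the state as of `target`: the latest full
    taken on or before target plus every incremental after it. Raises
    ValueError if there is no usable full or a night is missing, because an
    incremental chain with a gap cannot be replayed safely."""
    candidates = sorted((b for b in backups if b.day <= target), key=lambda b: b.day)
    fulls = [b for b in candidates if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before %s" % target)
    base = fulls[-1]
    chain = [base] + [b for b in candidates if b.day > base.day]
    expected = (target - base.day).days + 1  # one backup per night, inclusive
    if len(chain) != expected:
        raise ValueError("backup chain has a gap between %s and %s" % (base.day, target))
    return chain


def restore_plan(chain: list, onsite_usable: bool) -> list:
    """Choose a media location per backup: disk when the site is intact (the
    fastest restore), otherwise the vaulted offsite tape copy."""
    preferred = "disk" if onsite_usable else "offsite_tape"
    plan = []
    for b in chain:
        if preferred not in b.copies:
            raise ValueError("%s backup of %s has no %s copy" % (b.kind, b.day, preferred))
        plan.append((b.day, b.kind, preferred))
    return plan


# Convenience wrappers over the constructed 14-day sample schedule.
def _sample_without(missing):
    gone = {date.fromisoformat(m) for m in missing}
    return [b for b in build_schedule(SAMPLE_START, SAMPLE_DAYS) if b.day not in gone]


def chain_summary(target_iso: str, missing=()) -> list:
    chain = restore_chain(_sample_without(missing), date.fromisoformat(target_iso))
    return ["%s:%s" % (b.day.isoformat(), b.kind) for b in chain]


def can_restore(target_iso: str, missing=()) -> bool:
    try:
        restore_chain(_sample_without(missing), date.fromisoformat(target_iso))
        return True
    except ValueError:
        return False


def plan_summary(target_iso: str, onsite_usable: bool, missing=()) -> list:
    chain = restore_chain(_sample_without(missing), date.fromisoformat(target_iso))
    return [(d.isoformat(), k, loc) for d, k, loc in restore_plan(chain, onsite_usable)]


if __name__ == "__main__":
    print(chain_summary("2024-01-10"))
    print(plan_summary("2024-01-08", onsite_usable=False))
    print(can_restore("2024-01-10", missing=("2024-01-09",)))
```

The gap check is the part worth keeping in any real restore runbook: a missing incremental between the last full and the target night means the chain cannot be replayed, and the tool should say so rather than silently restoring stale data. The offsite path also assumes every backup in the chain was vaulted; a backup with no offsite copy is reported instead of being skipped.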
For More Information: www.successfactors.com 1-800-809-9920