Data- and database security & GDPR: end-to-end offer
Christer Jansson
Kim Boermans
February 2017
Copyright © 2017 Capgemini and Sogeti. All Rights Reserved
GDPR & context
• In May 2018 the General Data Protection Regulation (2016/679, known as GDPR) will come into force.
• The GDPR is an EU regulation on the protection of personal data and the free movement of such data.
• Organizations will be held more accountable for their data collection and use than ever before.
• Risk evaluation is key, and mitigation measures may include encryption or pseudonymization.
• Although many organizations have already adopted processes consistent with the GDPR, the new regulation will impact most organizations on all levels.
• Failing to comply with the GDPR can lead to a fine of up to 4 percent of worldwide turnover or 20 million euro.
End-to-end offering for database security (1)
In our vision, databases and their security are critical for operations, innovation and competitive position. Capgemini and Oracle are leading companies in securing databases.

Four phases, their duration and their results:
• GDPR readiness assessment (2 weeks). Results: findings and recommendations to get ready for GDPR
• GDPR road map (6 weeks). Results: road map to get ready for GDPR
• Privacy impact assessment (3 months). Results: privacy impact, risk & compliance assessment
• DB solution implementation (10 months). Results: access solutions, encryption and logging for databases
End-to-end offering for database security (2)
Your databases contain your most prized assets. Clients entrust you with these assets. In our vision, databases and their security are critical to your operations, innovation and competitive position. Capgemini and Oracle are leading companies in securing your databases, and in getting ready for the GDPR too. Capgemini knows how to bridge business issues with technology solutions. Oracle has the best understanding of databases.

GDPR readiness assessment (timeline: 2 weeks)
Main activities:
• Analysis and recommendations on planning, governance, process, culture, data and technology
• Interview key persons responsible for these areas
• Check available data in databases
Results:
• List of findings, conclusions and actionable recommendations to prepare for the GDPR, including: territorial scope, data breach notification, record keeping, DPO, and consent and notice

GDPR road map (timeline: 6 weeks)
Main activities:
• Preparation
• Kick-off
• Information gathering
• Analysis and assessment
• Building roadmap with stakeholders in Capgemini ASE
• Presentation of key findings and road map
Results:
• Analysis for readiness based on ISF Framework, interviews and documentation
• ISF health check
• Project charter for each gap
• GDPR roadmap to May 2018

Privacy impact assessment (timeline: 3 months)
Main activities:
• Preparation
• Awareness & instruction
• Tooling set-up, PIA triage and PIA execution
• Dashboard & reporting
• Validation
• Auditing & iteration
Results:
• Privacy impact, risk & compliance assessment
• Customer charter
• Permission management
• Design & test audits for high impact initiatives

DB solution implementation (timeline: 10 months)
Main activities:
• Streamlining, formalizing and securing access to databases
• Ensure encryption key management and process
• Database log and security alert management and monitoring
• Installing and configuring the solution and process
Results:
• Access solution, process and governance in place
• Encryption key management solution and process in place
• Database log and security solution and process in place
How to manage your data
… to manage 6 key topics of data protection / privacy: organizational awareness, classification, policies, governance, processes and information technology.

Step 1: As-is assessment
Identifying the digital “crown jewels”, being business oriented with stakeholders.
Step 2: Framework & operating model
Mitigating the risk by deploying consistent cybersecurity rules, measures and processes throughout the data lifecycle.
Step 3: Implementation
Establishing tools and running processes to detect leaks and loss (be prepared to notify).

A continuum: Classification & Governance, Protection & Operations, Detection & Reaction.
Five steps in protecting critical data

DEFINE: What is the personal data?
• Understand overall data security strategy
• Determine data protection objectives
• Develop organizational data model / taxonomy
DISCOVER: Where are they? How are they used?
• Understand data environment, infrastructure and lifecycle
• Perform iterative discovery, analysis and classification
BASELINE: What is required to protect critical data?
• Establish baseline security requirements for personal data
• Assess current data security processes and controls
• Determine gaps and identify solutions
PROTECT: How to plan, design and implement?
• Plan and prioritize technical and business process transformations
• Design and implement solutions that protect critical data, enable access and align to business growth objectives
MONITOR: How to manage critical data protection?
• Develop governance framework, risk metrics and monitoring processes
• Periodically validate data protection strategy and methodology

Do not perceive Data Loss Prevention (DLP) as the holy grail…
• Data at rest – sitting idle in storage: file servers, databases, portals/SharePoint, laptops
• Data in motion – traveling across the network: email, web, network, FTP
• Data in use – being used at the endpoint: USB, CD/DVD/Blu-ray, printers, applications
Oracle - Layered defense of critical data (1)
Four pillars of data security:
• DB access control: ability to assure access only to authorized users and to control when/where/how the data are accessed.
• Monitoring / blocking and audit: ability to analyze the transactional activities (threats/blocks) and to view current and historical transactional activity.
• Data protection: processes and controls to secure storage, transmission and access of an organization’s data throughout its lifecycle.
• Secure configuration: process and controls to assure DB configuration for security and compliance.
Oracle - Layered defense of critical data (2)
Controls shown in the figure, by who consumes the data:
• Data encryption: sensitive data (IP, PCI, PII, PHI) is stored as ciphertext
• Data redaction: values shown to application users are fixed out, e.g. dob:xx/xx/xxxx, ssn:xxx-xx-4321
• DB controls: “Access denied” for privileged users reaching for application data
• Data subsetting: Dev/Test environments receive only a subset, selected by region, year or size
• Data masking: Dev/Test, partners and BI receive masked values, e.g. dob: 12/01/1987 becomes 11/05/1999, or xxxxxxxxxx
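As an added example (not Oracle's or Capgemini's code), the Python below sketches the redaction, Dev/Test masking and pseudonymization behaviours the slides name, on constructed sample values with a constructed key; the HMAC-based deterministic masking scheme is an assumption, one way to get format-preserving masked values that stay consistent across tables.

```python
"""Illustrative redaction, Dev/Test masking and pseudonymization, the three
controls the slides name. Added example, not Oracle's or Capgemini's code."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed demo key; in the offering it lives in the key-management
# solution, never alongside the data it protects.
MASKING_KEY = b"constructed-demo-key-rotate-me"
SSN_RE = re.compile(r"^\d{3}-\d{2}-(\d{4})$")
DOB_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")


def redact(record: dict) -> dict:
    """Redaction: stored values stay intact; the view handed to a non-privileged
    user is fixed out as on the slide (dob:xx/xx/xxxx, ssn:xxx-xx-4321)."""
    out = dict(record)
    if DOB_RE.match(out.get("dob", "")):
        out["dob"] = "xx/xx/xxxx"
    if "ssn" in out:
        m = SSN_RE.match(out["ssn"])
        out["ssn"] = f"xxx-xx-{m.group(1)}" if m else "xxx-xx-xxxx"
    return out

def _prf(label: bytes, value: str) -> int:
    """Keyed pseudo-random function shared by masking and pseudonymization."""
    mac = hmac.new(MASKING_KEY, label + b":" + value.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def mask_dob(dob: str) -> str:
    """Masking for Dev/Test copies: a plausible, format-preserving fake date
    (12/01/1987 -> another mm/dd/yyyy). Keyed and deterministic, so the same
    person gets the same fake date in every table and joins still work;
    unlike redaction, the real value never leaves production."""
    if not DOB_RE.match(dob):
        raise ValueError("expected mm/dd/yyyy")
    start = date(1940, 1, 1)
    span = (date(2005, 12, 31) - start).days
    fake = start + timedelta(days=_prf(b"dob", dob) % span)
    if fake.strftime("%m/%d/%Y") == dob:  # never pass the real date through
        fake += timedelta(days=1)
    return fake.strftime("%m/%d/%Y")

def pseudonymize(identifier: str) -> str:
    """Pseudonymization (the GDPR slide's suggested mitigation): a keyed token
    replaces the direct identifier; only the key holder can re-link it."""
    return format(_prf(b"pseudonym", identifier), "016x")
```

Redaction is the control for live application access and leaves the real value in place for privileged roles; masking and pseudonymization are the controls for copies that leave production, where the real value must not follow.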
Contact details
• Christer Jansson
• Head Center of Excellence Cybersecurity
• christer.jansson@capgemini.com
• +46 703 149 359
• https://www.linkedin.com/in/christerjansson

• Kim Boermans
• Director data- and database security
• kim.boermans@capgemini.com
• +31654237563
• https://nl.linkedin.com/in/kimboermans
