Compliance Archives - Snow Software
https://www.snowsoftware.com/blog/category/compliance/
The Technology Intelligence Platform

Announcing ISO27001 and SOC2 for Snow Atlas
https://www.snowsoftware.com/blog/announcing-iso27001-and-soc2-for-snow-atlas/
Mon, 06 Feb 2023

Software-as-a-Service (SaaS) solutions have become popular because they shift much of the operational workload from the customer to the supplier. In taking on that work, the supplier also takes on responsibility for the privacy and security of the customer's data, and customers must be able to trust that it will be protected. To provide that reassurance, Snow Software has completed both ISO27001 certification and a SOC2 examination for Snow Atlas.

With these two attestations, organizations can identify Snow as a cloud provider whose security practices have been independently assessed against recognized industry standards. Business leaders can take reassurance that the tools they depend on from Snow are built and operated with security and compliance in mind.

Snow’s Technology Intelligence platform, Snow Atlas, provides comprehensive visibility and contextual insight across software, SaaS, hardware and cloud. With Snow, IT leaders can effectively optimize resources, enhance performance and enable operational agility in a hybrid world. Snow is changing the way organizations understand and manage their technology consumption. As technology partners, it’s important that we’re outspoken and deliberate in our commitment to security and compliance for our category-defining solutions.

ISO27001

ISO/IEC 27001:2013 is an information security management standard. It specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS), together with a set of security controls drawn from the ISO/IEC 27002 best practice guidance. Certification is earned by building and operating that ISMS and having it audited against the standard.

The certification audit was performed by Schellman, an independent third-party auditor, and the resulting certificate is recognized internationally. Every ISO27001 certificate carries a defined scope statement; when assessing any provider's certificate, confirm that the scope covers the service you actually consume.

SOC2

Snow Software has also completed a SOC2 examination, formally a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, performed by an independent CPA firm for the scope of service described below.

The examination scope was the Snow Atlas platform, assessed against the Trust Services Category of Security. The examination was a Type 1 as of November 30, 2022, performed by the service auditor Schellman & Company, LLC. A Type 1 report covers the design and implementation of controls as of that single date; evidence that controls operated effectively over a period is the subject of a Type 2 examination, so readers of any SOC2 report should note which type they are relying on.

Announcing STAR Level 1 and Trusted Cloud Provider Certifications for Snow Atlas
https://www.snowsoftware.com/blog/announcing-star-level-1-and-trusted-cloud-provider-certifications-for-snow-atlas/
Fri, 21 Oct 2022

We are excited to share that Snow Software has obtained STAR Level 1 and Trusted Cloud Provider Certifications for Snow Atlas from the Cloud Security Alliance (CSA).

We know there are countless cloud vendors out there, and sorting through them all to find the solution that fits your organization's particular challenges and criteria can be difficult. That is one major reason Snow pursued the STAR and Trusted Cloud Provider certifications: to help current and prospective customers cut through the noise and quickly identify Snow as a cloud provider whose security practices are documented against industry best practice. With this certification, business leaders can be reassured that the tools they depend on from Snow are built and operated with security and compliance in mind.

Snow’s Technology Intelligence platform, Snow Atlas, which is now listed on the STAR registry, provides comprehensive visibility and contextual insight across software, SaaS, hardware and cloud. With Snow, IT leaders can effectively optimize resources, enhance performance and enable operational agility in a hybrid world. Snow is changing the way organizations understand and manage their technology consumption. As technology partners, it’s important that we’re outspoken and deliberate in our commitment to security and compliance for our category-defining solutions.

To become a CSA Trusted Cloud Provider, Snow completed the following requirements:

  • Complete a 270-point assessment of our security controls vs. the CSA Cloud Controls Matrix (CCM)
  • Have at least one current member of staff who has achieved the CSA Certificate of Cloud Security Knowledge (CCSK)
  • Volunteer at least 20 hours annually to CSA for activities such as research working groups, regional chapters, call for presentations, blog contributions and more
  • Be a corporate member of the Cloud Security Alliance in good standing

The CSA is the world's leading organization dedicated to defining and raising awareness of best practices for a secure cloud computing environment. Built on existing CSA programs, the Trusted Cloud Provider trust mark, displayed on qualifying organizations' Security, Trust, Assurance & Risk (STAR) registrations, helps consumers and business leaders identify cloud providers that demonstrate a commitment to holistic security and are aligned with their own security requirements. It is worth knowing what each level of the STAR program attests to: STAR Level 1 is a self-assessment, in which the provider publishes its own answers to the Consensus Assessments Initiative Questionnaire (CAIQ) against the CCM on the public registry, while independent third-party assessment comes at STAR Level 2. We're proud to support the CSA and align ourselves with this industry-leading organization and its security and compliance values. Looking ahead, we intend to pursue additional certifications, ISO27001 and SOC2, to further demonstrate our commitment to cloud security competency and to our customers and the industry at large.

We're eager to engage with the networks, educational resources and knowledge-sharing of the CSA community to strengthen our security posture and to help enhance security across the cloud community. Given the rapid pace of cloud adoption to support modern business and a distributed workforce, it's vital that businesses can be confident that their cloud providers are reliable, secure and compliant, and the CSA trust mark is one signal of that.

Does this sound like something that could benefit your organization? Reach out to learn more about how STAR Level 1 and Trusted Cloud Provider certified Snow Atlas is defining the Technology Intelligence category and how it can help your organization unlock game-changing insights.

Oracle Removes Spatial and Graph Option from Official Price List – What Now?
https://www.snowsoftware.com/blog/oracle-removes-spatial-and-graph-option-official-price-list-what-now/
Tue, 14 Jan 2020

Christian Den Boer discusses what Oracle database customers need to know about this change.
In early December 2019, Oracle officially announced that it had removed Spatial and Graph from the Oracle price list and made it available at no charge with all Oracle Database editions. This looks like good news for Oracle customers, and the previous ambiguity between Locator and Spatial and Graph should no longer be an issue. However, there are potential complications whenever a vendor that sold a product at a premium transitions it to a free offering.

For background, Oracle Spatial and Graph is a Database Option that allows geospatial objects to be stored and processed inside the database. It includes an integrated set of functions and procedures that let spatial data be stored, accessed and analyzed quickly and efficiently in an Oracle database.

Oracle Spatial and Graph used to be an add-on for Oracle Database Enterprise Edition that had to be licensed separately, like other Options such as Partitioning or Real Application Clusters (RAC). Removing a Database Option from the price list is uncommon. What happens more often is that a new database release introduces functionality that must be licensed separately; the Multitenant Option introduced with release 12c is one example. Removing Spatial and Graph is remarkable in that sense.

Spatial and Graph has always been something of a headache for Oracle, because true usage of this Database Option was notoriously difficult to detect with the LMS (License Management Services) scripts. To complicate matters, every Oracle Database license includes the right to use Oracle Locator, a stripped-down version of Spatial and Graph that provides a subset of its core features and services. Use of Locator could produce false positives when audited with Oracle's tools: a customer that had only ever used Locator could receive an audit report stating that it had used Spatial and Graph and needed to acquire licenses for it. Customers unaware of this ambiguity may in some cases have bought Spatial and Graph licenses even though they had only used Locator, and those customers would still be paying maintenance on the licenses every year to this day.

It will be interesting to see how Oracle handles customers who have already purchased licenses for Spatial and Graph. Some will have bought licenses recently, perhaps following an audit. Will those customers receive a refund? Will Oracle allow them to terminate the licenses and the associated support agreement without recalculating the support stream? Or will it require them to keep paying maintenance on these licenses going forward?

Time will tell, but there may be some uncomfortable conversations with current Oracle Spatial and Graph customers in 2020. Any Oracle customer that has purchased Spatial and Graph in the past should check with its SAM team whether it is still paying maintenance on those licenses. You may be able to save money on maintenance in 2020, which is not something that happens often with Oracle.

 

The GDPR compliance Emergency Kit – How to address three of the most crucial obligations.
https://www.snowsoftware.com/blog/gdpr-compliance-emergency-kit-how-address-three-most-crucial-obligations/
Wed, 03 Jan 2018

On December 6, Snow joined forces with experts from Deloitte to help organizations around the world prepare for the introduction of the General Data Protection Regulation (GDPR) in May 2018. You can view an on-demand version of the webinar here.

With more than 30 questions submitted by the live audience, there simply wasn't time to answer them all on the day.

So we’ve taken a selection of the questions posed and answered them below with the help of Dr Ljuba Kerschhoffer-Wallner, resident GDPR expert at Deloitte.

For more information on how Snow and Deloitte have joined forces to help organizations like yours prepare for GDPR, contact us today.

General GDPR Questions

Q: We only store business emails, addresses and contact numbers. Does this require the same level of GDPR compliance as personal information?
A: YES. Any kind of information stored about individuals that allows them to be personally identified is covered by the GDPR legislation.

Q: How can we balance the obligations of GDPR against the privacy rights of our employees?
A: The GDPR does not require organizations to read or analyze the content of mails, etc. In contrast, the GDPR requires that you set up measures to protect this data, e.g. by using appropriate IT security measures.

Q: Would it also be prudent, when trying to get to a GDPR-ready state, to document exceptions for the entity, future plans and budgets for compliance control activities, and compensating controls?
A: Documenting your approach shows that you have a plan and are willing to implement the GDPR regulation. Therefore, this is a good action.

Q: Will the GDPR be applied consistently across the EU, or is there any regional variation?
A: The general principles of the GDPR apply to all EU countries in the same way, but the GDPR provides certain opening clauses that already are (or will be) made concrete by national legislation (for example, concerning the manifestation of penalties).

Q: Do public sector bodies/authorities also have to comply with the GDPR? Are they also at risk for data misuse?
A: YES. Public organizations also have to comply with the GDPR and are at risk for failure to comply.

The GDPR outside the European Union

Q: Will the GDPR impact UK customers' data since the UK will no longer be part of the EU?
A: For as long as the UK is still part of the EU, the GDPR is applicable. Upon Brexit, it is expected that all prevailing EU law will become UK law (at least in the short term), which will mean that UK customers continue to be afforded the same rights.

Q: We are in automotive sales and retail in the UAE. If EU customers share their information with us (we collect personal information when they book a car), do we need to comply with the GDPR obligations?
A: YES. The GDPR applies to any organization processing personal data that provides services or products to people located within the EU, no matter where the processing actually takes place.

Financial risks & implications

Q: Could you share any information in terms of potential financial risks if not GDPR compliant?
A: The maximum penalty for GDPR non-compliance, especially for violations of the most fundamental principles such as the data subject rights, is up to €20 million or 4% of the offending organization's total annual turnover, whichever is higher. How penalties are applied depends on the responsible Data Protection Authority and will become more transparent through precedent cases in 2018.

Q: Is GDPR compliance going to be audited on a regular schedule, or is it "self-reporting"?
A: Audits can be conducted by national Data Protection Authorities or their sub-contractors. In general, audits are expected to be prompted when organizations are suspected of being in non-compliance (published security breaches, for example).

Q: Is "erasure" equal to "make unrecognizable" when it comes to backing up records?
A: NO. These are different, as described by Article 18 of the GDPR.

Q: What do you know about the aspects and priorities that inspectors undertake during the "audit" so far?
A: It is likely (but not yet certain) that regulators in different countries will have varying approaches to audits. There is some logic to suggest that regulators will continue to use existing audit practices in the short term, where they already exist.

The GDPR and the Snow platform

Q: Will the GDPR reports in Snow be made available as standard, or is it an additional module?
A: The GDPR reports are a separate chargeable data stream alongside the existing Software Recognition Service.

Q: Is there a special Snow GDPR product? How will this work? Do we need special server resources?
A: The GDPR solution is a data service and does not require extra modules to be installed or any additional server resources.

Q: When will the Snow for GDPR module be available to start using for Snow Service Providers?
A: Snow GDPR Risk Assessment is available to both Snow customers and accredited partners today.

You can view an on-demand version of the webinar here and if you wish to learn more about the Snow GDPR Risk Assessment solution or the Deloitte GDPR ‘Emergency Kit’ contact us today.

Decision paralysis – how to get started on the GDPR
https://www.snowsoftware.com/blog/decision-paralysis-how-get-started-gdpr/
Tue, 31 Oct 2017

Unless you've been hiding under a rock for the past six months, you will have noticed four letters creating a great deal of fear and confusion globally among legal and IT professionals alike.

The acronym “GDPR” seems innocuous enough, however, what it stands for, i.e. the new General Data Protection Regulation certainly is not. This legal obligation, affecting any organization around the world that does business in Europe (regardless of HQ location), results in stringent demands on the protection and management of personal data.  

After a slow start, organizations are waking up to the financial risks of failure to comply in a race against the clock, as the deadline of May 25, 2018 looms.

Many are yet to really make meaningful progress towards GDPR compliance. A recent Veritas survey found that less than two per cent of organizations currently meet the legal requirements. This isn’t necessarily due to laziness, but is perhaps more a case of decision paralysis.

Knowing where to start with the GDPR can be a real headache, thanks largely to the regulation’s complexity and number of moving parts.   

It’s not much different for the expensive consulting teams being paid millions of dollars to drive GDPR projects for their customers. 

While there are a number of approaches to tackling the GDPR, some may yield results more quickly than others. One approach is to first look at the IT estate and identify the applications that are likely to be used to access personal customer data. Understanding which applications are used by your organization to access such data can help focus teams tasked with driving compliance.

In one manufacturing organization we work with, 35,000 employees regularly use as many as 11,000 distinct software titles, on-premise and in the cloud. That is a lot of software, but no more than is typical of an organization of that scale. It is still far too long a list to sift through manually, working out for each title what the application does, what data it is likely to access and from where, who is using it, where they are based, and more.

By running that software inventory against a database of applications with an identified potential GDPR risk, the organization could focus its efforts on fewer than 100 applications rather than 11,000. Suddenly the impossible became possible.

The GDPR team still had to identify what data was being accessed by which applications, where that data was stored, who was using the applications and where those users were located. But rather than doing this for the entire software estate, the team could focus on the less than 1 per cent of applications that really mattered in GDPR terms.

Throw yourself a RoPA

For organizations that haven’t already made significant headway towards GDPR compliance, it’s time to face a harsh reality. Your chances of being ready by the May 2018 deadline are, well, practically non-existent. 

It is better to focus on what you need to do between now and then to make yourself less attractive to those regulators charged with rigorously enforcing the GDPR. 

The key to satisfying regulators and building a plan to achieve compliance in a reasonable timeframe is the Record of Processing Activities (RoPA), the obligation set out in Article 30 of the regulation, comprising five key obligations.

GDPR consultants we have spoken to say that, when embarking on an 'emergency' project for a client, their first message is that the RoPA is the key to short-term focus and success.

This is where an inventory of applications can significantly aid the process of creating the RoPA: it identifies and helps manage the risks associated with the data accessed by users and applications and, more importantly, gives internal and external teams a plan for addressing the major perceived risks.
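The triage described earlier in this post (running the inventory against a risk catalog to get from 11,000 titles down to under 100) and the fields that shortlist then needs to carry into the RoPA, shown as an added Python example that is not Snow's code and not part of the original post. The inventory rows, the risk catalog entries and the EEA country list are constructed for illustration; the matching rule (normalised publisher plus product name, with version numbers and corporate suffixes stripped) is an assumption standing in for a SAM tool's own software recognition data.

```python
"""Narrow a software inventory to the applications that are likely to touch
personal data, and summarise each one in the fields a Record of Processing
Activities (RoPA, GDPR Article 30) needs: where it is used, by whom, and
whether any use sits outside the EEA.

Added example, not Snow Software code. The inventory rows, the risk catalog
and the EEA list are constructed for illustration; the matching rule
(publisher + product name, with version numbers and corporate suffixes
stripped) is an assumption standing in for a SAM tool's recognition data.
"""
import re

# Constructed sample inventory: one row per installation, in the shape a SAM
# export typically provides. (title, publisher, user, site, ISO country code)
INVENTORY = [
    ("Microsoft Outlook 2016", "Microsoft Corporation", "alice", "Berlin", "DE"),
    ("Microsoft Outlook 2019", "Microsoft", "bob", "Stockholm", "SE"),
    ("Salesforce Desktop Connector 3.2", "salesforce.com, inc.", "carol", "Austin", "US"),
    ("Salesforce Desktop Connector 3.2", "salesforce.com, inc.", "dave", "Berlin", "DE"),
    ("7-Zip 19.00", "Igor Pavlov", "alice", "Berlin", "DE"),
    ("Notepad++ 7.5", "Notepad++ Team", "bob", "Stockholm", "SE"),
    ("SAP GUI for Windows 7.60", "SAP SE", "erin", "Mumbai", "IN"),
    ("Visual Studio Code 1.40", "Microsoft Corporation", "dave", "Berlin", "DE"),
]

# Constructed risk catalog: (normalised publisher, product) -> categories of
# personal data the application is likely to access. A real catalog, like the
# one the post describes, would hold thousands of entries.
RISK_CATALOG = {
    ("microsoft", "outlook"): ["contact details", "correspondence"],
    ("salesforce", "desktop connector"): ["customer records", "contact details"],
    ("sap", "gui"): ["employee records", "financial data"],
}

# EU member states plus the EEA members; GB is included because this post
# predates Brexit. For real use, maintain this against current membership
# and adequacy decisions instead of hard-coding it.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB", "IS", "LI", "NO",
}

_VERSION = re.compile(r"\b\d[\w.]*\b")                     # 2016, 3.2, 7.60
_SUFFIX = re.compile(r"\b(corporation|corp|inc|ltd|llc|se|team)\b\.?|\.com|,")


def normalize(name: str) -> str:
    """Lower-case a title or publisher and strip versions and legal suffixes,
    so that 'Microsoft Outlook 2016' and 'Microsoft Outlook 2019' compare
    equal and 'salesforce.com, inc.' becomes 'salesforce'."""
    name = _VERSION.sub(" ", name.lower())
    name = _SUFFIX.sub(" ", name)
    return re.sub(r"\s+", " ", name).strip()


def classify(title, publisher, catalog=RISK_CATALOG):
    """Return the catalog key matching this installation, or None.
    Whole-word matching on both publisher and product keeps a short product
    key such as 'gui' from matching inside an unrelated name."""
    t, p = normalize(title), normalize(publisher)
    for vendor, product in catalog:
        if (re.search(rf"\b{re.escape(vendor)}\b", p)
                and re.search(rf"\b{re.escape(product)}\b", t)):
            return (vendor, product)
    return None


def triage(inventory=INVENTORY, catalog=RISK_CATALOG):
    """Aggregate in-scope installations per application into RoPA-ready rows,
    most widely deployed first."""
    acc = {}
    for title, publisher, user, site, country in inventory:
        key = classify(title, publisher, catalog)
        if key is None:
            continue                      # not in the risk catalog: out of scope
        e = acc.setdefault(key, {"installs": 0, "users": set(),
                                 "sites": set(), "countries": set()})
        e["installs"] += 1
        e["users"].add(user)
        e["sites"].add(site)
        e["countries"].add(country)
    rows = [{
        "application": f"{vendor} {product}",
        "data_categories": catalog[(vendor, product)],
        "installs": e["installs"],
        "users": sorted(e["users"]),
        "sites": sorted(e["sites"]),
        # Any use from a non-EEA country is a candidate third-country transfer
        # that the Article 30 record has to capture.
        "third_country": sorted(e["countries"] - EEA),
    } for (vendor, product), e in acc.items()]
    return sorted(rows, key=lambda r: (-r["installs"], r["application"]))


def summarise(inventory=INVENTORY, catalog=RISK_CATALOG):
    """Headline numbers: distinct titles in the estate versus the applications
    the GDPR team actually has to investigate."""
    rows = triage(inventory, catalog)
    return {"distinct_titles": len({t for t, *_ in inventory}),
            "in_scope": len(rows), "rows": rows}


if __name__ == "__main__":
    result = summarise()
    print(f"{result['distinct_titles']} distinct titles, {result['in_scope']} in scope")
    for row in result["rows"]:
        print(row)
```

Run it directly to print the shortlist. The third_country field is the detail worth keeping from the output: an application that is in scope partly because of a handful of installs in a non-EEA office is both a transfer to record under Article 30 and a risk that is often cheap to remove.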

Show ‘Best Efforts’ to reduce risks

To interpret the ‘you won’t be ready by May 2018’ statement as a reason to continue ignoring the GDPR is to misread the situation completely. Regulators across Europe are already under a lot of pressure to identify example cases to prosecute immediately upon the regulation’s introduction.

Most already have watch lists of organizations they intend to investigate. However, regulators are themselves under-staffed in most cases and simply don’t have the resources to chase everyone.  

So, even if you can’t complete your GDPR project (and arguably, GDPR compliance is never ‘complete’ as it will be an ongoing requirement) by May 2018, you can take firm steps to show ‘Best Efforts’ and make your organization a far less attractive target than those who continue to bury their heads in the sand. 

The key is to show that you understand the current situation, have identified the key risks, and have an ongoing plan to remediate any perceived risks.  
