![Page 1: Webinar Deck How GDPR Should Change Testing SiteUpload · Security Testing Strategy •Document all tests well •Follow a formal process for all security configuration changes •Test](https://reader033.vdocument.in/reader033/viewer/2022052802/5f1dc913e9ffca4f4737a9e8/html5/thumbnails/1.jpg)
Welcome to today’s webinar
How GDPR Should Change the Way You Test Workday
(we’ll get started shortly)
Shelly Wilson, Product Marketing Manager
Today’s Topics
What is GDPR?
How GDPR impacts Workday testing
Changes needed for compliance
• Security configuration
• Security testing
• Test data
Disclaimers
We are not law experts
This is not legal advice
1,100 KAINOS EMPLOYEES
300+ WORKSMART EMPLOYEES
Damien Taylor, Chief Technology Officer, Kainos WorkSmart
GDPR in 90 Seconds
• Why
• Who must comply
• Who it protects
• Increased accountability
• Increased rights
• Penalties of €20M or 4%
How GDPR Impacts HR Data
GDPR ARTICLE 24: Responsibility of the Controller
“the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
ARTICLE 25: Data Protection By Design & By Default
“… measures … which are designed to implement data-protection principles … and to integrate the necessary safeguards into the processing… ensure that by default personal data are not made accessible without the individual’s intervention”
ARTICLE 32: Security of Processing
“measures to ensure a level of security appropriate to the risk…in particular from accidental or unlawful … disclosure of, or access to personal data”
Workday Security Configuration: Management Chain
[Org chart: one Senior Manager, two Managers, six Executives]
Workday Security Configuration: N-Level/CRBSG
[Org chart: one Senior Manager, two Managers, six Executives]
How GDPR Impacts Workday Teams
GDPR ARTICLE 24: Responsibility of the Controller
“the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
ARTICLE 25: Data Protection By Design & By Default
“… measures … which are designed to implement data-protection principles … and to integrate the necessary safeguards into the processing… ensure that by default personal data are not made accessible without the individual’s intervention”
ARTICLE 32: Security of Processing
“… a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Testing Challenges
• Security testing uncommon
• Complexity always increases risk
• Tenant security evolves
• Change = risk of data exposure
Advantages of Security Testing
• Verification, confidence and assurance
• Catch problems quickly
• Demonstrates due diligence
Security Test Strategy
[Diagram labels: Key Security Groups, Key Worker]
In the real world, workers can have many responsibilities
Isolate & test security groups on an individual basis
Security Testing Strategy
• Document all tests well
• Follow a formal process for all security configuration changes
• Test weekly
• Test at scale
  • Smart customers execute 60K checks consistently
  • in under 1 hour
  • aligned with GDPR
How GDPR Affects Test Execution
ARTICLE 5: Purpose Limitation Principle
“… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
ARTICLE 5: Integrity & Confidentiality Principle
“… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing …”
Test Data & GDPR
Production Tenant
SBX Tenant
SBX Preview Tenant
Manual testers test on REAL worker data
Testers have MORE access to data in test tenants
Test Data & GDPR: Compliance Options
1. Replicate Production security on SBX and SBX Preview
2. Scramble data
3. Test using synthetic data
Note: We strongly recommend that you do not relax security configuration on SBX and SBX Preview
GDPR Option 1: Replicate Production Security on SBXs
Pros
• Controlled Access
• 100% of Testing
Cons
• Testing can only be performed by key people in key roles
• Limited value from tenant, e.g. cannot be used for training
GDPR Option 2: Scramble Data on SBXs
Pros
• 100% of testing
• GDPR does not apply to scrambled data
Cons
• Difficult & time consuming
• Can’t scramble history
• Lose data integrity
• Different data each week
• Regression testing is difficult
Option 3: Synthetic Data
Data that is artificial but looks and behaves like real data for the purposes of testing and training
GDPR Option 3: Synthetic Data (with Synthetic Org)
Pros
• GDPR does not apply to synthetic data
• QA teams only need access to synthetic Org
• Can create rich scenarios and history
• Consistent data weekly
• Key staff members can focus on day job
• Suitable for training
• Can be automated
Cons
• Time consuming (if doing manually)
• Some testing may not be possible using synthetic orgs
In Summary
Explore an N-Level security configuration
Start security testing
Use synthetic workers for testing
Next Webinar
Workday & GDPR: Reducing Risk & Data Exposure Thru Smart™ Automated Testing
May 22, 2018
https://bit.ly/2rxjdwV
Survey
Workday, GDPR & You: A Benchmarking Survey
https://www.surveymonkey.co.uk/r/BDMW3JW
Thanks for coming.