Enterprise Applications Services Architecture Web Services Security Meeting Disney’s Security Policies Meeting Notes Prepared by: Simon Barere October 25, 2005 Table of Contents: Agenda 2 Notes 2 Next Steps 3 Agenda • Project Overview • Who cares about security? • What is security policy at Disney? • How is it enforced / Audited? • International Policy Notes Main Security Groups • Security and Privacy Policy and Strategy • Security Architecture • Legal (Chief Privacy Officer) • Brett Briskin (Privacy Programs / Project Oriented) • These groups not responsible for security implementation for a particular application Policy • “IT Security Policy” Document • Version 2 Published • New Revision 3 (has PCI included) • Based on ISO standards • Safe Harbor • For international, WSS project should focus on Safe Harbor • For example, persistence, logging / auditing of messages Security at Disney • Security is Distributed at Disney • Business Unit Level • Policy publicly available • CIO ultimately responsible • Some BU’s have security practice (e.g., DIG, WDW, ESPN, DCP) International • Country by country differences • Cannot abstract • Encryption key strength only an issue for black listed countries (e.g., Iraq) PCI • Payment card industry • For merchants • Additional security rules SAP • Does Netweaver break Safe Harbor? • Securing Web services Management Audit • Compliance with policy • Architecture • Periodic BU audits • No official compliance audits Safe Harbor • Citizen data should remain in country except for Safe Harbor exclusions • Encryption of data • Notify if data is stolen Next Steps • Work with Policy group for WSS compliance • Does SAP’s Netweaver break Safe Harbor? • Securing SAP Web services Retrieve: • Self Assessment Questionnaire • PCI Policies • Safe Harbor • “IT Security Policy” Document • SAP Web Services documentation
Posted on: Sat, 10 Aug 2013 12:24:53 +0000