GFI Software | www.gfi.com

WhitePaper

Compliance with the Requirements of GDPdU using the Software GFI MailArchiver 6 for Exchange

compiled in cooperation with

August 09
A.   Introduction ..... 2
B.   Legal principles ..... 3
C.   Technical and organisational requirements ..... 4
     I.   Electronic evaluation ..... 4
     II.  Completeness and unalterability ..... 5
     III. Secure and traceable data processing and data storage ..... 5
     IV.  Adequate data accessibility ..... 5
     V.   Assignment capability of e-mails and related business transactions ..... 6
     VI.  Provision of adequate process documentation ..... 6
     VII. Data protection requirements ..... 6
D.   Risks ..... 6
E.   GFI MailArchiver 6 Checklist ..... 9

A. Introduction

We can no longer imagine conducting business without e-mail. Today entire transactions are conducted based on e-mail exchanges.

As e-mails often serve as business letters and so-called “commercial letters” and are also significant for taxation, specific requirements regarding processing and retention of these e-mails are imposed.

The German Tax Code (§ 147 AO) controls the requirements for tax-relevant e-mails. Pursuant to the Tax Code, tax-relevant e-mails must be retained for either six or ten years.

In addition, a detailed statutory regulatory requirement on data access of the German fiscal authority called GDPdU (broadly translated as “Generally Accepted Principles of Data Access and Auditability of Digital Documents”) has been in effect in Germany for several years.

According to this regulation, all e-mails with tax-relevant content are to be electronically retained for the duration of the statutory retention period and must be made available on request of the fiscal authorities.

Specific requirements regarding nature, format and processability of electronically retained e-mails must be satisfied.

Arbitrary storage in individual mailboxes of personnel or a printout of tax-relevant e-mails is now insufficient.

Companies that have not adjusted their financial accounting to the new statutory requirements of GDPdU may be subject to substantial sanctions in their next tax audit. Exceptionally severe violations may result in an estimation of the tax basis as well as penalty payments and a fine on arrears that can amount to EUR 250,000.

Electronic archiving systems offer a compliance solution to the high demands of e-mail retention. Note, however, that a solely technical solution by itself does not lead to compliance.

Compliance with retention requirements can be achieved only through technical solutions in combination with coordinated procedures and processes.

It is a prevalent misapprehension that a “certified” system by itself suffices to comply with the various requirements. That is simply not true.

Many software producers leave their customers unaware of the true extent of compliance requirements and may conceal that in addition to simple storage, organisational procedures in connection with the filing structure for e-mails and attachments as well as prompt retrieval must be implemented.

GFI Software strikes a new path. In addition to a certification of the e-mail archiving software GFI MailArchiver 6 concerning compliance with GDPdU, issued by a German accountancy, GFI Software offers a comprehensive solution. In addition to the proven technical archiving solution, support for the structuring of the necessary organisational procedures and processes is provided.

This document is designed to provide information about the requirements of German fiscal authorities and to support, on the basis of a pragmatic checklist, the implementation of procedures pursuant to statutes.

B. Legal principles

Pursuant to German commercial and fiscal law (§§ 238, 239, 257 HGB and §§ 145-147 AO) account books and other accounting records can be maintained under certain conditions on an image carrier or any other data carrier. Accordingly, storage of tax-relevant documents on digital data carriers – e. g. in electronic archiving systems – is possible.

Electronic archiving is defined as unalterable long-term storage of documents subject to retention obligations on machine-readable data carriers to fulfill the statutory retention requirements pursuant to § 257 HGB and § 147 AO.

Documents subject to retention obligations are e. g.:
   - accounting vouchers, account books and commercial letters
   - physical documents in hard copy (e. g. incoming commercial letters or manually generated accounting vouchers and other vouchers)
   - procedure documentation and user manual, documentation of the internal control system (ICS) as well as other documents needed for understanding the financial accounting

E-mails with tax-relevant content also fall into the category of documents with a retention obligation pursuant to § 147 (1) No. 5 AO.

Details of the statutory specifications can be gathered from different relevant statements, policies and regulations, including amongst others:
   - Grundsätze ordnungsmäßiger Buchführung (GoB, broadly translated as “Generally Accepted Principles of Proper Accounting”) in accordance with §§ 238 et seq., 257 HGB and §§ 147 et seq. AO
   - Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GoBS, broadly translated as “Generally Accepted Principles of Computer-Assisted Accounting Systems”), issued by the Federal Ministry of Finance (BMF) in a written communication on 7 November 1995
   - Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU), issued by the BMF in a written communication on 16 July 2001

With an intent to provide details of these requirements, the Institute of German Public Auditors (“Institut der Wirtschaftsprüfer in Deutschland e.V.”, IDW) published on 11 July 2006 a statement for proper accounting when applying electronic archiving, called “Grundsätze ordnungsmäßiger Buchführung beim Einsatz elektronischer Archivierungsverfahren” (IDW RS FAIT 3).

Additionally, there are data protection requirements determined by the Federal Data Protection Act (“Bundesdatenschutzgesetz”, BDSG).

C. Technical and organisational requirements

Regulations, including pronouncements of the German fiscal authorities, do not prescribe any particular technique for electronic archiving. However, there is mutual agreement about certain technical and organisational requirements related to any system for electronic archiving of e-mails:
   - electronic evaluation
   - completeness and unalterability
   - secure and traceable data processing and data storage
   - adequate data accessibility
   - assignment capability of e-mails and related business transactions
   - provision of adequate process documentation
   - data protection requirements

I. Electronic evaluation

According to GDPdU, electronic evaluation must be provided. The archiving system receiving the data must have processing capacities, in quantitative and qualitative terms, similar to those of the source system, as if the data were still in the productive system (broadly paraphrased from the BMF pronouncement).

During a transfer no changes may occur to the object to be archived or to its ability to be evaluated.

With regard to generic digital documents, it is to be noted whether structural information necessary for electronic evaluation is present in addition to the content. For example, the “header” of e-mails contains, amongst other information, details about the sender, recipient and coding and is considered part of the structural information.

In addition to the e-mail itself and the structural information, e-mail attachments are also of importance. They are to be taken into consideration when the tax relevance of an e-mail is evaluated and should maintain their capability to be evaluated during the entire archiving process.
II. Completeness and unalterability

All data must be fully archived. Therefore data from the source system may not be filtered in any way.

Fiscal authorities attach great importance to ensuring that no densification of information occurs prior to acceptance by the archiving system or subsequently to acceptance, because a loss of tax-relevant information cannot be precluded.

The unalterability of archiving objects is to be ensured during all stages of the archiving process. The duplicability of the process is to be ensured through proper logging.

The applied archiving procedures have to be performed such that the following requirements are fulfilled:
   - parameterisation of all systems of the archiving solution that ensure the capture of tax-relevant data
   - loss-free data transfer to the data capture system
   - prompt periodic archiving
   - archiving of data true to the original in both imagery and content

III. Secure and traceable data processing and data storage

Any subsequent changes to the archived objects must be prevented at all levels including the operating system, database and application level.

The complete storage of captured data is to be ensured in a retraceable manner and error-free saving is to be ensured by suitable plausibility controls.

To assure information security and data protection, the archiving software may allow for read-only data access in light of separation of functions and authorised interest, and as required in interaction with the operating system as well as applied third-party software (e. g. database system).

Thus, encrypted storage as well as encapsulation of the master file is permissible to the extent that the master file can be readably retrieved without causing a delay in the audit process.

Storage in a data format deviating from the master file is not acceptable and may act only as a supplement to the master file.

IV. Adequate data accessibility

The applied archiving system must technically enable free access to data and documents.

To ensure prompt data access for fiscal authorities the archiving solution must allow for readability and reproducibility of the archiving objects at any time during the entire retention period.

In order to ensure the retrievability of tax-relevant e-mails, the requirements for proper filing must be satisfied. Therefore it is essential that each e-mail is assigned a unique index value.

Moreover the system should dispose of a suitable method for keyword indexing to map relations to data outside the archiving system. This ensures that the tax auditor is able to retrace a logical chain of tax-relevant business transactions including the examination of particular data objects.

V. Assignment capability of e-mails and related business transactions

The assignment of tax-relevant e-mails to corresponding business transactions is mandatory. This is rather complicated due to the characteristics of e-mails.

The following alternatives are possible:
   - tax-relevant e-mails with reference to one business transaction
   - tax-relevant e-mails with reference to numerous business transactions
   - tax-relevant e-mails not in reference to any business transaction

Fiscal authorities do not provide specific operational guidelines on how such an assignment is to be made in a reliable manner. Insofar the taxpayer is not subject to any restrictions regarding his choice of procedures. A suitable archiving system should nevertheless provide for convenient methods to allow for such an assignment.

VI. Provision of adequate process documentation

The archiving solution must dispose of an adequate process documentation, consisting of the following components:
   - user documentation
   - technical system documentation
   - operational documentation

Therein the applicable procedures are to be determined and verified. This applies in particular to the controls designated to the respective procedures.

Moreover the process documentation shall contain technical (e. g. interface definitions to preceding and subsequent systems) and organisational definitions (e. g. point in time and frequency of archiving processes).

VII. Data protection requirements

Along with the fundamental problem of automated e-mail qualification, using server-side archiving in companies also includes difficulties with regard to data protection requirements.

Through server-side automated archiving of e-mails, all incoming e-mails are captured before they reach the recipient’s individual sphere of control on his workstation computer. In this case, private e-mails would also be subject to archiving.

D. Risks

The risks resulting from a failure to satisfy statutory requirements are numerous. In addition to potential legal consequences, they primarily affect image, profitability and efficiency of the company.

Material risks are e. g.:
   - non-deductibility of input VAT
   - sanctions for non-compliance with regulations
   - loss of evidentiary value
   - data protection violations
   - increased in-house expenses
   - disclosure of sensitive internal information

Non-deductibility of input VAT

As a result of inadequate or incomplete archiving of incoming invoices received by the company via e-mail in the context of transmission of electronic invoices (“e-billing”), there is a danger of losing the deductibility of input VAT.

In this context, the proper archiving of the so-called “validated electronic signature” accompanying an electronic invoice must be considered. In Germany, the “Value Added Tax Act” (Umsatzsteuergesetz, UStG) demands a validated electronic signature on electronically transmitted invoices in order for the company receiving the invoice to deduct the input VAT.

Sanctions for non-compliance with regulations

Violations of regulations may result in sanctions by fiscal authorities ranging from penalties and fines on arrears for exceptionally severe violations that can amount to EUR 250,000 (§ 146 2b AO) and may extend to an estimation of the tax basis.

Loss of evidentiary value

Inadequate archiving may result in a loss of evidentiary value and thus in an indefinite financial risk.

This is particularly possible if the archived e-mails do not remain unaltered and in their original format, as required. For example, business correspondence between customers and suppliers may represent essential evidence in litigation where the content and sequence of events are material.

Data protection violations

Violations of data protection requirements are especially possible as a result of insufficient physical and logical access restrictions to material data if access to or even manipulations of personal data are thereby possible.

A violation of data protection regulations may result in substantial monetary fines ranging, in the worst case, from EUR 50,000 as a consequence of violations of procedural rules to EUR 300,000 for violations of material data protection regulations.

Increased in-house expenses

The in-house expense of providing prompt and free data access to fiscal authorities must also be considered.

For example, a subsequent sorting of a progressively growing volume of e-mail data may result in a considerable operating expense.

In contrast, proper filing normally results in significant efficiency advantages.

In addition, the implementation of a dedicated e-mail archiving solution avoids unnecessary data redundancy and excess use of resources (e. g. storage capacity).

Disclosure of sensitive internal information

The fiscal authorities are not subject to any restrictions regarding exploitation of information that has accidentally come into their possession or which exceeds the object of the audit.

Failed or flawed separation of tax-relevant e-mails from non tax-relevant e-mails may lead to a situation where, as a result of the disclosure of internal information which was not an object of the audit, fiscal authorities could acquire facts that might be to the company’s disadvantage. This represents an avoidable risk.
E. GFI MailArchiver 6 Checklist                                Parameterisation and interfaces

System Design                                                  In order to allow for a configuration of the archving
                                                               solution that complies with the requirements of
Selection of a suitable archive storage
                                                               GDPdU, the following mandatory preparations on
   Does the selected archive storage comply
                                                               the side of the source system (MS Exchange
   with the requirements of unalterable and
                                                               Server) are to be made prior to the initial operation:
   traceable archiving?
                                                                  Definition and installation of the journaling
   It is essential that the archive storage
                                                                  mailbox that is to contain all e-mails designated
   allows for comprehensive logging of all
                                                                  for archiving of the corresponding server
   saving processes and subsequent data
                                                                  Activation of envelope journaling in MS
   access (including the database level).
                                                                  Exchange Server to ensure the completeness
   The database system MS SQL Server
                                                                  of the scope of archiving, comprising all
   serves as a suitable data storage.
                                                                  possible e-mail recipients including blind
   Subject to appropriately configured access                     carbon copy recipients (BCC)
   rights the above referenced requirements                       This feature is already activated by default
   are fulfilled by complete storage of all data                  when using MS Exchange Server 2007.
   within the database to enable GDPdU-
                                                                  Activation of the message tracking function to
   compliant storage.
                                                                  allow for subsequent verification of complete
Security of data connection                                       archiving

   Does the archiving of e-mails occur via                     In addition to the mandatory preparations for
   network connections from source systems                     GDPdU-compliant        archiving,    the    following
   that are not located within the user’s                      recommendations should be considered:
   sphere of confidence (e. g. from remote
                                                                  Is it ensured that the scope of e-mails
   MS Exchange Servers)?
                                                                  designated for archival storage is not limited by
   In    this   case      unalterability   within   the           archiving option settings of GFI MailArchiver?
   transmission path has to be ensured by
                                                                  With regard to completeness aspects the
   encryption protected file transfer.
                                                                  following settings are to be made:
   For this purpose it is necessary to select
                                                                      Capture of e-mails in all possible directions
   the    transmission        protocol     IMAP     with
                                                                      (incoming, outgoing and internal)
   secure       sockets     layer   (SSL)     in    GFI
MailArchiver to connect with the source system.

- No exclusions based on blacklisted user accounts of the Windows domain or specific e-mail addresses
- No limitation of the number of users based on whitelisted user accounts of the Windows domain or specific e-mail addresses

Exceptions are user accounts or e-mail addresses for which tax relevance of the e-mail traffic can definitely be excluded.

Is it ensured that no archiving policies are installed which allow for a storage time shorter than the statutory retention period (e. g. retention policies for immediate deletion based on predefined features)?

Processes and organisation

Does the written definition serve as a suitable means for a competent third party to comprehend content, structure and process flow of the procedures within an appropriate timeframe?

Are all responsibilities for the particular process steps (functional and IT-related operations) for all archiving components fully defined?

Is it ensured that users are instructed on how to operate the archiving system and/or is a user manual placed at their disposal?

Is it ensured that the system administration is instructed on how to operate the archiving system and/or is an administration manual placed at its disposal?

Are maintenance and operations control tasks of the archiving system properly defined and contained in an overarching concept of IT-related controlled operations?

Are all verification tasks properly defined?

Does the configured authorisation concept comply with the predetermined competencies and is the procedure adequately documented?

Capture

Are all procedures and techniques that allow for verifiably complete and correct capture and archival storage of e-mails properly defined and documented?

GFI MailArchiver does not support logging of the e-mails transferred via the standard interface from MS Exchange Server. Therefore the verification of loss-free and thus complete data transfer, as required by GDPdU, must be provided by the log generated by the particular source system (MS Exchange Server).

If necessary, complete archiving can be verified by comparing the logs generated by the message tracking function of MS Exchange Server (which list the processed e-mails) with the e-mails subsequently stored in the archive, on the basis of common identifying features.
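The comparison just described, as an added example that is not part of the whitepaper and is neither GFI's nor Microsoft's code: a Python script reads Exchange 2007 message tracking logs (CSV files whose column names are given in a "#Fields:" header line), collects the Message-ID of every e-mail that Exchange actually delivered to a mailbox or sent out, and sets that list off against the Message-IDs found in the archive. The Message-ID is the common identifying feature the document itself recommends under "Storage and administration". The log lines, the archive content and the rule that only DELIVER and SEND events count as "processed" (a RECEIVE that ends in FAIL is not expected in the archive) are assumptions made for the illustration.

```python
from __future__ import annotations

import csv
from dataclasses import dataclass

# Assumption: an e-mail counts as processed by Exchange, and must therefore be
# in the archive, once the tracking log shows it delivered to a mailbox (DELIVER)
# or sent out (SEND). RECEIVE-only or FAIL-ed messages are not expected there.
PROCESSED_EVENTS = {"DELIVER", "SEND"}


def normalize_message_id(raw: str) -> str:
    """Strip angle brackets and whitespace; otherwise Message-IDs compare exactly."""
    return raw.strip().strip("<>").strip()


def parse_tracking_log(text: str) -> dict[str, set[str]]:
    """Map Message-ID -> set of event-ids found in one message tracking log file.

    Column names come from the '#Fields:' header, so the parser does not depend
    on a fixed column order; the other '#' lines are metadata and are skipped.
    """
    fields: list[str] | None = None
    events: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        row = next(csv.reader([line]))  # csv handles quoted subjects containing commas
        if len(row) != len(fields):
            raise ValueError(f"column count mismatch in row: {line!r}")
        record = dict(zip(fields, row))
        mid = normalize_message_id(record["message-id"])
        if mid:  # system-generated messages may carry no Message-ID
            events.setdefault(mid, set()).add(record["event-id"].upper())
    return events


@dataclass
class Reconciliation:
    expected: set[str]    # Message-IDs Exchange delivered or sent
    missing: set[str]     # expected but absent from the archive: an archiving gap
    unexpected: set[str]  # archived but not in the loaded logs (e.g. period not loaded)

    def complete(self) -> bool:
        return not self.missing


def reconcile(tracking_logs: list[str], archived_message_ids: set[str]) -> Reconciliation:
    """Set the loaded tracking logs off against the Message-IDs found in the archive."""
    events: dict[str, set[str]] = {}
    for log_text in tracking_logs:
        for mid, evs in parse_tracking_log(log_text).items():
            events.setdefault(mid, set()).update(evs)
    expected = {mid for mid, evs in events.items() if evs & PROCESSED_EVENTS}
    archived = {normalize_message_id(m) for m in archived_message_ids}
    return Reconciliation(expected, expected - archived, archived - expected)


# Constructed sample data in the Exchange 2007 message tracking log layout.
FIELDS = "#Fields: " + ",".join([
    "date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
    "source-context", "connector-id", "source", "event-id", "internal-message-id",
    "message-id", "recipient-address", "recipient-status", "total-bytes",
    "recipient-count", "related-recipient-address", "reference", "message-subject",
    "sender-address", "return-path", "message-info",
])
HEADER = ["#Software: Microsoft Exchange Server", "#Version: 8.0.0.0",
          "#Log-type: Message Tracking Log", FIELDS]

SAMPLE_LOG_DAY1 = "\n".join(HEADER + [
    '2009-08-03T08:15:02.113Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1001,<A1@mail.example.com>,buchhaltung@example.com,,4231,1,,,"Invoice 2009-0815, net 30",supplier@example.net,supplier@example.net,',
    '2009-08-03T08:15:02.550Z,,,10.0.0.5,MAIL01,,,STOREDRIVER,DELIVER,1001,<A1@mail.example.com>,buchhaltung@example.com,,4231,1,,,"Invoice 2009-0815, net 30",supplier@example.net,supplier@example.net,',
    '2009-08-03T09:02:17.001Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,,STOREDRIVER,SUBMIT,1002,<B2@mail.example.com>,kunde@example.org,,1880,1,,,Order confirmation,vertrieb@example.com,vertrieb@example.com,',
    '2009-08-03T09:02:18.320Z,10.0.0.5,MAIL01,203.0.113.25,mx.example.org,,Internet,SMTP,SEND,1002,<B2@mail.example.com>,kunde@example.org,250 2.6.0 Queued,1880,1,,,Order confirmation,vertrieb@example.com,vertrieb@example.com,',
    '2009-08-03T10:41:00.700Z,198.51.100.9,,10.0.0.5,MAIL01,,Default MAIL01,SMTP,RECEIVE,1003,<C3@mail.example.com>,nobody@example.com,,900,1,,,hello,spam@example.invalid,spam@example.invalid,',
    '2009-08-03T10:41:00.900Z,,,10.0.0.5,MAIL01,,,ROUTING,FAIL,1003,<C3@mail.example.com>,nobody@example.com,550 5.1.1 User unknown,900,1,,,hello,spam@example.invalid,spam@example.invalid,',
])
SAMPLE_LOG_DAY2 = "\n".join(HEADER + [
    '2009-08-04T07:00:00.000Z,,,10.0.0.5,MAIL01,,,STOREDRIVER,DELIVER,1004,<D4@mail.example.com>,einkauf@example.com,,2048,1,,,"Angebot, Lieferung KW 33",lieferant@example.net,lieferant@example.net,',
])


def reconcile_sample() -> Reconciliation:
    # Constructed archive content: A1 and B2 present, Z9 from an earlier log period, D4 missing.
    archived = {"<A1@mail.example.com>", "B2@mail.example.com", "<Z9@mail.example.com>"}
    return reconcile([SAMPLE_LOG_DAY1, SAMPLE_LOG_DAY2], archived)


if __name__ == "__main__":
    result = reconcile_sample()
    print("complete" if result.complete() else f"missing from archive: {sorted(result.missing)}")
    print("archived but not in loaded logs:", sorted(result.unexpected))
```

Only the "missing" set is an archiving gap; "unexpected" entries usually mean the log files for that period were not loaded, which is itself worth checking. The comparison is only possible for as long as the source-side logs exist: Exchange 2007 ages tracking logs out after MessageTrackingLogMaxAge (30 days by default) and deletes the oldest files once MessageTrackingLogMaxDirectorySize is reached, so the daily log files have to be copied to append-only storage and kept for the same retention period as the archive, as the document demands under "Storage and administration".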
Are suitable procedures in place that ensure compliance with the requirements of GDPdU with regard to the archival storage of signed and encrypted e-mails?

Subsequent editing of archived e-mails, and the combined capture of e-mails together with additional data sets that are not obtained directly from MS Exchange Server, are not supported by GFI MailArchiver. Therefore appropriate procedures should be installed (e. g. manual keyword indexing) to allow signed or encrypted e-mails to be assigned to their corresponding verification records, or to the decrypted e-mails and the related decryption keys.

Indexing and keyword indexing

Are the procedures for the labelling of tax-relevant archived e-mails unambiguously specified?

GFI MailArchiver 6 provides two fundamentally different options for attaching labels to e-mails:

- Automatically, through policy-based labelling at the moment of archiving by means of definable categorisation policies
- Manually, through subsequent labelling of archived e-mails that are accessible to the user

It is advisable to refrain from policy-based automated labelling, especially as the sole technique. An evaluation of tax relevance is usually too complex for predetermined policies to operate reliably. In any case, such policy-based automated procedures should be accompanied by a manual verification.

Has a procedure been defined that allows for an assignment to one or multiple business transactions by means of suitable keyword indexing in GFI MailArchiver?

The option provided by GFI MailArchiver to individually apply labels, visible to all users, to e-mails that are accessible to the user allows not only for labelling tax relevance but also for a direct assignment to a corresponding business transaction. This can be implemented by applying a label (e. g. a keyword index) that contains identifying features allowing retrieval of the corresponding content in other systems.

Has a procedure been defined that allows for a distinct assignment of the archived e-mails in a separate accounting system?

In this regard, the identifier ("Identification Code") that enables distinct identification of archived e-mails within GFI MailArchiver is important. Stored in an external system (e. g. an ERP system), this identifier can serve as a so-called "foreign key" that establishes a logical reference to the related e-mails and, in this way, an assignment to the business transaction.

The "Identification Code" accessible at the application level provides valuable help in enabling technical usage of such a foreign key reference in a networked system environment.

Subject to appropriately set up access rights, the archived e-mails can be addressed directly from external systems via hyperlink. However, for this to function, the referencing system must contain a method to generate the uniform resource locator (URL) autonomously. GFI MailArchiver's "Identification Code" can serve as a referencing link from an external software system by using the parameters "id" and "connectionId" it contains.

Such a URL can be composed as follows:

- Addressing the user interface of GFI MailArchiver to view the e-mail:
  http://localhost/mailarchiver/mailview.aspx?
- Addition of the first parameter ("id") representing the active archive store of GFI MailArchiver:
  http://localhost/mailarchiver/mailview.aspx?id=-2147483647
- Addition of the second parameter, the Connection-ID ("connectionId"):
  http://localhost/mailarchiver/mailview.aspx?id=-2147483647&connectionId=b44d3270-8bdb-43d2-8fa2-67eb6ead54a9

Entering the URL results in a view of the specific e-mail in the archive:
http://localhost/mailarchiver/mailview.aspx?id=-2147483647&connectionId=b44d3270-8bdb-43d2-8fa2-67eb6ead54a9

Storage and administration

Is it ensured that the selected archive storage provides the foreseeably required storage capacity and that this is monitored regularly?

Is it ensured that subsequent verifiability of complete archiving, based on a comparison of e-mails transferred by MS Exchange with e-mails archived by GFI MailArchiver (preferably by means of their Message-ID), is possible?

Accordingly, it is necessary to ensure that the MS Exchange Server logs which enable the comparison on the source side are stored loss-free (e. g. no overwriting, append mode only) for as long as the archived data itself.

Readability and retrieval

Is a tax auditor user account set up that enables access to all tax-relevant e-mails?
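The URL composition described above under "Indexing and keyword indexing", as an added example that is not part of the whitepaper and not GFI's code: a Python helper that an ERP or accounting system could use to turn a stored "Identification Code" into the mailview link. It assumes the code is stored in the ERP column as the query-string fragment "id=<int32>&connectionId=<GUID>" (the two parameters the document names) and that the archive is published under an assumed host name rather than localhost. The point a practitioner wants here is that the stored value is validated before it becomes part of a link: a field that many ERP users can edit must not be able to add query parameters, change the target page, or point the link at another host.

```python
from __future__ import annotations

import re
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed published base URL of the GFI MailArchiver web interface. The whitepaper's
# example uses http://localhost/mailarchiver/, which only resolves on the archive
# server itself; a link stored in an ERP needs the real host name.
DEFAULT_BASE_URL = "https://mailarchive.example.com/mailarchiver/"

INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1
_INT_RE = re.compile(r"^-?[0-9]+$")


class IdentificationCodeError(ValueError):
    """The stored identification code does not have the expected shape."""


def parse_identification_code(code: str) -> tuple[int, str]:
    """Validate an identification code stored as "id=<int32>&connectionId=<guid>".

    Assumption: the ERP column holds exactly the two parameters the whitepaper
    names, in query-string form. Anything else (extra or duplicate parameters,
    a non-numeric id, a GUID in brace or URN form) is rejected, so a tampered
    column cannot smuggle additional query parameters into the generated link.
    """
    try:
        params = parse_qs(code, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise IdentificationCodeError(f"malformed code {code!r}") from exc
    if set(params) != {"id", "connectionId"} or any(len(v) != 1 for v in params.values()):
        raise IdentificationCodeError(f"unexpected parameter set in {code!r}")
    raw_id, raw_conn = params["id"][0], params["connectionId"][0]
    if not _INT_RE.match(raw_id):
        raise IdentificationCodeError(f"id is not a plain integer: {raw_id!r}")
    mail_id = int(raw_id)
    if not INT32_MIN <= mail_id <= INT32_MAX:
        raise IdentificationCodeError(f"id outside int32 range: {mail_id}")
    try:
        conn = uuid.UUID(raw_conn)
    except ValueError as exc:
        raise IdentificationCodeError(f"connectionId is not a GUID: {raw_conn!r}") from exc
    if str(conn) != raw_conn.lower():  # uuid.UUID() also accepts {...} and urn:uuid: forms
        raise IdentificationCodeError(f"connectionId not in canonical form: {raw_conn!r}")
    return mail_id, str(conn)


def build_mailview_url(code: str, base_url: str = DEFAULT_BASE_URL,
                       require_https: bool = True) -> str:
    """Compose the mailview.aspx link from a validated identification code."""
    parts = urlsplit(base_url)
    allowed = ("https",) if require_https else ("http", "https")
    if parts.scheme not in allowed or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"base URL must be a bare {'/'.join(allowed)} path: {base_url!r}")
    mail_id, conn = parse_identification_code(code)
    query = urlencode([("id", str(mail_id)), ("connectionId", conn)])
    return base_url.rstrip("/") + "/mailview.aspx?" + query


def is_valid_identification_code(code: str) -> bool:
    """True when the stored value would produce a link, False when it must be rejected."""
    try:
        parse_identification_code(code)
    except IdentificationCodeError:
        return False
    return True


if __name__ == "__main__":
    # The document's own example, reproduced against the localhost base URL.
    print(build_mailview_url("id=-2147483647&connectionId=b44d3270-8bdb-43d2-8fa2-67eb6ead54a9",
                             "http://localhost/mailarchiver/", require_https=False))
```

The link only displays the e-mail to a user whom GFI MailArchiver itself authorises for that archive store, which is the "appropriately set up access rights" the document mentions; the validation here protects the link, not the archive. Requiring https for the published base URL is the added example's own choice, not a requirement stated by the whitepaper.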
As GFI MailArchiver does not support or allow restricted access based on labels, it is advisable to install an organisational procedure for labelling tax relevance that ensures separation of data within the archive prior to a tax audit (e. g. systematic designation of tax relevance using the manual method for individual labelling).

In a further step, an export based on such labels followed by a reimport into a dedicated archive store can be conducted in preparation for a tax audit. In this way a tax auditor is granted comprehensive access to exclusively tax-relevant e-mails, based on the labels.

Retention and deletion

Is it ensured that no retention policies are defined that cause deletion of archived e-mails prior to expiration of the statutory retention period?

Some tax-relevant e-mails may in certain cases contain information that requires a retention period of ten years. Therefore it is advisable to refrain from a policy-based determination of the retention period by means of the retention policies of GFI MailArchiver, to the extent that they do not correspond with the longest statutory minimum retention period.

Software security

Is there an authorisation concept that allows for a determination of the required separation of functions and the assignment of access rights?

Are adequate access controls available at the following access levels:

- operating system: MS Windows including Active Directory, web server and MS Exchange Server
- database system: MS SQL Server
- archiving software: GFI MailArchiver 6

Process documentation

Are all settings regarding the parameterisation of software and interfaces properly documented?

Are all interfaces between the particular components of the archiving solution (e. g. designation, source/destination system, interface content/type, matching) documented in a comprehensible manner?

Are the interfaces between the archiving solution and other software systems of the company (e. g. ERP system or financial accounting system) documented in a comprehensible manner with regard to referencing business transactions?

Are operating instructions for users available that allow for proper performance of their activities, including the manual controls and matching (operational documentation) provided by the procedure?

Is a description of the applied components available that illustrates the technical architecture of the archiving solution and how the operational requirements are realised (technical system documentation)?

Are operating instructions for IT personnel available that allow for proper performance of controlled operation (e. g. backup and restoration manual)?

Is it ensured that the documentation of all effective procedures is archived as a document subject to retention?

Implementation and change

Is it ensured that the compliance and security of the applied systems and software are subject to functional and technical test procedures prior to the initial operation of the archiving solution?

Is a test procedure defined and documented, and do the test cases allow for a verification of the requirements regarding compliance and security?

Is a release procedure defined and documented that contains rules on release competencies, and are release approvals for all components of the archiving solution available?

Is it ensured that changes to the e-mail archiving solution are only applied subject to an orderly procedure (change management)?

IT operations

Are the IT operations (controlled and emergency operations) properly defined in organisational instructions (e. g. tasks and authority of administrators, rules for change management and the administration of storage media)?

Has an emergency concept been prepared for a possible failure of the archiving solution (e. g. disaster recovery and contingency plan)?

Are suitable data backup and backup safekeeping procedures defined, and are regular verification tests scheduled concerning effective data recovery?

Outsourcing

When engaging an external service provider to operate the archiving solution (outsourcing), is it ensured that the requirements regarding compliance and security are guaranteed by the service provider? Appropriate contractual provisions and service level agreements are required.

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 

Compliance with the Requirements of GDPdU

  • 1. GFI Software | www.gfi.com WhitePaper Compliance with the Requirements of GDPdU using the Software GFI MailArchiver 6 for Exchange compiled in cooperation with August 09
  • 2.
A. Introduction ... 2
B. Legal principles ... 3
C. Technical and organisational requirements ... 4
   I. Electronic evaluation ... 4
   II. Completeness and unalterability ... 5
   III. Secure and traceable data processing and data storage ... 5
   IV. Adequate data accessibility ... 5
   V. Assignment capability of e-mails and related business transactions ... 6
   VI. Provision of adequate process documentation ... 6
   VII. Data protection requirements ... 6
D. Risks ... 6
E. GFI MailArchiver 6 Checklist ... 9

A. Introduction

We can no longer imagine conducting business without e-mail. Today entire transactions are conducted based on e-mail exchanges. As e-mails often serve as business letters and so-called “commercial letters” and are also significant for taxation, specific requirements regarding processing and retention of these e-mails are imposed.

The German Tax Code (§ 147 AO) controls the requirements for tax-relevant e-mails. Pursuant to the Tax Code, tax-relevant e-mails must be retained for either six or ten years.

In addition, a detailed statutory requirement on data access of the German fiscal authority called GDPdU (broadly translated as “Generally Accepted Principles of Data Access and Auditability of Digital Documents”) has been in effect in Germany for several years.

According to this regulation, all e-mails with tax-relevant content are to be electronically retained for the duration of the statutory retention period and must be made available on request of the fiscal authorities.

Specific requirements regarding nature, format and processability of electronically retained e-mails must be satisfied.

An arbitrary storage in individual mailboxes of personnel or a printout of tax-relevant e-mails is now insufficient.

Companies that have not adjusted their financial accounting to the new statutory requirements of GDPdU may be subject to substantial sanctions in their next tax audit. Exceptionally severe violations may result in an estimation of the tax basis as well as penalty payments and a fine on arrears that can amount to EUR 250,000.

Electronic archiving systems offer a compliance solution to the high demands of e-mail retention. Note, however, that a solely technical solution by itself does not lead to compliance.

Compliance with retention requirements can be achieved only through technical solutions in combination with coordinated procedures and processes.

It is a prevalent misapprehension that a “certified” system by itself suffices to comply with the various regulatory requirements. That is simply not true.

Many software producers leave their customers unaware of the true extent of compliance requirements and may conceal that in addition to simple storage, organisational procedures in connection with the filing structure for e-mails and
  • 3.
attachments as well as prompt retrieval must be implemented.

GFI Software strikes a new path. In addition to a certification issued by a German accountancy of the e-mail archiving software GFI MailArchiver 6 concerning compliance with GDPdU, GFI Software offers a comprehensive solution. In addition to the proven technical archiving solution, support for the structuring of the necessary organisational procedures and processes is provided.

This document is designed to provide information about the requirements of German fiscal authorities and to support, on the basis of a pragmatic checklist, the implementation of procedures pursuant to statutes.

B. Legal principles

Pursuant to German commercial and fiscal law (§§ 238, 239, 257 HGB and §§ 145-147 AO) account books and other accounting records can be maintained under certain conditions on an image carrier or any other data carrier. Accordingly, storage of tax-relevant documents on digital data carriers – e. g. in electronic archiving systems – is possible.

Electronic archiving is defined as unalterable long-term storage of documents subject to retention obligations on machine-readable data carriers to fulfill the statutory retention requirements pursuant to § 257 HGB and § 147 AO.

Documents subject to retention obligations are e. g.:
- accounting vouchers, account books and commercial letters
- physical documents in hard copy (e. g. incoming commercial letters or manually generated accounting vouchers and other vouchers)
- procedure documentation and user manual, documentation of the internal control system (ICS) as well as other documents needed for understanding the financial accounting

E-mails with tax-relevant content also fall into the category of documents with a retention obligation pursuant to § 147 (1) No. 5 AO.

Details of the statutory specifications can be gathered from different relevant statements, policies and regulations, including amongst others:
- Grundsätze ordnungsmäßiger Buchführung (GoB, broadly translated as “Generally Accepted Principles of Proper Accounting”) in accordance with §§ 238 et seq., 257 HGB and §§ 147 et seq. AO
- Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GoBS, broadly translated as “Generally Accepted Principles of Computer-Assisted Accounting Systems”), issued by the Federal Ministry of Finance (BMF) in a written communication on 7 November 1995
  • 4.
- Grundsätze zum Datenzugriff und zur Prüfbarkeit digitaler Unterlagen (GDPdU), issued by the BMF in a written communication on 16 July 2001

With an intent to provide details of these requirements, the Institute of German Public Auditors (“Institut der Wirtschaftsprüfer in Deutschland e.V.”, IDW) published on 11 July 2006 a statement for proper accounting when applying electronic archiving, called “Grundsätze ordnungsmäßiger Buchführung beim Einsatz elektronischer Archivierungsverfahren” (IDW RS FAIT 3).

Additionally, there are data protection requirements determined by the Federal Data Protection Act (“Bundesdatenschutzgesetz”, BDSG).

C. Technical and organisational requirements

Regulations, including pronouncements of the German fiscal authorities, do not prescribe any certain technique for electronic archiving. However, there is mutual agreement about certain technical and organisational requirements related to any system for electronic archiving of e-mails:
- electronic evaluation
- completeness and unalterability
- secure and traceable data processing and data storage
- adequate data accessibility
- assignment capability of e-mails and related business transactions
- provision of adequate process documentation
- data protection requirements

I. Electronic evaluation

According to GDPdU, electronic evaluation must be provided. The data sourcing archiving system must have processing capacities, in a quantitative and qualitative degree, similar to that of the source system as if the data was still in the productive system (broadly paraphrased from the BMF pronouncement).

During a transfer no changes may occur to the object to be archived or to its ability to be evaluated.

With regard to generic digital documents, it is to be noted whether structural information is present in addition to content that is necessary for electronic evaluation.

For example, the “header” of e-mails contains, amongst other information, details about the sender, recipient and coding and is considered part of the structural information.

In addition to the e-mail itself and the structural information, e-mail attachments are also of importance. They are to be taken into consideration when the tax relevance of an e-mail is evaluated and should maintain their capability to be evaluated during the entire archiving process.
  • 5.
II. Completeness and unalterability

All data must be fully archived. Therefore data from the source system may not be filtered in any way.

Fiscal authorities attach great importance that no densification of information occur prior to acceptance by the archiving system or subsequently to acceptance, because a loss of tax-relevant information cannot be precluded.

The unalterability of archiving objects is to be ensured during all stages of the archiving process. The duplicability of the process is to be ensured through proper logging.

The applied archiving procedures have to be performed such that the following requirements are fulfilled:
- parameterisation of all systems of the archiving solution that ensure the capture of tax-relevant data
- loss-free data transfer to the data capture system
- prompt periodic archiving
- archiving of data true to the original in both imagery and content

III. Secure and traceable data processing and data storage

Any subsequent changes to the archived objects must be prevented at all levels including the operating system, database and application level.

The complete storage of captured data is to be ensured in a retraceable manner and error-free saving is to be ensured by suitable plausibility controls.

To assure information security and data protection, the archiving software may allow for read-only data access in light of separation of functions and authorised interest, and as required in interaction with the operating system as well as applied third-party software (e. g. database system).

Thus, encrypted storage as well as encapsulation of the master file is permissible to the extent that the master file can be readably retrieved without causing a delay in the audit process.

Storage in a data format deviating from the master file is not acceptable and may act only as a supplement to the master file.

IV. Adequate data accessibility

The applied archiving system must technically enable free access to data and documents.

To ensure prompt data access for fiscal authorities the archiving solution must allow for readability and reproducibility of the archiving objects at any time during the entire retention period.

In order to ensure the retrievability of tax-relevant e-mails, the requirements for proper filing must be satisfied. Therefore it is essential that each e-mail is assigned a unique index value.

Moreover the system should dispose of a suitable method for keyword indexing to map relations on data outside the archiving system. This ensures
  • 6.
that the tax auditor is able to retrace a logical chain of tax-relevant business transactions including the examination of particular data objects.

V. Assignment capability of e-mails and related business transactions

The assignment of tax-relevant e-mails to corresponding business transactions is mandatory. This is rather complicated due to the characteristics of e-mails.

The following alternatives are possible:
- tax-relevant e-mails with reference to one business transaction
- tax-relevant e-mails with reference to numerous business transactions
- tax-relevant e-mails not in reference to any business transaction

Fiscal authorities do not provide specific operational guidelines on how such an assignment is to be made in a reliable manner. Insofar the taxpayer is not subject to any restrictions regarding his choice of procedures. A suitable archiving system should nevertheless provide for convenient methods to allow for such an assignment.

VI. Provision of adequate process documentation

The archiving solution must dispose of an adequate process documentation, consisting of the following components:
- user documentation
- technical system documentation
- operational documentation

Therein the applicable procedures are to be determined and verified. This applies in particular to the controls designated to the respective procedures.

Moreover the process documentation shall contain technical (e. g. interface definitions to preceding and subsequent systems) and organisational definitions (e. g. point in time and frequency of archiving processes).

VII. Data protection requirements

Along with the fundamental problem of automated e-mail qualification, using server-sided archiving in companies also includes difficulties with regard to data protection requirements.

Through server-sided automated archiving of e-mails, all incoming e-mails are captured before they reach the recipient’s individual sphere of control on his workstation computer. In this case, private e-mails would also be subject to archiving.

D. Risks

The risks resulting from a failure to satisfy statutory requirements are numerous. In addition to potential legal consequences, they primarily affect image, profitability and efficiency of the company.

Material risks are e. g.:
- non-deductibility of input VAT
  • 7.
- sanctions for non-compliance with regulations
- loss of evidentiary value
- data protection violations
- increased in-house expenses
- disclosure of sensitive internal information

Non-deductibility of input VAT

As a result of inadequate or incomplete archiving of incoming invoices received by the company via e-mail in the context of transmission of electronic invoices (“e-billing”), there is a danger of losing the deductibility of input VAT.

In this context, the proper archiving of the so-called “validated electronic signature” accompanying an electronic invoice must be considered. In Germany, the “Value Added Tax Act” (Umsatzsteuergesetz, UStG) demands a validated electronic signature on electronically transmitted invoices in order for the company receiving the invoice to deduct the input VAT.

Sanctions for non-compliance with regulations

Violations of regulations may result in sanctions by fiscal authorities ranging from penalties and fines on arrears for exceptionally severe violations that can amount to EUR 250,000 (§ 146 2b AO) and may extend to an estimation of the tax basis.

Loss of evidentiary value

Inadequate archiving may result in a loss of evidentiary value and thus result in an indefinite financial risk.

This is particularly possible if the archived e-mails do not remain unaltered and in their original format, as required. For example, business correspondence between customers and suppliers may represent essential evidence in litigation where the content and sequence of events are material.

Data protection violations

Violations of data protection requirements are especially possible as a result of insufficient physical and logical access restrictions to material data if access to or even manipulations of personal data are thereby possible.

A violation of data protection regulations may result in substantial monetary fines ranging, in the worst case, from EUR 50,000 as a consequence of violations of procedural rules to EUR 300,000 for violations of material data protection regulations.

Increased in-house expenses

The in-house expense of providing prompt and free data access to fiscal authorities must also be considered.

For example, a subsequent sorting of a progressive increase of e-mail data may result in a considerable operating expense.

In contrast, proper filing normally results in
  • 8.
significant efficiency advantages. In addition, the implementation of a dedicated e-mail archiving solution avoids unnecessary data redundancy and excess use of resources (e. g. storage capacity).

Disclosure of sensitive internal information

The fiscal authorities are not subject to any restrictions regarding exploitation of information that has accidentally come into their possession or which exceeds the object of the audit.

Failed or flawed separation of tax-relevant e-mails from non tax-relevant e-mails may lead to a situation where, as a result of the disclosure of internal information which was not an object of the audit, fiscal authorities could acquire facts that might be to the company’s disadvantage. This represents an avoidable risk.
  • 9.
E. GFI MailArchiver 6 Checklist

System Design

Selection of a suitable archive storage

Does the selected archive storage comply with the requirements of unalterable and traceable archiving?

It is essential that the archive storage allows for comprehensive logging of all saving processes and subsequent data access (including the database level).

The database system MS SQL Server serves as a suitable data storage.

Subject to appropriately configured access rights the above referenced requirements are fulfilled by complete storage of all data within the database to enable GDPdU-compliant storage.

Security of data connection

Does the archiving of e-mails occur via network connections from source systems that are not located within the user’s sphere of confidence (e. g. from remote MS Exchange Servers)?

In this case unalterability within the transmission path has to be ensured by encryption protected file transfer.

For this purpose it is necessary to select the transmission protocol IMAP with secure sockets layer (SSL) in GFI MailArchiver to connect with the source system.

Parameterisation and interfaces

In order to allow for a configuration of the archiving solution that complies with the requirements of GDPdU, the following mandatory preparations on the side of the source system (MS Exchange Server) are to be made prior to the initial operation:
- Definition and installation of the journaling mailbox that is to contain all e-mails designated for archiving of the corresponding server
- Activation of envelope journaling in MS Exchange Server to ensure the completeness of the scope of archiving, comprising all possible e-mail recipients including blind carbon copy recipients (BCC). This feature is already activated by default when using MS Exchange Server 2007.
- Activation of the message tracking function to allow for subsequent verification of complete archiving

In addition to the mandatory preparations for GDPdU-compliant archiving, the following recommendations should be considered:

Is it ensured that the scope of e-mails designated for archival storage is not limited by option settings of GFI MailArchiver?

With regard to completeness aspects the following settings are to be made:
- Capture of e-mails in all possible directions (incoming, outgoing and internal)
- No exclusions based on blacklisted user
  • 10.
  accounts of the Windows domain or specific e-mail addresses
- No limitations on the number of users based on whitelisted user accounts of the Windows domain or specific e-mail addresses. Exceptions result from user accounts or e-mail addresses where tax relevance of the e-mail traffic can definitely be excluded.

Is it ensured that no archiving policies are installed which allow for a storage time shorter than the statutory retention period (e. g. retention policies for immediate deletion based on predefined features)?

Processes and organisation

Does the written definition serve as a suitable method to allow a competent third party to comprehend content, structure and process flow of the procedures within an appropriate timeframe?

Are all responsibilities for the particular process steps (functional and IT related operations) for all archiving components fully defined?

Is it ensured that users are instructed on how to operate the archiving system and/or is a user manual placed at their disposal?

Is it ensured that the system administration is instructed on how to operate the archiving system and/or is an administration manual placed at its disposal?

Are maintenance and operations control tasks of the archiving system properly defined and contained in a superordinated concept of IT related controlled operations?

Are all verification tasks properly defined?

Does the configured authorisation concept comply with the predetermined competencies and is the procedure adequately documented?

Capture

Are all procedures and techniques that allow for verifiable complete and correct capture and archival storage of e-mails properly defined and documented?

GFI MailArchiver does not support the logging of e-mails transferred via standard interface from MS Exchange Server. Therefore the verification of loss-free and thus complete data transfer, according to the requirements of GDPdU, must be provided by the logging protocol generated by the particular source system (MS Exchange Server).

If necessary, it is possible to verify complete archiving by comparison of the logging protocols (which are generated by the message tracking function of MS Exchange Server and show the processed e-mails) with the subsequently stored e-mails in the archive on the basis of common identifying features.
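The comparison just described (message tracking log versus archive contents, keyed on a common identifying feature; the "Storage and administration" part of the checklist names the message-id as the preferred key) can be scripted. The following is an added example written for readers of this white paper, not code from GFI or from the paper itself. It reads a constructed excerpt of an MS Exchange message tracking log, de-duplicates it by Message-ID, compares it with a constructed archive index, and reports what the archive is missing. The column names of the log excerpt and the layout of the archive index are assumptions; a real tracking log carries many more columns, which the CSV reader simply ignores.

```python
"""Reconcile an MS Exchange message tracking log with an archive index by
Message-ID, the completeness check the checklist asks for.  Added example
for this white paper; not GFI's code.  The log excerpt, its column names and
the archive index below are constructed for illustration."""
import csv
import io
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Constructed message tracking log excerpt.  A real Exchange log has many
# more columns; the reconciliation only uses the headers referenced below.
TRACKING_LOG = """\
date-time,event-id,message-id,sender-address,recipient-address
2009-08-03T08:15:02Z,RECEIVE,<inv-1001@supplier.example>,ap@supplier.example,buyer@corp.example
2009-08-03T08:15:03Z,DELIVER,<inv-1001@supplier.example>,ap@supplier.example,buyer@corp.example
2009-08-03T09:02:41Z,RECEIVE,<order-77@corp.example>,buyer@corp.example,sales@supplier.example
2009-08-03T09:02:41Z,SEND,<order-77@corp.example>,buyer@corp.example,sales@supplier.example
2009-08-03T11:47:10Z,RECEIVE,<memo-5@corp.example>,ceo@corp.example,all@corp.example
2009-08-03T11:47:11Z,DELIVER,<memo-5@corp.example>,ceo@corp.example,all@corp.example
"""

# Constructed archive index, i.e. what the archive reports as stored.
# Brackets and letter case vary on purpose: the comparison must tolerate that.
ARCHIVE_INDEX = [
    {"message_id": "<INV-1001@supplier.example>", "archive_ref": 1},
    {"message_id": "order-77@corp.example", "archive_ref": 2},
    {"message_id": "<stray-9@elsewhere.example>", "archive_ref": 3},
]


def normalize_message_id(raw: str) -> str:
    """Canonical form for matching: trimmed, without angle brackets, lower-cased.
    Message-IDs are opaque and the local part is case-sensitive in theory;
    lower-casing is a pragmatic choice for a reconciliation key."""
    return raw.strip().strip("<>").strip().lower()


def message_ids_from_tracking_log(text: str,
                                  events: Optional[Iterable[str]] = None) -> Set[str]:
    """Collect distinct Message-IDs from the log.  Every message produces several
    events (RECEIVE, SEND, DELIVER, ...), so the set de-duplicates them.  Pass
    `events` to restrict the scan to particular event-ids, e.g. ("RECEIVE",)."""
    wanted = set(events) if events is not None else None
    ids = set()
    for row in csv.DictReader(io.StringIO(text)):
        if wanted is not None and row["event-id"] not in wanted:
            continue
        mid = row.get("message-id", "")
        if mid:
            ids.add(normalize_message_id(mid))
    return ids


@dataclass
class Reconciliation:
    tracked: Set[str] = field(default_factory=set)   # seen by Exchange
    archived: Set[str] = field(default_factory=set)  # stored in the archive

    @property
    def missing_from_archive(self) -> Set[str]:
        """Tracked by the source system but never archived: the audit finding."""
        return self.tracked - self.archived

    @property
    def unexpected_in_archive(self) -> Set[str]:
        """Archived but absent from this log: to be explained (other server, other period)."""
        return self.archived - self.tracked

    @property
    def complete(self) -> bool:
        return not self.missing_from_archive


def reconcile(log_text: str, archive_index) -> Reconciliation:
    return Reconciliation(
        tracked=message_ids_from_tracking_log(log_text),
        archived={normalize_message_id(e["message_id"]) for e in archive_index},
    )


if __name__ == "__main__":
    result = reconcile(TRACKING_LOG, ARCHIVE_INDEX)
    print("complete:", result.complete)
    for mid in sorted(result.missing_from_archive):
        print("MISSING from archive:", mid)
    for mid in sorted(result.unexpected_in_archive):
        print("not in tracking log:", mid)
```

Run per archiving period against the exported tracking logs and an export of the archive's Message-IDs. The source side of the comparison is only as trustworthy as the tracking logs themselves, which is why the checklist asks for them to be kept append-only for as long as the archived data; an empty "missing" set for every period, together with the logs it was computed from, is the evidence to keep for the auditor.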
  • 11.
Are suitable procedures in place that ensure compliance with the requirements of GDPdU with regard to the archival storage of signed and encrypted e-mails?

A subsequent editing of archived e-mails and the combined capture of e-mails with additional data sets that are not directly obtained from MS Exchange Server are not supported by GFI MailArchiver. Therefore appropriate procedures should be installed (e. g. manual keyword indexing) to allow for an assignment of signed or encrypted e-mails to their corresponding verification records or decrypted e-mails and related decryption keys.

Indexing and keyword indexing

Are the procedures for the labelling of tax-relevant archived e-mails unambiguously specified?

There are two fundamentally different options provided by GFI MailArchiver 6 on how labels can be attached to e-mails:
- Automatically through policy-based labelling at the moment of archiving by means of definable categorisation policies
- Manually through subsequent manual labelling of archived e-mails that are accessible to the user

It is advisable to refrain from a policy-based automated labelling – especially as a sole technique. An evaluation of tax relevance is usually too complex for predetermined policies to operate in a reliable manner.

In any case, such policy-based automated procedures should be accompanied by a manual verification.

Has a procedure been defined that allows for an assignment to one or multiple business transactions by means of a suitable keyword indexing in GFI MailArchiver?

The option provided by GFI MailArchiver to individually apply labels visible to all users to e-mails that are accessible by the user allows, in addition to a labelling of tax relevance, for a direct assignment to a corresponding business transaction.

This can be implemented by applying a label (e. g. keyword index) that contains identifying features allowing for a retrieval of corresponding content in other systems.

Has a procedure been defined that allows for a distinct assignment of the archived e-mails in a separate accounting system?

In this regard, the identifier (“Identification Code”) that enables distinct identification of archived e-mails within GFI MailArchiver is important.

Assimilated in an external system (e. g. ERP system), this identifier can serve as a so-called “foreign key” to establish a logical reference to
  • 12. the related e-mails and, in this way, an Addition of the second parameter, the assignment to the business transaction. Connection-ID (“connectionId“): http://localhost/mailarchiver/mailview- The “Identification Code“ accessible at the .aspx?id=-2147483647&connectionId- application level provides valuable help in =b44d3270-8bdb-43d2-8fa2- enabling technical usage of such a foreign 67eb6ead54a9 key reference in a networked system environment. Entering the URL results in a view of the specific e-mail in the archive: Subject to appropriately set up access http://localhost/mailarchiver/mailview.aspx?id= rights, the archived e-mails can be directly -2147483647&connectionId=b44d3270-8bdb- addressed out of external systems via 43d2-8fa2-67eb6ead54a9 hyperlink. However, for this to function, it is necessary that the referencing system Storage and administration contain a method to generate the uniform Is it ensured that the selected archive storage resource locator (URL) autonomously. provides the forseeably required storage The utilisation of GFI MailArchiver’s capacity and that this is monitored regularly? identifier “Identification Code“ to serve as a referencing linkage out of an external Is it ensured that subsequent verifiability of software system is possible using the complete archiving based on a comparison of therein contained parameters “id“ and e-mails transferred by MS Exchange and “connectionId“. e-mails archived by GFI MailArchiver Such a URL can be composed as follows: (preferably by means of their message-id) is possible? Addressing the user interface of GFI MailArchiver to view the e-mail: Accordingly, it is necessary to assure that the http://localhost/mailarchiver/mailview- MS Exchange Server logs which enable the .aspx? comparison on the source side be stored loss- free (e. g. no overwriting, only append mode) Addition of the (“id“) representing the as long as the archived data itself. 
active archive store of GFI MailArchiver: Readability and retrieval http://localhost/mailarchiver/mailview- Is a tax auditor user account set up that .aspx?id=-2147483647 enables access to all tax-relevant e-mails? 12
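A worked example of composing and checking such a link from the side of the referencing system, added here and not taken from the paper or from GFI MailArchiver's own code. It assumes only what the paper shows: the page /mailarchiver/mailview.aspx and the two query parameters "id" (archive store) and "connectionId" (GUID of the archived e-mail). The signed 32-bit range check on "id", the hypothetical ERP field names 'archive_store_id' and 'connection_id', and the sample record are assumptions.

```python
"""Compose and validate GFI MailArchiver "mailview" links from an external system.

Added example, not GFI's code. It assumes only what the paper shows: the page
/mailarchiver/mailview.aspx and the two query parameters "id" (archive store)
and "connectionId" (GUID identifying the archived e-mail). The int32 range
check on "id" and the field names of the ERP record are assumptions.
"""
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

MAILVIEW_PATH = "/mailarchiver/mailview.aspx"
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1  # assumption: "id" is a signed 32-bit value


def build_mailview_url(base: str, store_id: int, connection_id: str) -> str:
    """Return the mailview URL for one archived e-mail.

    Both parameters are validated before they reach the query string, so a
    malformed foreign key in the business record fails loudly instead of
    producing a link that silently opens nothing or the wrong message.
    """
    if isinstance(store_id, bool) or not isinstance(store_id, int):
        raise TypeError(f"store id must be an int, got {store_id!r}")
    if not INT32_MIN <= store_id <= INT32_MAX:
        raise ValueError(f"store id out of range: {store_id}")
    # uuid.UUID() raises ValueError for anything that is not a well-formed GUID;
    # str() normalises it to the lowercase hyphenated form used in the paper.
    guid = str(uuid.UUID(connection_id))
    query = urlencode({"id": store_id, "connectionId": guid})
    return f"{base.rstrip('/')}{MAILVIEW_PATH}?{query}"


def parse_mailview_url(url: str, expected_host: str) -> tuple[int, str]:
    """Extract (store_id, connection_id) from a mailview link.

    A link stored in a business record is only honoured when it points at the
    expected archive host and page and carries exactly the two parameters,
    so a tampered or mistyped reference is rejected rather than followed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != expected_host.lower():
        raise ValueError(f"unexpected host: {parts.netloc!r}")
    if parts.path.lower() != MAILVIEW_PATH:
        raise ValueError(f"unexpected path: {parts.path!r}")
    qs = parse_qs(parts.query, strict_parsing=True)
    if set(qs) != {"id", "connectionId"} or any(len(v) != 1 for v in qs.values()):
        raise ValueError("query must carry exactly one id and one connectionId")
    store_id = int(qs["id"][0])
    if not INT32_MIN <= store_id <= INT32_MAX:
        raise ValueError(f"store id out of range: {store_id}")
    return store_id, str(uuid.UUID(qs["connectionId"][0]))


def link_business_record(record: dict, base: str) -> dict:
    """Attach a mailview link to an ERP record that holds the foreign key.

    'archive_store_id' and 'connection_id' are hypothetical field names for the
    two parts of the foreign key the external system has to store.
    """
    linked = dict(record)
    linked["mailview_url"] = build_mailview_url(
        base, record["archive_store_id"], record["connection_id"])
    return linked


if __name__ == "__main__":
    # Constructed sample record: a purchase order referencing one archived e-mail.
    record = {"document": "PO-4711",
              "archive_store_id": -2147483647,
              "connection_id": "b44d3270-8bdb-43d2-8fa2-67eb6ead54a9"}
    linked = link_business_record(record, "http://localhost")
    print(linked["mailview_url"])
    print(parse_mailview_url(linked["mailview_url"], "localhost"))
```

The external system only has to persist the pair (archive store id, connectionId) per business document; the link is generated on demand, and the parser refuses links whose host or page differs from the archive the organisation actually operates.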
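An added example of the comparison asked for under "Storage and administration" (not part of the paper and not GFI code): it reconciles the Message-IDs found in a message-tracking log against the Message-IDs the archive reports and lists what is missing on either side. The log lines are constructed and follow a simplified version of the Exchange message-tracking CSV layout (a "#Fields:" header naming the columns); which event type represents "transferred by MS Exchange" (RECEIVE here) and how the archived Message-IDs are exported from GFI MailArchiver are assumptions.

```python
"""Reconcile MS Exchange message-tracking entries against the archive by Message-ID.

Added example, not GFI's code. The log below is constructed; it follows a
simplified version of the Exchange message-tracking CSV layout (a "#Fields:"
header naming the columns, one event per line). Only the "event-id" and
"message-id" columns are used, so the column order of a real installation does
not matter as long as the header names them. The archive side is a constructed
list of Message-IDs; how they are exported from GFI MailArchiver is assumed.
"""
import csv
from dataclasses import dataclass

TRACKING_LOG = """\
#Fields: date-time,event-id,message-id,sender-address,recipient-address,message-subject
2009-08-03T08:12:01.000Z,RECEIVE,<a1@mail.example.com>,buyer@example.com,vendor@partner.example,Order 4711
2009-08-03T08:12:02.000Z,SEND,<a1@mail.example.com>,buyer@example.com,vendor@partner.example,Order 4711
2009-08-03T09:40:17.000Z,RECEIVE,<b2@partner.example>,vendor@partner.example,buyer@example.com,Invoice 2009-118
2009-08-03T09:40:18.000Z,DELIVER,<b2@partner.example>,vendor@partner.example,buyer@example.com,Invoice 2009-118
2009-08-03T10:05:44.000Z,RECEIVE,<c3@partner.example>,vendor@partner.example,buyer@example.com,Delivery note
2009-08-04T07:00:00.000Z,RECEIVE,<a1@mail.example.com>,buyer@example.com,vendor@partner.example,Order 4711
"""

# Constructed: Message-IDs the archive reports as stored (one with stray
# whitespace and without angle brackets, which normalisation has to absorb).
ARCHIVED_MESSAGE_IDS = [
    "<a1@mail.example.com>",
    "b2@partner.example ",
    "<zz9@unknown.example>",  # archived but never seen entering Exchange
]

# Assumption: every message entering Exchange produces one RECEIVE event; that
# is the population the archive has to account for. SEND/DELIVER are later
# events for the same Message-ID and would only duplicate it.
ACCOUNTED_EVENTS = frozenset({"RECEIVE"})


def normalise_message_id(raw: str) -> str:
    """Strip whitespace and angle brackets; keep case (the local part is case-sensitive)."""
    return raw.strip().strip("<>").strip()


def message_ids_from_tracking_log(text: str, events=ACCOUNTED_EVENTS) -> set:
    """Return the set of Message-IDs carried by the accounted events of a tracking log."""
    fields = None
    ids = set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue  # blank line, other comment, or data before any header
        row = dict(zip(fields, next(csv.reader([line]))))
        if row.get("event-id") in events and row.get("message-id"):
            ids.add(normalise_message_id(row["message-id"]))
    return ids


@dataclass(frozen=True)
class Reconciliation:
    expected: frozenset  # Message-IDs Exchange saw entering the system
    archived: frozenset  # Message-IDs the archive holds

    @property
    def missing_from_archive(self) -> frozenset:
        return self.expected - self.archived

    @property
    def unexplained_in_archive(self) -> frozenset:
        return self.archived - self.expected

    @property
    def complete(self) -> bool:
        return not self.missing_from_archive


def reconcile(log_text: str, archived_ids) -> Reconciliation:
    """Compare the source-side population (tracking log) against the archive."""
    expected = frozenset(message_ids_from_tracking_log(log_text))
    archived = frozenset(normalise_message_id(m) for m in archived_ids)
    return Reconciliation(expected, archived)


if __name__ == "__main__":
    result = reconcile(TRACKING_LOG, ARCHIVED_MESSAGE_IDS)
    print("archive complete:", result.complete)
    for mid in sorted(result.missing_from_archive):
        print("MISSING from archive:", mid)
    for mid in sorted(result.unexplained_in_archive):
        print("in archive but not in tracking log:", mid)
```

Run against the retained tracking logs, the check gives a concrete reason for the requirement stated above that those logs be kept append-only for as long as the archive: once a log file is overwritten, the source-side population can no longer be re-established and a gap such as the missing Message-ID in this sample becomes undetectable.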
As GFI MailArchiver does not support or allow for restricted access based on labels, it is advisable to install an organisational procedure for labelling tax relevance to ensure separation of data within the archive prior to a tax audit (e.g. systematic designation of tax relevance using the manual method for individual labelling).

In a further step, an export based on such labels followed by a subsequent reimport into a dedicated archive store can be conducted in preparation of a tax audit. In this way a tax auditor is granted comprehensive access to exclusively tax-relevant e-mails based on labels.

Retention and deletion

Is it ensured that no retention policies are defined that cause a deletion of archived e-mails prior to expiration of the statutory retention period?

Some tax-relevant e-mails may, in certain cases, contain information that requires a retention period of ten years. Therefore it is advisable to refrain from a policy-based determination of the retention period by means of the retention policies of GFI MailArchiver to the extent that they do not correspond with the longest statutory minimum period for retention.

Software security

Is there an authorisation concept that allows for a determination of the required separation of functions and the assignment of access rights?

Are adequate access controls available at the following access levels:
  - operating system: MS Windows including Active Directory, web server and MS Exchange Server
  - database system: MS SQL Server
  - archiving software: GFI MailArchiver 6

Process documentation

Are all settings regarding the parameterisation of software and interfaces properly documented?

Are all interfaces between the particular components of the archiving solution (e.g. designation, source/destination system, interface content/type, matching) documented in a comprehensible manner?

Are the interfaces between the archiving solution and other software systems of the company (e.g. ERP system or financial accounting system) with regard to referencing business transactions documented in a comprehensible manner?

Are operating instructions for users available that allow for proper performance of their activities, including the manual controls and matching provided by the procedure (operational documentation)?

Is a description of the applied components available that illustrates the technical architecture of the archiving solution and how the operational requirements are realised (technical system documentation)?

Are operating instructions for IT personnel available that allow for proper performance of controlled operation (e.g. backup and restoration manual)?

Is it ensured that the documentation of all effective procedures is archived as a document subject to retention?

Implementation and change

Is it ensured that the compliance and security of the applied systems and software are subject to functional and technical test procedures prior to the initial operation of the archiving solution?

Is a test procedure defined and documented, and do the test cases allow for a verification of the requirements regarding compliance and security?

Is a release procedure defined and documented that contains rules on release competencies, and are release approvals for all components of the archiving solution available?

Is it ensured that changes to the e-mail archiving solution are only applied subject to an orderly procedure (change management)?

IT operations

Are the IT operations (controlled and emergency operations) properly defined in organisational instructions (e.g. tasks and authority of administrators, rules for change management and the administration of storage media)?

Has an emergency concept been prepared for a possible failure of the archiving solution (e.g. disaster recovery and contingency plan)?

Are suitable data backup and data backup safekeeping procedures defined, and are regular verification tests scheduled concerning effective data recovery?

Outsourcing

When engaging an external service provider to operate the archiving solution (outsourcing), is it ensured that the requirements regarding compliance and security are guaranteed by the service provider? Appropriate contractual provisions and service level agreements are required.