I have several questions regarding IT requirements and other topics. Unfortunately I could not find the answers in the material and trainings. I really appreciate if someone could help out here 🙂 Thank you!
Apologies for the tardy answer it took me some time to gather all responses. I answered as best as I could.
What is SIGNAVIO's information security concept for secure operation of the solution and how do they regularly update it? Please provide documentation for it.
Signavio is ISO 27001 certified. We have implemented a comprehensive information security management system (ISMS) based on international standards. Customers can have confidence that Signavio takes information security seriously.
The SAP Signavio Process Manager (SPM) gateway plays a crucial role in guaranteeing robust security for external communication within the network. It upholds various security facets, including:
Network Security: Through the implementation of protected routes and authenticated headers, the SPM gateway ensures that all communication originating from outside the network is subject to rigorous authentication, safeguarding against unauthorized access.
Communication Channel Security: To fortify communication channel security, the SPM gateway employs HTTPS request protection. This cryptographic protocol not only encrypts data exchanged between clients and the server but also authenticates the parties involved, ensuring secure and confidential data transmission.
In addition to these security measures, Signavio's suite of products, including SAP Signavio Process Governance and SAP Signavio Process Manager, goes a step further to protect sensitive data. Notably, these applications have the capability to store sensitive information, such as passwords, in an encrypted format. This encryption process involves the use of a dedicated secret key that is explicitly generated for the application, providing a robust layer of security for confidential data storage. For comprehensive insights into data storage security, we recommend referring to the "Data Storage Security" section for more detailed information on Signavio's approach to safeguarding sensitive information.
Here are some concepts you can use that will strengthen the security of your operation:
Manage Access Rights: Effective management of access rights is pivotal for maintaining a secure environment. We highly recommend creating user groups with access rights tailored to your organizational needs, as elaborated in the "User groups" section. This approach ensures that permissions align with your specific requirements, promoting controlled access. It's essential to note that if users are not initially assigned to any group, they inherit extensive privileges, granting them the ability to read, write, delete, or publish within all folders and models located in the Shared Documents folder. Therefore, assigning users to appropriate groups should be a fundamental part of your access control strategy. Additionally, granting access rights to a folder extends access to all subfolders and diagrams contained within it. This hierarchical permission structure simplifies access management while preserving security.
Define Access Rights: Defining access rights is a crucial aspect of ensuring that users can only perform actions that align with their roles and responsibilities. This granular control not only safeguards sensitive information but also maintains the integrity of your workspace.
Set Up IP Address Filtering: Implementing an IP address filter is a valuable security measure. It enables you to establish a list of trusted IP addresses that are permitted to access SAP Signavio Products. By limiting access to authorized IP addresses, you enhance security by reducing the attack surface and potential threats.
Define a Password Policy: Enforcing a robust password policy is a vital component of security. This policy ensures that secure passwords are used, mitigating access security issues even when multiple users have access to your workspace. A well-defined password policy is an essential line of defense against unauthorized access.
Trusted Domains: For users looking to embed SAP Signavio products in iframes using trusted domains, two options are available: Utilize one of the public trusted domains, which provides a secure and reliable means of embedding. Alternatively, you can add workspace-specific trusted domains, granting you greater control over the embedding process. This customization ensures that embedding is restricted to domains you explicitly trust, bolstering security. Incorporating these access management and security measures into your SAP Signavio setup contributes significantly to safeguarding your data and operations, promoting a secure and controlled environment for your organization.
What is SIGNAVIO's concept for protection of PII (personally identifiable information) data and how do they update it? Please provide documentation for technical and organizational measures.
In Signavio we have created this Privacy Statement to demonstrate our firm commitment to the individual’s right to data protection and privacy. It outlines how we handle information that can be used to directly or indirectly identify an individual “Personal Data”.
We can design our Data Extraction and Transformation setup to align our management of PII along the guidelines of GDPR.
Does SIGNAVIO do security audits?
You can use the Security Audit Log to record changes to user data records or user removal. You can then access this information for evaluation in the form of an audit analysis report. The Security Audit Log provides for long-term data access. Currently there is no direct access to logs, it needs to be requested through Customer Support. Please contact our SAP Signavio service experts from the SAP for Me portal.
In which country does SIGNAVIO host the data?
The country where your data is located depends on where the client is located. Secure servers are located in Germany, Australia, and the USA. You are free to choose in which one of these countries you wish to store your data. SAP Signavio is ISO 27001 certified.
SAP only stores your Personal Data for as long as it is required:
SAP may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by SAP to assert or defend itself against legal claims. SAP will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled. For further information please refer to Signavio Privacy.
Where/Who is SIGNAVIO's main contact for Information Security, IT-Security or Cybersecurity?
Does SIGNAVIO ensure that the customer will remain the owner of the data?
Signavio is ISO 27001 certified, which focuses on establishing and maintaining an effective information security management system (ISMS) within an organization. Through these information security controls and processes, Signavio meets its data protection obligations and ensures the confidentiality, integrity, and availability of data. Ownership of data typically hinges on the terms and conditions outlined in the contract or service agreement. To get a comprehensive answer regarding data ownership, I would suggest reviewing Signavio's terms of service in your contract.
In case the contract may be discontinued at a certain point of time - how does SIGNAVIO hand back data to customers?
The standard retention time is 30 days and within these the customer can access the data (currently on request, soon probably the whole 30 days), and after an additional 30 days the data is deleted. There is no handover (maybe internal). As there is no export for PI, in the end there is also simply no way at all to export the data.
What happens to the customer’s data, configuration, dashboards etc. created when ending the contract?
At contract end the customer's tenant is first deactivated and then deleted.
What needs to be considered when going further with process mining? What transfer would afterwards be possible in an own process mining environment and in which timeframe?
It sounds like you're interested in taking your process mining efforts further. In order to provide you with the best guidance and insights, we would need a more detailed conversation about your specific use case and objectives. This will allow us to understand your unique needs, challenges, and goals. Once we have a clear understanding of your requirements, we can discuss what kind of transfer or migration might be possible to your own process mining environment. This could include transferring data, models, or configurations, depending on what aligns with your objectives. The timeframe for any transfer or implementation would depend on the complexity of your use case and the scope of the project.
Is it possible to have direct access (with 5-10 own licenses) to the process mining solutions? How is the access handled?
You need another license to be able to access the workspace. It's not possible to have additional internal licenses at a customer's workspace; if you need a license to work, it needs to come out of the customer's amount.
In case you would like to review a part of the answer in detail, do not hesitate to contact us via firstname.lastname@example.org