By Soujanya Madhurapantula.
Best Practices for Automating Electronic Export Control
So at this point, I’m sure you can appreciate the challenges that an end-to-end export control solution has to handle. Not only must it effectively and carefully track shipments of goods, but also deal with all the technical documents that come with the product throughout the lifecycle of collaboration that you have with the customer or supplier. The challenge with technical data is that it exists in so many different forms and you can get them from so many different points of access, whether it’s in SAP itself, or within your extranet like SharePoint or cFolders or just plain old email.
There are a couple of best-practice recommendations that we like to share with our customers:
1. Implement a platform that will help you manage your export authorizations
What a lot of our customers end up doing today when they’ve won a new project that is export controlled is to set up a new instance or do some custom ABAP programming in order to control access through certain transactions. All of this takes a lot of energy, effort, and months to ramp up. What you want is a platform where you can easily define your export authorisation constructs. These constructs could be, “what is a US person” for example, or “what is technical data” and by having these constructs pre-defined you can then very easily combine them to form meaningful policies and authorisations. The result are simple and consolidated policies like “only individuals who are classified as US persons part of project X may have access to Project X’s technical data”
2. Using a process and framework, classify your data and users (including suppliers, contractors and whoever else has access to your systems)
This is a very important piece because unless you can easily define which documents, SAP objects, and other information is in fact under export control, you cannot effectively control access to them. There are different ways to do this. If you have been using GTS to classify your products and materials, you can inherit or import these classifications from GTS and extend them to your data. You can also classify the data by adding attributes that are important to you (based on export license numbers, or your own IP security parameters), and you can do association to propagate these classifications across all the different associated documents.
In addition to content classification, don’t forget that the information about your users is also very important. Their location and nationality are key attributes in determining if an export license is required and whether an access is to be granted. Other things that might be driven by your own IP security perspective, such as project designation, are also important.
3. Put in place access control mechanisms (we recommend attribute-based access control)
What complements the previous two is the ability to use this information to control access. If you have a policy that says “only US persons in US locations can access ITAR technical data,” there are at least 3 decision attributes here. One is that the content is classified as technical data, the second is the definition of a US person, and the third is the definition of a US location. So even in this colloquially-English policy example, there are 3 decision attributes. What you want to be able to do is to put in place an access control mechanism like ABAC to make dynamic decisions at the point of access based on these attributes. Remember, what ABAC allows you to do, as we’ve learned in previous posts is to control data-level access into SAP either at the material level, documents, BOMs, routings or other transactions like into your cFolders.
4. Employ policy-based audit and control.
The last thing we recommend is proper record-keeping and reporting capabilities so that when it comes time to report, the data already exists in one place.
There are a lot of reporting and compliance requirements when it comes to export control and it is important that you have policies in place that automate what kind of information you want to log. For example, we should log every time a user tries to access technical data, whether it is approved or denied.
Not only should you have in place a trade management system like GTS, but don’t forget that in order for you to effectively implement end-to-end control, you also need to have effective technical data control systems to accompany GTS.
Soujanya is the Product Manager for the Entitlement Manager for Enterprise Applications at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 business around partner collaboration, export regulations, IP and Data security.