Case 1: Kraft Foods Inc.: Protecting Employee Data
Kraft Foods Inc. is the largest food and beverage company in North America and the second largest in the world. It employs a workforce of about 98,000 people: approximately 45,000 in the United States and 53,000 in sixty-five other countries, including fourteen European Union (EU) member states (Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, The Netherlands, Portugal, Spain, Sweden, and the United Kingdom).
When the EU Directive on the Protection of Personal Data (Directive 95/46/EC) became effective in 1998, Kraft had to revise the way it collected, processed, transmitted, and stored employee data. The Unified Personnel and Payroll System (UPPS) was improved to better protect North American human resources (HR) transactions, and the international HR systems were converted to SAP HR. A Data Transfer Agreement was legally established between Kraft and its operating entities in the EU member states, specifying restrictions on the transfer and use of personal data and the data protection principles that had to be followed. The position of Chief Information Security Officer was created, and stronger data security policies and practices were developed and implemented throughout the company.
1. a) The EU Directive requires “appropriate technical and organizational controls” to be in place to protect the confidentiality and integrity of personal data. How can an organization determine whether its security controls are appropriate?
   b) What user access controls are in place for the UPPS and SAP HR systems?