Five steps to implementing an effective SAP cyber security program

Establishing an effective SAP cyber security program ties key activities to clearly defined business risks specific to your organization.

The high-level steps to do this are:

1. Evaluate the organization’s capabilities and identify gaps
2. Understand the SAP landscape and the role SAP plays
3. Identify risks within the SAP environment
4. Define and deploy a cyber program to address identified SAP risks
5. Measure progress and manage risks on an on-going basis

Step 1 – Evaluate capabilities and identify gaps

Understanding your business drivers, and what you do and don’t do for information security today, is the first step in establishing a value-add SAP cyber security program. Common business drivers include shareholder value, customer loyalty, brand protection, legal and regulatory commitments, and innovation and agility.

•Make sure to look across people, processes and technology
•SAP-specific evaluation areas include the following:

-Information privacy and protection
-Risk, compliance and policy management
-Security architecture and operations
-Identity and access management

Successful evaluations use a well-defined set of criteria and a scoring system to measure existing capabilities. A prescriptive set of criteria across the people, process and technology domains should be defined for each of the nine security services.

  • People – The ability of the people that support the information security program to successfully execute the requisite activities
  • Process – The ability of the operational processes that comprise the information security program to meet the anticipated expectations of stakeholders
  • Technology – The ability of the technology infrastructure to support the operational processes that comprise the information security program

Step 2 – Understand the SAP landscape and what SAP is used for

The second step is to map out your SAP landscape to understand the assets within it:

•It is important to understand your SAP assets so that you know the “playing field”
•Often, “forgotten” SAP systems and SAP clients are discovered during this step
•Make sure to document the:

-Connections between systems
-Type of each system (e.g. development, staging, production)
-Business processes and information that each system processes or stores

Then prioritize your SAP systems based on the role they play within your business processes and organization:

•Based on your company, industry and how your SAP systems are used within your organization, you will be able to understand and prioritize the different SAP systems in the context of your business
•Next you’ll be able to gauge the potential economic impact to your organization if an SAP system were to be breached
•Look at how any gaps in your compliance structure or policies could impact your organization

Step 3 – Identify the business risks within SAP

The third step is to understand the business risks that exist within your SAP systems.

•Measure the security posture and compliance status of your SAP systems
•Evaluate what measures you have to identify a negative change in security and compliance for these business critical systems
•Identify the SLAs to restore these systems to an acceptable level of security and compliance
•Quantify exposure to the identified risks

Common risks within SAP include:

  • Loss of critical assets, such as sensitive data and intellectual property
  • Stoppage of operations

Step 4 – Define and deploy a program to address identified SAP risks

The fourth step is to define a program and the key activities needed to monitor and manage the identified risks within SAP. Five key considerations for an SAP-specific cyber security program include:

  • Vulnerability management
  • Secure system lifecycle management
  • Identity and access management
  • Controls
  • Event and log monitoring

Vulnerability management

Vulnerability management includes scanning, reporting on and managing potential SAP application vulnerabilities, appropriate patch levels and misconfiguration.

•Start by performing an initial scan of your SAP environment to establish a baseline for your SAP vulnerability management program.

-Make sure to review identified vulnerabilities for applicability and risk to help prioritize remediation efforts. The review is also important because some vulnerabilities may need to be accepted rather than remediated.

•Vulnerability management is an on-going activity. A recurring process should be put in place to identify, review and take action on vulnerabilities.

-Tools such as Onapsis Secure Platform help simplify and automate on-going SAP vulnerability management
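As an added example (not code from the original post or from any vendor tool), the recurring review loop described above in Python: it diffs the latest scan against the baseline, sets aside findings whose risk was accepted during review, ranks what is left by scanner severity weighted with the system's business role from step 2, and reports the kind of KPIs step 5 asks for. The system inventory, finding ids, severities and the accepted-risk entry are all constructed; no real scanner output format is assumed.

```python
"""Recurring SAP vulnerability review: baseline diff, accepted risks and
prioritisation by system role. Added example; all data below is constructed."""
from dataclasses import dataclass

# Step 2 inventory: system type and business priority (1 = most critical).
SYSTEMS = {
    "PRD": {"type": "production", "priority": 1},
    "QAS": {"type": "staging", "priority": 2},
    "DEV": {"type": "development", "priority": 3},
}
# Risks accepted during review: (system, finding id) -> justification.
ACCEPTED = {("DEV", "weak_password_policy"): "dev only, holds no business data"}

@dataclass(frozen=True)
class Finding:
    system: str
    finding_id: str
    severity: int  # 1 (low) .. 5 (critical), as reported by the scanner

def score(f):
    """Scanner severity weighted by how critical the affected system is."""
    weight = {1: 3, 2: 2, 3: 1}[SYSTEMS[f.system]["priority"]]
    return f.severity * weight

def review(baseline, current):
    """Diff the latest scan against the baseline and build the action list."""
    accepted = {f for f in current if (f.system, f.finding_id) in ACCEPTED}
    return {
        "new": current - baseline,
        "fixed": baseline - current,
        "accepted": accepted,
        "open": sorted(current - accepted, key=score, reverse=True),
    }

def kpis(result):
    """Step 5 KPIs that tie open findings back to the production risk."""
    prod = [f for f in result["open"] if SYSTEMS[f.system]["type"] == "production"]
    return {
        "open": len(result["open"]),
        "open_production": len(prod),
        "open_critical_production": sum(1 for f in prod if f.severity >= 4),
        "fixed_since_baseline": len(result["fixed"]),
    }

# Constructed scan results: the baseline scan and the latest recurring scan.
BASELINE = {Finding("PRD", "outdated_kernel", 4), Finding("QAS", "outdated_kernel", 4),
            Finding("DEV", "weak_password_policy", 2)}
LATEST = {Finding("PRD", "outdated_kernel", 4), Finding("PRD", "gateway_acl_missing", 5),
          Finding("DEV", "weak_password_policy", 2)}
```

Calling `kpis(review(BASELINE, LATEST))` gives the numbers a non-technical audience can track from one scan to the next.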

Identity and access management

An effective SAP identity & access management program includes the following:

  1. An understanding of your critical assets within SAP and how they are accessed.
  2. A single set of processes, roles and tools to support SAP access needs across locations and business units.
  3. An effective role design that considers the “who”, “what” and “where” of user access.
  4. GRC tools to proactively monitor and manage business risks.
  5. Self service workflow tools to streamline the user access request process.
  6. Regular re-certification of user access to ensure entitlements are appropriate and risks are managed.

Controls

Identify the SAP key controls needed to manage the identified business risks.

Make sure to determine the relevant security frameworks (e.g., NIST or SANS) so that controls and risks can be aligned to them.

•Leverage your existing SAP controls whenever possible. Many of the key controls performed today support leading security frameworks.
•Analytics can be leveraged to simplify key control performance while increasing frequency of control execution.

Event monitoring

Event & log monitoring is used to identify threats and anomalies within the SAP environment.

  • SAP logs a significant amount of data related to system activities. Some example logs include the SAP audit, ICM and gateway logs.
  • The volume of log data SAP produces requires logging and monitoring policies and procedures to be specific and refined in order to deliver valuable insights and eliminate false positives.
  • Event & log monitoring is an on-going activity. A recurring process should be put in place to continuously adapt monitoring activities and to review and take actions on results.
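An added example (not from the original post) of what a refined monitoring rule looks like once policy thresholds and an approved-admin list are applied. The event lines are constructed in a simplified pipe-separated form and are not SAP's real audit log format; the sensitive-transaction list, the production system name and the admin allowlist are assumptions for the example.

```python
"""Detection rules over audit-log style SAP events. Added example; the line
format, event names and sample lines are constructed, not SAP's audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp|system|user|event|transaction"
SAMPLE_LOG = """\
2024-03-01T08:00:01|PRD|JSMITH|LOGON_FAILED|
2024-03-01T08:00:04|PRD|JSMITH|LOGON_FAILED|
2024-03-01T08:00:09|PRD|JSMITH|LOGON_FAILED|
2024-03-01T08:00:12|PRD|JSMITH|LOGON_FAILED|
2024-03-01T08:05:00|PRD|JSMITH|LOGON_OK|
2024-03-01T09:10:00|PRD|BASIS01|TX_START|AUTH_SWITCH_OBJECTS
2024-03-01T09:12:00|PRD|ADOE|TX_START|SU24
2024-03-01T09:13:00|DEV|ADOE|TX_START|SU24
2024-03-01T10:00:00|PRD|MKING|LOGON_FAILED|
"""

# Tuning knobs from the monitoring policy (constructed values).
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)
SENSITIVE_TCODES = {"AUTH_SWITCH_OBJECTS", "SU24"}  # both alter authorization checks
PRODUCTION_SYSTEMS = {"PRD"}
APPROVED_SECURITY_ADMINS = {"BASIS01"}

def parse(text):
    for line in text.splitlines():
        ts, system, user, event, tcode = line.split("|")
        yield datetime.fromisoformat(ts), system, user, event, tcode

def detect(text):
    """Return alerts as (rule, system, user) tuples, de-duplicated and sorted."""
    alerts = set()
    failures = defaultdict(list)  # (system, user) -> recent failed logon times
    for ts, system, user, event, tcode in parse(text):
        if event == "LOGON_FAILED":
            recent = failures[(system, user)]
            recent.append(ts)
            recent[:] = [t for t in recent if ts - t <= FAILED_LOGON_WINDOW]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.add(("failed_logon_burst", system, user))
        elif event == "TX_START" and tcode in SENSITIVE_TCODES:
            # The business risk is on production; approved security admins
            # are expected to run these, so they are not alerted on.
            if system in PRODUCTION_SYSTEMS and user not in APPROVED_SECURITY_ADMINS:
                alerts.add(("sensitive_tcode_production", system, user))
    return sorted(alerts)
```

The single failed logon for MKING, the approved admin's use of AUTH_SWITCH_OBJECTS and the SU24 call on the development system all fall below the policy and produce no alert.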

Secure Software Lifecycle Management

Secure Software Lifecycle Management focuses on embedding sound, on-going security principles into new SAP deployments and releases.

Step 5 – Measure progress and manage risk on an on-going basis

The final step is to establish an on-going process for monitoring and communicating progress, results and priority issues.

  • Collaborate across functional teams to define shared KPIs to monitor, measure and communicate success.
  • Tie vulnerabilities, threats and potential issues back to business risks and KPIs to make results meaningful and understandable to non-technical and executive audiences.
  • Regularly communicate results to drive action and promote a healthy security culture within your organization.

Key takeaways

  1. Tie SAP cyber security activities to key business risks and performance indicators to maximize reach and buy-in.
  2. Effective SAP cyber security programs start with a clear understanding of your business risks and SAP assets.
  3. Cyber security activities should be embedded in both on-going operations and new SAP deployments and releases.
  4. Take advantage of what you are already doing to accelerate the implementation of an SAP cyber security program.
  5. Automated tools and analytics solutions can simplify and improve the accuracy of SAP cyber security related activities.

Thoughts or questions? Feel free to leave comments below. Thanks


What is Segregation of Duties?


Segregation of Duties (SoD) is a control activity in which an activity or set of activities is divided among several people in order to reduce the risk of fraud. Segregation of Duties is built around the idea that a critical or sensitive task should be split so that it is not performed by one person alone, thus reducing the likelihood of intentional fraud. Segregation of Duties represents a key internal control that helps ensure no single person has too much control over a specific business operation. Segregation of duties is an essential component of a properly functioning internal controls environment within an organization.

There are a number of objectives Segregation of Duties (SoD) helps accomplish:

  • Improve accuracy and completeness of financial data, thus improving financial reporting for executive management
  • Satisfy increased customer and stakeholder demands for sound, reliable internal controls
  • Comply with industry regulatory requirements including the Sarbanes-Oxley legislation
  • Align the organization with common best practices
  • Give company stakeholders a level of confidence that financial statements are free from misstatement
  • Improve enterprise-wide internal controls structure
  • Mitigate the risk of intentional fraud across the enterprise

Segregation of Duties (SoD) segregates the following four general categories of duties:

  • Authorization of Operations – The process of reviewing and approving a specific operation
  • Handling of Assets – Having custody of a particular physical asset
  • Record Keeping – The ability to create and maintain records of operations and transactions
  • Reconciliation – Verifying the proper processing and recording of transactions to help provide assurance that all transactional data is authorized, recorded in a timely manner, and valid
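An added example (not part of the original post) of checking a role design against the four duty categories above: each role is mapped to the categories it grants, users are mapped to roles, and any user who reaches both sides of a conflicting pair is reported. The roles, users and the conflict matrix are constructed; which category pairs count as a conflict is a policy choice assumed here, not something the post prescribes.

```python
"""Segregation-of-duties conflict check over the four duty categories
(authorization, handling of assets, record keeping, reconciliation).
Added example; roles, users and the conflict matrix are constructed."""

AUTHORIZE, CUSTODY = "authorization", "handling_of_assets"
RECORD, RECONCILE = "record_keeping", "reconciliation"

# Constructed policy: a single person holding both sides of a pair is a conflict.
CONFLICTING_PAIRS = {
    frozenset({AUTHORIZE, CUSTODY}),
    frozenset({AUTHORIZE, RECORD}),
    frozenset({CUSTODY, RECORD}),
    frozenset({RECORD, RECONCILE}),
}

# Constructed role design: role -> duty categories the role grants.
ROLES = {
    "Z_AP_INVOICE_ENTRY": {RECORD},
    "Z_AP_PAYMENT_APPROVE": {AUTHORIZE},
    "Z_AP_PAYMENT_RUN": {CUSTODY},
    "Z_GL_RECONCILE": {RECONCILE},
    "Z_DISPLAY_ONLY": set(),
}

# Constructed user-to-role assignments.
USERS = {
    "ACLERK": {"Z_AP_INVOICE_ENTRY", "Z_DISPLAY_ONLY"},
    "BMANAGER": {"Z_AP_PAYMENT_APPROVE", "Z_GL_RECONCILE"},
    "CSUPER": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_APPROVE", "Z_AP_PAYMENT_RUN"},
}

def duties_of(user):
    """All duty categories a user reaches through any assigned role."""
    return set().union(*(ROLES[r] for r in USERS[user]))

def conflicts_for(user):
    """Conflicting duty pairs held by one user, sorted for stable output."""
    held = duties_of(user)
    return sorted(tuple(sorted(p)) for p in CONFLICTING_PAIRS if p <= held)

def sod_report():
    """Map each user with at least one conflict to the conflicting pairs."""
    return {u: c for u in USERS if (c := conflicts_for(u))}
```

Running `sod_report()` flags only CSUPER, who can enter an invoice, approve its payment and run the payment; the manager who approves and reconciles is clean under this particular matrix, which is exactly the kind of decision the control owner has to make explicitly.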

ST01 Authorization Trace Reason Codes

In April 2013, through SAP Note 1373111, SAP offered enhancements to the popular ST01 authorization trace. These enhancements improve SAP security administrators’ ability to troubleshoot authorization errors using ST01 and help analyze what is really going on with the authorization checks.

FOR_USER – This references the user against whom the authorization trace is being performed

TCODE – This indicates the transaction through which the authorization check is occurring

REASON – I find this to be the most helpful. There are currently four reason codes:

    • A: The authorization object was globally deactivated through transaction AUTH_SWITCH_OBJECTS
    • B: The authorization object was locally deactivated through SU24 for this transaction
    • C: The S_TCODE check was deactivated through the CALL TRANSACTION via transaction SE97. You can find more information in SE97 in SAP Note 358122
    • D: The S_TCODE check was deactivated through the system profile parameter auth/tcodes_not_checked. Relates to SU53/SU56.

One issue I had was solved because of this trace enhancement. There was an S_TCODE authorization check with an RC (reason code) of zero even though the user did not have access to the transaction through S_TCODE. Reason code C came up and we had to update the transaction via SE97.
