
Version: 1.0

June 2009

SAP Standard for Security

Whitepaper

Active Global Support SAP AG

2009 SAP AG

SAP Standard for Security Version: 1.0

Page 1 of 59


Table of Contents

1 Management Summary ... 3
2 SAP Standards for E2E Solution Operations ... 4
3 Security Standard at a Glance ... 7
4 What is the basic concept of the Security Standard ... 10
4.1 Process Flow ... 10
4.2 People and Roles ... 12
4.3 Activities for Run SAP operations & optimization ... 14
4.3.1 Compliance ... 14
4.3.1.1 Audit ... 14
4.3.1.2 Outsourcing ... 17
4.3.1.3 Emergency Concept ... 20
4.3.2 Collaboration Security ... 23
4.3.2.1 Secure process and people collaboration ... 23
4.3.3 Identity and Access Management ... 28
4.3.3.1 User and Authorization Management ... 28
4.3.3.2 Administration Concept ... 35
4.3.4 Infrastructure Security ... 39
4.3.4.1 Network, System, Database and Workstation Security ... 39
4.3.5 Software Lifecycle Security ... 45
4.3.5.1 Secure Application Lifecycle ... 45
4.3.5.2 Secure Configuration ... 50
4.3.5.3 Secure Support ... 53
5 How to measure the success of the implementation ... 56


1 Management Summary

Managing complexity, risk, costs as well as skills and resources is at the heart of implementing mission-critical support for SAP-centric solutions. The complexity rises even further with the trend of out-tasking and outsourcing of process components. To help customers manage their SAP-centric solutions, SAP provides a comprehensive set of standards for solution operations. Out of this set of standards, the security standard provides best practices for the secure operation of SAP-centric solutions. It is primarily suited for solutions or processes with low or medium security requirements. Elevated requirements demand a detailed, in-depth analysis that is out of the scope of this document.

The security measures and processes described in this standard ensure a baseline protection of business-critical assets against common threats such as internal or external fraud, virus infections or information leakage, thereby covering common IT scenarios and processes (such as support, outsourcing, collaboration or development scenarios) and addressing compliance with the increasing number of national and international regulations. The main security areas are treated separately to speed up the familiarization of responsible personnel and to serve as a reference document.

Before describing the SAP standard for security in detail, chapter 2 of this document briefly explains the general purpose of the SAP Standards for E2E Solution Operations. Chapter 3 highlights the 10 different security topics covered in this paper. After this, chapter 4 describes in more detail the relevant activities for addressing these topics. Finally, chapter 5 lists criteria to measure the success of the implementation.


2 SAP Standards for E2E Solution Operations

Mission-critical operations are a challenge. While the flexibility of SAP-centric solutions rises, customers have to manage complexity, risks, costs, as well as skills and resources efficiently. Customers have to run and incrementally improve the IT solution to ensure stable operation of the solution landscape. This includes the management of availability, performance, process and data transparency, data consistency, IT process compliance, and other tasks.

Typically, multiple teams in the customer organization are involved in the fulfillment of these requirements (see Figure 1). They belong to the key organizational areas Business Unit and IT. While the names of the organizations may differ from company to company, their function is roughly the same. They run their activities in accordance with the corporate strategy, corporate policies (for example, corporate governance, compliance and security), and the goals of their organizations.

Figure 1: Organizational model for end-to-end solution operations

The different teams specialize in the execution of certain tasks. On the business side, end users use the implemented functionality to run their daily business. Key users provide first-level support for their colleagues. Business process champions define how business processes are to be executed. A program management office communicates these requirements to the IT organization, decides on the financing of development and operations, and ensures that the requirements are implemented.

On the technical side, the application management team is in direct contact with the business units. It is responsible for implementing the business requirements and providing support for end users. Business process operations covers the monitoring and support of the business applications, their integration, and the automation of jobs. Custom development takes care of adjusting the solution to customer-specific requirements and developments. SAP technical operations is responsible for the general administration of systems and detailed system diagnostics. And the IT infrastructure organization provides the underlying IT infrastructure (network, databases, …). Further specialization is possible within these organizations as well. For example, there may be individual experts for different applications within SAP technical operations.

Efficient collaboration between these teams is required to optimize the operation of SAP-centric solutions. This becomes even more important if customers engage service providers to execute some of the tasks or even complete processes. Customers have to integrate the providers of out-tasking and outsourcing services closely into the operation of their solutions. A key prerequisite for efficient collaboration of the involved groups is the clear definition of processes, responsibilities, service level agreements (SLAs), and key performance indicators (KPIs) to measure the fulfillment of the service levels.

Based on the experience gained by SAP Active Global Support while serving more than 40,000 customers, SAP has defined process standards and best practices which help customers set up and run End-to-End (E2E) Solution Operations for their SAP-centric solutions. This covers not only applications from SAP but also applications from independent software vendors (ISVs), original equipment manufacturers (OEMs), and custom code applications integrated into the customer solution.
SAP provides the following standards for solution operations:

- Incident Management describes the process of incident resolution
- Exception Handling explains how to define a model and procedures to manage exceptions and error situations during daily business operations
- Data Integrity avoids data inconsistencies in end-to-end solution landscapes
- Change Request Management enables efficient and punctual implementation of changes with minimal risks
- Upgrade guides customers and technology partners through upgrade projects
- SOA Readiness covers both technical and organizational readiness for service-oriented architectures (SOA)
- Root Cause Analysis defines how to perform root cause analysis end-to-end across different support levels and different technologies
- Change Control Management covers the deployment and the analysis of changes
- Solution Documentation and Solution Documentation for Custom Development define the required documentation and reporting regarding the customer solution
- Remote Supportability contains five basic requirements that have to be met to optimize the supportability of customer solutions
- Business Process and Interface Monitoring describes the monitoring and supervision of the mission-critical business processes
- Data Volume Management defines how to manage data growth
- Job Scheduling Management explains how to manage the planning, scheduling, and monitoring of background jobs
- Transactional Consistency safeguards data synchronization acros