D-009 - SAP Security Assessment

Summary – SAP Security Assessment

Triple EEE IT Services will assess the security and compliance of your SAP systems against the de facto industry standard, the SAP Security Baseline. The SAP Security Baseline defines a minimum set of security requirements to keep your business-critical SAP systems secure with regard to SAP parameters, specific settings, users and their access rights. The assessment also checks whether components like the kernel, application layer, database layer and operating system layer are on a current version. The assessment delivers a clearly structured report and is invaluable input to your SAP risk posture.

Value Proposition

Cyber security and legal compliance are critical capabilities for any organization in light of ever-evolving cyber threats and increasing regulatory pressures.

SAP Systems are at the core of any organisation, and are often critical to the business.

Traditionally, SAP Security efforts have focused on access controls and segregation of duties. However, SAP systems are very complex, and a holistic end-to-end approach covering the entire technology stack is needed to protect your SAP systems against cyber attacks.

SAP developed the SAP Security Baseline in 2014/15 at the request of a number of large SAP customers, as a way to give businesses a consistent way of implementing SAP Security. SAP has continued to update the SAP Security Baseline since, releasing new versions (v2.2 in 2020) and providing additional tooling to validate the configuration.


The assessment will be conducted through a review of SAP system parameters, technical and process documentation, interviews with stakeholders inside and outside your security and compliance function, and, optionally, technical assessments and penetration testing of your SAP systems.


The assessment will be carried out by deep experts with a minimum of 15 years of relevant experience in governance, operations, and SAP Security.

The optional technical assessments will consider the latest vulnerabilities, techniques and exploits used by your adversaries.


The effort of the assessment depends on the depth of the review and the scope of your environments being assessed. Paper assessments (including interviews) can be conducted from an effort of 15 man-days. Assessments including technical work will require a minimum of 30 man-days.


The assessment will produce one or more reports depending on the scope. The reports will propose improvements based on priority. The service delivery will be concluded with a read-out of the reports to your stakeholders, and a joint evaluation of the delivery.


The scoping of the assessment will consider which SAP landscapes to include, the number of documents to review, the number of stakeholders to interview, and the number of SAP systems to include in vulnerability testing and pentesting. Scoping is determined as part of the service intake process and is followed by a specific service proposal for agreement.



    Contact Hugo Cerutti

    +316 46 14 05 13
