
Security @ SAP

1 Comment
  • In SAP, security is very good, but basis consultants have to take care while granting access rights to any user. They have to take care of SOD, segregation of duties.


Security @ SAP
Caroline Wirthle, Corporate Security, SAP AG
SAP AG 2005, University Day 26.04.2005 St.-Leon Rot

Agenda
• Corporate Security
• Product Security Coordination
• Regulatory Compliance
• Crisis Management
• SAP Security Policy & Standards
• Security Awareness

A New Approach to Protection: Openness and Control

1. Asset vs. Ecosystem Protection
• Protect individual assets, such as notebooks, servers, documents… instead of buildings and the “whole network”
• If possible, inhibit logical / physical access to the asset using strong authentication and authorization functions

2. Prevention Instead of Detection
• Analyzing detection alerts is too expensive and comes after the fact
• Intelligent detection allows one to learn about attackers’ behaviors, but does not increase security without prevention

3. From Baseline towards Risk-based Approach
• Concentrate on individual, asset-specific measures and controls
• Assess the “Return on Security Investment” for these measures
• Don’t expect silver bullets or one-size-fits-all solutions to protect adequately

4. Decentralized vs. Centralized Security Responsibility
• YOU are responsible for securing the assets you work with
• Central teams (Corporate Security, GRM, GIAS, IT Security & Quality, NW PM Security, Security Engineering, …) offer services to support you

Note: New regulations are a heavy burden on management’s responsibility for security and follow the same principles: Sarbanes-Oxley Act, Basel II, Aktiengesetz, Data Protection Laws, regional laws like California Civil Act SB 1386, upcoming software liability regulations

Key security approach: openness and control

Vision & Mission, aligned with SAP’s overall strategy

Vision
• SAP Solutions and Services form a cornerstone of the global marketplace by providing modular, networked, and secure processes.
• SAP’s forefront position in all security aspects assures the capabilities and conditions for permanent innovation for SAP and its customers.

Mission
• With the increasing use of service-oriented architectures (SOA), all members of the SAP Community will consider security as a core quality of any innovation.
• SAP employees’ competence will assure SAP’s thought leadership in security;
• SAP Solutions and Services will manage security risks with high effectiveness;
• SAP as a corporate entity will be a showcase for innovative security concepts;
• SAP will define the new business process security market.

SAP Corporate Security: facilitate and moderate!
(Organization diagram: SAP Corporate Security in the centre, working with GRM, GIAS, S&S, Legal, Internal Customers, PTG, HR, R&I and IT. Areas: Customer Security, Information Security, Physical Security, Business Security, Awareness, Identity management, Consulting.)
• Defense secrecy, Global data protection, Technology watch, GIAS coordination, Benchmarking, Security advisory service
• Security policy, Security maturity model (CERT), Policies, Global security concepts, Global security organization, IT security strategy
• Crisis & incident management, Security Service Level Agreements, Risk management integration, Projects, Security governance, Awareness, Audit coordination
• Reporting, Regulatory compliance & Security reporting, Security Workgroup (LoB’s), Security audit coordination
• Global Security Organization, aligned with GOAL principles

Activity Areas and Target Groups
Target groups in the SAP ecosystem: Customers & Partners, Field; within SAP as a corporate entity: Employees & Production, Shareholders & Board. Activity areas: People, Processes, Technology.
• Listed activities: Customer awareness, Product & service security, Security bulletin service, SAP Defense secrecy processes, Security Steering Committee (Board), Benchmarking, Product security maturity model, Lobbying, Certifications, Regulatory compliance & Security reporting
Security Solution Map
• Regulatory compliance | Data protection and privacy | Role and authorization concepts | Application security | Auditing
• Secure collaboration | Identity federation | Message security | Trust interoperability | Security management
• Secure User Access: Identity management | Authentication and single sign-on | Access control
• Network and communications security | Infrastructure security | Platform security | System security | Front-end security
• Software Life-Cycle Security: Secure development | Secure default configuration | Secure change management | Secure delivery

SAP Security Response Process (process management by Security PM)
Discovery → Investigation → Resolution → Release
• Discovery: triggered by the finder; sources: external evaluations, external sources (hacker, press, …), internal evaluations, …; output: Security Issue Report (Notification)
• Investigation: Analysis, Assessment, Search for similar vulnerabilities, Validation; output: Investigation Report
• Resolution: Plan, Fix, Workaround, Documentation, Test; output: Resolution Report
• Release: inform about the solution: Finder, Customers, Public, …; output: Security Bulletin, Rollout
• Interaction with stakeholders throughout the process

Regulatory Compliance - an Extract of Regulations

Regulatory Compliance Objectives
• Regulatory compliance on security issues
• Preparation for changing and growing regulatory requirements
• Proactive preparation of external audits
• Care of SAP’s reputation (trusted advisor)

Tasks
• Collect and structure regulatory requirements on security - Regulatory Requirements Library
• Work out compliance demands on security
• Coordinate security compliance demands across the SAP organization
• Represent the mutuality of different regulations and laws in terms of reporting obligations
• Audit support
Crisis Management

Why is crisis management important?
• In a crisis situation a fast reaction is needed to avoid further aggravation of the situation
• Avoid the occurrence of a catastrophe
• Crisis (Chinese): Danger + Chance

What is done to support Crisis Management
• Crisis squad with decision power
• Clearly defined responsibilities
• Systematically arranged communication
• Formalized processes
• Approved and tested tasks

Overall Goal: avoidance of personal, financial and economic damage, and avoidance of loss of reputation

Corporate Security Role in Crisis Management
• Board: decides about the crisis situation and activation of the crisis squad (executive level crisis squad)
• Corporate Security: moderates the process; calls additional supporters if needed; coordinates the crisis squad; process owner of the crisis management process
• 1st level crisis squad: Corporate Security, HR, GC, FA, Legal, ... plus experts from internal departments affected by the incident

SAP Security Policy

Objectives
• The SAP Security Policy governs fundamental aspects relating to security at SAP for the protection of its employees, assets, information and systems. It also forms the basis for the security measures to be taken in the individual business areas and SAP companies.
• The overall aim of this policy and corresponding standards is to achieve and maintain an effective and appropriate level of security within SAP and to reinforce the position of SAP as a trusted partner to its customers.

SAP Security Framework
• GLOBAL: SAP Security Policy, SAP Security Standards
• LOCAL: Local Security Standards, Security Procedures
Internal Awareness
• Social Engineering
• Additional tasks: SAPNet pages, SAPNet News, Infosessions
• Raise security awareness and trust among our employees
• Additional information on how to act can be found in SAPNet

University Awareness Days

Content of the event
• In 2005, several one-day information events will take place as part of our University Alliance Programme
• Venues are Walldorf, Berlin and München
• Interested students and lecturers from the IT, mathematics and business departments are invited
• Goal: improve cooperation with universities on the topic of security and create more awareness of secure development in the SAP environment among the new generation of developers
• Participation is free of charge

One-day event “Secure Programming”: agenda
• Why is security important?
• Keynote: current topics
• Golden rules of secure programming
• Secure programming in software companies
• SAP Research research project
• Panel discussion “secure programming at universities”

Dates
• St. Leon-Rot 13.09.2005
• Berlin 16.09.2005
• München 07.10.2005

SAP Action Commitments (Handlungsversprechen)
• May: online portal for children to improve media literacy
• June: free security check
• July: learning package on “secure online trading and protection of personal data”
• September: information security package for small and medium-sized enterprises
• October: development of secure software
• November: security barometer
• December: online application centre and issuing of test certificates to small and medium-sized enterprises and public authorities

Questions?
Caroline Wirthle, Corporate Security