Those looking to test the security of their SAP landscape should follow a holistic approach. However, many of the most common security audits available only focus on individual aspects of security. A truly comprehensive inspection needs to cover a good deal more – particularly when it comes to an SAP system’s more sensitive data.
Secnic can help you get there. If you’d like to start with an initial appraisal, the SCS comprehensive SAP security audit covers:
- General system profile parameters: check the configuration of allowed message server hosts
- Password guidelines: check your password security settings
- User administration: check whether all user settings are in order (and if any users have been locked for multiple incorrect login attempts, for example)
- Standard users: check whether the standard SAP users have been adjusted as recommended
- Authorizations: do any users or user groups hold critical authorizations? This question is broken down into individual checks of the following:
  - General critical authorizations
  - Basis administration (general)
  - User administration
  - Job and spool administration
  - Primary functions
- Communication security: Are there any holes in internal or external communication interfaces?
- Specific aspects of your SAP system’s installation
- Database security: check the security of the database in use
- Operating system security: From an SAP perspective, is your operating system sufficiently secure without hampering your ongoing operations?
- Logging: Have the available options been configured correctly?
- Web Application Server (WAS) security: check whether HTTPS is in use, for example
- Safeguarding system integrity: Is your system correctly configured? (This is particularly important with regard to ongoing system changes, as often occur in production systems)
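As an added, defender-side illustration of the profile-parameter, password, standard-user and HTTPS checks listed above (example code written for this page, not SCS's audit tooling), the following Python checker reads a DEFAULT.PFL-style profile and compares selected parameters against a baseline. The parameter names are real SAP profile parameters; the thresholds, the sample profile and the recommended values are assumptions chosen for illustration, not SCS's audit criteria.

```python
"""Illustrative SAP profile baseline checker (example code, not a real audit tool)."""
from typing import Callable

# Constructed sample profile in "key = value" form; not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample DEFAULT.PFL fragment
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

# Baseline rules (assumed thresholds): parameter, predicate on its value, expectation text.
RULES: list[tuple[str, Callable[[str], bool], str]] = [
    ("login/min_password_lng", lambda v: int(v) >= 8, ">= 8"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "between 1 and 5"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1", "1 (no hard-coded SAP* fallback)"),
    ("ms/acl_info", lambda v: bool(v), "set (message server ACL file configured)"),
]

def check_profile(params: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (parameter, observed value, expected value) for every deviation."""
    findings: list[tuple[str, str, str]] = []
    for key, ok, expected in RULES:
        value = params.get(key)
        try:
            compliant = value is not None and ok(value)
        except ValueError:          # non-numeric value where a number is expected
            compliant = False
        if not compliant:
            findings.append((key, "<unset>" if value is None else value, expected))
    # WAS check: at least one ICM listener must be an HTTPS port.
    if not any(k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()
               for k, v in params.items()):
        findings.append(("icm/server_port_*", "no HTTPS listener", "at least one PROT=HTTPS port"))
    return findings

if __name__ == "__main__":
    for key, observed, expected in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{key}: observed {observed}, expected {expected}")
```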
The audit also examines further facets relating to the quality, robustness, and performance of your SAP systems, and SCS addresses customer-specific factors as well. The list above already establishes a minimum standard of security, but a truly comprehensive security concept also needs a sophisticated role and authorization concept, identity and access management, encryption, the security of custom programming, and other subjects.