Professional Documents
Culture Documents
SAP Baseline Security Audit: Essential Technical Controls
SAP Baseline Security Audit: Essential Technical Controls
A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up
against industry best practices. The Baseline Security Audit is the first step in a
comprehensive security audit program and is ideal for generating a quick win early. This
article outlines the areas covered under the SAP Baseline Security Audit we perform. The
audit covers two high-level areas:
1. Essential Technical Controls
2. Essential Process Controls
Essential Technical Controls
The key components of the SAP infrastructure are checked for technical vulnerabilities.
These components include:
SAP web servers
SAP ECC servers
SAP database servers
Firewalls
The technical controls we examine are categorized as:
Authentication and Access controls
Server controls
Network controls
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Authentication and Access Controls
Has a minimum password length (login/min_password_lng) been enforced?
Have the default passwords for default users (“SAP”, “DDIC”, etc) been changed?
Has an expiration time been set for passwords?
(login/password_expiration_time)
Is the maximum number of failed logins before an account is locked set?
(login/fails_to_user_lock)
Are multiple user sessions suppressed?
Have the password of default database accounts been changed?
Access protection and requisite authorisations
Network Controls
Has RFC communication in the SAP gateway been secured with the secinfo file?
Is SSL or SNC in place to encrypt traffic for DIAG or RFC connections?
Has the network been segmented with adequate isolation for various SAP
elements?
Does the firewall rulebase have insecure rules?
Are blocked connections logged?
Server Controls
Have the latest patches been applied on the server?
Are unnecessary and unsecured Internet services running?
Are the OS file permissions adequately restrictive?
Have OS commands that can be executed from SAP via SM49 been prevented?
Essential Process Controls
Key processes for administering the SAP environment are checked for compliance with
the enterprise policy and industry best practices in this phase of the audit.
The area that are covered under this are:
Backup and Recovery Processes
Change Management Processes
Identity Management Processes
Incident Management Processes
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Key Roles and Responsibilities
Have responsibilities been defined for key roles?
Are key administrative roles separated? Eg. User creation and approval
Backup and Recovery Processes
Does the backup schedule adhere to policy?
Are backups encrypted?
Are backup tapes labeled?
Are offsite copies of backups maintained?
Is recovery tested periodically in line with policy?
Change Management Processes
Are well-defined processes adhered to for change management?
Does a change management committee review and approve all changes to
production?
Are changes to production tested in staging before being migrated to
production?
Identity Management Processes
Is the administrative process for communicating passwords to new users secure?
Incident Management Processes
Are incident management procedures defined and communicated to all key
personnel?
The above are sample checks performed as part of the baseline audit.
What a Baseline Security Audit Does Not Cover
The Baseline Security Audit focuses on quick wins; it does not cover the following audits
which require greater investment in time and effort:
Authorizations audit, to check if authorizations have been given correctly
Business process audit, to check if frauds can be permitted within the business
processes in SAP
Transactions
- ABAP programs
- Tables
- Files
- Authorizations, authorization profiles and user master records
- Data carriers
- Other security measures (such as table types and separating different
clients)
Functional Scope
C)Realization Phase
Level-2 traing and Feed back reports
Unit Testing plans
Unit test by consultants and core team members and test scripts acceptance.
Base line integration test scripts and results.
User acceptance tests and results.
Testing of reports and acceptance.
Testing of developments and acceptance.
Base line configuration documents.
Functional and technical specs for developments.
D)Final Preparation
Final Configuration and documentation
Completion of Interface development and testing and user acceptance.
Cutover strategy preparation and documentation.
Level 3 traing of core team members.Traing feed back.
Training of End users and feed back
Retraining as per feed back.
Test scripts for Integration testing and user testing and acceptance.
Closure of open issues.
Volume testing and stress testing of SAP system and Interphases.
Preparation for Go-live
Setting up of Help desk and issue redressal mechanism and SLAs
E)Go live-
Review of support desk activities