Search This Blog

Wednesday, March 23, 2011

SAP Security FAQs - Application Level Security

What does the certification ITSEC E2 medium (SAP's security certification) mean?

SAP has received the ITSEC security certificate from the German Federal Office for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik (BSI)).
SAP R/3 4.0B has been evaluated according to the Information Technology Security Evaluation Criteria (ITSEC) Version 2.1, June 1991 and the IT Security Evaluation Manual (ITSEM) Version 1.0, September 1993. The evaluation result was E2/Medium.
The certificate is recognized in the following countries: Germany, Finland, France, Great Britain, Italy, Holland, Norway, Portugal, Sweden, Switzerland, and Spain.
The ITSEC classification F-C2, E2 corresponds to the US TCSEC (Orange Book) classification C2. You can find further information on the ITSEC certification under the alias Security on the SAP Service Marketplace and in SAP Note 0077462.

Where do I get information about partners?

First, see the partner directory on the SAP Service Marketplace using the alias /partnerdir. Second, you can e-mail a question to security@sap.com with your details and we will try to answer your questions about partners.

Can specific transactions be allowed or disallowed on the backend?

This should be administered through a qualified authorization concept. All transactions you wish to give to a user should be integrated into a role using the Profile Generator (transaction PFCG). More information is provided by the training course CA940 (SAP R/3 Authorization Concept).

What security-related training courses are there?

BC940 (Security and Auditing), CA940 (SAP R/3 Authorization Concept), HR307 (Technical aspects in HR, one chapter concerning authorizations in HR), BC305 (Advanced System Administration, chapters about CUA, CCMS and auditing). In addition to the training offered by SAP, there are a variety of partners providing training in fields like Public Key Infrastructures and directory integration.

Where can I find more information about mySAP Technology for Security?

Use the aliases /Security and /Securityguide on the SAP Service Marketplace. You can also use the general e-mail Service@sap.com.
See also: composite SAP Note 30724.

Which Quick Links on the SAP Service Marketplace (http://service.sap.com) are relevant for Security?

/Security (Information and literature about all security topics)
/TCS (Information about the SAP Trust Center Service)
/AIS (Information about SAP's Audit Information System)
/Securityguide (Download the SAP Security Guide)
/Systemmanagement (Computer Center Management System (CCMS); a tool for System Monitoring and Alert Management)
/Securityconsulting (Consulting services from SAP concerning security)

You might also want to have a look on the website of SAPLabs, Palo Alto: wwwtech.saplabs.com/guidebooks. There are downloads of predefined roles available as well as info and downloads of the "Made Easy Guide Books" one of which is the "Authorizations Made Easy 4.6A/B Guide Book" explaining the Profile Generator and how to set up authorizations in detail.

Is there information available on a security review by SAP (costs, benefit, and so on)?

Refer to SAP Deutschland AG&Co.KG´s (SAP LGD) Security Consulting service (alias Securityconsulting on the SAP Service Marketplace).

 

2 comments: