SAP Security Guidelines
In September 2010, SAP released Secure Configuration of SAP NetWeaver ABAP - SAP Security Recommendations, which describes "a set of security measures for ABAP systems against unauthorized access within the corporate network." The recommendations do not cover segregation-of-duties controls or the security of the underlying operating systems and databases; their sole focus is the security of the SAP technology platform itself (Basis/NetWeaver).
SAP systems are more exposed to risk than ever before. The number of SAP security notes published per year has risen from about 20 in 2007 to over 1000 in 2014. SAP is proactively trying to help its customers mitigate the growing security risks to their SAP systems, but the risks continue to grow.
To help organizations reduce risk around business-critical applications, Onapsis has streamlined the process of mapping SAP systems to the SAP Security Guidelines. Our products allow you to rapidly check your SAP infrastructure against new guidelines, spot gaps, and quickly align your remediation initiatives.
PCI DSS Compliance
The PCI Data Security Standard (PCI DSS) is the widely adopted security standard developed by the PCI Security Standards Council to protect cardholder information.
As a global standard, PCI DSS applies to any entity that stores, processes or transmits credit cardholder information. Therefore, if your SAP systems perform any of these activities, they are in scope for PCI DSS and must be included in your compliance initiatives.
However, most organizations cannot easily identify which of their 1500+ SAP configuration parameters and 80,000+ tables are affected by this regulation. They also do not know how to perform vulnerability scans and penetration tests at the SAP application layer, and they cannot efficiently check the compliance of dozens or hundreds of SAP systems.
Onapsis experts and partners have helped many global organizations align their SAP infrastructure with current PCI DSS compliance initiatives. Onapsis products allow you to quickly detect PCI DSS violations in your SAP infrastructure and implement remediation plans to ensure that your SAP systems and applications are PCI DSS compliant.
Onapsis also offers a PCI DSS Security Audit service. This service analyzes your SAP platform to detect SAP-specific non-compliance items and provides guidance on how to resolve PCI-related issues effectively before a company-wide PCI assessment is performed by an auditor. Learn more about the Onapsis PCI DSS Security Audit.
Sarbanes-Oxley (SOX) Compliance
The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.
Since many organizations run their accounting systems on SAP, their financial reporting depends on reliable and secure SAP environments. Every organization that is publicly traded in the United States is subject to Sarbanes-Oxley, so it is important to include SAP in your SOX compliance initiatives. SAP systems handle financial transactions and house the general ledger (GL), accounts payable (AP), accounts receivable (AR) and asset accounting. Additionally, SAP systems handle cost center accounting, profit center accounting (PCA), product costing, profitability analysis and internal orders (IO).
Onapsis solutions are designed to quickly and efficiently perform security and compliance audits that identify compliance gaps in your SAP systems. Onapsis also offers a SOX Security Audit, which verifies whether your business-critical applications satisfy the controls within the scope of SOX compliance. To do so, our consultants assess your SAP platforms beyond the segregation-of-duties conflict matrix to identify and mitigate risk where applicable. Learn more about the Onapsis SOX Security Audit.