At Onapsis we recognize that information security means more than just protecting your business-critical applications from possible invaders. Worldwide, we see cybersecurity regulations maturing, leading to added pressure for companies to stay compliant. It is clear that, apart from the obvious technical component, the legal aspects of the information security domain demand a growing slice of attention to maintain business prosperity.
Enforcing a new password policy on an SAP system isn't always an easy task. Most of the existing SAP implementations have been running in production for many years, and since that moment SAP password-related profile parameters evolved to provide enhanced security based on the complex and always changing compliance requirements (SOX, PCI, HIPAA, etc). The problem is, basically, the fact that by default user passwords are compliant to the policies only when created/changed. If the user is never forced to change the password they could potentially have ever-lasting non-compliant passwords.