SAP Security Checklist
ERPSecure
User Management
- Quick Win: Review and document dialog users regularly
- Review and document background users
- Review and document RFC users
- Quick Win: Review users with critical authorizations
- Quick Win: Review and limit users with SAP_ALL profile access
- Quick Win: Regularly review and remove obsolete or inactive users
- Review background and RFC user authorizations
- Quick Win: Check and review users with user administration rights
- Review standard users, especially after system upgrades or new installations
- Implement and review user access provisioning workflows
- Monitor and document high-privilege user activities
- Implement a regular user access review process, including role-based access control (RBAC) reviews
- Implement a formal user offboarding process to ensure timely removal of access
- Ensure user roles are assigned based on the principle of least privilege
- Set up automated alerts for critical user activities, such as creation of high-privilege accounts
Password and Authentication
- Quick Win: Create and document company password policy
- Quick Win: Document current password policy parameters in the system
- Change password parameters to reflect company policy
- Define illegal passwords in table USR40
- Quick Win: Disable login with SAP* user
- Define a new super user as replacement for SAP*
- Check and maintain standard system users (SAP*, DDIC, etc.)
- Review and enforce password expiration policies
- Consider implementing risk-based authentication for sensitive transactions
- Regularly update and test password blacklists to prevent common or compromised passwords
- Quick Win: Implement account lockout policies after a specified number of failed login attempts
- Enable multi-factor authentication (MFA) where possible
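One way to operationalize the password-parameter items above (documenting the current parameters, aligning them with company policy, disabling SAP* fallback login, lockout after failed attempts), as an added example that is not part of the checklist: a small Python checker that parses an instance-profile excerpt and reports every deviation from an assumed company policy, including parameters that are not set at all. The login/* and rsau/enable names are real SAP profile parameters (viewable with transaction RZ11); the policy thresholds and the profile excerpt are constructed assumptions, not values from the page.

```python
import re

# Assumed company policy (constructed thresholds): parameter -> (predicate, description).
# The parameter names are real SAP profile parameters; the limits are this example's assumptions.
POLICY = {
    "login/min_password_lng": (lambda v: v >= 12, ">= 12 characters"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "1..90 days (0 = never expires)"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "1..5 failed attempts"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1 (SAP* fallback login disabled)"),
    "rsau/enable": (lambda v: v == 1, "1 (Security Audit Log active)"),
}

# Constructed instance-profile excerpt in the usual 'name = value' format.
SAMPLE_PROFILE = """
login/min_password_lng = 8
login/password_expiration_time = 0
login/fails_to_user_lock = 5
rsau/enable = 0
"""

def parse_profile(text):
    """Parse 'name = value' lines into a dict; skip blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w/.-]+)\s*=\s*(\S.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def check_policy(params, policy=POLICY):
    """Return (parameter, actual, expected) for each deviation. A parameter absent from
    the profile is reported as 'not set' because the kernel default then applies unreviewed."""
    findings = []
    for name, (ok, expected) in policy.items():
        raw = params.get(name)
        if raw is None or not raw.lstrip("-").isdigit():
            findings.append((name, raw or "not set", expected))
        elif not ok(int(raw)):
            findings.append((name, raw, expected))
    return findings

if __name__ == "__main__":
    for name, actual, expected in check_policy(parse_profile(SAMPLE_PROFILE)):
        print(f"DEVIATION {name}: is {actual}, policy requires {expected}")
```

The output of the checker doubles as the documentation of the current parameters that the checklist asks for; rerun it after each parameter change or upgrade.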
System Security
- Quick Win: Document and secure operating system and database users
- Review SAP password tables access (USR* tables)
- Define procedures for emergency user access
- Configure SAP Security Audit Log
- Configure SAP table logging (when required)
- Quick Win: Disable STMS 'import all' function for transport requests
- Consider enabling STMS Quality Assurance procedures
- Quick Win: Define a security contact for the company
- Regularly review and update the system security policies
- Review and implement secure transport layer security settings (e.g., SNC, SSL)
- Ensure that all security patches and updates are applied promptly
- Implement network segmentation to isolate SAP systems from other parts of the corporate network
- Use SAProuter for controlled remote access to SAP systems
- Implement and regularly review firewall rules specific to SAP traffic
- Consider implementing a Web Application Firewall (WAF) for SAP applications exposed to the internet
Application Security
- Regularly review and update authorization objects and profiles
- Monitor and document changes to critical tables
- Ensure secure configuration of business-critical applications (e.g., financial modules, HR)
- Implement logging and monitoring for application-level activities
- Conduct regular application security assessments and audits
- Review and restrict access to sensitive transactions (e.g., SE38, SE80, SA38)
- Implement and enforce secure coding guidelines for ABAP development
- Avoid hardcoding passwords in ABAP code
- Implement a process for creating, reviewing, and maintaining custom authorization objects
- Implement code scanning tools specifically designed for ABAP to detect security vulnerabilities
- Establish a secure development lifecycle (SDLC) process for SAP development
- Implement and enforce input validation and output encoding in all ABAP programs
- Regularly review and update custom ABAP code for security best practices
Data Protection and Privacy
- Ensure compliance with data protection regulations (e.g., GDPR, CCPA)
- Implement encryption for sensitive data at rest and in transit
- Conduct regular reviews of data access permissions
- Monitor and document data access activities
- Implement data masking or anonymization where necessary
- Review and document data retention policies
- Implement data masking for sensitive information in non-production environments
- Use SAP's Data Privacy Integration service to manage data subject rights requests (e.g., GDPR compliance)
- Implement database-level encryption for sensitive data at rest
- Regularly conduct data classification exercises and ensure appropriate controls are in place
Logging and Monitoring
- Implement a Security Information and Event Management (SIEM) solution to centralize and analyze SAP logs
- Set up real-time alerts for critical security events in SAP systems
- Regularly review and update logging and monitoring rules to detect new threats
- Implement user behavior analytics to detect anomalous activities
Change Management and Transport Security
- Implement and document change management procedures
- Ensure that all changes are approved and tested before deployment
- Maintain a record of all changes made to the system
- Review and monitor changes for potential security impacts
- Implement a robust change management process for all SAP changes, including emergency changes
- Use SAP Change and Transport System (CTS+) for managing transports across landscapes
- Implement segregation of duties in the transport management process
- Regularly audit transport logs and approvals
Interface and RFC Security
- Regularly review and update RFC destination security settings
- Implement SSL/TLS encryption for all external RFC connections
- Use SAP's Trust Manager to manage certificates for secure communications
- Regularly audit and remove unused or insecure RFC connections
Vulnerability Management
- Implement a regular vulnerability scanning process specific to SAP systems
- Subscribe to SAP security notes and implement a process to regularly review and apply them
- Conduct regular penetration testing on SAP applications and infrastructure
- Implement a formal process for tracking and remediating identified vulnerabilities
Business Continuity and Disaster Recovery
- Quick Win: Develop and document overall backup strategy
- Implement and test backup processes (scheduled and unscheduled)
- Quick Win: Set up backup monitoring and logging
- Implement database monitoring
- Quick Win: Set up free space monitoring
- Develop and test disaster recovery plan
- Implement backup consistency checks
- Ensure secure backup storage and retrieval processes
- Regularly review and update the disaster recovery plan
- Ensure the disaster recovery plan includes clear recovery time objectives (RTOs) and recovery point objectives (RPOs)
- Regularly test and update SAP-specific disaster recovery plans
- Implement and test high availability solutions for critical SAP systems
- Ensure SAP systems are included in the overall business continuity planning
Incident Response
- Develop and document an incident response plan
- Conduct regular incident response drills
- Monitor for and respond to security incidents in a timely manner
- Ensure there is a clear escalation process for security incidents
- Document and review incidents to prevent future occurrences
Compliance and Audit
- Regularly conduct internal audits of SAP security settings and practices
- Prepare and maintain documentation for external audits
- Ensure compliance with industry-specific security standards (e.g., SOX, PCI-DSS)
- Review and update compliance-related configurations regularly
Third-Party and Cloud Security
- If using SAP cloud services, implement and regularly review security configurations specific to those services
- For on-premises systems, ensure physical security measures are in place for SAP servers and infrastructure
- Implement a vendor risk management process for SAP-related third-party services and add-ons
SAP-Specific Compliance
- Implement SAP GRC (Governance, Risk, and Compliance) modules for automated control monitoring
- Regularly conduct SAP license audits to ensure compliance with licensing terms
- Implement SAP-specific controls to meet industry regulations (e.g., SOX, HIPAA, PCI-DSS)