SAP Secure Operations Map. SAP Active Global Support Security Services May 2015

Size: px
Start display at page:

Download "SAP Secure Operations Map. SAP Active Global Support Security Services May 2015"

Transcription

1 SAP Secure Operations Map SAP Active Global Support Security Services May 2015

2 SAP Secure Operations Map Security Compliance Security Governance Audit Cloud Security Emergency Concept Secure Operation Users and Authorizations Authentication and Single Sign-On Support Security Security Review and Monitoring Secure Setup Secure Configuration Communication Security Data Security Secure Code Security Maintenance of SAP Code Custom Code Security Infrastructure Security Network Security Operating System and Database Security Frontend Security 2015 SAP SE. All rights reserved. 2

3 SAP Secure Operations Map The 16 Secure Operation Tracks cover the following topics: Security Governance: Adopt security policies for your SAP landscape, create and implement an SAP Security Baseline Audit: Ensure and verify the compliance of a company s IT infrastructure and operation with internal and external guidelines Cloud Security: Ensure secure operation in cloud and outsourcing scenarios Emergency Concept: Prepare for and react to emergency situations Users and Authorizations: Manage IT users and authorizations including special users like administrators Authentication and Single Sign-On: Authenticate users properly but only as often as really required Support Security: Resolve software incidents in a secure manner Security Review and Monitoring: Review and monitor the security of your SAP systems on a regular basis Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications Communication Security: Utilize communication security measures available in your SAP software Data Security: Secure critical data beyond pure authorization protection Security Maintenance of SAP Code: Establish an effective process to maintain the security of SAP delivered code Custom Code Security: Develop secure custom code and maintain the security of it Network Security: Ensure a secure network environment covering SAP requirements Operating System and Database Security: Cover SAP requirements towards the OS and DB level Frontend Security: Establish proper security on the frontend including workstations and mobile devices 2015 SAP SE. All rights reserved. 3

4 Security Governance Create and implement an SAP Security Baseline, containing the governing SAP-specific regulations to be applied for all SAP systems in the customer s landscapes. Define and implement an operational model with clear defined roles and responsibilities as well as the operational process ensuring that the requirements become real action in the different system landscapes. Goal is to achieve a common understanding about the responsibilities of the different parties involved and comparable results for implementation of measures and the regular reporting. To ensure full transparency on the implemented IT Security level each area has to implement and operate and appropriate Risk Management and IT Risk and Security Lifecycle Identify systems or landscapes for which on a first informal assessment the standard SAP Security Baseline may not be sufficient. This may be the case if specific security requirements or restrictions apply to a certain system. For such systems after covering the SAP Security Baseline requirements a detailed risk analysis is required. Measures required beyond the Baseline need then to be included into the rule set, operations and risk management for such systems SAP SE. All rights reserved. 4

5 Audit Prepare for internal and external audits Identify relevant regulations like ITIL, BASEL II, SOX, FDA, Data Protection or ISO and derive required measures and controls from there. Ensure the auditability of systems by enforcing appropriate and effective security, e.g. no unrestricted authorizations (e.g. SAP_ALL ) or debug/change authorizations on production systems. Define logs and traces to be collected (consider data protection laws, put limits on production environment, define clipping levels etc.). Restrict access to log data and logging facilities. Assess your systems on a regular basis Analyze logs with appropriate tools (Audit Information System, Security Audit Log, User Information System (SUIM), SAP Solution Manager, etc.) Perform Security Assessments (Security Optimization Services, penetration tests) Audit the different Secure Operations Tracks e.g. infrastructure settings and communication interfaces (firewall, RFC destinations, ALE, ICF, WS, etc.) users and authorizations (spot checks, GRC access control, etc.) Respond to audit results resolve audit complaints appropriately improve operations and rule sets to avoid similar findings in future 2015 SAP SE. All rights reserved. 5

6 Cloud Security Define minimum security requirements for Service Level Agreements (SLAs) Definition of roles and responsibilities (e.g. basis administration by the outsourcing partner, application administration by the company itself) Definition of interfaces, communication and controls between the parties Regulations for security maintenance, secure configuration and secure operation of systems For those parts, that remain in the customer s responsibility (e.g. application operations for HEC systems) the standard recommendations and Secure Operation Tracks recommendations remain unchanged Establish suitable infrastructures (Identity Management, Single Sign-On) and secure connections to integrate the cloud service into your landscape and to connect hybrid scenarios SAP SE. All rights reserved. 6

7 Emergency Concept Prepare for incidents Define processes and responsibilities Create and maintain emergency users for relevant systems Collect required logs and data Define rules and triggers for incident identification and classification Define processes for incident response, impact containment and remediation and incident recovery Prepare for technical and non-technical (e.g. legal) follow-up and improvements Ensure a suitable backup and recovery concept (which targets availability; not part of the Security standard) 2015 SAP SE. All rights reserved. 7

8 Users & Authorizations Define a User Authorization Concept including Define appropriate authorizations for business users and roles Ensure cross-system and landscape consistency of authorizations Segregate basis authorization from application-level authorizations Define appropriate roles and authorizations for all administration topics (security administrator, IT administrator, data custodian, auditor, etc.) Define and maintain support and emergency users with appropriate roles and authorizations as well as activation/deactivation rules and documentation requirements. Clarify the overall identity and authorization provisioning architecture Define and implement processes for the proper creation, modification and removal of users and authorizations (led by HCM) Implement Identity Management or integrate with an existing Identity Management Infrastructure. Integrate with any existing Corporate Directory. Check replication and synchronization among user stores (IdM, LDAP, UME, CUA, etc.) Implement proper Segregation of Duty (SoD) rules, controls and mechanisms 2015 SAP SE. All rights reserved. 8

9 Authentication and Single Sign-On Establish appropriate single- or multi-factor authentication mechanisms Decide and implement central authentication and Single Sign-On to connected systems or integrate with existing Single Sign-On infrastructures. This may include Maintenance and Operation of corresponding Public Key Infrastructures Managements of certificates (maintenance of key stores, revocation lists, certification requests, etc.) Operation of initial authentication points and Identity Provider / Identity Consumer services Prepare for authenticator (password, certificate, token) renewal and revocation SAP SE. All rights reserved. 9

10 Support Security Address the needs for getting support in a secure manner on the different levels Secure internal support by the internal support group of the respective company or organization Secure external support from third parties Secure support from SAP as the vendor Advanced Secure Support offering from SAP for companies and organization with enhanced security needs like cleared support personnel or secure support rooms Define requirements for support connections and select accordingly (NetViewer, opening of remote connections etc.) Manage support user accounts and authorizations (password policies, validity period etc.) Allow reproduction of errors on development and test systems (TDMS) Develop guidelines for message handling (interaction employee and support etc.) 2015 SAP SE. All rights reserved. 10

11 Security Review and Monitoring Monitor and review security settings, which includes external or internal assessments as well as tools and services like the EarlyWatch Alert Security chapter or the Security Optimization Self or Remote Service Monitor and review activity logs (including the security audit logs) Periodically review security relevant configuration settings of all systems and installed software components, e.g. via Configuration Validation and Security Dashboards. Integrate security monitoring with Alerting (e.g. SAP Solution Manager Monitoring and Alerting Infrastructure), Operation Control Centers (OCC) or Risk Management and Mitigation (e.g. GRC Process Control) 2015 SAP SE. All rights reserved. 11

12 Security in Operations The Big Picture Management Dashboards Provide an overview on system landscape status For Security could also include the progress of get-clean projects Mainly used for quick status overview as required by management and operations Incident Management Guided Procedures (Immediate Resolution) Inbox of Work Items used as trigger for action For Security may contain Snapshot spot checks (identified issues at time of check) Security critical events (independent of time of check) Change Management (Change Projects) Risk Management (Remediation/Exception Handling) 2015 SAP SE. All rights reserved. 12

13 Secure Configuration Maintain security configuration settings and changes Especially refer to the SAP Security Guides and to the SAP Security Baseline Template Setup and maintain the transport management system for ABAP and Java (protect transport directory) 2015 SAP SE. All rights reserved. 13

14 Communication Security Secure data in transit via communication encryption, e.g. via SSL/TLS or SNC Maintain and operate the corresponding Public Key Infrastructure Secure RFC communication by respecting system security hierarchy and setting up connections appropriately restricting RFC access e.g. via UCON assigning proper network / RFC authorizations using RFC Gateway security mechanisms to secure the usage of started or registered RFC servers Limit ICF / Web services to the required minimum 2015 SAP SE. All rights reserved. 14

15 Data Security Message-level security, including data encryption (e.g. of credit card numbers) and digital signatures e.g. via the Secure Store and Forward (SSF) framework. Anti-Virus scanning of files and documents, e.g. via the Virus Scan Interface (VSI) 2015 SAP SE. All rights reserved. 15

16 Security Maintenance of SAP Code Security Maintenance approach for handling Security Notes published on the SAP Patch Days. Note risk evaluation and Note implementation Kernel updates General software maintenance (Support Packages (SP), new versions, new patch levels) including corresponding Security Notes planning Implementation and use of corresponding tools like Maintenance Optimizer System Recommendations Configuration Validation 2015 SAP SE. All rights reserved. 16

17 Custom Code Security Custom Code Lifecycle Management and Custom Code Clean-Up Custom Code Secure Development Lifecycle Knowledge & Awareness Introduce security in the SW development organizations and processes Procedures & Guidelines Define and implement Secure Software Development Lifecycle Provide guidelines, best practices etc. Develop test concept for in-house and 3rd party development Tool Support Implement Code Security Scanners as e.g. the Code Vulnerability Analyzer (CVA) 2015 SAP SE. All rights reserved. 17

18 Network Security Maintain an appropriate network topology, network segregation and domain concept Limit network services and protocols Implement and secure SAP network components like SAProuter and SAP Web Dispatcher Cover key SAP requirements towards the network layer, e.g. introduce at least a separation between server and client networks SAP SE. All rights reserved. 18

19 Operating System and Database Security Operating Systems (OS) Verify OS hardening, update and test systems, maintain and perform anti-virus checks, ensure integrity of critical system files and configurations, keep user base up-to-date Cover SAP security needs, e.g. OS level protection of critical directories like the transport directory Databases (DB) Restrict use of database, proprietary database tools and database specific functions by proper authorization management at the database level Log and analyze database security events Cover SAP security needs, e.g. avoid database usage bypassing the SAP DB abstraction layer (if not required e.g. for direct access to a HANA database) 2015 SAP SE. All rights reserved. 19

20 Frontend Security Manage devices and applications especially for mobile devices. Manage secure software distribution and configuration Monitor usage of licenses and installations of unauthorized software Maintain secure communication channels. Configure, distribute and activate SAPGUI security mechanisms including the SAPGUI Access Control Lists SAP SE. All rights reserved. 20

21 Thank You! Contact information: SAP Active Global Support Security Services

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann... 15 Foreword by Dr. Sachar Paulus... 17 1 Introduction...

More information

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance

More information

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams. Exam : P_ADM_SEC_70 Title : SAP Certified Technology Professional - Security with SAP NetWeaver 7.0 Version : Demo 1 / 5 1.Which of the following statements regarding SSO and SAP Logon Tickets are true?

More information

Compliance & SAP Security. Secure SAP applications based on state-of-the-art user & system concepts. Driving value with IT

Compliance & SAP Security. Secure SAP applications based on state-of-the-art user & system concepts. Driving value with IT Compliance & SAP Security Secure SAP applications based on state-of-the-art user & system concepts Driving value with IT BO Access Control Authorization Workflow Central User Management Encryption Data

More information

Master Data Governance Security Guide

Master Data Governance Security Guide Master Data Governance Security Guide PUBLIC Document Version: 01.08 2014 Master Data Governance Security Guide 70 1 Copyright Copyright 2013 SAP AG. All rights reserved. Portions Copyright 2014 Utopia

More information

SAP Standard for Security

SAP Standard for Security SAP Standard for E2E Solution Operations Document Version: 1.0 2014-12-12 SAP Solution Manager 7.1 Typographic Conventions Type Style Example Description Words or characters quoted from the screen. These

More information

SAP Standard for Remote Supportability

SAP Standard for Remote Supportability SAP Standard for E2E Solution Operations Document Version: 1.0 2014-12-12 SAP Solution Manager 7.1 Typographic Conventions Type Style Example Description Words or characters quoted from the screen. These

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH WWW.MANTRANCONSULTING.COM 25 Mar 2011, ISACA Singapore SOD SAS70 Project Controls Infrastructure security Configurable controls Change

More information

Session 0804 Security Control Center by SAP Active Global Support Kristian Lehment, Senior Product Manager, SAP AG

Session 0804 Security Control Center by SAP Active Global Support Kristian Lehment, Senior Product Manager, SAP AG Orange County Convention Center Orlando, Florida June 3-5, 2014 Session 0804 Security Control Center by SAP Active Global Support Kristian Lehment, Senior Product Manager, SAP AG Abstract Running secure

More information

Information Technology Solutions. Managed IT Services

Information Technology Solutions. Managed IT Services Managed IT Services System downtime, viruses, spyware, lost productivity; if these problems are impacting your business, it is time to make technology work for you. At ITS, we understand the importance

More information

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? SaaS vs. COTS Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? Unlike COTS solutions, SIMCO s CERDAAC is software that is offered as a service (SaaS). This offers several

More information

SAP SECURITY OPTIMIZATION

SAP SECURITY OPTIMIZATION SAP SECURITY OPTIMIZATION ABAP Checks This documents shows the description of all checks which are executed by the SAP Security Optimization Service for an ABAP system (Version from May 2014). Author:

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

SAP Netweaver Application Server and Netweaver Portal Security

SAP Netweaver Application Server and Netweaver Portal Security VU University Amsterdam SAP Netweaver Application Server and Netweaver Portal Security Author: Nick Kirtley Supervisors: Abbas Shahim, Frank Hakkennes Date: 28-09-2012 Organization: VU University Amsterdam,

More information

Use of The Information Services Active Directory Service (AD) Code of Practice

Use of The Information Services Active Directory Service (AD) Code of Practice Use of The Information Services Active Directory Service (AD) Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Processed on SAP Solution Manager Service Center Release EHP 1 for Solution Manager 7.0 Telephone Service Tool 701_2011_1 SP0 Fax

Processed on SAP Solution Manager Service Center Release EHP 1 for Solution Manager 7.0 Telephone Service Tool 701_2011_1 SP0 Fax SERVICE REPORT SAP Security Optimization Self-Service SAP System ID SAP Product Release DB System Customer Processed on SAP Solution Manager Service Center Release EHP 1 for Solution Manager 7.0 Telephone

More information

SAP R/3 Security Assessment Framework

SAP R/3 Security Assessment Framework NII CONSULTING SAP R/3 Security Assessment Framework Version 1.0 N E T W O R K I N T E L L I G E N C E (IN D I A ) P VT. L TD. Contents Objective... 3 Methodology... 4 Phase 1: User Authentication... 4

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Security and Risk Management

Security and Risk Management Mario Linkies and Horst Karin SAP Security and Risk Management Bonn Boston Contents at a Glance PART I Basic Principles of Risk Management and IT Security... 31 1 Risk and Control Management... 33 2 Enterprise

More information

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions Introduction This paper provides an overview of the integrated solution and a summary of implementation options

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM

TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM TEXAS AGRILIFE SERVER MANAGEMENT PROGRAM Policy Compliancy Checklist September 2014 The server management responsibilities described within are required to be performed per University, Agency or State

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

Securing the Cloud through Comprehensive Identity Management Solution

Securing the Cloud through Comprehensive Identity Management Solution Securing the Cloud through Comprehensive Identity Management Solution Millie Mak Senior IT Specialist What is Cloud Computing? A user experience and a business model Cloud computing is an emerging style

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

Cloud-based Managed Services for SAP. Service Catalogue

Cloud-based Managed Services for SAP. Service Catalogue Cloud-based Managed Services for SAP Service Catalogue Version 1.8 Date: 28.07.2015 TABLE OF CONTENTS Introduction... 4 Managed Services out of the Cloud... 4 Cloud-based Flexibility, Efficiency and Scalability...

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR

AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW. 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR AUDIT REPORT 03-11 WEB PORTAL SECURITY REVIEW 2004 FEBRUARY R. D. MacLEAN CITY AUDITOR Web Portal Security Review Page 2 Audit Report 03-11 Web Portal Security Review INDEX SECTION I EXECUTIVE SUMMARY

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions

InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions InfoSphere Guardium Ingmārs Briedis (ingmars.briedis@also.com) IBM SW solutions Agenda Any questions unresolved? The Guardium Architecture Integration with Existing Infrastructure Summary Any questions

More information

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Your Platform of Choice The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing Mark Cravotta EVP Sales and Service SingleHop LLC Talk About Confusing? Where do I start?

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

How RSA has helped EMC to secure its Virtual Infrastructure

How RSA has helped EMC to secure its Virtual Infrastructure How RSA has helped EMC to secure its Virtual Infrastructure A new solution, the RSA solution for Cloud Security and Compliance, has been developed and is now available to all of our customers. Luciano

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

Business-Driven, Compliant Identity Management

Business-Driven, Compliant Identity Management SAP Solution in Detail SAP NetWeaver SAP Identity Management Business-Driven, Compliant Identity Management Table of Contents 3 Quick Facts 4 Business Challenges: Managing Costs, Process Change, and Compliance

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems Course: Information Security Management in e-governance Day 1 Session 5: Securing Data and Operating systems Agenda Introduction to information, data and database systems Information security risks surrounding

More information

Security for Cloud- and On Premise Deployment. Mendix App Platform Technical Whitepaper

Security for Cloud- and On Premise Deployment. Mendix App Platform Technical Whitepaper Security for Cloud- and On Premise Deployment Mendix App Platform Technical Whitepaper Security for Cloud- and On Premise Deployment EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 THE MENDIX APP PLATFORM...

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server Inhalte Teil 01 Network Architecture Standards Network Components and Terminology Network Architecture Network Media Access Control Methods

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed

More information

SAP Single Sign-On 2.0 Overview Presentation

SAP Single Sign-On 2.0 Overview Presentation SAP Single Sign-On 2.0 Overview Presentation March 2016 Public Agenda SAP security portfolio Overview SAP Single Sign-On Single sign-on main scenarios Capabilities Summary 2016 SAP SE or an SAP affiliate

More information

SAP Standard for System Administration

SAP Standard for System Administration SAP Standard for E2E Solution Operations Document Version: 1.0 2014-12-12 SAP Solution Manager 7.1 Typographic Conventions Type Style Example Description Words or characters quoted from the screen. These

More information

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co.

Digital Pathways. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ. 0844 586 0040 intouch@digitalpathways.co.uk www.digpath.co. Harlow Enterprise Hub, Edinburgh Way, Harlow CM20 2NQ 0844 586 0040 intouch@digitalpathways.co.uk Security Services Menu has a full range of Security Services, some of which are also offered as a fully

More information

Fundamentals of a Windows Server Infrastructure MOC 10967

Fundamentals of a Windows Server Infrastructure MOC 10967 Fundamentals of a Windows Server Infrastructure MOC 10967 Course Outline Module 1: Installing and Configuring Windows Server 2012 This module explains how the Windows Server 2012 editions, installation

More information

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - 45 min Webinar: November 14th, 2014 The Cloud in Regulatory Affairs - Validation, Risk Management and Chances - www.cunesoft.com Rainer Schwarz Cunesoft Holger Spalt ivigilance 2014 Cunesoft GmbH PART

More information

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD SERVICE SUMMARY ITonDemand provides four levels of service to choose from to meet our clients range of needs. Plans can also be customized according to more specific environment needs. PREMIER SUPPORT

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

Application Gateway with Apache

Application Gateway with Apache Application Gateway with Apache Multi-backend scenarios Nghia Nguyen SAP NetWeaver RIG Americas, SAP Labs, LLC Introduction Session Objectives and Requirements Use Cases and Scenarios Limitations Configuring

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Security aspects of e-tailing. Chapter 7

Security aspects of e-tailing. Chapter 7 Security aspects of e-tailing Chapter 7 1 Learning Objectives Understand the general concerns of customers concerning security Understand what e-tailers can do to address these concerns 2 Players in e-tailing

More information

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less SERVICE SUMMARY ITonDemand provides four levels of service to choose from to meet our clients range of needs. Plans can also be customized according to more specific environment needs. SERVICES BRONZE

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

Service Catalog. it s Managed Plan Service Catalog

Service Catalog. it s Managed Plan Service Catalog Service Catalog it s Managed Plan Service Catalog 6/18/2012 Document Contents Contents Document Contents... 2 Overview... 3 Purpose... 3 Product Description... 3 Plan Overview... 3 Tracking... 3 What is

More information

Governance, Risk & Compliance for Public Sector

Governance, Risk & Compliance for Public Sector Governance, Risk & Compliance for Public Sector Steve Hagner EMEA GRC Solution Sales From egovernment to Oracle igovernment Increase Efficiency and Transparency Oracle igovernment

More information

MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE

MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE MINISTRY OF FINANCE, PLANNING AND ECONOMIC DEVELOPMENT THE THIRD FINANCIAL MANAGEMENT AND ACCOUNTABILITY PROGRAMME (FINMAPIII) TERMS OF REFERENCE IT SYSTEMS COMPLIANCE AND QUALITY ASSURANCE SPECIALIST

More information

Vendor Audit Questionnaire

Vendor Audit Questionnaire Vendor Audit Questionnaire The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be

More information

ATTACKS TO SAP WEB APPLICATIONS

ATTACKS TO SAP WEB APPLICATIONS ATTACKS TO SAP WEB APPLICATIONS by Mariano Nuñez Di Croce mnunez@onapsis.com BlackHat DC 2011 Briefings Abstract "SAP platforms are only accessible internally". While that was true in many organizations

More information

Enterprise Architecture Review Checklist

Enterprise Architecture Review Checklist Enterprise Architecture Review Checklist Software as a Service (SaaS) Solutions Overview This document serves as Informatica s Enterprise Architecture (EA) Review checklist for Cloud vendors that wish

More information

Checking Security Configuration and Authorization.. or how best to protect your data and keep the availability of your SAP solutions

Checking Security Configuration and Authorization.. or how best to protect your data and keep the availability of your SAP solutions Checking Security Configuration and Authorization.. or how best to protect your data and keep the availability of your SAP solutions SAP Active Global Support Security Services November 2015 Disclaimer

More information

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Inception of the SAP Platform's Brain Attacks on SAP Solution Manager Juan Perez-Etchegoyen jppereze@onapsis.com May 23 rd, 2012 HITB Conference, Amsterdam Disclaimer This publication is copyright 2012

More information

Intelligent Security Design, Development and Acquisition

Intelligent Security Design, Development and Acquisition PAGE 1 Intelligent Security Design, Development and Acquisition Presented by Kashif Dhatwani Security Practice Director BIAS Corporation Agenda PAGE 2 Introduction Security Challenges Securing the New

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

HP Security Framework. Jakub Andrle

HP Security Framework. Jakub Andrle HP Security Framework Jakub Andrle Hewlett-Packard 11.place in Fortune Magazine chart In fiscal year 2007 we achieved $7bilions growth CEO HP - Mark Hurd, company residence - Palo Alto, California, USA

More information

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services February 30, 2012 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation

More information

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide SAP Single Sign-On 2.0 SP04 Document Version: 1.0-2014-10-28 PUBLIC Secure Login for SAP Single Sign-On Implementation Guide Table of Contents 1 What Is Secure Login?....8 1.1 System Overview.... 8 1.1.1

More information

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

What IT Auditors Need to Know About Secure Shell. SSH Communications Security What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Information Security @ Blue Valley Schools FEBRUARY 2015

Information Security @ Blue Valley Schools FEBRUARY 2015 Information Security @ Blue Valley Schools FEBRUARY 2015 Student Data Privacy & Security Blue Valley is committed to providing an education beyond expectations to each of our students. To support that

More information

IT Service Management in SAP Solution Manager

IT Service Management in SAP Solution Manager Nathan Williams IT Service Management in SAP Solution Manager Bonn Boston Contents at a Glance PART I Introduction 1 An Overview of IT Service Management... 29 2 User Interfaces for SAP ITSM Functions

More information

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc. Company Co. Inc. LLC Multiple Minds, Singular Results LAN Domain Network Security Best Practices An integrated approach to securing Company Co. Inc. LLC s network Written and Approved By: Geoff Lacy, Tim

More information

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation

IBM Cloud Security Draft for Discussion September 12, 2011. 2011 IBM Corporation IBM Cloud Security Draft for Discussion September 12, 2011 IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns surrounding cloud computing

More information

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed?

CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed? CYBER-ATTACKS & SAP SYSTEMS Is our business-critical infrastructure exposed? by Mariano Nunez mnunez@onapsis.com Abstract Global Fortune 1000 companies, large governmental organizations and defense entities

More information

Position Description. Job Summary: Campus Job Scope:

Position Description. Job Summary: Campus Job Scope: Position Description Report Run Date Sep 10 2015 11:07AM Position Number: 02018467 Dept: ENT APPS & INFRASTRUCTURE SVCS - 061419 Position: WNDOWS SYSTEM APPLICATION ADMINISTRATOR Approved Payroll Title

More information