Section Two: Description of Controls Provided by SAP OnDemand

Transcription

1 SAS70 Type I SAP OnDemand Report on Controls Placed in Operation in Accordance with The 1801 Page Mill Road Palo Alto, California 94304

2 Table of Contents Section One: INDEPENDENT SERVICE AUDITORS REPORT... 3 Section Two: Description of Controls Provided by SAP OnDemand... 5 A. Overview of SAP OnDemand... 5 B. Description of Internal Control Components Control Environment Risk Assessment Monitoring Information and Communication Control Activities C. Control Objectives and Related Controls Organization and Administration Physical and Environmental Security Security Access Core Security Security Access Core Security Security Access Logical Access Security Access Network Security Change Management Computer Operations and Availability Customer Implementation and Setup D. Client Control Considerations Section Three: Information Provided by the Service Auditor Section Four: Other Information Provided by SAP OnDemand... 37

3

4

5 Section Two: Description of Controls Provided by SAP OnDemand A. Overview of SAP OnDemand SAP AG is comprised of three business segments: product, consulting, and training. Its product portfolio consists of SAP Business Suite software for large organizations and international corporations; SAP Business All-in-One solutions, the SAP Business ByDesign solution, the SAP Business One application, which address the needs of small businesses and midsize companies; the SAP OnDemand portfolio, which covers a variety of demands from small to large companies; SAP solutions for sustainability, and the SAP NetWeaver technology platform. Overview of OnDemand Solutions SAP s OnDemand approach is to build an open, networked platform with a choice of shared technology services governed by a common framework of standards around quality, security, performance, integrity, ease of integration, openness, developer productivity, and extensibility. OnDemand applications are designed to seamlessly integrate with customers on-premise and on-demand systems, as well as mobile devices. The SAP OnDemand portfolio includes, but is not limited to, three key applications: SAP StreamWork, Business Intelligence On-Demand (BIOD), and Crystal Reports Dot Com (CRDC). StreamWork and BIOD applications are built on a shared BusinessObjects platform and utilize shared services for application logic and user authentication. This allows for a user to have the same credentials in both applications online. SAP StreamWork is an on-demand, collaborative decision-making application. Currently, most businesses use a range of applications on a daily basis, including e- mail, collaboration products, business systems and Web 2.0 applications to do their work and make decisions. As a result, work often becomes chaotic and hard to follow and can hinder clear decisions. SAP addresses this challenge with SAP StreamWork, which brings together people, information and proven business methodologies to help teams naturally and fluidly work toward goals and outcomes. Teams can assess situations together, develop strategies and make clear decisions, with a full record of what transpired. BIOD is a hosted business intelligence platform that allows users to bring in different data sources to the online engine and explore the data with the software s unique search and browse functionality. The integrated solution lets users create accurate, timely dashboards and reports. Users no longer need to pull together sales reports from various sources or manually create pivot tables, charts, and graphs. BIOD allows users to share information created online with team members. 5

6 CRDC is an on-demand service for users to distribute Crystal Reports files over the Web, instead of by or hard copy. SAP OnDemand hosts customer report files online thereby eliminating the need to deploy infrastructure or depend on internal IT departments. Customers upload existing reports to crystalreports.com and direct users to the reports specific URLs to let others view the reports online. Managing all reports at a central location ensures that users view the most recent version of the report, refreshed with current data. Scope of SAS 70 Report The scope of this report is limited to the SAP StreamWork application, BIOD application, and CRDC application. Unless specifically noted otherwise, the description of controls in this report applies to all three applications. Management responsibilities of these three applications reside within the OnDemand department. SAP OnDemand is an entity within the global SAP AG organization and must follow company-wide requirements. In addition, OnDemand polices have been created to address the specific needs of the three applications managed by SAP OnDemand. B. Description of Internal Control Components An enterprise s control foundation is designed to provide reasonable assurance that specific objectives can be achieved through aspects of the: (1) control environment; (2) risk assessment; (3) information and communication systems; (4) monitoring; and (5) control activities. This report is specifically intended to provide an SAP OnDemand client or user auditor with an understanding of controls that comprise SAP s OnDemand internal control structure that may be relevant to a user organization. 1. Control Environment A company s internal control environment reflects the overall attitude, awareness, and actions of management and others regarding the importance of controls and the emphasis given to controls in the organization s policies, procedures, methods, and organizational structure. The IT control environment is directed by a top-level set of objectives and policies. SAP OnDemand management takes the organizational structure and responsibilities seriously, and plays an active role in the governance of company controls. The organization has defined a clear reporting structure and company departments to allow for clear responsibilities and measurement against defined objectives. Information security enforcement responsibility resides with the Information Security Officer and specific security duties have been delegated to Engineering, Operations, and Administration departments to address specific business risks. See figure 1. 6

7 Figure 1: SAP OnDemand Governance & Security Administration Organization Overview A properly implemented control environment is attained when all three aspects of maturity (capability, coverage and control) have been addressed. Improving maturity reduces risk and improves efficiency, leading to fewer errors, more predictable processes and a cost-efficient use of resources. Operational excellence, including a strong control environment, is encouraged at all levels within the organization. SAP OnDemand requires all managers to continually emphasize integrity as a standard of performance for all employees. Policies and Procedures Polices in place at SAP OnDemand are defined at two levels, level one is at the corporate level and level two is by SAP OnDemand. Corporate wide polices set by SAP AG are followed and cover general business operational procedures, such polices include: Employee On-Boarding and Termination Process SAP Global Security Policy SAP Internal Password Requirements SAP Internal Authorization Policy SAP Data Protection Policy SAP Secure Software Development Life Cycle 7

8 SAP OnDemand has defined their own written policies and procedures for specific functions performed continuously. SAP OnDemand policies meet all the general corporate guidelines, but are designed to address the specific risks associated with the SaaS function of SAP OnDemand. The following policies and procedures are in place to guide department and company operations: Information Security Management System (ISMS) Policy OnDemand Change Management Policy Data Backup and Restoration Policy StreamWork Enterprise Security Guide CSC Remote Access Policy CSC Password Requirements JIRA change board workflow Sub-service Organizations SAP OnDemand has contracted with a co-location service provider to provide and maintain data processing and network operations for on-demand applications. The primary data center is operated by Computer Sciences Corporation (CSC) and is located in Chicago, Illinois. CSC provides managed services and core physical security for StreamWork, BIOD, and CRDC applications. 2. Risk Assessment SAP OnDemand management has incorporated an annual risk assessment throughout its processes. Management is responsible for implementing procedures to monitor and mitigate risks. In the event that new risks are identified, SAP OnDemand evaluates the current control environment and implements additional controls to address crucial risks. SAP OnDemand recognizes that risk assessment is a critical component of its operations and it helps ensure that client data is properly protected and that ondemand services are provided in an accurate and timely manner. SAP OnDemand has identified the following factors as significant business risks to their on-demand software products and monitors their impact accordingly. Changes to regulations in the operating environment Rapid growth in the customer base Changes and/or updates to the relevant Company technology Addition of new products and/or services to clients Addition of new staff to execute business operations Based on the factors above, SAP OnDemand management determines the potential risks involved, identifies strategies for mitigating those risks, and monitors the identified risks for changes. 8

9 3. Monitoring The SAP OnDemand operations team monitors the daily business and operational activities including the internal control environment as a routine part of the Company s activities. Key indicator reports have been implemented to measure the performance of mission critical processes. Reports are analyzed over time to chart system performance and respond with corrective action as necessary GroundWork Open Source (GWOS) is used for system monitoring of critical application and system performance. SAP OnDemand monitors physical usage including: CPU, disk, and bandwidth utilization of production servers. Additionally several system checks are in place to alert management of system availability and response time of services. In the event that a system monitor detects excessive utilization or response times out of approved thresholds, management is automatically notified of the issue. To track customer reported system incidents regarding the BIOD application, SAP OnDemand has implemented ZenDesk issue tracking software. ZenDesk provides a centralized repository to document actions taken and allows for post incident review and root cause analysis. WhiteHat Security performs weekly pen tests on the staging environment to evaluate the application security of the StreamWork application. SAP OnDemand reviews the results from the WhiteHat testing on a regular basis and addresses vulnerabilities identified. Qualys network penetration testing is employed by CSC to test the network security of the SAP OnDemand platform. 4. Information and Communication Production servers and client facing applications are logically and physically secured separately from SAP OnDemand s internal corporate information systems. Awareness and understanding of business and IT objectives have been communicated to appropriate stakeholders and users throughout the enterprise. SAP OnDemand has implemented formal communication procedures to keep employees informed of Company objectives and changes. Communications on Company updates and client information are necessary for employees to make informed decisions directly impacting the Company s business and client service delivery. SAP uses the StreamWork application and regularly held management, department, and cross-functional team meetings to communicate within the organization. Regular correspondences are sent via informing staff of significant events, news, and other important business information. 9

10 5. Control Activities SAP OnDemand has established a set of policies, procedures and practices to help ensure business objectives are achieved and risk mitigation strategies are carried out. Control activities are developed to specifically address each control objective to mitigate the risks identified. These controls are part of the information technology structure and architecture and include: Organizational and Administration controls over hiring and terminations as well as defining roles and responsibilities of employees; Physical and Environmental Security controls over unauthorized access and physical control surrounding information systems; Security Access Core Security controls over day to day and periodic security procedures performed at SAP OnDemand; Security Access Logical Access controls to prevent inappropriate and unauthorized use of systems; Security Access Network Security controls over network authentication, both local and remote; Change Management controls over development methodology, which includes system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints to control the development or maintenance of the project; Computer Operations and Availability controls over system backups and monitoring. 10

11 C. Control Objectives and Related Controls The following outline lists control objectives relevant to SAP OnDemand s processing environment. Organization and Administration (OA) OA-1: Organizational structure with roles and responsibilities has been defined. OA-3: Appropriate termination procedures are followed when an individual s employment is terminated or separated from or by the Company. OA-5: Appropriate background verification checks are performed for hiring personnel. OA-7: Orientation and training programs are established for employees and contractors to maintain current knowledge and skills. Physical and Environmental Security (PES) PES-1: Physical access restrictions are implemented to prevent unauthorized access to critical processing centers. PES-3: Hosting 3rd party vendor provides complete support and in a needed time frame. Security Access Core Security (SA/C) SA/C-1: Management has ensured that corrective security measures have been implemented, including policies, procedures and activities to protect the organization's assets as well as customer assets. SA/C-3: Network penetration testing is performed periodically while application penetration and security testing is performed weekly. SA/C-4: Management and staff receive security training and security awareness. Security Access Logical Access (SA/L) SA/L-1: Management has established proper security controls to prevent unauthorized access to sensitive company and customer data. SA/L-2: Super-user accounts are restricted to appropriate personnel and critical activities are monitored accordingly. SA/L-3: Segregation of duties exists between those requesting, approving and provisioning user access, with provisioning capabilities being appropriately restricted. SA/L-5: Management has implemented two-factor authentication for access to the primary application code and access to the production environment. SA/L-6: Authentication/Authorization into the core application and database is role or user-based. 11

12 SA/L-7: Passwords for accessing the data center systems (network, servers) are unique and required to follow the datacenter's password security guidelines. Passwords for accessing the application and database are required to follow the SAP OnDemand corporate password guidelines. SA/L-8: Identity integration: Automated password policy enforcement has been established for the hosted application. Shared authentication has been established for the OnDemand applications. Security Access Network Security (SA/N) SA/N-1: Network authentication exists, is restricted and terminated employees, staff, consultants are removed in a 24 hour window. SA/N-3: Remote access into the sandbox, staging and production environments is restricted. Change Management (CM) CM-1: Management has defined and implemented a process for managing changes to existing software systems. CM-2: Proper testing, quality assurance and approvals are performed prior to the deployment of new systems and changes to existing systems. CM-3: Separate environments exist for development, testing, production, and backup of systems software. CM-4: Procedures exist and are enforced for emergency changes. CM-5: Roll-back procedures are in-place in the event system upgrades and new releases do not work or become corrupted. CM-6: Segregation of duties is enforced when promoting changes into production. Computer Operations & Availability (COPA) COPA-4: Backup and restoration schedules are enforced. Incremental backups happen daily and full backups weekly. Customer Implementation and Setup (CIS) CIS-1: Management has defined and established a process for the setup and management of only BIOD enterprise customers in accordance to established contracts. CIS-2: Management has established service level agreements with third party hosting provider to meet the necessary requirements. 12