SAP Standard for Security




SAP Standard for E2E Solution Operations
Document Version: 1.0
2014-12-12
SAP Solution Manager 7.1

Typographic Conventions

Type Style: Description
Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example: Emphasized words or expressions.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.

2014 SAP SE or an SAP affiliate company. All rights reserved.

Document History

Version: 1.0
Date: 2014-12-12
Change: First version created

Table of Contents

1 SAP Standards for E2E Solution Operations
2 Overview of the Standard for Security
2.1 People and Roles
3 Lifecycle of Security
3.1 Plan
3.2 Build
3.3 Run
3.4 Optimize
4 Driving Continuous Improvement
4.1 Quality Assurance Tasks
4.2 Quality Targets and KPIs
5 Training
6 More information

1 SAP Standards for E2E Solution Operations

IT organizations face new challenges every day as they attempt to remain effective and future-proof while also keeping costs for day-to-day operations as low as possible. They are also being challenged more than ever to demonstrate their value to the business. It is therefore important to optimize the day-to-day tasks that have less obvious business value and to use KPI- and benchmark-based reporting to make IT processes more visible, demonstrating the real value that IT can provide.

To minimize the costs of IT, it is necessary to standardize and automate IT processes end-to-end (E2E) without reducing the SLAs required by the business, such as stability, availability, performance, process and data transparency, data consistency, IT process compliance, and so on.

Based on the experience gained by SAP Active Global Support (AGS) while serving more than 36,000 customers, SAP has defined process standards and best practices to help customers set up and run E2E solution operations for their SAP-centric solutions.

The Build phase of SAP best practices supports a Build SAP Like a Factory approach, consisting of the following processes:
- Custom code management
- Change, test, and release management
- Incident, problem, and request management
- Solution documentation
- Remote supportability

During the Run phase of a solution, adapting your IT infrastructure to a Run SAP Like a Factory operation affects both application operations and business process operations. Operations processes such as technical monitoring, end-to-end root-cause analysis, technical administration, and data volume management therefore need to be optimized to achieve state-of-the-art application operations. In business process operations, the same applies to business process and interface monitoring (including performance optimization), data consistency management, and job scheduling management.

Quality management processes and tasks need to be established throughout the lifecycle to guarantee continuous improvement of the end-to-end operations processes while ensuring the flexibility needed to react to changing requirements.

Figure 1: Organizational model for solution operations

This figure shows an organizational model for solution operations that aligns SAP best practice topics and E2E standards with SAP's control center approach. The Operations Control Center executes and controls the Run SAP Like a Factory processes, while the Innovation Control Center ensures optimal custom code management and a smooth transition to production with integration validation procedures. SAP connects to these control centers from the Mission Control Center to ensure that professional support is available to the customer.

The following Application Lifecycle Management (ALM) functions are not provided directly in one of the control centers because they must be handled across different areas:
- Change, test, and release management
- Incident, problem, and request management
- Solution documentation
- Remote supportability

The quality management methodologies are an essential part of SAP's Advanced Customer Center of Expertise (CoE) concept and ensure that the KPI-driven processes are continuously improved across all processes and teams. In addition, the quality manager roles ensure consistent and value-centric reporting to the business and management. This unified reporting platform is known as the Single Source of Truth.

1.1 Control Center Approach

The Operations Control Center (OCC) is the physical manifestation of the Run SAP Like a Factory philosophy. The OCC allows for automated, proactive operations, which reduces operational costs while increasing the quality of IT services, leading to improved business satisfaction. The OCC also drives continuous improvement of business processes and IT support. To achieve these goals, it relies on close interaction with both the Innovation Control Center (ICC) and the SAP Mission Control Center (MCC).

Figure 2: Interaction Between ICC, OCC, and MCC

The OCC is a central IT support entity at the customer site, which monitors the productive SAP environment as well as important non-SAP applications. During operation, the OCC requires a workforce of 2 full-time equivalents (FTE) per shift to ensure that incidents are detected and resolved as quickly as possible. The OCC is equipped with large screens that display the status of business processes and IT landscape components, as well as exceptions and alerts. If problems occur, you use a video link to get live support from SAP and partners. The customer usually sets up the room with assistance from SAP Active Global Support (AGS). The customer is responsible for managing the OCC and the team of technical and functional IT operators who act on the alerts.

The OCC is most effective when closely integrated with other IT processes, such as IT Service Management (ITSM) and Change Management. Central monitors and dashboards based on application and business process operations display the current status of business and IT-related processes. This data can also be used to drive continuous improvement. An effective system monitoring and alerting infrastructure is fundamental to the success of an OCC.

Figure 3: OCC Concept

For Job Scheduling Management, the OCC supervises all background monitoring processes, SAP controls, and legacy background operations. It reacts to job monitoring alerts according to predefined error-resolution activities, and triggers follow-up activities for error handling if the relevant tasks are not completed within a certain timeframe.

2 Overview of the Standard for Security

The Standard for Security aims to protect the company's critical business processes and assets, as well as to ensure compliance with external regulations and standards, such as data protection laws and the Sarbanes-Oxley Act (SOX). It secures the availability and integrity of critical business processes, both company-internal processes and collaborative processes with customers or other contractors, and protects the confidentiality and integrity of sensitive information. These objectives are accomplished by addressing ten different security topics, known as secure operations tracks, as shown in the Secure Operations Map.

Figure 4: Secure Operations Map

The Secure Operations Map provides an overview of the secure operations tracks, relating each track to one of the following five principal areas:
- Compliance
- Secure Collaboration
- Identity and Access Management
- Infrastructure Security
- Software Lifecycle Security

This classification follows the SAP Security Solution Map, which structures the SAP product and service offering with regard to security. For more information about the SAP Security Solution Map, see the SAP Developer Network at https://www.sdn.sap.com/irj/sdn/security.

Compliance
- Audit: Ensure and verify the compliance of your company's IT infrastructure and operation with internal and external guidelines and regulations
- Outsourcing: Ensure secure operation for outsourced IT services
- Emergency Concept: Prepare for and react to emergency situations

Secure Collaboration
- Secure Process and People Collaboration: Maintain security of processes and collaboration using the security capabilities of automated business processes and document exchanges

Identity and Access Management
- User and Authorization Management: Manage IT users, authorizations, and authentication
- Administration Concept: Securely administer all aspects of solution operations

Infrastructure Security
- Network, System, Database, and Workstation Security: Establish and maintain the security of all infrastructure components

Software Lifecycle Security
- Secure Application Lifecycle: Securely develop and maintain the code base of standard and custom business applications
- Secure Configuration: Establish and maintain a secure configuration of standard and custom business applications
- Secure Support: Resolve software incidents securely

For more information about each operations track, see the SAP Security Optimization page on SAP Service Marketplace at https://service.sap.com/sos.

Note: The secure operations tracks only describe security measures for SAP business solutions. Other security measures that constitute a comprehensive and complete security concept, such as physical measures that control access to facilities or sites, are not covered by this document. SAP recommends performing the specific design, setup, and operation activities within all of the secure operations tracks to ensure comprehensive security for your SAP systems.

Figure 5: General Activities Mapped to Single Tracks

For low or medium security requirements, you can follow the best practice recommendations provided for each secure operations track. For elevated security requirements, however, you need to perform a comprehensive risk analysis to determine the appropriate security measures. This risk analysis is based on a profound knowledge of the company's critical business processes and must be performed during the Plan (Design) phase.

Successfully designing, implementing, and operating a comprehensive IT security concept requires support and commitment from top-level management. In addition, you need personnel with the relevant knowledge of security and an understanding of the company's critical business processes. As part of their commitment to security, management must implement the following measures:
- Create a company-wide security policy that outlines general security principles and guidelines. This document should manifest the company's commitment to security.
- Define dedicated security roles and establish a clear reporting line with the overall responsibility at board level.
- Provide those responsible for security with a dedicated security budget.

2.1 People and Roles

This section provides a basic introduction to common security roles and an overview of typical activities associated with each role. This overview is not a complete guide to roles and is not intended for use as a blueprint. Role concepts are unique to each company because they vary depending on both the size of the organization and how it is structured. However, the organization model of each company must still comply with the Segregation of Duties (SoD) requirements imposed by legal regulations, such as the Sarbanes-Oxley Act (SOX).

Group / Role: Activities and Responsibilities

Technical
- System Administrator: Maintains technical systems, defines backup and recovery concept, performs emergency response process
- Network Administrator: Network segmentation, firewall configuration, communication channel encryption
- Application Management: Policy definition on application level, definition of security requirements
- Database Administrator: Configuration of database, implementing encryption
- Test Management: Test concepts for in-house or third-party developments
- Internal Help Desk Personnel: Management of support connections, handling or forwarding of incidents, incident reproduction on test systems

Security Team (technical and operational)
- Security Administrator: Defines alerting and emergency response concept
- Authorization Administrator: Creates and manages roles
- User Administrator: Creates and manages users, performs risk analysis of user authorization assignment, ensures user-appropriate provisioning and deprovisioning of roles

Security Team (legal and technical assessment)
- Security Management: Policy definition, approval and publication, requirements definition, selection and assessment of security measures
- Data Protection Office: Identification and verification of privacy requirements with regard to employees and customers
- Internal Auditor: Verification of legal (external) or internal requirements
- Security Analyst: In-depth security assessments
- External Auditor: Independent assessment of the internal security compliance

Business Management (responsibility)
- Business Process Owner (planning of processes) and Business Expert (manages implemented processes): Identify and document process-specific risks, process monitoring, conflict resolution, role design (SoD)
- IT Management: Budgeting, requirements definition, decision on tools, selection and assessment of security measures (in accordance with Security Team)
- Risk Analyst: Comprehensive risk analysis, impact and probability estimations, cost/benefit estimations

3 Lifecycle of Security

This document describes the best practices for the security-relevant activities that you need to perform during the operations and optimization phase. The prerequisite activities of the design and setup phase are only briefly outlined here. For more detailed information, see the SAP Security Optimization page on SAP Service Marketplace at http://service.sap.com/sos.

The SAP Security Optimization page is structured according to the Secure Operations Map and its secure operations tracks. On the SAP Security Optimization page, the relevant chapters for the operations tracks consist of an operations track document describing the relevant prerequisites and best practices for all phases within the track. To address a certain track, the responsible security stakeholders can focus on the relevant section in each of these documents. Each section describes important activities, related organizational roles, standard and optional SAP tools, as well as relevant training activities.

Activities follow the same pattern in the Design, Setup, and Operations & Optimization phases, regardless of the actual track. This pattern complies with the common understanding of a security process as outlined by international standards, such as ISO/IEC 27001:2005, and refinements by national standardization bodies, for example, the German Federal Office for Information Security (BSI).

Figure 6: Security Process for All Secure Operations Tracks

3.1 Plan

The criticality of each business process affects how you need to design your security process. For standard security requirements, you can simply follow a best practice approach; for critical business processes, however, you need to perform a comprehensive risk analysis and additional supporting processes. For more information about how to design a risk analysis in the design operation phase, as well as the specific responsibilities and future actions, see the Design Operations chapter of the relevant operations track document on SAP Service Marketplace at http://service.sap.com/sos.

3.2 Build

Implementing the security concepts usually involves several steps and various installation and configuration activities. For a list of all typical activities as well as details about testing and review, see the Setup Operations chapter of the relevant operations track document on SAP Service Marketplace at http://service.sap.com/sos.

3.3 Run

Dedicated review processes conducted by administrative roles verify the successful enforcement of the company's security policy and ensure that the correct implementation of security measures is not harmed by changes to systems and applications. For detailed information about who should be involved in the review processes, how to measure the defined security KPIs, and references to the company's security policy, see the Operations & Optimization chapter of the relevant operations track document on SAP Service Marketplace at http://service.sap.com/sos.

3.4 Optimize

This section introduces a series of general criteria that allow organizations to measure the quality or maturity of information security management systems (ISMS) as well as of the individual secure operations tracks as they are used in this standard. You can then use this information to optimize security in your organization.

Note: These criteria only provide initial guidance; you need to continuously monitor and evaluate them during operation to determine their effectiveness and drive improvement. Depending on individual needs and requirements, you should define a different set of objectives for each of the 10 secure operations tracks to compare with the actual situation.

The different criteria are categorized as follows:
- Process criteria: Concern the quality and type of security-related workflows within the company
- Organizational criteria: Indicate the commitment and support of security by top-level management
- Tool criteria: Describe the quality and extent of tool support
- Measurement and improvement criteria: Describe feedback and improvement cycles

Process Criteria

Predefined security workflows

Without predefined workflows, security-related activities are performed on an ad-hoc basis, that is, without a clear concept and procedure description. In such cases, the same type of security incident may result in entirely different mitigations. Predefined processes for specific incidents result in effective, reliable, and controllable mitigation activities that are always performed in the same manner, regardless of who actually executes the workflow.

Proactive security-related activities

Less mature organizations only perform security-related activities if there is an immediate need, for example, if there is a security breach, an external audit, or they need to import a new support package. In such companies, security-related activities are primarily reactive or event-driven. More mature companies operate proactively. They continuously prepare for and plan security activities, without an immediate need but with a planned and controlled schedule, for example, in terms of review processes and internal audits that help verify the compliance of the company's security implementation with internal and external requirements.

Documentation of activities

More advanced security implementations ensure comprehensive documentation of security activities. Ideally, the documentation is available from a central information repository that also provides access to all relevant security concepts and, for example, a full description of the IT infrastructure.

Coverage of RunSAP security topics

High coverage of RunSAP security topics generally leads to a high level of security. More mature companies define security workflows, that is, maintenance and review processes, for most of the secure operations tracks. Less mature companies only define the most central tracks, such as user provisioning.

Organizational Criteria

Company-wide security policy

A company-wide security policy ensures that top-level management is committed to the objectives, value, scope, and direction of all security activities performed within the company. This policy should be made available to all employees, for example, from the company's internal portal.

Dedicated budget and personnel

There should be a dedicated budget for security. Security-related activities should also be performed by trained security experts who are assigned to specific areas. In less mature organizations, security activities are performed by other administrative personnel, such as system administrators, which can eventually cause SoD conflicts.

Regular training and awareness campaigns

There should be regular training activities and campaigns to increase awareness of security issues among all personnel.

Tool Criteria

Workflow tools

Tools should be implemented to enforce and document security workflows during operations. In less mature organizations, workflows might exist on paper, but compliance and execution are not enforced. The Change Request Management and Change Control Management components of SAP Solution Manager can provide significant support in this context.

Monitoring and review tools

Security-related information should be monitored and reviewed as close to real time as possible using intrusion detection systems. Configuration and authorization settings should also be verified on a periodic basis, for example, using the SAP Security Optimization Service.

Automatically triggered workflows

Incidents detected by monitoring and review tools must automatically trigger the corresponding workflows for incident resolution.

Measurement and Improvement Criteria

Continuous measurement and periodic evaluation of KPIs

Continuously measuring and evaluating KPI results steadily optimizes implemented processes, without the need to repeat the RunSAP Design and Setup phases.

Systematic and extensive approach to the Operations & Optimization phase

Bigger optimization measures after go-live usually involve substantial changes to the company's security concept. For such large-scale optimizations, you should repeat all RunSAP phases for the given secure operations track. These changes improve the company's standard security level by introducing qualitative measures, for example, tool support of security processes. The maturity of an organization in this regard depends on the extent and systematic approach with which such automations are performed during the RunSAP Operations & Optimization phase.

4 Driving Continuous Improvement

It is important that your organization learns from the day-to-day operation of security-related activities so that security measures become increasingly effective and efficient. This section describes some key steps you can take to drive continuous improvement and increased value for your security processes.

4.1 Quality Assurance Tasks

From a quality management perspective, the key tasks are as follows:
- Track the implementation status of SAP Security Notes (implementation date vs. release date)
- Track the results of security audits and ensure follow-up
- Track compliance with security controls
- Evaluate the results of security-related SLA agreements
- Ensure that action items are identified for SLA deviations
- Deploy security awareness campaigns
- Request services from the SAP Security Optimization Service portfolio

For an indication of an appropriate KPI setup and measurement, consider the answers to the following questions to ensure that security for users and systems is under control and is communicated to all related parties:
- How do you decide whether to implement SAP Security Notes?
- How, and how often, do you review user authorizations?
- How, and how often, do you review infrastructure security?
- How, and how often, do you review your security policy?
- How often do you hold security meetings, and who (which roles) must participate?

4.2 Quality Targets and KPIs

To ensure continuous improvement of the security management process and drive the value recognition of IT, the most important quality targets are as follows:
- Increase trust in and reliability of SAP solutions by keeping them secure, confidential, and available
- Ensure legal compliance through transparency and authenticity
- Protect investment and reduce TCO

To assess the quality of the security management process, clearly defined parameters and measurable objectives are required. The key parameters should be collated and evaluated in regular reports. The historical data created in this way can be used to identify trends and then derive the necessary measures. The following table describes the main challenges for each of these quality targets and which KPIs can be used to measure the success of your implementation:

Quality target: Increase trust and reliability of SAP solutions by keeping them secure, confidential, and available
  Challenges:
  - Taking action proactively before severe security problems occur
  - Identifying and prioritizing risks
  - Reviewing security maintenance processes as described in this standard
  - Reviewing secure programming policy adherence
  - Ensuring appropriate SAP landscape security monitoring
  - Setting up individual security thresholds
  KPIs:
  - Coverage of identified security threats with implemented preventive measures
  - Rate of response for high-risk incidents
  - Number of incidents related to remediation of security issues
  - Number of vulnerabilities not proactively identified

Quality target: Ensure legal compliance through transparency and authenticity
  Challenges:
  - Transparency: ensuring that security for users and systems is under control and communicated to all related parties according to the updated policy
  - Maintenance and review of authorizations to make sure that they meet legal and company-specific requirements
  - Review of managed access
  - Communication within different departments
  KPIs:
  - Number of security reviews
  - Number of security alignment meetings
  - Percentage of IT staff who participated in trainings in one year
  - Gap between the release of an SAP Security Note and its implementation
  - Number of incidents caused by a missing SAP Security Note
  - Number of reviews of assigned roles vs. actual requirements
  - Ratio of changes in standards/policies leading to IT reviews

Quality target: Protect investment and reduce TCO
  Challenges:
  - Reducing the risk of costly downtime due to wrong user interaction
  KPIs:
  - Number of security-related downtimes
  - Ratio of profile changes for users in one year
  - Number of incidents caused by incorrect or missing roles
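As an added example (not part of the SAP standard), the following script shows how the Security Note KPIs from the quality assurance tasks in section 4.1 and from the table above could be measured from a note-tracking list: the implementation gap per note, coverage, and notes still outstanding beyond a per-priority SLA. The record fields, the SLA thresholds and the note records are constructed assumptions, not SAP data.

```python
"""KPI report for SAP Security Note implementation status (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class SecurityNote:
    note_id: str                 # identifier of the note (constructed samples below)
    priority: str                # "HotNews", "High", "Medium" or "Low"
    released: date               # date SAP released the note
    implemented: Optional[date]  # date the note went live, None if still open


# Assumed SLA: maximum days allowed between release and implementation, per priority.
SLA_DAYS = {"HotNews": 7, "High": 30, "Medium": 90, "Low": 180}


def implementation_gap_days(notes: List[SecurityNote], today: date) -> Dict[str, int]:
    """Days from release to implementation; for open notes, days open so far."""
    return {n.note_id: ((n.implemented or today) - n.released).days for n in notes}


def kpi_report(notes: List[SecurityNote], today: date) -> dict:
    """Coverage, gap statistics and SLA breaches for one reporting date."""
    gaps = implementation_gap_days(notes, today)
    done = [n for n in notes if n.implemented is not None]
    overdue = [n for n in notes
               if n.implemented is None and gaps[n.note_id] > SLA_DAYS[n.priority]]
    return {
        "coverage_pct": round(100 * len(done) / len(notes), 1),
        "mean_gap_days": round(mean(gaps[n.note_id] for n in done), 1) if done else None,
        "max_gap_days": max(gaps[n.note_id] for n in done) if done else None,
        "overdue_by_priority": {p: sum(1 for n in overdue if n.priority == p) for p in SLA_DAYS},
        "overdue_ids": sorted(n.note_id for n in overdue),
    }


# Constructed sample tracking data; the IDs and dates are placeholders.
SAMPLE_NOTES = [
    SecurityNote("SAMPLE-1", "HotNews", date(2014, 3, 11), date(2014, 3, 14)),
    SecurityNote("SAMPLE-2", "High", date(2014, 2, 11), date(2014, 4, 1)),
    SecurityNote("SAMPLE-3", "High", date(2014, 4, 8), None),
    SecurityNote("SAMPLE-4", "Medium", date(2014, 1, 14), None),
    SecurityNote("SAMPLE-5", "Low", date(2014, 5, 13), None),
]
TODAY = date(2014, 6, 1)

if __name__ == "__main__":
    for key, value in kpi_report(SAMPLE_NOTES, TODAY).items():
        print(f"{key}: {value}")
```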

5 Training

GRC300 SAP BusinessObjects Access Control - Implementation and Configuration
Course Content:
- Introduction to SAP Access Control
- Architecture, Security, and Authorizations
- Authorization Risks and the SoD Risk Management Process
- Shared Configuration Settings
- SAP Access Control Repository
- Business Rule Framework (BRF)
- MSMP Workflow
- Analyze and Manage Risk
- Emergency Access Management
- Design and Manage Roles
- Provision and Manage Users
- Periodic Access Review Process
- Reports and Custom Fields
- SAP Access Control Implementation

TZGC53 EPT SAP BusinessObjects Access Control 5.3
Course Content:
- Overview of SAP Access Control 5.3
- Risk Analysis and Remediation
- Superuser Privilege Management
- Compliant User Provisioning
- Enterprise Role Management
- Integration and Security
- Integration with Non-SAP Systems
- Customer Scenarios

FIN900 System Audit with SAP
Course Content:
- Impact of the Sarbanes-Oxley Act and other auditing standards (for example, ISA) that are relevant for auditors on the audit process
- Compact overview of the authorization concept
- Role-based setup of the AIS and commercial audits with the AIS
- Basic system settings and logs
- Organizational units and organizational structure within an SAP system
- Practical analysis of risks and controls using test cases
- General Customizing and controls in Accounting, taking into account the impact on the audit process
- Auditing business processes, for example, Procurement, Production, and Sales Order Processing
- Auditing the end-of-period financial statements
- Auditing of specific evaluation methods
- Transfer of financial accounting data, balances, and document information to the auditor's computer in a standard format for further analysis (for example, in ACL, IDEA, Excel)

FIN910 Management of Internal Controls
Course Content:
- MIC positioning
- Maintaining the organizational structure
- Maintaining the central process catalog
- Scheduling assessments and testing
- Performing assessments and testing
- Management controls
- Roles and responsibilities in MIC
- Sign-off and reporting
- MIC Dashboard

ADM950 Secure SAP System Management
Course Content:
- Introduction to Internal Security Auditing
- Customizing and Usage of AIS
- Users and Authorizations Audit
- System Audit
- Repository and Table Audit
- Security in Change Management
- Security Assessment

Curriculum: SAP NetWeaver Process Integration (Exchange Infrastructure)
Course Content:
- Architecture and components of SAP NetWeaver Process Integration
- Configuration and runtime behavior of synchronous and asynchronous scenarios
- Connecting back-end systems using proxies and adapters
- Overview of mapping
- Overview of cross-component Business Process Management
- Outlook on SAP NetWeaver Process Integration in the context of Enterprise SOA

Curriculum: Cross Component Role User and Security Administration
Course Content:
- Fundamentals of SAP NetWeaver Application Server (SAPTEC)
- Administration AS ABAP I (ADM100)
- Security in SAP System Environments (ADM960)
- Secure SAP System Management (ADM950)
- Authorization Concept AS ABAP (ADM940)

TZNWIM User Management by SAP NetWeaver Identity Management
Course Content:
- SAP NetWeaver Identity Management 7.1
- SAP NetWeaver Identity Management 7.2

GRC310 SAP BusinessObjects Access Control Compliant User Provisioning & Enterprise Role Management
Course Content:
- Overview of SAP GRC AC
- Basic Concepts of Role Design
- Strategies for Role Maintenance in SAP GRC AC
- Pre-workflow System Configuration
- Workflow Configuration
- Integration in the System Landscape and Master Data
- Reporting
- Business case integrating SAP GRC AC risk analysis, role maintenance, and user provisioning features

6 More Information

Documentation and links:

- Security and Optimization Service
  http://service.sap.com/sos

- SAP Security Notes
  https://service.sap.com/securitynotes

- Configuration Validation (Details)
  http://wiki.scn.sap.com/wiki/display/techops/ConfVal_Home

- Security Audit Log
  https://help.sap.com/nw70 > Security Information > Security Guide > Security Aspects for System Management > Auditing and Logging > The Security Audit Log

- SIS264 Securing Remote Access within SAP NetWeaver AS ABAP
  https://support.sap.com/content/dam/library/support/support-programs-services/support-services/sis264_011b_securing_rfc.pdf

- Protecting SAP Applications Against Common Attacks
  https://websmp204.sap-ag.de/~sapdownload/011000358700001376952010e/Protecting-SAP-Apps.pdf

- Secure Configuration SAP NetWeaver Application Server ABAP
  https://websmp204.sap-ag.de/~sapdownload/011000358700000968282010E/SAP-Sec-Rec.pdf

- Governance, Risk, and Compliance: Access Control
  http://help.sap.com/grc-ac10 > Application Help > SAP Library > Work Centers > Work Centers for Access Control in the GRC Application

- Governance, Risk, and Compliance: Process Control
  http://help.sap.com/grc-pc25 > Application Help > SAP Library

- SAP NetWeaver Identity Management
  https://scn.sap.com/community/netweaver-idm

- SAP Help Portal: User and Role Administration (of NetWeaver AS ABAP)
  https://websmp202.sap-ag.de/~form/handler?_app=00200682500000002672&_EVENT=DISPLAY&_SCENARIO=&_HIER_KEY=501100035870000016962&_HIER_KEY=601100035870000210454&_HIER_KEY=601100035870000210480&_HIER_KEY=601100035870000210525&_HIER_KEY=601100035870000210605&

- SAP Anti Virus Interface
  https://help.sap.com/nw70 > Application Help > Function-Oriented View > Security > System Security > Virus Scan Interface

- SAP Help Portal: Enabling Business-to-Business Processes: Security Aspects
  https://help.sap.com/nw70 > Security Information > Security Guide > Security Guides for the NetWeaver Security Scenarios > Enabling Business-to-Business Processes: Security Aspects

- SAP Help Portal: Web Services Security
  https://help.sap.com/nw70 > Development Information > Developer Guide > Fundamentals > Using Java > Getting Involved > Working with the Developer Studio > Web Service Toolset > Web Service Security

www.sap.com/contactsap

2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Material Number: