Data Protection/Privacy & Security at SAP

Data Protection/Privacy and Security@SAP: Data Protection and Privacy (United States vs. EMEA), Security@SAP, Security@SAP Support. Michael Morgenthaler, Hans Ulmer, Michael Wiedemann. ASUG WebEx session, April 22, 2010.

Upload: mohdfaizuddinnordin

Post on 25-Sep-2015


TRANSCRIPT

  • Data Protection/Privacy and Security@SAP
    Data Protection and Privacy: United States vs. EMEA
    Security@SAP
    Security@SAP Support

    Michael Morgenthaler, Hans Ulmer, Michael Wiedemann

    ASUG WebEx session, April 22, 2010

  • Introduction (Michael Wiedemann)

    SAP AG 2010. All rights reserved. / Page 2

  • Agenda for Today

    Michael Morgenthaler, Data Protection and Privacy: The proper (lawful) use and protection of personal identifying information (PII) / personal data (PD) is a huge challenge for every organization with multinational or global business. You will learn about the different ways countries define PII / PD and will be given details of the existing (and even missing) national regulations in Europe and the United States, as well as learn ways that the two frameworks can connect.

    Hans Ulmer, Security@SAP: This part of the presentation provides a brief overview of SAP's efforts in the information security area. It describes the underlying threat landscape and goes into detail regarding SAP's security organization as part of the global governance, risk, and compliance organization; its goals; and the organizational implementation.

    Michael Wiedemann, Security@SAP Support: The last part provides some insights on how SAP ensures compliant and confidential processing of customer information. Special aspects include remote connectivity, contractual enforcement, staff awareness training sessions, and customer obligations.

  • 47,578 SAP employees worldwide. Annual revenues exceed 10.7 billion. Over 95,000 companies in over 120 countries run SAP software.

  • 35 Years of Industry Expertise

    Services, consumer industries, trading industries, financial services, process manufacturing, discrete manufacturing, public services

  • Executive Board

    Werner Brandt, Chief Financial Officer, Finance and Administration: finance and administration; F&A shared services; SAP Ventures; global intellectual property; mergers and acquisitions; global compliance; human resources

    Bill McDermott, Co-CEO, Global Field Operations: worldwide responsibility for sales regions (Asia Pacific Japan, Americas, EMEA); SME go-to-market strategy and approach

    Jim Hagemann Snabe, Co-CEO, Business Solutions & Technology: large enterprise solutions (SAP Business Suite); SME solutions; shared responsibility for the Technology group

    Gerhard Oswald, Chief Operating Officer, Global Service & Support: worldwide responsibility for SAP services (including consulting, education, and custom development); worldwide responsibility for support; quality governance and production

    Vishal Sikka, Chief Technology Officer: technology and innovation strategy; emerging technologies; global SAP research; architecture governance and standards

  • Data Protection and Privacy

    Michael Morgenthaler, CISM, CISA

  • Data Protection: What Is It All About?

    Data security
    Protects: hardware and software, any data
    Risk: loss, deletion, abuse without authorization

    Data protection
    Protects: natural persons
    Risk: infringement of personal rights, privacy
    Means: technical and organizational measures (security)

    Data protection vs. data security:

    - Data protection is more than data security (which is a prerequisite).

    - Data protection is more than privacy. The rights of individuals have to be respected on the job and throughout other economic relations.

    - Data protection is more of a universal, European approach and includes privacy.

    - Privacy is more of a U.S. approach, concentrating on consumers' rights and defining only special data as private.

    Data protection is the protection of individuals with regard to the processing of personal data. (It is not the protection of bits and bytes.)

  • Rationale: Why Must a Company Comply with Data Protection?

    Any noncompliance with required or expected data protection and privacy standards is likely to generate negative publicity and damage customer perception of the brand and of the organization.

    - Law: In many countries, data protection and privacy are subject to jurisdiction.

    - Customer awareness: Customers are increasingly aware of their rights.

    - Market expectation: It is good business behavior to work accordingly with customers, employees, and suppliers regarding personal data.

  • Data Protection Laws Worldwide

    [World map] Blue: comprehensive data protection law enacted. Red: pending effort to enact law. White: no law.

    Source: http://www.privacyinternational.org/survey/dpmap.jpg

  • Focus of Presentation

    In focus (30+ countries and more than 1.5 billion people): European data protection laws and regulations; data protection in the United States; personal data flow between the European Union and the United States.

    Not in focus today: personal data flow around the rest of the world.

    Source: http://www.forrester.com/cloudprivacyheatmap

  • Europe: Regulation

    Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data

    - It is not a European privacy law, but country-specific laws had to be enacted within the member countries based on the directive.

    All 27 Member States have enacted an adequate law to:

    - Remove the obstacles to the flow of personal data.

    - Ensure that the level of protection of the rights and freedoms of individuals with regard to the processing of such data is equivalent in all Member States.

    - Reduce barriers within the European Union (EU).

    - Support the free flow of personal data within the EU.

    - Define rules of data handling and processing for the flow of data out of the EU.

    - Apply to all processing of personal data by any person whose activities are governed by Community law.

  • United States: Self-Regulation and Sectoral Approaches

    - The United States prefers what is called a sectoral approach to data protection legislation, relying on a combination of legislation, regulation, and self-regulation rather than on overarching governmental regulations.

    - Many data-handling regulations address only a single attribute (one data type or one sector) or are purely local laws.

    - In the United States, access to private data is culturally acceptable in many cases, such as credit reports for employment or housing purposes.

    - Although partial regulations exist, such as the Children's Online Privacy Protection Act and the Health Insurance Portability and Accountability Act, there is no all-encompassing law regulating the use of personal data.

    - Privacy legislation in the United States tends to be adopted on an as-needed basis, with legislation arising when certain sectors and circumstances require it.

    To date, the United States has no single, overarching privacy law comparable to the EU Directive.

  • What Is Personal Data?

    Personal data includes the following:

    - Date of birth
    - Social Security number
    - Driver's license number
    - Passport number
    - Credit card numbers

    But it is by far not limited to data usable for identity theft.* It could also include:

    - Business e-mail address
    - Business telephone number
    - Business e-mail content
    - Call content using VoIP
    - Recorded phone calls
    - Number of children
    - More

    Directive 95/46/EC, Article 2, Definitions: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject').

    *The unauthorized use of an individual's information for financial gain is popularly referred to as identity theft.

  • What Is Personally Identifiable Information (PII)? Also known as personal identifying information

    Personally Identifiable Information (Office of Management and Budget): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

    Personal Information (California data breach notification law, SB 1386): An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    1. Social Security number
    2. Driver's license number or California identification card number
    3. Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account

    Information such as a name that lacks context cannot be said to be SB 1386 personal information, but it must be said to be PII as defined by the Office of Management and Budget. For example, the name John Smith has no meaning in the current context and is therefore not SB 1386 personal information, but it is PII.

    Source: http://en.wikipedia.org/wiki/Personally_identifiable_information

  • The European Data Protection Approach

    PROCESSING OF PERSONAL DATA IS PROHIBITED. The European approach starts from a prohibition: personal data may only be processed where a legal basis (the data subject's consent, a contract, a legal obligation, or a special regulation) permits it.

  • Additional Definitions from Article 2, 95/46/EC

    Data subject: an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

    Controller: shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

    Processor: shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

    Third party: shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.

    Processing: 'processing of personal data' ('processing') shall mean any operation which is performed upon personal data such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

  • EU Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

    Extract of the preamble (recitals) of Directive 95/46/EC:

    (1) ... ensuring economic and social progress to eliminate the barriers ..., improve the living conditions of its peoples, preserving and strengthening peace and liberty and promoting democracy on the basis of the fundamental rights ...;

    (2) ... whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;

    (3) ... establish an internal market, the free movement of goods, persons, services and capital ... personal data should be able to flow freely from one Member State to another, but also the fundamental rights of individuals should be safeguarded;

    (4) ... the progress made in information technology is making the processing and exchange of such data considerably easier;

    (5) ... the internal market will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States;

  • Principles of EC Directive 95/46/EC I

    [Diagram] Data protection in the EU: the Data Protection Directive and the data protection laws of the Member States that implement it.

  • Principles of EC Directive 95/46/EC II

    [Decision flow] Four questions are asked in turn: Data subject's consent? Contract with data subject? Legal obligation? Special regulations? A Yes to any of them means processing is OK; a No to all of them means processing is not permitted.

  • Rights of the Data Subject

    [Diagram] Data subject (Jane Doe) has rights; the controller (= YOU) has the corresponding obligations: notification, provision of information, correction, erasure or blocking. The controller passes these on by contract to the supplier or service provider XY (the processor).

    The controller has to ensure that the rights of the data subject and the controller's own legal obligations are covered by the processor, too.

  • Parties Involved in Processing of Data

    [Diagram, example company ACME]

    Data subjects (customers, suppliers, employees) -> collection -> Controller (company's top management, or a single employee by delegation): collection, processing, use.

    Controller -> transfer -> Third parties: processing, use.

    Controller -> Contractor: processing only as contracted. This is not a transfer.

  • Transfer of Personal Data to Third Countries

    The directive allows the transfer of personal data to countries outside the European Union only under specific conditions:

    - There is an adequate level of data protection in the destination country.

    - The adequate level can be stated by the European Commission for specific countries (including Switzerland, Argentina, and Canada). Note that such a statement has not been given for the United States or Australia!

    - Alternative solution: Safe Harbor principles for the United States

    The adequate level can also be realized by adequate safeguards:
    - By contract between the data controller and the recipient (standard clauses)
    - By a code of conduct concerning data protection in a company worldwide

    Data transfer is also possible:
    - With the consent of the data subject
    - For the performance of a contract between the data subject and the controller
    - For the performance of a contract in the interest of the data subject between the controller and a third party
    - With the consent of data protection authorities if the exporter cites adequate safeguards

  • Safe Harbor List I: Certification Program by the United States Department of Commerce

    - Since 2000, Safe Harbor has aimed to harmonize data privacy practices in trading between the United States of America and the stricter privacy controls of the European Union Directive 95/46/EC on the protection of personal data.

    - This list contains the names of all U.S. companies that have self-certified with the Safe Harbor framework.

    - An organization needs to self-certify annually with the Department of Commerce, stating in writing that it agrees to adhere to the Safe Harbor requirements.

    - Any U.S. organization subject to the jurisdiction of the Federal Trade Commission or any U.S. air carrier or ticket agent subject to the jurisdiction of the Department of Transportation may participate in Safe Harbor.

    - Currently more than 1,920 companies are listed.

    - Since December 2008, the Swiss Safe Harbor agreement has been in place.

    (Note: the Safe Harbor framework described here was in force when this deck was presented in April 2010. It was invalidated by the Court of Justice of the European Union in October 2015, and Directive 95/46/EC itself was replaced by the General Data Protection Regulation in May 2018.)

  • Safe Harbor List II: Benefits

    - All 27 Member States of the European Union will be bound by the European Commission's finding of adequacy.

    - Companies participating in Safe Harbor will be deemed adequate, and data flows to those companies will continue.

    - Member State requirements for prior approval of data transfers will either be waived or automatically granted approval.

    - Claims brought by European citizens against U.S. companies will be heard in the United States, subject to limited exceptions.

  • Safe Harbor Requirements

    [Diagram] The seven Safe Harbor principles: notice, choice, onward transfer, security, data integrity, access, enforcement.

  • Model Clauses for Data Transfers to Non-EU Countries

    - The use of standard contractual clauses offers companies and other organizations a straightforward means of complying with their obligation to ensure adequate protection.

    - Contractual clauses are not necessary when transferring data to Switzerland, Canada, Argentina, or the UK territories of Guernsey and the Isle of Man. They are also not needed for transfers to U.S. companies adhering to the Safe Harbor privacy principles.

    - Parties are free to agree to add other clauses as long as the clauses do not contradict, either directly or indirectly, the standard contractual clauses.

    Standard contractual clauses are a contribution toward improving data flow across borders without compromising privacy.

  • Links

    Safe Harbor: www.export.gov/safeharbor/

    EU Justice and Home Affairs, Data Protection: ec.europa.eu/justice_home/fsj/privacy/

    EU Standard Clauses: europa.eu/rapid/pressReleasesAction.do?reference=MEMO/05/3&format=HTML&aged=0&language=EN&guiLanguage=en

    The Johns Hopkins University, American Institute for Contemporary German Studies, "A reasonable expectation of privacy? Data protection in the United States and Germany": www.aicgs.org/documents/polrep22.pdf

    European Commission, Europe's Information Society, "Comparison of privacy and trust policies in the area of electronic communications": ec.europa.eu/information_society/policy/ecomm/library/ext_studies/index_en.htm#2008

  • Key Takeaways

    1. Processing of personal data in Europe is limited, and personal data has a broad scope.

    2. Use of personal data requires a specified purpose in advance; use outside this purpose is prohibited.

    3. Transfer outside the EU requires consent, a statement of data protection level, or contracts.

    4. Transfer/use within a company group/enterprise requires the same procedures as for any other legal entity.

  • Thank You! Questions?

  • Questions?

    Michael Morgenthaler, CISM, CISA, Deputy Data Protection Officer

    SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

    [email protected]

  • Security@SAP (Hans J. Ulmer)

    1. Quick Overview: SAP Global GRC
    2. Security Challenges
    3. Security Elements at SAP
    4. Organizational Set-Up
    5. Summary

  • Quick Overview: SAP Global GRC

  • SAP's Governance, Risk, and Compliance (GRC) Program

    Risk Management: establishment of state-of-the-art, company-wide risk management based on a global policy and model

    Internal Controls: securing of an effective annual internal control system for the SAP Group

    Compliance Management: compliance with internal and external regulations and adherence to the business code of conduct

    Security: safeguarding of SAP's most important assets through a global security management program

    Insurance Strategy: establishment of a risk-adjusted, effective global insurance program

    Global Internal Audit Services: enforcement of compliance with all policies and guidelines, including statutory and legal requirements

  • The Global GRC Organization Covers All Aspects of Governance, Risk, and Compliance

    [Organization chart] Under the CEO and CFO, the Head of Global GRC leads Global GRC Operations, Global GRC Security, and the Global Sarbanes-Oxley Team, alongside the Global Compliance Department (with Regional Compliance Departments for EMEA, Americas, and APJ), the Central Legal Department, Internal Audit, Insurance Management, and Risk Management (GFO).

    Each board area has a GRC Officer responsible for risk and security, Sarbanes-Oxley, and compliance: HR/PI; Service & Support; Development (PZ & HK); Strategic Risk Management; COO, IT, HR; and Development, AGS. Each board-area GRC Officer covers SOX compliance and risk & security management.

    Regional GRC Managers for EMEA, APJ, and the Americas each cover regional SOX compliance and regional risk & security management, supported by Local GRC Officers.

  • Security Challenges

  • Dealing with these traditional threats ... [image]

  • ... as new ones emerge: cloud computing, on demand, software as a service, social media, outsourcing/offshoring, zero-day exploits

  • ... by delivering the following security tasks:

    Goal: Protect SAP's various assets: people, information (including personal, customer, IP, financial, and mergers and acquisitions), infrastructure, brand, business processes, etc.

    - Create and manage an adequate, efficient, and effective security management framework

    - Coordinate overall security efforts through managing panels and stakeholders on multiple levels

    - Coordinate effective crisis management and business continuity processes

    - Achieve comprehensive security awareness among employees and partners

    - Maintain security of the SAP partner and customer environment

  • Elements of Security at SAP

  • Security Is About People, Processes, and Technology (centered on information)

    People: create and sustain awareness; ensure know-how and adherence to SAP's security policy

    Technology: offer and update adequate security measures and use of technology

    Processes: evaluate processes and risks and implement security measures

  • Global GRC Security: GRC Security Pursues Four Distinct Goals

    Awareness and Compliance: ensure a high level of awareness and compliance with the security policy and security standards through training, assessments, and reporting

    Trusted Advisor and Business Partner: act as a trusted advisor and business partner in all matters of information security for internal and external partners

    Thought Leadership: provide thought leadership in all matters of information security

    Effective Security Management: establish a highly effective, risk-based security management system that achieves a desired level of security for all assets of SAP, that is communicated through the security policy and security standards, and that ensures compliance with applicable laws and regulations

  • Effective Security Management: Security Governance

    - Definition of the global security strategy

    - Definition of security responsibilities and accountability

    - Management of the global security policy framework (policy plus standards)

    - Definition and enforcement of security policies specific to target groups

    - Management of security specifications for vendors and partners

    - Coordination of global efforts in crisis management and business continuity planning

  • Effective Security Management: Security Measures

    - Definition of protection targets in global security policy and standards (what needs to be protected)

    - Implementation of the most suitable and effective security measures by the respective business areas, such as SAP IT, Global Facilities Management, SAP Active Global Support, etc.

    - Evaluation of new technologies based on a changing risk landscape

  • SAP Global GRC Security Takes a Risk-Based Security Approach

    - Risk management of local and global security threats

    - Risk-based tier structure for business continuity and crisis management

    - Early warning system through global incident reporting and management

    - Synergistic effect through shared responsibility for risk management and security

    - Global outreach of security-related standards through the GRC organization, thereby fostering broader risk awareness

  • Security Awareness and Compliance: Transparency through Reporting

    - Security awareness campaigns

    - Information for managers and executives

    - Security risk management

    - Security status report

    - Security incident reporting

  • We Position Ourselves as Business Facilitators

    - Training specific to business areas

    - Internal security consulting

    - Staff clearance for special projects and customers

    - Audit support

    - Travel risk coordination

  • Centralized plus Networked Know-How

    - Information security management experts (CISMs, security consultants) plus building and maintenance of an internal network

    - Close cooperation with internal stakeholders: SAP IT, Physical Security, DPPO, Internal Audit, Business Security Officers

    - Cooperation with external work groups, forums, agencies, and public authorities

    - Continuous monitoring of new threat scenarios and potential countermeasures

    - Evaluation of new security concepts

  • Organizational Setup

  • Security Governance and Management at SAP Follows a Multilayered Approach

    Board level (Board, Security Steering Committee (SSC)): strategic direction

    Line of business (LOB) operational level (Security Council): implementation of SSC decisions by extending the Council with responsible representatives from each LOB

    Subject matter experts (Global GRC Security; focus groups: IT Security, Physical Security): provision of expert know-how

  • Interaction with Other Security Stakeholders; Certification and Programs

    Global GRC Security, within the Global GRC Organization, interacts with: SAP IT Security; GFM Physical Security; Product Security; Data Protection Office; other security areas (GSS, GIAS, travel, and more).

    Certifications: ISO 900x; ISO 27001; SAS 70; U.S. Department of Defense 5015.2 standard; SOX (Sarbanes-Oxley Act)

    http://service.sap.com/certificates

  • Security Programs: Examples

    SAP IT Security: network security concept (security zones, security monitoring center, penetration testing); encryption (universal mail and hard disk drive); client and server protection concepts

    GFM Physical Security: global ID card concept, rollout, enforcement; physical security standard location concept

    Global GRC Security: information classification concept (integration with business processes); incident management (integration and management of all security-relevant incidents)

  • Summary

    - Security awareness among employees and managers and support by senior management are prerequisites for good security.

    - Security strategies and policies should be continuously adapted in response to changing requirements in an evolving threat environment.

    - Security works best as an integral part of business processes.

    - A risk-based approach supports correct prioritization and hence improves effectiveness and efficiency.

    - The global organization supports risk assessment and the implementation of security measures.

  • Thank You! Questions?

    Hans J. Ulmer, CISM, Information Security Manager

    SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

    [email protected]

  • Security@SAP Support (Michael Wiedemann)

    SAP Active Global Support: Organizational Overview; Message Flow and Follow the Sun; The Worldwide SAP Support Organization; Assignment of Support Requests

  • The SAP Active Global Support Organization: Your Engagement Partner

    [Figure: local support, regional support, and the Global Support Center across Asia/Pacific, Europe/Africa, and the Americas; locations shown include IE, AT, UK, F, CH, MX, KR, CN, US, BR, JP, ANZ, ES, SGP, DE, IN, and MY]

    SAP Active Global Support (SAP AGS):
    - Is the only team within the SAP ecosystem that supports all SAP installations from all over the world
    - Acquires comprehensive knowledge about all technical risks (product- and non-product-related) that customers are facing, while supporting the complete installed base
    - Shares this unique expertise in a customer-tailored approach for successful implementation, operation, and continuous improvement

    SAP AGS supports more than 95,000 customers; 12,000,000 users; and over 120,000 installations.

    Global support organization with more than 3,300 employees in over 40 countries, backed up by over 6,000 developers.

  • The Follow-the-Sun Principle

    [Figure: 24-hour timeline showing support coverage handed over between Europe, Asia, and the Americas]

  • Global Support Center Message Solving

    Global Support Center (GSC) and Development Support

    GSC EMEA (locations in Austria, Spain, Hungary, and India) covers:
    - Germany, Austria, Switzerland
    - EMEA, excluding the UK and Ireland
    - Eastern Europe and Russia
    - Turkey and Middle East
    - Africa (excluding South Africa)
    - India and neighboring countries
    - Malaysia

    GSC Americas (locations in Canada, Brazil, and Ireland) covers:
    - North America
    - Latin America
    - UK and Ireland

    GSC APJ (locations in China and India) covers:
    - Greater China
    - Southeast Asia
    - Korea
    - Australia
    - New Zealand
    - Japan

    [Map: support locations shown include Canada, Ireland, India, France, China, Malaysia, Brazil, Spain, Germany (SAP headquarters), USA, Czech Republic, Austria/Hungary, and Bulgaria]

  • Two-Step Dispatching

    Step A: Select the support center in charge (Global Support Center Ireland, Global Support Center Austria, Global Support Center XYZ, ...), based on:
    - Language / country / time zone
    - Component
    - Priority
    - Customer support agreement
    - Capacity of support center

    Step B: Select the support consultant in charge (Support Consultant 1, Support Consultant 2, ...), based on:
    - Skill and experience of employee
    - Current workload of employee
    - Employee who has already handled this customer

    Intelligent message logging

  • SECURITY@SAP SUPPORT, Michael Wiedemann: Remote Connectivity

    - Overview
    - Available Connection Types
    - Netviewer
    - Line Opener Program
    - Customer obligations (connection control, authorization, session control, logs)
    - Secure Area

  • Remote Connections: Customer and SAP

    - The customer has to register an available service once.
    - Configuration of the SAProuter has to be done as well.
    - All registered services can be used by the customer.
    - The customer has full control.

    Purpose of remote connections:
    - Analyze and solve problems with customer solutions
    - Run services on customer solutions
    - The SAP customer has to install a remote connection only once

  • Security Advantages of SAP Remote Connection

    - The customer has full control and opens connections.
    - Each remote connection to a customer system is logged.
    - Various encryption mechanisms are available:
      - Software encryption with secure network communications (SNC)
      - Hardware encryption with virtual private network (VPN)

  • Available Connection Types

    Service connection type: description (SAP Note)

    SAP GUI-based connection:
    - SAP R/3 support: enables remote access to an SAP system via SAP GUI (SAP Note 812732)
    - SAP Solution Manager: provides access to the solution graphic in SAP Solution Manager (SAP Note 962516)
    - SAP Solution Manager diagnostics: enables system-related access to SAP Solution Manager diagnostics (SAP Note 962516)

    Java or HTTP-based connection types that enable or ease service connection to Java-based systems:
    - HTTP connect URL access: provides access to HTTP-based applications (SAP Note 592085)
    - LoadRunner test: enables remote load testing (SAP Note 850213)
    - Java debug: enables remote debugging of Java-based applications (SAP Note 545519)

    Connection types providing application sharing methods or access on operating system level:
    - Netviewer: enables collaboration and application sharing access via Netviewer (SAP Note 1036616)
    - Windows Terminal Server: enables application sharing access via Windows Terminal Server (SAP Note 605795)
    - Citrix MetaFrame: enables application sharing access via Citrix MetaFrame (SAP Note 701588)
    - T.120 NetMeeting: enables application sharing access via Microsoft NetMeeting (SAP Note 356635)
    - pcAnywhere: enables application sharing access via pcAnywhere (SAP Note 100740)
    - AS/400-5250 connection: enables operating system access for AS/400-based servers (SAP Note 79411)
    - Telnet connection: enables operating system access via Telnet (SAP Note 37001)
    - SSH connection: enables SSH connection to customer systems (SAP Note 1275351)
    - VNC connection: enables VNC connection to customer systems (SAP Note 1327257)

    Further connection types:
    - BW RFC connection: enables an RFC connection to SAP NetWeaver Business Warehouse (SAP Note 195715)
    - BW GUI connection: enables a GUI connection to SAP NetWeaver Business Warehouse (SAP Note 195715)
    - Upgrade Assistant: enables remote use of Upgrade Assistant (SAP Note 125971)
    - SAPinst-GUI: enables remote use of SAPinst-GUI (SAP Note 707848)
    - SAP-DB connection: enables a remote connection to an SAP database (SAP Note 202344)
    - TREX/BIA: enables access to TREX or SAP NetWeaver Business Warehouse Accelerator (SAP Note 1058533)
    - Integration repository: enables a connection to the integration repository (SAP Note 800267)
    - Integration directory: enables a connection to the integration directory (SAP Note 800267)

  • Netviewer Enables Collaboration and Remote Support

    Main focus of Netviewer is to ease collaboration:
    - Education and training of customers
    - Provide remote support

    Netviewer features:
    - Easy and fast setup of connections (only Internet access is required)
    - Encrypted data exchange
    - 100% control by the customer
    - Possibility to extend conferences to further persons or PCs
    - Supports session recording
    - Provides application sharing; quick and easy to set up and use

    How to get started:
    - Download the Netviewer client to your PC once (Internet access required)
    - Join the session upon request

  • Netviewer Session

    1. SAP employee initiates a Netviewer session and provides session ID to customer.

    2. Customer starts Netviewer client and joins session.

    3. SAP employee can view the customer's screen.

    Each Netviewer session can be logged.

  • Semiautomatic Opening of Customer Systems

    How Does Semiautomatic Opening Work?

    To use semiautomatic opening, you need to have the line opener program (LOP) on one of your PCs or servers. The LOP periodically checks (by HTTPS) the SAP Service Marketplace to see whether an opening request for one of your systems exists. If such a request exists, the LOP opens the connection between your SAProuter and SAP. An e-mail notification will inform you that a network connection was opened. Use of semiautomatic opening can be granted for each system.

    Process steps:
    - The SAP employee requests access to a customer's system.
    - The request is replicated to the SAP Service Marketplace.
    - The LOP regularly checks the SAP Service Marketplace for requests.
    - When a request is received, the LOP opens the network connection. (An e-mail notification is sent.)
    - The SAP employee can now connect to the customer's system through the given SAProuter to the SAProuter infrastructure.

    Want To Learn More?

    Note 797124 Line Opener Program (LOP)

  • SECURITY@SAP SUPPORT, Michael Wiedemann: Security Enforcement at SAP

    - Data Secrecy Obligations for All SAP Staff
    - SAP Security Policy Standards
    - Training
    - Audits
    - Awareness of Special Topics

  • Data Secrecy Obligations of SAP Employees and Partners

    Data Secrecy Obligations

    All employees of SAP AG are obliged to comply with data secrecy according to § 5 of the German Data Protection Act. This is done in writing when they are first employed by the personnel department. Text of the current version:

    "You are forbidden to process, pass on, allow access to or otherwise use confidential personal data for any purpose other than to fulfill the relevant lawful objective. Your data protection obligations continue to apply even after you have finished your activities. These obligations expressly also apply to such confidential personal data in possession of the business partners. Infringements may be punished under sections 43 and 44 of the German Data Protection Act and other relevant legal regulations with either a fine of up to EUR 250,000 or imprisonment of up to 2 years."

    Protection of Business and Company Secrets

    Because SAP employees come into contact with business and operational secrets of foreign companies, this obligation is enhanced beyond the limits of the German Data Protection Act.

    All employees are also obligated to keep secret any information they may have regarding confidential matters and processes that were acquired as part of their job, even after withdrawing from the work relationship. This also applies to operational and business secrets of SAP customers and partners that employees acquire as part of their job.

    This agreement means that the employee is obliged to keep secret any knowledge gained as part of his or her job concerning operational or business secrets of customers and partners. The employee is also obliged not to discuss this information with other SAP employees unless this is necessary for the relevant task to be completed successfully.

    It is made explicitly clear that SAP has no interest whatsoever in foreign business or operating secrets that have not been released. In particular, the employee is prohibited from making documents containing business or operational secrets of partners or customers accessible to third parties or from allowing a third party access to such material. This material is to be kept in a secure location or protected with a password.

    The employee is obligated to comply with all third-party copyright, especially when applied to software. If there is no corresponding authorization on the part of the copyright owner, foreign software may be used neither independently nor as part of SAP software.

    The employee is obligated not to pass on any knowledge of other foreign business or operational secrets or copyrights within the SAP Group and not to store relevant documents on the premises of the SAP Group.

  • SAP Security Policy

    The SAP Executive Board has established the SAP security policy, which is binding for all companies within the SAP Group.

    Objective of the global SAP security policy:

    The overall aim of the security policy and corresponding standards is to achieve and maintain an effective and appropriate level of security within SAP and to reinforce the position of SAP as a trusted partner to its customers.

    All employees must be aware of their responsibility with regard to the issue of security and be proactive in exercising this responsibility. The security policy defines the security objectives. The aim of the security standards is to provide employees with instructions that enable them to implement the security requirements and thereby also make business integrity possible.

  • Overview of SAP Security Standards

    The slide groups the standards into those for all employees, IT-related standards, and standards for special groups:
    - Clean desk
    - Information classification
    - Data protection
    - Communication
    - Internal applications
    - Crisis management
    - Physical security
    - Board security
    - IT systems
    - Third-party system
    - Virus protection
    - Authorization
    - Passwords
    - Facility access card
    - Private use of infrastructure
    - Secure authentication
    - Access of external parties at SAP
    - Business process outsourcing
    - Business continuity
    - Product certification
    - Mobile devices
    - Key management for encryption
    - Secure disposal of data storage devices and media
    - Business use of infrastructure

  • Security Standard: Clean Desk

    Desk:
    - Confidential information: must be locked away
    - Personal valuables: best locked away
    - Mobile devices: Kensington lock, personal locker
    - Screensaver: lock screen when leaving the office

    Printer/copier rooms:
    - Personal print jobs (with PIN)
    - Secure disposal boxes for paper, CDs, and DVDs
    - Shredder for strictly confidential documents; scratch CDs

    Meeting rooms:
    - Whiteboards: wipe off (after taking a photo)
    - Phone conferences: check participants

  • Audits

    ISO 9001:2000: a globally acknowledged industrial standard for continued quality management of SAP support. It is valid and issued annually for more than 20 countries.

    Our customers benefit from the following:
    - Process adherence of a heterogeneous operation on a global level
    - Reliable high-quality standard of the entire SAP support organization
    - Permanent quality control by internal audits of all major support hubs
    - Annual external audits and recertification by TÜV Nord

    Audit figures for 2008:
    - Internal ISO audits in total: 32
    - Internal operational audits: 10
    - Internal ISO system audits, on site: 24
    - Internal ISO system audits, remote: 6
    - External ISO system audits: 6

  • Print Your Security Certificate After Successfully Completing the Online Training

    - Support-specific awareness campaign in 2008/2009
    - SAP worldwide campaign in 2009
    - Security self-assessment checks in 2009/2010

  • Security Instructions for Remote Logon (Reminder Pop-Up): Security Standards and Data Protection

    SAP attaches the greatest importance to applying the highest security standards to both customer data access and customer data protection. We are obligated to maintain secrecy with regard to confidential data, in particular with regard to all personal data and trade secrets. SAP Support staff act on the customer's instructions only, and the company must abide by the legal regulations relating to the processing of personal data at the customer's request.

    Please remember that our customers are legally responsible for access to their systems and for any changes that are made to their systems. This means that we access customer systems and make changes to them on the customer's instructions only.

    We would like to draw your attention to the fact that you are not permitted to extract, process, or use personal data without consent and to remind you that you have signed a written undertaking to observe a duty of confidentiality under the German Data Protection Act which remains in force after termination of your employment with SAP. For further information, please refer to /dataprotection.

    The following security standards are mandatory for remote access to live customer systems:
    - Never store logon data in CS* message notes and such. Rather, store logon data in the designated logon data memory only.
    - Never store confidential customer system data in CS* messages, in SAP systems, on your own PC, or on any other media.
    - Never make changes to the customer system (with the exception of logs, trace activation, debugging, and so on) without the customer's prior agreement. Be sure to document any changes you make to the system in the customer message so that the customer can trace and check them.
    - If a customer offers to give you access to a live system, accept the offer only if there are no alternatives. Your main focus must be on reproducing errors in systems that do not contain any confidential or personal data.

  • Security Instructions for Remote Logon (Reminder Pop-Up), continued

    - Never request SAP_ALL authorization, but ask only for those authorizations that will enable you to perform your support tasks. If a customer offers you SAP_ALL, make it clear to them that the allocation of authorizations lies within their sphere of responsibility.
    - Never make printouts or screenshots without first obtaining the customer's permission.

    You will find further recommendations and guidelines under the following quick links in the portal: /remote-access, /securitypolicy, /security@sap, /dataprotection

    All employees are obligated to observe the above procedures whenever they set up a remote connection.

  • Security Measures by the Customer

    Customers should adhere to the following guidelines to operate their WAN connections as securely as possible:

    Password-protect all access paths to your system:
    - After installation, change the default passwords.
    - Use only nontrivial passwords.
    - Change passwords at regular intervals.

    Define separate user IDs for remote access to your system by SAP employees, and release or activate these IDs only when an SAP employee needs to access your system. Immediately after the connection is terminated, change the password for that particular ID or block the user. This ensures that this user can access your system only when you want him or her to.

    Configure your remote connection such that only outgoing calls are possible. You should generally block acceptance of outside connection requests. If X.25 is used, you can request this setting from your provider (for example, your phone company). VPN providers can supply you with more information about whether this option is available for your remote connection.

    Whenever possible, use a hardware router for the WAN connection rather than a router card in a production SAP system or other system. Routers are much more flexible, and they increase the security standard for the WAN connection because they have their own built-in security mechanisms.

    Use only hardware components (such as routers) that you can configure yourself. Design the configuration such that connections are possible only to specific partner systems (such as SAP). Your consulting partner will tell you how to configure your router.

    Use the specific protection mechanisms provided by your system or network hardware. For example, most systems and routers enable you to permit access only for certain programs (access lists). For information about configuration, please refer to the hardware documentation.

    Secure the access to your SAProuter by creating route permission tables.

    Integrate your SAProuter into a firewall system. Obtain support from network specialists.
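    An SAProuter route permission table (saprouttab) that applies the guidelines above: deny by default, connections only to specific partner systems, and SNC on the leg towards SAP. This is an added example, not a table from the presentation or from SAP; every host, address and SNC name in it is a constructed placeholder.

```text
# saprouttab (constructed example; not from the presentation)
# SAProuter evaluates the lines top to bottom, the first matching line wins,
# and a connection that no line permits is refused. Placeholders:
#   10.10.0.5           the one internal SAP application server SAP may reach
#   10.10.0.20          an internal admin PC allowed to open connections to SAP
#   saprouter-at-sap    the SAProuter on the SAP side (use the host from your SAP Note)
#   <sap-router-snc>    the SNC name of SAP's SAProuter (from your SAP Note)

# Weak setting, shown only so the difference is clear. Any source may reach
# any host on any port through this SAProuter. Do not use it:
# P * * *

# Corrected table
# 1. Inbound from SAP: only SNC-protected (KP) connections from SAP's SAProuter,
#    and only to the dispatcher port (3200) and gateway port (3300) of one host.
KP "p:CN=<sap-router-snc>, OU=SAProuter, O=SAP, C=DE" 10.10.0.5 3200
KP "p:CN=<sap-router-snc>, OU=SAProuter, O=SAP, C=DE" 10.10.0.5 3300

# 2. Outbound to SAP: only the admin PC may open a route to SAP's SAProuter,
#    and only to its SAProuter port 3299 (the connection the customer opens).
P 10.10.0.20 saprouter-at-sap 3299

# 3. Explicit deny-all as the last line so the default is visible in review.
D * * *
```

    Because only KP lines admit traffic from SAP's side, a plain (non-SNC) connection from the same router is refused, and the absence of a wildcard destination is what enforces "connections only to specific partner systems". Start SAProuter with its log option (-G) so that each connection is recorded, as the presentation expects, and reload the table (saprouter -n) after editing it.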

  • SAP Security Optimization Service: Analysis for Optimal Security Settings of Your SAP Solutions

    Value Proposition

    Keeping the security and availability of your SAP solution high is a tremendous value to your business, a value delivered by the SAP Security Optimization service. Analysis is the key to this value. It arms you with the information you need to do the following:
    - Decrease the risk of a system intrusion
    - Ensure the confidentiality of your business data
    - Ensure the authenticity of your users
    - Substantially reduce the risk of costly downtime due to wrong user interaction

    The underlying concept of SAP Security Optimization is to ensure smooth operation of your SAP solution by taking action proactively, before severe security problems occur. The service consists of hundreds of checks based on the SAP security guidelines and on SAP security consultants' knowledge.

  • SECURITY@SAP SUPPORT, Michael Wiedemann: Security Information for Customers

    - SAP Security Guides
    - SAP Security Notes
    - Security in the SAP Community Network
    - SAP Standard for Security and Remote Supportability

  • SAP Security Guides

    The SAP Security Guides provide you with a collection of our guidelines and recommendations pertaining to SAP system security, from network security to industry-specific guidelines.

  • SAP Security Notes

    SAP Security Notes contain SAP's expert advice regarding important action items and patches to ensure the security of our customers' SAP systems.

  • Security in the SAP Community Network

    The SAP Community Network is an active online community where ABAP, Java, .NET, and other cutting-edge technologies converge to form a resource and collaboration channel for SAP developers, consultants, integrators, and business analysts. The SAP Developer Network (SDN) hosts a technical library, expert blogs, exclusive downloads and code samples, an extensive e-learning catalog, and active, moderated discussion forums. SDN contains sites on security and the SAP NetWeaver Identity Management component.

  • End-to-End Standard: Security and Remote Supportability

    The SAP standard for security describes basic activities to set up, maintain, and evolve security measures for the operation and organization of SAP solutions.

    The remote supportability standard defines five basic requirements that must be met to optimize the supportability of customer solutions.


    Thank You! Questions?

  • Michael Wiedemann

    SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

    [email protected]

  • Thank You!


  • Speaker Bios

    Michael Morgenthaler works in information security, particularly data protection and privacy, at SAP. He joined SAP in 2001 and has broad knowledge and professional expert skills in information security, audit, and the legal requirements of European data protection law as well as the relevant global equivalents. He is a certified information security manager (CISM) and certified information system auditor (CISA) and is a member of the board of the ISACA Germany Chapter.

    As the deputy data protection officer for SAP AG, Michael is currently involved in all areas relating to data protection and privacy and the processing of personal data by SAP. In this position he regularly interacts with customers as well as with suppliers that process personal data during outsourced business processes.

    Hans J. Ulmer, CISM, joined SAP in 1999 as a support manager at the SAP Service and Support Center (SSC) in Dublin, Ireland. After having served as the IT and security manager during the SSC's major growth phase, he moved to SAP's corporate headquarters in Walldorf, Germany. He managed SAP's CERT from 2004 to 2008 and has led a number of security-related projects and initiatives in the fields of security governance, incident management, and information classification.

    Michael Wiedemann is a long-time veteran of SAP and holds the position of chief security officer and vice president for Global Service & Support at SAP AG. Michael started at SAP as a support consultant for technology in 1996. Since then he has gained profound knowledge about the support organization and its processes while working as head of local support in Germany, global product manager for message processing, head of the U.S. technology support team, and head of the operations office of SAP's product support organization. Since November 2008, Michael has been responsible for the process security and data protection of SAP's service and support organization as chief security officer, Global Service & Support.


    Copyright 2010 SAP AG. All Rights Reserved.