Securing SAP Systems from Cyber Attacks Enabled by SAP GRC / SolMan + Deloitte’s SAP Cyber Security Best Practices & Control Library

Upload: phamkhue

Post on 19-Mar-2018

Proactively protect and monitor your assets with our Cyber Security Solution

• 20 key elements that organisations should address in order to block or mitigate known attacks on SAP systems

• Guidelines to facilitate the design and implementation of automated monitoring controls

Protect your environments with...

Centre for Internet Security (CIS) Top 20 Critical Security Controls

Why is your SAP environment ripe for the picking?

Top 5 reasons why your organisation is exposed to emerging cyber threats

Achieve peace of mind and meet your security needs with Deloitte’s Cyber Security Solution. Leveraging Deloitte’s proprietary cyber security content and powered by SAP’s GRC and Solution Manager (SOLMAN) platforms, the solution enables automated monitoring and continuous detection. This allows businesses to effectively safeguard vulnerabilities found across the different types of assets supporting your SAP landscape.

Is your SAP landscape vulnerable?

With business-critical data being hosted on essential SAP applications, cyberattacks against systems have dramatically increased in ferocity and complexity, compromising information security of organisations and even governments worldwide. However, preventing these attacks and securing your systems can be simpler – Deloitte can help increase your security baseline by implementing industry best practices established by the Centre for Internet Security.

• High return for hackers with critical and sensitive business data stored in core SAP systems

• Large attack surface area exposed as monitoring all interconnected SAP systems is a challenge

• Outdated patches, notes or scripts can lead to vulnerabilities being exploited when updates are not installed

• Lack of investment in SAP infrastructure and skills to adequately defend against cyberattacks and intrusions

• Insufficient awareness and education of employees can potentially expose the firm's internal environment

1. Establish Security Framework

2. Protect and Monitor

3. Risk Remediation

4. Report and Improve

[Figure: SAP Cyber Security Solution Assets. Applications: S4HANA; ERP, CRM, SRM, HCM; Portal; Mobile. Databases: HANA, Oracle, MySQL, DB2. Operating systems: Windows, Solaris, Linux, AIX. Solution components: Framework, Processes, Control Library. Cycle: Protect, Monitor, React, continuously and automatically.]

Provide confidence to top management with Deloitte’s SAP Cyber Security Dashboard

Deloitte is recognised as the leading strategist to translate the following 20 key control points for automated governance across your organisation's multiple SAP fronts. Developed and refined by a community of leading global experts, we apply this set of crucial and concise cyber practices into actionable security measures for your enterprise in a cost-effective approach without any additional third-party licensing.

With customised visuals showing insights into current system performance, achieve real-time comprehensive monitoring with Deloitte’s SAP Cyber Security Dashboard. This helps you to monitor all your systems with ease and analyse all key information with the embedded drill-down capabilities.

1. Inventory of Authorised Devices: Actively manage all hardware devices on the network

2. Inventory of Authorised Software: Actively manage all software on the network

3. Secure Configurations for Hardware and Software: Establish and manage security configurations on all devices and software

4. Vulnerability Assessment and Patch Management: Monitoring Patch fixes and Critical Security notes for SAP

5. Controlled Use of Administrative Privileges: Access to SAP Databases only on a need-to-know basis

6. Maintenance, Monitoring, and Analysis of Audit Logs: Collect logs of events to recover from attacks

7. E-mail and Web Browser Protection: Minimise attack surface via web browsers and e-mail platforms

8. Malware Defenses: Control the spread of malicious code, while optimising the use of automation

9. Limitation and Control of Network Ports & Protocols: Manage operational use of ports and protocols to minimise vulnerability

10. Data Recovery Capability: Ensure SAP data is regularly backed up and available for disaster recovery

11. Secure SAP Configurations for Network Devices: Implement configuration management and change control process for SAP security configurations

12. Boundary Defense: Prevent flow of information transfer over networks

13. Data Protection: Prevent data exfiltration, and ensure privacy and integrity of SAP data

14. Controlled Access Based on the Need to Know: Secure access to critical assets based on a need and right to access

15. Wireless Access Control: Control the security use of WLANs and other wireless client systems

16. Account Management: Actively monitor and control SAP user accounts

17. Security Skills Assessment and Appropriate Training to Fill Gaps: Identify skills needed to support defence of enterprise

18. Application Software Security: Manage SAP and non-SAP application software security

19. Incident Response and Management: Develop and implement incident response infrastructure

20. Penetration Tests and Red Team Exercises: Simulate attackers' actions to test defence over attacks

Achieve automated governance with CIS Top 20 controls in your SAP landscape

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/sg/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

About Deloitte Southeast Asia

Deloitte Southeast Asia Ltd – a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam – was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. Comprising 290 partners and over 7,400 professionals in 25 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region.

All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities.

About Deloitte Singapore

In Singapore, services are provided by Deloitte & Touche LLP and its subsidiaries and affiliates.

© 2017 Deloitte & Touche Enterprise Risk Services Pte Ltd.

Step 1 - Define your SAP Cyber Security Scope

Select your SAP areas of concern and let us help you safeguard your organisation

Step 2 - Want to know more? Let's talk

Philip Chong Executive [email protected]

Tang [email protected]

Annie [email protected]

Vineet [email protected]

SAP App: ERP / CRM / SRM / HCM, S4 HANA, Enterprise Portal, Mobile

Database: HANA, Oracle, SQL, DB2

OS: Windows, Solaris, Linux, AIX