Welcome to the third article of the GDPR series, on restricting access to personal data (the previous articles answer the questions "What are the Security Requirements?" and "How to find personal data and assess privacy risks?").
Numerous organizations that have implemented SAP products have a large backlog of measures needed to establish secure information processing. SAP systems are so complicated and mission-critical that many IT professionals consider unsafe but functioning SAP systems a satisfactory state of affairs.
The forthcoming GDPR will disrupt the status quo and force CISOs to implement data privacy controls in SAP systems. This article is intended to help improve the security of existing SAP systems and their data handling in order to meet GDPR requirements.
In light of the increasing number of attacks against ERP systems and the weaknesses discovered almost every day, the cybersecurity approach needs to be reoriented. The trend of coping with countless cybersecurity challenges in a fragmentary manner exposes organizations to sabotage, espionage, and fraud. Without C-level guidance, an enterprise security team working with a chaotic security solution stack, cloud applications, and eroding system boundaries cannot keep up with the imminent security hazards. The SAP Security Framework was created to systematize the methods of coping with potential attacks.
We continue to describe the implementation of Vulnerability Management in an SAP environment and turn to a very specific topic: vulnerability analysis. Vulnerability Management has two goals: reducing attack vectors and providing assurance in SAP systems. Both of these objectives require assessing the existing vulnerabilities in terms of risk and remediation effort. That is today's topic: how to analyze vulnerability reports and develop remediation plans.
This is the second article in the series “Implementing SAP Vulnerability Management”. In the first part, we described the motivation for the practice and mentioned that vulnerability assessment tools generate tons of reports of enormous size, so we need an approach to organize remediation work efficiently and swiftly.
In order to prioritize our remediation activities, we need to be aware of all assets, their relative importance, and vulnerabilities.
If you have opened this article, you understand that SAP security, and ERP security in general, deserves special consideration. Just look at the number of issued SAP Security Notes: more than 3500 of them have been released so far. More arguments are provided in an article about ERP Vulnerability Management. Just to give you an idea: ERP systems contain special components, handle critical assets, and employ specific security controls.
This series of articles describes an approach to increasing ERP security by leveraging a proactive vulnerability management process and ERP security control solutions.
The provided information will come in handy for:
- preparing a business case for ERP security control solutions;
- developing requirements for the project;
- selecting the best product;
- designing the ERP Vulnerability Management (ERP VM) processes.
The first article contains introductory material, the business requirements for the ERP VM process, and its basic structure.