tab_security_verification_standard.md

File metadata and controls

73 lines (51 loc) · 2.82 KB
title displaytext layout tab order tags
Security_Verification_Standard
SAP Security Verification Standard
true
2
cbas

# SAP Security Verification Standard

The CBAS - SAP Security Verification Standard (SSVS) project allows organizations to determine their SAP security posture based on a set of controls that define a standard security baseline organizations can adopt and maintain. This enables organizations to plan and enhance the security mechanisms that protect their SAP resources.

## What's In It For Me (WIIFM)

The project is intended for use by different professionals:

  • SAP Security Experts
  • non-SAP Security Experts
  • Consultants
  • Auditors
  • Advisors

  1. The project helps operations, security, and audit teams assess, plan, and verify the security controls that affect SAP implementations in their organizations.
  2. It helps organizations determine their maturity in protecting their SAP applications.
  3. It enables and supports organizations in implementing the security controls required to protect their SAP applications.

## Standard Definition

In our initial release, we want to create a security baseline that every organization must maintain to secure its SAP applications.

The initial release is derived from the following standards:

  • SAP Security Baseline Template V2.4
  • German Federal Office for Information Security - BSI 4.2 SAP ERP System
  • German Federal Office for Information Security - BSI 4.6 SAP ABAP Programming
  • SAP security white papers - used for critical areas missing in the security baseline template and BSI standards
  • OWASP Application Security Verification Standard ASVS 2.0
  • NO MONKEY Security Matrix

## Controls

We aim to create controls in a structured, simple, and understandable way:

  • Every control follows the same identification schema and structure
  • Markdown is used for presenting the controls
  • An Excel tool presents maturity levels, the risk areas represented by the NO MONKEY Security Matrix, and implementation status

### Control Header

  • NIST Security Function
  • NIST Category
  • IPAC Model
  • SAP Technology
  • Maturity Level
  • Defender (People, Process, Technology)
  • Control Prerequisite

Appendix A lists the acronyms used in the control header and in the naming convention for controls.

### Control Structure

  • Description of the control
  • Implementing the control
  • Verification of the control
  • References

Example:
