SAP Security and Risk Management - Mario Linkies, Horst Karin

SAP Security and Risk Management

Book | Hardcover
742 pages
2010
SAP Press (publisher)
978-1-59229-355-1 (ISBN)
69,95 incl. VAT

* Explains best practices for SAP system security
* Offers examples and solutions for the implementation of security technologies in all SAP components
* Contains new chapters on SAP NetWeaver, SAP BusinessObjects, GRC solutions, and much more

The revised and expanded second edition of this best-selling book describes all requirements, basic principles, and best practices of security for an SAP system. You'll learn how to protect each SAP component internally and externally while also complying with legal requirements; furthermore, you'll learn how to master the interaction of these requirements to provide a holistic security and risk management solution. Using numerous examples and step-by-step instructions, this book will teach you the technical details of implementing security in SAP NetWeaver.

Comprehensive Description: Learn where and how you can secure processes or improve the security of existing SAP systems. This description includes both sample risk potentials with their possible effects, as well as the corresponding control measures.

Tried and Tested Solutions: Understand the proven methods of an SAP security strategy, as well as international guidelines and standards. Step-by-step examples describe how to technically implement security solutions.

Up-to-Date Information: Explore new technologies, as well as SAP products and procedures, and learn how you can integrate them with your risk analysis.

ERM Navigation Control Map: Take advantage of the ERM Navigation Control Map, included as a supplement to the book, which presents the technical, process-oriented, organizational, and legal aspects of SAP components and security solutions.

Highlights

* Risk and Control Management, GRC, Enterprise Risk Management
* SAP NetWeaver AS, Solution Manager, PI, Portal, MDM
* SAP BusinessObjects, SAP NetWeaver BW
* Web Services, Enterprise Services, and SOA
* SAP ERP, HCM, CRM, SRM, SCM, SEM
* Database Server, SAP Middleware, UIs
* SOX, J-SOX, GoBS, IFRS, FDA, Basel II, REACh
* ISO/IEC 27001, ISO/IEC 27002, CoBIT, ITIL, BSI

Mario Linkies is an entrepreneur and heads up the international advisory firm LINKIES. Management Consulting. As a business consultant for risk management and SAP access control, he has published several books in English, German, and Japanese. He also works as a poet, photographer, painter, and musician and is a member of the Supervisory Board of Public Performance GmbH and the Society for Contemporary Poetry Association in Leipzig. He has written hundreds of poems, short stories, and fables inspired by his travels in over 60 countries. Mario was born in 1963 in Leipzig and studied finance, banking, and foreign trade at Humboldt University in Berlin. In the summer of 1989, he left with thousands of other young people via Hungary and in 1994 emigrated to the Canadian province of Ontario. Today, he lives in Oakville, Canada and Leipzig, Germany.

Dr. Horst Karin is a professional with over 12 years of consulting experience in information security, risk management, controls, and sustainable compliance. He also advises on security strategy and the technical integration of security solutions for SAP NetWeaver, BusinessObjects XI, access and identity management, and Public Key Infrastructure. His exceptional experience is based on SAP and IT security projects with over 50 international clients, such as The Coca-Cola Company, Procter & Gamble, Eli Lilly and Company, and The Royal Bank of Canada. Dr. Horst Karin is certified in SAP, as a CISA and CISSP, and in ITIL.

Preface by Wolfgang Lassmann
Preface by Monika Egle
Preface by Jose Estrada
Introduction

PART I. Basic Principles of Risk Management and IT Security

1. Risk and Control Management
  1.1. Security Objectives
  1.2. Company Assets
  1.3. Risks
  1.4. Controls

2. Enterprise Risk Management Strategy
  2.1. Status Quo
  2.2. Components
  2.3. Best Practices of an SAP Security Strategy

3. Requirements
  3.1. Legal Requirements
  3.2. Industry-Specific Requirements
  3.3. Internal Requirements

4. Security Standards
  4.1. International Security Standards
  4.2. Country-Specific Security Standards

5. IT Security
  5.1. Cryptography
  5.2. Public Key Infrastructure
  5.3. Authentication Procedures
  5.4. Basic Principles of Networks and Security Aspects

PART II. Security in SAP NetWeaver and Application Security

6. Enterprise Risk Management (ERM) Navigation Control Map
  6.1. SAP Applications
  6.2. SAP NetWeaver Components
  6.3. Security Technologies
  6.4. Influencing Factors

7. Web Services, Enterprise Services, and Service-Oriented Architectures
  7.1. Introduction and Technical Principles
  7.2. Security Criteria for Web Services
  7.3. Service-Oriented Architectures and Governance

8. GRC Solutions in SAP BusinessObjects
  8.1. Introduction and Functions
  8.2. SAP BusinessObjects RM
  8.3. SAP BusinessObjects Access Control
  8.4. SAP BusinessObjects Process Control
  8.5. SAP BusinessObjects Global Trade Services (GTS)
  8.6. SAP Environment, Health, and Safety (EHS) Management
  8.7. SAP BusinessObjects Sustainability Performance Management

9. SAP NetWeaver Application Server
  9.1. Introduction and Functions
  9.2. Risks and Controls
  9.3. Application Security
  9.4. Technical Security

10. SAP NetWeaver Business Warehouse
  10.1. Introduction and Functions
  10.2. Risks and Controls
  10.3. Application Security
  10.4. Technical Security

11. BI Solutions in SAP BusinessObjects
  11.1. Introduction and Functions
  11.2. Risks and Controls
  11.3. Application Security
  11.4. Technical Security

12. SAP NetWeaver Process Integration
  12.1. Introduction and Functions
  12.2. Risks and Controls
  12.3. Application Security
  12.4. Technical Security

13. SAP Partner Connectivity Kit
  13.1. Introduction and Functions
  13.2. Risks and Controls
  13.3. Application Security
  13.4. Technical Security

14. Classic SAP Middleware
  14.1. SAP Web Dispatcher
  14.2. SAProuter
  14.3. SAP Internet Transaction Server (ITS)

15. SAP NetWeaver Master Data Management
  15.1. Introduction and Functions
  15.2. Risks and Controls
  15.3. Application Security
  15.4. Technical Security

16. SAP NetWeaver Portal
  16.1. Introduction and Functions
  16.2. Risks and Controls
  16.3. Application Security
  16.4. Technical Security

17. SAP NetWeaver Mobile
  17.1. Introduction and Functions
  17.2. Risks and Controls
  17.3. Application Security
  17.4. Technical Security

18. SAP Auto-ID Infrastructure
  18.1. Introduction and Functions
  18.2. Risks and Controls
  18.3. Application Security
  18.4. Technical Security

19. SAP Solution Manager
  19.1. Introduction and Functions
  19.2. Risks and Controls
  19.3. Application Security
  19.4. Technical Security

20. Authorizations in SAP ERP
  20.1. Introduction and Functions
  20.2. Risks and Controls
  20.3. Application Security
  20.4. Technical Security

21. SAP ERP Human Capital Management and Data Protection
  21.1. Introduction and Functions
  21.2. Risks and Controls
  21.3. Application Security
  21.4. Technical Security

22. SAP Strategic Enterprise Management
  22.1. Introduction and Functions
  22.2. Risks and Controls
  22.3. Application Security
  22.4. Technical Security

23. SAP Customer Relationship Management
  23.1. Introduction and Functions
  23.2. Risks and Controls
  23.3. Application Security
  23.4. Technical Security

24. SAP Supply Chain Management
  24.1. Introduction and Functions
  24.2. Risks and Controls
  24.3. Application Security
  24.4. Technical Security

25. SAP Supplier Relationship Management
  25.1. Introduction and Functions
  25.2. Risks and Controls
  25.3. Application Security
  25.4. Technical Security

26. Industry-Specific SAP Solution Portfolios
  26.1. Introduction and Functions
  26.2. Risks and Controls
  26.3. Application Security
  26.4. Technical Security

27. Database Server
  27.1. Introduction and Functions
  27.2. Risks and Controls
  27.3. Application Security
  27.4. Technical Security

28. User Interfaces
  28.1. SAP GUI
  28.2. Web Browser
  28.3. Mobile Devices

Appendices
  A. Bibliography
  B. The Authors

Index

Series: SAP PRESS Englisch
Place of publication: Maryland
Language: English
Dimensions: 175 x 228 mm
Subject area: Computer Science > Networks > Security / Firewall
Computer Science > Further Topics > SAP
Keywords: Authorization (IT) • IT security • SAP NetWeaver
ISBN-10: 1-59229-355-7 / 1592293557
ISBN-13: 978-1-59229-355-1 / 9781592293551
Condition: New