
SAP Security and Risk Management (2nd Edition)

by: Mario Linkies and Horst Karin


On-line Price: $84.95 (includes GST)

Hardcover

15% off retail price

You save: $15.00

Usually ships within 2 - 3 weeks. All orders will be confirmed by reply email prior to charging.

Retail Price: $99.95

Publisher: SAP Press, 15.10.10

Category: SAP

ISBN: 1592293557
ISBN13: 9781592293551


· Explains best practices for SAP system security
· Offers examples and solutions for the implementation of security technologies in all SAP components
· Contains new chapters on SAP NetWeaver, SAP BusinessObjects, GRC solutions, and much more

The revised and expanded second edition of this best-selling book describes all requirements, basic principles, and best practices of security for an SAP system. You'll learn how to protect each SAP component internally and externally while also complying with legal requirements; furthermore, you'll learn how to master the interaction of these requirements to provide a holistic security and risk management solution. Using numerous examples and step-by-step instructions, this book will teach you the technical details of implementing security in SAP NetWeaver.

Comprehensive Description
Learn where and how you can secure processes or improve the security of existing SAP systems. This description includes both sample risk potentials with their possible effects, as well as the corresponding control measures.

Tried and Tested Solutions
Understand the proven methods of an SAP security strategy, as well as international guidelines and standards. Step-by-step examples describe how to technically implement security solutions.

Up-to-Date Information
Explore new technologies, as well as SAP products and procedures, and learn how you can integrate them with your risk analysis.

ERM Navigation Control Map
Take advantage of the ERM Navigation Control Map, included as a supplement to the book, which presents the technical, process-oriented, organizational, and legal aspects of SAP components and security solutions.
Highlights

· Risk and Control Management, GRC, Enterprise Risk Management
· SAP NetWeaver AS, Solution Manager, PI, Portal, MDM
· SAP BusinessObjects, SAP NetWeaver BW
· Web Services, Enterprise Services, and SOA
· SAP ERP, HCM, CRM, SRM, SCM, SEM
· Database Server, SAP Middleware, UIs
· SOX, J-SOX, GoBS, IFRS, FDA, Basel II, REACh
· ISO/IEC 27001, ISO/IEC 27002, CoBIT, ITIL, BSI
The Authors

Mario Linkies is CEO and President of LINKIES. Management Consulting Group. Dr. Horst Karin is President of DELTA Information Security Consulting, Inc. The two business consultants have worked for many years on SAP security and information security, risk control, identity and authorization solutions, data privacy, and compliance.
Table of Contents


Preface by Wolfgang Lassmann ... 19
Preface by Monika Egle ... 21
Preface by Jose Estrada ... 23
Introduction ... 25

PART I Basic Principles of Risk Management and IT Security ... 31

1 Risk and Control Management ... 33
1.1 Security Objectives ... 34
1.2 Company Assets ... 36
1.2.1 Types of Company Assets ... 38
1.2.2 Classification of Company Assets ... 39
1.3 Risks ... 40
1.3.1 Types of Risks ... 41
1.3.2 Classification of Risks ... 44
1.4 Controls ... 45
1.4.1 Types of Controls ... 45
1.4.2 Classification of Controls ... 46

2 Enterprise Risk Management Strategy ... 49
2.1 Status Quo ... 51
2.2 Components ... 52
2.2.1 General Framework ... 56
2.2.2 Strategy ... 57
2.2.3 Methods ... 58
2.2.4 Best Practices ... 59
2.2.5 Documentation ... 59
2.3 Best Practices of an SAP Security Strategy ... 60
2.3.1 Procedure ... 60
2.3.2 Principle of Information Ownership ... 68
2.3.3 Identity Management ... 74

3 Requirements ... 79
3.1 Legal Requirements ... 79
3.1.1 Sarbanes-Oxley Act (SOX) ... 80
3.1.2 SOX Implementation in Japan ... 89
3.1.3 Principles for IT-Supported Accounting Systems ... 90
3.1.4 International Financial Reporting Standards ... 92
3.2 Industry-Specific Requirements ... 93
3.2.1 Food and Pharmaceutical Industry and Biomedical Engineering ... 93
3.2.2 Finance and Banking Industry - Basel (I, II, III) ... 94
3.2.3 Chemical Substances and Environmental Protection ... 98
3.3 Internal Requirements ... 99

4 Security Standards ... 101
4.1 International Security Standards ... 102
4.1.1 ISO/IEC 27002:2005 ... 102
4.1.2 CobiT ... 107
4.1.3 ITIL ... 110
4.1.4 COSO ... 112
4.2 Country-Specific Security Standards ... 116
4.2.1 NIST Special Publication 800-12 ... 117
4.2.2 IT Baseline Protection Manual ... 120
4.2.3 PIPEDA ... 122

5 IT Security ... 127
5.1 Cryptography ... 127
5.1.1 Symmetric Encryption Procedure ... 128
5.1.2 Asymmetric Encryption Procedure ... 129
5.1.3 Elliptic Curve Cryptography ... 130
5.1.4 Hybrid Encryption Procedure ... 131
5.1.5 SSL Encryption ... 133
5.1.6 Hash Procedures ... 134
5.1.7 Digital Signature ... 135
5.2 Public Key Infrastructure ... 137
5.3 Authentication Procedures ... 140
5.3.1 User Name and Password ... 140
5.3.2 Challenge Response ... 140
5.3.3 Kerberos ... 141
5.3.4 Secure Token ... 142
5.3.5 Digital Certificate ... 143
5.3.6 Biometric Procedures ... 143
5.4 Basic Principles of Networks and Security Aspects ... 144
5.4.1 OSI Reference Model ... 144
5.4.2 Overview of Firewall Technologies ... 150

PART II Security in SAP NetWeaver and Application Security ... 153

6 Enterprise Risk Management (ERM) Navigation Control Map ... 155
6.1 SAP Applications ... 163
6.2 SAP NetWeaver Components ... 165
6.3 Security Technologies ... 167
6.3.1 Authorizations, Risk and Change Management, and Auditing ... 168
6.3.2 Identity Management ... 169
6.3.3 Secure Authentication and SSO ... 171
6.3.4 Technical Security ... 172
6.4 Influencing Factors ... 173

7 Web Services, Enterprise Services, and Service-Oriented Architectures ... 175
7.1 Introduction and Technical Principles ... 177
7.2 Security Criteria for Web Services ... 181
7.2.1 Security and Risk Management for Service-Oriented Architectures ... 186
7.2.2 SAP Enterprise Services ... 187
7.2.3 Security Guidelines for SAP Enterprise Services ... 190
7.3 Service-Oriented Architectures and Governance ... 193

8 GRC Solutions in SAP BusinessObjects ... 197
8.1 Introduction and Functions ... 197
8.1.1 Goals of the GRC Solutions in SAP BusinessObjects ... 198
8.1.2 Methods of the GRC Solutions in SAP BusinessObjects ... 199
8.1.3 Planning the Deployment of GRC Solutions in SAP BusinessObjects ... 200
8.1.4 Overview of the GRC Solutions in SAP BusinessObjects ... 201
8.2 SAP BusinessObjects RM ... 205
8.2.1 Main Components ... 205
8.2.2 Phases ... 206
8.2.3 Responsibilities ... 212
8.2.4 Reporting ... 214
8.3 SAP BusinessObjects Access Control ... 214
8.3.1 General Requirements on the SAP Authorization System ... 214
8.3.2 Main Components ... 221
8.4 SAP BusinessObjects Process Control ... 229
8.4.1 My Home ... 232
8.4.2 Compliance Structure ... 233
8.4.3 Evaluation Setup ... 234
8.4.4 Evaluation Results ... 234
8.4.5 Certification ... 235
8.4.6 Report Center ... 236
8.4.7 User Access ... 238
8.5 SAP BusinessObjects Global Trade Services (GTS) ... 238
8.5.1 Compliance Management ... 241
8.5.2 Customs Management ... 243
8.5.3 Risk Management ... 245
8.5.4 Electronic Compliance Reporting ... 247
8.5.5 System Administration ... 247
8.6 SAP Environment, Health, and Safety (EHS) Management ... 248
8.6.1 Overview ... 248
8.6.2 Chemical Safety ... 250
8.6.3 Environment, Health, and Safety ... 252
8.6.4 Compliance with Product-Related Environmental Specifications ... 252
8.6.5 Compliance and Emission Management ... 253
8.7 SAP BusinessObjects Sustainability Performance Management ... 255

9 SAP NetWeaver Application Server ... 257
9.1 Introduction and Functions ... 257
9.2 Risks and Controls ... 260
9.3 Application Security ... 269
9.3.1 Technical Authorization Concept for Administrators ... 269
9.3.2 Authorization Concept for Java Applications ... 277
9.3.3 Restricting Authorizations for RFC Calls ... 283
9.4 Technical Security ... 287
9.4.1 Introducing an SSO Authentication Mechanism ... 287
9.4.2 Connecting the SAP NetWeaver AS to a Central LDAP Directory ... 289
9.4.3 Changing the Default Passwords for Default Users ... 291
9.4.4 Configuring Security on the SAP Gateway ... 291
9.4.5 Restricting Operating System Access ... 293
9.4.6 Configuring Important Security System Parameters ... 294
9.4.7 Configuring Encrypted Communication Connections (SSL and SNC) ... 296
9.4.8 Restricting Superfluous Internet Services ... 301
9.4.9 Secure Network Architecture for Using the SAP NetWeaver AS with the Internet ... 303
9.4.10 Introducing an Application-Level Gateway to Make Internet Applications Secure ... 304
9.4.11 Introducing Hardening Measures on the Operating System Level ... 304
9.4.12 Introducing a Quality Assurance Process for Software Development ... 305
9.4.13 Security and Authorization Checks in Custom ABAP and Java Program Code ... 307

10 SAP NetWeaver Business Warehouse ... 309
10.1 Introduction and Functions ... 309
10.2 Risks and Controls ... 310
10.3 Application Security ... 313
10.3.1 Authorizations ... 314
10.3.2 Analysis Authorizations ... 318
10.3.3 Other Concepts ... 319
10.4 Technical Security ... 323

11 BI Solutions in SAP BusinessObjects ... 325
11.1 Introduction and Functions ... 326
11.2 Risks and Controls ... 327
11.3 Application Security ... 332
11.3.1 Authorization Concept for SAP BusinessObjects ... 332
11.3.2 Application Examples for Authorization Concepts ... 339
11.3.3 Securing the Administration Access and the Guest User ... 342
11.3.4 Configuring Password Rules ... 342
11.3.5 Application Authorizations ... 343
11.4 Technical Security ... 344
11.4.1 External Authentication and SSO ... 344
11.4.2 Using the Audit Function ... 345
11.4.3 Network Communication via SSL and CORBA Services ... 346

12 SAP NetWeaver Process Integration ... 347
12.1 Introduction and Functions ... 348
12.2 Risks and Controls ... 350
12.3 Application Security ... 357
12.3.1 Authorizations for Enterprise Services Builder ... 357
12.3.2 Passwords and Authorizations for Technical Service Users ... 359
12.3.3 Authorizations for Administrative Access to SAP NetWeaver PI ... 360
12.3.4 Password Rules for Administrators ... 361
12.4 Technical Security ... 361
12.4.1 Definition of Technical Service Users for Communication Channels at Runtime ... 362
12.4.2 Setting Up Encryption for Communication Channels ... 363
12.4.3 Digital Signature for XML-Based Messages ... 371
12.4.4 Encryption of XML-Based Messages ... 376
12.4.5 Network-Side Security for Integration Scenarios ... 376
12.4.6 Audit of the Enterprise Services Builder ... 377
12.4.7 Securing the File Adapter at the Operating System Level ... 379
12.4.8 Encrypting PI Communication Channels and Web Services ... 380
12.4.9 Security for Web Services ... 380

13 SAP Partner Connectivity Kit ... 383
13.1 Introduction and Functions ... 383
13.2 Risks and Controls ... 384
13.3 Application Security ... 388
13.4 Technical Security ... 388
13.4.1 Separate Technical Service User for Every Connected Partner System ... 389
13.4.2 Setting Up Encryption for Communication Channels ... 389
13.4.3 Digital Signature for XML-Based Messages ... 389
13.4.4 Network-Side Security for Integration Scenarios ... 389
13.4.5 Audit of the Message Exchange ... 389
13.4.6 Securing the File Adapter at the Operating System Level ... 390

14 Classic SAP Middleware ... 391
14.1 SAP Web Dispatcher ... 391
14.1.1 Introduction and Functions ... 392
14.1.2 Risks and Controls ... 392
14.1.3 Application Security ... 395
14.1.4 Technical Security ... 395
14.2 SAProuter ... 403
14.2.1 Introduction and Functions ... 403
14.2.2 Risks and Controls ... 404
14.2.3 Application Security ... 405
14.2.4 Technical Security ... 405
14.3 SAP Internet Transaction Server (ITS) ... 407
14.3.1 Introduction and Functions ... 408
14.3.2 Risks and Controls ... 410
14.3.3 Application Security ... 413
14.3.4 Technical Security ... 415

15 SAP NetWeaver Master Data Management ... 423
15.1 Introduction and Functions ... 423
15.2 Risks and Controls ... 424
15.3 Application Security ... 429
15.3.1 Identity Management and Authorizations ... 429
15.3.2 Revision Security ... 436
15.4 Technical Security ... 436
15.4.1 Communication Security ... 436
15.4.2 Important Additional Components ... 437

16 SAP NetWeaver Portal ... 439
16.1 Introduction and Functions ... 439
16.1.1 Technical Architecture ... 441
16.1.2 Description of the UME ... 443
16.2 Risks and Controls ... 447
16.3 Application Security ... 456
16.3.1 Structure and Design of Portal Roles ... 456
16.3.2 Authorizations for the UME ... 463
16.3.3 Portal Security Zones ... 464
16.3.4 Authentication Check for iView Access ... 470
16.3.5 Standard Portal Roles and Delegated User Administration ... 470
16.3.6 Synchronization of Portal Roles with ABAP Roles ... 473
16.3.7 Change Management Process for New Portal Content ... 480
16.4 Technical Security ... 481
16.4.1 Connecting SAP NetWeaver Portal to a Central LDAP Directory or SAP System ... 481
16.4.2 Implementation of an SSO Mechanism Based on a One-Factor Authentication ... 484
16.4.3 Implementation of an SSO Mechanism Based on an Integrated Authentication ... 487
16.4.4 Implementation of an SSO Mechanism Based on Person-Related Certificates ... 489
16.4.5 Configuration for Anonymous Access ... 491
16.4.6 Secure Initial Configuration ... 492
16.4.7 Secure Network Architecture ... 493
16.4.8 Introducing an Application-Level Gateway to Make Portal Applications Secure ... 496
16.4.9 Configuration of Encrypted Communication Channels ... 500
16.4.10 Implementation of a Virus Scan for Avoiding a Virus Infection ... 502

17 SAP NetWeaver Mobile ... 505
17.1 Introduction and Functions ... 505
17.2 Risks and Controls ... 508
17.3 Application Security ... 515
17.3.1 Authorization Concept for Mobile Applications ... 515
17.3.2 Authorization Concept for Administration ... 518
17.3.3 Restricting the Authorizations of the RFC User to Back-End Applications ... 519
17.4 Technical Security ... 520
17.4.1 Setting Up Encrypted Communications Connections ... 520
17.4.2 Securing the Synchronization Communication ... 521
17.4.3 Deactivating Unnecessary Services on the SAP NetWeaver Mobile Server ... 523
17.4.4 Secure Network Architecture ... 523
17.4.5 Monitoring ... 524
17.4.6 Secure Program Code ... 525

18 SAP Auto-ID Infrastructure ... 527
18.1 Introduction and Functions ... 527
18.2 Risks and Controls ... 529
18.3 Application Security ... 533
18.3.1 Authorization Concept for SAP Auto-ID Infrastructure ... 533
18.3.2 Authorization Concept for Administration ... 533
18.3.3 Restricting the Authorizations of the RFC User to Back-End Applications ... 534
18.3.4 Authentication, Password Rules, and Security ... 534
18.4 Technical Security ... 535
18.4.1 Setting Up Encrypted Communication Connections ... 535
18.4.2 Deactivating Unnecessary Services on the Server ... 535
18.4.3 Secure Network Architecture ... 535

19 SAP Solution Manager ... 537
19.1 Introduction and Functions ... 537
19.2 Risks and Controls ... 540
19.3 Application Security ... 544
19.4 Technical Security ... 550
19.4.1 Security Measures for User Access ... 550
19.4.2 System Monitoring Function ... 551
19.4.3 RFC Communication Security ... 551
19.4.4 Data Communication Security ... 552
19.4.5 Important Components of SAP NetWeaver ... 553

20 Authorizations in SAP ERP ... 555
20.1 Introduction and Functions ... 555
20.2 Risks and Controls ... 556
20.3 Application Security ... 563
20.3.1 Authentication ... 563
20.3.2 Authorizations ... 563
20.3.3 Other Authorization Concepts ... 578
20.3.4 Best-Practice Solutions ... 589
20.4 Technical Security ... 597

21 SAP ERP Human Capital Management and Data Protection ... 599
21.1 Introduction and Functions ... 599
21.1.1 Data Protection in Human Resources ... 599
21.1.2 Technical and Organizational Measures ... 600
21.2 Risks and Controls ... 602
21.3 Application Security ... 609
21.3.1 HR Master Data Authorizations ... 610
21.3.2 Applicant Authorizations ... 612
21.3.3 Personnel Planning Authorizations ... 613
21.3.4 Reporting Authorizations ... 613
21.3.5 Structural Authorizations ... 613
21.3.6 Authorizations for Personnel Development ... 614
21.3.7 Tolerance Periods for Authorizations ... 614
21.3.8 Authorizations for Inspection Procedures ... 614
21.3.9 Customized Authorization Checks ... 614
21.3.10 Indirect Role Assignment through the Organizational Structure ... 615
21.3.11 Additional Transactions Relevant to Internal Controls ... 615
21.4 Technical Security ... 617

22 SAP Strategic Enterprise Management ... 619
22.1 Introduction and Functions ... 619
22.2 Risks and Controls ... 620
22.3 Application Security ... 622
22.4 Technical Security ... 623

23 SAP Customer Relationship Management ... 625
23.1 Introduction and Functions ... 625
23.2 Risks and Controls ... 626
23.3 Application Security ... 628
23.3.1 Authorizations in SAP CRM ... 629
23.3.2 Authorizations for Portal Roles ... 635
23.4 Technical Security ... 636
23.4.1 Technical Protection of the Mobile Application ... 636
23.4.2 Important Additional Components ... 636

24 SAP Supply Chain Management ... 639
24.1 Introduction and Functions ... 639
24.2 Risks and Controls ... 640
24.3 Application Security ... 641
24.3.1 Authorizations for the Integrated Product and Process Engineering (iPPE) Workbench ... 642
24.3.2 Authorizations for Supply Chain Planning ... 642
24.3.3 Authorizations for SAP Event Management ... 643
24.4 Technical Security ... 644

25 SAP Supplier Relationship Management ... 647
25.1 Introduction and Functions ... 647
25.2 Risks and Controls ... 649
25.3 Application Security ... 651
25.3.1 Important Authorizations ... 651
25.3.2 Rules-Based Security Checks Using Business Partner Attributes ... 659
25.3.3 User Management ... 663
25.4 Technical Security ... 664
25.4.1 Security Environment Based on SAP NetWeaver ... 664
25.4.2 Security Environment for RFC Communication ... 665

26 Industry-Specific SAP Solution Portfolios ... 667
26.1 Introduction and Functions ... 668
26.2 Risks and Controls ... 668
26.3 Application Security ... 671
26.3.1 SAP MaxSecure Support ... 671
26.3.2 SAP Role Manager ... 672
26.4 Technical Security ... 675

27 Database Server ... 677
27.1 Introduction and Functions ... 677
27.2 Risks and Controls ... 678
27.3 Application Security ... 681
27.4 Technical Security ... 683
27.4.1 Changing Default Passwords ... 683
27.4.2 Removing Unnecessary Database Users ... 686
27.4.3 Limiting Database Access ... 686
27.4.4 Creation and Implementation of a Database Backup Concept ... 686
27.4.5 Filtering Database Queries ... 687
27.4.6 Creation and Implementation of an Upgrade Concept ... 688

28 User Interfaces ... 689
28.1 SAP GUI ... 689
28.1.1 Introduction and Functions ... 689
28.1.2 Risks and Controls ... 690
28.1.3 Application Security ... 693
28.1.4 Technical Security ... 698
28.2 Web Browser ... 701
28.2.1 Introduction and Functions ... 702
28.2.2 Risks and Controls ... 702
28.2.3 Application Security ... 704
28.2.4 Technical Security ... 704
28.3 Mobile Devices ... 706
28.3.1 Introduction and Functions ... 706
28.3.2 Risks and Controls ... 707
28.3.3 Application Security ... 712
28.3.4 Technical Security ... 712

Appendices ... 717
A Bibliography ... 717
B The Authors ... 719
Index ... 721