Do your doors have locks? Are they installed? If not today, when?
Do your company’s financials rely on data integrity and accurate balances? Do you have trade secrets, customer, vendors or pricing that is key to maintaining your market share? If you company information was no longer protected, would the image, perception or value of your company change? I believe that the answer for most all public and private companies is YES. Absolutely YES!
In today’s world the rules have changed as security gaps are openly published on the internet. This information is accessed daily by hackers and protectors alike. The results are good and bad. Rather than searching for days or assuming that your systems are protected, the information is available to assist you in closing doors and protecting information integrity. On the other hand if you have not addressed these issues in a timely manner, others, both external and internal to your company, may be knocking at the door.
As the ASUG Security Program Chair I have been engaged with SAP Germany, SAP America, the America’s SAP User Group and customers just like you to insure that we are taking the right steps. During 2009, SAP was alarmed that many companies were slow to apply security patches. As a first step SAP partnered with ASUG to communicate to CIO’s several high priority messages that should be applied. Many companies reacted quickly and applied these messages as a onetime event. Do you have processes in place to review security notes?
SAP has taken steps to alert companies and ease the pain of searching through thousands of messages to find the critical security notes. However, at the end of the line we must take steps to enable these processes and implement the corrections. One of these solutions is to setup SAP Early Watch reports. The newer reports have an expanded security section which documents security vulnerabilities and the known correction. This is one of the easiest ways to receive information specific to your environment. The notes are a combination of the priority notes documented through the HOTNEWS Solution Manager functionality and the notes documented on the https://service.sap.com/securitynotes page. For reference on these enhancements see SAP Note 863362 (Security checks in the SAP Early Watch Alert).
With feedback from companies like yours, SAP has also improved the ability to search for security notes. The old method of searching the Service Market place for security notes still exists, but many times notes are buried in functional areas and have no keyword search related to security. The manual list SAP previously complied of critical security notes has not been updated since June 2009. For the new solution, SAP created a page within Service Marketplace to consolidate security note information. I consider this page a Portal into the sea of all SAP messages with a filter on security relevant. With the improved security notes page, you can quickly find all notes that have been updated in the past 30 days. Filters are available to quickly search by priority or application area. The site has improved and the classification of corrections is getting better.
In closing, SAP has provided us tools through the security notes page and the Early Watch Report to quickly identify security relevant notes. If you have taken steps to implement processes within your company you should be commended. Many companies have not been pro-active and do not truly know where the holes are within their SAP software. Do your part by using these tools to correct the issues and protect the integrity of your systems. The protection of information is a critical component of all computer systems.