Quite often we get contacted with the question – what does SAP offer as Consulting Services in the area of Cybersecurity & Compliance? Or what are the related services you can get within the support-contract from SAP?

Where Do I Begin?

Let me try to sort this out for the area of cybersecurity & compliance.

The main contacts typically for you as our customer are for consulting services the Service Account Manager (SAM) and as part of our support the Technical Quality Manager (TQM) is responsible.

In general the process becomes more manageable if you break it down establishing a systematic approach.  The chart below diagrams the 5 categories to review and the areas that should be considered.  This is a joint, collaborative process between you and SAP, and involves more than system or landscape hardening as process failure points are just as vulnerable.

Secure Operations Map

When looking at these 5 layers for review, the Environment at the bottom and the Organization layer at the top are areas where each business would take the lead and SAP can advise on SAP-specific items.  But the focus for your SAP Consultants, SAP MaxAttention or SAP ActiveAttention team will be on the center 3 blocks: System, Application, and Process.

When Should I Start?

Ideally, you should start planning your security approach as early in your project as possible.  If you are in the early stages of transitioning to the cloud or a hyperscaler for instance, preparing now will avoid a lot of work in the future.

McKinsey had noted that while some industries didn’t see an effect at the beginning of the pandemic, most anticipate that this will change in the coming months.  The majority of security professionals are asking for budget increases in 2021 in preparation for mounting security concerns in the changing business environment.

Security does not remain static of course.  You don’t make recommended changes and then decide that it is all done.  Hackers are always looking for opportunities, landscapes and technologies change, new attack patterns arise.  Thus, the review process should be repeated annually to ensure that things do not become lax as time goes on.

What can I get as Consulting Service?

for consulting we packaged two major services with scope options you can choose from:

• Architecture and planning service for cybersecurity & compliance
• Execution and implementation service for cybersecurity & compliance

The architecture and planning service covers all areas of our Secure Operations Map by combining the available scope options as shown in the following:

Information Security Compliance Review

Identity Access Management Scoping

Infrastructure Security Architecture

Data Protection and Privacy Assessment

Cybersecurity Reference Architecture

If you have a request for a specific area of cybersecurity & compliance or topics not mentioned here please also contact your SAM, as this blog focuses on the defined services.

What can I get as SAP MaxAttention or SAP ActiveAttention customer?

Ask your TQM for a Security and Compliance Workshop.

It starts the review identifying gaps and weak points, and through this discussion awareness of less obvious security issues can come to light.  Trying to address 100% of these findings is not the goal as this would be expensive and time consuming.  But prioritizing the recommendations, especially identifying and closing the most common ‘open doors,’ yields an effective approach that can lead to long lasting success.  This is the first step in the 3 steps process currently available remotely with your SAP MaxAttention and SAP ActiveAttention contract (also available as an SAP Value Assurance offering):

1. Focus on HARDENING of your security settings ‘Close known open doors’
2. Focus on PREVENTION of cyber-attacks ‘Protect and ensure’
3. Focus on DETECTION of cyber-attacks ‘Monitor and respond’

The approach is also shown in the following figure:

SAP MaxAttention and SAP ActiveAttention related services

There are also things that you can start with right away: utilize the SAP EarlyWatch Alert Workspace available to you as a collaboration platform with SAP![1] It provides you with a quick overview of critical situations in your landscape. Keeping your software up-to-date is also key and should be done on annual basis at minimum. In the interim, fix urgent issues leveraging the SAP Security Notes.

For further information – or if this blog post might be already older then a year – please reach out also to our Security Optimization Service Page and at the Cloud Trust Center.

[1] Authorization is required.  Please see https://blogs.sap.com/2019/10/01/displaying-security-alerts-in-the-sap-earlywatch-alert-workspace/