How SAP’s Privacy Framework Protects Your Data
Key Terms of Security Framework
Data security and data privacy are important elements of SAP’s security strategy. Data security ensures the confidentiality, integrity, and availability of the data and lays the foundation for information security and privacy. Privacy refers to the appropriate use of data: companies should only use the data they collect for the agreed-upon purposes.
There are also different types of data that need to be secured. Personally Identifiable Information (PII), Sensitive Personal Information (SPI), and Personal Data are terms referring to any information relating to an identified or identifiable natural person. A Data Subject is any individual whose personal data is collected.
A data controller is a person or body that collects and manages personal data. A data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data privacy regulation is a shared responsibility between the cloud provider and the customer. In a cloud environment, the customers are the controllers and SAP is the processor. While there is no established global standard for data privacy, countries, states, and organizations have developed their own data privacy standards that companies have to follow to stay compliant. Some regulations are well known, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), which establishes national standards to protect individuals’ health information, and the European Union’s General Data Protection Regulation (GDPR), which is a regulation on data protection and privacy.
All privacy regulations follow the same core principles: demonstration of compliance, lawful processing, breach notification, accountability, and individual rights. However, each individual privacy regulation may have specific controls that are needed to satisfy the core principles.
Guidelines, Standards, and Certifications
SAP’s Security Privacy Framework is based on standards created by regulatory and non-regulatory bodies that ensure our customers’ data is secure. The National Institute of Standards and Technology (NIST) is a non-regulatory body of the U.S. Department of Commerce whose mission is to promote innovation and competitiveness. NIST has created standards for different industries, including Information Technology. The International Organization for Standardization (ISO) is a Switzerland-based organization that has developed standards to ensure the world is safer, cleaner, and more efficient. SAP takes guidance from the NIST Cybersecurity Framework for our Global Security Policy and is certified in multiple ISO standards.
SAP Security Privacy Framework
SAP’s established data privacy and data security controls come together to create SAP’s Security Privacy Framework. Our Security Privacy Framework is composed of the following layers: Foundation, Best Practices, Events, Privacy, and Transparency. Each layer is based on different ISO certifications and other data privacy regulations.
The Foundation aspect of the Security Privacy Framework consists of standards that concern Information Security Management, Code of Practice, and Certification. The ISO/IEC 27000 standard covers the security of all forms of information, including physical security, compliance, networking, operations, etc. SAP leverages this standard to make sure it covers all forms of security for our cloud products. The Code of Practice, covered in ISO/IEC 27002, establishes the four administrative standards and security controls for 14 security domains. The Certification (ISO/IEC 27001) ensures the security controls in the Code of Practice are fine-tuned to keep up with the current security threats, vulnerabilities, and business impact. SAP is audited by KPMG, a third-party auditor who issues ISO certificates specific to each SAP cloud application.
We also have other standards that build on top of the Foundation mentioned above. These standards include, but are not limited to, Quality Management (ISO/IEC 9000), Service Delivery (ISO/IEC 20000), and Business Continuity (ISO/IEC 22300). The Quality Management standard is designed to help organizations meet the needs of their customers while staying compliant. SAP Support, SAP Development, and multiple SAP cloud solutions are certified in this standard. The Service Delivery standard was developed to reflect the best practices in IT Service Management Framework. Finally, the Business Continuity Management standard was created to help companies continue operations in the event of a disaster, like a cyber incident.
A lot of SAP cloud solutions are multi-tenant, which means that knowing who accessed what data is imperative to Incident Response. The Events layer is based on the Incident Management standard (ISO/IEC 27035). This standard focuses on assessing, reporting, and responding to a cyber incident and on the overall improvement of the incident management process. The goal is to minimize the impact on business operations in the event of a cyber incident.
SAP has data privacy controls in place so we can fully protect our customers’ data and make sure they stay compliant. SAP is certified in the British Standard (BS) 10012 and ISO/IEC 27018, standards specific to data privacy. BS 10012 is a British legal standard that was created to maintain the privacy of SPI that is held by companies. It also outlines what you can and can’t do with the data and provides guidelines on how to communicate with the data subject about the information. ISO/IEC 27018 is specific to cloud providers because the standard covers the processing of personal information with the public cloud acting as a processor. SAP also follows the GDPR framework, which provides the protection of personal data for EU citizens, and the Standard Contractual Clauses (SCC) in the data processing agreement.
The final portion of the SAP Security Framework is Transparency. SAP wants to operate in a way that informs the customer of what actions are being performed with respect to the confidentiality, integrity, and availability of their data that is stored within SAP systems. KPMG is the issuer of our audit reports, and they provide System and Organization Controls (SOC) reports. SOC reports are a way for customers to verify that SAP is following best practices and staying compliant.
SAP’s Security Framework embodies the security-in-depth philosophy and aims to provide the highest level of security for our customers. We will continue to find ways to improve our policies and follow industry best practices to secure our customers’ data.
The certifications and reports mentioned above are available for customers in the SAP Trust Center, along with more information about SAP’s security and privacy practices, compliance, and agreements. For more in-depth information about SAP’s security practices and policies, customers under NDA can visit the SAP My Trust Center.