/CBAS-SAP-SecurityMaturityModel

SAP security maturity model

Primary LanguagePythonCreative Commons Attribution Share Alike 4.0 InternationalCC-BY-SA-4.0

SAP Security Maturity Model


The CBAS - SAP Security Maturity Model (CBAS-SSMM) project allows organizations to determine their SAP security posture based on controls used to define a maturity level that organizations can maintain or adopt. This enables organizations to plan and enhance their security mechanisms when protecting SAP resources.

Whats In It For Me (WIIFM)

The project intends to be used by different professionals:

  • SAP Security Experts
  • non-SAP Security Experts
  • Consultants
  • Auditors
  • Advisors
  1. The project helps operations, security, and audit teams assess, plan, and verify security controls that affect SAP implementations in their organizations.
  2. Helps organizations determine their maturity in protecting their SAP applications.
  3. Enables and supports organizations with implementing security controls that are required to protect their SAP applications.

Maturity Levels

We follow different methodologies and standards to define the different controls for each maturity level.

In our initial release, and for defining maturity level 1, we want to create a security baseline every organization must maintain to secure SAP applications.

Maturity level 1:

The first maturity level is the initial baseline and derived from the below standards:

  • SAP Security Baseline Template V2.1
  • German Federal Office for Information Security - BSI 4.2 SAP ERP System
  • German Federal Office for Information Security - BSI 4.6 SAP ABAP Programming
  • SAP security white papers - used for critical areas missing in the security baseline template and BSI standards

Controls

We aim to create controls in a structured, easy, and understandable way.

  • Every control follows the same identification schema and structure
  • Markdown language used for presenting the controls
  • Excel tool to present maturity levels, risk areas represented by the NO MONKEY Security Matrix, and implementation status

Check our current released controls here.

We are continuously adding controls to cover the different maturity levels defined in the project. You can check our projects page to stay updated for upcoming controls.

Control Header:

  • NIST Security Function
  • NIST Category
  • IPAC Model
  • SAP Technology
  • Maturity Level
  • Defender (People, Process, Technology)
  • Control Prerequisite

Appendix A lists the acronyms used in either the control header or the naming convention for controls.

Control Structure:

  • Description of the control
  • Implementing the control
  • Verification of the control
  • References

Example:


Leaders

Communication channel

Anyone interested in supporting, contributing or giving feedback join us in our discord channel.

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.