S 2.345 Outsourcing of an SAP system
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
The following must be considered when outsourcing SAP systems:
- The safeguards in module S 1.11 Outsourcing must be implemented by the outsourcing partner.
- Special attention should also be paid to smooth process integration, so that the outsourcing partner can, for example, provide the outsourcing client with feedback. This also applies to the processes arising in the context of user and authorisation management.
- It is recommended to create a table containing all tasks required for an SAP system. This table should contain information on which tasks will be performed by employees of the outsourcing partner and which will be performed by internal employees. The persons in charge must be documented. The following table is provided as an example, but it is by no means complete and must be adapted to the local conditions. The tasks will generally need to be divided into subtasks.
| Task | Responsibility |
|---|---|
| Planning the SAP system | Company/government agency (the outsourcing partner should also be involved, though) |
| Definition of the authorisation concept | Company/government agency |
| Installation of the SAP system | Outsourcing partner |
| Basic configuration of the SAP system | Outsourcing partner (using the specifications of the company and/or government agency from the planning phase) |
| Configuration at the module or application levels | Company/government agency (corresponding to the specifications from the planning phase) |
| Basic administration - creating users | Outsourcing partner (after being contracted by the company and/or government agency, for separating the roles at the outsourcing partner) |
| Basic administration - managing authorisations | Outsourcing partner (after being contracted by the company and/or government agency, for separating the roles at the outsourcing partner) |
| Application administration - creating users | Company/government agency (after an internal approval process) |
| Application administration - managing authorisations | Company/government agency (after an internal approval process) |
| Installing updates and patches | Outsourcing partner |

Table: Tasks and responsibilities for SAP systems
Explanations:
- In general, the operation of the computers and the basic administration of the SAP system are performed by the outsourcing partner. The management and administration of the applications are generally performed by the outsourcing client. It must be ensured that the outsourcing partner is informed of the application-specific (security) requirements. This is the only way to ensure the basic administration is adequate.
- Meetings should be held regularly to coordinate security issues. In these meetings, new or modified requirements of the outsourcing client and suggestions from the outsourcing partner for increasing security can be discussed.
- Within the framework of the risk analysis, it must be noted that the outsourcing partner has full control over the data of the SAP system it operates. This must be examined critically from a security perspective by all government agencies and companies. The presence of such controls is also checked in the context of Sarbanes-Oxley, for example.
- If sensitive data is processed and its processing results in an implicit duty to take special care due to legal regulations or explicit requirements, the outsourcing partner must be made aware of the corresponding duties. The outsourcing partner must then be bound legally by signing a corresponding non-disclosure statement.
- For user and authorisation management, it makes sense to involve an employee of the outsourcing partner in the authorisation planning process, since this is the only way to ensure, for example, that the outsourcing partner will be able to meet the application-related security requirements. The processes for user and authorisation management must also ensure that authorisations cannot be accumulated by individual users in the outsourcing scenario.
Review questions:
- Is an adequate outsourcing concept available for the SAP system?
- Have all tasks and responsibilities of the outsourcing client and the outsourcing partner been clearly defined when outsourcing SAP systems?
- Has the outsourcing partner been informed of the application-specific (security) requirements?
- Are coordination meetings for the field of security held regularly between the outsourcing client and the outsourcing partner?
- Has it been guaranteed that the outsourcing partner is involved in the authorisation planning process?