S 2.348 Security aspects relating to the customisation of SAP systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
When an SAP system is customised, it is configured and modified in such a way that it is able to offer the organisation the support it desires. This task generally takes a lot of time. For this reason, the following must be taken into consideration:
- A concept for customising must be drawn up that describes the desired target state of the SAP system as precisely as possible and defines the processes to be used for customising purposes.
- A requirements analysis is necessary for the concept. The requirements analysis must specify which changes should be made during customisation in order to obtain the desired system response (see also safeguard S 2.341 Planning the use of SAP).
- The customising process must include feedback processes that allow changes to be made to the concept during implementation (see also S 4.258 Secure configuration of the SAP ABAP Stack).
- Customising may only be performed by knowledgeable and trustworthy personnel.
- Configuration changes should not be made in the productive system itself, but installed in a controlled manner using the transport system.
Review questions:
- Has a concept been created for customising that describes the desired target state of the SAP system and defines the processes to be used for customising purposes?
- Are SAP systems customised by knowledgeable and trustworthy persons?
- Are configuration changes installed in the SAP system in a controlled manner using the transport system?