topic Re: Security Blueprint doc in Application Development and Automation Discussions

Security Blueprint doc

Former Member — Thu, 18 Sep 2008 22:47:23 GMT

Hello,

1.Do we have document / template for SAP security blueprint?

2. What is meaning of AS-IS processes, with respect to security?

3.How do we go about documenting To-Be processes, with respect to security?

Thanks in advance.

Re: Security Blueprint doc

Former Member — Fri, 19 Sep 2008 06:36:28 GMT

1. Yes thankyou

2. As-Is means the current procesess. Your question can be interpreted in 2 ways.

i. your security design supports the business processes, e.g. transactions & restrictions used and allocation of those to users so they can run those business processes.

ii. Your current security processes e.g. your user & role creation process etc

3. The functional team will document the to-be processes. They (and you) can use these processes to identify inscope transactions, important restrictions (e.g. new doctypes being used) and creation of roles. There are lots of ways of documenting it, at the minimum you want to capture the new tx to role mapping, important restrictions per business process or functional area & to-be organisational structure.

Re: Security Blueprint doc

Former Member — Fri, 19 Sep 2008 09:00:12 GMT

>alex

>1. Yes thankyou

If you are talking of ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and doc are not comprehensive.

There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.

Re: Security Blueprint doc

Former Member — Fri, 19 Sep 2008 09:38:35 GMT


> >alex
> >1. Yes thankyou
> 
> If you are talking of ASAP doc then I am sorry to say the ASAP security plan is very complex to follow and doc are not comprehensive. 
> There is nothing as in blue print. Requirements gathering and Testing of role (its and documentation) is not properly explained.

I am not referring to ASAP, though from a security perspective, in my experience, ASAP is fine to follow & use if you spend the time required to get used to it.

I have seen many, many security blueprints which would benefit from using the various ASAP elements, despite it's weak points.

Re: Security Blueprint doc

Former Member — Fri, 19 Sep 2008 12:25:41 GMT

Hello Alex,

Thank you for answers.

Is there any place i can get a sample of document / template of security blueprint.

Thanks,

Vijay

Re: Security Blueprint doc

Former Member — Fri, 19 Sep 2008 14:21:36 GMT

I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.

Hussein did well to mention ASAP, you can download it and get some useful templates from there. More info here: https://websmp101.sap-ag.de/roadmaps

Have a think about stuff like the following:

Security Objectives

Security Approach

TX to Role Mappings

Restriction Requirements

Compliance Requirements (SOX, internal security standards)

Build Standards

Developer Security standards

User Management

Basically all the stuff you need to be able to build from your set of blueprint docs

Have fun & good luck

Re: Security Blueprint doc

jurjen_heeck — Fri, 19 Sep 2008 14:25:22 GMT

> I can't think of anywhere where blueprint docs are available. Blueprint docs usually take quite a while to put together & there is obvious reluctance of people to make available work which likely remains the property of their company/client.

Very well put Alex! Julius, Maybe a small text like this one could enter the sticky?