6 checks the Data Protection Officer must do in SAP

Posted by Andrea Mazzolani on Feb 17, 2023 8:15:00 AM
Andrea Mazzolani

 

What should the Data Protection Officer do in SAP systems? 

DPO_SAP
 
What are the controls to be carried out in the management system?

Who is the Data Protection Officer?

The Data Protection Officer (DPO)  is a figure that was introduced by the GDPR  (the European Data Protection Regulation).

 

It is a figure who independently supports the data controller to protect and manage personal data. Articles 37, 38 and 39 of the European Regulation define this figure.

 

One of the goals of the DPO position is to conduct periodic audits to verify that personal data are being handled properly.

 

But what to do within SAP to carry out this audit? Here is a list of activities to perform.

 

1 How to check the exported data from SAP?

It can be very easy to export data from SAP. One of the verification aspects might be understanding how much the SAP system does or does not allow or how it is protected with respect to exporting data.

 

We talked about this topic in the following article: How to export data from SAP?

The use of tools like SAP DAM Dynamic Authorization Management di NextLabs possono essere un ulteriore aiuto.

 

Remember that you can also see who downloaded what from SAP using the SAP Security Audit Log.

 

2 How are the interfaces towards third party systems managed?

A new functionality introced by SAP is the UCON meaning Unified Connectivity.

 

This tool enables you to think about the management of calls towards SAP from a third party system in a way that wasn't possible until today.

 

In fact, by default, the services exposed by SAP are callable, but only after authenticating and following the authorization check phase it's possible to execute a specific functionality like exporting data (by using the function recall or BAPI).

 

Thanks to this tool, included in the SAP suite, it's possible to activate a log which is used to identify the calls made and, as a result, creating a whitelist of functions that can be recalled and by whom.

 

3 Program development management

Over the security aspects and secure development, read here the 10 basic rules for secure development in SAP, also the minimization of personal data is important.

 

In other words, reports should expose only personal data closely related to the use of the feature.

 

All the personal data possibly present but not strictly necessary should be removed.

 

This principle is called Data Minimization.

 

4 Access profiling

It is certainly a key aspect of ensuring that only people formally authorized to access certain data (in this case personal data) are allowed to do so.

 

In this case, even reading alone can be critical.

 

  • How is it controlled that people who are not authorized to access personal data cannot actually access it?
  • In the personal data processing log, have the relevant tables and fields in SAP for handling personal data also been indicated at the technical level? This might help to understand who saw what, perhaps through the SAP UI Logging tool (see next point)
  • Are there still some SAP_ALL lying around the system?

 

5 Controlling who sees what (Data Masking e Data Logging) and how to do it

Through a tool called SAP Field Masking it's possible to use two functionalities:

  • SAP UI Masking
  • SAP UI Logging

 

The first lets you mask or hide with * (asterisks) a certain field and the second lets you trace who has seen a certain information by indicating the transactions and the fields 

 

6 How are the test environments managed?

Usually in SAP landscapes there are at least three environments, which are divided in development, test and production environments.

 

More or less frequently the production system is copied in the test or pre-production system.

 

In these last two systems the profiling can be less stringent than in the production system, making the segregation in the production system useless if a user has more permissions in the test environment rather than in the production environment.

 

This is why it's necessary to evaluate if it's necessary to create a logic of data copying which takes into consideration:

  • Selectively copying data (maybe only the last year or only the data of a certain company)
  • Perform data scrambling activities. That is, during copying, go in and manually modify the data by making sure that the original data is no longer present. Ensuring, if possible, the consistency of the data itself. An example?

 

In the production system my user is called "Massimo Manara" in the test system, but once copied I will be called Renato Rossi. Beware, not by chance, I will always be male, this is to ensure for example the consistency of the data and population (in case we are talking about people).

Iscriviti al blog se ancora non lo hai fatto!

Topics: SAP audit, sap dati personali, DPO

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all

SAP Security Blog AGLEA RSS Feed

Aglea s.r.l. - Subject to the management and coordination of Horsa S.p.A. - P. IVA: IT 03868780960 - 2024 | Privacy Policy - Cookie Policy