Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
10 August 2020

Ten things CISOs must know about SAP Cyber security

As the IT landscape gets more complex, the difficult job of a Chief Information Security Officer (CISO) is getting even more difficult. One of the challenges facing any CISO is to keep track of various technologies used by their organisation. CISOs for organisations using SAP face another big challenge – managing SAP security.

Traditionally, most CISOs relied on the SAP BASIS team to manage SAP security – using SAP GRC Access Control (or similar tools) to manage SAP Segregation of Duties (‘SoD’) and access issues within the SAP system. Occasional audits of SAP system covered the IT general controls sufficient to satisfy the financial auditors.


However, rapidly changing threat perception and SAP technology landscape is challenging this traditional model of managing SAP security. With our experience of working with multiple large and medium size organisations across industries, we have identified these ten things that will help a CISO navigate the increasingly complex SAP security challenges:

  1. First and foremost, SAP security is the responsibility of CISO and not just the SAP team!
  2. SAP security is more than SoD and authorisations – attackers can bypass the SoD and authorisations controls to gain privileged access to SAP.
  3. SAP is not secure by default (which application is?) – it needs to be hardened before being deployed. But unfortunately, there are no industry security benchmarks for SAP systems (e.g., NetWeaver ABAP, NetWeaver Java, SAP HANA, etc).
  4. SAP has many security vulnerabilities and new vulnerabilities are regularly identified – SAP security needs to be tested regularly to keep the set up secure.
  5. SAP can be hacked – SAP application testing and Vulnerability Assessment and Penetration Testing (‘VAPT’) should be regularly performed by competent testers.
  6. Security patching is important – annual system upgrades are not sufficient. SAP releases hundreds of monthly security patches and many of these patches are not included in the service pack upgrades.
  7. SAP network and communication security is complex and needs special attention to ensure sufficient security. Securing RFC connections, enforcing encryption, and managing 3rd party connections to SAP is not easy considering the enterprise-wide business impact of any disruption.
  8. Monitoring is important – integrate SAP security monitoring with the corporate SIEM solution.
  9. SAP BASIS is not same as SAP security and IT security teams are not always proficient with SAP cyber security. There is often a SAP security skills gap.
  10. Remember, SAP is your crown jewel – it needs the same, if not more, attention than other cyber security precautions.

A CISO of an organisation using SAP has the responsibility to protect its most important system – SAP ERP. An SAP security threat mapping is a good starting point to understand the specific challenges in the organisations.

Once the security risks and vulnerabilities are identified, come up with a roadmap to address these. Identify the ones with high impact but easy solutions – and go after them first. Have a time-bound and phased approach for the remaining. It is best to take some of the more complex areas as mini projects!