Contact: m.shea@sap.com
Motivation
Customers have complained that it is difficult to find our recommendations for the secure configuration of our products. In response, SAP Global Security has decided that all cloud-based lines-of-business must provide a list of security recommendations for configuration settings of their products and services. They have enshrined this requirement in the product security standard SEC-377.
For more information about the background of the project, see the Security PMO Security Configurations Guidelines.
Product owners get a separate set of instructions here.
Process
- You are contacted by a product owner for a particular service about the security recommendations.
- Together with the product owner and the security responsible for the service, you generate the list of security recommendations for the service.
- In the Ixiasoft DITA CMS, use the Copy with new LOIO command to create a copy of the object REFCONT: Template Security Recommendations (loiof28d4ae446044a318f1702d69b910190) in the appropriate container:
- In ODS_NEO for CF and Neo core services.
- In BTP_TOP for ABAP, Kyma, and other core services.
- In your own container under CP_TOP.
- In CP_TOP if your container is outside the CP_TOP dependency.
- Follow the instructions in the template. Keep your content profiled with the information_classification internal.
Note: Neo services are placed in a separate buildable map. Refer to the template for more information.
- Review the content with your team.
- Your product owner has your content reviewed by the central security recommendations team.
- When ready, remove the profiling from your content and notify the central security recommendations team.
- The central team publishes the security recommendations with your content.