Security, Privacy, and Data Protection
Meeting Today’s Data Protection Challenges
Every day, organizations all around the world trust SAP with their data – on their own premises, in the cloud, or on the move using mobile devices. Our customers need to know that we will keep that data safe, process it in a manner that complies with local legislation, and protect it from malicious use.
For this reason, data protection and security is of paramount importance to us. We have implemented safeguards to help enable the privacy rights of everyone whose data is processed by SAP, whether they are our customers, prospects, employees, or partners. In addition, we work towards compliance with all relevant legal requirements for data protection. Our global security officer and data protection and privacy officer report to our Executive Board and regularly monitor the compliance of all activities in these areas.
Facing Increasing Risks in IT Security
Safeguarding data is an increasingly challenging task today. Companies are collecting and storing more data than ever before from more and more sources. No longer is data locked away in an on-premises mainframe requiring only physical security.
Data now proliferates outside the four walls of businesses, with multiple endpoints exposed and vulnerable to attack. Moreover, the sheer number and sophistication of attacks facing businesses are at an all-time high. We are seeing the “commercialization of hacking,” while new advanced persistent threats can bypass many traditional security protection techniques.
Establishing a Comprehensive Security Vision
At SAP, we want our customers and employees to be able to use our software and services anywhere, from any device, at any time, with confidence and trust. However, the growing risk and occurrence of cyberattacks reinforces the need to keep critical information systems secure.
Consequently, for SAP and for our customers, security means more than just meeting compliance demands. To secure the SAP software landscape, we offer a comprehensive portfolio of security products, services, and secure support as well as security consulting. They help our customers build security and privacy protection capabilities into their businesses.
Several of our security measures extend across all sectors of our company and thus to all of our products and services. These measures include, among other things, the regular training of employees on the subject of IT security and data protection, including the handling of confidential information and ensuring controlled and restrictive access to customer information. In addition, we have developed a three-pronged strategy focusing on the security of our products, operations, and organization:
Secure Products Strategy: Champion Product Security
Businesses use SAP applications to process mission-critical transactional data which can be highly attractive to cyber attackers. Our secure products strategy focuses on incorporating security features into our applications to minimize the risk of a security breach.
Our secure software development lifecycle is at the heart of this strategy. This provides a comprehensive methodological approach for incorporating security features into our applications. Before a release decision is made, our software is validated by independent IT security experts. This team then addresses any recommendations made before we release the application.
This approach conforms to the ISO/IEC 27034 standard for application security and is closely embedded into our ISO 9001-certified process framework for developing standard software.
Secure Operations Strategy: Running Secure Operations
Our secure operations strategy focuses on the security principles of “confidentiality, integrity, and availability” to ensure overall protection of our business, as well as our customers’ businesses. Our mission is to provide a comprehensive end-to-end cloud and IT operations security framework – from system and data access and system hardening to security patch management, security monitoring, and end-to-end incident handling. This involves the implementation of key security measures across all layers including physical assets as well as process-integrated controls.
Furthermore, our secure operations approach concentrates on the early identification of any deviations from the standards defined in our security framework. Deviations are identified through a combination of automated and manual reviews. Performed by third parties as well as by SAP colleagues, these reviews verify compliance with international standards and SAP global security standards.
Industry best-practice certifications are key success factors for our secure operations strategy. Many of our cloud solutions undergo Service Organization Control (SOC) audits (ISAE 3402, SSAE 16 SOC I Type II, and SSAE 16 SOC II Type II). The SOC standards are harmonized with a number of ISO certifications, including ISO 9001, ISO 27001, and ISO 22301.
Secure Company Strategy: Taking a Holistic Approach to the Security of Our Business
At SAP, we take a holistic approach to the security of our company, encompassing processes, technology, and employees. At the heart of our secure company strategy is an efficient information security management system and a security governance model that brings together all of the different aspects of security. These include the following three main areas:
- Security culture: Awareness and compliance with our security policy and standards are fostered through regular mandatory training, assessments, and reporting.
- Secure environments: Comprehensive physical security measures are in place to ensure the security of our data centers and development sites so that we can protect buildings and facilities effectively.
- Business continuity: A corporate continuity framework aimed at having robust governance in place at all times is reviewed on an annual basis to adapt to new or changed business needs.
Complying with Data Protection and Privacy Legislation
When processing data about employees, applicants, customers, suppliers, and partners, SAP respects and protects their right to data protection and privacy while implementing appropriate security measures. We develop and support our data protection and privacy strategy in accordance with our business strategy.
We have also implemented a wide range of measures to protect data controlled by SAP and SAP customers from unauthorized access and processing, as well as from accidental loss or destruction. These include, among others, the implementation of our data protection management system in areas critical to data protection. This system is certified on a yearly basis by the British Standards Institute.
In 2016, SAP did not experience any significant incidents regarding breaches of customer privacy or losses of customer data. There were no incidents reported subject to the provisions of the German Federal Data Protection Act.