Establishing Company Security Policy

When establishing your company security policy, you need to decide what information or processes you consider critical and what type of protection this information needs.
Your security policy should encompass at least the following aspects:

** Authentication

It is important to only allow legitimate users access to your system and prevent users from being impersonated.

A basic, necessary security task is to make sure that users and information in a system are authentic. You need to know that the users who operate within your system are known users and that they cannot be impersonated.

** Authorization

It is important that users can only perform tasks for which they are authorized.

A typical company has various roles in its organization, and the personnel who fill these roles perform certain tasks. Data and processes should not be accessible to roles that do not need them.

** Integrity

It is important that data cannot be changed without detection.

You need to protect the information that you process on a daily basis from unauthorized changes, either through error or deliberate acts. If a user processes a transaction (for example, makes a payment on an account), he or she needs to be sure that the information remains consistent throughout processing.

** Privacy

It is important to protect data or communications from unauthorized viewing or eavesdropping.

It has always been necessary to protect sensitive and private information from viewing by unauthorized parties. For example, when you exchange personal information, you mark it as "confidential". Employers are obligated to keep contracts and employee information secret.

** Obligation (non-repudiation)

It is important to be able to ensure liability and legal obligation.

Proof of obligation (non-repudiation) for electronically saved or transmitted data is indispensable in electronic commerce. A message is considered obligatory if you can guarantee who the creator of the message is, as well as the correctness of the message. Only then can electronic commerce establish itself in today's business world.

** Auditing and Logging

It is important to record activities and events for future reference (for example, audits).

It is not only necessary to save certain information for legal purposes; logs and audits can also prove indispensable in monitoring the security of your system and tracking events in case of problems.
