How is your organization tackling ever increasing cybersecurity threats? Do you have the proper structure and methods in place to effectively mitigate this constantly evolving risk? Get a sneak preview on how SAP is helping companies embrace the age of digital transformation while rethinking their security strategy, especially as it relates to protecting business applications and improving overarching risk and governance programs.

1. June 15, 2016
#askSAP GRC Innovations
Community Call:
Cybersecurity Risk and
Governance

2. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 2Customer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the
permission of SAP. This presentation is not subject to your license agreement or any other service or subscription
agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related
presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation
and SAP's strategy and possible future developments, products and or platforms directions and functionality are all
subject to change and may be changed by SAP at any time for any reason without notice. The information in this
document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document
is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes
and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document,
except if such damages were caused by SAP´s willful misconduct or gross negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements,
which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Legal disclaimer

3. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 3Customer
SAP GRC Innovations
Community Call Series
3
• Webcast series for the GRC
community hosted by SAP Analytics
(View replays:
http://bit.ly/askSAP_Playlist)
• An opportunity for you to direct the
discussion, get your questions
answered, and end the session with
some useful advice
• Live and interactive 90 minutes
• Connect on topics before, during, and
after the call via twitter using #askSAP

4. Speakers
Michael Golz
CIO
Americas, SAP
@MikeGolz
Kevin McCollom
Group Vice President
SAP Solutions for Governance,
Risk and Compliance
@SAPTradeGeek
Erin Hughes
Head of Marketing
Greenlight Technologies
@greenlight_corp

5. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 5Customer
Agenda
 Welcome
 Gain an understanding of the state of cybersecurity threats and evolving security perspectives
 Get a preview of SAP’s security strategy
 Poll Question
 Q&A
 Get a closer look at SAP’s perspective on cyber risk and governance and business application security
 Solutions Overview
 Poll Question
 Q&A
 Demo
 Customer case study
 Final Q&A
 Resources and Closing

6. © 2016 SAP SE. All rights reserved.
The state of
cybersecurity

7. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 7Customer
Defining security risk
$2.8 trillion GDP
increase fromonline
dataflows
Dramatic Increase in Value of
Data
521.000 PB
of datastorage capacity
to be shippedby 2020
Exponential Volume of Data
21 billion
new devices
connectedby2020
Increasing Vulnerability of
Endpoints
65 percent
of companies surveyed
experienced more
Advanced Persistent
Threats (APT)/
targetedattacks
Greater Proliferation of
Attackers
Companies can think of the security risks to their business as being a product of 4 key components
related to one of a company’s most important assets - its data

8. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 8Customer
Growth of data breaches
World’s biggest databreaches
2004 2016
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

9. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 9Customer
Customer Experience
Omni-Channels
Workforce
Engagement
Big Data &
Internet of
Things
Supplier Collaboration
Business Networks
The age of digital business
DIGITAL CORE
Cybersecurity is a critical element in the Digital
Transformation journey
1. Customers and employees are hyper-connected,
always on, with seamless accessanywhereand
anytime
2. Cloud and hybrid cloud environments have
become the norm challenging traditional “protect
the 4 walls” security approaches
3. Digitally connected supply chains are based on
high trust and availability of all parties
4. The Internet of Things and Big Data bring
unprecedented data streams and volumes
5. Confidentiality, integrity andavailabilityof data
and systems is the basis for secure operations
and trusted relationships
Transactions and data must be securedthroughout the
entire end-2-endbusiness process
SAP®S/4HANA

10. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 10Customer
Cybersecurity is a top-of-mind boardroom discussion
Are external as well as internal threats
being addressed?
Are gaps identified
and addressed?
Do we have sufficient visibility
into the real threat?
How would a breach impact the
ability of the business to perform?
Do we have the right risk-based approach to
management and oversight?

11. © 2016 SAP SE. All rights reserved.
Evolving security
perspectives

12. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 12Customer
Evolving security perspectives
Historical IT
security perspectives
Today’s leading
cybersecurity insights
Scope of the Challenge
Limited to your “four walls”and extended to the
enterprise
Spans your interconnected globaland business
ecosystem
Ownership and Accountability IT ledand operated
Business-aligned and owned; CEO and board
accountable
Adversaries’
Characteristics
One-offand opportunistic; motivated by notoriety,
technical challenge and individual gain
Organized, funded and targeted; motivated by
economic, monetary and political gain
Information Asset Protection One-size-fits-allapproach Prioritize and protect the “crown jewels”
Defense Posture Protectthe perimeter; respond if attacked
Protectthe application and data
Plan for a breach, monitor and rapidly respond
Security Intelligence and
Information Sharing
Keep to yourself
Public/private partnerships; collaboration with industry
workinggroups

13. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 13Customer
Shifts in approach to security and spending
*IDC Future of Security Survey – Preliminary Results, sponsored by SAP, May 2016

14. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 14Customer
Next-generation Security
360-degree
correlation analytics
across network,
endpoints,
applications, and
data
Real-time incident
response and
forensics to accelerate
detection limiting
threat impact
CYBERSECURITY INNOVATIONS
Next-generation
context and
application-aware
firewalls to enhance
both protection and
performance
Deep learning
powered
cybersecurity
analytics able to
respond to threats in
an adaptive manner

15. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 15Customer
Next-generation Security

16. © 2016 SAP SE. All rights reserved.
SAP security
strategy

17. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 17Customer
SAP security vision
Defendable Application
• Identify and prevent attacks from within the application
Zero Knowledge
• Ability to store data in the cloud and protect it from outside control
Zero Vulnerability
• Minimize vulnerability to ensure maximum protection
Security by Default
• Building security into product right from the start
Transparency
• Full and pro-active transparency for the customer
SAP is in the
business of securing
our customer’s
business”
Justin Somaini - Chief
Security Officer (CSO)

18. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 18Customer
SAP security strategy
Secure Products and Services
• Driving security into the core of the application and services to provide depth
of visibility and control
Security Ecosystem Integration
• Enabling our customers’ to integrate SAP into their Security Ecosystem
SAP’s Security DNA
• Leveraging SAP’s long standing expertise in Analytics and Business Process
Management to help solve customers’ security challenges
SAP is in the
business of securing
our customer’s
business”
Justin Somaini - Chief
Security Officer (CSO)

19. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 19Customer
SAP secure software development lifecycle
At thecoreof SAP’sdevelopment processes is a comprehensivesecuritystrategybasedon
threepillars:Prevent > Detect > React
The secure software development lifecycle (secure SDL):
 Is a risk-based approach, which uses threat modeling
 ISO 27034 Compliance, ISO 9001 Certifications
More information: http://go.sap.com/solution/platform-technology/security.html

20. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 20Customer
Security is a shared responsibility
 Monitor configuration changes
 Check custom code
 Consistently apply patches and updates
 Review RFC connections and interfaces
 Monitor logs for anomalies and attacks
 Review critical access and relevant
transactions
 Govern access and manage identities
 Protect data inside / outside the application
 Ensure appropriate policies and training
Lifecycleof theapplication
Applica-
tion
1
Installation,
configuration,
customization
3
Patches and
updates
2
System access,
remote and mobile
4
Upgrades and
interfaces

21. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 21Customer
POLL QUESTION #1
QUESTION #1
How has the Security topic currently viewed within your organization?
a) Top of mind – sense of urgency
b) One of many strategic risks to manage
c) Some focus but not considered strategic

22. © 2016 SAP SE. All rights reserved.
Q&A

23. © 2016 SAP SE. All rights reserved.
Cyber risk and
governance; business
application security

24. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 24Customer
Business application security
© 2016 SAP SE or an SAP affiliate company. All rights reserved. 24Customer
Consider what SAP can do to help you
strengthen your:
Help protect trade secrets, intellectual property, financials, and personal data
Cyber risk and governance

25. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 25Customer
Cyber risk and governance
What should we
be doing?
What are the gaps
comparedto what we’re
doing today?
Are our cybersecurity
practices effective?
How do we communicate
our vision and status with
stakeholders?
How do we benchmark
against best practices,
frameworks, and
regulations?
Are our security
processes centralized
and simplified?
What emerging threats
are we not considering
today?
Where should we be
investing further in
security?
Are we able to detect
breaches in a timely
manner?
Are our security
policies effective?
Is access secured?
Is our custom code
secure?
Where are our critical
business processes
exposed?
How protected are our
high-value assets?
Are we meeting our
KPIs?

26. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 26Customer
Business application security
How do we efficiently
support user on boarding
and off boarding?
Do we enable our end
users for self service?
How do we manage
the identities for our
customers and partners?
How do we engage in new
business models, yet
protect our IP?
How do we prevent loss
and leakage of our critical
data?
Can we enforce our
data and file sharing
policies?
How do we ensure that
users have the
appropriate system
assignments?
How do we apply
business rules and
processes?
How do we have the
appropriate auditing and
reporting for our business
applications?
Can we detect anomalies
and possible security
issues?
Can the security team
respond quickly to stop the
attack?
Are we managing users
across our processes?
How do we share
informationand data
securely?
Are the right users
involvedin critical
business processes?
Can we detect security
and anomalies in our
system?

27. © 2016 SAP SE. All rights reserved.
Solutions overview

28. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 28Customer
Solutions for GRC and security from SAP
Cybersecurity
risk and
governance
Identify and manage risks, regulations and
polices to minimize potential business impact
Cyber risk and governance
SAP Regulation Management by
Greenlight,cybergovernanceedition
SAP Audit Management
SAP Process ControlSAP RiskManagement
 Manage cyber-related regulatory
requirements and align with
internal controls
 Document and monitor security
risks as part of the enterprise risk
management program
 Continuously monitor critical
security configuration
 Establish security policies
 Test adherence and understanding
 Document and test response and
recovery plan
 Audit the security program to
provide independent assurance

29. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 29Customer
Solutions for GRC and security from SAP
Business application security
Protect data, manage access, and
detect threats
SAP Dynamic Authorization
Management by NextLabs
SAP EnterpriseThreat Detection
SAP Access Control
SAP SingleSign-On SAP IdentityManagement
 Monitor business applications
for anomalies and attacks
 Integrate with existing security
infrastructure
 Protect data with fine-grained
access and data protection
 Analyze access risk, define
roles, support emergency
access
 Manage identities and
administer users, employees,
and customers across business
applications
Cybersecurity
risk and
governance

30. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 30Customer
Solutions for GRC and security from SAP
 SAP secure functionality
 Security patches and updates
 Focused on custom code
 Find and fix unknown vulnerabilities
 Security services by SAP
Analyze Custom Code
Manage Software Updates
SAP Services
Leverage Standard Functionality
SAP Fortify by HPE
SAP NetWeaverApplicationServer, add-onfor code vulnerabilityanalysis
*
*
SAP

31. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 31Customer
Governance, Risk & Compliance portfolio
 SAP Access Control
 SAP Process Control
 SAP Risk Management
 SAP Audit Management
 SAP Fraud Management
 SAP Identity Analytics
 SAP Business Partner screening
 SAP Global Trade Services
 SAP Electronic Invoicing for Brazil
Security and Threat Intelligence
 SAP Identity Management
 SAP Cloud Identity service
 SAP Single Sign-On
 SAP Enterprise Threat Detection
 SAP Code Vulnerability Analysis
 SAP Fortify by HP
GRC Solution Extensions
 SAP Access Violation Management by Greenlight
 SAP Regulation Management by Greenlight (cyber
governance solution)
 SAP Dynamic Authorization Management by NextLabs
 SAP Technical Data Export Compliance application by
NextLabs
Secure Digital Business Transformation

32. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 32Customer
POLL QUESTION #2
QUESTION #2
Which of the following SAP offerings were you most familiar with prior to today’s
conversation?
a) SAP’s solutions related to traditional access management
b) SAP’s solution extensions
c) SAP’s solutions related to Identity Management and Single Sign On
d) SAP standard functionality to support security
e) I wasn’t really familiar with any of these areas

33. © 2016 SAP SE. All rights reserved.
Q&A

34. © 2016 SAP SE. All rights reserved.DEMO
Demo

44. © 2016 SAP SE. All rights reserved.
Case study

45. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 45Customer
Internal Control Design,
Financial or Operational Risk Mapping
Collect Evidence, Assess Financial
Impact of Risk & Non-Compliance
Prioritization, Impact Analysis,
Requirement Interpretation, Cataloguing
Regulatory
Intelligence
(applicable to
Orgs)
Multiple
regulations
Regulatory changes feeds &
Surveillance
New & Changing Regulations
Monitoring and Reporting
Governance
Dashboards
and reports
External Reporting
and “In Control”
Monitor Regulations
• Monitor GMP, Privacy, & Cybersecurity external requirements (300+)
Baseline Regulations
• Life Sciences & Pharma: FDA, ISO/IEC 27000, IEC/TR 62443 and 80001, NERC CIP,
SEC, GSA, DHHS and OIG, USDA, EPA, ICH, Europa, FCC, COSO, FTC, Eudralex,
EFPIA, PhRMA, EMEA, EFSA, ABPI, MHRA, Health Canada, DHAC of Australia, TGA
Catalog Requirements
• CGMP – Current Good Manufacturing Guidelines
• Cybersecurity – Cybersecurity Standards
Define & Reuse Controls mapped to Risks
• CSC4005— Ensure all windows registry entries are consistent across the domain.
Identify and configure key registry entries and monitor for any changes to those registry
entries
• CNC195— Windows server vulnerabilities are checked on a regular basis. Exception
reporting to alert administrators
• PM200— Password policy across Oracle databases is consistent and enforced
Collect & Report
• Regulatory Intelligence on changes to regulatory requirements and surveillance
• Exception reporting on automated controls
Database Windows LDAP
Improving Security Governance with Regulation Management

46. © 2016 SAP SE. All rights reserved.
Final Q&A

47. © 2016 SAP SE. All rights reserved.
Resources

48. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 48Customer
Need more information on SAP HANA security?
Read the SAP HANA security whitepaper! Want to know more? Check out the SAP HANA
security page: http://hana.sap.com/security

49. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 49Customer
Security patches
Keep up to date by installing the latest security patches
and monitoring SAP security notes
Security improvements/corrections ship with SAP HANA revisions
 Current SAP HANA version: SAP HANA SPS11, revisions 11x
 Installed using SAP HANA’s lifecycle management tools
 See also SAP Note 2021789 – SAP HANA revision und maintenance strategy
SAP security notes contain further information
 Affected SAP HANA application areas and specific measures that protect against the exploitation of
potential weaknesses
 Released as part of the monthly SAP Security Patch Day
 See also http://support.sap.com/securitynotes and SAP Security Notes – Frequently asked questions
Operating system patches
 Provided by the respective vendors SuSE/Redhat

50. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 50Customer
Security services by SAP
SAP offers a wide range of security tools and services
to ensure the smooth operation of your SAP solution
by taking action proactively, before security issues
occur
More information:
 SAP Support Portal - EarlyWatch Alert
 SAP Security Optimization Services

51. © 2016 SAP SE or an SAP affiliate company. All rights reserved. 51Customer
Solutions for GRC and security from SAP
• SAP Access Control - Productpage
• SAP Process Control - Product page
• SAP Risk Management - Product Page
• SAP Audit Management - Product page
• SAP Identity Management - Product Page
• SAP Single Sign-On - Product Page
• SAP Enterprise Threat Detection - ProductPage
• SAP Regulation Management by Greenlight, cyber governance edition - Product Page
• SAP Dynamic AuthorizationManagement by NextLabs - Product Page

52. Thank you