
SAP NS2 Secure Cloud: SAP SuccessFactors Suite Security Services · 2019-08-15


www.sapns2.com/cloud 1

Security available in the SAP NS2 SuccessFactors SaaS Deployments

SAP NS2 SECURE CLOUD: SAP SuccessFactors Suite Security Services

1. Compliance and Authorizations

SAP NS2 has established a partnership with AWS to bring together the expertise needed for the delivery of a FedRAMP compliant software-as-a-service (SaaS) environment.

The function of the SAP NS2 Secure Cloud with SuccessFactors Suite is exclusively delivered as a SaaS offering, which conforms to the stringent guidelines and requirements under the FedRAMP and DoD FedRAMP+ programs.

The system is compliant with the NIST 800-53 rev 4 security control requirements for a moderate level system; FedRAMP security controls for a moderate level system; DoD SRG requirements for an impact level 4 system; and the privacy controls for PII data.

THE FOLLOWING IS A SUMMARY OF THE MINIMUM SECURITY CONTROL FAMILIES:

• Access control (AC)
• Awareness and training (AT)
• Audit and accountability (AU)
• Security assessment and authorization (CA)
• Configuration management (CM)
• Contingency planning (CP)
• Identification and authorization (IA)
• Incident response (IR)
• Maintenance (MA)
• Media protection (MP)
• Physical and environmental protection (PE)
• Planning (PL)
• Personnel security (PS)
• Risk assessment (RA)
• System and services acquisition (SA)
• System and communications protection (SC)
• System and information integrity (SI)
• Privacy

2. Facilities: Physical Security Methods and Controls

Physical access to the data center is governed by the terms of access allowed by the underlying infrastructure provider as defined in the FedRAMP authorization package.

AWS GovCloud is the SAP NS2 FedRAMP-approved Infrastructure as a Service (IAAS) provider.


SAP NS2 Cloud: SAP SuccessFactors Suite Security

3. Secure Cloud SaaS Security

HCM software-as-a-service (SaaS) is designed, built, and operated to provide high levels of SaaS security.

SECURITY SERVICES THAT ARE STANDARD COMPONENTS FOR HCM'S ENVIRONMENT ARE THE FOLLOWING:

• Managed two-factor authentication ("MFA") is in use for application systems.
• Secure operating system (OS) builds are hardened based on DoD Secure Technology Implementation Guide (STIG) guidelines and industry best practices.
• Patching of host servers, network devices, security devices, servers, and related services in all environments is performed on a specified routine (bi-monthly), or when there is a CERT or other authorized source of patches that requires immediate attention.
• Managed IDS signatures are routinely updated and the logs are monitored.
• Anti-virus is implemented and managed on all management servers.
• All servers, network devices, and security devices log to a centralized log server system.
• Governance, risk, and compliance: a complete toolset is used to monitor compliance and provide continuous monitoring against all of our supported compliance frameworks.

4. Secure Cloud Continuous Monitoring

Information security is a dynamic process that must be effectively and proactively managed for an organization to identify and respond to new vulnerabilities, evolving threats, and an organization's constantly changing enterprise architectural and operational environment.

To maintain an authorization that meets the FedRAMP requirements, our Cybersecurity team must monitor the security controls, assess them on a regular basis, and demonstrate that the security posture of the service offering is continuously acceptable.

The SAP NS2 Cybersecurity team collects and analyzes data regularly and as often as needed to manage risk. This process involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing, and operating individual systems in support of our core mission and business processes.

All of our tools, processes, and personnel are designed to support the FedRAMP-required Continuous Monitoring Requirements.

Continuous monitoring will entail different types of activities based on the nature of the object being monitored.


THE TYPES OF MONITORING ACTIVITIES ARE AS FOLLOWS:

• Review documentation (policies, procedures, plans, etc.)
• Review / maintain user accounts
• Review software settings
• Review logs, alerts, records
• Remediate vulnerabilities and bugs
• Track vulnerabilities and remediation via POAMs
• Test written plans (create a test plan and execute the test)
• Review baseline images
• Perform business impact analysis and risk assessment(s)
• Assess security controls
• Test reliability of backups
• Train users on good security practices, policies, and protection of data to include PII

5. Security Awareness and Training Programs

SAP NS2 requires mandatory security and compliance training for all employees of the company.

IN ADDITION, ALL EMPLOYEES OF THE COMPANY RECEIVE MANDATORY COMPLIANCE TRAINING ANNUALLY WHICH ADDRESSES TOPICS SUCH AS:

• Sign access agreement / rules of behavior
• Code of business conduct, including conflicts of interest, confidentiality, insider trading, gifts, bribery, and corruption policies
• Foreign travel
• Safeguarding PII, privacy, and data protection
• U.S. export control laws and regulations
• U.S. regulatory compliance, including anti-corruption and economic sanctions regulations
• Technology and electronic control policies
• Compliance and ethics incident reporting policies

In its commitment to cyber security, the SAP NS2 Cloud Executive and System Management have developed a security awareness training program overseen by the SAP NS2 Cloud Information System Security Officer (ISSO). The program is multi-tiered: the first tier is for general users and the second tier is for privileged users and technical staff.

THE SECOND TIER TRAINING FOR PRIVILEGED USERS AND TECHNICAL STAFF COVERS:

• NIST cybersecurity framework and SP 800-53 rev4
• Incident response training

BOTH TIERS COVER THE FOLLOWING AREAS:

• Social engineering techniques
• Phishing emails
• Insider threat
• Mobile device security
• Data privacy and personally identifiable information (PII) data protections
• Precautions when engaging in social networks
• The dangers of public Wi-Fi connections
• Secure cloud policies and procedures
• Contingency planning training
• Role-specific training


6. Privacy Policy

The customer is responsible for providing documented privacy roles, responsibilities, and access requirements to contractors and service providers such as cloud service providers who provide cloud-based information technology services.

7. Documentation

SAP NS2 maintains all documentation for security and compliance requirements within its document management systems. Where appropriate, these documents are restricted to specific roles and responsibilities.

Documentation for Assessments: Security documentation is reviewed as a part of the 3PAO assessment. The findings from the assessment of that documentation are generated and can be found in the SAR.

THE FOLLOWING DOCUMENTS ARE INCLUDED AND ARE EXAMPLES OF INTERNAL DOCUMENTATION THAT ARE ASSESSED:

• System security plan (SSP)
• Information security policies
• Plans for configuration management, security awareness and training, contingency planning, and incident response
• System assessment report (SAR)
• Rules of behavior, privacy impact assessment and e-authentication, user guides
• Information security program plan
• Enterprise security architecture
• Standard operating procedures
• Information security procedures

8. Identification, Authentication, and Encryption

SAP NS2 identifies and authenticates users for access to the environment based on their job duty, responsibilities, and additional security requirements. SAP NS2 has implemented a least permissions policy for administrative access into the environment. Only approved individuals will have full privilege access to the environment resources. The remaining staff will have a reduced set of permissions for the daily administrative abilities. For any user to access the environment, SAP NS2 has implemented multifactor authentication through the use of PIV-II cards. In addition, the environment will authenticate customer users through their preferred connection methods. In accordance with the government standard for cryptography, the technologies within the Secure Cloud are FIPS 140-2 validated.

[email protected]

877-972-7672

www.sapns2.com

© 2018 SAP National Security Services, Inc. (SAP NS2®). All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP NS2. The information contained herein may be changed without prior notice. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.