FOI request detail

Security and Compliance Software

Request ID: FOI-2173-1819
Date published: 11 December 2018

You asked

Can you confirm the SAP ERP version you are currently using?

Who provides your SAP Security, Authorisations and Role Design support?

Can you please confirm if you currently use SAP Access Control?

If you do use Access Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Access Control install?

Can you please confirm if you currently use SAP Process Control?

If you do use Process Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Process Control install?

Can you please confirm if you currently use SAP Risk Management?

If you do use Risk Management, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

Do you have a support contract with an external provider to support SAP Risk Management install?

Can you confirm if you currently have any other SAP GRC software installed?

List of SAP GRC software includes, but not exclusive to:

i. Business Integrity Screening

ii. Single Sign-On

iii. Identity Management

iv. Audit Management

v. UI Masking

vi. UI Logging

vii. Read Access Logging

viii. BusinessObjects Access Control

ix. Versa GRC

If you do not have any SAP GRC installed/utilised, are there any plans to purchase and install the GRC software?

If you have implemented any of the aforementioned software and have a support contract what is the renewal date of that contract?

Where is your SAP infrastructure located and in what format?

When is the contract for third party support of your SAP infrastructure due for renewal?

Where do you advertise any SAP related procurement opportunities?

We answered

Dear

TfL Ref: FOI-2173-1819

Thank you for your email received by Transport for London (TfL) on 19 November 2018.

Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy.  I can confirm we hold some of the information you require. You asked:

Can you confirm the SAP ERP version you are currently using?

ECC 6.05

Who provides your SAP Security, Authorisations and Role Design support?

This is done internally within TfL.

Can you please confirm if you currently use SAP Access Control?

Yes.

If you do use Access Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

10.1

Do you have a support contract with an external provider to support SAP Access Control install?

No, it’s done internally.

Can you please confirm if you currently use SAP Process Control?

Yes.

If you do use Process Control, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

10.1

Do you have a support contract with an external provider to support SAP Process Control install?

No.

Can you please confirm if you currently use SAP Risk Management?

We do not use it at the present time.

If you do use Risk Management, what version is installed (options are v5.3, v10.0, v10.1 or v12.0)?

n/a

Do you have a support contract with an external provider to support SAP Risk Management install?

n/a

Can you confirm if you currently have any other SAP GRC software installed?

Please see below.

List of SAP GRC software includes, but not exclusive to:

i. Business Integrity Screening - No

ii. Single Sign-On - No

iii. Identity Management - No

iv. Audit Management - No

v. UI Masking - No

vi. UI Logging - No

vii. Read Access Logging - No

viii. BusinessObjects Access Control - Yes

ix. Versa GRC - Yes

If you do not have any SAP GRC installed/utilised, are there any plans to purchase and install the GRC software?

N/a

If you have implemented any of the aforementioned software and have a support contract what is the renewal date of that contract?

N/a

Where is your SAP infrastructure located and in what format? 

In accordance with the FOI Act we are not obliged to supply you with the location of our SAP infrastructure as this information is subject to a statutory exemption to the right of access to information under section 24 (National security) and section 31(1) (Prevention and detection of crime).

In this instance the exemptions apply as disclosure of the information you have requested would potentially assist a person with malicious intentions to carry out a cyber or physical attack on our service network which would bring down our services. Release of information under the Freedom of Information Act is a release to the public both at home and abroad. Therefore we must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.

The SAP system is a critical piece of our infrastructure and as such we employ rigorous safeguards to protect it from cyber or physical attack. Like other organisations we are subject to regular attempted cyber attacks. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to National Security that may result from a successful attack.

The use of these exemptions is subject to an assessment of the public interest in relation to the disclosure of the information concerned.  We recognise the need for openness and transparency by public authorities, but in this instance we consider that there is greater public interest in safeguarding our information systems and protecting the integrity of the London transport network from the realistic possibility of attack.

When is the contract for third party support of your SAP infrastructure due for renewal?

The SAP managed service contract expires on 30 June 2021 (it includes an option to extend for 2 years).

Where do you advertise any SAP related procurement opportunities?

We opt to use existing TfL or Public Sector Frameworks in the first instance; in these instances the opportunity will only be competed and therefore advertised to the framework suppliers. Where appropriate frameworks are not available, we will tender in line with EU Procurement Regulations; all OJEU opportunities are advertised via the stipulated methods using Prior Information Notices to the open market. Additionally, suppliers can register on the TfL e-tendering portal to see all open opportunities. Information is freely available on the TfL website via the following link: https://tfl.gov.uk/info-for/suppliers-and-contractors/opportunities

If this is not the information you are looking for, or if you are unable to access it for some reason, please do not hesitate to contact me.

Please see the attached information sheet for details of your right to appeal as well as information on copyright and what to do if you would like to re-use any of the information we have disclosed.

Yours sincerely

Eva Hextall

FOI Case Officer

FOI Case Management Team

General Counsel

Transport for London

  
