As a first source please have a look at the SAP Security Guide:
Please note that SAP Security is very complex topic. But for a first overview presentation this source would be helpful.
Furthermore your SAP security strategy has to be embedded in an overall security strategy depending on your (legal) requirements, e.g. SOX, data protection, and so on …