SlideShare une entreprise Scribd logo

Sap Access Risks Procedures

Télécharger en tant que DOC, PDF
Inprise Group
Inprise Group
Technologie
1  sur  16
AUDIT PLAN SAP User Access SAP Security and Access - Risk and Audit Procedures Matrix SECTION A: Security Administration Risk: Failure to implement adequate SAP security administration procedures could result in unauthorized access to sensitive data and programs, affecting the integrity, availability, or confidentiality of the system and its data. Internal Controls Audit Procedures Audit Observations Access to perform security administration functions including the profile generator should be restricted. This is controlled via the following authorization objects: • User master maintenance: User groups; • User master maintenance: Authorization profile; • User master maintenance: Authorizations; • Authorization check for transaction start. I1. Inquire of SAP Security Administration who has access to security administration functions and determine if they are adequately restricted. I2. Use the SAP Audit Information System (AIS) to review access to Basis Client levels. (000, 001). I3. Use the AIS to Identify users with access to other sensitive authorization objects. For proper segregation of duties for security administration of the Profile Generator, SAP recommends that following 3 roles be segregated: 1. User administrator (defines and maintains user master records) 2. Data administrator (creates/changes activity groups and authorizations) 3. Profile administrator (display activity groups and their data). Profile and Data administration should be performed in the development environment. Segregation of the Data and Profile roles provides a strong control over the accuracy and authorization of changes. I4. Inquire/Verify of SAP Security Administration who is performs the roles and determine if roles are adequately segregated. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 1
AUDIT PLAN SAP User Access Security administrators may grant themselves access to inappropriate transactions. They can be restricted from maintaining their own access rights but would still be able to create a new user master record which they could use to access the inappropriate transaction. Security administrator access can only be fully restricted if SAP Is linked to an external security system (SFCUDE or KERBEPOS). I5. Inquire of SAP Security Administration if SAP is linked to an external security system. If security is maintained in a decentralized manner, all users must be assigned to 'User groups' in order to confine decentralized user administrators to their own users. This prevents a user administrator from one group maintaining a user in another group. However, if a user is not assigned to a group, they can be maintained by a user administrator with access to any group. I6. Use the AIS to Identify users who are not assigned to User Groups. Follow up and assess for propriety. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 2
AUDIT PLAN SAP User Access SAP security administration procedures should be documented and include procedures to address the following tasks: • addition, change and deletion of user access privileges; • access to the SAP system which should be authorized and approved in writing by the relevant data or process owners; • removal of access (upon completion of assignment) for temporary staff (e.g. contractors). This can be achieved via the use of validity periods on the user master records; • deletion of users who have never logged in, have not logged in for a certain number of days or who have left the organization. Consideration should be given to locking out users who have not logged on in over 30 days; • automatic notification of security administration staff when staff leave the organization or are transferred to a new position, so that they may remove SAP access as well as access to other systems (e.g. operating system, local area network); I7. Obtain documented security procedures and assess appropriateness and completeness. I8. Use the AIS to identify users who have never logged on. I9. Audit a sample of access forms and profiles against authorization forms. An audit trail of security administration activity should be reviewed on a regular basis in order to detect any unusual activity. I10. Inquire of SAP Security Administration who reviews audit trail of administration activity. Obtain and review any recent reports. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 3
AUDIT PLAN SAP User Access SECTION B: SAP Security Parameters Risk: Unauthorized access due to inadequate password and control controls and conventions. Internal Controls Audit Procedures Audit Observations User master records should be locked after a certain number of unsuccessful attempts to log-in to the system with an incorrect password (e.g. three attempts). This protects against an unauthorized user continually attempting to guess another user's password. Locked user-ids are automatically unlocked at midnight and a daily review of locked users is therefore recommended. This can be achieved via review of the system log or a scheduled report of the locked users (run immediately prior to the automatic unlocking). J1. Inquire/verify of SAP Security Administration what controls are in place to identify unsuccessful log-ins. Do they use the Audit Security Log that comes standard with SAP? J2. Use AIS to Identify unauthorized access attempts. If the SAP* user master record is deleted, SAP* reverts to its original state with complete access and a default password. A system parameter can be set to prevent users from being able to log on as SAP* with the default password in the event that the SAP* user master record has been deleted. J3. Check system parameters regarding deletion of SAP* J4. Check history of any SAP* deletions. . Users should be forced to change their passwords at regular intervals (e.g. every 30 days). This reduces the likelihood of a third party gaining unauthorized access to the system. J5. Use AIS to review login and password parameters for compliance with corporate guidelines. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 4
AUDIT PLAN SAP User Access The minimum password length should be set to an appropriate value (e.g. six characters) to prevent passwords being guessed. The default system setting is three characters and the maximum length is eight characters. J6. Use AIS to examine password table (USR40) for invalid or inappropriate passwords. SAP should stop the current session after a certain number of unsuccessful attempts to log-in to the system (e.g. three attempts). This may deter an unauthorized user from attempting to guess another users password J7. Examine SAP Security Log for unsuccessful login attempts. Users should be logged off the system after a specified period of inactivity. This may prevent an unauthorized user from gaining access to an idle terminal if the workstation has been left unattended for an extended period of time. Time-out facilities at the local area network level should therefore also be utilized. J8. Use AIS to identify users who have never logged on or have not logged on after long periods of inactivity. It is possible to disable the systems check of a user’s authorization for a transaction code at the commencement of each transaction. This check is turned on by default and should not be deactivated. J9. Inquire/verify of SAP Security Administration whether this check is turned on. If the profile generator is activated it is possible to disable standard authorization checks. If used inappropriately this could create significant access exposures. This functionality should therefore be appropriately secured and changes closely scrutinized J10. Inquire/verify of SAP Security Administration whether standard authorization checks have been disabled. J11. Examine log or history files. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 5
AUDIT PLAN SAP User Access SECTION C: Restricting Access to Data/Programs Risk: Unauthorized access to SAP data and programs could result in unauthorized changes to system data including the processing of fraudulent transactions. Internal Controls Audit Procedures Audit Observations Any custom transactions or programs that are developed should follow a consistent naming standard which complies with SAP conventions. It should be ensured that custom transactions and programs have the necessary access control checks included within them. K1. Inquire/verify of SAP Security Administration whether standard naming conventions are used. K2. Determine whether necessary access controls are in place. SAP supplied user master records are very powerful and are delivered with default passwords. These passwords are well known and should be changed immediately to ensure the system is protected from unauthorized access attempts. These user-ids are the first to be attempted by unauthorized users, such as hackers, trying to break into an SAP system. K3. Inquire/verify of SAP Security Administration whether default passwords have been changed for SAP supplied user master records. K4. Check passwords for SAP* and DDIC. There is a standard SAP program which allows the user to access the operating system command line. This enables the user to perform operating system commands from within SAP using the powerful access rights of the SAP user-id in the operating system. There is also a standard transaction which allows access to perform a pre-defined set of operating system commands as well as creating and executing new commands. Access to these utilities should be restricted from all users in the production environment. Operating system access should be administered via the operating system itself and not from within SAP. K5. Inquire of SAP Security Administration whether access to these utilities is appropriately restricted from users in the production environment. K6. Use the AIS to Identify SAP programs (ABAP) that are not placed in an authorization group. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 6
AUDIT PLAN SAP User Access Adequate security guidelines should be in place to ensure that users and IT staff are prevented from accessing programs and data. This security policy should be enforced by appropriate consistent security settings across all IT environments (database management system, operating system and local area network). K7. Review and assess existing security guidelines re user and IT access to programs and data. There should be clearly defined emergency access procedures for the production SAP system. This should include monitoring of all activity performed while emergency access is granted to ensure that unauthorized or incorrect changes to data or programs are detected. K8. Review and assess emergency access procedures for the production SAP system. Any sensitive transactions that are not used can be locked in the system to prevent intentional or unintentional use. K9. Review and assess existing procedures for locking sensitive transactions. Use AIS to identify locked transactions. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 7
AUDIT PLAN SAP User Access SECTION D: Restricting Access to Powerful System Functions Risk: Failure to adequately restrict profiles and authorizations to the appropriate users will result in unauthorized access to various functions within the system. This could result in unauthorized or even fraudulent transactions being processed and could threaten the integrity of data in the system. Internal Controls Audit Procedures Audit Observations SAP comes with a number of standard profiles and authorizations which can be used by the organization. These standard profiles and authorizations should not be used in production because they provide very generic access and generally do not adequately address segregation of duty issues. These standard profiles and authorizations are also subject to changes in future releases of SAP which may result in changes to user access rights after the software is upgraded. L1.Inquire of SAP Security Administration whether these profiles are used in production. L2.Use AIS to identify users who can execute all SAP transactions. Users should be restricted from executing ABAP programs in the production environment. There are many powerful ABAP programs in the system which perform sensitive functions (e.g. deleting master data) that do not incorporate any security checks. Access to the transactions used to nominate then execute ABAP programs (including report painter) should be restricted. All ABAP reports that need to be executed should be attached to info system report trees. In order to totally secure ABAP programs from unauthorized use, all programs can be assigned to an authorization group and access restricted via authorization group using the authorization object ‘ABAP/4: Program run checks’. L3.Inquire/verify of SAP Security Administration whether ABAP programs can be executed in the production environment, review access to ABAP programs. L4.Inquire/verify of SAP Security Administration whether all reports are attached to report trees. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 8
AUDIT PLAN SAP User Access Access to development functions including the ability to maintain ABAP programs should be totally restricted in the production environment. This is controlled via the authorization object ‘ABAP/4 Development workbench' which (apart from display access) should not be allocated in production L5.Inquire of SAP Security Administration whether these profiles are used in production. L6.Use AIS to identify users who have ability to execute UNIX commands. L7.Use AIS to review authorizations granted to developers. There are various powerful standard profiles in the system which should not be granted to users including: • ‘All authorizations for the R/3 system' (SAP_ALL): this Profile allows the user to perform all functions in the system and is especially powerful. It should not be granted to any users in the production environment • ‘All authorizations for newly created objects' (SAP_NEW): this profile provides general access to any new profiles and authorizations which are included in a new release of SAP. These may provide access to inappropriate functions. This profile should not be allocated to any users in production. L8.Use Audit System Log to identify users with SAP_ALL and SAP_NEW profiles, ensure that they do not have access to the production environment. Debug access should not be provided to any users in the production environment. This could allow a user to bypass the authority checks included in ABAP programs/transactions. L9.Inquire of SAP Security Administration whether debug access is used in production. L10. Examine any history or log files. Access to perform corrections and transports should be restricted in all environments. This access is provided by the authorization object 'Workbench organizer and transport system' which should be granted to authorized users only. L11. Use AIS to identify users with correction and transport capabilities and determine appropriateness. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 9
AUDIT PLAN SAP User Access Access to the 'System Administration Functions' authorization object should be restricted as this provides users with access to powerful systems administration functions including the following: creating new clients: locking/unlocking transactions; controlling others spool (print) requests; and deleting data without archiving. L12. Inquire of SAP Security Administration as to who has this capability and determine appropriateness. L13. Use AIS to review production and acceptance settings to ensure direct changes cannot be made. Access to the batch processing authorization objects should be restricted, as these provide access to background job administration functions. These functions should be restricted to authorized users only. L14. Inquire/verify of SAP Security Administration whether batch processing authorization objects are restricted. Access to maintain ABAP program attributes and copy or delete programs should also be restricted from unauthorized users via the authorization object ABAP/4: Program run checks.' L15. Inquire of SAP Security Administration who has access to maintain ABAP program attributes. L16. Use AIS to review program changes and evaluate whether the changes were authorized. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 10
AUDIT PLAN SAP User Access SECTION E: System ‘Super Users’ Risk: Super users have powerful system access rights and should be adequately protected to ensure that unauthorized access to the system is prevented. If access is gained to super user accounts it could result in unauthorized transactions being processed and the integrity of system data being compromised. Internal Controls Audit Procedures Audit Observations The SAP* user is delivered as the standard super user with the System. It should not be deleted because it will be reinstated by the System with a default password which is widely known and easily guessed. SAP recommends that the SAP* user be copied to another user master record (this will become the super user to provide emergency access privileges), and the profiles allocated to SAP* removed to reduce further the likelihood of unauthorized access. M1. Inquire of SAP Security Administration if SAP* has been deleted from access profiles and whether or not it has been copied to another user. M2. Examine profiles attached to SAP* and assess appropriateness Default passwords for the standard SAP* delivered user master records should be changed to prevent unauthorized access to the system. M3. Inquire of SAP Security Administration if SAP* passwords for user master records have been changed The combination of powerful profiles which are assigned to SAP* should not be assigned to any other single user master record with the exception of the user created to replace the SAP* user master record. M4. Use AIS to check users with profiles similar to SAP* sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 11
AUDIT PLAN SAP User Access Policies and procedures should be developed to ensure access to 'super users' is adequately restricted, Procedures should include the storage of super user account passwords in a secured location (e.g. a safe) and processes to require the changing of the password after each use. The activity of super user accounts should also be monitored to ensure that access is used only for appropriate purposes. M5. Inquire of SAP Security Administration of Policies and Procedures for restricting and monitoring access to super user profiles. M6. Use AIS to review access, use and passwords of restricted profiles. The SAP system is delivered with a standard user master record called 'EARLYWATCH' which is used by SAP to provide an optional online support service. This user is assigned all authorizations for the SAP system which is an inappropriate level of access to the organization’s programs and sensitive data. This user and any other user master record accessed by SAP should be restricted to required functions only. M7. Inquire/verify of SAP Security Administration if ‘EARLYWATCH’ is used. If so ensure access is restricted. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 12
AUDIT PLAN SAP User Access SECTION F: Restricting Access to System Tables Risk: Unauthorized access to the table maintenance function could result in system data and configuration settings being corrupted. Internal Controls Audit Procedures Audit Observations Specific transactions exist which allow direct updating of tables. Access to such transactions must be restricted only to authorized users through the authorization object ‘TabIe maintenance’. N1. Inquire of SAP Security Administration whether access to ‘Table Maintenance’ is restricted. N2. Use AIS to identify users who have table maintenance capabilities. Some tables are client-independent which means that if they are updated in one client this affects all SAP clients in the same environment (system). Access to maintain client-independent tables for non-production clients which reside on the production client machine should be restricted. Access to maintain client-independent tables is provided by the authorization object 'Maintenance of client independent’ tables. N3. Inquire/verify of SAP Security Administration whether access to ‘Maintenance of client independent’ authorization is restricted. All system tables are delivered with a 'table class' assigned. All users with table maintenance responsibilities should be restricted to the appropriate table class, and care should he taken when assigning access to maintain tables in the class 'w/o auth group' (tables that are not assigned a specific class). Access to display tables should also be restricted as many tables contain sensitive information. This access should be restricted by table class. N4. Inquire of SAP Security Administration whether table maintenance access is matched to appropriate table class. N5. Use AIS to identify tables that are not placed in Authorization groups and assess appropriateness. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 13
AUDIT PLAN SAP User Access Access to data dictionary (system tables) transactions should be adequately restricted in all clients in the production system. These transactions include the ability to maintain and display data dictionary tables as well as maintaining technical settings and running utilities for system tables. N6. Inquire/verify of SAP Security Administration whether access to data dictionary transactions is restricted. Changes to sensitive system customizing tables (including CTS tables) should he logged in both the development and production environments and the report 'Analysis of table log database' reviewed on a regular basis to ensure that any unauthorized table changes are detected. N7. Inquire/verify of SAP Security Administration whether logging and report reviewing is done. N8. Use AIS to review changes to Critical System tables. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 14
AUDIT PLAN SAP User Access SECTION G: Segregation of Duties Risk: Certain combinations of roles within a user master record may allow a user to process transactions which, in combination, result in a compromise of segregation of duties. Internal Controls Audit Procedures Audit Observations As part of the security implementation project, the profiles being designed should be assessed to determine whether they provide access to conflicting duties in the system. Care should be taken to ensure that the activity groups/profiles created provide only the level of access which is intended by management. A job roles matrix should be developed as a part of the security implementation strategy to ensure that the roles assigned to each 'job' or ‘position' in the SAP system are clearly defined and justified. O1. Inquire of SAP Security Administration whether segregation of duties issues were addressed. O2. Obtain job roles matrix and review for conflicting duties. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 15
AUDIT PLAN SAP User Access Procedures should be developed for user administration to ensure that segregation of duties issues are considered. These procedures should ensure that: • new users are not granted any combination of profiles/activity groups that would result in them having access to perform functions which are not consistent with their job role or position in the organization (e.g. a materials management specialist) having the ability to post an invoice); • the access rights of existing users are assessed prior to new profiles/activity/ groups being included in their user master records. The allocation of a new profile/activity group could result in the user having inappropriate access to functions which are inconsistent with their job role. It may be necessary to remove existing profiles/activity groups from the user master record. O3. Inquire/verify of SAP Security Administration of Policies and Procedures in place for ensuring that segregation of duties issues are addressed. A periodic review should be performed to evaluate the levels of access that have been granted to system users This may be performed manually or with the aid of third party software tools. The aim of the review should be to identify any potential conflicts in the users' access rights and to ensure that these are corrected O4. Use AIS to review any existing incompatible functions as defined by transaction starts in function table (SUKRI). sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 16

Recommandé

Sap audit programs_and_ic_qs
Sap audit programs_and_ic_qsSap audit programs_and_ic_qs
Sap audit programs_and_ic_qsPhong Ho
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 

Recommandé

Sap audit programs_and_ic_qs
Sap audit programs_and_ic_qsSap audit programs_and_ic_qs
Sap audit programs_and_ic_qsPhong Ho
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
SAP Security important Questions
SAP Security important QuestionsSAP Security important Questions
SAP Security important QuestionsRagu M
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grc081712 isaca-atl-auditing sap-grc
081712 isaca-atl-auditing sap-grchkodali
 
Sap security interview question & answers
Sap security interview question & answersSap security interview question & answers
Sap security interview question & answersNancy Nelida
 
Day5 R3 Basis Security
Day5 R3 Basis SecurityDay5 R3 Basis Security
Day5 R3 Basis SecurityGuang Ying Yuan
 
How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsTL Technologies - Thoughts Become Things
 
What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasksSiva Pradeep Bolisetti
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
Sap Security
Sap SecuritySap Security
Sap Securitytechgurusuresh
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Sap BPC concepts
Sap BPC conceptsSap BPC concepts
Sap BPC conceptsVerity Solutions
 
Technical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part IITechnical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part IIAshish Saxena
 
Authorisations in SAP: best practices
Authorisations in SAP: best practicesAuthorisations in SAP: best practices
Authorisations in SAP: best practicesJonathan Eemans
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRCtechgurusuresh
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Sap solution manager
Sap solution managerSap solution manager
Sap solution managerBala Venkata Raju P
 
Sap s 4 hana client strategy
Sap s 4 hana client strategySap s 4 hana client strategy
Sap s 4 hana client strategyssuser017e8f
 
Chapter 3
Chapter 3Chapter 3
Chapter 3Nur Dalila Zamri
 
Audit programme
Audit programmeAudit programme
Audit programmeKumandan
 

Contenu connexe

Tendances

Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online traininggrconlinetraining
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administrationnanda nanda
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshoplarrymcc
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Technical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part IITechnical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part IIAshish Saxena
 
Authorisations in SAP: best practices
Authorisations in SAP: best practicesAuthorisations in SAP: best practices
Authorisations in SAP: best practicesJonathan Eemans
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRCAnil Kumar
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsRohan Andrews
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access ControlNasir Gondal
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP SecurityNasir Gondal
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...akquinet enterprise solutions GmbH
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 trainingsuresh
 
Sap s 4 hana client strategy
Sap s 4 hana client strategySap s 4 hana client strategy
Sap s 4 hana client strategyssuser017e8f
 

Tendances (20)

How to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systemsHow to perform critical authorizations and so d checks in sap systems
How to perform critical authorizations and so d checks in sap systems
 
What is sap security
What is sap securityWhat is sap security
What is sap security
 
Sap security tasks
Sap security tasksSap security tasks
Sap security tasks
 
Sap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online trainingSap GRC Basic Information | GRC 12 online training
Sap GRC Basic Information | GRC 12 online training
 
Sap security-administration
Sap security-administrationSap security-administration
Sap security-administration
 
Sap Security Workshop
Sap Security WorkshopSap Security Workshop
Sap Security Workshop
 
Sap Security
Sap SecuritySap Security
Sap Security
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
Sap BPC concepts
Sap BPC conceptsSap BPC concepts
Sap BPC concepts
 
Technical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part IITechnical Overview of CDS View - SAP HANA Part II
Technical Overview of CDS View - SAP HANA Part II
 
Authorisations in SAP: best practices
Authorisations in SAP: best practicesAuthorisations in SAP: best practices
Authorisations in SAP: best practices
 
Anil kumar sap security & GRC
Anil kumar sap security & GRCAnil kumar sap security & GRC
Anil kumar sap security & GRC
 
SAP SECURITY GRC
SAP SECURITY GRCSAP SECURITY GRC
SAP SECURITY GRC
 
SAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM WorkflowsSAP GRC AC 10.1 - ARM Workflows
SAP GRC AC 10.1 - ARM Workflows
 
SAP GRC 10 Access Control
SAP GRC 10 Access ControlSAP GRC 10 Access Control
SAP GRC 10 Access Control
 
Introduction to SAP Security
Introduction to SAP SecurityIntroduction to SAP Security
Introduction to SAP Security
 
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
Fiori and S/4 authorizations: What are the biggest challenges, and where do t...
 
Grc 10 training
Grc 10 trainingGrc 10 training
Grc 10 training
 
Sap solution manager
Sap solution managerSap solution manager
Sap solution manager
 
Sap s 4 hana client strategy
Sap s 4 hana client strategySap s 4 hana client strategy
Sap s 4 hana client strategy
 

En vedette

Audit programme
Audit programmeAudit programme
Audit programmeKumandan
 
BMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Software
 
Topic 4 internal control system (ics)
Topic 4 internal control system (ics)Topic 4 internal control system (ics)
Topic 4 internal control system (ics)sakura rena
 
Topic 2 objectives and scope of financial statement audit
Topic 2 objectives and scope of financial statement auditTopic 2 objectives and scope of financial statement audit
Topic 2 objectives and scope of financial statement auditsakura rena
 
Topik 8 Audit Sampling
Topik 8 Audit SamplingTopik 8 Audit Sampling
Topik 8 Audit SamplingDania Johan
 
management letter
management lettermanagement letter
management letter19970116
 
audit sampling notes
audit sampling notesaudit sampling notes
audit sampling notesstudent
 
Audit Programme: Concept, Types, Functions, Advantages & Disadvantages
Audit Programme: Concept, Types, Functions, Advantages & DisadvantagesAudit Programme: Concept, Types, Functions, Advantages & Disadvantages
Audit Programme: Concept, Types, Functions, Advantages & DisadvantagesJagriti Gupta
 
Topic 6 audit documentation
Topic 6 audit documentationTopic 6 audit documentation
Topic 6 audit documentationsakura rena
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraJenard Wachira
 
The 7 Keys to an Effective Audit Programme
The 7 Keys to an Effective Audit ProgrammeThe 7 Keys to an Effective Audit Programme
The 7 Keys to an Effective Audit ProgrammeCraig Thornton
 
External audit plan
External audit planExternal audit plan
External audit planaleja234
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Magnolia Raz
 

En vedette (20)

Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Audit programme
Audit programmeAudit programme
Audit programme
 
BMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's NewBMC Remedy ITSM 8.0 What's New
BMC Remedy ITSM 8.0 What's New
 
Topic 4 internal control system (ics)
Topic 4 internal control system (ics)Topic 4 internal control system (ics)
Topic 4 internal control system (ics)
 
Audit procedures
Audit proceduresAudit procedures
Audit procedures
 
04 Audit documentation
04 Audit documentation 04 Audit documentation
04 Audit documentation
 
Topic 2 objectives and scope of financial statement audit
Topic 2 objectives and scope of financial statement auditTopic 2 objectives and scope of financial statement audit
Topic 2 objectives and scope of financial statement audit
 
Bmc presentation
Bmc presentationBmc presentation
Bmc presentation
 
Topik 8 Audit Sampling
Topik 8 Audit SamplingTopik 8 Audit Sampling
Topik 8 Audit Sampling
 
management letter
management lettermanagement letter
management letter
 
audit sampling notes
audit sampling notesaudit sampling notes
audit sampling notes
 
Audit procedures
Audit proceduresAudit procedures
Audit procedures
 
Audit documentation
Audit documentationAudit documentation
Audit documentation
 
Audit Programme: Concept, Types, Functions, Advantages & Disadvantages
Audit Programme: Concept, Types, Functions, Advantages & DisadvantagesAudit Programme: Concept, Types, Functions, Advantages & Disadvantages
Audit Programme: Concept, Types, Functions, Advantages & Disadvantages
 
Topic 6 audit documentation
Topic 6 audit documentationTopic 6 audit documentation
Topic 6 audit documentation
 
Internal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo WachiraInternal Audit And Internal Control Presentation Leo Wachira
Internal Audit And Internal Control Presentation Leo Wachira
 
The 7 Keys to an Effective Audit Programme
The 7 Keys to an Effective Audit ProgrammeThe 7 Keys to an Effective Audit Programme
The 7 Keys to an Effective Audit Programme
 
Workshop presentation on internal control and internal audit by Jose Viegas R...
Workshop presentation on internal control and internal audit by Jose Viegas R...Workshop presentation on internal control and internal audit by Jose Viegas R...
Workshop presentation on internal control and internal audit by Jose Viegas R...
 
External audit plan
External audit planExternal audit plan
External audit plan
 
Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.Audit planning- Review Questionnaire.
Audit planning- Review Questionnaire.
 

Similaire à Sap Access Risks Procedures

5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business AccountsAnayaGrewal
 
8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategy8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategyManageEngine
 
Dynamics - Administre sus usuarios, roles y perfiles en SAP
Dynamics - Administre sus usuarios, roles y perfiles en SAPDynamics - Administre sus usuarios, roles y perfiles en SAP
Dynamics - Administre sus usuarios, roles y perfiles en SAPTomas Martinez
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]akquinet enterprise solutions GmbH
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5Lisa Niles
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 Englishguest5bd7a1
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
The Dark Side of Powerful Users
The Dark Side of Powerful UsersThe Dark Side of Powerful Users
The Dark Side of Powerful UsersHelpSystems
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control FundamentalsSetiya Nugroho
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseHai Nguyen
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access ManagementLance Peterman
 

Similaire à Sap Access Risks Procedures (20)

5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts5 Reasons to Always Keep an Eye on Privileged Business Accounts
5 Reasons to Always Keep an Eye on Privileged Business Accounts
 
Sap
SapSap
Sap
 
Security
SecuritySecurity
Security
 
8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategy8 must dos for a perfect privileged account management strategy
8 must dos for a perfect privileged account management strategy
 
Dynamics - Administre sus usuarios, roles y perfiles en SAP
Dynamics - Administre sus usuarios, roles y perfiles en SAPDynamics - Administre sus usuarios, roles y perfiles en SAP
Dynamics - Administre sus usuarios, roles y perfiles en SAP
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
 
Sap Security Assessment V3 English
Sap Security Assessment V3 EnglishSap Security Assessment V3 English
Sap Security Assessment V3 English
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
 
Password policy template
Password policy templatePassword policy template
Password policy template
 
CyberArk
CyberArkCyberArk
CyberArk
 
SAP License Audit Tips
SAP License Audit TipsSAP License Audit Tips
SAP License Audit Tips
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
The Dark Side of Powerful Users
The Dark Side of Powerful UsersThe Dark Side of Powerful Users
The Dark Side of Powerful Users
 
Access Control Fundamentals
Access Control FundamentalsAccess Control Fundamentals
Access Control Fundamentals
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access Management
 

Plus de Inprise Group

Red Hat Enterprise Linux 6 Benchmark v1.3.0
Red Hat Enterprise Linux 6 Benchmark v1.3.0Red Hat Enterprise Linux 6 Benchmark v1.3.0
Red Hat Enterprise Linux 6 Benchmark v1.3.0Inprise Group
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12cInprise Group
 
Develop Oracle Virtual Box and deploy to Cloud
Develop Oracle Virtual Box and deploy to CloudDevelop Oracle Virtual Box and deploy to Cloud
Develop Oracle Virtual Box and deploy to CloudInprise Group
 
Oracle OCP Backup Exam
Oracle OCP Backup ExamOracle OCP Backup Exam
Oracle OCP Backup ExamInprise Group
 

Plus de Inprise Group (7)

Red Hat Enterprise Linux 6 Benchmark v1.3.0
Red Hat Enterprise Linux 6 Benchmark v1.3.0Red Hat Enterprise Linux 6 Benchmark v1.3.0
Red Hat Enterprise Linux 6 Benchmark v1.3.0
 
Securing Oracle Database 12c
Securing Oracle Database 12cSecuring Oracle Database 12c
Securing Oracle Database 12c
 
Develop Oracle Virtual Box and deploy to Cloud
Develop Oracle Virtual Box and deploy to CloudDevelop Oracle Virtual Box and deploy to Cloud
Develop Oracle Virtual Box and deploy to Cloud
 
Oracle Data Masking
Oracle Data MaskingOracle Data Masking
Oracle Data Masking
 
Oracle Cloud Backup
Oracle Cloud BackupOracle Cloud Backup
Oracle Cloud Backup
 
Oracle11g Security
Oracle11g SecurityOracle11g Security
Oracle11g Security
 
Oracle OCP Backup Exam
Oracle OCP Backup ExamOracle OCP Backup Exam
Oracle OCP Backup Exam
 

Dernier

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Dernier (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Sap Access Risks Procedures

  • 1. AUDIT PLAN SAP User Access SAP Security and Access - Risk and Audit Procedures Matrix SECTION A: Security Administration Risk: Failure to implement adequate SAP security administration procedures could result in unauthorized access to sensitive data and programs, affecting the integrity, availability, or confidentiality of the system and its data. Internal Controls Audit Procedures Audit Observations Access to perform security administration functions including the profile generator should be restricted. This is controlled via the following authorization objects: • User master maintenance: User groups; • User master maintenance: Authorization profile; • User master maintenance: Authorizations; • Authorization check for transaction start. I1. Inquire of SAP Security Administration who has access to security administration functions and determine if they are adequately restricted. I2. Use the SAP Audit Information System (AIS) to review access to Basis Client levels. (000, 001). I3. Use the AIS to Identify users with access to other sensitive authorization objects. For proper segregation of duties for security administration of the Profile Generator, SAP recommends that following 3 roles be segregated: 1. User administrator (defines and maintains user master records) 2. Data administrator (creates/changes activity groups and authorizations) 3. Profile administrator (display activity groups and their data). Profile and Data administration should be performed in the development environment. Segregation of the Data and Profile roles provides a strong control over the accuracy and authorization of changes. I4. Inquire/Verify of SAP Security Administration who is performs the roles and determine if roles are adequately segregated. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 1
  • 2. AUDIT PLAN SAP User Access Security administrators may grant themselves access to inappropriate transactions. They can be restricted from maintaining their own access rights but would still be able to create a new user master record which they could use to access the inappropriate transaction. Security administrator access can only be fully restricted if SAP Is linked to an external security system (SFCUDE or KERBEPOS). I5. Inquire of SAP Security Administration if SAP is linked to an external security system. If security is maintained in a decentralized manner, all users must be assigned to 'User groups' in order to confine decentralized user administrators to their own users. This prevents a user administrator from one group maintaining a user in another group. However, if a user is not assigned to a group, they can be maintained by a user administrator with access to any group. I6. Use the AIS to Identify users who are not assigned to User Groups. Follow up and assess for propriety. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 2
  • 3. AUDIT PLAN SAP User Access SAP security administration procedures should be documented and include procedures to address the following tasks: • addition, change and deletion of user access privileges; • access to the SAP system which should be authorized and approved in writing by the relevant data or process owners; • removal of access (upon completion of assignment) for temporary staff (e.g. contractors). This can be achieved via the use of validity periods on the user master records; • deletion of users who have never logged in, have not logged in for a certain number of days or who have left the organization. Consideration should be given to locking out users who have not logged on in over 30 days; • automatic notification of security administration staff when staff leave the organization or are transferred to a new position, so that they may remove SAP access as well as access to other systems (e.g. operating system, local area network); I7. Obtain documented security procedures and assess appropriateness and completeness. I8. Use the AIS to identify users who have never logged on. I9. Audit a sample of access forms and profiles against authorization forms. An audit trail of security administration activity should be reviewed on a regular basis in order to detect any unusual activity. I10. Inquire of SAP Security Administration who reviews audit trail of administration activity. Obtain and review any recent reports. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 3
  • 4. AUDIT PLAN SAP User Access SECTION B: SAP Security Parameters Risk: Unauthorized access due to inadequate password and control controls and conventions. Internal Controls Audit Procedures Audit Observations User master records should be locked after a certain number of unsuccessful attempts to log-in to the system with an incorrect password (e.g. three attempts). This protects against an unauthorized user continually attempting to guess another user's password. Locked user-ids are automatically unlocked at midnight and a daily review of locked users is therefore recommended. This can be achieved via review of the system log or a scheduled report of the locked users (run immediately prior to the automatic unlocking). J1. Inquire/verify of SAP Security Administration what controls are in place to identify unsuccessful log-ins. Do they use the Audit Security Log that comes standard with SAP? J2. Use AIS to Identify unauthorized access attempts. If the SAP* user master record is deleted, SAP* reverts to its original state with complete access and a default password. A system parameter can be set to prevent users from being able to log on as SAP* with the default password in the event that the SAP* user master record has been deleted. J3. Check system parameters regarding deletion of SAP* J4. Check history of any SAP* deletions. . Users should be forced to change their passwords at regular intervals (e.g. every 30 days). This reduces the likelihood of a third party gaining unauthorized access to the system. J5. Use AIS to review login and password parameters for compliance with corporate guidelines. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 4
  • 5. AUDIT PLAN SAP User Access The minimum password length should be set to an appropriate value (e.g. six characters) to prevent passwords being guessed. The default system setting is three characters and the maximum length is eight characters. J6. Use AIS to examine password table (USR40) for invalid or inappropriate passwords. SAP should stop the current session after a certain number of unsuccessful attempts to log-in to the system (e.g. three attempts). This may deter an unauthorized user from attempting to guess another users password J7. Examine SAP Security Log for unsuccessful login attempts. Users should be logged off the system after a specified period of inactivity. This may prevent an unauthorized user from gaining access to an idle terminal if the workstation has been left unattended for an extended period of time. Time-out facilities at the local area network level should therefore also be utilized. J8. Use AIS to identify users who have never logged on or have not logged on after long periods of inactivity. It is possible to disable the systems check of a user’s authorization for a transaction code at the commencement of each transaction. This check is turned on by default and should not be deactivated. J9. Inquire/verify of SAP Security Administration whether this check is turned on. If the profile generator is activated it is possible to disable standard authorization checks. If used inappropriately this could create significant access exposures. This functionality should therefore be appropriately secured and changes closely scrutinized J10. Inquire/verify of SAP Security Administration whether standard authorization checks have been disabled. J11. Examine log or history files. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 5
  • 6. AUDIT PLAN SAP User Access SECTION C: Restricting Access to Data/Programs Risk: Unauthorized access to SAP data and programs could result in unauthorized changes to system data including the processing of fraudulent transactions. Internal Controls Audit Procedures Audit Observations Any custom transactions or programs that are developed should follow a consistent naming standard which complies with SAP conventions. It should be ensured that custom transactions and programs have the necessary access control checks included within them. K1. Inquire/verify of SAP Security Administration whether standard naming conventions are used. K2. Determine whether necessary access controls are in place. SAP supplied user master records are very powerful and are delivered with default passwords. These passwords are well known and should be changed immediately to ensure the system is protected from unauthorized access attempts. These user-ids are the first to be attempted by unauthorized users, such as hackers, trying to break into an SAP system. K3. Inquire/verify of SAP Security Administration whether default passwords have been changed for SAP supplied user master records. K4. Check passwords for SAP* and DDIC. There is a standard SAP program which allows the user to access the operating system command line. This enables the user to perform operating system commands from within SAP using the powerful access rights of the SAP user-id in the operating system. There is also a standard transaction which allows access to perform a pre-defined set of operating system commands as well as creating and executing new commands. Access to these utilities should be restricted from all users in the production environment. Operating system access should be administered via the operating system itself and not from within SAP. K5. Inquire of SAP Security Administration whether access to these utilities is appropriately restricted from users in the production environment. K6. Use the AIS to Identify SAP programs (ABAP) that are not placed in an authorization group. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 6
  • 7. AUDIT PLAN SAP User Access Adequate security guidelines should be in place to ensure that users and IT staff are prevented from accessing programs and data. This security policy should be enforced by appropriate consistent security settings across all IT environments (database management system, operating system and local area network). K7. Review and assess existing security guidelines re user and IT access to programs and data. There should be clearly defined emergency access procedures for the production SAP system. This should include monitoring of all activity performed while emergency access is granted to ensure that unauthorized or incorrect changes to data or programs are detected. K8. Review and assess emergency access procedures for the production SAP system. Any sensitive transactions that are not used can be locked in the system to prevent intentional or unintentional use. K9. Review and assess existing procedures for locking sensitive transactions. Use AIS to identify locked transactions. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 7
  • 8. AUDIT PLAN SAP User Access SECTION D: Restricting Access to Powerful System Functions Risk: Failure to adequately restrict profiles and authorizations to the appropriate users will result in unauthorized access to various functions within the system. This could result in unauthorized or even fraudulent transactions being processed and could threaten the integrity of data in the system. Internal Controls Audit Procedures Audit Observations SAP comes with a number of standard profiles and authorizations which can be used by the organization. These standard profiles and authorizations should not be used in production because they provide very generic access and generally do not adequately address segregation of duty issues. These standard profiles and authorizations are also subject to changes in future releases of SAP which may result in changes to user access rights after the software is upgraded. L1.Inquire of SAP Security Administration whether these profiles are used in production. L2.Use AIS to identify users who can execute all SAP transactions. Users should be restricted from executing ABAP programs in the production environment. There are many powerful ABAP programs in the system which perform sensitive functions (e.g. deleting master data) that do not incorporate any security checks. Access to the transactions used to nominate then execute ABAP programs (including report painter) should be restricted. All ABAP reports that need to be executed should be attached to info system report trees. In order to totally secure ABAP programs from unauthorized use, all programs can be assigned to an authorization group and access restricted via authorization group using the authorization object ‘ABAP/4: Program run checks’. L3.Inquire/verify of SAP Security Administration whether ABAP programs can be executed in the production environment, review access to ABAP programs. L4.Inquire/verify of SAP Security Administration whether all reports are attached to report trees. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 8
  • 9. AUDIT PLAN SAP User Access Access to development functions including the ability to maintain ABAP programs should be totally restricted in the production environment. This is controlled via the authorization object ‘ABAP/4 Development workbench' which (apart from display access) should not be allocated in production L5.Inquire of SAP Security Administration whether these profiles are used in production. L6.Use AIS to identify users who have ability to execute UNIX commands. L7.Use AIS to review authorizations granted to developers. There are various powerful standard profiles in the system which should not be granted to users including: • ‘All authorizations for the R/3 system' (SAP_ALL): this Profile allows the user to perform all functions in the system and is especially powerful. It should not be granted to any users in the production environment • ‘All authorizations for newly created objects' (SAP_NEW): this profile provides general access to any new profiles and authorizations which are included in a new release of SAP. These may provide access to inappropriate functions. This profile should not be allocated to any users in production. L8.Use Audit System Log to identify users with SAP_ALL and SAP_NEW profiles, ensure that they do not have access to the production environment. Debug access should not be provided to any users in the production environment. This could allow a user to bypass the authority checks included in ABAP programs/transactions. L9.Inquire of SAP Security Administration whether debug access is used in production. L10. Examine any history or log files. Access to perform corrections and transports should be restricted in all environments. This access is provided by the authorization object 'Workbench organizer and transport system' which should be granted to authorized users only. L11. Use AIS to identify users with correction and transport capabilities and determine appropriateness. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 9
  • 10. AUDIT PLAN SAP User Access Access to the 'System Administration Functions' authorization object should be restricted as this provides users with access to powerful systems administration functions including the following: creating new clients: locking/unlocking transactions; controlling others spool (print) requests; and deleting data without archiving. L12. Inquire of SAP Security Administration as to who has this capability and determine appropriateness. L13. Use AIS to review production and acceptance settings to ensure direct changes cannot be made. Access to the batch processing authorization objects should be restricted, as these provide access to background job administration functions. These functions should be restricted to authorized users only. L14. Inquire/verify of SAP Security Administration whether batch processing authorization objects are restricted. Access to maintain ABAP program attributes and copy or delete programs should also be restricted from unauthorized users via the authorization object ABAP/4: Program run checks.' L15. Inquire of SAP Security Administration who has access to maintain ABAP program attributes. L16. Use AIS to review program changes and evaluate whether the changes were authorized. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 10
  • 11. AUDIT PLAN SAP User Access SECTION E: System ‘Super Users’ Risk: Super users have powerful system access rights and should be adequately protected to ensure that unauthorized access to the system is prevented. If access is gained to super user accounts it could result in unauthorized transactions being processed and the integrity of system data being compromised. Internal Controls Audit Procedures Audit Observations The SAP* user is delivered as the standard super user with the System. It should not be deleted because it will be reinstated by the System with a default password which is widely known and easily guessed. SAP recommends that the SAP* user be copied to another user master record (this will become the super user to provide emergency access privileges), and the profiles allocated to SAP* removed to reduce further the likelihood of unauthorized access. M1. Inquire of SAP Security Administration if SAP* has been deleted from access profiles and whether or not it has been copied to another user. M2. Examine profiles attached to SAP* and assess appropriateness Default passwords for the standard SAP* delivered user master records should be changed to prevent unauthorized access to the system. M3. Inquire of SAP Security Administration if SAP* passwords for user master records have been changed The combination of powerful profiles which are assigned to SAP* should not be assigned to any other single user master record with the exception of the user created to replace the SAP* user master record. M4. Use AIS to check users with profiles similar to SAP* sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 11
  • 12. AUDIT PLAN SAP User Access Policies and procedures should be developed to ensure access to 'super users' is adequately restricted, Procedures should include the storage of super user account passwords in a secured location (e.g. a safe) and processes to require the changing of the password after each use. The activity of super user accounts should also be monitored to ensure that access is used only for appropriate purposes. M5. Inquire of SAP Security Administration of Policies and Procedures for restricting and monitoring access to super user profiles. M6. Use AIS to review access, use and passwords of restricted profiles. The SAP system is delivered with a standard user master record called 'EARLYWATCH' which is used by SAP to provide an optional online support service. This user is assigned all authorizations for the SAP system which is an inappropriate level of access to the organization’s programs and sensitive data. This user and any other user master record accessed by SAP should be restricted to required functions only. M7. Inquire/verify of SAP Security Administration if ‘EARLYWATCH’ is used. If so ensure access is restricted. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 12
  • 13. AUDIT PLAN SAP User Access SECTION F: Restricting Access to System Tables Risk: Unauthorized access to the table maintenance function could result in system data and configuration settings being corrupted. Internal Controls Audit Procedures Audit Observations Specific transactions exist which allow direct updating of tables. Access to such transactions must be restricted only to authorized users through the authorization object ‘TabIe maintenance’. N1. Inquire of SAP Security Administration whether access to ‘Table Maintenance’ is restricted. N2. Use AIS to identify users who have table maintenance capabilities. Some tables are client-independent which means that if they are updated in one client this affects all SAP clients in the same environment (system). Access to maintain client-independent tables for non-production clients which reside on the production client machine should be restricted. Access to maintain client-independent tables is provided by the authorization object 'Maintenance of client independent’ tables. N3. Inquire/verify of SAP Security Administration whether access to ‘Maintenance of client independent’ authorization is restricted. All system tables are delivered with a 'table class' assigned. All users with table maintenance responsibilities should be restricted to the appropriate table class, and care should he taken when assigning access to maintain tables in the class 'w/o auth group' (tables that are not assigned a specific class). Access to display tables should also be restricted as many tables contain sensitive information. This access should be restricted by table class. N4. Inquire of SAP Security Administration whether table maintenance access is matched to appropriate table class. N5. Use AIS to identify tables that are not placed in Authorization groups and assess appropriateness. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 13
  • 14. AUDIT PLAN SAP User Access Access to data dictionary (system tables) transactions should be adequately restricted in all clients in the production system. These transactions include the ability to maintain and display data dictionary tables as well as maintaining technical settings and running utilities for system tables. N6. Inquire/verify of SAP Security Administration whether access to data dictionary transactions is restricted. Changes to sensitive system customizing tables (including CTS tables) should he logged in both the development and production environments and the report 'Analysis of table log database' reviewed on a regular basis to ensure that any unauthorized table changes are detected. N7. Inquire/verify of SAP Security Administration whether logging and report reviewing is done. N8. Use AIS to review changes to Critical System tables. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 14
  • 15. AUDIT PLAN SAP User Access SECTION G: Segregation of Duties Risk: Certain combinations of roles within a user master record may allow a user to process transactions which, in combination, result in a compromise of segregation of duties. Internal Controls Audit Procedures Audit Observations As part of the security implementation project, the profiles being designed should be assessed to determine whether they provide access to conflicting duties in the system. Care should be taken to ensure that the activity groups/profiles created provide only the level of access which is intended by management. A job roles matrix should be developed as a part of the security implementation strategy to ensure that the roles assigned to each 'job' or ‘position' in the SAP system are clearly defined and justified. O1. Inquire of SAP Security Administration whether segregation of duties issues were addressed. O2. Obtain job roles matrix and review for conflicting duties. sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 15
  • 16. AUDIT PLAN SAP User Access Procedures should be developed for user administration to ensure that segregation of duties issues are considered. These procedures should ensure that: • new users are not granted any combination of profiles/activity groups that would result in them having access to perform functions which are not consistent with their job role or position in the organization (e.g. a materials management specialist) having the ability to post an invoice); • the access rights of existing users are assessed prior to new profiles/activity/ groups being included in their user master records. The allocation of a new profile/activity group could result in the user having inappropriate access to functions which are inconsistent with their job role. It may be necessary to remove existing profiles/activity groups from the user master record. O3. Inquire/verify of SAP Security Administration of Policies and Procedures in place for ensuring that segregation of duties issues are addressed. A periodic review should be performed to evaluate the levels of access that have been granted to system users This may be performed manually or with the aid of third party software tools. The aim of the review should be to identify any potential conflicts in the users' access rights and to ensure that these are corrected O4. Use AIS to review any existing incompatible functions as defined by transaction starts in function table (SUKRI). sapaccessrisksprocedures-124077577723-phpapp01.doc 01/30/15 16