How to perform a security review on your sap systems in order to get a thumbs-up audit report

This presentation will explain what the key security elements are regarding User Access and how to manage them. This will allow you to incorporate these elements into your system and prepare for an SAP Audit.

SAPience User Day, March 21, 2013
Notes
  • Sensitive access: business or IT processes that need to be performed & managed by selected people: system loads, privacy, company assets, …
  • A lot has to do with the rule structure
  • An automated solution offers centralized, workflow-driven processes that not only reduce costs associated with managing access risk on a daily basis, but also save time and money through the audit process. The first step in evaluating a company’s readiness for an automated solution is to engage in an honest assessment of whether the current access risk management program meets the company’s standards for risk tolerance. Next, conduct a thorough accounting of the total cost of ownership of the current solution — including all software license costs and resource requirements, taking into consideration the cost of unidentified risk — and compare that TCO against a fully automated replacement. Many companies have found, through very similar analysis, that the value of an automated access risk solution is worth more than the cost. Every company is unique, but several SAP customers have reported dramatic improvements in efficiency and cost reductions since moving from manual processes to SAP BusinessObjects Access Control. Some have enjoyed significant reductions in the time required to provision user access, eliminating a backlog of requests. Others have reported time savings thanks to the elimination of human error in provisioning, reporting, and other activities. For these reasons and more, companies should ask themselves whether their current solution for managing access risk is really the solution they want to use to prevent errors and even fraud moving forward.

    1. SAPience.be User Day ’13, March 21, 2013. How to perform a security review on your SAP systems in order to get a "thumbs-up" audit report. Melissa Dielman
    2. Agenda: • Introduction Expertum • User Access Audit • Level 1: Getting into SAP • Level 2: Getting around within SAP • Level 3: Managing the User Access • Getting support
    3. Introduction Expertum. Facts: • Founded in April 2006 by 2 ex-SAP Belux employees • Team of 50+ SAP Experts and Project Managers • Partnerships: Gold. Mission: • Exceed client expectations by providing top-quality expertise • Provide our people a safe environment for personal and professional growth. Strength: • Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains • First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)
    4. Expertum Competence Areas: Project Management (PM); Finance & Controlling (FI/CO); Supply Chain Management (SCM); Knowledge Management; Business Intelligence (BI: BW + BO); Product & Service Development; Product Lifecycle Management (PLM); Governance, Risk, and Compliance (GRC); Application Lifecycle Management (SolMan + NW). Focus GRC team: • SAP Authorization Health Check • SAP Authorization Concept (re)Design • SOD conflict Remediation • SAP Security Framework design • SAP GRC Toolbox - GRC RDS Certified • SAP IDM • Day to Day support
    5. User Access Audit: • Security Risk • Why auditing user access? • Who's auditing • Internal Threats: The main issues
    6. Security risk: External Threats. Routers, Firewalls, Web servers, Proxy servers, Security incident & Event Monitoring, SAP
    7. Security risk: Internal Threats. SAP
    8. Security risk: Compliancy Needs. Basel II, FDA, EU Privacy Directives, SOX, J-SOX, OECD, Good Governance, … SAP
    9. Why auditing User Access? Segregation of Duties continues to be a top contributor in fraud activities: "A lack of internal controls, such as segregation of duties, was cited as the biggest deficiency" (Control Weaknesses That Contributed to Fraud, Report to the Nations on Occupational Fraud and Abuse, 2010, ACFE). Deloitte, 2010 TMT Global Security Study: "35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits". Top audit findings by sector; top 3 areas of internal/external audit findings: • Excessive access rights • Audit trails and logging issues • Lack of sufficient segregation of duties. As a consequence, "Organizations rate Identity and access management as one of their top 3 security initiatives for 2010"
    10. Who's Auditing. In view of the financial audits companies need to comply with, the platform that contains, handles & reports on financial data is audited as well as the processes. • External/Internal Audit • Security Office • Compliancy Board • Auditing checklists • Automated reviews • Early Watch Reports • Red lights are often recurring issues.
    11. Internal Threats: The main issues. Today's SAP environments often lack appropriate security and control mechanisms, which is demonstrated by the following facts: • Lack of business & IT communication • Fragmented approach to access control • Bad practices in user management • Excessive time & cost of analysis & audit • Inability to prevent access risk
    12. User Access Risk: • Level 1: Getting into SAP • Level 2: Getting around in SAP • Level 3: User Access Management
    13. Level 1: Getting into SAP. Identification: User IDs • unique & identifiable -> accountability. Authentication: Passwords • are you who you claim you are. Tools: • Password parameter settings • Multiple logon parameter settings • Auto log-off • User locks • HR triggers
    14. Level 1: Getting into SAP. Special SAP Users: • SAP* • DDIC • SAPCPIC • Early Watch. Action: • Change generally known password • Do not delete user • Lock • Remove access rights
    15. Level 1: Getting into SAP. Password Settings: • Validity of initial/reset password • Password changes • Complexity • Prohibited patterns
    16. Level 2: Getting around in SAP. WHAT did they do WHERE?
    17. Level 2: Getting around in SAP: • Segregation of Duties • Sensitive Access • Process & Organizational relevance
    18. Level 2: Getting around in SAP. Segregation of Duties: preventing fraud/errors from disrupting process chains and the achievement of company targets, by spreading a task/process over different persons. Rule definition: • Responsive to audit comments • Purchased rulesets • Standard ruleset delivered with compliance software • Company specific rules. ! Restrict to a realistic number
    19. Level 2: Getting around in SAP. Sensitive Access: Business and IT processes that should be restricted to specific users for system protection, data protection, data privacy, … Process & Organizational relevance: Access should be restricted to the processes relevant to the users (RACI)
    20. Level 2: Getting around in SAP. Occurrence of issues at: User, Position, Composite Role, Single Role
    21. Level 2: Getting around in SAP. Role Level: ? Does the description fit the bill? ? Process & organization ? Is the role level granular enough? ! Avoid using wildcards ! Enjoy transactions ! Be critical about default SU24 values ! Avoid manually inserted objects ! Ensure consistency (masters & deriveds)
    22. Level 2: Getting around in SAP. SAP Security Notes: ABAP and Kernel Software Corrections • Transaction ST13, tool RSECNOTE • https://service.sap.com/security indicates which are monitored for EWA • SAP Note 888889
    23. Level 3: User Access Management. Key elements to controlled User Access: PROCESS, ORGANIZATION, DOCUMENTATION, REPORTING
    24. Level 3: User Access Management. User Access Management Processes: • User creation • User lock • User termination • Additional user access request • User access change: revoke old access rights! ! Preventive SOD check ! Business governance ! Documentation
    25. Level 3: User Access Management. Organization: Business ownership over business data! • Who can request • Who approves (1-2-3 levels) • Who reviews. Define & Control, Empower, Inform & Monitor, Document
    26. Level 3: User Access Management: Reporting
    27. Getting Support: AUTOMATION, COST, EXPERTISE, EFFICIENCY, SUSTAINABILITY, INFORMATION
    28. GRC Access Control. Analyze & Manage Risks (AMR): • Accurately identify and analyze access risk violations in real-time • Remediate and mitigate conflicts for users and roles • Continuously monitor access risks and user assignments across the enterprise. Emergency Access Management (EAM): • Self service emergency access activation • Centrally approve and manage emergency access for all SAP systems • Detailed usage logs for comprehensive emergency access reviews. Business Role Management (BRM): • Centralized business role management • Enforced compliancy to format & SOD rules • Automated role governance process involving business & technical owners. Provision & Manage Users (PMU): • Self service user access request process • Preventive risk analysis in user provisioning • Automated workflow for efficiently approving requests • Streamline and automate reviews of user access
    29. Access Control: Value. IT costs are reduced through: • Self service password reset • Automated user access requests • Automated periodic certification reviews • Preventive impact simulation of planned actions & access requests • Automated root cause analysis of issues • Integration with IDM solutions to ensure consistency and compliance across the enterprise. Operational costs are reduced through: • Faster response to access requests • Reduced response time to business emergencies through Emergency Access • Reduced penalties for risk & compliance violations. Audit costs are reduced through: • Automated audit trail of changes to rules, access approval & risk mitigation • Automated reporting & a centralized location, reducing analysis time for internal & external auditors • Automated process reducing audit analysis from full data & process testing to tool testing
    30. Recap. "35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits". Level 1: Getting into SAP: Users & Passwords. Level 2: Getting around in SAP: SOD, Critical access, process & organizational access. Level 3: User Access Management: Processes & Organization. Support: Sustainability, Expertise & Tooling
    31. Get Inspired. Stay Connected. Achieve Business Agility. Thank you!
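The Level 1 items on slides 13 to 15 (password parameter settings, multiple logon, auto log-off, and the four special users with the state the slide demands for them) can be turned into a scripted review that runs over two exports: the active profile parameters and the user master records per client. The Python below is an added example, not the presenter's or Expertum's tooling. The parameter names are real SAP login parameters, but the target values are an assumed company baseline; the user records are constructed USR02-style extracts, and the `default_password` flag stands in for whatever evidence the reviewer has that the generally known password is still set (that evidence is not modelled here).

```python
"""Level 1 review over constructed exports: login parameters and standard users.
Added example; target values are an assumed baseline, not SAP defaults."""

# Assumed company baseline: parameter -> (rule, target).
# "min": value >= target, "max": value <= target, "eq": value == target.
PASSWORD_BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("max", 90),      # days until a password must change
    "login/password_max_idle_initial": ("max", 7),      # days an unused initial/reset password stays valid
    "login/password_max_idle_productive": ("max", 90),  # days an unused productive password stays valid
    "login/fails_to_user_lock": ("max", 5),             # failed logons before the user is locked
    "login/password_history_size": ("min", 5),          # old passwords that may not be reused
    "login/disable_multi_gui_login": ("eq", 1),         # multiple logon control
    "rdisp/gui_auto_logout": ("max", 1800),             # seconds of inactivity before auto log-off
    "login/no_automatic_user_sapstar": ("eq", 1),       # no fallback SAP* when the user is deleted
}

# For these parameters the value 0 means "no limit", so 0 must never satisfy a "max" rule.
ZERO_MEANS_UNLIMITED = {
    "login/password_expiration_time",
    "login/password_max_idle_initial",
    "login/password_max_idle_productive",
    "rdisp/gui_auto_logout",
}

def check_parameters(params):
    """Return one finding per deviation from the baseline. A missing parameter is a
    finding too: the kernel default then applies, and the baseline never approved it."""
    findings = []
    for name, (rule, target) in PASSWORD_BASELINE.items():
        if name not in params:
            findings.append(f"{name}: not set (kernel default in effect), baseline {rule} {target}")
            continue
        value = int(params[name])
        if name in ZERO_MEANS_UNLIMITED and value == 0:
            findings.append(f"{name}: 0 means unlimited, baseline {rule} {target}")
            continue
        ok = {"min": value >= target, "max": value <= target, "eq": value == target}[rule]
        if not ok:
            findings.append(f"{name}: {value}, baseline {rule} {target}")
    return findings

# The special users of slide 14 ("Early Watch" is the EARLYWATCH user). Required state:
# present in every client (do not delete), locked, no access rights, password changed.
STANDARD_USERS = ("SAP*", "DDIC", "SAPCPIC", "EARLYWATCH")

def check_standard_users(clients, users):
    """users: constructed USR02-style records with fields client, user, locked,
    default_password (True while the generally known password is still set), profiles."""
    findings = []
    by_key = {(u["client"], u["user"]): u for u in users}
    for client in clients:
        for name in STANDARD_USERS:
            rec = by_key.get((client, name))
            if rec is None:
                findings.append(f"{client}/{name}: user does not exist (deleted?) - recreate and lock")
                continue
            if rec["default_password"]:
                findings.append(f"{client}/{name}: generally known password still set")
            if not rec["locked"]:
                findings.append(f"{client}/{name}: not locked")
            if rec["profiles"]:
                findings.append(f"{client}/{name}: still has access rights {sorted(rec['profiles'])}")
    return findings

# Constructed sample data (not taken from any real system).
SAMPLE_PARAMS = {
    "login/min_password_lng": "6",
    "login/password_expiration_time": "0",
    "login/password_max_idle_initial": "7",
    "login/password_max_idle_productive": "0",
    "login/fails_to_user_lock": "5",
    "login/password_history_size": "5",
    "login/disable_multi_gui_login": "0",
    "rdisp/gui_auto_logout": "1800",
    # login/no_automatic_user_sapstar deliberately absent
}
SAMPLE_USERS = [
    {"client": "000", "user": "SAP*", "locked": False, "default_password": True, "profiles": {"SAP_ALL"}},
    {"client": "000", "user": "DDIC", "locked": True, "default_password": False, "profiles": set()},
    {"client": "000", "user": "SAPCPIC", "locked": True, "default_password": False, "profiles": set()},
    {"client": "000", "user": "EARLYWATCH", "locked": True, "default_password": False, "profiles": set()},
    {"client": "100", "user": "SAP*", "locked": True, "default_password": False, "profiles": set()},
    {"client": "100", "user": "DDIC", "locked": True, "default_password": False, "profiles": {"SAP_ALL"}},
    # SAPCPIC and EARLYWATCH were deleted from client 100: reported, because "do not delete"
]

if __name__ == "__main__":
    for finding in check_parameters(SAMPLE_PARAMS) + check_standard_users(["000", "100"], SAMPLE_USERS):
        print(finding)
```

The zero-handling is the part reviewers most often get wrong when they compare exported values against a threshold: `login/password_expiration_time = 0` is below any "max" target and yet means passwords never expire.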
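Slides 18 to 21 describe the Level 2 analysis (a segregation-of-duties ruleset, sensitive access, the object at which a conflict occurs: user, composite role or single role, and the warning against wildcards), and slide 24 asks for a preventive SOD check before an access change is approved. The Python below is an added example of that analysis, not the presenter's method and not a delivered or purchased ruleset: the functions, rules, roles and users are constructed, S_TCODE is the only authorization object modelled, and the transaction codes are used only to give the functions recognisable content. It goes one step beyond the slides in that it attributes each user conflict to the lowest object that already carries it, which is where remediation has to happen.

```python
"""Level 2/3 review over constructed role data: SoD conflicts located at the object
where they arise, sensitive access, wildcard authorizations, and a preventive check
of a requested assignment. Added example; all data below is constructed."""

# A function is a set of transaction codes; an SoD rule names two functions that
# one person must not hold together. Sensitive functions are restricted to named owners.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PO_CREATE": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
    "USER_ADMIN": {"SU01", "PFCG"},
}
SOD_RULES = [("VENDOR_MAINT", "VENDOR_PAYMENT"), ("PO_CREATE", "GOODS_RECEIPT")]
SENSITIVE = {"USER_ADMIN"}

# Single roles carry their S_TCODE values (one role has the '*' wildcard on purpose);
# composite roles bundle single roles; users hold composites and/or singles.
SINGLE_ROLES = {
    "Z_AP_VENDOR": {"XK01", "XK02"},
    "Z_AP_PAY": {"F110"},
    "Z_MM_BUYER": {"ME21N", "ME23N"},
    "Z_MM_WH": {"MIGO"},
    "Z_BASIS_ALL": {"*"},
}
COMPOSITE_ROLES = {"ZC_AP_CLERK": ["Z_AP_VENDOR", "Z_AP_PAY"]}  # conflict built into the composite
USERS = {
    "ACLERK": ["ZC_AP_CLERK"],
    "BUYER1": ["Z_MM_BUYER"],
    "BUYER2": ["Z_MM_BUYER", "Z_MM_WH"],  # conflict exists only in the user's combination
    "BASIS1": ["Z_BASIS_ALL"],
}

def expand(roles):
    """Flatten composite roles into the single roles they contain (order kept, no duplicates)."""
    singles = []
    for r in roles:
        for s in COMPOSITE_ROLES.get(r, [r]):
            if s not in singles:
                singles.append(s)
    return singles

def has_function(singles, function):
    """'*' in S_TCODE starts every transaction, so a wildcard role holds every function."""
    tcodes = set().union(*(SINGLE_ROLES[s] for s in singles))
    return "*" in tcodes or bool(FUNCTIONS[function] & tcodes)

def conflicts(singles):
    """SoD rules violated by this set of single roles."""
    return [(a, b) for a, b in SOD_RULES if has_function(singles, a) and has_function(singles, b)]

def locate_conflicts():
    """One finding per user conflict, attributed to the lowest object that already carries it:
    a single role, a composite role, or only the user's combination (slide 20's levels)."""
    findings = []
    for user, roles in USERS.items():
        singles = expand(roles)
        for conflict in conflicts(singles):
            level, obj = "user", user
            for comp in (r for r in roles if r in COMPOSITE_ROLES):
                if conflict in conflicts(expand([comp])):
                    level, obj = "composite", comp
            for single in singles:
                if conflict in conflicts([single]):
                    level, obj = "single", single
            findings.append((level, obj, user, conflict))
    return findings

def sensitive_access():
    """Users holding a sensitive function, to be compared with the approved owner list."""
    out = {}
    for user, roles in USERS.items():
        held = sorted(f for f in SENSITIVE if has_function(expand(roles), f))
        if held:
            out[user] = held
    return out

def wildcard_roles():
    """Single roles whose S_TCODE contains '*' (slide 21: avoid using wildcards)."""
    return sorted(name for name, tcodes in SINGLE_ROLES.items() if "*" in tcodes)

def preventive_check(user, requested_role):
    """Slide 24's preventive SOD check: the conflicts a request would add to the user.
    An empty list means the request introduces no new conflict and can go to approval."""
    before = conflicts(expand(USERS[user]))
    after = conflicts(expand(USERS[user] + [requested_role]))
    return [c for c in after if c not in before]

if __name__ == "__main__":
    for level, obj, user, (a, b) in locate_conflicts():
        print(f"SoD conflict {a} vs {b}: user {user}, fix at {level} level ({obj})")
    print("sensitive access:", sensitive_access())
    print("wildcard roles:", wildcard_roles())
    print("BUYER1 + Z_MM_WH would add:", preventive_check("BUYER1", "Z_MM_WH"))
```

On the constructed data the clerk's conflict is reported against the composite role, the buyer's only against the user, and the wildcard role is the sole cause of the Basis user's conflicts and sensitive access, which is why slide 21 treats wildcards as a role-design finding rather than a user-level one.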