How to perform a security review on your sap systems in order to get a thumbs-up audit report

This presentation will explain what the key security elements are regarding User Access and how to manage them. This will allow you to incorporate these elements into your system and prepare for an SAP Audit.

SAPience User Day, March 21, 2013

  • Sensitive access: business or IT processes that need to be performed & managed by selected people (system loads, privacy, company assets, …)
  • A lot has to do with the rule structure
  • An automated solution offers centralized, workflow-driven processes that not only reduce the costs associated with managing access risk on a daily basis, but also save time and money throughout the audit process.
    The first step in evaluating a company’s readiness for an automated solution is an honest assessment of whether the current access risk management program meets the company’s standards for risk tolerance. Next, conduct a thorough accounting of the total cost of ownership of the current solution — including all software license costs and resource requirements, and taking into consideration the cost of unidentified risk — and compare that TCO against a fully automated replacement. Many companies have found, through very similar analysis, that the value of an automated access risk solution is worth more than its cost.
    Every company is unique, but several SAP customers have reported dramatic improvements in efficiency and cost reductions since moving from manual processes to SAP BusinessObjects Access Control. Some have enjoyed significant reductions in the time required to provision user access, eliminating a backlog of requests. Others have reported time savings thanks to the elimination of human error in provisioning, reporting, and other activities. For these reasons and more, companies should ask themselves whether their current solution for managing access risk is really the solution they want to use to prevent errors and even fraud going forward.

Presentation Transcript

  • SAPience.be User Day ’13, March 21, 2013. How to perform a security review on your SAP systems in order to get a "thumbs-up" audit report. Melissa Dielman. SAPience.be User Day ’13 1
  • Agenda
    • Introduction Expertum
    • User Access Audit
    • Level 1: Getting into SAP
    • Level 2: Getting around within SAP
    • Level 3: Managing the User Access
    • Getting support
  • Introduction Expertum
    • Facts: founded in April 2006 by 2 ex-SAP Belux employees; team of 50+ SAP experts and project managers; partnerships: Gold.
    • Mission: exceed client expectations by providing top-quality expertise; provide our people a safe environment for personal and professional growth.
    • Strength: highly skilled & experienced SAP consultants in all SAP areas, combined with wide industry knowledge in several domains; first (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM).
  • Expertum Competence Areas
    • Project Management (PM); Finance & Controlling (FI/CO); Supply Chain Management (SCM); Knowledge Management; Business Intelligence (BI: BW + BO); Product Development & Product Lifecycle Management (PLM); Governance, Risk, and Compliance (GRC); Application Lifecycle Management (SolMan + NW).
    • Focus GRC team: SAP Authorization Health Check; SAP Authorization Concept (re)Design; SOD conflict remediation; SAP Security Framework design; SAP GRC Toolbox (GRC RDS certified); SAP IDM; day-to-day support.
  • User Access Audit
    • Security risk
    • Why auditing user access?
    • Who’s auditing
    • Internal threats: the main issues
  • Security risk: External Threats. Routers, firewalls, SAP web servers, proxy servers, security incident & event monitoring.
  • Security risk: Internal Threats. SAP.
  • Security risk: Compliancy Needs. Basel II, FDA, EU Privacy Directives, SOX, J-SOX, OECD, SAP Good Governance, …
  • Why auditing User Access?
    • Segregation of Duties continues to be a top contributor in fraud activities: "A lack of internal controls, such as segregation of duties, was cited as the biggest deficiency" (Control Weaknesses That Contributed to Fraud, Report to the Nations on Occupational Fraud and Abuse, ACFE, 2010).
    • Deloitte, 2010 TMT Global Security Study: "35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits".
    • Top audit findings by sector (chart). Top 3 areas of internal/external audit findings: excessive access rights; audit trails and logging issues; lack of sufficient segregation of duties.
    • As a consequence, "Organizations rate Identity and access management as one of their top 3 security initiatives for 2010".
  • Who’s Auditing
    • In view of the financial audits companies need to comply with, the platform that contains, handles & reports on financial data is audited, as well as the processes.
    • External/internal audit; Security Office; compliancy board.
    • Auditing checklists; automated reviews; Early Watch reports.
    • Red lights are often recurring issues.
  • Internal Threats: The main issues
    • Today’s SAP environments often lack appropriate security and control mechanisms, which is demonstrated by the following facts: lack of business & IT communication; fragmented approach to access control; bad practices in user management; excessive time & cost of analysis & audit; inability to prevent access risk.
  • User Access Risk
    • Level 1: Getting into SAP
    • Level 2: Getting around in SAP
    • Level 3: User Access Management
  • Level 1: Getting into SAP
    • Identification: User IDs. Unique & identifiable -> accountability.
    • Authentication: Passwords. Are you who you claim you are?
    • Tools: password parameter settings; multiple logon parameter settings; auto log-off; user locks; HR triggers.
  • Level 1: Getting into SAP. Special SAP Users: SAP*, DDIC, SAPCPIC, Early Watch.
    • Action: change the generally known password; do not delete the user; lock it; remove its access rights.
  • Level 1: Getting into SAP. Password Settings: validity of initial/reset passwords; password changes; complexity; prohibited patterns.
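As an added example (not part of the presentation or Expertum’s material), the two kinds of Level 1 checks above, the password/logon parameter settings and the special SAP users, expressed as a small Python audit script that runs over exported system data. The login/* and rdisp/* profile parameter names are real SAP parameters; the sample values, the baseline thresholds, the user export layout and the user name EARLYWATCH are assumptions made for this example.

```python
"""Level 1 ("Getting into SAP") audit checks over exported system data.
Added example: parameter names are real SAP profile parameters, but the
sample values, baseline thresholds and user export layout are constructed."""

# Constructed parameter export, as a practitioner might parse it from a
# profile-parameter report. The values are deliberately weak sample values.
SAMPLE_PARAMS = {
    "login/min_password_lng": "6",
    "login/password_expiration_time": "0",
    "login/fails_to_user_lock": "12",
    "login/disable_multi_gui_login": "0",
    "rdisp/gui_auto_logout": "0",
    "login/password_history_size": "5",
    "login/no_automatic_user_sapstar": "0",
}

# Baseline: parameter -> (comparison, expected). The thresholds are this
# example's assumptions; the company's own policy defines the real ones.
BASELINE = {
    "login/min_password_lng": (">=", 8),                     # complexity: minimum length
    "login/password_expiration_time": ("between", (1, 90)),  # forced password change (days)
    "login/fails_to_user_lock": ("between", (1, 5)),         # user lock after failed logons
    "login/disable_multi_gui_login": ("==", 1),              # multiple logon control
    "rdisp/gui_auto_logout": ("between", (1, 1800)),         # auto log-off (seconds)
    "login/password_history_size": (">=", 5),                # prohibit reuse of old passwords
    "login/no_automatic_user_sapstar": ("==", 1),            # no hard-coded SAP* logon
}

def _satisfies(value, op, want):
    if op == ">=":
        return value >= want
    if op == "==":
        return value == want
    if op == "between":
        return want[0] <= value <= want[1]
    raise ValueError("unknown comparison %r" % op)

def check_params(params, baseline=BASELINE):
    """Return (parameter, actual, expected) for every baseline deviation."""
    findings = []
    for name, (op, want) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, None, want))   # unset: system default applies
            continue
        if not _satisfies(int(raw), op, want):
            findings.append((name, int(raw), want))
    return findings

# Special users named on the slide; "EARLYWATCH" is the assumed user name.
SPECIAL_USERS = ("SAP*", "DDIC", "SAPCPIC", "EARLYWATCH")

# Constructed user export: one row per user and client. "pw_changed" stands
# for "the delivered password has been changed at least once".
SAMPLE_USERS = [
    {"name": "SAP*", "client": "100", "locked": False, "roles": ["Z_BASIS_ALL"], "pw_changed": False},
    {"name": "DDIC", "client": "100", "locked": True, "roles": [], "pw_changed": True},
    {"name": "SAPCPIC", "client": "100", "locked": False, "roles": ["Z_RFC_ALL"], "pw_changed": False},
    {"name": "JDOE", "client": "100", "locked": False, "roles": ["Z_AP_CLERK"], "pw_changed": True},
]

def check_special_users(users, clients):
    """Apply the slide's actions per client: password changed, not deleted,
    locked, access rights removed. Returns (user, client, finding) tuples."""
    by_key = {(u["name"], u["client"]): u for u in users}
    findings = []
    for client in clients:
        for name in SPECIAL_USERS:
            user = by_key.get((name, client))
            if user is None:
                findings.append((name, client, "user missing: was it deleted?"))
                continue
            if not user["pw_changed"]:
                findings.append((name, client, "generally known password never changed"))
            if not user["locked"]:
                findings.append((name, client, "not locked"))
            if user["roles"]:
                findings.append((name, client, "still has roles: " + ", ".join(user["roles"])))
    return findings

if __name__ == "__main__":
    for f in check_params(SAMPLE_PARAMS) + check_special_users(SAMPLE_USERS, ["100"]):
        print(*f, sep=" | ")
```

Both functions return findings rather than printing them, so the same script can feed a spreadsheet or ticket per finding; a missing special user is reported as a finding on purpose, because the slide’s advice is to lock rather than delete.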
  • Level 2: Getting around in SAP. WHAT did they do WHERE?
  • Level 2: Getting around in SAP. Segregation of Duties; Sensitive Access; Process & Organizational relevance.
  • Level 2: Getting around in SAP. Segregation of Duties: preventing fraud/errors from disrupting process chains and the achievement of company targets, by spreading a task/process over different persons.
    • Rule definition: responsive to audit comments; purchased rulesets; standard ruleset delivered with compliance software; company specific rules.
    • ! Restrict to a realistic number.
  • Level 2: Getting around in SAP. Sensitive Access: business and IT processes that should be restricted to specific users for system protection, data protection, data privacy, …
    • Process & Organizational relevance: access should be restricted to the processes relevant to the users (RACI).
  • Level 2: Getting around in SAP. Occurrence of issues at: user, position, composite role, single role.
  • Level 2: Getting around in SAP. Role level
    • ? Does the description fit the bill?
    • ? Process & organization
    • ? Is the role level granular enough?
    • ! Avoid using wildcards
    • ! Enjoy transactions
    • ! Be critical about default SU24 values
    • ! Avoid manually inserted objects
    • ! Ensure consistency (masters & deriveds)
  • Level 2: Getting around in SAP. SAP Security Notes: ABAP and kernel software corrections.
    • Transaction ST13, tool RSECNOTE
    • https://service.sap.com/security indicates which are monitored for EWA
    • SAP Note 888889
  • Level 3: User Access Management. Key elements to controlled user access: PROCESS, ORGANIZATION, DOCUMENTATION, REPORTING.
  • Level 3: User Access Management. User Access Management processes: user creation; user lock; user termination; additional user access request; user access change: revoke old access rights!
    • ! Preventive SOD check
    • ! Business governance
    • ! Documentation
  • Level 3: User Access Management. Organization: business ownership over business data!
    • Who can request; who approves (1-2-3 levels); who reviews.
    • Define & Control; Empower; Inform & Monitor; Document.
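The Level 2 slides (SoD rule definition, occurrence of issues at single role / composite role / user level, "avoid using wildcards") and the Level 3 process slides (preventive SOD check on a user access request, revoking old access rights on a change) fit together in one worked example. This is added code, not the presentation’s or Expertum’s: the roles, the users, the two-rule SoD ruleset and the flat (object, field, value) layout of the role authorization data are constructed for illustration, the rules are not a purchased or standard ruleset, and wildcard values are expanded with fnmatch-style matching as an assumption.

```python
"""Level 2 / Level 3 worked example: SoD conflicts per single role, composite
role and user; wildcard detection in role authorization data; preventive SoD
check on an access change. Roles, users and ruleset are constructed."""
from fnmatch import fnmatchcase

# Constructed single roles: authorization data as (object, field, value).
# Transaction codes are real SAP codes; the role contents are invented.
SINGLE_ROLES = {
    "Z_AP_VENDOR_MASTER": [("S_TCODE", "TCD", "FK01"), ("S_TCODE", "TCD", "FK02"),
                           ("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "02")],
    "Z_AP_INVOICE": [("S_TCODE", "TCD", "MIRO"), ("S_TCODE", "TCD", "F-43"),
                     ("F_BKPF_BUK", "ACTVT", "01")],
    "Z_PURCHASING": [("S_TCODE", "TCD", "ME21N"), ("M_BEST_BSA", "ACTVT", "01")],
    "Z_BASIS_ALL": [("S_TCODE", "TCD", "*"), ("S_USER_GRP", "ACTVT", "*")],
    "Z_DISPLAY_ONLY": [("S_TCODE", "TCD", "SE16"), ("S_TABU_DIS", "ACTVT", "03")],
}
COMPOSITE_ROLES = {"ZC_AP_CLERK": ["Z_AP_VENDOR_MASTER", "Z_AP_INVOICE"]}
USERS = {
    "JDOE": ["ZC_AP_CLERK"],
    "ASMITH": ["Z_PURCHASING", "Z_DISPLAY_ONLY"],
    "BASIS1": ["Z_BASIS_ALL"],
}

# Constructed SoD ruleset: (rule id, function A tcodes, function B tcodes, description).
SOD_RULES = [
    ("R01", {"FK01", "FK02"}, {"MIRO", "F-43"}, "maintain vendor master vs. post vendor invoice"),
    ("R02", {"ME21N"}, {"MIRO", "F-43"}, "create purchase order vs. post vendor invoice"),
]
RULE_TCODES = set().union(*(a | b for _, a, b, _ in SOD_RULES))

def single_role_tcodes(role):
    """Transactions a single role grants via S_TCODE. Wildcard values are
    expanded against the ruleset's transactions (assumed fnmatch semantics)."""
    patterns = [v for obj, fld, v in SINGLE_ROLES[role] if obj == "S_TCODE" and fld == "TCD"]
    exact = {p for p in patterns if "*" not in p}
    matched = {t for t in RULE_TCODES if any(fnmatchcase(t, p) for p in patterns)}
    return exact | matched

def role_tcodes(role):
    """Composite roles are the union of their single roles."""
    members = COMPOSITE_ROLES.get(role, [role])
    return set().union(*(single_role_tcodes(m) for m in members))

def tcodes_for_roles(roles):
    return set().union(*(role_tcodes(r) for r in roles))

def sod_conflicts(tcodes):
    """Rule ids violated when one principal can run a transaction on both sides."""
    return [rid for rid, a, b, _ in SOD_RULES if tcodes & a and tcodes & b]

def wildcard_findings(single_roles=SINGLE_ROLES):
    """'Avoid using wildcards': any '*' in an authorization value is flagged."""
    return [(r, o, f, v) for r, auths in single_roles.items() for o, f, v in auths if "*" in v]

def conflicts_by_level(users=USERS):
    """'Occurrence of issues at': report each conflict where it originates."""
    report = {}
    for r in SINGLE_ROLES:
        c = sod_conflicts(single_role_tcodes(r))
        if c:
            report[("single", r)] = c
    for r in COMPOSITE_ROLES:
        c = sod_conflicts(role_tcodes(r))
        if c:
            report[("composite", r)] = c
    for u, roles in users.items():
        c = sod_conflicts(tcodes_for_roles(roles))
        if c:
            report[("user", u)] = c
    return report

def request_access(users, user, add=(), remove=()):
    """Preventive SOD check on a user access change: simulate the resulting
    assignment first and apply it (to a copy) only if no rule is violated.
    `remove` models 'revoke old access rights' on a change of function."""
    current = users.get(user, [])
    proposed = [r for r in current if r not in remove] + [r for r in add if r not in current]
    conflicts = sod_conflicts(tcodes_for_roles(proposed))
    if conflicts:
        return {"approved": False, "conflicts": conflicts, "roles": current}
    updated = dict(users)
    updated[user] = proposed
    return {"approved": True, "conflicts": [], "roles": proposed, "users": updated}

if __name__ == "__main__":
    print("wildcards:", wildcard_findings())
    for where, rules in conflicts_by_level().items():
        print(where, rules)
    print(request_access(USERS, "ASMITH", add=["Z_AP_INVOICE"]))
    print(request_access(USERS, "ASMITH", add=["Z_AP_INVOICE"], remove=["Z_PURCHASING"]))
```

Reporting per level shows why the Level 2 slide distinguishes them: ZC_AP_CLERK is conflicting on its own, so every user holding it inherits rule R01, whereas ASMITH’s request for Z_AP_INVOICE only becomes a conflict (R02) in combination with Z_PURCHASING and is approved once the old purchasing role is revoked with it. A wildcard S_TCODE value matches every transaction in the ruleset, which is why Z_BASIS_ALL trips both rules by itself.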
  • Level 3: User Access Management. Reporting.
  • Getting Support: AUTOMATION, COST, EXPERTISE, EFFICIENCY, SUSTAINABILITY, INFORMATION.
  • GRC Access Control
    • Analyze & Manage Risks (AMR): accurately identify and analyze access risk violations in real-time; remediate and mitigate conflicts for users and roles; continuously monitor access risks and user assignments across the enterprise.
    • Emergency Access Management (EAM): self service emergency access activation; centrally approve and manage emergency access for all SAP systems; detailed usage logs for comprehensive emergency access reviews.
    • Business Role Management (BRM): centralized business role management; enforced compliancy to format & SOD rules; automated role governance process involving business & technical owners.
    • Provision & Manage Users (PMU): self service user access request process; preventive risk analysis in user provisioning; automated workflow for efficiently approving requests; streamlined and automated reviews of user access.
  • Access Control: Value
    • IT costs are reduced through: self service password reset; automated user access requests; automated periodic certification reviews; preventive impact simulation of planned actions & access requests; automated root cause analysis of issues; integration with IDM solutions to ensure consistency and compliance across the enterprise.
    • Operational costs are reduced through: improved response times for access requests; reduced response time to business emergencies through Emergency Access; reduced penalties for risk & compliance violations.
    • Audit costs are reduced through: automated audit trail of changes to rules, access approvals & risk mitigations; automated reporting & a centralized location, reducing analysis time for internal & external auditors; an automated process reducing audit analysis from full data & process testing to tool testing.
  • Recap
    • "35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits"
    • Level 1: Getting into SAP: users & passwords
    • Level 2: Getting around in SAP: SOD, critical access, process & organizational access
    • Level 3: User Access Management: processes & organization
    • Support: sustainability, expertise & tooling
  • Get Inspired. Stay Connected. Achieve Business Agility. Thank you!