1
SAP Security and Controls
Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations
2
Agenda
• Increased Focus on Security & Controls
• SAP R/3 Security Risks & Controls
• Security Management
• Security Compliance Tools
• Questions
3
Increased Focus on Security and Controls
• Fraud (Barings Bank, WorldCom, Enron, ...)
• Security Breaches (UCs, BC, Stanford...)
• Regulatory Compliance
  • Sarbanes-Oxley (SOX)
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
4
Security Risks
• Access Control
  • Do some users have too much access?
  • Sufficient access restrictions to private information?
• Segregation of Duties (SoD)
5
Security Compliance Tools – Internal Controls
• “Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives” (From MIT’s Guidelines For Financial Review and Control)
• Cost of implementing a control should not exceed the expected benefit of the control
• “Security is a process, not a product”
6
Security Compliance Tools
Who has access to sensitive transactions?
Are there any SoD violations?
• Real-Time Monitoring
• Remove access or assign mitigating controls
• Reduce time and effort when providing information to auditors
7
SoD Rules Matrix
• Predefined SoD Rule Set
• Can Add Custom Transactions to Rule Set
8
Virsa-Compliance Calibrator
9
Virsa-Compliance Calibrator
10
Virsa-Compliance Calibrator
• Resolve SoD Issues
11
Security Compliance Software Vendors
• Virsa
• Approva
• Oversight Systems
• Big 4 (E&Y, PwC, KPMG, Deloitte)
12
Benefits of Security Compliance Tools - Summary
• Run with SAP R/3
• Automate SoD analysis
• Automate monitoring of critical transactions
• Quick assessment of authorization compliance for business users, auditors, and IT security staff
• Used during development/project efforts
• Avoid manual analysis and false positives
13
CONTACT
Mail: info@pennonsoft.com
Phone: (414) 433-4823
Website: www.pennonsoft.com

Sap security compliance tools_PennonSoft


Editor's Notes

  • #4 Barings Bank (UK's oldest merchant bank) represented a segregation of duties issue (mid 90’s). Rogue trader Nick Leeson was general manager, head trader and back office manager (a segregation of duties conflict) in Singapore; Leeson effectively controlled the front and back offices.
    WorldCom cooked the books to overstate revenues, e.g. the CFO told key staff members to mark operating costs as long term investments. WorldCom filed for bankruptcy in July 2002, which was the largest bankruptcy in American history. The SEC accused the company of misrepresenting earnings to the tune of $11 billion. Investors lost billions of dollars as a direct result of the bankruptcy. The former WorldCom CEO was sentenced to 25 years.
    Enron inflated its profits, since many of the losses that Enron suffered were not reported in its financial statements. The bankruptcy resulted in thousands of employees being laid off, loss of retirement benefits and savings for thousands more, and substantial losses for shareholders, creditors, and suppliers, and in the fall of Arthur Andersen, which at the time was the largest accounting firm in the world.
    Security breaches: data breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Several University of California campuses have had their systems hacked into. At Boston College there was a hacking incident in which 120,000 records were compromised. At ChoicePoint, bogus accounts were established by ID thieves, and records on thousands of Americans were sold to identity thieves. In particular, it sold significant amounts of personal information on 145,000 consumers to a group of identity thieves in California, resulting in at least 700 known cases of fraud and identity theft. The information turned over to the thieves included names, addresses, Social Security numbers and credit reports.
    Regulations. Sarbanes-Oxley: signed into law shortly after Enron’s collapse; it basically requires publicly traded companies to assess the effectiveness of their controls and have those controls attested by an outside auditor. SOX 404 requires management to evaluate the effectiveness of internal controls on a quarterly basis.
    FERPA: a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds from the U.S. Department of Education.
    California Security Breach Notification Law (since 2003): requires state government agencies as well as companies and nonprofit organizations, regardless of geographic location, to notify California customers if their personal information maintained in computerized data files has been compromised by unauthorized access. California consumers must be notified when their name is illegitimately obtained from a server or database together with other personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account. In short, organizations that have had a breach of security related to personal information must inform the people whose personal information may have been compromised.
    HIPAA: since we have a medical center on campus this law applies to us; in general its provisions address the security and privacy of health data.
    Gramm-Leach-Bliley Act (GLBA): requires financial institutions to take steps to ensure the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. MIT is considered a financial institution since it participates in financial activities, such as making Federal Perkins Loans, and FTC regulations consider MIT a financial institution for GLB Act purposes. The FTC has indicated that colleges and universities will be deemed to be in compliance with the privacy provisions of GLBA if they are in compliance with FERPA.
    Keep in mind that there are also penalties for violations of each of these laws: FERPA violations can lead to the termination of federal funding; GLBA violations can lead to civil penalties of more than 100,000 for each violation.
  • #5 There are several access-related factors that auditors must be aware of during an application audit. First is the varying levels of user access and their respective responsibilities. There are system administrators with significant privileges, and it is important that they not be given access to transactional processes. Next are super-users with a high degree of access to their particular module and the ability to override controls, and finally standard users with control over specific functions. For the latter two user types, it is important to ensure adequate segregation of duties and that there are no conflicts. For example, no one person must have the ability to both raise a purchase order and to approve an invoice. One problem with such analysis of access is that it is usually done on a ‘point in time’ basis. If possible, organizations should put in place a system to monitor these functions continuously.
    Security is often implemented as an afterthought with few SoD rules/controls. External/internal auditors report SoD issues with false positives (SUIM). The security team may spend a lot of time proving that reported SoD violations do not exist after drilling down at the object level.
    Users: “I need access to XK01 (create vendor)”
    External auditors: “Show me evidence that segregation of duties issues do not exist or have been mitigated”
    Management: “Who has access to sensitive data?”
  • #6 The goal is to achieve an appropriate balance between cost and control. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce our risk of exposure regardless of the products.
  • #7 Run with SAP R/3. Automated SoD analysis and monitoring of critical transactions. Quick assessment of authorization compliance for business users, auditors, and IT security staff. Blocking of violations before committing to production. Avoidance of manual analysis and false positives. Can be used with SAP R/3, Oracle, PeopleSoft, and Hyperion.
  • #9 In March of last year Virsa signed a 3-year deal with SAP, which will exclusively resell the SAP version of Compliance Calibrator. Compliance Calibrator runs on the same servers that run SAP and accesses the most current data, with hopefully no performance issues.
  • #12 In March of last year Virsa signed a 3-year deal with SAP, which will exclusively resell the SAP version of Compliance Calibrator.
  • #13 Prevent segregation of duties issues: define a set of SoD rules (include "Z" transactions); create SoD rules at the object level; define mitigating controls and approvals; involve the security team, primary authorizers, and auditors.
    Identify users with access to sensitive data: define the classification of sensitive data; determine where sensitive data lives within R/3; identify user access to sensitive data/critical transactions.
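The SoD rules matrix on slide 7 and the notes for #5 and #13 (rules at the object level so that SUIM-style transaction lists stop producing false positives, mitigating controls, and answering "who has access to this sensitive transaction?") can be made concrete in a small script. The following is an added example and is not Compliance Calibrator's or PennonSoft's code. XK01 (create vendor) is the transaction named on the page; ME21N, MIRO and F110 are real SAP transaction codes used only illustratively, and the authorization objects and activity values attached to them, the roles, the users and the mitigating-control id are all constructed assumptions for this example.

```python
"""Toy segregation-of-duties (SoD) analyzer modelled on the slides' rules matrix.
Added example, not Compliance Calibrator or PennonSoft code. XK01 (create vendor)
is named on the page; the other transaction codes are real SAP codes used
illustratively, and the authorization objects/activities, roles, users and the
mitigating-control id are assumptions constructed for this example."""
from collections import namedtuple

Role = namedtuple("Role", "transactions objects")  # S_TCODE entries; object -> set of ACTVT
SodRule = namedtuple("SodRule", "rule_id function_a function_b risk")
Finding = namedtuple("Finding", "user rule_id via_a via_b status")  # status: open | mitigated

# transaction -> (authorization object, ACTVT) it needs for the sensitive action (assumed values)
TRANSACTIONS = {
    "XK01": ("F_LFA1_APP", "01"),   # create vendor master
    "ME21N": ("M_BEST_BSA", "01"),  # create purchase order
    "MIRO": ("M_RECH_WRK", "01"),   # post vendor invoice
    "F110": ("F_REGU_BUK", "02"),   # run automatic payments
}
FUNCTIONS = {  # business functions, each realised by one or more transactions
    "CREATE_VENDOR": {"XK01"}, "CREATE_PO": {"ME21N"},
    "POST_INVOICE": {"MIRO"}, "RUN_PAYMENT": {"F110"},
}
RULES = [  # the SoD rule set: pairs of functions no single user should hold
    SodRule("R01", "CREATE_PO", "POST_INVOICE", "raise a PO and approve its invoice"),
    SodRule("R02", "CREATE_VENDOR", "RUN_PAYMENT", "create a vendor and pay it"),
    SodRule("R03", "CREATE_VENDOR", "POST_INVOICE", "create a vendor and invoice it"),
]
ROLES = {  # constructed roles
    "Z_PURCHASER": Role(frozenset({"ME21N"}), {"M_BEST_BSA": {"01", "02", "03"}}),
    "Z_AP_CLERK": Role(frozenset({"MIRO", "F110"}), {"M_RECH_WRK": {"01"}, "F_REGU_BUK": {"02"}}),
    # XK01 sits in the role menu but the vendor object only allows display (03):
    # a transaction-only report flags it, an object-level report does not.
    "Z_VENDOR_DISPLAY": Role(frozenset({"XK01"}), {"F_LFA1_APP": {"03"}}),
    "Z_VENDOR_MAINT": Role(frozenset({"XK01"}), {"F_LFA1_APP": {"01", "02", "03"}}),
}
USERS = {  # constructed user -> role assignments
    "alice": ["Z_PURCHASER", "Z_AP_CLERK"],
    "bob": ["Z_VENDOR_DISPLAY", "Z_AP_CLERK"],
    "carol": ["Z_VENDOR_MAINT", "Z_AP_CLERK"],
}
MITIGATIONS = {  # approved mitigating control per (user, rule); constructed id
    ("carol", "R02"): "MC-07 monthly review of vendor master changes",
}


def effective_transactions(user_roles, object_level=True):
    """Transactions the user can run. With object_level=True a transaction only
    counts when some role also grants the object/activity it needs. SAP
    authorizations are the union of all of a user's roles, so roles are merged."""
    tcodes = set().union(*(r.transactions for r in user_roles))
    if not object_level:
        return tcodes
    granted = {}
    for role in user_roles:
        for obj, acts in role.objects.items():
            granted.setdefault(obj, set()).update(acts)
    usable = set()
    for code in tcodes:
        obj, actvt = TRANSACTIONS.get(code, (None, None))  # unknown tcode: never usable
        if actvt in granted.get(obj, ()):
            usable.add(code)
    return usable


def analyze(users, roles, rules, mitigations, object_level=True):
    """Check every user against every rule; findings come back sorted by user, then rule."""
    findings = []
    for user, role_names in sorted(users.items()):
        tcodes = effective_transactions([roles[n] for n in role_names], object_level)
        for rule in rules:
            via_a = tuple(sorted(tcodes & FUNCTIONS[rule.function_a]))
            via_b = tuple(sorted(tcodes & FUNCTIONS[rule.function_b]))
            if via_a and via_b:
                status = "mitigated" if (user, rule.rule_id) in mitigations else "open"
                findings.append(Finding(user, rule.rule_id, via_a, via_b, status))
    return findings


def users_with_access(users, roles, tcode, object_level=True):
    """Answer the slide's question: who has access to this sensitive transaction?"""
    return sorted(u for u, names in users.items()
                  if tcode in effective_transactions([roles[n] for n in names], object_level))


if __name__ == "__main__":
    for label, ol in (("transaction-level (SUIM-style)", False), ("object-level", True)):
        print(f"--- {label} ---")
        for f in analyze(USERS, ROLES, RULES, MITIGATIONS, object_level=ol):
            print(f"{f.user:6} {f.rule_id} {f.status:9} {f.via_a} x {f.via_b}")
        print("XK01 access:", users_with_access(USERS, ROLES, "XK01", object_level=ol))
```

Running it shows the difference the notes describe: the transaction-level pass reports five findings, including two for bob, who merely has XK01 in a display-only role; the object-level pass drops bob entirely and leaves alice's open R01 conflict (raise a PO and approve its invoice) plus carol's two vendor conflicts, one of them marked mitigated by the recorded control rather than open. Adding a custom "Z" transaction to the rule set is just another entry in TRANSACTIONS and FUNCTIONS.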