AUDITING AND SECURING SAP TRAINING WEEK - …mistiemea.ungerboeck.com/brochures/TW Auditing and...

• Learn where to go to get the best security-related advice and perform additional research on other technical basis-related topics.
• Review the ‘system hardening’ guidelines provided by SAP related to common attack scenarios in SAP ABAP as well as the JAVA layer, and how proper system settings and coding techniques can prevent exposure to common attacks (such as SQL injection and man-in-the-middle attacks).
• Have a first-hand look at some largely-unpublished risks within SAP, including an example where a user may look via standard SAP security reporting as having innocuous access when in reality they have SAP_ALL-type privileges, and learn how to see if these risks affect your installation.
• You will learn how to design effective strategies and programs to ensure sustainable results.

Internal Audit

5 Day Course:

24-28 May 2015 Dubai

7-11 September 2015 London

Course Director: Steve Biskie

Author of the only book published by SAP Press related to auditing SAP, Steve is one of the most sought-after trainers in the world when it comes to the topic of an SAP audit.

Why Attend This Course?

Auditing and Securing SAP ERP Central Component (ECC) and SAP R/3

You will learn how to:
• An SAP instance
• Transactions
• Program
• Objects and reports
• Tables in the database
• Files in the operating system
• Vertical application modules
• Cross applications
• Changes from SAP R/3 to the latest ERP release
• NetWeaver and supporting security settings
• Infrastructure supporting components

Advanced Technical SAP Audit

You will learn how to:
• Practice techniques discussed on a sandbox SAP system, and get the chance to perform a quick end-to-end security assessment.
• Review the additional security risks posed by the SAP NetWeaver components, and the transactions within SAP for understanding key settings.
• Explore the various table types within SAP, and practice some basic data interrogation techniques using SAP Query tools embedded within the application.

TRAINING WEEK To find out more information about training weeks, visit: www.mistieurope.com/trainingweeks

The Global Leader In Audit and Information Security Training

AUDITING AND SECURING SAP TRAINING WEEK

Auditing and Securing SAP ERP Central Component (ECC) and SAP R/3 and Advanced Technical SAP Audit

Register online at: www.misti.com

INHOUSE TRAINING

Save up to 50% with In-House Training

emea.misti.com/in-house-training

Course Director: Steve Biskie

Steve Biskie is co-founder of High Water Advisors, a consultancy that helps organizations improve governance, risk management, compliance (GRC) and audit processes. He specializes in transforming inefficient, outdated, and compartmentalized processes and technologies to optimize GRC and audit performance and generate tangible value. A leader in the audit and compliance space for more than 20 years, Mr. Biskie has become most well-known for his work helping Fortune Global 500 organizations understand and manage the risks within complex ERP systems such as SAP and Oracle. Additionally, he is a thought leader and strategic expert on implementing high-value, sustainable analytics and continuous auditing programs.

Course Focus And Features

Continuous Auditing

This three-day seminar introduces new internal auditors to their role and responsibilities. The role of the internal audit department is explained within the broader context of assurance provision, highlighting the profession’s current challenges and reviewing some of the events that have led to the current emphasis on auditing and assurance. The seminar teaches the basic tools and techniques necessary to carry out audit assignments together with accepted best practice approaches and provides a safe and comfortable environment in which to practice with specifically designed exercises and case studies. The IIA Performance standards are referenced throughout the course.

Successful Data Analytics for Internal Auditors

This two-day course will guide delegates through the basic elements of the report writing process, from thinking about the needs of their readers, to selecting the most appropriate style and tone and writing with clarity to get results. Delegates will have the opportunity to bring extracts of their own reports with them to work on and review in the context of the ideas presented. Exercises will be provided in each session as appropriate.

Who Should Attend

Internal, financial, operational and information technology auditors; security professionals, auditors, quality assurance personnel and anyone with responsibility for audit reporting who wishes to improve the reports that they produce or review.

Advanced Preparation: Basic Auditing Experience

Training Type: Group-Live

Learning Level: Basic

CPEs: 39

Price: GBP £3,483+VAT*

*Delegates may be able to claim back VAT. Visit www.mistieurope.com/VAT for more information.

“Excellent instructor, good knowledge of subject matter and a high ability to co-ordinate the class”
Head of Internal Audit, National Bank of Oman

Telephone: +44 (0)20 3819 0800 Email: [email protected]

Training Weeks represent a saving of 10% over shorter courses (usually £3,870)

“Good course, clear structure and examples, applicable and valuable for attendees”
Nokia

Agenda

Day One:

Session 1: What you will learn: the SAP ERP architecture
• An SAP instance
• Transactions
• Program
• Objects and reports
• Tables in the database
• Files in the operating system
• Vertical application modules
• Cross applications
• Changes from SAP R/3 to the latest ERP release
• NetWeaver and supporting security settings
• Infrastructure supporting components

Session 2: Top audit risks and controls for ERP ECC and SAP R/3
• Default IDs
• Critical application transactions
• Segregation of duties issues
• Authorizations
• Change control and system locks
• Security reports and transactions
• Emergency fixes
• Network security

Session 3: Navigation techniques
• Obtaining necessary data
• Parameters on the security settings
• Tables that relate to key critical transactions
• Finding key users, transactions, and roles

Day Two:

Session 1: Security architecture
• NetWeaver
• ERP roles as defined in the SAP/R/3 system
• Portal roles as defined in the ERP ECC 6.0 environment
• Services

Session 2: Application architecture
• MySAP and GUI application suites
• Web/portal control
• NetWeaver

Session 3: Business process reviews
• Key transaction and tables
• Audit and security risks and controls
• Order to cash: SD module; pipeline performance management
• Procurement to pay: MM module
• Supplier integration: mySAP SRM
• Customer integration: CRM module
• Inventory management: mySAP SCM
• Production planning and management: PP module
• Financial reporting: FI/CO module
• Self-service
• Management of human capital: HCM module
• Project systems: PS
• Asset management: FI
• Quality management: QM
• Product lifecycle management – mySAP PLM
• Scenarios

Group Booking Discount**

2 delegates - 5% discount
3 delegates - 10% discount
4 delegates - 12% discount
5 delegates - 15% discount

**Available for delegates from one organisation attending the same course

Agenda (continued)

Day Three:

Session 1: Business rule settings for maintaining transaction integrity
• Implementation guide (IMG) key settings
• Key tables
• Audit Information System (AIS)
• Audit and security reports
• Audit and security transactions
• System auditing
• Business auditing

Session 2: Change control
• Transport Management System (TMS)
• Content Management System (CMS)
• Quality assurance
• System locks

Session 3: Business warehouse
• Instance risks and controls
• Authorization
• Information cubes
• On-line analytical processing (OLAP)
• Using with NetWeaver

Session 4: Governance, risk, and control (GRC)
• S-OX process control
• HIPAA, GLBA, FFIEC
• Compliance controls and visual presentations

Session 5: Tools
• Compliance calibrator
• Versa emergency ID
• ACL direct
• Security Weaver
• Approva
• CSI
• RiskWatch
• Visual Composer and NetWeaver

Tying it all together

Day Four:

Session 1: Reviewing the Basics
• System Parameters
• Key Security Settings
• Most Critical Basis and Security Risks

Session 2: SAP System Settings
• Multiple Logons
• Single Sign-on
• Database & Operating System Parameters

Session 3: Advanced SAP Basis Security
• Securing direct access to tables
• Securing access to ABAP programs
• Controlling administrator access
• Central User Administration (CUA) considerations
• Protecting security-critical objects and tables

Session 4: Controlling Non-Dialog User Types
• System users
• Communication users
• Service Users
• Reference Users

Session 5: Special Considerations
• Defining the Superuser to replace SAP*
• Global deactivation of authorization objects
• Remote Function Calls (RFC)
• TMS Trusted Services
• Virus Protection
• SAP GUI Integrity Checks

Agenda (continued)

Day Five:

Session 1: SAP Authentication Issues
• Secure Network Communications (SNC)
• X.509 Client Certificates
• SAP Logon Tickets
• Pluggable Authentication Services

Session 2: NetWeaver Security
• Network security for the SAP Web AS ABAP
• Secure Store & Forward (SSF)
• Digital Signatures & Protecting Keys

Session 3: Advanced Auditing of SAP Customizations
• Reviewing ABAP code
• Including custom tables in change document reports

Session 4: Advanced SAP Change & Transport System (CTS)
• TMS QA Approval Procedure
• Defining Approval Steps
• Tips for reconciling to change request systems
• Using SE03 Transport Organizer Tools

Session 5: Batch Input
• Protecting Batch Input Sessions
• Protecting the SAPconnect RFC User
• Controlling List Downloads
• Internet Graphics List Security

Session 6: Analyzing SAP Tables
• Key configuration tables
• Using the SQ01 Query Builder
• Data access with ACL / IDEA

TAILORED AND PERSONALISED IN-HOUSE TRAINING

Why Choose In-House Training?
• Savings - Running an in-house course in your offices will ensure you avoid the costs of travel and accommodation. Plus we charge per day, not per delegate. You can train six or sixteen people for the same price!
• Convenience - We can arrange a course that fits your team’s schedule. Any dates, any location, simply tell us what works best for you. Avoid the hassle of coordinating travel arrangements and accommodation for your staff.
• Tailored training - We have over 150 existing training courses you can mould to fit your exact requirements, or if you prefer we can just create a new agenda. You will have complete control over the course content.
• Confidentiality - You can focus on potentially thorny issues that may be specific to your organization which are best resolved in private with the expert guidance of your course director.

Some Of The Companies We Have Worked With:

PwC • International Labour Office • Barclays • Capital One • Legal and General • Deloitte • European Court of Auditors • Lukoil • Credit Suisse AG • Euroclear • AIB • U.S. Steel, Corp. • Novartis • National Commercial Bank • Qatar National Bank

Visit emea.misti.com/in-house-training
Call us on 020 3819 0800
Email [email protected]
