How to perform a security review on your sap systems in order to get a thumbs-up audit report


description

This presentation will explain what the key security elements are regarding User Access and how to manage them. This will allow you to incorporate these elements into your system and prepare for an SAP Audit. SAPience User Day, March 21, 2013

Transcript of How to perform a security review on your sap systems in order to get a thumbs-up audit report

Page 1: How to perform a security review on your sap systems in order to get a thumbs-up audit report

SAPience.be User Day ’13, March 21, 2013


How to perform a security review on your SAP systems in order to get a "thumbs-up" audit report

Melissa Dielman

SAPience.be User Day ‘13

Page 2: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Agenda

Introduction Expertum

User Access Audit

Level 1: Getting into SAP

Level 2: Getting around within SAP

Level 3: Managing the User Access

Getting support


Page 3: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Introduction Expertum


Facts

• Founded in April 2006 by 2 ex-SAP Belux employees

• Team of 50+ SAP Experts and Project Managers

• Partnerships

Mission

• Exceed client expectations by providing top-quality expertise

• Provide our people a safe environment for personal and professional growth

Strength

• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains

• First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)

Page 4: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Expertum Competence Areas

• Knowledge Management - Product & Service Development

• Project Management (PM)

• Supply Chain Management (SCM)

• Product Lifecycle Management (PLM)

• Application Lifecycle Management (SolMan + NW)

• Governance, Risk, and Compliance (GRC)

• Business Intelligence (BI: BW + BO)

• Finance & Controlling (FI/CO)

Focus GRC team

• SAP Authorization Health Check

• SAP Authorization Concept (re)Design

• SOD conflict Remediation

• SAP Security Framework design

• SAP GRC Toolbox - GRC RDS Certified

• SAP IDM

• Day to Day support

Page 5: How to perform a security review on your sap systems in order to get a thumbs-up audit report


User Access Audit

Security Risk

Why auditing user access?

Who’s auditing

Internal Threats: The main issues


Page 6: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Security risk: External Threats

Diagram: the SAP system surrounded by its perimeter controls: routers, firewalls, proxy servers, web servers, security incident & event monitoring.

Page 7: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Security risk: Internal Threats

Diagram: threats originating from within the SAP system itself.

Page 8: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Security risk: Compliancy Needs

Diagram: regulations and frameworks surrounding the SAP system: EU Privacy Directives, SOX, J-SOX, Basel II, FDA, OECD, Good Governance.

Page 9: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Why auditing User Access?

A lack of Segregation of Duties continues to be a top contributor to fraud.

“A lack of internal controls, such as segregation of duties, was cited as the biggest deficiency” (Control Weaknesses That Contributed to Fraud, Report to the Nations on Occupational Fraud and Abuse, 2010, ACFE)

Deloitte, 2010 TMT Global Security Study: “35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits”

Top 3 areas of internal/external audit findings:

• Excessive Access rights

• Audit trails and logging issues

• Lack of sufficient segregation of duties

As a consequence, “Organizations rate Identity and access management as one of their top 3 security initiatives for 2010”

Chart: Top Audit findings by Sector

Page 10: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Who’s Auditing

Because companies must comply with financial audits, the platform that contains, handles and reports on financial data is audited, as well as the processes around it.

• External/ Internal Audit

• Security Office

• Compliancy Board

• Auditing checklists

• Automated reviews

• Early Watch Reports

• Red lights are often recurring issues.


Page 11: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Internal Threats: The main issues

Today's SAP environments often lack appropriate security and control mechanisms, as demonstrated by the following facts:

• Lack of business & IT communication

• Fragmented approach to access control

• Inability to prevent access risk

• Bad practices in user management

Page 12: How to perform a security review on your sap systems in order to get a thumbs-up audit report


User Access Risk

Level 1: Getting into SAP

Level 2: Getting around in SAP

Level 3: User Access Management


Page 13: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 1: Getting into SAP

Identification: User IDs

• unique & identifiable -> accountability

Authentication: Passwords

• are you who you claim you are

• Tools:

  • Password Parameter settings

  • Multiple Logon Parameter settings

  • Auto log-off

  • User Locks

  • HR triggers

Page 14: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 1: Getting into SAP

Special SAP Users

• SAP*

• DDIC

• SAPCPIC

• Early Watch

Action

• Change generally known password

• Do not delete user

• Lock

• Remove Access rights

Page 15: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 1: Getting into SAP

Password Settings

• Validity initial/reset password

• Password changes

• Complexity

• Prohibited patterns


Page 16: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP


WHAT did they do WHERE?

Page 17: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

• Sensitive Access

• Segregation of Duties

• Process & Organizational relevance

Page 18: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

Segregation of Duties: preventing fraud and errors from disrupting process chains and the achievement of company targets, by spreading a task or process over different persons.

Rule definition

• Responsive to audit comments

• Purchased rulesets

• Standard Ruleset delivered with compliance software

• Company specific rules

! Restrict to a realistic number


Page 19: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

Sensitive Access: Business and IT processes that should be restricted to specific users for system protection, data protection, data privacy, …

Process & Organizational relevance: Access should be restricted to the processes relevant to the users (RACI)

Page 20: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

Occurrence of issues at:

• User

• Position

• Composite Role

• Single Role
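As an added example (not part of the presentation), the following Python snippet performs a simplified SoD analysis over a constructed role model and attributes each conflict to the level where it arises, as on the slide above: inside a single role, inside a composite role, or only through the user's combination of assignments (the position level is not modelled). The business functions, rules and role names are constructed for illustration; the transaction codes are standard SAP ones, but a real ruleset also evaluates authorization objects.

```python
# Added example (not from the presentation): a minimal SoD analysis that reports
# the level at which a conflict occurs (single role, composite role, or only the
# user's combination of assignments), as on the "Occurrence of issues" slide.
# Functions, rules and role names below are constructed; tcodes are standard ones.
FUNCTIONS = {  # business function -> transactions enabling it (constructed)
    "maintain_vendor": {"XK01", "XK02", "FK01"},
    "post_payment": {"F110", "F-53"},
    "maintain_user": {"SU01", "SU10"},
    "maintain_role": {"PFCG"},
}
RULES = {  # rule id -> pair of functions one person must not combine
    "P001": ("maintain_vendor", "post_payment"),
    "B001": ("maintain_user", "maintain_role"),
}

def conflicts(tcodes: set[str]) -> set[str]:
    """Rule ids violated by a transaction set (any transaction of a function suffices).
    A real ruleset also evaluates authorization objects, not only transaction codes."""
    funcs = {f for f, tx in FUNCTIONS.items() if tcodes & tx}
    return {rid for rid, (a, b) in RULES.items() if a in funcs and b in funcs}

def analyze(user, assignments, single, composite):
    """Return (rule, level, container) per conflict. A rule is attributed to the
    smallest container that already contains it; position-based assignments
    (not modelled here) would be treated like the user's direct ones."""
    found, explained, user_tx = [], set(), set()
    for a in assignments:
        singles = composite.get(a, [a])          # a composite expands to its singles
        comp_tx, comp_hits = set(), set()
        for s in singles:
            hits = conflicts(single[s])
            found += [(rid, "single role", s) for rid in sorted(hits)]
            comp_hits |= hits
            comp_tx |= single[s]
        if a in composite:                       # conflicts created only by the combination
            for rid in sorted(conflicts(comp_tx) - comp_hits):
                found.append((rid, "composite role", a))
                comp_hits.add(rid)
        explained |= comp_hits
        user_tx |= comp_tx
    found += [(rid, "user", user) for rid in sorted(conflicts(user_tx) - explained)]
    return found

# Constructed role model: one conflict built into a single role, one into a composite.
SINGLE = {"Z_AP_VENDOR": {"XK01", "XK02"}, "Z_AP_PAY": {"F110"},
          "Z_BASIS_USER": {"SU01", "PFCG"}, "Z_FI_DISPLAY": {"FK03"}}
COMPOSITE = {"ZC_AP_CLERK": ["Z_AP_VENDOR", "Z_AP_PAY"]}

if __name__ == "__main__":
    print(analyze("JDOE", ["ZC_AP_CLERK", "Z_FI_DISPLAY"], SINGLE, COMPOSITE))
```

The same rule P001 is reported at composite level for a user holding ZC_AP_CLERK, but at user level for a user holding Z_AP_VENDOR and Z_AP_PAY as separate single roles, which tells the role owner where the remediation belongs.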

Page 21: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

Role Level

? Does the description fit the bill? (Process & organization)

? Is the role level granular enough?

! Avoid using wildcards

! Enjoy transactions

! Be critical about default SU24 values

! Avoid manually inserted objects

! Ensure Consistency (masters & deriveds)


Page 22: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 2: Getting around in SAP

SAP Security Notes: ABAP and Kernel Software Corrections

• Transaction ST13, tool RSECNOTE

• https://service.sap.com/security indicates which are monitored for EWA

• SAP Note 888889


Page 23: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 3: User Access Management

Key Elements to controlled User Access

• Process

• Organization

• Documentation

• Reporting

Page 24: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 3: User Access Management

User Access Management Processes:

• User creation

• User Lock

• User Termination

• Additional User Access Request

• User Access Change: revoke old access rights!

! Preventive SOD check

! Business Governance

! Documentation


Page 25: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 3: User Access Management

Organization: Business ownership over business data!

• Who can request

• Who approves (1-2-3 levels)

• Who reviews

Diagram: governance cycle

• Define & Control

• Empower

• Inform & Monitor

• Document

Page 26: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Level 3: User Access Management

Reporting


Page 27: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Getting Support


AUTOMATION

EXPERTISE

INFORMATION

SUSTAINABILITY

COST EFFICIENCY

Page 28: How to perform a security review on your sap systems in order to get a thumbs-up audit report


GRC Access Control

Analyze & Manage Risks (AMR)

• Accurately identify and analyze access risk violations in real-time

• Remediate and mitigate conflicts for users and roles

• Continuously monitor access risks and user assignments across the enterprise

Emergency Access Management (EAM)

• Self service emergency access activation

• Centrally approve and manage emergency access for all SAP systems

• Detailed usage logs for comprehensive emergency access reviews

Business Role Management (BRM)

• Centralized business role management

• Enforced compliancy to format & SOD rules

• Automated role governance process involving business & technical owners

Provision & Manage Users (PMU)

• Self service user access request process

• Preventive risk analysis in user provisioning

• Automated workflow for efficiently approving requests

• Streamline and automate reviews of user access

Page 29: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Access Control: Value

IT costs are reduced through

• Self service password reset

• Automated user access requests

• Automated periodic certification reviews

• Preventive impact simulation of planned actions & access requests

• Automated root cause analysis of issues

• Integration with IDM solutions to ensure consistency and compliance across the enterprise

Operational costs are reduced through

• Faster response times for access requests

• Reduced response time to business emergencies through Emergency Access

• Reduced penalties for Risk & compliance violations

Audit costs are reduced through

• Automated audit trail of changes to rules, access approval & risk mitigation

• Automated reporting & centralized location, reducing analysis time for internal & external auditors

• Automated process reducing audit analysis from full data & process testing to tool testing

Page 30: How to perform a security review on your sap systems in order to get a thumbs-up audit report


Recap

“35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits”

Level 1: Getting into SAP: Users & Passwords

Level 2: Getting around in SAP: SOD, Critical access, process & organizational access

Level 3: User Access Management: Processes & Organization

Support: Sustainability, Expertise & Tooling


Page 31: How to perform a security review on your sap systems in order to get a thumbs-up audit report

Thank you!


Get Inspired. Stay Connected. Achieve Business Agility.