How to perform a security review on your sap systems in order to get a thumbs-up audit report
Transcript of How to perform a security review on your sap systems in order to get a thumbs-up audit report
SAPience.be User Day ’13, March 21, 2013
How to perform a security review on your SAP systems in order to get a "thumbs-up" audit report
Melissa Dielman
Agenda
Introduction Expertum
User Access Audit
Level 1 : Getting into SAP
Level 2 : Getting around within SAP
Level 3 : Managing the User Access
Getting support
Introduction Expertum
Facts
• Founded in April 2006 by 2 ex-SAP Belux employees
• Team of 50+ SAP Experts and Project Managers
• Partnerships
Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
• First (and still only) IT services provider on the Belgian market to receive the coveted SAP certificate for quality management (AQM)
Expertum Competence Areas
• Knowledge Management
• Product & Service Development
• Project Management (PM)
• Supply Chain Management (SCM)
• Product Lifecycle Management (PLM)
• Application Lifecycle Management (SolMan + NW)
• Governance, Risk, and Compliance (GRC)
• Business Intelligence (BI: BW + BO)
• Finance & Controlling (FI/CO)
Focus GRC team
• SAP Authorization Health Check
• SAP Authorization Concept (re)Design
• SOD conflict Remediation
• SAP Security Framework design
• SAP GRC Toolbox - GRC RDS Certified
• SAP IDM
• Day to Day support
User Access Audit
Security Risk
Why auditing user access?
Who’s auditing
Internal Threats: The main issues
Security risk: External Threats
[Figure labels: SAP; routers, firewalls, proxy servers, web servers, security incident & event monitoring]
Security risk: Internal Threats
[Figure: internal threats to the SAP system]
Security risk: Compliancy Needs
[Figure labels: SAP; EU Privacy Directives, SOX, Basel II, J-SOX, FDA, Good Governance, OECD, …]
Why auditing User Access?
Segregation of Duties continues to be a top contributor in fraud activities
“A lack of internal controls, such as segregation of duties, was cited as the biggest deficiency” - Control Weaknesses That Contributed to Fraud, Report to the Nations on Occupational Fraud and Abuse, 2010, ACFE
Deloitte, 2010 TMT Global Security Study: “35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits”
Top 3 areas of internal/external audit findings:
• Excessive Access rights
• Audit trails and logging issues
• Lack of sufficient segregation of duties
As a consequence, “Organizations rate Identity and access management as one of their top 3 security initiatives for 2010”
[Figure: Top Audit findings by Sector]
Who’s Auditing
Because of the financial audits companies need to comply with, the platform that contains, handles & reports on financial data is audited, as well as the processes.
• External/ Internal Audit
• Security Office
• Compliancy Board
• Auditing checklists
• Automated reviews
• Early Watch Reports
• Red lights are often recurring issues.
Internal Threats: The main issues
Today's SAP environments often lack appropriate security and control mechanisms, which is demonstrated by the following facts:
• Lack of business & IT communication
• Fragmented approach to access control
• Inability to prevent access risk
• Bad practices in user management
User Access Risk
Level 1: Getting into SAP
Level 2: Getting around in SAP
Level 3: User Access Management
Level 1: Getting into SAP
Identification: User IDs
• unique & identifiable -> accountability
Authentication: Passwords
• are you who you claim you are
• Tools:
  • Password Parameter settings
  • Multiple Logon Parameter settings
  • Auto log-off
  • User Locks
  • HR triggers
Level 1: Getting into SAP
Special SAP Users
• SAP*
• DDIC
• SAPCPIC
• Early Watch
Action
• Change generally known password
• Do not delete user
• Lock
• Remove Access rights
Level 1: Getting into SAP
Password Settings
• Validity initial/reset password
• Password changes
• Complexity
• Prohibited patterns
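As an added example (not part of the slides), the Level 1 checks above applied to an exported parameter listing: a short script that compares login/* and rdisp/* profile parameters against a baseline and flags weak settings, covering the initial/reset password validity, password changes, complexity, multiple logon, auto log-off, user lock and SAP* points from the preceding slides. The parameter names are real SAP profile parameters; the baseline thresholds, the "name value" export format and the sample export are assumptions constructed for this example, not SAP defaults or an official recommendation.

```python
# Baseline per parameter: (comparison, threshold, control it supports). Parameter
# names are real SAP profile parameters; thresholds are assumed for this example.
BASELINE = {
    "login/min_password_lng": (">=", 8, "complexity: minimum length"),
    "login/min_password_specials": (">=", 1, "complexity: special characters"),
    "login/password_expiration_time": ("<=", 90, "password changes: max validity in days"),
    "login/password_max_idle_initial": ("<=", 14, "validity of initial/reset passwords in days"),
    "login/fails_to_user_lock": ("<=", 5, "user lock after failed logon attempts"),
    "login/disable_multi_gui_login": ("==", 1, "multiple logon: no parallel GUI sessions"),
    "login/no_automatic_user_sapstar": ("==", 1, "special users: no hard-coded SAP* logon"),
    "rdisp/gui_auto_logout": ("<=", 1800, "auto log-off: idle seconds"),
}
# For these parameters the value 0 switches the control off entirely.
ZERO_DISABLES = {"login/password_expiration_time", "login/password_max_idle_initial",
                 "rdisp/gui_auto_logout"}

def parse_export(text):
    """Parse constructed 'name value' lines into {parameter: int}; other lines are skipped."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            params[parts[0]] = int(parts[1])
    return params

def evaluate(name, value):
    """None if the value meets the baseline, else a one-line finding."""
    op, limit, control = BASELINE[name]
    if name in ZERO_DISABLES and value == 0:
        return f"{name}=0 switches the control off ({control})"
    ok = {">=": value >= limit, "<=": value <= limit, "==": value == limit}[op]
    return None if ok else f"{name}={value}, baseline {op} {limit} ({control})"

def check_parameters(text):
    """Findings for every baseline parameter; a parameter missing from the export is a finding too."""
    params = parse_export(text)
    findings = [f"{n} not in export: default applies, verify on the system"
                for n in BASELINE if n not in params]
    findings += [f for f in (evaluate(n, v) for n, v in params.items() if n in BASELINE) if f]
    return findings

# Constructed export of an imperfectly configured system (not a real system).
SAMPLE_EXPORT = """
login/min_password_lng 6
login/min_password_specials 0
login/password_expiration_time 0
login/password_max_idle_initial 14
login/fails_to_user_lock 5
login/disable_multi_gui_login 0
login/no_automatic_user_sapstar 1
"""
```

`check_parameters(SAMPLE_EXPORT)` returns five findings for the sample: the missing auto log-off parameter, the short minimum length, no required special characters, password expiration switched off, and multiple GUI logons allowed.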
Level 2: Getting around in SAP
WHAT did they do WHERE?
Level 2: Getting around in SAP
Sensitive Access
Segregation of Duties
Process & Organizational relevance
Level 2: Getting around in SAP
Segregation of Duties: preventing fraud/errors from disrupting process chains and the achievement of company targets, by spreading a task/process over different persons.
Rule definition
• Responsive to audit comments
• Purchased rulesets
• Standard Ruleset delivered with compliance software
• Company specific rules
! Restrict to a realistic number
Level 2: Getting around in SAP
Sensitive Access: Business and IT processes that should be restricted to specific users for system protection, data protection, data privacy, …
Process & Organizational relevance: Access should be restricted to the processes relevant to the users (RACI)
Level 2: Getting around in SAP
Occurrence of issues at: User, Position, Composite Role, Single Role
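As an added example (not from the slides), a small SOD analysis that reports at which of those levels a conflict is introduced: inside a single role, only when single roles are combined in a composite role, or only at the user level. The functions, rules, roles, transaction codes and users are constructed sample data; a real ruleset comes from the sources listed on the Segregation of Duties slide.

```python
FUNCTIONS = {  # business function -> transaction codes (constructed sample data)
    "VENDOR_MAINT": {"XK01", "XK02"},
    "INVOICE_POST": {"MIRO", "FB60"},
    "PAYMENT_RUN": {"F110"},
}
RULES = {  # rule id -> pair of functions one person must not hold together (constructed)
    "P001": ("VENDOR_MAINT", "INVOICE_POST"),
    "P002": ("VENDOR_MAINT", "PAYMENT_RUN"),
}
SINGLE_ROLES = {  # role -> transaction codes it grants (constructed)
    "Z_AP_CLERK": {"MIRO", "FB60"},
    "Z_VENDOR_MD": {"XK01", "XK02"},
    "Z_PAY_RUN": {"F110"},
    "Z_AP_ALLINONE": {"MIRO", "F110", "XK02"},  # conflict built into one single role
}
COMPOSITE_ROLES = {"ZC_AP_FULL": ["Z_AP_CLERK", "Z_VENDOR_MD"]}  # conflict across singles
USERS = {  # user -> (single roles, composite roles) (constructed)
    "ALICE": (["Z_AP_CLERK"], []),
    "BOB": (["Z_PAY_RUN", "Z_VENDOR_MD"], []),  # conflict arises only at user level
    "CAROL": ([], ["ZC_AP_FULL"]),
    "DAVE": (["Z_AP_ALLINONE"], []),
}


def conflicts_in(tcodes):
    """Rule IDs violated by one set of transaction codes."""
    funcs = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    return {r for r, (a, b) in RULES.items() if a in funcs and b in funcs}


def composite_tcodes(comp):
    return set().union(*(SINGLE_ROLES[s] for s in COMPOSITE_ROLES[comp]))


def analyze():
    """(level, object, rule) triples; a conflict already present in a contained
    role is not reported again at the level above it."""
    findings = []
    for role, tcodes in SINGLE_ROLES.items():
        findings += [("single role", role, r) for r in sorted(conflicts_in(tcodes))]
    for comp, singles in COMPOSITE_ROLES.items():
        inherited = set().union(*(conflicts_in(SINGLE_ROLES[s]) for s in singles))
        new = conflicts_in(composite_tcodes(comp)) - inherited
        findings += [("composite role", comp, r) for r in sorted(new)]
    for user, (singles, comps) in USERS.items():
        parts = [SINGLE_ROLES[s] for s in singles] + [composite_tcodes(c) for c in comps]
        inherited = set().union(*(conflicts_in(p) for p in parts))
        new = conflicts_in(set().union(*parts)) - inherited
        findings += [("user", user, r) for r in sorted(new)]
    return findings
```

On the sample data `analyze()` reports P001 and P002 inside Z_AP_ALLINONE, P001 introduced by the composite ZC_AP_FULL, and P002 introduced only by BOB's combination of two individually clean single roles; CAROL and DAVE inherit their conflicts from the roles and are not reported again.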
Level 2: Getting around in SAP
Role Level
? Does the description fit the bill? (process & organization)
? Is the role level granular enough?
! Avoid using wildcards
! Enjoy transactions
! Be critical about default SU24 values
! Avoid manually inserted objects
! Ensure Consistency (masters & deriveds)
Level 2: Getting around in SAP
SAP Security Notes: ABAP and Kernel Software Corrections
• Transaction ST13, tool RSECNOTE
• https://service.sap.com/security indicates which are monitored for EWA
• SAP Note 888889
Level 3: User Access Management
Key Elements to controlled User Access: Process, Organization, Documentation, Reporting
Level 3: User Access Management
User Access Management Processes:
• User creation
• User Lock
• User Termination
• Additional User Access Request
• User Access Change: revoke old access rights!
! Preventive SOD check
! Business Governance
! Documentation
Level 3: User Access Management
Organization: Business ownership over business data!
• Who can request
• Who approves (1-2-3 levels)
• Who reviews
[Figure: Define & Control, Empower, Inform & Monitor, Document]
Level 3: User Access Management
Reporting
Getting Support
[Figure labels: AUTOMATION, EXPERTISE, INFORMATION, SUSTAINABILITY, COST EFFICIENCY]
GRC Access Control
Analyze & Manage Risks (AMR)
• Accurately identify and analyze access risk violations in real time
• Remediate and mitigate conflicts for users and roles
• Continuously monitor access risks and user assignments across the enterprise
Emergency Access Management (EAM)
• Self-service emergency access activation
• Centrally approve and manage emergency access for all SAP systems
• Detailed usage logs for comprehensive emergency access reviews
Business Role Management (BRM)
• Centralized business role management
• Enforced compliance with format & SOD rules
• Automated role governance process involving business & technical owners
Provision & Manage Users (PMU)
• Self-service user access request process
• Preventive risk analysis in user provisioning
• Automated workflow for efficiently approving requests
• Streamline and automate reviews of user access
Access Control: Value
IT costs are reduced through
• Self-service password reset
• Automated user access requests
• Automated periodic certification reviews
• Preventive impact simulation of planned actions & access requests
• Automated root cause analysis of issues
• Integration with IDM solutions to ensure consistency and compliance across the enterprise
Operational costs are reduced through
• Faster response to access requests
• Reduced response time to business emergencies through Emergency Access
• Reduced penalties for Risk & compliance violations
Audit costs are reduced through
• Automated audit trail of changes to rules, access approval & risk mitigation
• Automated reporting & centralized location reducing analysis time for internal & external auditors
• Automated process reducing audit analysis from full data & process testing to tool testing
Recap
“35% of respondents report that excessive access rights is the number one problem identified by internal and external security audits”
Level 1: Getting into SAP: Users & Passwords
Level 2: Getting around in SAP: SOD, Critical access, process & organizational access
Level 3: User Access Management: Processes & Organization
Support: Sustainability, Expertise & Tooling
Thank you!
Get Inspired. Stay Connected. Achieve Business Agility.