SAP Security Weekly, Monthly, Yearly Activities

Former Member

Dear Experts,

As an SAP Security Consultant,

what is the list of SAP-recommended activities to be performed in the Production environment to maintain the system well?

Can you please provide me a list of SAP-recommended weekly, monthly and yearly activities and why they need to be performed?

Thanks and Regards

Sanyukta

6 REPLIES

Private_Member_69416
Active Participant

Hi

For beginning:

yearly

  • Do upgrades/updates to the highest available stable version of your products. Best if you can do it more than once. It will help you to cover unpublished security corrections and prepare for implementing new ones.
  • Do an external security audit of your environment - it helps to find ways of breaking your SAP without even touching the system.

monthly

  • Implement notes released for the second Tuesday of every month - SAP Security Patch Day.

ongoing:

  • monitor system/security logs
  • monitor system health, e.g. with Solution Manager technical monitoring
  • monitor system changes (parameters, services, defined connections...), e.g. with Solution Manager RCA Change Analysis

Regards

Przemek

dsanpor
Participant

Hello,

It is too generic a question. You want to establish a business plan for preventive safety or security forensics. For what? Users, system, servers, communications, database.

I think that you need to identify your target.

Best regards, David.

Former Member

Dear Experts,

Yes, the question became very generic; I will try to give some details.

My client has been using SAP for quite a long time, but they have not been able to maintain good security measures.

By looking at the system I analysed some issues, as below:

- Secure password policy is not sufficiently enforced.

- A high number of users have critical authorizations.

- Standard users including SAP* or DDIC have default passwords.

- Dialog users have access to powerful profiles like SAP_ALL.

- Changes (tables, roles, configuration changes) are carried out directly in Production.

- Many users are part of the “SUPER” user group.

- User master records are not updated with the required details.

- User changes are made by SAP* in production.

So I want to suggest some audit activities which can be carried out weekly, monthly and quarterly,

so that there will be a systematic process to check the security of the production system,

and there will be no rush and mass changes before the yearly audit.

Please advise.

Regards

Sanyukta


Hi Sanyukta,

Are you serious about what you have mentioned above? It is hard to believe your statements in a production environment. Or is this your lab environment you are talking about?

Cheers

Shyam

Former Member

Hi,

You are right to be concerned. What you are describing falls under IT General Controls (ITGCs) and I would expect all of the above to be covered by monitoring once fixed. Most importantly, there are penalties for non-compliance. Speak to your client's infosec team. Often they are not aware of SAP and how SAP teams ignore their rules (SAP teams like to pretend they are special and the rules don't apply because SAP is "different". Simply not true!).

For all of these I would expect monthly monitoring at a minimum, although Solution Manager can do most of the reporting for you through configuration validation and SOS. Your auditors should be able to provide a full ITGC checklist; alternatively, there are resources available on AuditNet and the IIA.

Your list isn't surprising for smaller companies with no regulatory requirements & poor change control. I have put some comments against each one - with the exception of change management (updates in prod) they should be easy fixes.

- Secure password policy is not sufficiently enforced. (Control through password complexity parameters, monitor parameters on a monthly basis, restrict access to change parameters.)

- A high number of users have critical authorizations. (Clean up & put in a process to stop this from happening. Consider use of tooling, e.g. SAP GRC or even just RSUSR008_009_NEW, to monitor on an ongoing basis.)

- Standard users including SAP* or DDIC have default passwords. (One-time cleanup/fix; there is lots of guidance on recommended settings. Monthly monitoring.)

- Dialog users have access to powerful profiles like SAP_ALL. (Clean up, put in a policy to prohibit, put in a process to prevent assignment, monitor monthly.)

- Changes are carried out directly in Production, like tables, roles, configuration changes. (Remove production access, monitor changes monthly, implement a proper change management process.)

- Many users are part of the “SUPER” user group. (Reassign to a more appropriate group.)

- User master records are not updated with the required details. (Clean up, fix the process, monitor monthly.)

- User changes are made by SAP* in production. (Remove access to SAP* as part of the lock-down activity.)


Good luck.
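The monthly monitoring that the reply above attaches to each finding (parameter review, powerful profiles, SUPER group membership, incomplete user master data) is easy to automate once the data has been exported from the system. The following script is an added example written for this page; it is not code from the thread, from SAP or from Solution Manager, and it does not replace the RSUSR reports for the live checks (default passwords of SAP* and DDIC in particular). The `login/*` parameter names are real SAP profile parameters; the baseline thresholds, the severity mapping and the sample users and parameter values are assumptions constructed to mirror the weak state the original poster describes, and the export format (name-to-value mapping and a list of user records) is assumed to be what your extraction produces.

```python
from dataclasses import dataclass

# Constructed sample of a profile-parameter export (parameter name -> active value).
# The names are real SAP login/* parameters; the values are made up to mirror the thread.
PARAMS = {
    "login/min_password_lng": "6",
    "login/password_expiration_time": "0",   # 0 = passwords never expire
    "login/fails_to_user_lock": "99",
    "login/no_automatic_user_sapstar": "0",  # 0 = automatic SAP* fallback login allowed
}

# Assumed policy baseline for this example (not an SAP-published value; align to your policy).
# ("min", n): value >= n; ("range", (lo, hi)): lo <= value <= hi; ("eq", n): value == n.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("range", (1, 90)),
    "login/fails_to_user_lock": ("range", (1, 5)),
    "login/no_automatic_user_sapstar": ("eq", 1),
}

POWERFUL_PROFILES = {"SAP_ALL", "SAP_NEW"}
PRIVILEGED_GROUP = "SUPER"
STANDARD_USERS = {"SAP*", "DDIC"}


@dataclass(frozen=True)
class User:
    name: str
    utype: str            # SU01 user type: A=dialog, B=system, C=communication, S=service
    group: str
    profiles: tuple
    email: str = ""
    department: str = ""


# Constructed user-master sample (hypothetical users) mirroring the thread's findings.
USERS = [
    User("SAP*", "A", "SUPER", ("SAP_ALL",)),
    User("JDOE", "A", "SUPER", ("SAP_ALL",), "jdoe@example.invalid", "FI"),
    User("RFC_BATCH", "B", "SYSTEM", ("SAP_ALL",)),
    User("MSMITH", "A", "FINANCE", ("Z_FI_DISPLAY",)),
    User("ALEE", "A", "HR", ("Z_HR_ADMIN",), "alee@example.invalid", "HR"),
]


def check_parameters(params=PARAMS, baseline=BASELINE):
    """Return (severity, category, subject, detail) for each parameter missing the baseline.
    A governed parameter that is absent from the export is itself a finding."""
    findings = []
    for name, (kind, want) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append(("high", "parameter", name, "not present in export"))
            continue
        have = int(raw)
        if kind == "min":
            ok = have >= want
        elif kind == "eq":
            ok = have == want
        else:  # "range"
            ok = want[0] <= have <= want[1]
        if not ok:
            findings.append(("high", "parameter", name, f"value {have} violates {kind} {want}"))
    return findings


def check_users(users=USERS):
    """Flag powerful profiles, SUPER group membership and incomplete master data."""
    findings = []
    for u in users:
        powerful = sorted(POWERFUL_PROFILES.intersection(u.profiles))
        if powerful:
            # Dialog user with SAP_ALL is the thread's complaint; a non-dialog user
            # holding it still deserves a ticket, so it gets a lower severity.
            sev = "high" if u.utype == "A" else "medium"
            findings.append((sev, "profile", u.name, f"holds {powerful}"))
        if u.group == PRIVILEGED_GROUP and u.name not in STANDARD_USERS:
            findings.append(("medium", "group", u.name, f"member of user group {PRIVILEGED_GROUP}"))
        if u.utype == "A" and u.name not in STANDARD_USERS and not (u.email and u.department):
            findings.append(("low", "master-data", u.name, "e-mail or department missing"))
    return findings


def run_baseline(params=PARAMS, users=USERS):
    """Run both checks and return the combined findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(check_parameters(params) + check_users(users), key=lambda f: order[f[0]])


def summarize(findings):
    """Count findings per category; the month-over-month trend of these counts is the KPI."""
    counts = {}
    for _, category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, cat, subject, detail in run_baseline():
        print(f"{sev:6} {cat:12} {subject:12} {detail}")
    print(summarize(run_baseline()))
```

Run it monthly against a fresh export and keep the `summarize()` output per run: a category count that does not fall to zero after the one-time cleanup is the process failure the reply above warns about, and a count that rises between runs points at the assignment or change process rather than at a single user.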

Former Member

Thank you Sam.

I was seeking some in-depth information which can be proposed as weekly, monthly, quarterly and yearly audit tasks,

like:

RSUSR003     Check the Passwords of Users SAP* and DDIC in All Clients

RSUSR004     Restrict User Values to the Following Simple Profiles and Auth. Ob

RSUSR005     List of Users With Critical Authorizations

RSUSR006     Locked Users and Users with Incorrect Logons

RSUSR007     Display Users with Incomplete Address Data

I was not able to suggest them in the best sequence.

Regards

Sanyu...