02-26-2015 10:47 AM
Dear Experts,
As an SAP Security Consultant,
what is the list of SAP recommended activities to be performed in the Production environment to maintain the system well?
Can you please provide me a list of SAP recommended weekly, monthly and yearly activities and why they need to be performed?
Thanks and Regards
Sanyukta
02-27-2015 8:16 AM
Hi
For beginning:
yearly
monthly
ongoing:
Regards
Przemek
02-27-2015 8:17 AM
Hello,
It is too generic a question. You want to establish a business plan for preventive safety of security forensics. For what? Users, systems, servers, communications, database.
I think that you need to identify your target.
Best regards David.
02-27-2015 7:15 PM
Dear Experts,
Yes, the question became very generic; I will try to give some details.
My client has been using SAP for quite a long time, but they have not been able to maintain good security measures.
By examining the system I analysed some issues, as below:
- Secure password policy is not sufficiently enforced.
- A high number of users have critical authorizations.
- Standard users including SAP* or DDIC have default passwords.
- Dialog users have access to powerful profiles like SAP_ALL.
- Changes are carried out directly in Production, like tables, roles and configuration changes.
- Many users are part of the "SUPER" user group.
- User master records are not updated with required details.
- User changes are made by SAP* in production.
So I want to suggest some audit activities which can be carried out weekly, monthly and quarterly,
so that there will be a systematic process to check the security of the production system,
and there will be no rush and mass changes before the yearly audit.
Please advise.
Regards
Sanyukta
03-09-2015 2:35 AM
Hi Sanyukta,
Are you serious about what you have mentioned above? It is hard to believe your statements in a production environment. Or is this your lab environment you are talking about?
Cheers
Shyam
03-10-2015 12:25 AM
Hi,
You are right to be concerned. What you are describing falls under IT General Controls (ITGCs), and I would expect all of the above to be covered by monitoring once fixed. Most important is that there are penalties for non-compliance. Speak to your client's infosec team. Often they are not aware of SAP and how SAP teams ignore their rules (SAP teams like to pretend they are special and the rules don't apply because SAP is "different". Simply not true!).
For all of these I would expect monthly monitoring at a minimum, although Solution Manager can do most of the reporting for you through configuration validation and SOS. Your auditors should be able to provide a full ITGC checklist, alternatively there are resources available on auditnet and the IIA.
Your list isn't surprising for smaller companies with no regulatory requirements & poor change control. I have put some comments against each one - with the exception of change management (updates in prod) they should be easy fixes.
- Secure password policy is not sufficiently enforced. (control through password complexity parameters, monitor parameters on a monthly basis, restrict access to change parameters)
- A high number of users have critical authorizations (cleanup & put in a process to stop this from happening. Consider use of tooling e.g. SAP GRC or even just RSUSR008_009_NEW to monitor on an ongoing basis).
- Standard users including SAP* or DDIC have default passwords. (one-time cleanup/fix; there is lots of guidance on recommended settings. Monthly monitoring).
- Dialog users have access to powerful profiles like SAP_ALL. (cleanup, put in a policy to prohibit, put in a process to prevent assignment, monitor monthly).
- Changes are carried out directly in Production like tables, roles, configuration changes. (remove production access, monitor changes monthly, implement proper change management process).
- Many users are part of “SUPER” user group (reassign to more appropriate group).
- User master records are not updated with required details. (cleanup, fix process, monitor monthly).
- User changes are made by SAP* in production. (Remove access to SAP* as part of the lock down activity).
Good luck.
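As an added illustration of the monthly monitoring suggested in the reply above (not code from the thread or from SAP), the script below runs four of the listed control checks over an offline user export: dialog users holding powerful profiles, members of the SUPER group, master records missing required details, and locked users. The CSV layout, column names, required fields and sample rows are all constructed assumptions for the example.

```python
"""Review a constructed SAP user export against the thread's control points.
Column names are an assumed flat layout (loosely after USR02/UST04 fields);
this is not a real SAP export format."""
import csv
import io
from collections import defaultdict

# Constructed sample, one row per user/profile pair. USTYP 'A' = dialog user,
# UFLAG 0 = unlocked, 64 = locked by administrator. Not real data.
SAMPLE_EXPORT = """\
BNAME,USTYP,CLASS,UFLAG,PROFILE,EMAIL,DEPARTMENT
JSMITH,A,FINANCE,0,SAP_ALL,jsmith@example.invalid,FI
JSMITH,A,FINANCE,0,Z_FI_DISPLAY,jsmith@example.invalid,FI
BATCHJOB,B,SUPER,0,SAP_ALL,,
MBROWN,A,SUPER,0,Z_MM_CLERK,,MM
KLEE,A,BASIS,64,Z_BASIS_ADMIN,klee@example.invalid,IT
DDIC,A,SUPER,0,SAP_ALL,,
"""

POWERFUL_PROFILES = {"SAP_ALL", "SAP_NEW"}  # assumed "powerful" set
REQUIRED_FIELDS = ("EMAIL", "DEPARTMENT")   # assumed "required details"

def load_users(export_text):
    """Collapse the flat export into one record per user with a profile set."""
    users = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        rec = users.setdefault(row["BNAME"], {**row, "PROFILES": set()})
        rec["PROFILES"].add(row["PROFILE"])
    return users

def monthly_findings(export_text):
    """Return {check_name: sorted user names} for the thread's control points."""
    users = load_users(export_text)
    findings = defaultdict(list)
    for name, u in users.items():
        # Only dialog users are flagged; system users need separate review.
        if u["USTYP"] == "A" and u["PROFILES"] & POWERFUL_PROFILES:
            findings["dialog_user_with_powerful_profile"].append(name)
        if u["CLASS"] == "SUPER":
            findings["member_of_SUPER_group"].append(name)
        if any(not u[f] for f in REQUIRED_FIELDS):
            findings["incomplete_master_record"].append(name)
        if u["UFLAG"] != "0":
            findings["locked_user"].append(name)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for check, names in sorted(monthly_findings(SAMPLE_EXPORT).items()):
        print(f"{check}: {', '.join(names)}")
```

Default-password checks for SAP* and DDIC cannot be done from such an export; those stay with RSUSR003 inside the system.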
03-10-2015 2:58 PM
Thank you Sam.
I was seeking some in-depth information which can be proposed as weekly, monthly, quarterly and yearly audit tasks,
like:
- RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients
- RSUSR004 Restrict User Values to the Following Simple Profiles and Auth. Ob
- RSUSR005 List of Users With Critical Authorizations
- RSUSR006 Locked Users and Users with Incorrect Logons
- RSUSR007 Display Users with Incomplete Address Data
I was not able to suggest them in the best sequence.
Regards
Sanyu...