Page 1: GRCSing2015_Kumar_Howtoperformasystem

How to Perform a System Audit and Technical Review of SAP Access Control

Barun Kumar, Turnkey Consulting

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved.

In This Session

• Learn about:
  – Important audit concerns in an SAP Access Control environment
  – Control objectives of auditing SAP Access Control
• Gain an understanding of:
  – Major risks associated with the identified control weaknesses
  – Preventative measures to remediate identified risks and possible issues
• Learn how to implement and operate an audit-compliant SAP Access Control system

What We’ll Cover

• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up

The Big Picture – System Architecture

[Architecture diagram] Source: SAP Access Control sizing guide

Why Audit SAP Access Control?

• A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby eliminating the likelihood of fraudulent or malicious activities
  – It involves the verification of conformance to policies and procedures through close review of objective and empirical evidence
• SAP Access Control is the compliance tool in the SAP system landscape; hence, it needs to be self-compliant
  – Compromise of the tool can mean compromise of the entire system landscape (SAP and non-SAP)
• Evaluation of the organization’s internal control design
• Gain assurance on the operating effectiveness of defined controls

When to Audit

• Review of the SAP Access Control system should be performed:
  – Pre-go-live
  – Post-go-live
  – On an ongoing basis
• Irrespective of the timing, you should check the controls defined in the system against what is defined in the security policies of the organization

What to Audit

• Technical infrastructure
  – Hardware – memory, CPU, etc.
  – Software – SAP components, databases, operating system
  – Network
• Processes
• Master data
• Internal controls and policies
• Customization settings
• Documentation

What Happens If You Do Not Audit

• Business implications
  – Possible compromise of the compliance tool
  – Loss of goodwill for the organization
  – Payment of huge fines
  – Inability of the business to continue to operate, in extreme cases
• Technical implications
  – System performance degradation
  – Knowledge transfer gaps
  – Error-prone system
  – System unavailability
  – Obsolete functionalities

Technical and System Information

• Technical installation validation
• Activation of Internet Communication Framework (ICF) services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization

Technical Installation Validation

• Installation of SAP Access Control requires installation of:
  – SAP
  – Database
  – Operating system
• Major risk
  – The system might be:
    - Error prone
    - Unusable
    - Missing functionalities
• Preventative measures
  – Ensure that the systems run the required, correct, and current software components and products

Technical Installation Validation (cont.)

• SAP Access Control 10.x requires the following GRC software components and other dependent components:
  – GRCFND_A — mandatory, installed on the GRC server
  – GRCPINW — mandatory, installed on the back-end system
  – GRCPIERP — optional, installed on the back-end system
    - Confirm GRCPIERP is installed if you need specific functionalities like HR triggers
    - Requires the SAP_ABA and SAP_HR software components
• Gain assurance about the consistency and synchronization requirement between the support package (SP) levels of the foundation and plug-in components
  – For SAP GRC 10.0 (prior to SP10), the SP level of the GRC foundation component and the plug-in must be the same

Technical Installation Validation (cont.)

• Auditors must be assured that all required software components are installed
  – Setup of Adobe Document Services (which requires a Java instance) is required for PDF reports
  – The Crystal Reports ALV adapter is required for generating Crystal Reports-based reports
• The technical review should evaluate the currency of software components
  – Current support package is implemented
  – Kernel is upgraded to the current patch level
  – Important SAP Notes are implemented (e.g., SAP Note 1545511)
  – Current operating system and database patches are deployed

Activation of ICF Services

• ICF supports the processing of HTTP, HTTPS, or SMTP requests in the ABAP work processes of an SAP system
• As part of the post-installation activities, you need to activate a number of ICF services
• Major risk
  – The system might be vulnerable to Internet (external) browser-based attacks
• Preventative measure
  – Enforce control in the activation of ICF services
  – Only activate ICF services on a need-to-do basis

Activation of ICF Services (cont.)

• It is possible to explicitly assign a user to an ICF service
  – This is commonplace when end-user log-on functionality is implemented
  – The authorization assigned to that user in the system must be adequately controlled
• Check that ICF services are prevented from using functions that present a risk
  – Confirm that the following administrator settings are configured (transaction code SICF, Go to Settings):
    - Do not allow recording function
    - Do not allow trace function
    - Do not allow debugging function
    - Do not allow runtime analysis function

Background Jobs Administration and Monitoring

• Background jobs are programs or collections of programs that are executed by background work processes
• Different background jobs are normally scheduled in the system to ensure that activities are performed properly
• Major risk
  – Data inconsistencies between the SAP GRC system and the satellite systems
  – Smooth running of the system might be impacted if administrative background jobs are not scheduled and executed successfully
• Preventative measure
  – Schedule (in the correct order) and monitor background jobs for successful completion

Background Jobs Administration and Monitoring (cont.)

• It is important to have a meaningful job-naming convention so that the correct application knowledge can be found quickly for support
• Recommended structure for a background job name (e.g., S_PRD100_UK_SPM_WORKFLOWSYNC_H):
  – Prefix: indicates whether the job contains customer coding (Z) or SAP standard coding (S)
  – System/client: the involved system/client combination (e.g., PRD100)
  – Organization: the involved organizational information (e.g., abbreviations for regions or countries [US, DE, FR])
  – Component: the involved component/application area, such as ARA, SPM, CUP, and BRM
  – Job description: a descriptive name for the job (e.g., SPM_WORKFLOWSYNC)
  – Frequency: job frequency (e.g., hourly [H], daily [D], weekly [W])

Background Jobs Administration and Monitoring (cont.)

• Ensuring data currency and consistency
  – Schedule standard background jobs in SAP Access Control to synchronize data between the GRC system and the satellite systems
• Major master data elements that need to be synchronized in the access control system:
  – PFCG authorizations
  – Profiles
  – Roles
  – Users
  – Action usage
  – Role usage
  – EAM master data

Background Jobs Administration and Monitoring (cont.)

• The implications of failed synchronization jobs can be grave, because outdated data can expose the system to fraudulent activities. For example:
  – An access request might be routed to an incorrect approver, who might approve it based on inadequate knowledge of the risk exposure
    - This can happen because the data source used for approver determination is unsynchronized
  – The detective control associated with the review of firefighter logs can be impaired
    - This can happen if the background job responsible for collecting firefighting session logs and sending them to the controller fails to execute successfully

Background Jobs Administration and Monitoring (cont.)

• An auditor will be interested in ascertaining that the background jobs that drive data synchronization are always executed successfully as scheduled
• The sequence of execution of these background jobs is also an important consideration during a technical review
• Recommended sequence for background job execution:
  1. Program GRAC_PFCG_AUTHORIZATION_SYNC
  2. Program GRAC_REPOSITORY_OBJECT_SYNC
  3. Program GRAC_ACTION_USAGE_SYNC
  4. Program GRAC_ROLE_USAGE_SYNC

Background Jobs Administration and Monitoring (cont.)

• Other programs that should be reviewed to ensure they are properly scheduled include:
  – Batch risk analysis: program GRAC_BATCH_RISK_ANALYSIS
  – Firefighter log collection: program GRAC_SPM_LOG_SYNC_UPDATE
  – Firefighter workflow synchronization: program GRAC_SPM_WORKFLOW_SYNC
  – IDM schema update: program GRAC_SCHEMA_UPDATE
• Check the status of background jobs via transaction SM37
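The job-naming convention and the required programs with their recommended execution sequence, scripted as one audit check. This is an added example, not code from the presentation; the JobRun record layout (job name, ABAP program, status, start time) is an assumption modelled on an SM37 job overview, and the sample entries are constructed.

```python
"""Audit checks for SAP Access Control background jobs (added example).

Encodes the slides' job-naming convention and the recommended execution
sequence of the GRAC_* synchronization programs.  The JobRun layout is an
assumption modelled on an SM37 job overview, not SM37's own export format.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Naming convention from the slides:
#   <prefix>_<system><client>_<org>_<component>_<description>_<frequency>
#   prefix S/Z, system = 3-char SID + 3-digit client (PRD100), org = country or
#   region code, component ARA/SPM/CUP/BRM, description may contain underscores,
#   frequency H (hourly), D (daily) or W (weekly).
JOB_NAME_RE = re.compile(
    r"^(?P<prefix>[SZ])_"
    r"(?P<system>[A-Z][A-Z0-9]{2})(?P<client>\d{3})_"
    r"(?P<org>[A-Z]{2,3})_"
    r"(?P<component>ARA|SPM|CUP|BRM)_"
    r"(?P<description>[A-Z0-9][A-Z0-9_]*)_"
    r"(?P<frequency>[HDW])$"
)

# Recommended execution order of the data-synchronization programs.
SYNC_SEQUENCE = [
    "GRAC_PFCG_AUTHORIZATION_SYNC",
    "GRAC_REPOSITORY_OBJECT_SYNC",
    "GRAC_ACTION_USAGE_SYNC",
    "GRAC_ROLE_USAGE_SYNC",
]

# Other programs the slides require to be scheduled.
OTHER_REQUIRED = [
    "GRAC_BATCH_RISK_ANALYSIS",  # batch risk analysis
    "GRAC_SPM_LOG_SYNC_UPDATE",  # firefighter log collection
    "GRAC_SPM_WORKFLOW_SYNC",    # firefighter workflow synchronization
    "GRAC_SCHEMA_UPDATE",        # IDM schema update
]


@dataclass(frozen=True)
class JobRun:
    name: str
    program: str
    status: str      # SM37 status text, e.g. "Finished" or "Canceled"
    start: datetime


def parse_job_name(name: str) -> Optional[Dict[str, str]]:
    """Split a job name into its convention segments; None if it does not conform."""
    m = JOB_NAME_RE.match(name)
    return m.groupdict() if m else None


def latest_runs(jobs: List[JobRun]) -> Dict[str, JobRun]:
    """Most recent run of each ABAP program, whatever the job was named."""
    latest: Dict[str, JobRun] = {}
    for job in jobs:
        if job.program not in latest or job.start > latest[job.program].start:
            latest[job.program] = job
    return latest


def audit_jobs(jobs: List[JobRun]) -> List[str]:
    """Return audit findings; an empty list means every check passed."""
    findings: List[str] = []
    # 1. Every job must follow the naming convention.
    for job in jobs:
        if parse_job_name(job.name) is None:
            findings.append(f"{job.name}: job name does not follow the naming convention")
    latest = latest_runs(jobs)
    # 2. Every required program must be scheduled and its last run must have finished.
    for program in SYNC_SEQUENCE + OTHER_REQUIRED:
        run = latest.get(program)
        if run is None:
            findings.append(f"{program}: not scheduled")
        elif run.status != "Finished":
            findings.append(f"{program}: last run ({run.name}) ended with status {run.status}")
    # 3. The synchronization programs must have run in the recommended order.
    runs = [latest[p] for p in SYNC_SEQUENCE if p in latest]
    for earlier, later in zip(runs, runs[1:]):
        if later.start < earlier.start:
            findings.append(f"{later.program} started before {earlier.program}: sequence violated")
    return findings


# Constructed sample resembling an SM37 job overview (not data from any real system).
SAMPLE_JOBS = [
    JobRun("S_PRD100_UK_ARA_PFCG_AUTH_SYNC_D", "GRAC_PFCG_AUTHORIZATION_SYNC", "Finished", datetime(2015, 6, 1, 1, 0)),
    JobRun("S_PRD100_UK_ARA_REPOSITORY_SYNC_D", "GRAC_REPOSITORY_OBJECT_SYNC", "Finished", datetime(2015, 6, 1, 1, 30)),
    JobRun("S_PRD100_UK_ARA_ROLE_USAGE_SYNC_D", "GRAC_ROLE_USAGE_SYNC", "Finished", datetime(2015, 6, 1, 2, 0)),
    JobRun("S_PRD100_UK_ARA_ACTION_USAGE_SYNC_D", "GRAC_ACTION_USAGE_SYNC", "Finished", datetime(2015, 6, 1, 2, 30)),
    JobRun("S_PRD100_UK_ARA_BATCH_RISK_ANALYSIS_D", "GRAC_BATCH_RISK_ANALYSIS", "Finished", datetime(2015, 6, 1, 3, 0)),
    JobRun("S_PRD100_UK_SPM_WORKFLOWSYNC_H", "GRAC_SPM_WORKFLOW_SYNC", "Finished", datetime(2015, 6, 1, 3, 0)),
    JobRun("FF_LOG_COLLECT", "GRAC_SPM_LOG_SYNC_UPDATE", "Canceled", datetime(2015, 6, 1, 3, 15)),
]

if __name__ == "__main__":
    for finding in audit_jobs(SAMPLE_JOBS):
        print(finding)
```

Running it against the sample reports the misnamed job, the cancelled log-collection run, the missing schema update and the role-usage sync that ran before the action-usage sync.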

Background Jobs Administration and Monitoring (cont.)

• A technical system auditor should be abreast of the background jobs that need to be scheduled for the different underlying databases
• For example, the following database management-related background jobs should be executed for a Microsoft SQL Server database:
  – CCMS Blocking Database Locks Statistics
  – CCMS Check Database (DBCC – Database Consistency Checker)
  – CCMS Update Table Statistics
  – MSSQL COLLECTOR
• Also, review the successful execution of administrative background jobs, such as report RSBTCDEL (Delete Batch Job)

Background Jobs Administration and Monitoring (cont.)

• Variants eliminate the need to enter the same values in the selection criteria fields every time you execute a report
• This functionality is designed to reduce both data entry time and system processing time, which makes it commonplace in every SAP system environment
• Variants should be reviewed for correctness and currency
• Ideally, variants that are no longer relevant in the system should be discontinued or adjusted accordingly, to avoid the chance of using them unknowingly
• You can review the entries in table TBTCP to assess the currency and relevance of defined variants

Integration with Back-End Systems

• A typical SAP GRC system is made up of more than just the GRC box
  – It also contains other back-end systems, such as SAP ERP, SAP Enterprise Portal, or Microsoft Active Directory
• The GRC system is used to provision access to the back-end system
  – Or the back-end system is used as the data source for user authentication and user details in the SAP Access Control system
• Major risk
  – Vulnerabilities and data inaccuracy in the back-end system can impact the operation of the GRC system
• Preventative measure
  – Ensure appropriate security and data accuracy are enforced in the satellite systems

Integration with Back-End Systems (cont.)

• A system review of the back-end systems is just as important as the system review of SAP Access Control
• Security breaches in any dependent back-end system can impact the integrity of the access control system
  – For example, if the HR system is designed as the source of user details (e.g., Personnel Area drives the assignment of the approval agent) and the data maintained in the HR system is not accurate, an access request can be incorrectly routed
• The system auditor needs to be assured that systems connected to the GRC system are performing their intended roles in terms of:
  – Functionality delivery
  – Data accuracy
  – System availability

Performance Optimization

• Performance of the SAP Access Control system depends on the following:
  – Master data volume
  – Transaction data volume
  – Configuration settings (customizing)
  – Number of concurrent users
  – Size of the system landscape (number of systems and available system resources)
• Major risk
  – Slowness or unavailability of the system
• Preventative measure
  – Optimal preliminary sizing, appropriate configuration settings, efficient parameterization, and adequate capacity planning

Performance Optimization (cont.)

• If system performance is degraded, it can lead to unavailability of the access control system and consequently affect functional use of the application
• The audit should focus on data maintenance strategies such as:
  – Data prevention
  – Data deletion
  – Table indexing and data reorganization
• An auditor should review performance-centric customizing settings such as:
  – Indexing of tables
  – Profile parameter settings
  – Parameterization in the IMG (configuration settings)

Performance Optimization (cont.)

• Indexing of tables
  – Fields MANDANT, UTIME, UDATE, USERNAME in table CDHDR (SAP Note 1039144)
  – Fields MANDT, LANGU, and FIELD in table GRACFLDSYST (SAP Note 1866822)
• Profile parameters
  – abap/heap_area_dia (limit of heap memory per dialog work process)
  – abap/heap_area_nondia (limit of heap memory per non-dialog work process)
  – abap/heap_area_total (limit of heap memory on the application server)
  – em/initial_size_MB (initial size of the extended memory pool)
  – abap/buffersize (program buffer size)

Performance Optimization (cont.)

• Parameterization in the IMG
  – Default user type for risk analysis (Parameter 1026) set to DIALOG
  – Include locked users (Parameter 1031) set to No
  – Include expired users (Parameter 1028) set to No
  – Include mitigated risks (Parameter 1030) set to No
  – Ignore critical roles and profiles (Parameter 1031) set to Yes
  – Batch size for batch risk analysis (Parameter 1120)
  – Batch size for user sync (Parameter 1121)
  – Batch size for role sync (Parameter 1122)
  – Batch size for profile sync (Parameter 1123)

Workflow and Authorizations

• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties

Definition and Maintenance of Rule Set

• A rule set is a group of data elements that collectively define the segregation of duties risks and sensitive access risks in an enterprise
• Validation of the rule set normally involves the review of the dependent master data elements of a rule set, such as Risks and Functions (Actions and Permissions)
• Major risk
  – Access risk violations might be under-reported or over-reported
• Preventative measure
  – Ensure that SoD and sensitive access rules reflect the approved risk perception of the enterprise

Definition and Maintenance of Rule Set (cont.)

• The review of the content of a rule set needs to be detailed
  – For example, the correctness of the absolute values defined for the corresponding authorization objects
    - Authorization object values: 1 is not synonymous with 01, and “*” is not “any value”
• Check via transaction SCPR20 that the SoD rule set-related BC sets were activated without errors
• Check that the operators (AND, OR, and NOT) used in the rule set definition are properly defined
• Validate the access risk level to ensure correct master data attributes (e.g., risk levels) are maintained
• Review the SoD rule set for completeness
  – Inclusion of custom transaction codes and sensitive access

Definition and Maintenance of Rule Set (cont.)

• Check for the existence of effective policies and procedures aimed at ensuring changes to the rule set are made in a controlled manner
  – Transport changes to the rule set via the IMG
  – Activate the change log functionality so that an audit trail is available for an auditor to review changes made to the elements of the rule set

Definition and Maintenance of Rule Set (cont.)

• Parameterization for rule set changes – workflow
  – Parameter 1062: Risk Maintenance
  – Parameter 1064: Function Maintenance
  – Parameter 1101: Create Request for Risk Approval
  – Parameter 1102: Update Request for Risk Approval
  – Parameter 1103: Delete Request for Risk Approval
  – Parameter 1104: Create Request for Function Approval
  – Parameter 1105: Update Request for Function Approval
  – Parameter 1106: Delete Request for Function Approval

Workflow Maintenance

• Workflow is designed to ensure that activities within the system are properly reviewed and approved by designated individuals before changes are made to specific information or processes
  – This can include the provisioning of access to users or changes to master data, such as functions or the assignment of mitigating controls to users and roles
• Major risk
  – Approval requests might not be handled in a timely manner and by the correct approver
• Preventative measure
  – Ensure the workflow mechanism is properly configured and the approver (agent) master data is properly maintained

Workflow Maintenance (cont.)

• The approver delegation table should be reviewed to gain assurance that every approval delegation entry is justifiable
• Review the status of email messages generated in the system over a period of time via transaction SOST to ensure messages are not being trapped unnoticed
• Check that all users have their email addresses correctly maintained

Workflow Maintenance (cont.)

• Gain preliminary assurance that the workflow engine is working properly via transaction SWU3
• An audit interest in a workflow process is who the actor (approver) is
  – The approver must be reviewed for correctness and currency at defined intervals
• Review the agent master data to ensure workflow approval requests are routed to the appropriate approvers and that approval requests are attended to promptly
  – Review the Service Level Agreement (SLA) report, if configured

Change Management

• The system landscape must be configured to adhere to at least a three-system landscape, typically made up of development, quality assurance, and production systems
• Major risk
  – Data and customization setting inconsistencies, making the system error prone
• Preventative measure
  – Enforce control in the promotion of changed data or customizations across the system landscape by avoiding customizing activities directly in the production system

Change Management (cont.)

• System settings are designed to prevent the ability to make changes to client-independent objects in non-development systems
  – SE06 – should be set to “Not modifiable”
• Production client settings should be reviewed for appropriateness via transaction SCC4
  – Recommended production client settings:
    - Client-specific changes/transports – No changes allowed
    - Cross-client object changes – No change to Repository and cross-client Customizing objects
    - Protection: Client Copier and Comparison Tool – Protection level 2: No overwriting and no external availability
    - CATT and eCATT restriction – CATT and eCATT not allowed

Change Management (cont.)

• Ascertain that all configuration changes, including master data (BRFplus rules [such as logic and master data, approvers, or user defaults]), are tested before the changes are promoted to the destination/subsequent systems in the landscape
• For BRFplus objects – local object vs. transportable object

Change Management (cont.)

• A number of master data items cannot be transported in SAP Access Control
  – These include reason codes, access control owner definitions, coordinators, and firefighter master data
• The authorization concept, in conjunction with the SoD concept, should be used to enforce control in the management of the non-transportable master data
• Development and quality assurance systems also need to be secured appropriately
  – The defined security policy should address access rights, modification, and data composition of the non-production systems

Authorization Management of Technical Users

• To operate the SAP Access Control system normally, some system users need to be created and assigned specific authorizations
• Examples of these technical users are:
  – Remote Function Call (RFC) users
  – WF-BATCH users
• Major risk
  – The technical user account might be used for malicious activities in the system
• Preventative measure
  – Enforce control in the authorization assignment of technical users

Authorization Management of Technical Users (cont.)

• SAP recommends that the following authorization objects and values be assigned to the RFC user for SAP Access Control:
  – ACTVT: 16
  – RFC_NAME: /GRCPI/GRIA, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  – RFC_TYPE: FUGR
• WF-BATCH is a communication user that is required to run the workflow engine
• Authorizations assigned to these users must be well controlled
  – Check that SAP_ALL is not assigned to these users
  – Consult SAP Note 1251255 for WF-BATCH user authorization management
  – Don’t forget the standard SAP users – SAP*, DDIC, SAPCPIC, etc.

Firefighter ID Login Prohibition

• Firefighting is the act of using privileged user accounts in times of emergency
• Because the firefighter ID possesses elevated privileges, it should not be used directly in the back-end system
• Instead, it should be used via the assigned firefighter user on the SPM log-on pad
• Major risk
  – The firefighter ID (with privileged authorization) might be used to log on directly to the back-end system to perform malicious activities, and the logs will not be captured
• Preventative measure
  – Implement the user exit as described in SAP Note 1545511

Firefighter ID Login Prohibition (cont.)

• To enforce control around the use of the firefighter ID directly in the back-end system, implement a user exit in the back-end system where the firefighter ID resides
• Check whether report ZXUSRU01 exists in the back-end system and contains the include /GRCPI/GRIA_USEREXIT (SAP Note 1545511)
• To further verify that the user exit has been implemented, attempt to log on directly to the back-end system using a firefighter ID
  – The action should trigger the display of a dialog box confirming you are not authorized to log on directly

Segregation of Duties

• SoD forms part of the requirements of many regulations, including Sarbanes-Oxley
• The idea is to prevent the concentration, in specific users, of the authority to carry out critical activities in the system
• Major risk
  – Perpetration of malicious activities as a result of the possession of excessive authorization
• Preventative measure
  – Employ the principle of “least privilege” in authorization assignment and grant authorization on a “need-to-know” basis

Segregation of Duties (cont.)

• Check whether an SoD matrix of incompatible activities exists for the SAP Access Control system itself
  – For example, the person who creates a mitigating control should not be able to maintain or assign the mitigating control
• A technical review should establish that the authorizations assigned to specific job roles are optimal and do not create a mitigating conflict
• SoD-centric configuration settings, such as the ones below, should be reviewed for correctness and appropriateness:
  – Approver cannot approve his own request (EUP settings)
  – Firefighter ID owner can submit request for firefighter ID owned (Parameter 4013)
  – Firefighter ID controller can submit request for firefighter ID controlled (Parameter 4014)

Time Zone and Documentation

• Time zone setting
• Documentation

Time Zone Setting

• The output of some log reports generated for Emergency Access Management is based on input from transaction STAD (SAP Workload: Business Transaction Analysis) in the plug-in system
  – Reports in transaction STAD are based on operating system time
• Major risk
  – A time zone mismatch can impact log collection, which will consequently impact correct reporting of firefighting session activities in the satellite system
  – This situation erodes the detective control capability of firefighter log review
• Preventative measure
  – Ensure the time zones of the operating system and the SAP NetWeaver® engine are in sync in the SAP Access Control system and the satellite systems

Time Zone Setting (cont.)

• An auditor should ensure the appropriate operating system time zone setting is maintained in the SAP Access Control system and the back-end system
  – It is best practice to have the same setting for:
    - The time zone of the operating system and the SAP NetWeaver system in the GRC system
    - The time zone of the operating system and the SAP NetWeaver system in the plug-in system (e.g., SAP ERP system)
• However, the time zone setting of the GRC system and the plug-in system need not necessarily be the same
• The time zone setting of the SAP NetWeaver system can be checked via report TZONECHECK (Check Time Zone Data for Consistency)
• More information is in SAP Notes 1430336, 198411, and 481835

Documentation

• Documentation is an integral part of any business solution delivery project, and serves as part of the knowledge transfer requirement
• Major risk
  – A knowledge gap may exist as it relates to the system design, configuration, and operational activities, which can consequently impact the optimal support of the system
• Preventative measure
  – Ensure documentation deliverables are agreed upon at project inception and subsequently approved by senior management

Documentation (cont.)

• Documentation related to the project should be assessed for completeness and correctness and should cover the following:
  – Technical installation, blueprint and system design, support and operation guide, security and authorization design, testing materials, and users’ guide
• Documentation must be approved by designated individuals, with at least one representative from senior management or the project steering committee
• Changes to documentation need to be approved and versioned
• The security of the location where documents are stored needs to be reviewed to ensure they cannot be tampered with or manipulated
• You can use SAP Solution Manager for document management

Page 65: GRCSing2015_Kumar_Howtoperformasystem

64

What We’ll Cover

• Why, when, and what of an SAP Access Control audit

• Technical and system information

• Workflow and authorizations

• Time zone and documentation

• Archiving and disaster recovery

• Wrap-up

Page 66: GRCSing2015_Kumar_Howtoperformasystem

65

Archiving and Disaster Recovery

• Data archiving

• Business continuity and disaster recovery

Page 67: GRCSing2015_Kumar_Howtoperformasystem

66

Data Archiving

• Aside from business requirements and corporate policies, prevailing legal and regulatory requirements influence the data retention strategies adopted by an enterprise

• Data archiving also has a beneficial side effect: it improves system performance

• Major risk

    System performance might be impaired and data retention policies might be flouted

• Preventative measure

    Archive data at defined intervals and in line with the corresponding local and global regulations

Page 68: GRCSing2015_Kumar_Howtoperformasystem

67

Data Archiving (cont.)

• Gain an understanding of the archiving strategy of an organization and apply that in ensuring data is properly archived as scheduled using the appropriate tools

• The following archiving objects are available to archive access control-specific data via transaction SARA:

    GRFNMSMP – Archiving for GRC AC 2010 Requests

    SPM_AU_LOG – SPM Audit Log Archive

    SPM_CH_LOG – Change Log Archive

    SPM_LOG – Archiving for SPM Log Reporting

    SPM_OC_LOG – SPM OS Command Log Archiving

    SPM_SY_LOG – SPM System Log Archival

• Check the integrity of the storage location of the archived data

Page 69: GRCSing2015_Kumar_Howtoperformasystem

68

Archiving and Disaster Recovery

• Data archiving

• Business continuity and disaster recovery

Page 70: GRCSing2015_Kumar_Howtoperformasystem

69

Business Continuity and Disaster Recovery

• The impact of the unavailability of the SAP Access Control system should be analyzed and documented

• System unavailability might present a window to perpetrate malicious activities, especially when there are no tested procedures to address such business events or scenarios

• Major risk

    Data loss or inability to continue business operation in the event of a disaster

• Preventative measure

    Ensure that appropriate business continuity and disaster recovery plans exist and are tested at defined intervals

Page 71: GRCSing2015_Kumar_Howtoperformasystem

70

Business Continuity and Disaster Recovery (cont.)

• Check to ensure there are adequate processes and controls in place to address the challenges that come with system unavailability or downtime (both planned and unplanned)

• Gain assurance that a business impact analysis has been performed

• Confirm that adequate and effective back-up and restore strategies exist

• Obtain test evidence of back-up and disaster recovery tests

    Review the back-up log directly in the system via transaction DB12

• The technical review should also cover storage of back-up media and other conventional back-up and recovery audit concerns, such as back-up frequency
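Two of the checks in this section ("archive data at defined intervals" on the data archiving slides and "back-up frequency" here) are the same test applied to different evidence: does a recurring activity have an unbroken chain of successful runs no further apart than policy allows? The script below is an added example, not code from the presentation. It applies one check to a constructed SARA-style run history for the six access control archiving objects and to a constructed back-up history of the kind reviewed in DB12. The line format, the review date and the interval policies (quarterly archiving, daily full back-up) are all assumptions; real SARA and DB12 output has its own layout and would need its own parser.

```python
"""Check that archiving runs and back-ups occur at the defined intervals.

Added example, not code from the presentation. The inputs are constructed
sample data in a simple "YYYY-MM-DD NAME STATUS" text format; the interval
policies and the review date are assumptions, not values from the slides.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Archiving objects listed on the slide for access control data (transaction SARA).
AC_ARCHIVING_OBJECTS = ["GRFNMSMP", "SPM_AU_LOG", "SPM_CH_LOG",
                        "SPM_LOG", "SPM_OC_LOG", "SPM_SY_LOG"]

# Constructed archiving history: SPM_AU_LOG's second run failed and
# SPM_SY_LOG was never archived at all.
SAMPLE_ARCHIVE_RUNS = """
2015-01-05 GRFNMSMP OK
2015-04-06 GRFNMSMP OK
2015-01-05 SPM_AU_LOG OK
2015-04-06 SPM_AU_LOG FAILED
2015-01-05 SPM_CH_LOG OK
2015-04-06 SPM_CH_LOG OK
2015-01-05 SPM_LOG OK
2015-04-06 SPM_LOG OK
2015-01-05 SPM_OC_LOG OK
2015-04-06 SPM_OC_LOG OK
"""

# Constructed daily full-backup history with one failed night.
SAMPLE_BACKUP_RUNS = """
2015-04-14 FULL OK
2015-04-15 FULL OK
2015-04-16 FULL FAILED
2015-04-17 FULL OK
2015-04-18 FULL OK
2015-04-19 FULL OK
"""

REVIEW_DATE = date(2015, 4, 20)  # "as of" date of the review (constructed)


def parse_runs(text: str) -> Dict[str, List[Tuple[date, bool]]]:
    """Parse 'YYYY-MM-DD NAME STATUS' lines into {name: [(run_date, succeeded)]}."""
    runs: Dict[str, List[Tuple[date, bool]]] = {}
    for line in text.strip().splitlines():
        day, name, status = line.split()
        runs.setdefault(name, []).append((date.fromisoformat(day), status.upper() == "OK"))
    return runs


def find_schedule_gaps(runs, required, max_interval: timedelta, as_of: date):
    """Return (name, message) findings for each required activity.

    Only successful runs count as evidence: a failed archiving run or back-up
    leaves the same exposure as no run at all. Three conditions are reported:
    no successful run ever, a gap between successive successes longer than the
    policy interval, and a most recent success that is already overdue.
    """
    findings = []
    for name in required:
        successes = sorted(d for d, ok in runs.get(name, []) if ok)
        if not successes:
            findings.append((name, "no successful run on record"))
            continue
        for prev, cur in zip(successes, successes[1:]):
            if cur - prev > max_interval:
                findings.append((name, f"gap of {(cur - prev).days} days between {prev} and {cur}"))
        if as_of - successes[-1] > max_interval:
            findings.append((name, f"last successful run {successes[-1]} is more than "
                                   f"{max_interval.days} days old"))
    return findings


def audit_archiving(as_of: date = REVIEW_DATE):
    """Assumed quarterly archiving policy: every object succeeded within 92 days."""
    return find_schedule_gaps(parse_runs(SAMPLE_ARCHIVE_RUNS), AC_ARCHIVING_OBJECTS,
                              timedelta(days=92), as_of)


def audit_backups(as_of: date = REVIEW_DATE):
    """Assumed daily full back-up policy: at most one day between successes."""
    return find_schedule_gaps(parse_runs(SAMPLE_BACKUP_RUNS), ["FULL"],
                              timedelta(days=1), as_of)


if __name__ == "__main__":
    for name, msg in audit_archiving() + audit_backups():
        print(f"FINDING {name}: {msg}")
```

On the constructed data the archiving check flags SPM_AU_LOG (its only success is now older than the policy interval, because the later run failed) and SPM_SY_LOG (never archived), while the back-up check flags the two-day gap created by the failed night. Treating failures as non-events is the design choice that matters: a job log full of scheduled runs is not evidence unless the runs succeeded.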

Page 72: GRCSing2015_Kumar_Howtoperformasystem

71

What We’ll Cover

• Why, when, and what of an SAP Access Control audit

• Technical and system information

• Workflow and authorizations

• Time zone and documentation

• Archiving and disaster recovery

• Wrap-up

Page 73: GRCSing2015_Kumar_Howtoperformasystem

72

Where to Find More Information

• Kehinde Eseyin, “How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0” (SAP Professional Journal, October 2013). http://bit.ly/1G5aZzF

• SAP Access Control 10.1 Security Guide. http://bit.ly/15aAAq2 *

• Kehinde Eseyin, “10 Best Practices for Enforcing Data Security, Control, and Consistency in the Software Logistics Process” (Financials Expert, March 2010). http://bit.ly/1yp2ieD

• Kehinde Eseyin, “Combat Chaos with a Lock-Down Security Policy in 12 Key Areas of Your SAP Environment” (Financials Expert, June 2009). http://bit.ly/1x8phG9

* Requires login credentials to the SAP Service Marketplace

Page 74: GRCSing2015_Kumar_Howtoperformasystem

73

7 Key Points to Take Home

• Set the recommended administrator security-centric settings for ICF services

• Know the archiving objects relevant to SAP Access Control data

• Implement workflow verification using transaction SWU3

• Know the specific authorizations to assign to RFC technical users

• Enhance system performance by using specific configuration and profile parameters

• Enhance system performance for derived role import and firefighter log collection by indexing tables GRACFLDSYST and CDHDR respectively

• Use report TZONECHECK to check time zone settings for data consistency

Page 75: GRCSing2015_Kumar_Howtoperformasystem

74

Your Turn!

How to contact me:

Barun Kumar

[email protected]

Please remember to complete your session evaluation

Page 76: GRCSing2015_Kumar_Howtoperformasystem

75

Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Page 77: GRCSing2015_Kumar_Howtoperformasystem

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2015 Wellesley Information Services. All rights reserved.