Re: [sap-security] SAP SOD AUDIT REMEDIATION
Posted by Donald Lee on Apr 26 at 11:55 AM
I found this whitepaper out on IT Tool box http://hosteddocs.ittoolbox.com/sensagesapwpfeb.pdf
It appears that this tool will collect from SAP and correlate that information (a single view of a combination of composite roles), and that additional non-SAP data can also be imported, such as your client-side rule set, and provide correlated reporting against your rule set as well.
On further reading it appears that you can set scenario thresholds (audit rules) for alerting as the data is loaded. If the transaction, user and rule set do not match you would be alerted, which would seem to be a heck of a time saver vs. manual analysis.
Anyway it seemed pretty interesting and might be worth a look.
dl
From: Alex Ayers via sap-security <sap-security@Groups.ITtoolbox.com>
To: Donald Lee <donwoerner@yahoo.com>
Sent: Mon, April 26, 2010 5:32:05 AM
Subject: Re: [sap-security] SAP SOD AUDIT REMEDIATION
Posted by Alex Ayers (Director of Operations)
on Apr 26 at 6:30 AM
Hi Richard,
I can only reiterate what others have said, to do this really effectively
you should invest in a tool that will do the SOD checking for you.
My understanding of EQSmart is that it can be run on actual roles or users
but the modelling of different situations is lacking. As an auditing tool I
can understand why this was left out. The various techniques described by
the other guys are valid & effective, albeit taking a long time to do
manually. One big consideration with conflict lists is that they are static
checks and changes to composite role contents should lead to re-evaluation
of the list.
If you do want to automate (and I would recommend it) then there are a whole
host of solutions out there by a variety of vendors. The tools all have
their strengths, weaknesses and costs. A few that I have used or spent a
fair bit of time researching & talking with the teams are:
The "big guys" in terms of functionality & cost:
SAP GRC Access Controls
Approva Bizrights
Smaller companies that offer comprehensive solutions:
ControlPanel GRC
SecurityWeaver
Niche Products (smaller functionality sets):
CSI Authorization Auditor (declaration: my company uses this for performing
audit work at clients)
Xpandion ProfileTailor
Free:
SAP report RSUSR008_009_NEW (free but you need to account for cost of
developing and implementing ruleset).
Hope that helps
Cheers
Alex
On 24 April 2010 23:19, Richard Cunnings via sap-security <
sap-security@groups.ittoolbox.com> wrote:
> Posted by Richard Cunnings
> on Apr 24 at 7:20 PM
> Hi Guys
>
> A big thanks to Donn, Alex, Lee, bpoulos & Chris, I really appreciate the
> excellent input.
>
> This is how the audit was run by Deloitte: they basically had a test user
> per composite role, so our report has SODs for each composite. Unfortunately
> they cannot run it via a combination of composite roles, as this is
> something their tool cannot do :-)
>
> What would you guys advise regarding this matter? We need to know the risks
> via a combination of Composites as we do assign more than 1 Composite to
> some users.
>
> Once again thanks Guys.
> Richard
>
> ---------------Original Message---------------
> From: Richard Cunnings
> Sent: Friday, April 23, 2010 10:38 AM
> Subject: SAP SOD AUDIT REMEDIATION
>
> > Hi Guys
> >
> > We have just been audited by Deloitte via their EQsmart tool. We now have
> a spreadsheet with all the conflicts down to detailed level & T-code. This
> spreadsheet needs to go out to the business, but here are the problems:
> >
> > 1. Internal Auditors do not have much SAP Knowledge, what should we do?
> > 2. How do we make the spreadsheet more comprehensible to the Business
> what do they just need to see?
> > 3. Also the business & Internal Audit will find it difficult to label
> risks e.g. Low, High & Critical, any ideas?
> > 4. How should we record the role changes that will be made via
> remediation?
> >
> > Cheers
> > Richard C
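The gap Richard describes (a test user per composite role cannot see a conflict that only arises when two composites meet on one user) is easy to close once you have the role-to-transaction data, and it is also where Alex's point about static conflict lists bites: the list is only valid for the composite contents it was built from. The following is an added example written for this page, not code from the thread, from EQSmart, from RSUSR008_009_NEW or from any other tool listed above. It unions a user's composite roles into one effective transaction set, evaluates that set against a rule set, marks which findings a per-composite run would have missed, and fingerprints each composite so a stale conflict list can be detected. All role names, user IDs, the rule set, its ratings and its descriptions are constructed; the transaction codes are standard SAP ones chosen for illustration.

```python
"""Cross-composite SOD check: union a user's composite roles into one effective
transaction set and evaluate it against a rule set.  Constructed example for
this page; not the thread's data and not the logic of any tool it names."""
import hashlib

# Constructed sample data.  Role names and user IDs are invented; the tcodes
# are standard SAP transactions used only to make the rules readable.
SINGLE_ROLES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},      # enter vendor invoices
    "Z_AP_PAYMENT_RUN": {"F110"},                # automatic payment run
    "Z_VENDOR_MASTER": {"XK01", "XK02"},         # create/change vendor master
    "Z_GL_DISPLAY": {"FB03", "FS10N"},           # display-only GL access
}
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"Z_AP_INVOICE_ENTRY", "Z_GL_DISPLAY"},
    "ZC_AP_PAYMENTS": {"Z_AP_PAYMENT_RUN", "Z_GL_DISPLAY"},
    "ZC_MDM_VENDOR": {"Z_VENDOR_MASTER"},
}
USERS = {
    "JSMITH": {"ZC_AP_CLERK"},
    "AJONES": {"ZC_AP_CLERK", "ZC_AP_PAYMENTS"},
    "BKUMAR": {"ZC_MDM_VENDOR", "ZC_AP_PAYMENTS"},
}

# Hypothetical rule set: a user who can execute any tcode on side A *and* any
# tcode on side B has the conflict.  Rating and description are what the
# business sees; the tcode lists are for the SAP team.
RULES = [
    {"id": "AP01", "rating": "Critical",
     "description": "Enter a vendor invoice and release its payment",
     "a": {"FB60", "MIRO"}, "b": {"F110"}},
    {"id": "AP02", "rating": "High",
     "description": "Maintain vendor master data and run payments",
     "a": {"XK01", "XK02"}, "b": {"F110"}},
]


def tcodes_of_composite(composite):
    """All transactions reachable through a composite's single roles."""
    return set().union(*(SINGLE_ROLES[s] for s in COMPOSITE_ROLES[composite]))


def effective_tcodes(user):
    """Union over every composite assigned to the user."""
    return set().union(*(tcodes_of_composite(c) for c in USERS[user]))


def evaluate_user(user):
    """Conflicts for one user, flagging those visible only across composites."""
    per_composite = {c: tcodes_of_composite(c) for c in USERS[user]}
    effective = effective_tcodes(user)
    findings = []
    for rule in RULES:
        hit_a, hit_b = effective & rule["a"], effective & rule["b"]
        if not (hit_a and hit_b):
            continue
        # Composites carrying both sides on their own would have shown up in a
        # per-composite test-user run; anything else is the cross-composite gap.
        within = sorted(c for c, t in per_composite.items()
                        if t & rule["a"] and t & rule["b"])
        via = sorted(c for c, t in per_composite.items()
                     if t & rule["a"] or t & rule["b"])
        findings.append({
            "user": user, "risk": rule["id"], "rating": rule["rating"],
            "description": rule["description"],
            "tcodes_a": sorted(hit_a), "tcodes_b": sorted(hit_b),
            "within_composite": within, "via": via,
            "cross_composite_only": not within,
        })
    return findings


def evaluate_all():
    return {u: evaluate_user(u) for u in USERS}


def composite_fingerprint(composite):
    """Stable hash of a composite's effective tcodes.  Store it next to the
    conflict list; if it changes, the static list is stale and must be re-run."""
    canon = ",".join(sorted(tcodes_of_composite(composite)))
    return hashlib.sha256(canon.encode()).hexdigest()


def business_summary(user):
    """One line per conflict in the form the business can act on."""
    return [f"{f['user']}: {f['rating']} {f['risk']} - {f['description']} "
            f"(via {' + '.join(f['via'])})" for f in evaluate_user(user)]


if __name__ == "__main__":
    for user, findings in evaluate_all().items():
        print(user, "clean" if not findings else "")
        for line in business_summary(user):
            print("  ", line)
```

In practice the three dictionaries are pulled from the role tables rather than typed in: AGR_AGRS (composite to single role), AGR_TCODES or AGR_1251 (role to transaction, or better to authorization object values) and AGR_USERS (user to role, filtered on validity dates). A tcode-level check like this one is the same level of detail as the spreadsheet Richard has; it will not see a conflict granted through object-level authorizations without a matching S_TCODE entry, so treat it as the first pass and move to object-level rules once the rule set is agreed. The rating and description fields are what belong on the business-facing tab; the tcode lists and the within/via columns stay on a second tab for the SAP team and for recording which role change closed which finding.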
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251