Re: [sap-security] GRC - Compliance Calibrator


Posted by sapvish (SQA)
on Mar 30 at 9:17 PM
Hello Chris

Going through your reply to Mark's query, I found it very educating.
Can you please help me with understanding how the SM20 log can be used to
trace the activities in CC?

Hi Mark

I don't know how well it meets your requirement, but CC comes with an ABAP-
based utility called RT (Risk Terminator) which is kick-started when any
violation is found during changing a role or doing user assignment of
violating roles.

Regards,
Vishal



On Wed, Mar 31, 2010 at 8:24 AM, chris_van_schijndel via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by chris_van_schijndel(SAP Security Manager)
> on Mar 30 at 5:26 PM
> Hi Mark,
>
> There is no functionality like this that I'm aware of - certainly on our
> older release. I think you might have to approach this from an alternative
> angle. Here are some options.
>
> 1) If you're performing up-front analysis I'm thinking you may well be
> getting sign-off before assigning conflicting access. If that's the case
> you're all good - the auditors will simply take a sample of users with
> conflicts currently and ask for the evidence that the sign-off of the review
> was obtained. This is essentially what we do - get the conflict and
> compensating control signed-off up front. We don't store evidence of "clean"
> simulations or analyses.
>
> 2) If you haven't been doing that then you may still have been applying
> mitigating controls to your risks. If that's the case you can demonstrate
> that all risks have mitigations and therefore are detected up-front and thus
> the control is effective, even though you don't have evidence of the
> up-front reviews as per (1) for the past. Not ideal, but better than
> nothing.
>
> 3) If you really want to show that the analysis was run, and assuming it's
> run at pretty much the same time as you assign the access, then of course
> you could attempt to map the date/time stamp of role assignment changes from
> change history to an SM20 audit log of who ran the CC. Crude and cumbersome
> but possible. Of course you don't get any joy from new conflicts resulting
> from transported role changes either.
>
> Honestly speaking, the fact that you run the analysis is neither here nor
> there in and of itself. The auditor is wanting to see what you do with it once
> you have the visibility. If you just go ahead and assign the access that's
> no control at all and obviously adds no value. It's the risk acceptance or
> provision of compensating controls from the business before conflicting
> access is assigned that the auditors are going to want to see, so I'd say
> option 1) or, worst case, a retro-fit to achieve option 2) are your best ways
> forward.
>
> Cheers
> Chris v S
>
>
> ---------------Original Message---------------
> From: mpires100
> Sent: Tuesday, March 30, 2010 3:03 PM
> Subject: GRC - Compliance Calibrator
>
> Do you know of a report in Compliance Calibrator that can be run to show
> whether or not a risk analysis was run for SAP User changes? I am looking
> for proof that a risk analysis for SOD conflicts was performed, to be
> used as documentation in the event PWC requests this info during the audit.
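Chris's option 3 above, correlating role assignment timestamps from change history with SM20 entries for the administrator who ran the CC analysis, as an added example that is not from anyone in this thread. The change-history rows, the SM20-style rows and the transaction code ZCC_RISK_ANALYSIS standing in for the CC analysis run are all constructed assumptions; in practice you would export both lists from the system.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real system output).
# Change-history rows: which user got which role, by whom, and when.
ROLE_ASSIGNMENTS = [
    {"user": "JDOE",   "role": "Z_AP_PAYMENTS",     "changed_by": "ADMIN1", "at": "2010-03-30 14:02:11"},
    {"user": "ASMITH", "role": "Z_AP_VENDOR_MAINT", "changed_by": "ADMIN2", "at": "2010-03-30 15:40:00"},
    {"user": "BLEE",   "role": "Z_GL_POSTING",      "changed_by": "ADMIN1", "at": "2010-03-29 09:05:30"},
]

# SM20-style audit rows: who started which transaction, when.
# The transaction code for the CC risk analysis is an assumed placeholder.
CC_TCODE = "ZCC_RISK_ANALYSIS"
SM20_LOG = [
    {"user": "ADMIN1", "tcode": CC_TCODE, "at": "2010-03-30 13:48:02"},
    {"user": "ADMIN2", "tcode": "SU01",   "at": "2010-03-30 15:39:10"},
    {"user": "ADMIN1", "tcode": "PFCG",   "at": "2010-03-29 09:04:00"},
]

FMT = "%Y-%m-%d %H:%M:%S"


def parse(ts):
    return datetime.strptime(ts, FMT)


def find_analysis_evidence(assignments, audit_log, window=timedelta(hours=2)):
    """For each role assignment, look for a CC run by the same administrator
    within `window` before the change. Returns (assignment, audit_row_or_None)."""
    results = []
    for a in assignments:
        changed_at = parse(a["at"])
        candidates = [
            row for row in audit_log
            if row["user"] == a["changed_by"] and row["tcode"] == CC_TCODE
            and changed_at - window <= parse(row["at"]) <= changed_at
        ]
        # keep the most recent run before the change, if there is one
        evidence = max(candidates, key=lambda r: parse(r["at"]), default=None)
        results.append((a, evidence))
    return results


def unsupported_assignments(assignments, audit_log):
    """Assignments with no preceding analysis run: the ones an auditor would sample."""
    return [a for a, ev in find_analysis_evidence(assignments, audit_log) if ev is None]


if __name__ == "__main__":
    for a, ev in find_analysis_evidence(ROLE_ASSIGNMENTS, SM20_LOG):
        status = f"analysis run at {ev['at']}" if ev else "NO ANALYSIS FOUND"
        print(f"{a['at']} {a['user']:<8} {a['role']:<20} by {a['changed_by']}: {status}")
```

As Chris notes, conflicts introduced by transported role changes never show up as an assignment in this correlation, so they still need a separate check.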
Copyright © 2010 Toolbox.com and message author.