Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved.
How to Perform a System Audit and Technical Review of SAP Access Control
Barun Kumar
Turnkey Consulting
1
In This Session
• Learn about:
  - Important audit concerns in an SAP Access Control environment
  - Control objectives of auditing SAP Access Control
• Gain an understanding of:
  - Major risks associated with the identified control weaknesses
  - Preventative measures to remediate identified risks and possible issues
• Learn how to implement and operate an audit-compliant SAP Access Control system
2
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
3
The Big Picture – System Architecture
Source: SAP Access Control sizing guide
4
Why Audit SAP Access Control?
• A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby eliminating the likelihood of fraudulent or malicious activities
  - It involves the verification of conformance to policies and procedures through close review of objective and empirical evidence
• SAP Access Control is the compliance tool in the SAP system landscape; hence, it needs to be self-compliant
  - Compromise of the tool can mean compromise of the entire system landscape (SAP and non-SAP)
• Evaluation of the organization’s internal control design
• Gain assurance on the operating effectiveness of defined controls
5
When to Audit
• Review of the SAP Access Control system should be performed:
  - Pre-go-live
  - Post-go-live
  - On an ongoing basis
• Irrespective of the timing, you should check the controls defined in the system against what is defined in the security policies of the organization
6
What to Audit
• Technical infrastructure
  - Hardware – Memory, CPU, etc.
  - Software – SAP components, databases, operating system
  - Network
• Processes
• Master data
• Internal controls and policies
• Customization settings
• Documentation
7
What Happens If You Do Not Audit
• Business implications
  - Possible compromise of the compliance tool
  - Loss of goodwill for the organization
  - Payment of huge fines
  - Inability of the business to continue to operate, in extreme cases
• Technical implications
  - System performance degradation
  - Knowledge transfer gaps
  - Error-prone system
  - System unavailability
  - Obsolete functionalities
8
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
9
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
10
Technical Installation Validation
• Installation of SAP Access Control requires installation of:
  - SAP
  - Database
  - Operating system
• Major risk
  - The system might be:
    - Error prone
    - Unusable
    - Missing functionalities
• Preventative measures
  - Ensure that the systems run the required, correct, and current software components and products
11
Technical Installation Validation (cont.)
• SAP Access Control 10.x requires the following GRC software components and other dependent components:
  - GRCFND_A — Mandatory on the GRC server
  - GRCPINW — Mandatory on the back-end system
  - GRCPIERP — Optional on the back-end system
    - Confirm GRCPIERP is installed if you need specific functionalities like HR triggers
    - Requires the SAP_ABA and SAP_HR software components
• Gain assurance about the consistency and synchronization requirement between the support package (SP) levels of the foundation and plug-in components
  - For SAP GRC 10.0 (prior to SP10), the SP version of the GRC foundation component and the plug-in must be the same
12
Technical Installation Validation (cont.)
• Auditors must be assured that all required software components are installed
  - Setup of Adobe Document Services (which requires a Java instance) is required for PDF reports
  - The Crystal Reports ALV adapter is required for generating Crystal Reports-based reports
• The technical review should evaluate the currency of software components
  - Current support package is implemented
  - Kernel is upgraded to the current patch level
  - Important SAP Notes are implemented (e.g., SAP Note 1545511)
  - Current operating system and database patches are deployed
13
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
14
Activation of ICF Services
• ICF supports the processing of HTTP, HTTPS, or SMTP requests in the ABAP work processes of an SAP system
• As part of the post-installation activities, you need to activate a number of ICF services
• Major risk
  - The system might be vulnerable to Internet (external) browser-based attacks
• Preventative measure
  - Enforce control over the activation of ICF services
  - Only activate ICF services on a need-to-do basis
15
Activation of ICF Services (cont.)
• It is possible to explicitly assign a user to an ICF service
  - This is commonplace when end-user log-on functionality is implemented
  - The authorization assigned to that user in the system must be adequately controlled
• Check that ICF services are prevented from using functions that present a risk
  - Confirm that the following administrator settings are configured (transaction SICF > Go to > Settings):
    - Do not allow recording function
    - Do not allow trace function
    - Do not allow debugging function
    - Do not allow runtime analysis function
16
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
17
Background Jobs Administration and Monitoring
• Background jobs are programs or a collection of programs that can be executed by background work processes
• Different background jobs are normally scheduled in the system to ensure that activities are performed properly
• Major risk
  - Data inconsistencies between the SAP GRC system and the satellite systems
  - Smooth running of the system might be impacted if administrative background jobs are not scheduled and executed successfully
• Preventative measure
  - Schedule (in the correct order) and monitor background jobs for successful completion
18
Background Jobs Administration and Monitoring (cont.)
• It is important to have a meaningful job-naming convention so that the correct application knowledge can be found quickly for support
• Recommended structure for a background job name (e.g., S_PRD100_UK_SPM_WORKFLOWSYNC_H):
  - Prefix: Indicate whether the job contains customer coding (Z) or SAP standard coding (S)
  - System/client: Indicate the involved system/client combination (e.g., PRD100)
  - Organization: Indicate the involved organizational information (e.g., abbreviations for regions or countries [US, DE, FR])
  - Component: Involved component/application area, such as ARA, SPM, CUP, and BRM
  - Job description: Specify a speaking name for the job (e.g., SPM_WORKFLOWSYNC)
  - Frequency: Job frequency (e.g., Hourly [H], Daily [D], Weekly [W])
19
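An auditor reviewing a long SM37 job list will want to check the naming convention above mechanically rather than by eye. The following is an added example, not code from the presentation or from SAP: it parses a job name into the six fields of the convention and reports every violation. The system/client pattern (three-character SID plus three-digit client) and the two- to three-letter organization code are assumptions, and the sample job list is constructed.

```python
import re
from dataclasses import dataclass

# Fixed vocabularies of the convention (from the slide).
PREFIXES = {"Z": "customer coding", "S": "SAP standard coding"}
COMPONENTS = {"ARA", "SPM", "CUP", "BRM"}
FREQUENCIES = {"H": "Hourly", "D": "Daily", "W": "Weekly"}
# Assumption: system/client is a 3-character SID followed by a 3-digit client (PRD100).
SYSTEM_CLIENT = re.compile(r"^[A-Z][A-Z0-9]{2}\d{3}$")
# Assumption: organization is a 2- or 3-letter region/country abbreviation (UK, DE, FR).
ORGANIZATION = re.compile(r"^[A-Z]{2,3}$")


@dataclass
class JobName:
    prefix: str
    system_client: str
    organization: str
    component: str
    description: str
    frequency: str


def parse_job_name(name: str) -> JobName:
    """Split a job name into the convention's six fields; raise ValueError on the
    first violation found."""
    parts = name.split("_")
    # Minimum: prefix, system/client, organization, component, description, frequency.
    if len(parts) < 6:
        raise ValueError(f"{name}: expected at least 6 '_'-separated fields, got {len(parts)}")
    prefix, system_client, organization, component = parts[:4]
    frequency = parts[-1]
    description = "_".join(parts[4:-1])  # the description may itself contain underscores
    if prefix not in PREFIXES:
        raise ValueError(f"{name}: prefix {prefix!r} must be one of {sorted(PREFIXES)}")
    if not SYSTEM_CLIENT.match(system_client):
        raise ValueError(f"{name}: system/client {system_client!r} is not <SID><client>")
    if not ORGANIZATION.match(organization):
        raise ValueError(f"{name}: organization {organization!r} is not a 2-3 letter code")
    if component not in COMPONENTS:
        raise ValueError(f"{name}: component {component!r} must be one of {sorted(COMPONENTS)}")
    if not description:
        raise ValueError(f"{name}: job description is empty")
    if frequency not in FREQUENCIES:
        raise ValueError(f"{name}: frequency {frequency!r} must be one of {sorted(FREQUENCIES)}")
    return JobName(prefix, system_client, organization, component, description, frequency)


def audit_job_names(names):
    """Return {job name: violation} for every name that breaks the convention."""
    findings = {}
    for name in names:
        try:
            parse_job_name(name)
        except ValueError as exc:
            findings[name] = str(exc)
    return findings


# Constructed sample job list (not real SM37 output).
SAMPLE_JOBS = [
    "S_PRD100_UK_SPM_WORKFLOWSYNC_H",          # conforms
    "Z_PRD100_DE_ARA_BATCH_RISK_ANALYSIS_D",   # conforms; description contains underscores
    "GRC_SYNC_JOB",                            # too few fields
    "X_PRD100_US_CUP_REQUEST_SYNC_D",          # unknown prefix
    "S_PRD100_FR_SPM_LOGSYNC_M",               # unsupported frequency
]

if __name__ == "__main__":
    for problem in audit_job_names(SAMPLE_JOBS).values():
        print(problem)
```

Feeding the function an exported SM37 job list gives the reviewer the exceptions to discuss with the basis team; names that do not parse are exactly the jobs whose owner, system and frequency cannot be inferred during support.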
Background Jobs Administration and Monitoring (cont.)
• Ensuring data currency and consistency
  - Schedule standard background jobs in SAP Access Control to synchronize data between the GRC system and the satellite systems
• Major master data elements that need to be synchronized in the access control system:
  - PFCG authorizations
  - Profiles
  - Roles
  - Users
  - Action usage
  - Role usage
  - EAM master data
20
Background Jobs Administration and Monitoring (cont.)
• The implication of failed synchronization jobs can be grave, because outdated data can expose the system to fraudulent activities. For example:
  - An access request might be routed to an incorrect approver, who might approve it based on inadequate knowledge of the risk exposure
    - This can happen because the data source information for approver determination is unsynchronized
  - The detective control associated with the review of firefighter logs can be impaired
    - This can happen if the background job responsible for collecting firefighting session logs and sending them to the controller fails to execute successfully
21
Background Jobs Administration and Monitoring (cont.)
• An auditor will be interested in ascertaining that the background jobs that drive data synchronization are always executed successfully as scheduled
• The sequence of execution of these background jobs is also an important consideration during a technical review
• Recommended sequence for background job execution:
1. Program GRAC_PFCG_AUTHORIZATION_SYNC
2. Program GRAC_REPOSITORY_OBJECT_SYNC
3. Program GRAC_ACTION_USAGE_SYNC
4. Program GRAC_ROLE_USAGE_SYNC
22
Background Jobs Administration and Monitoring (cont.)
• Other programs that should be reviewed to ensure they are properly scheduled include:
  - Batch risk analysis: Program GRAC_BATCH_RISK_ANALYSIS
  - Firefighter log collection: Program GRAC_SPM_LOG_SYNC_UPDATE
  - Firefighter workflow synchronization: Program GRAC_SPM_WORKFLOW_SYNC
  - IDM schema update: Program GRAC_SCHEMA_UPDATE
• Check the status of background jobs via transaction SM37
23
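The three checks the slides ask for (required programs scheduled, last run finished, synchronization programs executed in the recommended order) can be run over an SM37 export. The block below is an added example written for this page, not code from the presentation or from SAP. It assumes SM37-style records with a job name, the ABAP program, the single-letter job status (F = finished, A = cancelled, as in table TBTCO) and the start time; the sample records are constructed.

```python
from datetime import datetime

# Recommended execution order of the data synchronization programs (from the slide).
SYNC_SEQUENCE = [
    "GRAC_PFCG_AUTHORIZATION_SYNC",
    "GRAC_REPOSITORY_OBJECT_SYNC",
    "GRAC_ACTION_USAGE_SYNC",
    "GRAC_ROLE_USAGE_SYNC",
]
# Other programs that must be scheduled (from the slide).
OTHER_REQUIRED = [
    "GRAC_BATCH_RISK_ANALYSIS",
    "GRAC_SPM_LOG_SYNC_UPDATE",
    "GRAC_SPM_WORKFLOW_SYNC",
    "GRAC_SCHEMA_UPDATE",
]
# Assumption: single-letter job status codes as shown by SM37 / table TBTCO.
FINISHED, CANCELLED = "F", "A"


def latest_runs(job_records):
    """Return {program: record} holding the most recent run of each program."""
    latest = {}
    for record in job_records:
        program = record["program"]
        if program not in latest or record["start"] > latest[program]["start"]:
            latest[program] = record
    return latest


def check_sync_jobs(job_records):
    """Evaluate SM37-style records and return a list of audit findings (empty = clean)."""
    findings = []
    latest = latest_runs(job_records)

    # 1. Every required program has at least one job.
    for program in SYNC_SEQUENCE + OTHER_REQUIRED:
        if program not in latest:
            findings.append(f"{program}: no job found")
    # 2. The most recent run of every program finished successfully.
    for program, record in latest.items():
        if record["status"] != FINISHED:
            findings.append(f"{program}: last run {record['job']} ended with status {record['status']}")
    # 3. The latest runs of the synchronization programs started in the recommended order.
    present = [p for p in SYNC_SEQUENCE if p in latest]
    starts = [latest[p]["start"] for p in present]
    if starts != sorted(starts):
        findings.append("synchronization programs did not run in the recommended order: "
                        + ", ".join(present))
    return findings


def rec(job, program, status, when):
    """Build one constructed SM37-style record."""
    return {"job": job, "program": program, "status": status,
            "start": datetime.fromisoformat(when)}


# Constructed sample: role usage sync ran before the repository sync, the firefighter
# log collection was cancelled, and the IDM schema update is not scheduled at all.
SAMPLE_RECORDS = [
    rec("S_PRD100_UK_ARA_PFCGSYNC_D", "GRAC_PFCG_AUTHORIZATION_SYNC", "F", "2015-03-01T01:00:00"),
    rec("S_PRD100_UK_ARA_ROLEUSAGE_D", "GRAC_ROLE_USAGE_SYNC", "F", "2015-03-01T01:30:00"),
    rec("S_PRD100_UK_ARA_REPOSYNC_D", "GRAC_REPOSITORY_OBJECT_SYNC", "F", "2015-03-01T02:00:00"),
    rec("S_PRD100_UK_ARA_ACTUSAGE_D", "GRAC_ACTION_USAGE_SYNC", "F", "2015-03-01T02:30:00"),
    rec("S_PRD100_UK_ARA_BATCHRISK_D", "GRAC_BATCH_RISK_ANALYSIS", "F", "2015-03-01T03:00:00"),
    rec("S_PRD100_UK_SPM_LOGSYNC_H", "GRAC_SPM_LOG_SYNC_UPDATE", "A", "2015-03-01T03:00:00"),
    rec("S_PRD100_UK_SPM_WORKFLOWSYNC_H", "GRAC_SPM_WORKFLOW_SYNC", "F", "2015-03-01T03:00:00"),
]

if __name__ == "__main__":
    for finding in check_sync_jobs(SAMPLE_RECORDS):
        print(finding)
```

Only the most recent run per program is judged, which is what a point-in-time review needs; for a period review, run the same check over each day's slice of the export so that an occasional cancelled run is not hidden by a later successful one.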
Background Jobs Administration and Monitoring (cont.)
• A technical system auditor should be abreast of the required background jobs that should be scheduled for the different underlying databases
• For example, the following database management-related background jobs should be executed for a Microsoft SQL Server database:
  - CCMS Blocking Database Locks Statistics
  - CCMS Check Database (DBCC – Database Consistency Checker)
  - CCMS Update Table Statistics
  - MSSQL COLLECTOR
• Also review the successful execution of administrative background jobs, such as report RSBTCDEL (Delete Batch Jobs)
24
Background Jobs Administration and Monitoring (cont.)
• Variants are used to eliminate the need to enter the same values in the selection criteria fields every time you execute a report
• This functionality is designed to reduce both data entry time and system processing time, which makes it commonplace in every SAP system environment
• Variants should be reviewed for correctness and currency
• Ideally, variants that are no longer relevant in the system should be discontinued or adjusted accordingly to avoid the chance of using them unknowingly
• You can review the entries in table TBTCP to assess the currency and relevance of defined variants
25
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
26
Integration with Back-End Systems
• A typical SAP GRC system is made up of more than just the GRC box
  - It also contains other back-end systems, such as SAP ERP, SAP Enterprise Portal, or Microsoft Active Directory
• The GRC system is used to provision access to the back-end system
  - Or the back-end system is used as the data source for user authentication and user details in the SAP Access Control system
• Major risk
  - Vulnerabilities and data inaccuracy in the back-end system can impact the operation of the GRC system
• Preventative measure
  - Ensure appropriate security and data accuracy are enforced in the satellite systems
27
Integration with Back-End Systems (cont.)
• System review of the back-end systems is just as important as system review of SAP Access Control
• Security breaches in any dependent back-end system can impact the integrity of the access control system
  - For example, if the HR system is designed as the source of user details (e.g., Personnel Area drives the assignment of the approval agent) and the data maintained in the HR system is not accurate, an access request can be incorrectly routed
• The system auditor needs to be assured that systems connected to the GRC system are performing their intended roles in terms of:
  - Functionality delivery
  - Data accuracy
  - System availability
28
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
29
Performance Optimization
• Performance of the SAP Access Control system is dependent on the following:
  - Master data volume
  - Transaction data volume
  - Configuration settings (customizing)
  - Number of concurrent users
  - Size of the system landscape (number of systems and available system resources)
• Major risk
  - Slowness or unavailability of the system
• Preventative measure
  - Optimal preliminary sizing, appropriate configuration settings, efficient parameterization, and adequate capacity planning
30
Performance Optimization (cont.)
• If system performance is degraded, it can lead to unavailability of the access control system and consequently affect functional use of the application
• The audit should focus on data maintenance strategies such as:
  - Data prevention
  - Data deletion
  - Table indexing and data reorganization
• An auditor should review performance-centric customizing settings such as:
  - Indexing of tables
  - Profile parameter settings
  - Parameterization in the IMG (configuration settings)
31
Performance Optimization (cont.)
• Indexing of tables
  - Fields MANDANT, UTIME, UDATE, and USERNAME in table CDHDR (SAP Note 1039144)
  - Fields MANDT, LANGU, and FIELD in table GRACFLDSYST (SAP Note 1866822)
• Profile parameters
  - abap/heap_area_dia (limit of heap memory per dialog work process)
  - abap/heap_area_nondia (limit of heap memory per non-dialog work process)
  - abap/heap_area_total (limit of heap memory on the application server)
  - em/initial_size_MB (initial size of the extended memory pool)
  - abap/buffersize (program buffer size)
32
Performance Optimization (cont.)
• Parameterization in the IMG
  - Default user type for risk analysis (Parameter 1026) set to DIALOG
  - Include locked users (Parameter 1031) set to No
  - Include expired users (Parameter 1028) set to No
  - Include mitigated risks (Parameter 1030) set to No
  - Ignore critical roles and profiles (Parameter 1031) set to Yes
  - Batch size for batch risk analysis (Parameter 1120)
  - Batch size for user sync (Parameter 1121)
  - Batch size for role sync (Parameter 1122)
  - Batch size for profile sync (Parameter 1123)
33
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
34
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
35
Definition and Maintenance of Rule Set
• A rule set is a group of data elements that collectively form the segregation of duties risks and sensitive access risks in an enterprise
• Validation of the rule set normally involves the review of the dependent master data elements of a rule set, such as Risks and Functions (Actions and Permissions)
• Major risk
  - Access risk violations might be under-reported or over-reported
• Preventative measure
  - Ensure that the SoD and sensitive access rules reflect the approved risk perception of the enterprise
36
Definition and Maintenance of Rule Set (cont.)
• The review of the content of a rule set needs to be detailed
  - For example, the correctness of the absolute value defined for the corresponding authorization objects
  - Authorization object values: 1 is not synonymous with 01, and “*” is not “any value”
• Check via transaction SCPR20 that the SoD rule set-related BC Sets were activated without errors
• Check that the operators (AND, OR, and NOT) used in the rule set definition are properly defined
• Validate the access risk level to ensure correct master data attributes (e.g., risk levels) are maintained
• Review the SoD rule set for completeness
  - Inclusion of custom transaction codes and sensitive access
37
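The point that 1 is not 01 and that “*” in a rule is not “any value” is easiest to see in a small matcher. The following is an added example for this page, not SAP's risk analysis engine or code from the presentation. It is a simplified model (an assumption) of how a permission value in a function is compared with the field values held in a user's authorizations: values are compared as strings, a “*” in the user's authorization is full authorization and covers every rule value, whereas a “*” in the rule matches only an authorization that literally contains “*”. The rule set fragment and the two users are constructed.

```python
def value_granted(rule_value: str, auth_values) -> bool:
    """Is the rule set value covered by the user's authorization field values?
    auth_values: iterable of (low, high) pairs; high is "" for a single value.
    Assumed semantics: string comparison as in ABAP; "*" in the authorization is full
    authorization; "*" in the rule requires a literal "*" in the authorization."""
    for low, high in auth_values:
        if low == "*":              # full authorization covers every rule value, "*" included
            return True
        if rule_value == "*":       # the rule asks for the literal "*"; nothing else matches
            continue
        if high:                    # range: string comparison, so "1" is not inside "01".."03"
            if low <= rule_value <= high:
                return True
        elif low == rule_value:     # single value: exact string match, "1" != "01"
            return True
    return False


def function_matches(function_perms, user_auths) -> bool:
    """A function (its action and permission objects) matches when, for every
    object/field it lists, at least one of its values is granted to the user."""
    for (obj, field), rule_values in function_perms.items():
        granted = user_auths.get((obj, field), [])
        if not any(value_granted(v, granted) for v in rule_values):
            return False
    return True


def risk_violated(risk, user_auths) -> bool:
    """An SoD risk is the AND of its functions: violated only when all of them match."""
    return all(function_matches(f, user_auths) for f in risk)


# Constructed rule set fragment (not SAP's delivered content): two functions forming one risk.
CREATE_PO = {("S_TCODE", "TCD"): ["ME21N"], ("M_BEST_BSA", "ACTVT"): ["01"]}
APPROVE_PO = {("S_TCODE", "TCD"): ["ME29N"], ("M_EINK_FRG", "FRGCO"): ["*"]}
RISK_P001 = [CREATE_PO, APPROVE_PO]

# Constructed user A: ACTVT maintained as "1" instead of "01", and a single release code
# rather than "*". Neither value satisfies the rule as written, so no violation is reported
# even though the user can clearly create and release purchase orders.
USER_A = {("S_TCODE", "TCD"): [("ME21N", ""), ("ME29N", "")],
          ("M_BEST_BSA", "ACTVT"): [("1", "")],
          ("M_EINK_FRG", "FRGCO"): [("Z1", "")]}
# Constructed user B: a range covering 01 and full "*" on the release code: violation.
USER_B = {("S_TCODE", "TCD"): [("ME21N", ""), ("ME29N", "")],
          ("M_BEST_BSA", "ACTVT"): [("01", "03")],
          ("M_EINK_FRG", "FRGCO"): [("*", "")]}

if __name__ == "__main__":
    print("user A violates P001:", risk_violated(RISK_P001, USER_A))
    print("user B violates P001:", risk_violated(RISK_P001, USER_B))
```

User A is the under-reporting case the slide warns about: a rule written with “*” for the release code, or a user whose activity was keyed as 1, silently drops out of the violation report. The reviewer's remedy is on the rule set side (value 01, and an explicit release code or range rather than “*”), not on the user side.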
Definition and Maintenance of Rule Set (cont.)
• Check for the existence of effective policies and procedures aimed at ensuring that changes to the rule set are made in a controlled manner
  - Transport changes to the rule set via the IMG
  - Activate the change log functionality so that an audit trail is available for an auditor to review changes made to the elements of the rule set
38
Definition and Maintenance of Rule Set (cont.)
• Parameterization for rule set changes – workflow
  - Parameter 1062: Risk Maintenance
  - Parameter 1064: Function Maintenance
  - Parameter 1101: Create Request for Risk Approval
  - Parameter 1102: Update Request for Risk Approval
  - Parameter 1103: Delete Request for Risk Approval
  - Parameter 1104: Create Request for Function Approval
  - Parameter 1105: Update Request for Function Approval
  - Parameter 1106: Delete Request for Function Approval
39
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
40
Workflow Maintenance
• Workflow is designed to ensure that activities within the system are properly reviewed and approved by designated individuals before changes are made to specific information or processes
  - This can include the provisioning of access to users or changes to master data, such as functions or the assignment of mitigating controls to users and roles
• Major risk
  - An approval request might not be treated in a timely manner or by the correct approver
• Preventative measure
  - Ensure the workflow mechanism is properly configured and the approver (agent) master data is properly maintained
41
Workflow Maintenance (cont.)
• The approver delegation table should be reviewed to gain assurance that every approval delegation entry is justifiable
• Review the status of email messages generated in the system over a period of time via transaction SOST to ensure messages are not being trapped unnoticed
• Check that all users have their email addresses correctly maintained
42
Workflow Maintenance (cont.)
• Gain preliminary assurance that the workflow engine is working properly via transaction SWU3
• An audit interest in a workflow process is who the actor (approver) is
  - The approver must be reviewed for correctness and currency at defined intervals
• Review the agent master data to ensure that workflow approval requests are routed to the appropriate approvers and that approval requests are attended to promptly
  - Review the Service Level Agreement (SLA) report, if configured
43
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
44
Change Management
• The system landscape must be configured to adhere to at least a three-system landscape, typically made up of the development, quality assurance, and production systems
• Major risk
  - Data and customization setting inconsistencies, making the system error prone
• Preventative measure
  - Enforce control over the promotion of changed data or customizations across the system landscape by avoiding customizing activities performed directly in the production system
45
Change Management (cont.)
• System settings are designed to prevent changes to client-independent objects in non-development systems
  - SE06 – Should be set to “Not modifiable”
• Production client settings should be reviewed for appropriateness via transaction SCC4
  - Recommended production client settings:
    - Client-specific changes/transports – No changes allowed
    - Cross-client object changes – No change to repository and cross-client customizing objects
    - Protection: Client Copier and Comparison Tool – Protection level 2: No overwriting and no external availability
    - CATT and eCATT restriction – CATT and eCATT not allowed
46
Change Management (cont.)
• Ascertain that all configuration changes, including master data (BRFplus rules [such as logic and master data, approvers, or user defaults]), are tested before the changes are promoted to the destination/subsequent systems in the landscape
• For BRFplus objects – Local object vs. transportable object
47
Change Management (cont.)
• A number of master data items cannot be transported in SAP Access Control
  - These include reason codes, the access control owner definitions, coordinators, and firefighter master data
• The authorization concept, in conjunction with the SoD concept, should be used to enforce control over the management of the non-transportable master data
• Development and quality assurance systems also need to be secured appropriately
  - The defined security policy should address access rights, modification, and data composition of the non-production systems
48
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
49
Authorization Management of Technical Users
• To operate the SAP Access Control system normally, some system users need to be created and assigned specific authorizations
• Examples of these technical users are:
  - Remote Function Call (RFC) users
  - WF-BATCH users
• Major risk
  - The technical user account might be used for malicious activities in the system
• Preventative measure
  - Enforce control over the authorization assignment of technical users
50
Authorization Management of Technical Users (cont.)
• SAP recommends that the following authorization objects and values be assigned to the RFC user for SAP Access Control:
  - ACTVT: 16
  - RFC_NAME: /GRCPI/GRIA, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
  - RFC_TYPE: FUGR
• The WF-BATCH user is a communication user that is required to run the workflow engine
• Authorizations assigned to these users must be well controlled
  - Check that SAP_ALL is not assigned to these users
  - Consult SAP Note 1251255 for WF-BATCH user authorization management
  - Don’t forget the standard SAP users – SAP*, DDIC, SAPCPIC, etc.
51
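Comparing a technical user's actual authorizations with the recommendation above is a mechanical check once the user's profiles and S_RFC field values have been exported (for example from the user information system, SUIM). The block below is an added example written for this page, not code from the presentation or from SAP. It assumes the exported data as a list of (object, field, value) triples plus the list of assigned profiles; SAP_NEW is added to the forbidden profiles as an assumption of common practice beyond the slide's SAP_ALL, and both sample users are constructed.

```python
# Recommended S_RFC values for the SAP Access Control RFC user (from the slide).
RFC_ACTVT = {"16"}
RFC_NAMES = {"/GRCPI/GRIA", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX",
             "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"}
RFC_TYPES = {"FUGR"}
# Profiles a technical user must not hold: SAP_ALL from the slide, SAP_NEW as an assumption.
FORBIDDEN_PROFILES = {"SAP_ALL", "SAP_NEW"}


def audit_rfc_user(user):
    """user: {"name": str, "profiles": [str], "auths": [(object, field, value), ...]}
    Returns a list of findings; an empty list means the user matches the recommendation."""
    findings = []
    name = user["name"]

    # 1. No wide-open profile assigned.
    for profile in sorted(FORBIDDEN_PROFILES & set(user["profiles"])):
        findings.append(f"{name}: profile {profile} assigned")

    # 2. Collect the S_RFC field values actually held by the user.
    s_rfc = {}
    for obj, field, value in user["auths"]:
        if obj == "S_RFC":
            s_rfc.setdefault(field, set()).add(value)
    if not s_rfc:
        findings.append(f"{name}: no S_RFC authorization at all")
        return findings

    # 3. Each S_RFC field: no "*", nothing beyond the recommendation, nothing missing.
    checks = {"ACTVT": RFC_ACTVT, "RFC_NAME": RFC_NAMES, "RFC_TYPE": RFC_TYPES}
    for field, allowed in checks.items():
        values = s_rfc.get(field, set())
        if "*" in values:
            findings.append(f"{name}: S_RFC {field} is '*' (unrestricted)")
        extra = values - allowed - {"*"}
        if extra:
            findings.append(f"{name}: S_RFC {field} has values beyond the recommendation: {sorted(extra)}")
        missing = allowed - values
        if missing and "*" not in values:
            findings.append(f"{name}: S_RFC {field} lacks recommended values: {sorted(missing)}")
    return findings


# Constructed sample users (not real user master data).
GRC_RFC_OK = {
    "name": "GRC_RFC",
    "profiles": ["T-GRC_RFC"],
    "auths": [("S_RFC", "ACTVT", "16"), ("S_RFC", "RFC_TYPE", "FUGR")]
             + [("S_RFC", "RFC_NAME", n) for n in sorted(RFC_NAMES)],
}
GRC_RFC_BAD = {
    "name": "GRC_RFC_OLD",
    "profiles": ["SAP_ALL"],
    "auths": [("S_RFC", "ACTVT", "16"), ("S_RFC", "RFC_NAME", "*"),
              ("S_RFC", "RFC_TYPE", "FUGR")],
}

if __name__ == "__main__":
    for user in (GRC_RFC_OK, GRC_RFC_BAD):
        print(user["name"], audit_rfc_user(user) or "conforms")
```

The missing-value check is deliberately kept: a function group absent from RFC_NAME is not a security exposure, but it is the usual reason an integration "mysteriously" fails and is then fixed by granting `*`, which is the exposure the slide warns about.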
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
52
Firefighter ID Login Prohibition
• Firefighting is the act of using privileged user accounts in times of emergency
• Because the firefighter ID possesses elevated privileges, it should not be used directly in the back-end system
• Instead, it should be used via the assigned firefighter user on the SPM log-on pad
• Major risk
  - The firefighter ID (with privileged authorization) might be used to log on directly to the back-end system to perform malicious activities, and the logs will not be captured
• Preventative measure
  - Implement the user exit as described in SAP Note 1545511
53
Firefighter ID Login Prohibition (cont.)
• To enforce control around the use of the firefighter ID directly in the back-end system, implement a user exit in the back-end system where the firefighter ID resides
• Check whether report ZXUSRU01 exists in the back-end system and contains the include /GRCPI/GRIA_USEREXIT (SAP Note 1545511)
• To further verify that the user exit has been implemented, attempt to log on directly to the back-end system using a firefighter ID
  - The action should trigger the display of a dialog box confirming that you are not authorized to log on directly
54
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
55
Segregation of Duties
• SoD forms part of the requirements of many regulations, including Sarbanes-Oxley
• The idea is to prevent the concentration of authority to carry out critical activities in the system with specific users
• Major risk
  - Perpetration of malicious activities as a result of the possession of excessive authorization
• Preventative measure
  - Employ the principle of “least privilege” in authorization assignment and grant authorization on a “need-to-know” basis
56
Segregation of Duties (cont.)
• Check whether a set of incompatible-activity (SoD) matrices for the SAP Access Control system itself exists
  - For example, the person who creates a mitigating control should not be able to maintain or assign the mitigating control
• A technical review should establish that the authorizations assigned to specific job roles are optimal and do not create a conflict
• SoD-centric configuration settings, such as the ones below, should be reviewed for correctness and appropriateness:
  - Approver cannot approve his own request (EUP settings)
  - Firefighter ID owner can submit request for firefighter ID owned (Parameter 4013)
  - Firefighter ID controller can submit request for firefighter ID controlled (Parameter 4014)
57
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
58
Time Zone and Documentation
• Time zone setting
• Documentation
59
Time Zone Setting
• The output of some log reports generated for Emergency Access Management is based on input from transaction STAD (SAP Workload: Business Transaction Analysis) in the plug-in system
  - Reports in transaction STAD are based on operating system time
• Major risk
  - A difference in time zone can impact log collection, which will consequently impact correct reporting of firefighting session activities in the satellite system
    - This situation erodes the detective control capability of the firefighter log review
• Preventative measure
  - Ensure the time zones of the operating system and the SAP NetWeaver® engine are in sync in the SAP Access Control system and in the satellite systems
60
Time Zone Setting (cont.)
• An auditor should ensure the appropriate operating system time zone setting is maintained in the SAP Access Control system and the back-end system
  - It is best practice to have the same setting for:
    - The time zone of the operating system and the SAP NetWeaver system in the GRC system
    - The time zone of the operating system and the SAP NetWeaver system in the plug-in system (e.g., the SAP ERP system)
• However, the time zone settings of the GRC system and of the plug-in system need not necessarily be the same
• The time zone setting of the SAP NetWeaver system can be checked via report TZONECHECK (Check Time Zone Data for Consistency)
• More information in SAP Notes 1430336, 198411, and 481835
61
Time Zone and Documentation
• Time zone setting
• Documentation
62
Documentation
• Documentation is an integral part of any business solution delivery project and serves as part of the knowledge transfer requirement
• Major risk
  - A knowledge gap may exist with respect to the system design, configuration, and operational activities, which can consequently impact the optimal support of the system
• Preventative measure
  - Ensure documentation deliverables are agreed upon at project inception and subsequently approved by senior management
63
Documentation (cont.)
• Documentation related to the project should be assessed for completeness and correctness and should cover the following:
  - Technical installation, blueprint and system design, support and operation guide, security and authorization design, testing materials, and users’ guide
• Documentation must be approved by designated individuals, with at least one representative from senior management or the project steering committee
• Changes to documentation need to be approved and versioned
• The security of the location where documents are stored needs to be reviewed to ensure they cannot be tampered with or manipulated
• You can use SAP Solution Manager for document management
64
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
65
Archiving and Disaster Recovery
• Data archiving
• Business continuity and disaster recovery
66
Data Archiving
• Aside from business requirements and corporate policies, prevailing legal and regulatory requirements influence the data retention strategies adopted by an enterprise
• Data archiving also has a positive implication for system performance
• Major risk
  - System performance might be impaired and data retention policies might be flouted
• Preventative measure
  - Archive data at defined intervals and in accordance with the corresponding local and global regulations
67
Data Archiving (cont.)
• Gain an understanding of the archiving strategy of the organization and apply it in ensuring data is properly archived as scheduled, using the appropriate tools
• The following archiving objects are available to archive access control-specific data via transaction SARA:
  - GRFNMSMP – Archiving for GRC AC 2010 Requests
  - SPM_AU_LOG – SPM Audit Log Archive
  - SPM_CH_LOG – Change Log Archive
  - SPM_LOG – Archiving for SPM Log Reporting
  - SPM_OC_LOG – SPM OS Command Log Archiving
  - SPM_SY_LOG – SPM System Log Archival
• Check the integrity of the storage location of the archived data
68
Archiving and Disaster Recovery
• Data archiving
• Business continuity and disaster recovery
69
Business Continuity and Disaster Recovery
• The impact of the unavailability of the SAP Access Control system should be analyzed and documented
• System unavailability might present a window to perpetrate malicious activities, especially when there are no tested procedures to address such business events or scenarios
• Major risk
  - Data loss or inability to continue business operation in the event of a disaster
• Preventative measure
  - Ensure that appropriate business continuity and disaster recovery plans exist and are tested at defined intervals
70
Business Continuity and Disaster Recovery (cont.)
• Check to ensure there are adequate processes and controls in place to address the challenges that come with system unavailability or downtime (both planned and unplanned)
• Gain assurance that a business impact analysis has been performed
• Confirm that adequate and effective back-up and restore strategies exist
• Obtain test evidence of back-up and disaster recovery tests
  - Review the back-up log directly in the system via transaction DB12
• The technical review should also cover storage of back-up media and other conventional back-up and recovery audit concerns, such as back-up frequency
71
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
72
Where to Find More Information
• Kehinde Eseyin, “How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0” (SAP Professional Journal, October 2013).
  - http://bit.ly/1G5aZzF
• SAP Access Control 10.1 Security Guide
  - http://bit.ly/15aAAq2 *
• Kehinde Eseyin, “10 Best Practices for Enforcing Data Security, Control, and Consistency in the Software Logistics Process” (Financials Expert, March 2010).
  - http://bit.ly/1yp2ieD
• Kehinde Eseyin, “Combat Chaos with a Lock-Down Security Policy in 12 Key Areas of Your SAP Environment” (Financials Expert, June 2009).
  - http://bit.ly/1x8phG9
* Requires login credentials to the SAP Service Marketplace
73
7 Key Points to Take Home
• Set the recommended administrator security settings for ICF services
• Know the archiving objects relevant to SAP Access Control data
• Verify that the workflow engine is set up correctly using transaction SWU3
• Know the specific authorizations to assign to RFC technical users
• Improve system performance through the relevant configuration settings and profile parameters
• Improve performance of derived role import and firefighter log collection by
indexing tables GRACFLDSYST and CDHDR respectively
• Use report TZONECHECK to check time zone settings for data consistency
74
Your Turn!
How to contact me:
Barun Kumar
Barun.Kumar@turnkeyconsulting.com
Please remember to complete your session evaluation
75
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.

Weitere ähnliche Inhalte

Was ist angesagt?

How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]akquinet enterprise solutions GmbH
 
Read Access Logging (RAL) for SAP NetWeaver Overview
Read Access Logging (RAL) for SAP NetWeaver OverviewRead Access Logging (RAL) for SAP NetWeaver Overview
Read Access Logging (RAL) for SAP NetWeaver OverviewSAP Technology
 
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]akquinet enterprise solutions GmbH
 
Crafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCrafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCognizant
 
Unified Connectivity (UCON) for SAP NetWeaver Overview
Unified Connectivity (UCON) for SAP NetWeaver OverviewUnified Connectivity (UCON) for SAP NetWeaver Overview
Unified Connectivity (UCON) for SAP NetWeaver OverviewSAP Technology
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 stepsERPScan
 
Financial reporting compliance cloud service presentation
Financial reporting compliance cloud service presentationFinancial reporting compliance cloud service presentation
Financial reporting compliance cloud service presentationFeras Ahmad
 
FlexNet Manager Platform Implementation Service
FlexNet Manager Platform Implementation ServiceFlexNet Manager Platform Implementation Service
FlexNet Manager Platform Implementation ServiceFlexera
 
SolMan CHARM Webinar
SolMan CHARM WebinarSolMan CHARM Webinar
SolMan CHARM WebinarWise Men
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP DrupalMike Lemire
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
ERP IT Infrastructure Audit
ERP IT Infrastructure AuditERP IT Infrastructure Audit
ERP IT Infrastructure Auditvelcomerp
 

Was ist angesagt? (19)

SAP Risk Management
SAP Risk ManagementSAP Risk Management
SAP Risk Management
 
How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]How can managed services improve your SAP security and compliance? [Webinar]
How can managed services improve your SAP security and compliance? [Webinar]
 
Read Access Logging (RAL) for SAP NetWeaver Overview
Read Access Logging (RAL) for SAP NetWeaver OverviewRead Access Logging (RAL) for SAP NetWeaver Overview
Read Access Logging (RAL) for SAP NetWeaver Overview
 
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
Cut your costs: Deactivate inactive users & reduce sap license fees. [Webinar]
 
Crafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC StrategyCrafting an End-to-End Pharma GRC Strategy
Crafting an End-to-End Pharma GRC Strategy
 
Unified Connectivity (UCON) for SAP NetWeaver Overview
Unified Connectivity (UCON) for SAP NetWeaver OverviewUnified Connectivity (UCON) for SAP NetWeaver Overview
Unified Connectivity (UCON) for SAP NetWeaver Overview
 
Securing SAP in 5 steps
Securing SAP in 5 stepsSecuring SAP in 5 steps
Securing SAP in 5 steps
 
ERP Post Implementation Audit
ERP Post Implementation AuditERP Post Implementation Audit
ERP Post Implementation Audit
 
Engica Q4 CMMS brochure
Engica Q4 CMMS brochureEngica Q4 CMMS brochure
Engica Q4 CMMS brochure
 
Q4 Product Safety Demo
Q4 Product Safety DemoQ4 Product Safety Demo
Q4 Product Safety Demo
 
Financial reporting compliance cloud service presentation
Financial reporting compliance cloud service presentationFinancial reporting compliance cloud service presentation
Financial reporting compliance cloud service presentation
 
FlexNet Manager Platform Implementation Service
FlexNet Manager Platform Implementation ServiceFlexNet Manager Platform Implementation Service
FlexNet Manager Platform Implementation Service
 
Engica Q4 Safety brocure - Permit to Work - ISSOW
Engica Q4 Safety brocure - Permit to Work - ISSOWEngica Q4 Safety brocure - Permit to Work - ISSOW
Engica Q4 Safety brocure - Permit to Work - ISSOW
 
Q4 Product Engineering Demo
Q4 Product Engineering DemoQ4 Product Engineering Demo
Q4 Product Engineering Demo
 
SolMan CHARM Webinar
SolMan CHARM WebinarSolMan CHARM Webinar
SolMan CHARM Webinar
 
Fisma FedRAMP Drupal
Fisma FedRAMP DrupalFisma FedRAMP Drupal
Fisma FedRAMP Drupal
 
Legacy system.
Legacy system.Legacy system.
Legacy system.
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
ERP IT Infrastructure Audit
ERP IT Infrastructure AuditERP IT Infrastructure Audit
ERP IT Infrastructure Audit
 

Ähnlich wie GRCSing2015_Kumar_Howtoperformasystem

Tools for Accelerating Validation of Office 365
Tools for Accelerating Validation of Office 365Tools for Accelerating Validation of Office 365
Tools for Accelerating Validation of Office 365Montrium
 
Enterprise resource planning_system
Enterprise resource planning_systemEnterprise resource planning_system
Enterprise resource planning_systemJithin Zcs
 
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Glen Roberts, CISSP
 
Continuous validation of office 365
Continuous validation of office 365Continuous validation of office 365
Continuous validation of office 365Montrium
 
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...Ingo Weber
 
How to Build TOGAF Architectures With System Architect (2).ppt
How to Build TOGAF Architectures With System Architect (2).pptHow to Build TOGAF Architectures With System Architect (2).ppt
How to Build TOGAF Architectures With System Architect (2).pptStevenShing
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructurenicholas njoroge
 
Logicentrix Dashboards And Scorecards
Logicentrix Dashboards And ScorecardsLogicentrix Dashboards And Scorecards
Logicentrix Dashboards And Scorecardssanolan
 
What is Platform Observability? An Overview
What is Platform Observability? An OverviewWhat is Platform Observability? An Overview
What is Platform Observability? An OverviewKumar Kolaganti
 
Perfexpert
PerfexpertPerfexpert
Perfexpertgystell
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsERPScan
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architectureMatsuo Sawahashi
 
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...NETWAYS
 
Share cics policy (2844)
Share cics policy (2844)Share cics policy (2844)
Share cics policy (2844)nick_garrod
 
Performing a successful technical debt assessment in Salesforce
Performing a successful technical debt assessment in SalesforcePerforming a successful technical debt assessment in Salesforce
Performing a successful technical debt assessment in SalesforceCoforge (Erstwhile WHISHWORKS)
 
Application Performance Management
Application Performance ManagementApplication Performance Management
Application Performance ManagementNoriaki Tatsumi
 
SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...Steffan Stringer
 
Platform Observability and Infrastructure Closed Loops
Platform Observability and Infrastructure Closed LoopsPlatform Observability and Infrastructure Closed Loops
Platform Observability and Infrastructure Closed LoopsLiz Warner
 
Data center engineering operations
Data center engineering operationsData center engineering operations
Data center engineering operationsJagbir Sangwan
 

Ähnlich wie GRCSing2015_Kumar_Howtoperformasystem (20)

Tools for Accelerating Validation of Office 365
Tools for Accelerating Validation of Office 365Tools for Accelerating Validation of Office 365
Tools for Accelerating Validation of Office 365
 
Enterprise resource planning_system
Enterprise resource planning_systemEnterprise resource planning_system
Enterprise resource planning_system
 
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
Security Challenges in Cloud Integration - Cloud Security Alliance, Austin Ch...
 
Dinord
DinordDinord
Dinord
 
Continuous validation of office 365
Continuous validation of office 365Continuous validation of office 365
Continuous validation of office 365
 
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...
Behavioral Analytics and Blockchain Applications – a Reliability View. Keynot...
 
How to Build TOGAF Architectures With System Architect (2).ppt
How to Build TOGAF Architectures With System Architect (2).pptHow to Build TOGAF Architectures With System Architect (2).ppt
How to Build TOGAF Architectures With System Architect (2).ppt
 
Best practices in networks and infrastructure
Best practices in networks and infrastructureBest practices in networks and infrastructure
Best practices in networks and infrastructure
 
Logicentrix Dashboards And Scorecards
Logicentrix Dashboards And ScorecardsLogicentrix Dashboards And Scorecards
Logicentrix Dashboards And Scorecards
 
What is Platform Observability? An Overview
What is Platform Observability? An OverviewWhat is Platform Observability? An Overview
What is Platform Observability? An Overview
 
Perfexpert
PerfexpertPerfexpert
Perfexpert
 
EAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applicationsEAS-SEC: Framework for securing business applications
EAS-SEC: Framework for securing business applications
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architecture
 
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...
Nagios Conference 2007 | Enterprise Application Monitoring with Nagios by Jam...
 
Share cics policy (2844)
Share cics policy (2844)Share cics policy (2844)
Share cics policy (2844)
 
Performing a successful technical debt assessment in Salesforce
Performing a successful technical debt assessment in SalesforcePerforming a successful technical debt assessment in Salesforce
Performing a successful technical debt assessment in Salesforce
 
Application Performance Management
Application Performance ManagementApplication Performance Management
Application Performance Management
 
SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...SaaS System Validation, practical tips on getting validated for go-live and t...
SaaS System Validation, practical tips on getting validated for go-live and t...
 
Platform Observability and Infrastructure Closed Loops
Platform Observability and Infrastructure Closed LoopsPlatform Observability and Infrastructure Closed Loops
Platform Observability and Infrastructure Closed Loops
 
Data center engineering operations
Data center engineering operationsData center engineering operations
Data center engineering operations
 

GRCSing2015_Kumar_Howtoperformasystem

  • 1. Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved. How to Perform a System Audit and Technical Review of SAP Access Control Barun Kumar Turnkey Consulting
  • 2. 1 In This Session • Learn about:  Important audit concerns in an SAP Access Control environment  Control objectives of auditing SAP Access Control • Gain an understanding of:  Major risks associated with the identified control weaknesses  Preventative measures to remediate identified risks and possible issues • Learn how to implement and operate an audit-compliant SAP Access Control system
  • 3. 2 What We’ll Cover • Why, when, and what of an SAP Access Control audit • Technical and system information • Workflow and authorizations • Time zone and documentation • Archiving and disaster recovery • Wrap-up
  • 4. 3 The Big Picture – System Architecture Source: SAP Access Control sizing guide
  • 5. 4 Why Audit SAP Access Control? • A system audit is an exercise performed to gain assurance that defined controls work as intended, thereby eliminating the likelihood of fraudulent or malicious activities  It involves the verification of conformance to policies and procedures through acute review of objective and empirical evidence • SAP Access Control is the compliance tool in the SAP system landscape; hence, it needs to be self-compliant  Compromise of the tool can mean compromise of the entire system (SAP and non-SAP) in the landscape • Evaluation of the organization’s internal control design • Gain assurance on the operating effectiveness of defined controls
  • 6. 5 When to Audit • Review of the SAP Access Control system should be performed:  Pre-go-live  Post-go-live  On an ongoing basis • Irrespective of the timing, you should check the controls defined in the system against what is defined in the security policies of the organization
  • 7. 6 What to Audit • Technical Infrastructure  Hardware – Memory, CPU, etc.  Software – SAP component, databases, operating system  Network • Processes • Master data • Internal controls and policies • Customization settings • Documentation
  • 8. 7 What Happens If You Do Not Audit • Business implications  Possible compromise of the compliance tool  Loss of goodwill for the organization  Payment of huge fines  Inability of the business to continue to operate, in extreme cases • Technical implications  System performance degradation  Knowledge transfer gaps  Error-prone system  System unavailability  Obsolete functionalities
  • 9. 8 What We’ll Cover • Why, when, and what of an SAP Access Control audit • Technical and system information • Workflow and authorizations • Time zone and documentation • Archiving and disaster recovery • Wrap-up
  • 10. 9 Technical and System Information • Technical installation validation • Activation of Internet Communication Framework (ICF) Services • Background jobs administration and monitoring • Integration with back-end systems • Performance optimization
  • 11. 10 Technical Installation Validation • Installation of SAP Access Control requires installation of:  SAP  Database  Operating system • Major risk  The system might be:  Error prone  Unusable  Missing functionalities • Preventative measures  Ensure that the systems run the required, correct, and current software components and products
  • 12. 11 Technical Installation Validation (cont.) • SAP Access Control 10.x requires the following GRC software components and other dependent components:  GRCFND_A — Mandatorily installed on the GRC server  GRCPINW — Mandatorily installed on the back-end system  GRCPIERP — Optionally installed on the back-end system  Confirm GRCPIERP is installed if you need specific functionalities like HR triggers  Requires SAP_ABA and SAP_HR software components • Gain assurance about the consistency and synchronization requirement with the support package (SP) levels of the foundation and plug-in components  For SAP GRC 10.0 (prior to SP10), the version of the SP GRC foundation component and the plug-in must be the same
  • 13. 12 Technical Installation Validation (cont.) • Auditors must be assured that all required software components are installed  Setup of Adobe Document Services (which requires a Java instance) is required for PDF reports  Crystal Reports ALV adapter is required for generating Crystal Report-based reports • The technical review should evaluate the currency of software components  Current support package is implemented  Kernel is upgraded to the current patch level  Important SAP Notes are implemented (e.g., SAP Note 1545511)  Current operating system and database patches are deployed
  • 14. 13 Technical and System Information • Technical installation validation • Activation of Internet Communication Framework (ICF) Services • Background jobs administration and monitoring • Integration with back-end systems • Performance optimization
  • 15. 14 Activation of ICF Services • ICF supports the processing of HTTP, HTTPS, or SMTP requests in the ABAP work processes of an SAP system • As part of the post-installation activities, you need to activate a number of ICF services • Major risk  The system might be vulnerable to Internet (external) browser-based attacks • Preventative measure  Enforce control in the activation of ICF services  Only activate ICF services on a need-to-do basis
  • 16. 15 Activation of ICF Services (cont.) • It is possible to explicitly assign a user to an ICF service  This is commonplace when end-user log-on functionality is implemented  The authorization assigned to the user in the system must be adequately controlled • Check that ICF services are prevented from using functions that present a risk  Confirm that the following administrator settings are configured (Transaction code SICF  Go to  Settings):  Do not allow recording function  Do not allow trace function  Do not allow debugging function  Do not allow runtime analysis function
  • 17. 16 Technical and System Information • Technical installation validation • Activation of Internet Communication Framework (ICF) Services • Background jobs administration and monitoring • Integration with back-end systems • Performance optimization
  • 18. 17 Background Jobs Administration and Monitoring • Background jobs are programs or a collection of programs that can be executed by background work processes • Different background jobs are normally scheduled in the system to ensure that activities are performed properly • Major risk  Data inconsistencies between the SAP GRC system and the satellite system  Smooth running of the system might be impacted if administrative background jobs are not scheduled and executed successfully • Preventative measure  Schedule (in the correct order) and monitor background jobs for successful completion
  • 19. 18 Background Jobs Administration and Monitoring (cont.) • Important to have a meaningful job-naming convention to find correct and appropriate application knowledge for quick support • Recommendation for a background job name (e.g., (S_PRD100_UK_SPM_WORKFLOWSYNC_H)  Prefix: Indicate if the job contains customer coding (Z) or SAP standard coding (S)  System/client: Indicate the involved system/client combination (e.g., PRD100)  Organization: Indicate the involved organizational information (e.g., abbreviations for regions or countries [US, DE, FR])  Component: Involved component/application area such as ARA, SPM, CUP, and BRM  Job description: Specify a speaking name for the job (e.g., SPM_WORKFLOWSYNC)  Frequency: Job frequency (e.g., Hourly [H], Daily [D], Weekly [W])
  • 20. 19 Background Jobs Administration and Monitoring (cont.) • Ensuring data currency and consistency  Schedule standard background jobs in SAP Access Control to synchronize data between the GRC system and satellite systems • Major master data elements that need to be synchronized in the access control system  PFCG authorization  Profile  Roles  Users  Action usage  Role usage  EAM master data
  • 21. 20 Background Jobs Administration and Monitoring (cont.) • The implication of failed synchronization jobs can be grave because outdated data can expose the system to fraudulent activities. For example:  Access request might be routed to incorrect approver who might approve it based on inadequate knowledge of the risk exposure  This can happen because data source information for approver determination is unsynchronized  Detective control associated with the review of firefighter logs can be impaired  This can happen if the background job responsible for collecting firefighting session logs and sending same to the controller fails to execute successfully
  • 22. 21 Background Jobs Administration and Monitoring (cont.) • An auditor will be interested in ascertaining that the background jobs that drive data synchronization are always executed successfully as scheduled • Sequence of execution of these background jobs is also an important consideration during a technical review • Recommended sequence for background job execution: 1. Program GRAC_PFCG_AUTHORIZATION_SYNC 2. Program GRAC_REPOSITORY_OBJECT_SYNC 3. Program GRAC_ACTION_USAGE_SYNC 4. Program GRAC_ROLE_USAGE_SYNC
  • 23. 22 Background Jobs Administration and Monitoring (cont.) • Other programs that should be reviewed to ensure they are properly scheduled include:  Batch risk analysis: Program GRAC_BATCH_RISK_ANALYSIS  Firefighter logs collection: Program GRAC_SPM_LOG_SYNC_UPDATE  Firefighter workflow synchronization: Program GRAC_SPM_WORKFLOW_SYNC  IDM schema update: Program GRAC_SCHEMA_UPDATE • Check the status of background jobs via transaction SM37
  • 24. 23 Background Jobs Administration and Monitoring (cont.) • A technical system auditor should be abreast of required background jobs that should be scheduled for different underlying databases • For example, the following database management-related background jobs should be executed for a Microsoft SQL Server database:  CCMS Blocking Database Locks Statistics  CCMS Check Database (DBCC – Database Consistency Checker)  CCMS Update Table Statistics  MSSQL COLLECTOR • Also, review the successful execution of administrative background jobs, such as report RSBTCDEL (Delete Batch Job)
  • 25. 24 Background Jobs Administration and Monitoring (cont.) • Variants are used to eliminate the need to define same values in selection criteria fields every time you need to execute a report • This functionality is designed to reduce both data entry time and processing time of the system, which makes it commonplace in every SAP system environment • Variants should be reviewed for correctness and currency • Ideally, variants that are no longer relevant in the system should be discontinued or adjusted accordingly to avoid the chances of using them unknowingly • You can review the entries in table TBTCP to access the currency and relevance of defined variants
  • 26. 25 Technical and System Information • Technical installation validation • Activation of Internet Communication Framework (ICF) Services • Background jobs administration and monitoring • Integration with back-end systems • Performance optimization
  • 27. 26 Integration with Back-End Systems • Typical SAP GRC system is made up of more than just the GRC box  It also contains other back-end systems, such as SAP ERP, SAP Enterprise Portal, or Microsoft Active Directory • GRC system is used to provision access to the back-end system  Or the back-end system is used as the data source for user authentication and user details in the SAP Access Control system • Major risk  Vulnerabilities and data inaccuracy in the back-end system can impact the operation of the GRC system • Preventative measure  Ensure appropriate security and data accuracy is enforced in the satellite systems
  • 28. 27 Integration with Back-End Systems (cont.) • System review of back-end systems is just as important as system review of SAP Access Control • Security breaches in any dependent back-end system can impact the integrity of the access control system  For example, if the HR system is designed as the source of user details (e.g., Personnel Area drives the assignment of approval agent) and data maintained in the HR system is not accurate, an access request can be incorrectly routed • System auditor needs to be assured that systems connected to the GRC system are performing their intended roles in terms of:  Functionality delivery  Data accuracy  System availability
  • 29. 28 Technical and System Information • Technical installation validation • Activation of Internet Communication Framework (ICF) Services • Background jobs administration and monitoring • Integration with back-end systems • Performance optimization
  • 30. 29 Performance Optimization • Performance of the SAP Access Control system is dependent on the following:  Master data volume  Transaction data volume  Configuration settings (customizing)  Number of concurrent users  Size of the system landscape (number of systems and available system resources) • Major risk  Slowness or unavailability of the system • Preventative measure  Optimal preliminary sizing, appropriate configuration settings, efficient parameterization, and adequate capacity planning
  • 31. 30 Performance Optimization (cont.) • If system performance is degraded, it can lead to unavailability of the access control system and consequently affect functional use of the application • Audit should be focused on data maintenance strategies such as:  Data prevention  Data deletion  Table indexing and data reorganization • An auditor should review performance-centric customizing settings such as:  Indexing of tables  Profile parameter settings  Parameterization in IMG (configuration settings)
  • 32. 31 Performance Optimization (cont.) • Indexing of tables  Fields MANDANT, UTIME, UDATE, USERNAME in table CDHDR (SAP Note 1039144)  Fields MANDT, LANGU, and FIELD in table GRACFLDSYST (SAP Note 1866822) • Profile parameters  abap/heap_area_dia (limit of heap memory per dialog work process)  abap/heap_area_nondia (limit of heap memory per non-dialog work process)  abap/heap_area_total (limit of heap on application server)  em/initial_size_MB (initial size of extended memory pool)  abap/buffersize (program buffer size)
  • 33. 32 Performance Optimization (cont.) • Parameterization in IMG  Default user type for risk analysis (Parameter 1026) set to DIALOG  Include locked users (Parameter 1031) set to No  Include expired users (Parameter 1028) set to No  Include mitigated risks (Parameter 1030) set to No  Ignore critical roles and profiles (Parameter 1031) set to Yes  Batch size for batch risk analysis (Parameter 1120)  Batch size for user sync (Parameter 1121)  Batch size for role sync (Parameter 1122)  Batch size for profile sync (Parameter 1123)
  • 34. 33 What We’ll Cover • Why, when, and what of an SAP Access Control audit • Technical and system information • Workflow and authorizations • Time zone and documentation • Archiving and disaster recovery • Wrap-up
  • 35. 34 Workflow and Authorizations • Definition and maintenance of rule set • Workflow maintenance • Change management • Authorization management of technical users • Firefighter ID login prohibition • Segregation of duties
  • 36. 35 Definition and Maintenance of Rule Set • Rule set is a group of data elements that collectively form the segregation of duties risks and sensitive access risks in an enterprise • Validation of the rule set normally involves the review of dependent master data elements of a rule set, such as Risks and Functions (Actions and Permissions) • Major risk  Access risk violations might be under-reported or over-reported • Preventative measure  Ensure that SoD and sensitive access rules reflect the approved risk perception of the enterprise
  • 37. 36 Definition and Maintenance of Rule Set (cont.) • The review of the content of a rule set needs to be detailed  For example, the correctness of the absolute value defined for the corresponding authorization objects  Authorization object value :- 1 is not synonymous to 01 and “*” is not “any value” • Check via transaction SCPR20 that SoD ruleset-related BC sets were activated without errors • Check that the operators (AND, OR, and NOT) used in the rule set definition are properly defined • Validate the access risk level to ensure correct master data attributes (e.g., risk levels) are maintained • Review the SoD rule set for completeness  Inclusion of custom transaction codes and sensitive access
  • 38. 37 Definition and Maintenance of Rule Set (cont.) • Check for the existence of effective policies and procedures aimed at ensuring changes to the rule set are made in a controlled manner  Transport changes to ruleset via IMG  Activate change log functionality so audit trail is available for an auditor to review changes made to the elements of the rule set
  • 39. 38 Definition and Maintenance of Rule Set (cont.) • Parameterization for ruleset changes – workflow  Parameter 1062: Risk Maintenance  Parameter 1064: Function Maintenance  Parameter 1101: Create Request for Risk Approval  Parameter 1102: Update Request for Risk Approval  Parameter 1103: Delete Request for Risk Approval  Parameter 1104: Create Request for Function Approval  Parameter 1105: Update Request for Function Approval  Parameter 1106: Delete Request for Function Approval
39
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
40
Workflow Maintenance
• Workflow is designed to ensure that activities within the system are properly reviewed and approved by designated individuals before changes are made to specific information or processes
 This can include the provisioning of access to users or changes to master data, such as functions or the assignment of mitigating controls to users and roles
• Major risk
 Approval requests might not be handled promptly or by the correct approver
• Preventative measure
 Ensure the workflow mechanism is properly configured and the approver (agent) master data is properly maintained
41
Workflow Maintenance (cont.)
• The approver delegation table should be reviewed to gain assurance that every approval delegation entry is justifiable
• Review the status of email messages generated in the system over a period of time via transaction SOST to ensure messages are not stuck in the queue unnoticed
• Check that all users have their email addresses correctly maintained
42
Workflow Maintenance (cont.)
• Gain preliminary assurance that the workflow engine is working properly via transaction SWU3
• A central audit interest in a workflow process is the identity of the actor (approver)
 The approver must be reviewed for correctness and currency at defined intervals
• Review the agent master data to ensure that workflow approval requests are routed to the appropriate approvers and that approval requests are attended to promptly
 Review the Service Level Agreement (SLA) report, if configured
44
Change Management
• The system landscape must be configured to adhere to at least a three-system landscape, typically made up of the development, quality assurance, and production systems
• Major risk
 Data and customizing setting inconsistencies, which make the system error prone
• Preventative measure
 Enforce control in the promotion of changed data or customizing across the system landscape by not performing customizing activities directly in the production system
45
Change Management (cont.)
• System settings are designed to prevent changes to client-independent objects in non-development systems
 SE06 – Should be set to “Not modifiable”
• Production client settings should be reviewed for appropriateness via transaction SCC4
 Recommended production client settings
 Client-specific changes/transports – No changes allowed
 Cross-client object changes – No changes to Repository and cross-client customizing objects
 Protection: Client copier and comparison tool – Protection level 2: No overwriting, no external availability
 CATT and eCATT restrictions – CATT and eCATT not allowed
46
Change Management (cont.)
• Ascertain that all configuration changes, including master data (BRFplus rules, such as logic and master data, approvers, or user defaults), are tested before the changes are promoted to the subsequent systems in the landscape
• For BRFplus objects, distinguish local objects from transportable objects
47
Change Management (cont.)
• A number of master data items cannot be transported in SAP Access Control
 These include reason codes, access control owner definitions, coordinators, and firefighter master data
• The authorization concept, in conjunction with the SoD concept, should be used to enforce control in the management of the non-transportable master data
• Development and quality assurance systems also need to be secured appropriately
 The defined security policy should address access rights, modification, and data composition of the non-production systems
49
Authorization Management of Technical Users
• For the SAP Access Control system to operate normally, some system users need to be created and assigned specific authorizations
• Examples of these technical users are:
 Remote Function Call (RFC) users
 WF-BATCH users
• Major risk
 A technical user account might be used for malicious activities in the system
• Preventative measure
 Enforce control over the authorization assignment of technical users
50
Authorization Management of Technical Users (cont.)
• SAP recommends that the following authorization object fields and values be assigned to the RFC user for SAP Access Control:
 ACTVT: 16
 RFC_NAME: /GRCPI/GRIA, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU
 RFC_TYPE: FUGR
• WF-BATCH is a communication user that is required to run the workflow engine
• Authorizations assigned to these users must be well controlled
 Check that SAP_ALL is not assigned to this user
 Consult SAP Note 1251255 for WF-BATCH user authorization management
 Don’t forget the standard SAP users – SAP*, DDIC, SAPCPIC, etc.
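An auditor usually receives the technical users’ role and profile assignments as table exports rather than checking them one screen at a time. The following is an added example, not from the presentation or from SAP: it takes two constructed exports shaped like a profile assignment list (user, profile) and a role authorization list (role, object, field, LOW, HIGH), compares the RFC user’s S_RFC values with the recommended list from the slide in both directions (values granted beyond the list, and recommended values that are missing, which would break the connector rather than over-privilege it), and flags SAP_ALL on a technical user. User names, role names and the export column layout are assumptions made for this example.

```python
"""Technical-user authorization check (added example, constructed data)."""

# SAP-recommended S_RFC field values for the Access Control RFC user (from the slide).
RECOMMENDED_S_RFC = {
    "ACTVT": {"16"},
    "RFC_NAME": {"/GRCPI/GRIA", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX",
                 "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
    "RFC_TYPE": {"FUGR"},
}
PROHIBITED_PROFILES = {"SAP_ALL"}


def profile_findings(user, user_profiles):
    """Flag prohibited composite profiles assigned to the user."""
    return [f"profile {profile} assigned"
            for u, profile in user_profiles
            if u == user and profile in PROHIBITED_PROFILES]


def granted_s_rfc(user, user_roles, role_auths):
    """Collect S_RFC (LOW, HIGH) pairs per field across all roles of the user."""
    roles = set(user_roles.get(user, ()))
    granted = {}
    for role, obj, field, low, high in role_auths:
        if role in roles and obj == "S_RFC":
            granted.setdefault(field, set()).add((low, high))
    return granted


def covers(value, pairs):
    """True if any granted single value, range or wildcard covers `value`."""
    return any(low == "*" or (high and low <= value <= high) or low == value
               for low, high in pairs)


def s_rfc_findings(user, user_roles, role_auths):
    """Compare granted S_RFC values with the recommendation in both directions."""
    findings = []
    granted = granted_s_rfc(user, user_roles, role_auths)
    for field, recommended in RECOMMENDED_S_RFC.items():
        pairs = granted.get(field, set())
        for low, high in sorted(pairs):
            if low == "*" or high == "*":
                findings.append(f"S_RFC {field}: full wildcard '*' granted")
            elif high:
                findings.append(f"S_RFC {field}: range {low}..{high} granted "
                                f"instead of discrete values")
            elif low not in recommended:
                findings.append(f"S_RFC {field}: {low} is not in the recommended list")
        for value in sorted(recommended):
            if not covers(value, pairs):
                findings.append(f"S_RFC {field}: recommended value {value} is missing")
    return sorted(findings)


# Constructed sample exports (assumed user and role names).
USER_ROLES = {"GRC_RFC": ["Z_GRC_RFC"], "WF-BATCH": ["Z_GRC_WF"]}
USER_PROFILES = [("WF-BATCH", "SAP_ALL")]
ROLE_AUTHS = [
    ("Z_GRC_RFC", "S_RFC", "ACTVT", "16", ""),
    ("Z_GRC_RFC", "S_RFC", "RFC_TYPE", "FUGR", ""),
] + [
    ("Z_GRC_RFC", "S_RFC", "RFC_NAME", name, "")
    for name in ["/GRCPI/GRIA", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX",
                 "SUSR", "SUUS", "SU_USER", "SYST", "ZCUSTOM"]  # SYSU missing, ZCUSTOM extra
]

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, profile_findings(user, USER_PROFILES))
    for finding in s_rfc_findings("GRC_RFC", USER_ROLES, ROLE_AUTHS):
        print("GRC_RFC:", finding)
```

Reporting the missing value alongside the extra one matters in practice: the usual reaction to a failing RFC connection is to widen RFC_NAME to “*”, which the first branch of the check then flags on the next review.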
52
Firefighter ID Login Prohibition
• Firefighting is the use of privileged user accounts in times of emergency
• Because the firefighter ID possesses elevated privileges, it should not be used directly in the back-end system
• Instead, it should be used via the assigned firefighter user on the SPM log-on pad
• Major risk
 The firefighter ID (with privileged authorization) might be used to log on directly to the back-end system to perform malicious activities, and the logs will not be captured
• Preventative measure
 Implement the user exit as described in SAP Note 1545511
53
Firefighter ID Login Prohibition (cont.)
• To enforce control around the use of the firefighter ID directly in the back-end system, implement a user exit in the back-end system where the firefighter ID resides
• Check whether report ZXUSRU01 exists in the back-end system and contains the include /GRCPI/GRIA_USEREXIT (SAP Note 1545511)
• To further verify that the user exit has been implemented, attempt to log on directly to the back-end system using a firefighter ID
 The attempt should trigger a dialog box stating that you are not authorized to log on directly
55
Segregation of Duties
• SoD forms part of the requirements of many regulations, including Sarbanes-Oxley
• The idea is to prevent the authority to carry out critical activities in the system from being concentrated in specific users
• Major risk
 Perpetration of malicious activities as a result of the possession of excessive authorization
• Preventative measure
 Employ the principle of “least privilege” in authorization assignment and grant authorization on a “need-to-know” basis
56
Segregation of Duties (cont.)
• Check whether a set of incompatible-duty (SoD) matrices for the SAP Access Control system exists
 For example, the person who creates a mitigating control should not be able to maintain or assign the mitigating control
• A technical review should establish that the authorizations assigned to specific job roles are optimal and do not create a mitigating conflict
• SoD-centric configuration settings, such as the ones below, should be reviewed for correctness and appropriateness:
 Approver cannot approve his own request (EUP settings)
 Firefighter ID owner can submit request for firefighter ID owned (Parameter 4013)
 Firefighter ID controller can submit request for firefighter ID controlled (Parameter 4014)
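The SoD matrix for the GRC system itself can be evaluated with the same logic the tool applies to the satellite systems. The following is an added example, not from the presentation or from SAP: a small conflict matrix built from the illustrations on the slide (creating a mitigating control versus maintaining or assigning it, and submitting a request versus approving it) is evaluated against constructed role assignments, and a mitigating control assigned to a user is honoured only while its validity date has not passed. Risk IDs, function names, role names and control IDs are constructed for this example.

```python
"""SoD analysis of the GRC system's own users (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Risk ID -> (risk level, functions that must not be combined in one user).
# Built from the slide's examples; identifiers are constructed.
RISKS = {
    "G001": ("High", frozenset({"MC_CREATE", "MC_ASSIGN"})),
    "G002": ("Medium", frozenset({"MC_CREATE", "MC_MAINTAIN"})),
    "G003": ("High", frozenset({"REQ_SUBMIT", "REQ_APPROVE"})),
}

# Role -> functions the role technically allows (constructed).
ROLE_FUNCTIONS = {
    "Z_GRC_MC_OWNER": {"MC_CREATE", "MC_MAINTAIN"},
    "Z_GRC_MC_MONITOR": {"MC_ASSIGN"},
    "Z_GRC_REQUESTER": {"REQ_SUBMIT"},
    "Z_GRC_APPROVER": {"REQ_APPROVE"},
}

# User -> roles (constructed).
USER_ROLES = {
    "ALICE": ["Z_GRC_MC_OWNER", "Z_GRC_MC_MONITOR"],
    "BOB": ["Z_GRC_REQUESTER", "Z_GRC_APPROVER"],
    "CAROL": ["Z_GRC_REQUESTER"],
}


@dataclass(frozen=True)
class Mitigation:
    """A mitigating control assigned to a user for one risk, valid until a date."""
    control_id: str
    valid_to: date


# (user, risk) -> mitigation (constructed).
MITIGATIONS = {
    ("ALICE", "G001"): Mitigation("MC_GRC_0001", date(2015, 12, 31)),
    ("BOB", "G003"): Mitigation("MC_GRC_0002", date(2014, 12, 31)),
}


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions reachable through all roles of the user."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def analyze_user(user, today, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                 risks=RISKS, mitigations=MITIGATIONS):
    """Return [(risk_id, level, status)] for every risk the user triggers.

    A risk fires when the user holds every function in its combination. An
    assigned mitigating control only counts while valid; an expired one is
    reported so the reviewer sees why the violation reappeared.
    """
    funcs = user_functions(user, user_roles, role_functions)
    results = []
    for risk_id, (level, combo) in sorted(risks.items()):
        if not combo <= funcs:
            continue
        mit = mitigations.get((user, risk_id))
        if mit is None:
            status = "violation"
        elif mit.valid_to >= today:
            status = f"mitigated by {mit.control_id}"
        else:
            status = (f"violation (mitigation {mit.control_id} expired "
                      f"{mit.valid_to.isoformat()})")
        results.append((risk_id, level, status))
    return results


def analyze_all(today, user_roles=USER_ROLES):
    """Violations per user, omitting users with nothing to report."""
    report = {}
    for user in sorted(user_roles):
        hits = analyze_user(user, today, user_roles)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in analyze_all(date(2015, 6, 1)).items():
        for risk_id, level, status in hits:
            print(f"{user}: {risk_id} ({level}) {status}")
```

The expiry branch is the part worth keeping: a control that was valid at the last review but has since lapsed looks mitigated on a stale screenshot, while the analysis run with today’s date reports it as a violation again.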
58
Time Zone and Documentation
• Time zone setting
• Documentation
59
Time Zone Setting
• The output of some log reports generated for Emergency Access Management is based on input from transaction STAD (SAP Workload: Business Transaction Analysis) in the plug-in system
 Reports in transaction STAD are based on operating system time
• Major risk
 A difference in time zones can affect log collection, which will consequently affect the correct reporting of firefighting session activities in the satellite system
 This situation erodes the detective control capability of firefighter log review
• Preventative measure
 Ensure the time zones of the operating system and the SAP NetWeaver® engine are in sync in the SAP Access Control system and in the satellite systems
60
Time Zone Setting (cont.)
• An auditor should ensure the appropriate operating system time zone setting is maintained in the SAP Access Control system and the back-end system
 It is best practice to have the same setting for:
 The time zone of the operating system and the SAP NetWeaver system in the GRC system
 The time zone of the operating system and the SAP NetWeaver system in the plug-in system (e.g., SAP ERP system)
• However, the time zone setting of the GRC system and that of the plug-in system need not necessarily be the same
• The time zone setting of the SAP NetWeaver system can be checked via report TZONECHECK (Check Time Zone Data for Consistency)
• More information in SAP Notes 1430336, 198411, and 481835
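Why an OS/NetWeaver time zone mismatch damages firefighter log collection is easiest to see on a worked example. The following is added here and is not from the presentation or from SAP: STAD-style records carry the operating system’s wall-clock time, the firefighting session window is recorded in NetWeaver system time, and a collector that compares wall-clock values directly misses (or mis-attributes) records by the offset, while a collector that converts both sides to one instant in time does not. Zones are modelled as fixed UTC offsets without daylight saving, and all records, user IDs and times are constructed for this example.

```python
"""Time zone effect on firefighter log collection (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

STAMP = "%Y-%m-%d %H:%M:%S"


def zone(hours):
    """Fixed-offset zone, e.g. zone(2) for UTC+2. Simplification: no DST."""
    return timezone(timedelta(hours=hours))


def parse_in(ts, tz):
    """Interpret a wall-clock stamp as local time in the given zone."""
    return datetime.strptime(ts, STAMP).replace(tzinfo=tz)


# Constructed STAD-style records: (firefighter ID, OS wall-clock time, transaction).
# The OS in this example runs on UTC; the first two calls belong to a session
# that NetWeaver (UTC+2) recorded as 09:00-10:00, the third to a later session.
STAD_RECORDS = [
    ("FF_FIN01", "2015-03-10 07:05:00", "SU01"),
    ("FF_FIN01", "2015-03-10 07:40:00", "SE16"),
    ("FF_FIN01", "2015-03-10 09:30:00", "SM59"),
]


def collect_by_wallclock(records, ff_id, start, end):
    """Compare wall-clock strings directly. Correct only when both clocks run
    in the same zone; otherwise the window slides by the offset."""
    return [tcode for user, ts, tcode in records
            if user == ff_id and start <= ts <= end]


def collect_by_instant(records, ff_id, start, end, os_tz, nw_tz):
    """Convert the session window (NetWeaver time) and the STAD stamps (OS time)
    to absolute instants before comparing, so the zones cancel out."""
    s, e = parse_in(start, nw_tz), parse_in(end, nw_tz)
    return [tcode for user, ts, tcode in records
            if user == ff_id and s <= parse_in(ts, os_tz) <= e]


def collection_shift_hours(os_tz, nw_tz):
    """Hours by which a wall-clock comparison is displaced when the zones differ
    (0 means the two clocks agree and either collector works)."""
    return (nw_tz.utcoffset(None) - os_tz.utcoffset(None)) / timedelta(hours=1)


if __name__ == "__main__":
    session = ("2015-03-10 09:00:00", "2015-03-10 10:00:00")  # NetWeaver time
    os_tz, nw_tz = zone(0), zone(2)
    print("shift (h):", collection_shift_hours(os_tz, nw_tz))
    print("wall-clock:", collect_by_wallclock(STAD_RECORDS, "FF_FIN01", *session))
    print("instant:   ", collect_by_instant(STAD_RECORDS, "FF_FIN01", *session, os_tz, nw_tz))
```

With a two-hour gap the wall-clock collector returns SM59, a call from a different session, and drops SU01 and SE16 entirely; the firefighter log looks complete but describes the wrong activity. Keeping the OS and NetWeaver zones aligned, as the slide recommends, makes the shift zero so the two collectors agree.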
62
Documentation
• Documentation is an integral part of any business solution delivery project and serves as part of the knowledge transfer requirement
• Major risk
 A knowledge gap may exist regarding the system design, configuration, and operational activities, which can consequently impair the optimal support of the system
• Preventative measure
 Ensure documentation deliverables are agreed upon at project inception and subsequently approved by senior management
63
Documentation (cont.)
• Documentation related to the project should be assessed for completeness and correctness and should cover the following:
 Technical installation, blueprint and system design, support and operation guide, security and authorization design, testing materials, and users’ guide
• Documentation must be approved by designated individuals, with at least one representative from senior management or the project steering committee
• Changes to documentation need to be approved and versioned
• The security of the location where documents are stored needs to be reviewed to ensure they cannot be tampered with or manipulated
• You can use SAP Solution Manager for document management
65
Archiving and Disaster Recovery
• Data archiving
• Business continuity and disaster recovery
66
Data Archiving
• Aside from business requirements and corporate policies, prevailing legal and regulatory requirements influence the data retention strategies adopted by an enterprise
• Data archiving also has the beneficial effect of enhancing system performance
• Major risk
 System performance might be impaired and data retention policies might be flouted
• Preventative measure
 Archive data at defined intervals and in accordance with the corresponding local and global regulations
67
Data Archiving (cont.)
• Gain an understanding of the organization’s archiving strategy and apply it in ensuring data is properly archived as scheduled using the appropriate tools
• The following archiving objects are available to archive Access Control-specific data via transaction SARA:
 GRFNMSMP – Archiving for GRC AC 2010 Requests
 SPM_AU_LOG – SPM Audit Log Archive
 SPM_CH_LOG – Change Log Archive
 SPM_LOG – Archiving for SPM Log Reporting
 SPM_OC_LOG – SPM OS Command Log Archiving
 SPM_SY_LOG – SPM System Log Archival
• Check the integrity of the storage location of the archived data
69
Business Continuity and Disaster Recovery
• The impact of the unavailability of the SAP Access Control system should be analyzed and documented
• System unavailability might present a window to perpetrate malicious activities, especially when there are no tested procedures to address such business events or scenarios
• Major risk
 Data loss or inability to continue business operations in the event of a disaster
• Preventative measure
 Ensure that appropriate business continuity and disaster recovery plans exist and are tested at defined intervals
70
Business Continuity and Disaster Recovery (cont.)
• Check to ensure there are adequate processes and controls in place to address the challenges that come with system unavailability or downtime (both planned and unplanned)
• Gain assurance that a business impact analysis has been performed
• Confirm that adequate and effective back-up and restore strategies exist
• Obtain test evidence of back-up and disaster recovery tests
 Review the back-up log directly in the system via transaction DB12
• The technical review should also cover the storage of back-up media and other conventional back-up and recovery audit concerns, such as back-up frequency
72
Where to Find More Information
• Kehinde Eseyin, “How to Prepare for a Comprehensive System Audit and Technical Review of SAP Access Control 10.0” (SAP Professional Journal, October 2013).
 http://bit.ly/1G5aZzF
• SAP Access Control 10.1 Security Guide
 http://bit.ly/15aAAq2 *
• Kehinde Eseyin, “10 Best Practices for Enforcing Data Security, Control, and Consistency in the Software Logistics Process” (Financials Expert, March 2010).
 http://bit.ly/1yp2ieD
• Kehinde Eseyin, “Combat Chaos with a Lock-Down Security Policy in 12 Key Areas of Your SAP Environment” (Financials Expert, June 2009).
 http://bit.ly/1x8phG9
* Requires login credentials to the SAP Service Marketplace
73
7 Key Points to Take Home
• Set the recommended administrator security-centric settings for ICF services
• Know the archiving objects relevant to SAP Access Control data
• Implement workflow verification using transaction SWU3
• Know the specific authorizations to assign to RFC technical users
• Enhance system performance by using specific configuration and profile parameters
• Enhance system performance for derived role import and firefighter log collection by indexing tables GRACFLDSYST and CDHDR, respectively
• Use report TZONECHECK to check time zone settings for data consistency
74
Your Turn!
How to contact me:
Barun Kumar
Barun.Kumar@turnkeyconsulting.com
Please remember to complete your session evaluation
75
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.