This website is not affiliated with, sponsored by, or approved by SAP AG.

Definition of critical transaction from audit perspective

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

Definition of critical transaction from audit perspective

Postby sapking » Tue Mar 29, 2011 8:02 am

Hi,
I am trying to work with our auditors and we are in process of defining what are the critical transaction in SAP. I was wondering what others consider a critical transaction and how do you define that.
What is a definition of critical transaction from audit perspective in SAP.
Thanks.
sapking
 
Posts: 9
Joined: Wed Jun 25, 2003 1:09 pm

Re: Definition of critical transaction from audit perspective

Postby jurjen » Wed Mar 30, 2011 4:37 am

I prefer to think of critical actions in a system instead of critical transactions. Transactions are merely entry points. Denying people access to transactions can be part of your safety measures.
Marking transactions themselves as critical often leads to the misbelief that you can secure your system by just blocking them.

To define which actions pose a risk to your system, its role is very important. Configuration changes are part of normal operations on a development system but should be treated very carefully on a production system...
jurjen
 
Posts: 298
Joined: Wed May 17, 2006 8:17 am
Location: The Netherlands

Re: Definition of critical transaction from audit perspective

Postby Sharpshooter » Wed Mar 30, 2011 12:53 pm

The problem is that most auditors can only think in terms of Tcodes, which I agree is totally wrong!
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark

Re: Definition of critical transaction from audit perspective

Postby thx4allthefish » Fri Apr 01, 2011 6:49 am

Sharpshooter wrote:The problem is that most auditors can only think in terms of Tcodes, which I agree is totally wrong!


Precisely. These times are long gone. We have menu-tabs that jump to other functions, not even calling a transaction anymore, but processing via BAPI etc. Just have a close look where you can go from transaction MD04 and I am not even beginning to go into abaping, querying, sqvi-ing, se16-ing ...

In order to assist your auditor you might do one hell of a good job, pointing this out to him ... right, Al.???
curiousorange wrote:I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Definition of critical transaction from audit perspective

Postby Al. » Fri Apr 01, 2011 10:44 am

thx4allthefish wrote:In order to assist your auditor you might do one hell of a good job, pointing this out to him ... right, Al.???

If you have a good auditor then they'll understand, appreciate & help. If you have a bad one then you'll confuse them. Either way you win :D

Back to the other posters - I agree completely, you protect sensitive functions and tx are only one way of getting to them. For your SAP based ITGC's (IT General Controls) the methods of control are pretty well defined and there isn't too much contention over what is sensitive. If you are doing this for audit purposes then ask your auditors for the list of what they consider sensitive. If you are doing it for operational reasons then look at how you address integrity, confidentiality and availability in and for your SAP system. If you have confidential data (competitive, HR etc) then that becomes critical and you need to protect it in the same way you would prevent someone from executing arbitrary OS commands through SAP.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Definition of critical transaction from audit perspective

Postby John A. Jarboe » Sat Apr 02, 2011 5:50 pm

There are relatively few stand-alone critical transactions in SAP and most are in Basis and security. It is combinations of functionality that become critical in SAP. As an example, FB01 (posting invoice) by itself is pretty boring, but combine this with vendor maintenance and now you are writing checks to yourself and having them deposited to your account.

A few of the critical Tcodes are:
SU01 - create an SAP* equivalent ID, virtually undetectable, and do what you like
SM31 access to table T000 - change the client setting to allow coding in production, either in production or from development, allowing you to temporarily gain SAP_All access in production.
STMS - Transport management - allows import of trojan horse code to suspend a user's password, insert one you know, log on with the ID, replace the old password, or any other functionality you like.

Tcode to start and stop SAP - Business disruption impacts

These are just a few that come to mind...
John A. Jarboe
John A. Jarboe
 
Posts: 322
Joined: Tue Mar 07, 2006 8:48 am
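To make jurjen's point (critical actions, not transactions) and John's point (combinations become critical) concrete, here is an added example that is not from the thread: a small check that maps tcodes to the actions they reach and then evaluates each user's access against stand-alone critical actions and critical combinations. The tcode-to-action table and the user assignments are constructed sample data; XK02 is assumed as the vendor-maintenance entry point, which the thread does not name.

```python
"""Critical-access check on actions rather than transaction codes.

Added example, not from the forum thread. The mapping and the user
assignments are constructed; XK02 (vendor master change) is an assumed
entry point for vendor maintenance, which the thread does not name.
"""

# Several entry points can reach the same sensitive action, so a check on
# actions catches access that a tcode-only list would miss.
TCODE_TO_ACTION = {
    "FB01": "post_fi_document",
    "XK02": "maintain_vendor_master",   # assumed tcode, see docstring
    "SU01": "maintain_users",
    "SM31": "maintain_tables",
    "SE16": "maintain_tables",          # second entry point to table data
    "STMS": "import_transports",
    "MD04": "display_stock_requirements",
}

# Stand-alone critical actions (the Basis/security cases John lists).
CRITICAL_ACTIONS = {"maintain_users", "maintain_tables", "import_transports"}

# Critical combinations: post an invoice AND maintain the payee (FB01 + vendor).
CRITICAL_COMBINATIONS = [
    frozenset({"post_fi_document", "maintain_vendor_master"}),
]


def actions_for(tcodes):
    """Translate a user's tcodes into the set of actions they can perform."""
    return {TCODE_TO_ACTION[t] for t in tcodes if t in TCODE_TO_ACTION}


def findings(user, tcodes):
    """Return (user, kind, detail) tuples for stand-alone and combined risk."""
    acts = actions_for(tcodes)
    out = [(user, "critical_action", a) for a in sorted(acts & CRITICAL_ACTIONS)]
    for combo in CRITICAL_COMBINATIONS:
        if combo <= acts:  # every action of the combination is reachable
            out.append((user, "critical_combination", "+".join(sorted(combo))))
    return out


# Constructed user-to-tcode assignments, as exported from a role listing.
SAMPLE_ASSIGNMENTS = {
    "ap_clerk": ["FB01", "MD04"],   # posting alone is not flagged
    "ap_super": ["FB01", "XK02"],   # posting plus payee maintenance is flagged
    "basis_ro": ["SE16"],           # no SM31, but the same action is reached
}


def run(assignments=SAMPLE_ASSIGNMENTS):
    """Evaluate every user and return all findings."""
    return [f for u, t in assignments.items() for f in findings(u, t)]
```

Extending `TCODE_TO_ACTION` with the other entry points named in the thread (queries, SQVI, BAPI calls) is what makes the check useful; the rules themselves stay expressed in actions.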

Re: Definition of critical transaction from audit perspective

Postby Sharpshooter » Sun Apr 03, 2011 8:10 am

Isn't "Good auditor" an oxymoron???
Good luck!
Sharpshooter
 
Posts: 1171
Joined: Wed Mar 17, 2010 12:01 pm
Location: In the dark

Re: Definition of critical transaction from audit perspective

Postby Al. » Mon Apr 04, 2011 2:07 am

Sharpshooter wrote:Isn't "Good auditor" an oxymoron???


Not any more than "security professional" applies to the SAP industry unfortunately.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Definition of critical transaction from audit perspective

Postby Bazza » Fri Apr 08, 2011 4:57 am

Whether it's a transaction, a role, or a process matters less than how 'critical' is defined by the Auditor.
Critical to the wellbeing of the system? What, if abused, can make it 'bad' or unstable.
Critical to the wellbeing of the business? Well, the business will know (ha!) what is critical to them.
John makes very good points.
Best Regards
Bazza
Bazza
 
Posts: 84
Joined: Tue Mar 15, 2005 11:27 am
Location: Stratford-on-Avon UK

Re: Definition of critical transaction from audit perspective

Postby Gary Morris » Fri May 06, 2011 10:02 am

To think about critical transactions from the auditor's perspective you have to think about it from the Business perspective.
Your Business process owners must define what transactions are critical based on the risk of loss and high probability of loss occurring if users have the access.

Each business group, at the management level (FI, SD, etc) should write a policy. Controllers are also involved and often drive the request to secure these business tasks. Eventually these business tasks that they are concerned about protecting are communicated to you in terms of transactions.

The auditor is trying to determine whether your organization has determined what is critical to them and whether they have a documented policy on how they are protecting them. Then the auditors job is to audit to see if in fact they have been and are being protected since the policy went into effect.

Security administrators know that it is to be protected by authorization objects, but that is too difficult to communicate, so referencing the transactions is simply a way to communicate.
Gary Morris
SAP Security Consultant
garydavidmorris@gmail.com
Gary Morris
 
Posts: 399
Joined: Sun Oct 20, 2002 10:42 pm
Location: San Antonio, Texas

Re: Definition of critical transaction from audit perspective

Postby Franke2012 » Thu Aug 18, 2011 6:26 am

So - if you are that "end-user", i.e. controller, where do you start to determine what "authorizations" are critical vs. non-critical? I understand the functions: posting/un-posting journal entries, applying payments, creation of invoices/orders, creation of debit/credit memos, etc. are functions I would like to have segregated/restricted. However, the only thing I can dig up is what transactions relate to those processes (at a very high level); it is very time consuming to continue to dig (even if I have the access in the system to do so) and see what authorizations/activities relate to those business processes, or what other transactions can execute those objects/authorizations.

Therefore - what is best practice for the business end user to communicate which object classes/authorizations/activities should be locked down to which individuals? Should we only communicate at the business process level, and leave it to the sys admin to lock down all possible combinations of authorizations/object classes?
Franke2012
 
Posts: 3
Joined: Thu Aug 18, 2011 5:11 am

Re: Definition of critical transaction from audit perspective

Postby henrik » Thu Aug 18, 2011 3:36 pm

I think you need to sit down with your security guy and get his help in working through the options.
You can define the transactions, he can then tell you what the options for controls are in each transaction. It's not that difficult when you know what you are doing - especially when you get the business input served on a silver platter :-)

It is not a clear-cut line between who does what, and in my experience it always works a lot better when you work together to resolve it. Very few people have the entire picture of the business process AND the technical requirements in terms of authorisation objects and values.

just my thoughts...
www.turnkeyconsulting.com.au
henrik
 
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK

Re: Definition of critical transaction from audit perspective

Postby Franke2012 » Fri Aug 19, 2011 10:30 am

Henrik,

Thanks - so I just need to focus on the transaction level, and let the security admin (when/if we get one) focus on securing "other" transactions/authorizations which could accomplish the same task. Therefore, my next question - where is a good place to start to understand what transactions can do, which exceeds the SAP table definition? I am looking for books/online training material etc.

Lastly, just from a best practices standpoint, I am assuming you would want to pre-plan these roles/transactions going into an implementation and not after.

Thanks in advance for any information.
Franke2012
 
Posts: 3
Joined: Thu Aug 18, 2011 5:11 am

Re: Definition of critical transaction from audit perspective

Postby henrik » Sun Aug 21, 2011 2:46 pm

Franke,
I don't think you can leave it to the security admin to identify all the other transactions... He/she can help you with the objects, but might not know all the other ways to get to the same transactions... Apart from that, you will need to think about which document types, company codes, cost centers etc. you want to control on. That is a business decision and not something the security guy can determine for you.

If you are doing this as part of an implementation it's much easier, because you will then only open up access for transactions that are needed - you will know exactly who's got what and why.

But my main point is that this is a collaborative effort - it can't be done by the business alone or by the security person alone.

hope that helps
www.turnkeyconsulting.com.au
henrik
 
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK

Re: Definition of critical transaction from audit perspective

Postby os » Fri Aug 26, 2011 10:53 am

For an easy start you can use the standard variant in report RSUSR008_009_NEW. It is critical authorization objects and does not care about tcodes.

You can use tcodes as a second line of defense in the case of critical access but should not rely on it...
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am
