Description
By attending this course, attendees will acquire the knowledge and skills to progress beyond the basic auditing employed by many auditors for SOX purposes, and become competent at an advanced auditing level to identify more in-depth operational and strategic risks. This three-day course will provide participants with an in-depth understanding of SAP® Basis and security assessment techniques necessary for performing a deep-dive technical audit. You will learn the advanced risks and control opportunities that should be considered in a thorough audit of the SAP Basis system, including considerations when using SAP GRC.
On completion of this course, attendees will be able to develop an effective SAP technical audit plan and prioritize key steps, discuss techniques for controlling both dialog and non-dialog user security, assess the appropriateness of SAP Basis configuration settings, recommend procedures for controlling customizations, analyze SAP Basis and security-related tables and describe effective research techniques related to advanced SAP technical issues. Attendees will explore changes introduced by SAP S/4HANA, specifically related to the implications of HANA and Fiori on the SAP security model. Participants will get a chance to explore newer issues around SAP cybersecurity, and see demonstrations of techniques used for hacking SAP. Participants will advance their knowledge through hands-on access to an SAP system, and get a chance to perform a mini security audit.
What you will learn
You will learn about the application’s risks and controls, the core elements of the application, and how to audit the application effectively.
Objectives
- Reviewing the basics
- Advanced parameter settings
- Special authorization objects
- Control over standard SAP users and user types
- Logging options
- NetWeaver security and control
- Security-related analytics
- Auditing SAP customizations
- S/4HANA security overview and implementation best practices
- SAP hardening and hacking
Agenda
Reviewing the Basics:
- system parameters
- authorization concept
- assessing segregation of duties and critical access
- most critical basis and security risks
Advanced SAP System Parameters:
- parameters that can cost you money
- parameters that mitigate terminated/transferred employee risks
- single sign-on parameters
- logging-related parameters
Advanced SAP Basis Security:
- securing direct access to tables
- securing access to ABAP programs
- controlling administrator access
- controlling transport administration and access
- protecting security-critical objects and tables
Controlling Non-Dialog User Types:
- system users
- communication users
- service users
- reference users (and their undocumented risks)
Special Considerations:
- protecting the most powerful ID in the SAP system
- global deactivation of authorization objects
- Remote Function Calls (RFC)
- virus protection
NetWeaver Security:
- Secure Network Communications (SNC)
- Security for the SAP Web AS ABAP and Java components
- Protecting the SAP Gateway
- SAProuter issues
Advanced Auditing of SAP Customizations:
- reviewing ABAP code for insecure statements and back doors
- including custom tables in change document reports
- securing customized objects
Hacking SAP (a.k.a. Hardening SAP against Hacking):
- current state of SAP cyber-security
- breaking SAP passwords
- taking over SAP user accounts
- SQL injection and other common exploits
- secure SAP programming (ABAP & Java)
- freeware hacking tools (and paid pen-testing tools)
Analyzing SAP Tables:
- transparent, cluster and structure tables
- key configuration tables
- key master data tables
- using the SQ01 query builder
- data access with ACL/IDEA
Other Modules (based on class interest):
- configured control opportunities
- other process-related controls
- useful reports and security considerations
New issues with S/4HANA:
- overview of S/4HANA
- major security-related changes
- cloud implications
- implementation considerations