SAP Baseline Security Audit

by Rajesh Gopinath | , GCIH  Discuss this article »»

A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up
against industry best practices. The Baseline Security Audit is the first step in a
comprehensive security audit program and is ideal for generating a quick win early. This
article outlines the areas covered under the SAP Baseline Security Audit we perform. The
audit covers two high-level areas:
1. Essential Technical Controls
2. Essential Process Controls
Essential Technical Controls
The key components of the SAP infrastructure are checked for technical vulnerabilities.
These components include:
 SAP web servers
 SAP ECC servers
 SAP database servers
 Firewalls
The technical controls we examine are categorized as:
 Authentication and Access controls
 Server controls
 Network controls
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Authentication and Access Controls
 Has a minimum password length (login/min_password_lng) been enforced?
 Have the default passwords for default users (“SAP”, “DDIC”, etc) been changed?
 Has an expiration time been set for passwords?
(login/password_expiration_time)
 Is the maximum number of failed logins before an account is locked set?
(login/fails_to_user_lock)
 Are multiple user sessions suppressed?
 Have the password of default database accounts been changed?
 Access protection and requisite authorisations
Network Controls
 Has RFC communication in the SAP gateway been secured with the secinfo file?
 Is SSL or SNC in place to encrypt traffic for DIAG or RFC connections?
 Has the network been segmented with adequate isolation for various SAP
elements?
 Does the firewall rulebase have insecure rules?
 Are blocked connections logged?
Server Controls
 Have the latest patches been applied on the server?
 Are unnecessary and unsecured Internet services running?
 Are the OS file permissions adequately restrictive?
 Have OS commands that can be executed from SAP via SM49 been prevented?
Essential Process Controls
Key processes for administering the SAP environment are checked for compliance with
the enterprise policy and industry best practices in this phase of the audit.
The area that are covered under this are:
 Backup and Recovery Processes
 Change Management Processes
 Identity Management Processes
 Incident Management Processes
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Key Roles and Responsibilities
 Have responsibilities been defined for key roles?
 Are key administrative roles separated? Eg. User creation and approval
Backup and Recovery Processes
 Does the backup schedule adhere to policy?
 Are backups encrypted?
 Are backup tapes labeled?
 Are offsite copies of backups maintained?
 Is recovery tested periodically in line with policy?
Change Management Processes
 Are well-defined processes adhered to for change management?
 Does a change management committee review and approve all changes to
production?
 Are changes to production tested in staging before being migrated to
production?
Identity Management Processes
 Is the administrative process for communicating passwords to new users secure?
Incident Management Processes
 Are incident management procedures defined and communicated to all key
personnel?
The above are sample checks performed as part of the baseline audit.
What a Baseline Security Audit Does Not Cover
The Baseline Security Audit focuses on quick wins; it does not cover the following audits
which require greater investment in time and effort:
 Authorizations audit, to check if authorizations have been given correctly
 Business process audit, to check if frauds can be permitted within the business
processes in SAP

Transactions
- ABAP programs
- Tables
- Files
- Authorizations, authorization profiles and user master records
- Data carriers
- Other security measures (such as table types and separating different
clients)

, Naming conventions when altering transactions ABAP’s, tables, files and

other SAP objects. determine whether they function properly and are
sufficiently documented.
Workbench Organizer and Transport System
Registration and documentation of all changes to system objects (objects in
the development environment, or ODEs). This includes Data Dictionary
elements (such as tables), ABAP/4 programs, screen templates, and userdefined
objects (UDOs) and customizing objects.
- Avoidance of concurrent changes to a system object made by different
developers.
- Orderly transfer and release of ODEs between different SAP systems or
various clients within a SAP system
Changes made to tables and programs-traceablity
binding rules must be established for job submission (such as the
creation of an ABAP) and implementation of changes, as well as for testing,
acceptance, and transferring changes to the productive system

Correction and repair

- original objects and

- copies of original objects
Transport logs-For success or failure
authorizations to change an ODE
Causes of and reasons for changing a table
- Consequences of changing a table

Functional Scope

A)Project Preparation Phase

 project organization
 project schedule
 Project charter
 Standards and procedures
 Scope
 Training Plans
B)Business Blue Print Phase
 As-Is Study
 To-Be Process
 Business Blue Print
 Idetification of gaps
 Work arounds for gaps
 Organizational Structure
 Business Process Master List
 Baseline Scope Definition (80/20 rule)
 Interfaces Required
 Conversions required
 Reports needed
 Authorizations
 Enhancements Needed
 Level 1 Training and feed back reports
 BBP Signoff
 Issue log maintenance ,addressing and escalation
 Risk analysis and mitigation
 Backup and Recovery plans

C)Realization Phase
 Level-2 traing and Feed back reports
 Unit Testing plans
 Unit test by consultants and core team members and test scripts acceptance.
 Base line integration test scripts and results.
 User acceptance tests and results.
 Testing of reports and acceptance.
 Testing of developments and acceptance.
 Base line configuration documents.
 Functional and technical specs for developments.
 D)Final Preparation
 Final Configuration and documentation
 Completion of Interface development and testing and user acceptance.
 Cutover strategy preparation and documentation.
 Level 3 traing of core team members.Traing feed back.
 Training of End users and feed back
 Retraining as per feed back.
 Test scripts for Integration testing and user testing and acceptance.
 Closure of open issues.
 Volume testing and stress testing of SAP system and Interphases.
 Preparation for Go-live
 Setting up of Help desk and issue redressal mechanism and SLAs
E)Go live-
 Review of support desk activities

SAP IMPLEMENTATION AUDIT

Scope of audit comprises of two parts
o Technical Audit
o Functional Audit
TECHNICAL AUDIT
o