SAP System Audit Checklist and Procedures (Word document download recommendation).docx
14. Determine the number of client systems running.
15. Determine which geographical locations are running SAP.
16. Determine what level of custom programming is on-going.
∙ ABAP/4 programs
∙ Data entry screens
17. Evaluate the overall SAP security architecture.
18. Determine the operating systems and database management systems running within the environment.
19. Obtain a listing of all SAP clients.
∙ Table T000 has the SAP clients
∙ Path: SYSTEM - SERVICES - TABLE MAINTENANCE
∙ SE16 or SE17
∙ Table T001 has the companies
∙ TOOLS - ABAP/4 WORKBENCH - OVERVIEW - DATA BROWSER - TABLE CONTENTS
20. Obtain a listing of all group companies.
∙ List table T042G
21. Obtain a listing of all business areas.
∙ List tables TGSB and TGSBT
22. Obtain a listing of all credit control areas.
∙ List tables T014 and T014T
23. Obtain a list of all charts of accounts.
∙ List tables T004 and T004T
24. Obtain a listing of all plants.
∙ List tables T001W and TVKWZ
25. Obtain a listing of storage locations.
∙ List table T001L
26. Obtain a listing of all purchasing organizations.
∙ List table T024W
27. Obtain a listing of all purchasing groups.
∙ List table T024
28. Obtain a listing of all sales organizations.
∙ List tables TVKO and TVKOT
29. Obtain a listing of distribution channels.
∙ List tables TVTW, TVTWT, and TVKOV
30. Obtain a listing of all divisions.
∙ List tables TSPA, TSPAT, and TVKOS
31. Obtain a listing of sales areas.
∙ List table TVTA
32. Obtain a listing of sales offices.
∙ List tables TVBUR, TVKBT, and TVKBZ
33. Obtain a listing of sales groups.
∙ List tables TVKGR, TVBVK, and TVGRT
II. Design And Implementation
1. Determine if proper planning has been formalized.
∙ Has a clearly established functional or geographical approach been established?
∙ Has a structured methodology been adopted?
∙ Has a top-down plan been developed to address system integration issues?
∙ Have SAP release dates been taken into consideration as part of the plan?
∙ Does the plan consider the time to perform a post-implementation review?
2. Determine if the proper organization and staffing for the team has been completed.
∙ Has a Steering Committee been organized to include all functional business areas?
∙ Have enterprise-wide standards been established?
∙ Are users assigned to key project management positions?
∙ Has an integration team been established with members from all functional areas?
∙ Has a technical team been established separate from the functional team to share technical responsibility and to ensure standard techniques are employed?
∙ Is the staff size appropriate for the scope of the implementation?
∙ 5-7 members for each core module.
3. Determine if adequate training is conducted.
∙ Review the training program to ensure that it is adequate and addresses all functional areas.
∙ Ensure that the training approach is integrated into the project methodology.
∙ Ensure that adequate time for all levels of training is scheduled.
4. Determine if the project is properly controlled through budget, quality, and schedule.
∙ Are standard project control tools and documentation formats used across teams to ensure consistent communication and minimize the impact of team turnover?
∙ Are weekly or even daily cross-team progress meetings held, along with monthly steering committee meetings, to communicate status and resolve issues?
∙ Are issue logs used to resolve project delays?
∙ Ensure that a consistent implementation methodology across all teams is being employed.
∙ Is the project measured by work plan tasks and deliverables rather than hours spent?
∙ Are support systems such as Lotus Notes or e-mail established at the beginning of the project?
5. Determine to what extent re-engineering is being employed.
∙ If the project team is going through a large re-engineering effort, ensure that it is completed prior to the beginning of the SAP implementation process. Otherwise, the changes can be incorporated during the analysis and design phases.
∙ Ensure that all re-engineering processes are formally signed off.
6. Determine if an adequate global design is completed.
∙ Have practices and processes globally been harmonized along with SAP functionality?
∙ Have worldwide representatives on the project been present during the prototyping and Joint Application Development (JAD) sessions to ensure that system decisions are properly conducted?
∙ Are key system checkpoints mapped to the global design to ensure the system meets the needs of each region?
∙ Are prototyping and playbacks used to validate the design?
∙ Have key data items such as material number, customer number, chart of accounts, and company codes been standardized?
7. Determine if proper integration has been designed into the system.
∙ Determine if an overall integration plan has been developed and reviewed by the integration team.
∙ Has the integration team been involved throughout the project?
∙ Are the integration points tested throughout the project?
8. Determine if the SAP software is properly configured.
∙ Has the organizational hierarchy been properly established within SAP as an initial step?
∙ Have any modifications to the SAP-supplied software been completed? If so, determine the risk impact of such modifications.
∙ Are cross-checks conducted periodically for table configurations with all team members?
∙ Are checks conducted to ensure that table and file structures are consistent across all locations?
9. Determine if matrices are used to define job functions and proper separation of duties.
10. Determine if data ownership responsibilities are defined for the SAP objects (fields).
III. Workstation Security
1. Obtain access to the application's interface (GUI) test environment.
2. Obtain a configuration listing of a typical end user workstation.
3. Determine if the user is required to sign on to the workstation.
4. Evaluate the GUI (according to requirements and design documentation) to determine if the edits on the system are adequate.
5. Evaluate the middleware connection to the file servers and the mainframe processor from a security and control perspective.
∙ Open Data-Link Interface (ODI) drivers
∙ NET.CFG file
∙ Link Support Layer file LSL.COM
∙ Protocol stacks IPXODI.COM
∙ NetWare Shell
∙ SAPs
∙ DDE
∙ OLE
6. Determine that any modifications to startup files are properly recorded, to prevent keystroke capture programs from executing.
7. Determine that the workstation is properly protected from Trojan GUIs.
IV. Application Support
1. Determine the existence of a qualified group (or individual) designated to support the application.
2. Review the job functions statement and interview users of the service to determine the scope and effectiveness of the position.
3. Determine if remote workstation processing locations are provided with "hotline" consultation on problems relating to workstation hardware and software.
4. Determine if all incidents and resolutions are properly recorded.
V. Review The Security And Control Over The UNIX Operating System.
1. Determine who has access to execute program SAPMSOS0. This program has access to the UNIX command prompt. This program is run by Transaction SM52.
2. Obtain a listing of the users that can sign on to the UNIX operating system directly:
∙ $ cat /etc/passwd
3. Obtain a listing of the groups and the users who belong to these groups:
∙ $ cat /etc/group
4. Obtain a listing of the SAP directories and determine who has read and write authorities to these directories and files:
∙ /usr/sap
∙ Many of the files and sub-directories hold pertinent information:
∙ /usr/sap/trans/buffer - information on which transports are to be imported
∙ /usr/sap/trans/cofiles - information on transport requests
∙ /usr/sap/trans/sapnames - information for users on transport request status
∙ /usr/sap/trans/tmp - temporary data
∙ /usr/sap/trans/log - local system log
∙ /usr/sap/trans/work - runtime data
5. Obtain a copy of the initialization file and be sure that a sum command (hash total) is run on the file daily to identify any changes.
∙ /etc/inittab
6. List the trusted environment within UNIX to ensure that any trust relationships are also properly protected.
∙ /etc/hosts.equiv
∙ .rhosts
7. List the exported file systems to determine if any SAP file is exported over the network.
∙ /etc/exports
8. Review the batch job submission file within UNIX to ensure that it is properly protected.
∙ /usr/spool/cron/crontabs/root
∙ RDDIMPDP migrates queued-up jobs to production (every 5 minutes)
9. Review the list of services to ensure that no unsecured service is running.
∙ /etc/services
∙ /etc/inetd.conf
10. If any users other than the system administrator (root or uid=0) have command line authority, then evaluate why they need this level of authority on the SAP production machine.
11. Perform a find command to identify all suid and sgid programs that are owned by root. Using this output, sum the result to compare from one day to the next to track differen
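The UNIX checks in items 2, 5, 6, 10 and 11 above can be scripted; the following is an added example written for this page, not part of the original audit program or of any SAP tooling. Paths are passed as parameters, POSIX cksum stands in for sum, and the passwd and hosts.equiv excerpts are constructed sample data.

```shell
#!/bin/sh
# Added helper checks for section V (not part of the original audit program).
# Every path is a parameter; the passwd excerpt at the bottom is constructed.

# Item 2: accounts that can sign on directly (have an interactive login shell).
list_login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Item 10: every uid 0 account other than root, each of which needs a justification.
list_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Item 6: hosts.equiv / .rhosts lines that trust any host or any user ("+").
list_open_trust() {
    awk '$1 == "+" || $2 == "+" { print }' "$1"
}

# Items 5 and 11: daily hash-total check. The first run stores a baseline;
# later runs report UNCHANGED or CHANGED and refresh the baseline. POSIX cksum
# is used in place of sum so the output is portable across UNIX flavours.
check_baseline() {
    now=$(cksum < "$1" | awk '{ print $1, $2 }')
    if [ ! -f "$2" ]; then
        printf '%s\n' "$now" > "$2"; echo NEW; return 0
    fi
    if [ "$(cat "$2")" = "$now" ]; then echo UNCHANGED; else
        printf '%s\n' "$now" > "$2"; echo CHANGED; fi
}

# Item 11: snapshot of setuid/setgid files under a tree, owned by the given
# user (root on a production host; parameterised so the sample runs unprivileged).
snapshot_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -user "$2" 2>/dev/null | sort
}

# Constructed sample passwd excerpt, written to a temp file for the demo.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ops2:x:0:0:second uid 0 account:/root:/bin/sh
c11adm:x:1001:1001:SAP admin:/home/c11adm:/bin/csh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
# Constructed sample hosts.equiv with one wide-open entry.
SAMPLE_HOSTS_EQUIV=$(mktemp)
printf 'sapapp01 c11adm\n+ +\n' > "$SAMPLE_HOSTS_EQUIV"
```

On a production host run the functions against /etc/passwd, /etc/hosts.equiv, /etc/inittab and /usr/sap, and keep the baseline files where the SAP administrators cannot write.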