SAP System Audit Checklist and Procedures

14. Determine the number of client systems running.
15. Determine which geographical locations are running SAP.
16. Determine what level of custom programming is on-going:
    ABAP/4 programs
    Data entry screens
17. Evaluate the overall SAP security architecture.
18. Determine the operating systems and database management systems running within the environment.
19. Obtain a listing of all SAP clients.
    Table T000 has the SAP clients
    Path: SYSTEM - SERVICES - TABLE MAINTENANCE
    SE16 or SE17
    Table T001 has the companies
    TOOLS - ABAP/4 WORKBENCH - OVERVIEW - DATA BROWSER - TABLE CONTENTS
20. Obtain a listing of all group companies.
    List table T042G
21. Obtain a listing of all business areas.
    List table TGSB and TGSBT
22. Obtain a listing of all credit control areas.
    List table T014 and T014T
23. Obtain a list of all charts of accounts.
    List table T004 and T004T
24. Obtain a listing of all plants.
    List tables T001W and TVKWZ
25. Obtain a listing of storage locations.
    List table T001L
26. Obtain a listing of all purchasing organizations.
    List table T024W
27. Obtain a listing of all purchasing groups.
    List table T024
28. Obtain a listing of all sales organizations.
    List table TVKO and TVKOT
29. Obtain a listing of distribution channels.
    List table TVTW, TVTWT, and TVKOV
30. Obtain a listing of all divisions.
    List tables TSPA, TSPAT, and TVKOS
31. Obtain a listing of sales areas.
    List table TVTA
32. Obtain a listing of sales offices.
    List tables TVBUR, TVKBT, and TVKBZ
33. Obtain a listing of sales groups.
    List tables TVKGR, TVBVK, and TVGRT

II. Design And Implementation

1. Determine if proper planning has been formalized.
    Has a clearly established functional or geographical approach been established?
    Has a structured methodology been adopted?
    Has a top-down plan been developed to address system integration issues?
    Have SAP release dates been taken into consideration as part of the plan?
    Does the plan consider the time to perform a post-implementation review?
2. Determine if the proper organization and staffing for the team has been completed.
    Has a Steering Committee been organized to include all functional business areas?
    Have enterprise-wide standards been established?
    Are users assigned to key project management positions?
    Has an integration team been established with members from all functional areas?
    Has a technical team been established separate from the functional team to share technical responsibility and to ensure standard techniques are employed?
    Is the staff size appropriate for the scope of the implementation?
    5-7 members for each core module.
3. Determine if adequate training is conducted.
    Review the training program to ensure that it is adequate and addresses all functional areas.
    Ensure that the training approach is integrated into the project methodology.
    Ensure that adequate time for all levels of training is scheduled.
4. Determine if the project is properly controlled through budget, quality, and schedule.
    Are standard project control tools and documentation formats used across teams to ensure consistent communication and minimize impact of team turnover?
    Are weekly or even daily cross-team progress meetings held along with monthly steering committee meetings to communicate status and resolve issues?
    Are issues logs used to resolve project delays?
    Ensure that a consistent implementation methodology across all teams is being employed.
    Is the project measured by workplan tasks and deliverables rather than hours spent?
    Are support systems such as Lotus Notes or e-mail established at the beginning of the project?
5. Determine to what extent re-engineering is being employed.
    If the project team is going through a large re-engineering effort, ensure that it is completed prior to the beginning of the SAP implementation process. Otherwise, the changes can be incorporated during the analysis and design phases.
    Ensure that all re-engineering processes are formally signed-off.
6. Determine if an adequate global design is completed.
    Have practices and processes globally been harmonized along with SAP functionality?
    Have worldwide representatives on the project been present during the prototyping and Joint Application Development (JAD) sessions to ensure that system decisions are properly conducted?
    Are key system checkpoints mapped to the global design to ensure the system meets the needs of each region?
    Are prototyping and playbacks used to validate the design?
    Have key data items such as material number, customer number, chart of accounts, and company codes been standardized?
7. Determine if proper integration has been designed into the system.
    Determine if an overall integration plan has been developed and reviewed by the integration team.
    Has the integration team been involved throughout the project?
    Are the integration points tested throughout the project?
8. Determine if the SAP software is properly configured.
    Has the organizational hierarchy been properly established within SAP as an initial step?
    Have any modifications to the SAP supplied software been completed? If so, determine the risk impact of such modifications.
    Are cross-checks conducted periodically for table configurations with all team members?
    Are checks conducted to ensure that table and file structures are consistent across all locations?
9. Determine if matrixes are used to define job functions and proper separation of duties.
10. Determine if data ownership responsibilities are defined for the SAP objects (fields).

III. Workstation Security

1. Obtain access to the applications interface (GUI) test environment.
2. Obtain a configuration listing of a typical end user workstation.
3. Determine if the user is required to sign on to the workstation.
4. Evaluate the GUI (according to requirements and design documentation) to determine if the edits on the system are adequate.
5. Evaluate the middleware connection to the file servers and the mainframe processor from a security and control perspective.
    Open Data-Link Interface (ODI) drivers
    NET.CFG file
    Link Support Layer file LSL.COM
    Protocol Stacks IPXODI.COM
    NetWare Shell
    SAPs
    DDE
    OLE
6. Determine that any modifications to startup files are properly recorded to prevent keystroke capture programs from executing.
7. Determine that the workstation is properly protected against Trojan GUIs running.

IV. Application Support

1. Determine the existence of a qualified group (or individual) designated to support the application.
2. Review the job functions statement and interview users of the service to determine the scope and effectiveness of the position.
3. Determine if remote workstation processing locations are provided with "hot line" consultation on problems relating to workstation hardware and software.
4. Determine if all incidents and resolutions are properly recorded.

V. Review The Security And Control Over The Unix Operating System

1. Determine who has access to execute program SAPMSOS0. This program has access to the UNIX command prompt. This program is run by Transaction SM52.
2. Obtain a listing of the users that can sign onto the UNIX operating system directly:
    $ cat /etc/passwd
3. Obtain a listing of the groups and the users who belong to these groups:
    $ cat /etc/group
4. Obtain a listing of the SAP directories and determine who has read and write authorities to these directories and files:
    /usr/sap
    Many of the files and sub-directories hold pertinent information:
    /usr/sap/trans/buffer - information on which transports are to be imported
    /usr/sap/trans/cofiles - information on transport requests
    /usr/sap/trans/sapnames - information for users on transport request status
    /usr/sap/trans/tmp - temporary data
    /usr/sap/trans/log - local system log
    /usr/sap/trans/work - runtime data
5. Obtain a copy of the initialization file and be sure that a sum command (hash total) is run on the file daily to identify any changes.
    /etc/inittab
6. List the trusted environment within UNIX to ensure that any trust relationships are also properly protected.
    /etc/hosts.equiv
    .rhosts
7. List the exported file system to determine if any SAP file is exported over the network.
    /etc/exports
8. Review the batch job submission file within UNIX to ensure that it is properly protected.
    /usr/spool/cron/crontabs/root
    RDDIMPDP migrates queued-up jobs to production (every 5 minutes)
9. Review the list of services to ensure that no unsecured service is running.
    /etc/services
    /etc/inetd.conf
10. If any users other than the system administrator (root or uid = 0) have command line authority, then evaluate why they need this level of authority on the SAP production machine.
11. Perform a find command to identify all suid and sgid programs that are owned by root. Using this output, sum the result to compare from one day to the next to track differen
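
Added example (not part of the original checklist): a shell sketch of the daily baseline described in section V, steps 5, 10 and 11. All function names, the scratch directory and the sample passwd and inittab contents are constructed for illustration; on a real host the baseline would be built with `build_baseline / root /etc/inittab`.

```shell
#!/bin/sh
# Added example for checklist section V, steps 5, 10 and 11 (not from the original document).

# Step 10: accounts other than root that have uid 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 11: SUID/SGID regular files owned by <owner> under <dir>, in stable order.
suid_sgid_owned_by() {  # suid_sgid_owned_by <dir> <owner>
    find "$1" -xdev -type f -user "$2" \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Prefer SHA-256; a plain `sum` detects accidental change but is trivial to defeat deliberately.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else cksum "$1"; fi
}

# Steps 5 and 11: one hash line per watched file and per SUID/SGID file found.
build_baseline() {  # build_baseline <scan_dir> <owner> <watched_file>...
    scan_dir=$1; owner=$2; shift 2
    {
        for f in "$@"; do if [ -f "$f" ]; then echo "$f"; fi; done
        suid_sgid_owned_by "$scan_dir" "$owner"
    } | sort -u | while IFS= read -r f; do hash_file "$f"; done
}

# Day-to-day comparison: prints added/removed/changed lines, returns 1 on any difference.
compare_baselines() {  # compare_baselines <previous> <current>
    diff "$1" "$2"
}

# Constructed demonstration on a scratch tree, so nothing on the real system is touched.
demo() {
    d=$(mktemp -d) && me=$(id -u)
    printf 'root:x:0:0::/root:/bin/sh\nsapadm:x:0:100::/home/sapadm:/bin/sh\n' > "$d/passwd"
    echo 'id:3:initdefault:' > "$d/inittab"
    echo tool > "$d/tool" && chmod 4755 "$d/tool"
    echo "uid 0 besides root: $(uid0_accounts "$d/passwd")"
    build_baseline "$d" "$me" "$d/inittab" > "$d/day1"
    echo 'x:3:respawn:/bin/sh' >> "$d/inittab"      # simulated overnight change
    build_baseline "$d" "$me" "$d/inittab" > "$d/day2"
    compare_baselines "$d/day1" "$d/day2" || echo "baseline changed"
    rm -rf "$d"
}
demo
```

Store each day's baseline where the accounts being audited cannot write to it, otherwise the comparison can be reset along with the change.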
