Jose Espin, CISA, CISSP, MCP, SAP Certified Security Consultant
Under normal operating situations, IT personnel should have restricted access to the SAP production environment and a business user’s access should be based on assigned job responsibilities. However, system problems may require support personnel to have extraordinary access to resolve an issue that affects a mission-critical business function. Emergency IDs with high levels of access are often assigned to provide immediate resolution and to address problems that occur after normal working hours.
Granting temporary extensive system access to individuals with the knowledge and experience to resolve system problems that affect normal business operations is absolutely required, but the risk of granting access that could be used to commit and conceal a misstatement or to perpetrate fraudulent business transactions should also be addressed.
There are situations in which software vendors, contractors, IT personnel and key business users—all with extensive knowledge of the system and, in many cases, the business processes and related controls—obtain extensive system access for hours and even days to address system issues or to perform required improvements. In some cases, adequate controls to detect instances of unauthorized business transactions and access to sensitive information are not in place. This also has a negative impact on regulatory and compliance requirements, such as the US Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA), that could have costly consequences for the enterprise.
This article provides a concise overview of the tools and solutions to consider when establishing acceptable IT practices to address the challenge that emergency access to SAP environments poses to many IT organizations.
Several third-party tools offer features that could help mitigate the risk of unauthorized access while providing the required emergency IDs to support SAP systems. However, it should be considered that, out of the box, SAP provides logs and utilities that could be used to monitor the use of these IDs.
The following outlines some of the standard resources provided by SAP that could be used to monitor emergency IDs and facilitate compliance efforts regarding unauthorized access to sensitive information and fraudulent business transactions:
The components described previously provide the basic elements required to address emergency access. The ID that was used, date/time information, activities performed in terms of transaction codes (figure 3) and data changes (figure 4) are provided through the described SAP standard functionality. It should be taken into consideration that these features offer useful information on the usage of the ID, but the process may need support from IT personnel to extract the logs from the system and provide them to the individual who monitors emergency ID usage. The impact on system performance caused by utilizing these standard features should be minimal, given that the audit events to be captured are filtered using the assigned emergency IDs as a condition to be evaluated before storing data in the log. The change documents log is not an extra load being placed on the system because it is a necessary capability enabled by default.
There are several tools available in the market (e.g., SAP, GRC Access Controls, Security Weaver, Approva) that provide automated features to help strengthen emergency access controls and gain efficiencies in the process. Following are some of the most relevant features currently offered by these tools:
A well-established process is necessary regardless of the tools used to address the risk related to emergency IDs. Without a formal process and assigned personnel responsibilities, an organization may fail to appropriately address the risk and adequately meet compliance requirements. The following is a list of suggested topics to consider when implementing a process that accompanies the related tools (refer to figure 5):
When performing an audit or risk assessment of SAP emergency access processes, the following is a suggested checklist that could be used in determining whether the process to address the risk posed by emergency IDs in SAP environments is adequate:
The use of SAP-supplied or third-party tools to manage emergency IDs can help to address the related risk of personnel having elevated access, but there are important processes that need to be in place to accompany the tools and numerous considerations that should be taken into account to appropriately address the risks of emergency access.
SAP provides several logs and utilities that could be used to appropriately monitor emergency IDs. The implementation of these tools should be evaluated against the frequency and use of those IDs. A company that utilizes the IDs very often should evaluate the implementation of a more robust application that automates the functions involved in the monitoring process. A more robust third-party application may be warranted when the volume of emergency access is high since monitoring through standard SAP logs and utilities will require system reports that will probably have to be generated by IT personnel.
Root-cause analysis is a key component of the process that may help decrease the use of emergency IDs. By analyzing the reasons for frequent use of emergency access, an organization may discover that the use of the IDs could be decreased to the point that the monitoring through just standard SAP logs and utilities becomes an adequate solution that reduces the need for more costly third-party tools.
The use of emergency IDs to resolve SoD conflicts that are difficult to remove is often seen but should be closely controlled and monitored. Controls include ensuring that the concept of least privilege is enforced and those IDs created to address SoD issues have access to only the conflicting functions and do not have the ability to disable logging or automated notifications.
One of the most important controls when implementing a process to address emergency access is the appropriate review of the logs to verify that only required and authorized activities were performed. This key activity creates a closed-loop process and is often the area in which exceptions are found. Regular IT audits should include assessment of the timely and complete performance of log reviews, including follow-up on instances when the log review identified inappropriate or suspicious activities.
Security, Audit and Control Features SAP® ERP, 3rd Edition is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore. The appendices for the audit programs and ICQs are posted in word for ISACA members at www.isaca.org/auditprograms.
Jose Espin, CISA, CISSP, MCP, SAP Certified Security Consultantis a manager in the Advisory Services practice of Ernst & Young LLP. He focuses on IT risk and assurance specializing in SAP security and governance, risk and compliance (GRC) solutions for SAP environments. Espin has 14 years of professional experience in the IT field across various industries— with nine years spent on application security and controls, risk assessments, and SAP postimplementation reviews and five years of experience designing and developing business applications. The author can be reached at [email protected].
Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.