| Service Model | Audit Directly | Rely on Third Party Report |
|---|---|---|
| On-Premise | Physical data storage, database, operating system, middleware and application | N/A |
| Infrastructure-as-a-Service (IaaS) | Operating system, middleware and application | Physical data storage, database |
| Platform-as-a-Service (PaaS) | (Middleware) and application | Physical data storage, database, operating system (and middleware) |
| Software-as-a-Service (SaaS) | Application | Physical data storage, database, operating system, middleware and application |
| Area | Subarea | Description | Comment |
|---|---|---|---|
| Access Management | User provisioning | Management approves the nature and extent of user-access privileges for new and modified user access. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | User deprovisioning | Access for terminated and/or transferred users is removed or modified in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | User review | User access is periodically reviewed. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | SoD monitoring | Segregation of duties is monitored and conflicting access is either removed or mapped to mitigating controls. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Access Authentication | Access is authenticated through unique user IDs and passwords. Password parameters meet company and/or industry standards. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Privileged Access | Privileged-level access is authorized and appropriately restricted. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Table Access | Table update access is restricted based on specific business need. | Customers do not have access at table level by default. Therefore, this audit activity is not always relevant for an IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Password Parameters | The default passwords for standard SAP IDs have been changed in all clients and secured appropriately. | Default passwords: the standard users (SAP*, DDIC, EARLYWATCH and SAPCPIC) cannot be locked, unlocked or edited by the customer, so the customer has no influence over them; they can only be displayed in a list. The customer therefore cannot log on to SAP S/4HANA Cloud with these standard (technical) users; logon is only possible with business users. |
| Change Management | Application Changes | Application changes are appropriately tested and approved before being moved into the production environment. | Include in the IT-Audit for changes to the system configuration. Changes to SAP's programs are not possible. |
| Access Management | Password Changes Authorization | Access to change the password parameters is granted appropriately based on job responsibilities. | Password parameters are defined in the Identity Authentication Service (IAS) by the customer. Therefore, relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Change Authorization | Access to implement changes into the application production environment is appropriately restricted and segregated from the development environment. | Include in the IT-Audit for changes to the system configuration. Changes to SAP's programs are not possible. |
| Access Management | Privileged Access | Powerful profiles SAP_ALL and SAP_NEW are adequately secured by ensuring no dialog or service user has access to these profiles. | The SAP_ALL and SAP_NEW profiles do not exist for the customer in SAP S/4HANA Cloud. Therefore, not relevant for an IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Remote Access | Remote access to SAP for software maintenance by the SAP vendor is restricted, approved by management and removed in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Emergency Access | Emergency access to SAP is permitted only with prior approval, logged, monitored by someone other than the users who administer the access, and removed in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | BI/BW Workbench Access | Access to the BI/BW workbench, data flows, queries and variables is appropriately restricted. | Not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| System Parameter Settings | Production Client Settings | The production client settings have been flagged to not allow changes to programs and configuration. Client and system setting changes are logged, monitored and approved by management. | Production client settings are not accessible to customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| System Parameter Settings | Global System Change | The ability to maintain the global system change option and client maintenance settings is restricted. | The global system change option and client maintenance settings are not accessible to customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Development Access | Development access is not granted in the production environment. If development access is granted, it is limited to authorized accounts (e.g., emergency access) and its usage is monitored. | Development access is not available to customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Privileged Access | Debug access is not permanently granted in the production environment. | Debug access is not available to customers in SAP S/4HANA Cloud. Therefore, not relevant for the IT-Audit in SAP S/4HANA Cloud. |
| IT Operations | IDoc Monitoring | IDocs are monitored and identified issues are resolved in a timely manner. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
| Access Management | Access to Shared Accounts | Access granted to privileged-level shared and/or generic accounts is appropriately secured, and passwords to such accounts are changed on a periodic basis. | Relevant for the IT-Audit in SAP S/4HANA Cloud. |
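The "SoD monitoring" row above asks that conflicting access be detected and then either removed or mapped to a mitigating control. The following Python script is an added example, not code from the original page or from SAP, showing how such a check can be run over user-to-role assignments. All rule ids (SOD-01 etc.), role names, function names, user names and the mitigating control "MC-07" are constructed for illustration. The check resolves roles down to the business functions they grant, so it also catches a conflict that sits inside a single role, not only one caused by combining two roles; findings without a mapped mitigating control are reported as open.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed SoD ruleset (hypothetical rule ids): each rule names two
# business functions that one user must not be able to perform together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "SOD-01": ("CREATE_VENDOR", "POST_VENDOR_INVOICE"),
    "SOD-02": ("POST_VENDOR_INVOICE", "RELEASE_PAYMENT"),
    "SOD-03": ("MAINTAIN_USER", "ASSIGN_ROLE"),
}

# Constructed business roles and the functions each one grants.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"POST_VENDOR_INVOICE"},
    "VENDOR_MASTER": {"CREATE_VENDOR"},
    "TREASURY": {"RELEASE_PAYMENT"},
    "USER_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},  # conflict inside one role
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    functions: Tuple[str, str]
    roles: Tuple[str, ...]          # roles that together cause the conflict
    mitigated_by: Optional[str]     # None means the conflict is still open


def functions_granted(roles: Set[str]) -> Dict[str, Set[str]]:
    """Map each function a user can perform to the roles that grant it.
    Checking at function level (not role level) catches conflicts that
    live inside a single role as well as across role combinations."""
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(fn, set()).add(role)
    return granted


def check_sod(assignments: Dict[str, Set[str]],
              mitigations: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Evaluate every user against every rule.

    assignments: user -> set of assigned roles
    mitigations: (user, rule_id) -> description of the mitigating control
    Returns findings sorted by user, then by rule id."""
    findings: List[Finding] = []
    for user in sorted(assignments):
        granted = functions_granted(assignments[user])
        for rule_id in sorted(SOD_RULES):
            fn_a, fn_b = SOD_RULES[rule_id]
            if fn_a in granted and fn_b in granted:
                findings.append(Finding(
                    user=user,
                    rule_id=rule_id,
                    functions=(fn_a, fn_b),
                    roles=tuple(sorted(granted[fn_a] | granted[fn_b])),
                    mitigated_by=mitigations.get((user, rule_id)),
                ))
    return findings


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Conflicts with no mitigating control mapped: these must be removed."""
    return [f for f in findings if f.mitigated_by is None]


# Constructed sample data (not real users, roles or controls).
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "VENDOR_MASTER"},   # SOD-01 across two roles
    "bob": {"AP_CLERK"},                      # no conflict
    "carol": {"AP_CLERK", "TREASURY"},        # SOD-02, mitigated below
    "dave": {"USER_ADMIN"},                   # SOD-03 inside one role
}
SAMPLE_MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("carol", "SOD-02"): "MC-07 monthly review of payment runs by treasury lead",
}


if __name__ == "__main__":
    for f in check_sod(SAMPLE_ASSIGNMENTS, SAMPLE_MITIGATIONS):
        status = ("mitigated by " + f.mitigated_by) if f.mitigated_by else "OPEN - remove access"
        print(f"{f.user:<6} {f.rule_id} {f.functions[0]} + {f.functions[1]} "
              f"via {', '.join(f.roles)}: {status}")
```

On the constructed sample the script reports three findings: alice (SOD-01, open), carol (SOD-02, mitigated by MC-07) and dave (SOD-03, open, caused by the single role USER_ADMIN). In an audit the open list is the population to be remediated, and the mitigated list is the population whose mitigating controls are then tested for operating effectiveness.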
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA. With more than 20 years of experience in SAP security, auditing and compliance, Matthias leads a team of security experts responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy, and Security Attestation & Certification.

Florian Eller (SAP) – Product Management SAP S/4HANA Security. Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.

Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA. Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.

Patrick Boch (SAP) – Product Management SAP S/4HANA Security. Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.

Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance). Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance). Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.