How to plan and carry out your SAP System Audit with SAST Risk and Compliance Management

The complexity of SAP systems often makes it difficult for administrators to keep track of all their facets. How, for example, can an SAP system audit be planned in a structured way? The SAST SUITE gives you analysis methods to identify vulnerabilities quickly, before they can be exploited, and it offers a wide variety of functions for analyzing and increasing the security of your SAP systems.


SAST Risk and Compliance Management

With the SAST Risk and Compliance Management module, the SAST SUITE enables you to make fast, qualified decisions within your IT risk management framework:

  • Create and manage risks with criticality categories from very high to strictly informative
  • Create and maintain checks
  • Create and maintain policies
  • Schedule automated and cyclical audit runs
  • Handling of audit results:
    • Work lists for securing (hardening) systems
    • Create and manage mitigation measures
    • Delta comparison between different audit runs
    • Export of results lists in standard office formats
    • Archiving of audit results

The checking rules contained in the SAST SUITE include more than 2,200 risks and 3,600 checks, providing an excellent source for your comprehensive SAP system audit.
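The delta comparison and the hardening work list listed above are the two results an auditor acts on between runs. The following Python script is an added example, not SAST SUITE code, and does not reproduce the module's real export format: the column names, check IDs and sample rows are constructed for illustration. It compares two exported result lists, separates findings that now pass from findings that simply were not re-executed (for example because the policy or variant changed), and orders everything still open by the criticality categories named above.

```python
import csv
import io

# Criticality categories as named on the page, ordered most to least severe.
CRITICALITY_ORDER = ("very high", "high", "medium", "low", "informative")
RANK = {name: i for i, name in enumerate(CRITICALITY_ORDER)}

# Constructed sample exports. Column names and check IDs are hypothetical,
# not the real SAST SUITE export layout.
RUN_1 = """system;check_id;criticality;status;description
PRD;SSV-0001;very high;failed;Gateway ACL (secinfo) not maintained
PRD;SSV-0002;high;failed;Default password still set for SAP*
PRD;AUTH-0010;medium;failed;Dialog users with S_DEVELOP in production
PRD;SSV-0003;informative;failed;Kernel patch level not current
"""

RUN_2 = """system;check_id;criticality;status;description
PRD;SSV-0001;very high;passed;Gateway ACL (secinfo) not maintained
PRD;SSV-0002;high;failed;Default password still set for SAP*
PRD;AUTH-0010;medium;failed;Dialog users with S_DEVELOP in production
PRD;SSV-0004;high;failed;login/min_password_lng below recommended value
"""


def parse_export(text):
    """Return {(system, check_id): row} for every row, with normalised fields."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        crit = row["criticality"].strip().lower()
        if crit not in RANK:
            raise ValueError(f"unknown criticality {crit!r} in check {row['check_id']}")
        row["criticality"] = crit
        row["status"] = row["status"].strip().lower()
        rows[(row["system"], row["check_id"])] = row
    return rows


def _by_criticality(rows):
    """Most critical first; ties broken by system and check ID for stable output."""
    return sorted(rows, key=lambda r: (RANK[r["criticality"]], r["system"], r["check_id"]))


def delta(old_text, new_text):
    """Compare two runs. A finding that vanished because its check was not
    executed again is reported separately from one that now passes, so a
    narrowed policy is never mistaken for successful hardening."""
    old = parse_export(old_text)
    new = parse_export(new_text)
    old_failed = {k for k, r in old.items() if r["status"] == "failed"}
    new_failed = {k for k, r in new.items() if r["status"] == "failed"}
    return {
        "new": _by_criticality([new[k] for k in new_failed - old_failed]),
        "persisting": _by_criticality([new[k] for k in new_failed & old_failed]),
        "fixed": _by_criticality([old[k] for k in old_failed - new_failed if k in new]),
        "not_rechecked": _by_criticality([old[k] for k in old_failed if k not in new]),
    }


def worklist(delta_result):
    """Hardening work list: everything still open, most critical first."""
    return _by_criticality(delta_result["new"] + delta_result["persisting"])


if __name__ == "__main__":
    d = delta(RUN_1, RUN_2)
    for bucket, rows in d.items():
        print(bucket, [r["check_id"] for r in rows])
    print("worklist", [(r["criticality"], r["check_id"]) for r in worklist(d)])
```

The "not_rechecked" bucket is the one to review before signing off a delta: in the sample data the kernel patch finding disappears from the second run without ever passing, which should be explained (changed variant, changed policy, system removed from scope) rather than counted as mitigated.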

Planning and execution of your SAP system audit

Your first step for creating an audit plan is the generation of variants for the three types of checks, using the SAST System Security Validation and SAST Authorization Management modules.

Figure 1: Example of creating a variant in SSV

In the next step, you maintain the scope and frequency of the cyclical system and authorization check in the Risk & Compliance Management module, under the Audit Scheduling function.

Figure 2: Maintain audit plan ID in SAST Risk & Compliance Management

You only need to enter a few values to create an audit plan: An appropriate name in the “Audit Plan ID” field, a brief description, and the person responsible for the current audit plan (SAP user name or e-mail address). Checkboxes control which options are activated for e-mail notifications and enable you to configure reminders.

The Scope and frequency section controls the content and scheduling of the audit plan.

There are two selection options under “Org. Level ID”: ALL (all SAP organizational levels are included in the check) and NONE (all SAP organizational levels are ignored in the check). NONE is the default selection.

The “Policy ID” for performing the check must also be specified. A SAST policy can be used here, or you can use your own company policy. The checkboxes indicating which audit types will be carried out are initially inactive; they are activated when the systems and variants to be checked are entered under Assigned systems. Last but not least, you specify the start date, start time, and interval in the Scope and frequency area.

For an audit plan to run regularly at the specified time, you have to schedule an hourly batch job in transaction SM36. The job runs unattended under a special batch user that has to be assigned the suitable SAST roles; use a dedicated technical user of type System for this, and grant it only the SAST roles the job needs rather than a broad administrative profile, since the job inherits all of that user's authorizations.

Alternatively, you can also start an audit run directly with the Start Audit Cycle button.

Last but not least, you can click the List Audit Cycles button to find the status of current audit runs and those already performed.

You also have the option of saving audit results locally via Download or adding a list to your audit results via Upload.

With SAST Risk and Compliance Management, your IT risk management will no longer be a reactive process. And after you have successfully planned a system audit, the next step involves assessing the risk potential of your SAP landscapes and implementing security precautions.

Would you like to take a look at the audit results and how they are handled with the SAST SUITE? If so, you can look forward to part 2 of our blog post “SAP System Audit with SAST Risk and Compliance Management”, in which we will show you how this module gives you full mitigation reporting.

Until then, you’ll find helpful information on our SAST SOLUTIONS website or feel free to just get in touch with us directly.

Matthias Anstötz (SAP Security Consultant, SAST SOLUTIONS)


That might also be interesting for you:

SAP Security Audit Log – Recommendations for Optimal Monitoring

Detect and Eliminate Vulnerabilities in SAP Systems – Thanks to Security Audit and RFC Interface Analysis