Tuesday, May 5, 2020

Critical Analysis of SAP System Security

Question: Discuss the critical analysis of SAP system security.

Answer:

Introduction

A transaction code (t-code) consists of letters and numbers and is entered in the command field at the top of the SAP screen. T-codes are used for menu navigation and for executing functions: typing the combination into the command field takes the user directly to the corresponding screen. They exist because navigating the SAP menus is time consuming; the user only needs to know the transaction code. The Favourites menu is an alternative to typing codes. All of this relies on SAP's procedural software.

SAP R/3 handles queries performed in SQL, converting data properly from one stage to the next. Data entered in a transaction is updated in the database, and transactions are the operations that make changes to the database. SAP R/3 systems are built for transaction processing, in which a flow of data runs the applications as they execute (Missbach et al., 2016). A transaction is a sequence of steps, and the transaction monitor, the SAP dispatcher, handles the sequencing of those steps.

SM19 is the transaction for the Security Audit Log configuration screen, reached from the standard SAP menu. The configuration settings are chosen in the Security Audit dialog box. Filters define what needs to be recorded: the audit class and the importance of the events. Filters can be static or dynamic: static filters are stored in the database, while dynamic filters create profiles that can be activated at any time to select the events of interest.
Analysing the audit log produces an analysis report for events on the local server, a remote server, or several servers of the SAP system. The log analysis uses the standard values for monitoring the analysis through the security function, and it can be scanned by time period, user and transaction report (Brooks et al., 2016). The Security Audit Log records successful and unsuccessful dialog and RFC logon attempts, and RFC calls to function modules, whether the transaction succeeded or failed. The security settings save the audit records to an audit file that is written on a daily basis; what is recorded depends on the SAP system and the filters specified. Statistical information can also be retrieved for the different transactions and reports.

The user master record in SAP holds all the authorisations a user needs to execute transactions in the SAP system, and it is managed through the administration and authorisation process. SAP security ties a user ID to the transaction authorisations that the SAP administrator can monitor, including the user's login sessions, user rights, passwords and profiles (Cras et al., 2015). The components of the user master record are as follows. Address holds the user's personal data, communication details and company address. Logon data sets the user type, validity period and cost centre. Defaults set the start menu, logon language and default printer together with the date and time format.
Parameters hold the default parameter values for the user. Roles are assigned to the user. Profiles assign predefined profiles such as SAP_ALL, with their SAP system authorisations, to the user group (Lee et al., 2015). Personalisation is tied to the user ID, and the licence data gives access to the user's details: transactions, passwords and authorisation profiles. All of this is maintained with transaction code SU01.

A user logs on to the system with their authorisation data and an existing password. Users are defined with roles, and the authorisations attached to those roles restrict which operations they can perform. User master records are maintained per client in the SAP system: in an ERP SAP system, roles are assigned to users for particular clients, so a user can only perform activities in those clients. The following SAP authorisation objects are needed to maintain user master records:

Object S_USER_GRP: create user master records and assign them to user groups.
Object S_USER_PRO: assign authorisation profiles to users.
Object S_USER_AUTH: maintain authorisations.
Object S_USER_AGR: protect roles and specify which activities (create, change, display) are allowed on them.
Object S_USER_TCD: assign transaction codes.
Object S_USER_VAL: authorise the values that may be changed in a user's profile.

To handle user accounts in SAP, the SAP configuration settings need to be aligned with the organisation's policies.
This includes the IT security policy, which specifies the important software settings and allows no exceptions. SAP settings are configurable, and the system parameters control how the system is used; they are viewed through the report RSPFPAR. The parameter login/password_expiration_time has a default of 0 and a recommended value of 30, after which users must change their SAP password (Sarferaz, 2015). The parameter login/fails_to_user_lock has a default of 12 and a recommended value of 5; it is the number of times a user can enter an incorrect password before SAP locks the user master record against further logons. Generic user accounts are created by the software application for the initial installation, and their IDs follow the SAP ID pattern. The passwords of these generic IDs need to be reset, because they carry highly privileged profiles such as SAP_ALL and SAP_NEW. It is therefore important to control the allocation of wide-access profiles and the number of highly privileged generic profiles with access to the system. Allocations to support and project team users should reflect their actual access requirements.

Ethical Behaviour for an Information Security Professional

Security hole in Distributed Record Management System used by Company X and Company Y

Summary of case

As per the case study, business agreements have been signed, and Faisal is a computer software programmer at company Z. In the scenario, security holes in the database systems of company Y led to a breach of confidential information. Being an honest engineer, Faisal wants to help the other company by telling them about the problems.
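The two profile-parameter recommendations in the SAP account-handling discussion above (login/password_expiration_time, default 0, recommended 30; login/fails_to_user_lock, default 12, recommended 5) can be checked mechanically against a parameter dump. The Python below is an added example, not part of the original essay. It assumes a constructed "name = value" dump format rather than the real RSPFPAR layout, and it includes login/min_password_lng only to show that parameters outside the essay's baseline are reported rather than judged.

```python
"""Added example (not from the original essay): check the two SAP logon parameters the
essay baselines against their recommended values. The 'name = value' dump format is a
constructed simplification of what report RSPFPAR displays."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parameter -> (SAP default, recommended), both values as quoted in the essay.
BASELINE = {
    "login/password_expiration_time": (0, 30),  # days; 0 means passwords never expire
    "login/fails_to_user_lock": (12, 5),        # wrong passwords allowed before lockout
}

# Constructed sample dump. login/min_password_lng is a real SAP parameter that the
# essay does not baseline, so it must be reported as "unchecked", not judged.
SAMPLE_DUMP = """\
login/password_expiration_time = 0
login/fails_to_user_lock = 20
login/min_password_lng = 8
"""

@dataclass
class Finding:
    parameter: str
    current: Optional[int]
    recommended: Optional[int]
    status: str  # "ok", "weak" or "unchecked"

def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines into a dict; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def evaluate(params: Dict[str, str]) -> List[Finding]:
    """Judge each baselined parameter; one absent from the dump is assumed at its SAP default."""
    findings: List[Finding] = []
    for name, (default, recommended) in BASELINE.items():
        current = int(params[name]) if name in params else default
        if name == "login/password_expiration_time":
            weak = current == 0 or current > recommended  # 0 disables expiry altogether
        else:
            weak = current > recommended  # more failed attempts before lockout is weaker
        findings.append(Finding(name, current, recommended, "weak" if weak else "ok"))
    for name, value in params.items():
        if name not in BASELINE:
            findings.append(Finding(name, int(value) if value.isdigit() else None, None, "unchecked"))
    return findings

if __name__ == "__main__":
    for f in evaluate(parse_dump(SAMPLE_DUMP)):
        print(f"{f.status:9} {f.parameter}: current={f.current} recommended={f.recommended}")
```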
The key ethical concerns are integrity, transparency, confidentiality and obedience to the law. The internal regulations of professional ethics can be self-serving, aiming at a complete monopoly over a particular area of knowledge. With a breach of security, the issue is lowered security standards (Di et al., 2016). Another ethical issue is promising more than you can deliver and then completely ignoring the security hole in the record management system: Faisal's manager simply asked him to carry on with his own work rather than worry about the problems in the other company's software.

The ACS code of conduct calls for honesty, competence and professionalism. At work it is important to be honest and not to breach public trust in the profession, so the main observance is the utmost honesty and integrity underlying professional decisions and actions. By this value, Faisal would reject the request, or at least would not make any mistake on the company's behalf. Professional opinions must be distinguished from personal opinions and advice, and professional opinions must be qualified where knowledge and experience are limited (Lee et al., 2015). Competence means that Faisal should not hesitate to think about the right technique for informing company Y about the security holes, and should accept responsibility for that work. Proper respect seeks professional expertise in the areas of competence. Professional development only happens when you are true to your values and clear about the demands of the work. In Faisal's case, he needs to tell the manager of his company Z to focus on proper professional development along the different career paths.
Loyalty to the work and respectfulness come from integrating the code of conduct, whose rules govern how programs are implemented and how the company's values are improved.

Carol: Fraudulent Member of ACS Branch

Summary of case

The ethical concern here is fraud: Carol stole money from the company for personal use without informing anyone. The principle at stake concerns the general nature of morals and specific moral choices. The focus needs to be on the professional-client relationship, informed consent and confidentiality, and on professional development that preserves the integrity of the Society and respect for its members. The ACS code of ethics requires loyalty to the work, honesty and integrity, so that the organisation works properly and its members can rely on each other (Agarwal et al., 2015). This gives a standard of conduct and the assurance that the trust of team members is met. Because of Carol's actions, the other members will lose their trust in her and she will have to face being ignored by them. It would have been better if she had informed a member of the family and then kept to the internal regulations and ethical standards. The patterns are based on a complete monopoly over an area of knowledge and on professional consensus. For ethical performance, Carol needs to be professional in her work. The ICT industry changes rapidly, and to meet its standards one has to keep improving the quality of one's work in order to earn the confidence of the people in the company. It is also imperative that members of the Society maintain professional standards and keep improving and enhancing the image of the industry.
In accordance with this, there are certain objectives: taking an informed and knowledgeable stance on professional work, and taking appropriate action against members who engage in behaviour contrary to this code (Rabetge et al., 2015). Attempts to limit diversity in the workplace are to be confronted, with assured opportunities for employment, advancement and remuneration. Corporate attempts to exert influence are to be addressed, while endeavouring to extend public knowledge and understanding of ICT. Full cooperation in the advancement of ICT comes through communication with other professionals, together with pride in the profession and the protection and promotion of ICT.

Advanced Persistent Threat

An Advanced Persistent Threat (APT) is a network attack in which an unauthorised person gains access to a network. The main intention is to steal data and to damage the network, and the attacks target high-value information. The next step is to gather valid user credentials through spear phishing. Those validated credentials are then used to install bogus utilities and to build the infrastructure for distributing malware. The threat uses multiple phases to break into the network, avoid detection and harvest valuable information (Iovan et al., 2016). Infographic accounts of APTs focus on the capture and exfiltration process, in which the captured information is sent back to the attacking team's home base for analysis.
APTs show up as an increase in elevated log-ons, rapid privilege escalation to take over database authentication, and theft or reuse of important credentials. Finding widespread backdoor Trojans shows that the attackers have made sure they can get back in even when the victim catches on. There are unexpected flows of information, originating at internal points and going to other internal or external computers; the flow often targets email picked up from another country. To detect an APT, therefore, one needs to understand the flow of data. Advanced persistent attacks are aimed at business and political targets and maintain a high degree of stealth for the whole duration of the operation against the targeted systems. The advanced element is the use of the full spectrum of computer intrusion technology: the individual components are common, but their do-it-yourself combination makes the attack advanced. The persistent element is the criminal operation pursuing specific tasks, usually financial gain (Kerschbaum et al., 2015), conducted through a continuous approach of monitoring and interaction towards defined objectives. The threat element is the high level of coordinated involvement in the attack, which combines internet-based malware infection, physical malware and external exploitation; abuses and other concerns from trusted companies are also key ingredients of an APT.

References

Missbach, M., Staerk, T., Gardiner, C., McCloud, J., Madl, R., Tempes, M., Anderson, G. (2016). Securing SAP on the Cloud. In SAP on the Cloud (pp. 75-120). Springer Berlin Heidelberg.
Brooks, A., Sieu, C. (2016). The potential of community fish refuges (CFRs) in rice field agro-ecosystems for improving food and nutrition security in the Tonle Sap region.
Cras, J. Y., Mion, G. V., Guinan, D., Petritsch, H. (2015). U.S. Patent No. 9,195,841. Washington, DC: U.S. Patent and Trademark Office.
Lee, J. E., Park, S. H., Yoon, H. (2015, April). Security policy based device management for supporting various mobile OS. In Computing Technology and Information Management (ICCTIM), 2015 Second International Conference on (pp. 156-161). IEEE.
Sarferaz, S. (2015). U.S. Patent No. 8,935,743. Washington, DC: U.S. Patent and Trademark Office.
Di, N., Mariano, C. (2016). U.S. Patent No. 20,160,154,962. Washington, DC: U.S. Patent and Trademark Office.
Agarwal, A., Bastin, N., Singh, P. K., Martin, S. (2015). U.S. Patent No. 8,955,032. Washington, DC: U.S. Patent and Trademark Office.
Rabetge, C., Kunz, T., Boehrer, O., Zubev, A., Falter, T., Savchenko, V. (2015). U.S. Patent No. 9,148,488. Washington, DC: U.S. Patent and Trademark Office.
Iovan, A., Robu, R. (2016). Handling of the demilitarized zone using service providers in SAP. In IOP Conference Series: Materials Science and Engineering (Vol. 106, No. 1, p. 012003). IOP Publishing.
Kerschbaum, F., Nita-Rotaru, C., Ray, I. (2015, October). CCSW 2015: The 7th ACM Cloud Computing Security Workshop. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (pp. 1703-1704). ACM.
