SAP implementation - log files 1928



  • Dear All,
    I enjoy reading the posts on this forum. I am working on a SOX project in Germany and one issue came up that I would like to discuss with you.
    We have just implemented SAP FI/CO within our company and the user access rights are not appropriate concerning segregation of duties at the moment. We have only two key users who can do basically anything for a temporary period of two to six months. This is not SOX conformant.
    Now, I was thinking of a control to address this problem. The regular print-out and review of SAP log files by different persons came to my mind; however, in Germany we cannot use log files for this purpose due to protection of privacy. Our works council will not agree to this procedure.
    Maybe you can help me with ideas on how to get this problem SOX compliant.
    Many thanks.



  • Hi and welcome to the forums 🙂
    Below are some ideas which may or may not be applicable:

    1. Would you consider your SAP implementation in production? If your company is in an implementation and roll-out phase, the two SAP ‘admins’ who are configuring the environment might need this level of authority to set up the environment.
    2. It might be beneficial to discuss this with audit for suggestions or control techniques. Systems like SAP will most likely need an application administrator anyway, even when the full user community comes on board.
    3. Is it possible for the two individuals to cross-check each other’s work, so that person ‘A’ approves major changes made by person ‘B’ (and vice versa)? They may be working on different sides of the SAP system, but if they could approve each other’s work, that approach might help.
    4. Could some unneeded admin rights be gradually withdrawn as the system comes more online for the entire user community?
    5. In the United States, our privacy laws allow security administrators to monitor the security aspects associated with system access for business systems. For the SAP implementation, the ability to track and audit significant financial events for users seems like something you will eventually need to have?
    6. This thread might also be helpful in describing how SOX 404 relates to IT security. SOX 404 is more about management awareness and control of IT security risks, rather than step-by-step instructions on security:
      http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1919


  • Dear All,
    We have just implemented SAP FI/CO within our company and the user access rights are not appropriate concerning segregation of duties at the moment. We have only two key users who can do basically anything for a temporary period of two to six months. This is not SOX conformant.

    Not an unusual problem. Configuration of user access is complex in SAP and most companies do not invest the time up front to get this right. Look at tools like Virsa’s RAT tool, which help.
    Now, I was thinking of a control to address this problem. The regular print-out and review of SAP log files by different persons came to my mind; however, in Germany we cannot use log files for this purpose due to protection of privacy. Our works council will not agree to this procedure.
    I don’t see why this would be a Betriebsrat issue at all; there is no personal data being stored, it is company data that is stored in SAP. I have worked with many German companies in the past and have never had this problem.



  • Many thanks for your comments. We are live with the SAP CO/FI system already, that means a productive environment. The works council problem with user log files is the following:
    How can management assure that information gathered by log files is only used for security and business continuity purposes and not used for analysis and evaluation of employees’ working performance? As long as it is technically possible to do the latter, the works council cannot agree to implementing log files.
    Probably the only possibility to solve this problem is to have a written company agreement that the data stored is only used for the above reasons and not for analysis purposes. Agree it with the works council and install a new data protection officer who is responsible for monitoring this agreement.
    What do you think?



  • Hi Lee-Michael: Yes, I would implement this exactly as proposed … The purpose of the control is strictly to monitor highly privileged security events on the SAP servers. Another idea in proposing this to the works council is to exclude any monitoring of email or Internet usage, restricting the logging to the SAP production servers exclusively.
    If the works council agrees, it might also be good to formally document this and let the two individuals know exactly how the system monitoring controls will work, so that they are aware (especially if questions surface later).



  • Does the works council realise how difficult it would be to analyse and evaluate worker performance from SAP log files? There are probably a thousand easier ways of doing it.



  • If at all an individual has been identified as the application owner, he/she will be the correct individual to review the SAP logs.
    I do not understand how a privacy issue comes into the picture. Logging of a USER ID, I repeat USER ID, would generate logs which carry the user name, machine name, nature of logon and the transaction code used.
    This basic log does not divulge any company-sensitive information at all. By reviewing this log we will be in a position to comment on the appropriateness of access. This is for user activity.
    The next thing would be to enable logs on important tables in SAP. I am pretty sure your organization gets a non-disclosure agreement and confidentiality agreement signed. Given these, there should ideally be no problem for log review.
    Hope this added some value.



  • I agree with NC’s good points and below are additional points:

    1. The only folks that should review access logs would normally be the IT security team. IT auditors might periodically sample the logs when evaluating controls. The system owners might even review actual access logs (if they had the technical skill sets, but this has been rare in my experience). However, any questionable practices or decisions on who should have certain access rights must be discussed with the system owners.
    2. This control should not violate privacy laws; however, they should be thoroughly checked out prior to implementation, as guidelines vary in different states and countries. The monitoring should be limited in scope to ensuring security controls are in place and are not being violated (balanced within the framework of privacy laws).
    3. Depending on how the user ID is structured, it may not even be decipherable to a specific person (for example, if my ID were A0123456 instead of HWaldron, a translation table might be needed anyway when reviewing the raw logged data).
      Privacy and security monitoring can be achieved, as long as there’s good design that takes both into account and the process is reviewed for any potential legal issues as well.
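The two preceding posts describe what a scoped log review looks like: records carrying user ID, terminal, logon type and transaction code; a translation table so the reviewer does not see the person behind the ID; and monitoring limited to security-relevant events rather than general activity. The script below is an added example of that review logic, not code from the thread or from SAP. The log lines are constructed in a simplified CSV layout (the real SAP Security Audit Log format differs), the pseudonym table and the meanings assigned to transaction codes such as SU01, PFCG, FK01 and FB60 are assumptions, and the segregation-of-duties rule is one illustrative rule, not a complete SAP SoD rule set.

```python
"""Privacy-scoped review of SAP-style access logs (added example, not SAP code)."""
import csv
import hashlib
from collections import defaultdict
from io import StringIO

# Constructed sample log, not real SAP output: one record per executed transaction.
SAMPLE_LOG = """\
timestamp,user,terminal,logon_type,tcode
2006-03-01T08:02:11,A0123456,WS-FIN-01,dialog,FK01
2006-03-01T08:15:40,A0123456,WS-FIN-01,dialog,FB60
2006-03-01T09:01:05,A0123456,WS-FIN-01,dialog,F110
2006-03-01T09:30:22,A0654321,WS-FIN-02,dialog,SU01
2006-03-01T09:31:02,A0654321,WS-FIN-02,dialog,PFCG
2006-03-01T10:12:54,A0777777,WS-AP-07,dialog,FB60
2006-03-01T10:20:00,A0777777,WS-AP-07,dialog,SE16
"""

# Translation table (assumption): the reviewer only ever sees the labels on the
# right; the mapping back to a person is held by the data protection officer.
PSEUDONYMS = {"A0123456": "KEYUSER-1", "A0654321": "KEYUSER-2", "A0777777": "USER-3"}
# Salt for IDs missing from the table, likewise kept away from the reviewer (assumption).
SALT = b"review-2006-Q1"

# Transaction codes in scope for the security review. Meanings are assumptions.
PRIVILEGED = {"SU01": "user maintenance", "PFCG": "role maintenance",
              "SE16": "table browser", "SM30": "table maintenance"}

# One illustrative segregation-of-duties rule (assumed t-code meanings):
# maintaining vendor master data must not be combined with invoice entry or payment.
SOD_RULES = [({"FK01", "FK02"}, {"FB60", "F110", "F-53"},
              "vendor master vs. invoice/payment")]


def pseudonymize(user_id):
    """Replace a user ID by its review label; unmapped IDs get a salted hash label."""
    if user_id in PSEUDONYMS:
        return PSEUDONYMS[user_id]
    digest = hashlib.sha256(SALT + user_id.encode()).hexdigest()[:8]
    return f"UNMAPPED-{digest}"


def parse_log(text):
    """Parse the CSV log; the raw user ID is dropped at this point and never kept."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({"timestamp": row["timestamp"],
                        "user": pseudonymize(row["user"]),
                        "terminal": row["terminal"],
                        "logon_type": row["logon_type"],
                        "tcode": row["tcode"]})
    return records


def privileged_events(records):
    """Scope limitation: only transactions on the privileged list are surfaced."""
    return [dict(r, purpose=PRIVILEGED[r["tcode"]])
            for r in records if r["tcode"] in PRIVILEGED]


def sod_violations(records):
    """Flag pseudonymous users who executed both sides of an SoD rule."""
    by_user = defaultdict(set)
    for r in records:
        by_user[r["user"]].add(r["tcode"])
    findings = []
    for user, tcodes in sorted(by_user.items()):
        for left, right, name in SOD_RULES:
            if tcodes & left and tcodes & right:
                findings.append({"user": user, "rule": name,
                                 "tcodes": sorted(tcodes & (left | right))})
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for e in privileged_events(recs):
        print(f"{e['timestamp']} {e['user']:<10} {e['terminal']:<10} {e['tcode']} ({e['purpose']})")
    for f in sod_violations(recs):
        print(f"SoD: {f['user']} ran {', '.join(f['tcodes'])} [{f['rule']}]")
```

Run stand-alone it prints the three privileged events and one SoD finding for KEYUSER-1, who in the constructed data created a vendor and then entered and paid an invoice. Everything the reviewer sees is keyed by the pseudonym, so the finding can be escalated to the system owner without the reviewer ever handling the real user ID, which is the separation the works council discussion above is asking for.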
