Call for Bids. No. PROC-B IS Security and Authorization concept for ERP


Call for Bids No. PROC-B IS Security and Authorization concept for ERP
Questions & Answers
Mr. Dietmar PLESSE, Head, Procurement Division, ITU
Date: 17 March 2010

General Questions

Q: We understand that the Scope of Audit is limited to the SAP Application Level. Please clarify if the audit has to be done at OS level.
A: Just SAP, not O/S.

Q: Can we know the number of tickets raised in the last 3-6 months in the area of security/authorizations?
A: Very limited. No actual count available.

Q: What is the count of Users in each system landscape?
A: SAP ERP: 180 dialog users.

Roles, users, SAP systems

Q: Please specify the number of users for each SAP system in scope.
A: SAP ERP: 180 dialog users.

Q: What is the number of existing roles?
A: ERP: 297 custom roles; BI: 42 custom roles; SRM: 4 custom roles.

ERP Security

Q: What is the number of users of your ERP system covered by the security and authorization concept?
A: SAP ERP: 180 dialog users.

Q: Can you give us details as to the number of sites, their geographical spread, and the sites' opening times?
A: Everything related to SAP is managed from ITU Headquarters in Geneva. Normal working hours: Monday thru Friday from 8am until 6pm.

Q: We understood that the modules FI, CO, FM, SD, MM, HCM are in scope. Are there any additional modules in scope?
A: We also use GM (Grant Management), CATS (Cross Application Time Sheet), TV (Travel Management).

Q: HCM: Integration into Organizational Management. Are the roles linked with the organizational model?
A: No.

Q: Please specify the number of current SAP roles in scope.
A: All custom roles.

Q: Use of an aligned and globally valid master-role structure? Are roles standardized and aligned with the regions?
A: Simple structure. Only one location.

Q: Do you have one common SAP role concept?
A: Only one location: HQ. One role is assigned to all users by default.

Q: Is the current structure complex, and does it require high maintenance costs when changing, creating and assigning roles and authorizations?
A: No.

Q: Do you have central user maintenance? If yes, which one?
A: No.

Q: Are these BW authorizations in scope or out of scope?
A: In scope.

Q: Is the analysis of the DEV and QA system regarding authorizations and SoD conflicts in scope as well?
A: Yes, analysis of security/authorizations in DEV and QA are in scope. Not necessarily for SoD though.

Q: Are there cross-system processes which are SoD relevant? If yes, which processes would be affected?
A: Yes. E.g. procurement. We use SRM in the front-end but GR/IR in the back-end.

Q: What is the SLA (Service Level Agreement): lead time expected to create a new user? To modify a role?
A: None.

Q: Can you provide the total number of users for the system? And the distribution by module/business process?
A: SAP ERP: 180 dialog users.

Q: Have you got a Central User Administration to manage the IDs and access profiles of the users?
A: No.

Processes

Q: Is it desired to have a standard and global workflow for user and role administration?
A: Answering this type of question is the purpose of the analysis. We will entertain any recommendation.

Q: Is an automated user creation process considered to be in scope?
A: Answering this type of question is the purpose of the analysis. We will entertain any recommendation.

Q: Which tools may support this process?
A: Answering this type of question is the purpose of the analysis. We will entertain any recommendation.

Q: Are process and role owners defined?
A: No.

Project team

Q: How many persons from Business and IT will the ITU dedicate to this project? How high will the dedication to the project from the Business process experts be, e.g. 10% or 100%?
A: To be discussed with the company selected to perform the analysis. A very limited participation from the business is planned but full cooperation from the IS Department.

Q: Is there currently an internal organization/person responsible for managing SoD and authorization rights? When yes, how is the team structured (e.g. security team, administrators, outsourcing, external team)?
A: No internal organization.

Risk

Q: Is there a current risk management process in place?
A: Rudimentary IS risk management process.

Q: What tool(s) currently support the risk management process?
A: No special tools. We keep a risk register and store it on SharePoint.

Q: Do you already use a tool to manage IT risk governance? If yes, what is the level of maturity of the Actual Mode? Have auditors already assigned a value from 1 to 5?
A: No special tools. We keep a risk register and store it on SharePoint. Auditors have not assigned a value to it.

Other

Q: Is there only one organizational unit managed in SAP with a unique localization and a unique Company Code?
A: Only 1 Company Code, 1 controlling area, 1 FM area, 1 sales area, 1 purchasing organization, etc.

Q: Have you already defined an SoD Matrix in the current implementation? If yes, can you send us the standard of reference?
A: No SoD Matrix.

Project Scope

Q: Are the Production systems the only ones to be analyzed or will the Development and Quality systems be included also?
A: Development and Quality systems are part of the scope.

Q: For each system, how many clients do we need to analyze?
A: All.

Q: Please provide the number of users per System/Environment/Client.
A: SAP ERP: 180 dialog users.

Q: Please provide the number of companies/business departments/areas of responsibility that access the System/Environment/Client.
A: Only 1 organization.

Q: Please provide the number of profiles per System/Environment/Client.
A: ERP Production: 242 profiles.

Q: Please provide the critical transaction list for each SAP System/Environment/Client.
A: None available.

Other subjects

Q: Detailed risk list and respective mitigation controls.
A: This is part of the analysis.

Q: Detailed specification and description of the integration of HR procedures (hiring, retiring, position change) with system access and authorizations.
A: No procedures. This is part of the analysis.

Q: If possible please provide a list of all users, profiles, authorization objects, and field values per System/Environment/Client.
A: This can be provided but is considered part of the analysis effort. SAP ERP: 180 dialog users.

Q: In point 2.9 of the RfP, when you mention Security Organization do you mean the setting up of a new IT security task force/department within your organization?
A: This should be part of your recommendation resulting from the as-is analysis: the kind of organization that should be put in place to manage SAP security and SoD.

Overall

Q: Are there any specific milestones for the security and authorization concept review (e.g. earliest project start, review results ready by, due date for the final presentation, etc.)?
A: No, to be agreed upon with the company selected to perform the analysis.

ITU organization

Q: Are the SAP functions used centrally only (e.g. in Geneva) or as well decentralized (locally by representatives of member states and sectors)? If decentralized, what SAP functions are used locally (e.g. budgeting, purchasing, general ledger posting, HR, timesheet etc.)?
A: Primarily central (Geneva based) use of the system. Field staff (non-Geneva based staff) can access the system via the portal for time entry only. We also post their pay slip on the portal which they can view as well. No SAPGUI access to the system by field staff.

Q: How is the ITU organization reflected in SAP? Can you provide us with the SAP organization model?
A: Very simple org structure: 1 Company Code, 1 controlling area, 1 FM area, 1 sales area, 1 purchasing organization, etc. Details will be answered during the as-is analysis.

Q: How many users have access to SAP in total? How many of those users are located centrally (e.g. in Geneva) or locally (in the different worldwide locations), and how many users per function (e.g. budgeting, purchasing, general ledger posting, HR, timesheet, etc.)?
A: SAP ERP: 180 dialog users.

User Management

Q: How is SAP user management (access administration etc.) organized? Centralized in Geneva or in different locations?
A: Centrally in Geneva.

Q: Is the user management the same for all SAP platforms (e.g. ERP, SRM, BI, Portal)?
A: ERP, SRM, and BI share the same username.

Recommendation

Q: We assume that the recommendation related to security organization (see section II of RfP, technical terms of reference, scope of work 2.9) is only related to the outcome of work performed as stated in scope of work 2.1 to 2.8. Is that correct?
A: Yes.

Policies

Q: Can you please provide further information on the policies included for review as mentioned in section II of RfP, technical terms of reference, scope of work 2.5b and 2.6a.
A: Review of policies is part of the project.

Custom development

Q: Are there any custom developments related to SAP security and authorization? If yes, can you please provide further details?
A: We have custom reports, custom transactions, user exits and enhancements, custom forms.

Technical Terms of Reference 2.1 (a to d) Security/authorization analysis of the ERP System

Q: What is the count of custom roles in the Production System for SRM, BI, Portal and HR (single/composite or Master/Derived)?
A: SAP ERP: 297 custom roles in Production system. BI: 42 roles. SRM: 4 custom roles.

Q: Is there an existing SoD management process/tool used?
A: No.

Q: Need more clarification on what is being sought here in terms of upgrade capability. Is it the capability (skills) of the organization to carry out an upgrade? Or is it the capability of the security staff to manage Security changes required as a result of the upgrade?
A: The latter; i.e. capability of the security staff to manage Security changes required as a result of upgrade.

Technical Terms of Reference 2.2 Review SRM authorizations

Q: Which components of SRM are implemented in the current landscape?

Technical Terms of Reference 2.3 Review BI Authorizations

Q: Is the Analysis Authorizations concept of BI 7.0 used? If yes, then what is the existing count of analysis authorizations?

Technical Terms of Reference 2.4 Review Portal authorizations

Q: Which applications are hosted on the Portal?
A: CA-TS (timesheet), Web BEx Reports, ESS (pay slip), Homemade BSP (employee read-only access to its own HR data).

Q: What is the source data for UME (User Management Engine)?
A: Active Directory.

Technical Terms of Reference 2.7 Review the integration of HR

Q: Is Role based or position based security implemented in the HCM module?
A: No. This is part of the analysis. We're not using Role based.

Additional Documentation

1) Please provide the following policies (mentioned in the RFP) for analysis:
   - Policies on user IDs within the System landscape;
   - Procedures regarding obsolete user IDs and authorizations;
   - Policies on access risks.
A: Part of the scope of the project.

2) If possible please provide information on the following:
A: Part of the scope of the project.

Q: Is there a defined IT security policy?
A: The IT Security Policy is a detailed security policy that applies standards for each and every system and application within the corporation.

Q: Is there a development standard policy?
A: The Development Policy defines items such as interfaces, database connections, programming languages used (such as XML or JAVA), and any custom development for each system.

Q: Is there a system maintenance policy?
A: The System Management Policy will cover items such as database, spool, fax, tablespace, and user management settings and procedures. There should also be a set of steps for backup and recovery that can help you identify when they happen, where they happen, and on what media they reside.