MSS and SoX compliance

Hi,
when I use Manager Self-Service to display and modify financial data over the Enterprise Portal in an Intranet environment, does the connection between the portal and the desktop have to be encrypted (SSL/HTTPS) to be SoX compliant?
br,
Tobias

Hi,
Well, to sum it up:
1. It's up to the auditor. He decides whether my control framework is accurate or not. Worst case: I choose a bad auditor and the SOx compliance won't stand up in court.
2. What counts as data integrity and confidentiality is up to the data/process. As all of you are stating:
"data being entered is accurate" [Simon]
"SOx does bother about whether appropriate controls have been defined and are operating effectively" [Vinay]
"The availability, integrity and confidentiality rules will be very much applicable to your context" [Ramesh]
The usage of SSL/encryption depends on the process and on the environment. If the process/data is highly critical, I need all the mechanisms/security necessary to ensure data integrity and confidentiality. These parameters differ between external and internal access and depend on what is already implemented in the organization (SSO, Kerberos, backend system, etc.)
3. To ensure points 1+2 I can decide from various frameworks. If the framework I selected - eg COBIT (PO2.3 & DS5) - and my implementation of this framework mandates security, I have to implement SSL.
Are there any best practices of the various possibilities available? Like:
1. If the application is available externally, verify at least: Firewall, provide SSL, etc.
2. If the application is available only internally, verify that I&AM is compliant to ISO X, etc?
br,
Tobias

Similar Messages

  • Oracle EBS and SOX compliance

    Hello,
    I am new to Oracle EBS
    I would like to know what are the features of Oracle EBS to comply with SOX (Access to data and programs, change control, Operations)
    Thanks in advance

    Have a look at the following notes/links, it may be helpful:
    [Note: 406401.1 - R12 Responsibilities And Roles Based On Business Flows|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=406401.1]
    [The SOX Effect On Oracle Apps Technical Development |http://apps2fusion.com/at/pb/264-the-sox-effect-on-oracle-apps-technical-development]
    [DBA Guide to Understanding Sarbanes-Oxley (SOX) |http://www.integrigy.com/security-resources/whitepapers/DBA-Guide-to-Understanding-Sarbanes-Oxley.pdf/view]
    [Sarbanes-Oxley (SOX)—Impact on Security In Software|http://www.developer.com/security/article.php/3320861]
    [Applications Releases 11i and 12|http://www.oracle.com/technology/documentation/applications.html]

  • SAP NW BPM and NW CE in heterogeneous system landscape and SOX

    Hi,
    Does anybody have experience with implementation of SAP NW BPM in a heterogeneous system environment (SAP, non-SAP, Legacy) in regards to detailed audit requirements (SOX compliance)? SAP Business Workflow is well established regarding SOX compliancy. But, what about NW BPM?
    Thanks for your replies in advance.
    Shahram

    Hi Shahram,
    Not sure about the way you are implementing BPM in a SAP/non-SAP scenario, but in BPM you can have detailed reporting and analytics for auditing purposes.
    You can also create your own data source and pass data values from the process.
    Check : [Real-Time Reporting|http://help.sap.com/saphelp_nw72/helpdata/en/a1/bde4657d1f42e3a7c698d16a699635/content.htm]
    -Abhijeet

  • Security solution with Identity server for SOX compliance

    Hi all,
    Has anybody used Identity Server as a security solution to achieve SOX compliance? I want to know the general view, opinions and experience of people while implementing such a solution.
    Just a little background of SOX: It was created by the US Congress in the wake of corporate scandals like Enron in 2001 and 2002. It is an attempt to tighten controls over corporate financial reporting and transparency.
    I am basically interested in implementing security solutions using Identity Server for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide the following facilities:
    1. User Identification, authorization and access
    2. User control of user accounts
    3. Central identification and access rights/permissions management
    4. Violation and security activity report
    Has anybody developed such a solution? What are your general experience, problems, issues etc.? Please share your view....

    Just too quick to draw a conclusion: see the FAQ below.
    If you are not in the same AS container, let me know. Jerry
    Copy from J2EE agent FAQ:
    Question - Is it possible to install a J2EE 2.1 agent and Identity Server on the same instance of the application server?
    Installing the IS60SP1/IS61 server and J2EE 2.1 policy agent on the same instance of Application Server is not a supported configuration. We do support the 2.1 J2EE agent and IS installed on different instances of the application server. So, users can install the J2EE 2.1 agent on one instance of the application server and install IS on a different instance of the apps server.

  • SOX Compliance in HFM- Best Practice

    Hi guys,
    Is there any "best practice" for SOX compliance in HFM? Can you do it by using Shared Services? Should I work with the .SEC file?
    Have you ever been required to do so? I was asked to do so, but since it's not my field, I'm kind of lost...
    Any advice would be greatly appreciated.
    Thanks!
    Jay

    SOX covers a number of topics. Ask for the request list from the SOX auditors, and then go through each item and determine where in the system is the best source.
    The .sec file is likely not going to work. There is a provisioning report that is more helpful for user access.

  • SOX Compliance for Oracle Retail

    Is Oracle Retail SOX (Sarbanes-Oxley) compliant? Under what conditions of implementation will Oracle Retail (primarily RMS) be SOX compliant?

    Great question. Curious to learn the answer.

  • SOX compliance

    My requirement is:
    SOX compliance will require that there is a record of the date and time of when an object is changed.
    There has been some report that the record of date and time on some objects is changed even when the object is only used and not really modified. Need to know more about it. Please list any issues or recommendations.
    How do I check this feature?

    coldfire,
    Let's start off with some questions.
    1) Define 'object'
    2) "There has been some report" - from whom?
    3) "some objects are changed, even when the object is used, and not really modified." - define 'changed'.
    4) Can you provide an example of this on apex.oracle.com?
    Joel

  • NetWeaver Portal and ERP 6.0: BI, ESS/MSS and full Portal on one machine

    Hello,
    with ERP 6.0 you need an EP Core Portal for BI Java and another EP Core Portal for HCM ESS/MSS. The iViews from this portal you integrate in the main portal via a federated portal. But in this scenario I need too many portals and have a lot of maintenance costs (administration overhead for every portal). For a small customer I will build one portal for all. Is it possible, e.g., to use the BI Portal with ESS/MSS and as the full portal?
    Best regards,
    Patrick

    Hi,
    So you would like one BI installation with both the ABAP and the Java stack with the full BI functionality and additionally the XSS component, and set it up to work against the ECC ABAP-only system?
    I think the scenario would actually work, but:
    1) You might get future problems if you want to upgrade your BI-system and not the ECC-system.
    Is it possible to run the old XSS components in the new Java stack?
    2) You might get future problems if you want to upgrade your ECC-system and not the BI-system.
    What if the new version of the XSS component demands certain Java components which the BI system does not have?
    So my recommendation is still to run the Java stack on both systems:
    ECC with the XSS Java components and BI with the BI Java components.
    This way you do not lock yourself into a corner and each system can be upgraded independently of the other.

  • SAP Product and REACH Compliance 2.0 does not add on in SAP ECC 6.0 EHP5

    hi experts,
    I upgraded to ECC 6.0 EHP5 and then tried to add on SAP Product and REACH Compliance 2.0 in SAP ECC 6.0 EHP5.
    I already knew REACH 2.0 is available with ERP 6.0 EHP5 through Note 1389561 - SAP PRC 2.0: Installation and upgrade for ERP 6.0 and SAP Note 1456663 - SAINT: Enhancement Package 5 components on NW 7.02.
    But unfortunately, when I tried to install REACH 2.0 using SAINT, this error message popped up:
    ========================================================================
    OCS package SAPK-360COINTDAGBCA does not match the current software component vector
    ========================================================================
    Any idea please...
    For reference:
    ==========================
    tp version : 720 patch 90
    R3trans version : 720 patch 89
    SPAM/SAINT : 7.02/43
    SAP_BASIS : 702 sp 07
    SAP/EA_APPL : 605 sp 04
    Thanks and regards,
    Jun

    Hi Jun,
    You could check the upgrade logs and traces at the location ../usr/sap/<sid>/upg/abap/logs.
    Check for the latest last-changed logs. Most probably a prerequisite package for the REACH 2.0 installation is not included in the upgrade. The detailed logs should mention which prerequisite is missing.
    For reference see thread: EHP4 upgrade error on SAPK-603DHINEAPS
    Regards,
    Srikishan

  • Reports available in the Business Package for MSS and ESS

    Hi,
    I have searched sdn.sap.com throughout looking for a comprehensive list of reports available in the business packages for both MSS and ESS. I got a little bit of joy and found some of the MSS reports, but not all, on sdn.sap.com. Can anyone please advise where I would find such information on both these packages? Just to re-iterate, I am looking for a list of the reports these business packages offer. Any help much appreciated.
    Thanks
    John
    P.S. any documents can be sent to [email protected]

    @John
    (1) ESS - We built our own custom PORTAL role/workset in which one of the worksets we created is called "Tools and Forms". Under that workset, we placed various pages/iViews that either are simple URL iViews that link to external documents and such (like vacation request forms since they do not do online leave requests yet) as well as a couple of t-code iViews that run reports in ECC for the employee. Nothing very mind blowing there. Just some content creation on the portal side.....oh, and some config on the backend to create a Homepage Framework Area Page and all for it (I liked that part!)
    (2) Wow....talk about perfect timing...I just had to document the way MSS sees the MDT reports in its "reporting" area yesterday! haha Here goes the quick explanation....in configuration for MDT, you have various "scenarios". These kinda determine which "groups" of reports will show in MDT. For MSS for the Reporting webdynpro/service, the scenario is RPT0 (in ECC 5.0, at least). Soooo if you look at the function CODES assigned to RPT0, you will see several for Training and one for Accounting (Cost Centers)...you can reference the function CODES listed back to the "pool"/library of function codes a bit up/previous in the same config area for MDT (I think it is called "Define Function Codes"). However, there is one more piece you will see listed under RPT0....it is a DIRECT call to function MODULE "HR_HIS_READ" (this was a bugger to find because I could not find the "Maternity" report listed in the function codes and had to figure out where the heck it was coming from! haha). Anyways....what the function MODULE actually does is call the HR Information System (HIS) passing it the RPT0/MSS scenario. This returns the particular reports for Employee Data and Time&Attendance. You can see this if you run the HR_HIS_READ function directly and enter RPT0 for the second input value (first and third are not needed or you can just enter "*"). Sooooo that is how the "magic" happens. Hope that explained it. From there, you can simply config your own scenario/reports to add into MSS if you like.
    Hope this helped!

  • SOX Compliance in SAP

    Hi all,
    we are about to do one project for a US based company for which they are asking about SOX compliance in SAP.
    Can anyone tell what we have to do in SAP R/3 in order to meet SOX compliance as per US regulations?
    Regs,
    Ramesh B

    Hi Ramesh,
    You have to maintain proper Basis authorization (prefer workflow), set up a process for any functional or technical changes in the production system, i.e. a form for change requests, incident requests for authorization, no direct access to tables in the Production client, authorization group assignment for custom programs for dual validation, and a monthly window for production transports or emergency transports.
    Regards,
    Santosh

  • MSS and BW Reporting

    Hello - does any one have any experience with MSS and BW reporting?
    We have a requirement to implement BW reports to Line Managers through MSS.
    For R/3 reports we have no issue as we can use the standard structural authorisation function module to restrict access to employees directly reporting to the manager.
    How can we restrict BW reports in the same way? i.e. when a manager runs the report they should only see data about the employees that report to them in the Org structure.
    We are using BW 7.0.

    Hi Mike,
    Did you implement this scenario? Even we are trying to do the same.
    I kind of have no clue about which authorizations a manager needs in the BW system.
    We are using EP6.0 SP16 and backend system is ECC5.0.
    I have couple of questions.
    1. What authorizations in BW system the portal user (Me with content admin, system admin, user admin roles) needs to view the BW reports or BW iviews?
    2. Manager (MSS) cannot view Crystal reports in the workset 'Reporting' assigned to a manager in ECC5.0. Other iViews within the BP60.1 are working fine.
    3. When the manager tried to see a Crystal report, it threw an error saying that
    Portal Runtime Error
    An exception occurred while processing a request for :
    iView : N/A
    Component Name : N/A
    Unable to lookup System 'SAP_BW_HumanResources'. Please check the system object and the alias..
    See the details for the exception ID in the log file
    com.sap.portal.appintegrator.sap.CrystalReport::CrystalReport/SSOLayer
    Could you please help in finding proper documentation on setting up manager to see the reports in BW system.
    Thanks!

  • Can anybody send me some docs on ESS/MSS and Adobe Forms.

    Hi all,
    Can anybody please send me some docs/materials/links on how to configure/develop/work with ESS/MSS and Adobe forms.
    It's a very urgent requirement.
    Thanks n Regards
    A.M.Rao

    For ERP 2005 check out
    hi ,
    for ess..
    http://help.sap.com/printdocu/core/Print46c/en/data/pdf/CAESS/ESSIAC.pdf
    Personnel Admin. http://help.sap.com/saphelp_erp2005vp/helpdata/en/c5/0fab358b096510e10000009b38f839/frameset.htm
    Training & Event management
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/44/2bc9367a23fb68e10000009b38f889/frameset.htm
    Personnel Development
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/cf/5e9b38f8236e6de10000009b38f842/frameset.htm
    ESS - http://help.sap.com/saphelp_erp2005vp/helpdata/en/5b/76a6d7fd3a4e91bfb422405bf3e04d/frameset.htm
    MSS - http://help.sap.com/saphelp_erp2005vp/helpdata/en/29/d7844205625551e10000000a1550b0/frameset.htm
    For ERP 2004
    ESS - http://help.sap.com/saphelp_erp2004/helpdata/en/5b/76a6d7fd3a4e91bfb422405bf3e04d/frameset.htm
    MSS - http://help.sap.com/saphelp_erp2004/helpdata/en/0a/8b3b40b1607a56e10000000a1550b0/frameset.htm
    Also if you have S User ID on SAP Service Marketplace, check out https://service.sap.com/mss-staging for MSS.
    regards,
    venkat.

  • MSS and Personnel Action

    Hi Experts,
    What is the relationship between MSS and Personnel Action (PA40)? Can a manager that has access to MSS perform personnel actions (eg Organizational Transfer) for his/her subordinate employees? Thanks

    Yes, as indicated above, use Processes and Forms, which are standard delivered and mimic PA40.
    You can create your own forms just like actions:
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/2e/5a5d45d9f24fbdb06be2ff53651c3e/frameset.htm

  • App Store and Corporate Compliancy

    Hi All,
    What are everyone's thoughts on the App Store and corporate compliancy? If you are an Admin, are you going to let your clients download whatever they want from the App Store or will you remove the application completely?
    Thanks!

    It looks like you can block users from using App Store.app via Parental Controls but I've never found a way to clone Parental Controls to all my machines.
    At this point, it appears we'll need to run "rm -rf /Applications/App\ Store.app" as root immediately after the 10.6.6 install.
    IMO, it will be a lot easier to reinstall the app later after we determine its value than to try to clean up a bunch of Macs should it prove to be a problem to business users.
