SAS 70 Audit Requirements

Hi
I have to propose a network which is in compliance with SAS 70 Audit.
The network is very simple. The Internet link will terminate on my ASA 5505 and from there the wires will go into my 1200 APs. The network consists only of laptops. I will be using 802.1X authentication and would use encryption.
Also, an IPSec VPN connection to my US office will terminate on the ASA. Now this network, as said, would undergo a security audit.
So my problem is that I am clueless. Is an ACS server required for SAS 70, or will the current setup be OK? If anyone has done this, then please help.
Thanks in advance
Regards
JD

Hi,
These are very basic questions, you should check GRC configuration and security guide to get the same information.
Thanks
Sunny

Similar Messages

  • IT audit Requirement

    Customers have IT audit requirement to monitor the date and time of user access to the system.
    Currently I only know that SAP B1 keeps the last logon date information. So no way a regular job can track user time of access.
    Is there a feature in 2007B to retrieve user access logon information?

    Hi,
    it is another point to log the windows logon and the B1 logon. I do not know, how to solve this issue by B1. But you can solve it by using a VB or batch script for starting B1.
    In batch it could look like this (you just need to edit the paths for login.txt and B1):
    echo %username%;%Date%;%time% >> login.txt
    c:
    cd\
    cd Programme\SAP\SAP Business One\
    SAPBus~1.exe
    In VB it would be better, because you can set multiple parameters. For security reasons you should restrict the access for the scripts and log files.
    Regards Steffen

  • Interface Auditing requirements

    We have mainly IDoc to IDoc scenarios to configure. One IDoc contains only one transaction. In auditing, once we process an IDoc, we have to pass the success, warning or error message details with transaction/error/interface details to a Java API, or call the Java API to record these messages. Using these messages, the Java API will generate some auditing reports over a time period for that particular interface. This auditing report will have the total number of IDocs processed over time, successful IDocs, warning IDocs, fatal error IDocs, etc.
    Queries are:-
    G-  How we can pass message for error/ success or warning to API. This message should be generated at the completion of processing.
    H-  Or can we call Java API at any of XI components to catch these requirements.
    I-  We have to pass a set of process IDs to the API (IDs like project id, interface id, message id, error id, etc.). How can we pass those to the API?
    J-  Do we have any way to collect auditing data over time period. (I mean any XI table where we have it and using this we can prepare auditing report)

    Have you checked this SAP Help page (http://help.sap.com/saphelp_erp2005vp/helpdata/en/0e/ddf63d0cfa46dba4390846352f6c0f/frameset.htm)?
    ~Suresh

  • Evaluation Paths for Audit Requirements

    Hi,
    For requirements, which belong to the "Subrequirements" requirements category, is "A500" typically the value that one would specify for this?
    Thank you,
    Eric

    Yesterday, I defined the evaluation path as you suggested. I am still seeing problems, so I assume that I must have something misconfigured or unconfigured somewhere else. This implies that I'm probably not done bothering the forum yet....
    As far as getting the "SC" requirement selection into 4.72, it is not much of an issue for me, since we are supposed to be upgrading fairly soon, and for testing purposes, I should be able to use an eval path. I might still post an OSS message, as you suggest.
    One thing that would be nice would be a complete "changelog" to view somewhere. I can see the release notes for my version in the implementation guide, but it would be nice to see the release notes for all versions. This would allow someone to make a quick determination about what became available and when. If such a changelog already exists, can you tell me where to access it?
    Thanks again for your help, Joachim.
    Best,
      Eric

  • Question for GR IR functionality - audit requirement (three-way) match

    Hello,
    I have a question in regards to three way match functionality in SAP (matching of PO, GR and IR).  Auditors asked us if  GR-IV indicator is checked for every PO, and for our company this indicator cannot be checked for every PO due to drop shipments, LC terms, etc.  However, AP is ensuring that GR document is posted prior to posting IR for all POs.  In this case, even though GR-IV indicator is not checked at PO item level, does SAP enforce automatic three way matching based on the tolerance key set (DQ and PP), or does SAP not perform three way match since the GR-IV indicator was not set in the first place? 
    Please share some insight.  Thank you.  

    Hi,
    As you know three ways match related to PO-GR-IV but in your case you want pay drop shipments and LC terms to vendor where you need two way match which is with PO-IV. The disadvantage in two way match, you never know whether the whole PO amount is delivered or not in your system (in real scenario). For two way match, select those vendors in t.code:XK02 and do not select check box of “GR-Based Inv. Verif.” in Control data segment in Purchasing data view & then save.
    Now create a new PO and go for directly invoice verification WRT new PO.
    For more refer threeway match details
    SAP Threeway Match Functionality & configuration
    Regards,
    Biju K

  • Best solution for DDL audit required

    I have a db on which more than 20 developers are working. I want to track all the DDL made to tables and views. What would be the best solution to track the DDL?
    thanks in advance

    I am using a DDL trigger, as suggested, but this is the second "line of defense".
    In the databases I maintain, only a DBA can perform DDL commands. Developers are connecting to empty schemas (connectors), that have update/query roles on schemas that hold the actual application objects (owner schemas).
    This way, our developers don't know the password to the owners, and you can be calm your databases are safe...
    Idan.

  • Weird behavior in assigning requirement pattern (audit graduation)

    Hello,
    I have the following setup:
    On the SC i have filled infotype "Requirement Catalogs (1778)" with a Requirement Catalogs and Requirement Catalogs for audit type 1000. I've also marked it as a "Main catalog".
    Requirement Catalogs: VAHO
    Version: 2.0
    Now in the IMG i have the following setting:
    Student Lifecycle Management -> Processes in Student Lifecycle Management -> Audits -> Requirement Catalogs -> Define Structure of Version Sets
    Set          Version       Default version
    Audit       1.0              X
    Audit       2.0
    When I execute the Audit via PIQAUD_MP_CP it is giving me an error:
    No requirement pattern is assigned to requirement catalog VAHO, version 1.0, and audit type 1000.
    When I change the default version to 2.0 it is working correctly.
    This seems strange to me because on the SC I have said that the version 2.0 must be used.
    Am I missing something, did I misunderstand something or is it just a little bug in SLcM?
    Please help.
    Thanks a lot

    Hello Molenaar,
    You are specifying the requirements defined in version 'audit 1' as the current requirements of your university by setting 'audit 1' as the default version, whereas you are trying to evaluate the requirements in 'audit 2', which are not your current requirements though you have specified them in your program of study. If your current requirements are in version 'audit 2', then set 'audit 2' as the default version.
    Remember default version is always the basis for evaluating the requirements.
    Regards,
    Sravan

  • Create a follow-on audit in SAP Audit Management

    Hi,  I am struggling with figuring out how to create a subsequent or follow-on audit in SAP Audit Management.
    I am aware of the "Subsequent audit required" check box on the evaluation screen of the Audit, but as far as I could tell from other people's feedback is that the system does not create a follow-on audit automatically.
    How then does the system recognize the "Last Audit" when you click on the "Display Last Audit" button?
    Thank you
    Melinda

    Hi,
    "Subsequent audit required" check box is just informative. It does not automatically create an audit.
    When you click on the "Display Last Audit" button, system finds the last completed audit for the audit object assigned. You can customize the function of this button by a BADI, defined in customization for Audit Management.
    Regards.

  • Aaa-reports! enterprise v1.2 - audit solutions for Cisco Secure ACS

    Extraxi is pleased to announce the latest version of its flagship reporting package - aaa-reports! enterprise v1.2
    The next release of aaa-reports! enterprise has just been made - mainly concentrating on new reports and datasets including:
    Single TACACS+ command authorisations. Shows both permitted and denied commands by combining log entries from Failed Attempts and T+ Device Administration logs
    RADIUS and TACACS session reports. These provide single row per session with all relevant data.
    RADIUS identity networking reports. The dataset used by the RADIUS session report is key for auditing identity network environments allowing for a username to be tied to a client side MAC address/IP Address or telephone number, assigned IP address etc. Using the point and click query builder its possible to create deployment-centric reports with multi-level grouping, sorting, filtering plus calculated fields using flexible Visual Basic syntax and full function library
    Stability and bug fixes
    Updated installers
    aaa-reports! enterprise v1.2 is a free upgrade for existing customers with a current support contract.
    Visit www.extraxi.com for full product details and a 60 day fully working trial.
    To see how aaa-reports! can help you meet your ACS audit requirements please take a look at this earlier post.

    bump

  • Auditing rows in Oracle

    Hello,
    I have been told it is not possible to audit operations done to specific rows in Oracle 8.1.7.3.0 or 8.1.7.4.0
    Is this true? I just can audit operations done to tables but not know what specific rows were affected.
    Thank you.
    Javier Fernandez

    Depending on the specifics of the conversation and what type of audit requirement level is involved you were told wrong. See the DBA Administration manual chapter on auditing. However, the row level auditing performed via the native audit command will only tell you what rows were affected by whom and not what the data looked like.
    For detailed row level data auditing you need to use table triggers to capture change data history.
    HTH -- Mark D Powell --

  • Auditing in HRMS

    Hi Guys,
    Could I get few pointers from auditing point of view?
    What procedures we can adopt, what reports to run and how to control user access?
    There are some concurrent programs which maintain security, I am not sure which ones and how frequently we should run them?
    I know some auditors recommending that we should put a profile option in place which would show number of unsuccessful attempts made by user to login, are there any more features?
    Your help would be very much appreciated. :-)

    Hello,
    Here are a few things that I find useful:
    System Administrator Reports:
    - Active Responsibilities and Users
    - Signon Audit Users
    - Users of a Responsibility
    From the standard documentation sets, I find these highly useful:
    - Oracle E-Business Suite System Administrator's Guide - Security
    - Oracle HRMS Configuring, Reporting, and System Administration Guide
    These are available on My Oracle Support > Knowledge > Online Documentation > E-Business Suite Documentation
    If you have specific audit requirements (SOX, DPA, etc.), then it would be helpful to define those and then determine how you can meet those requirements. You can use Audit Trail, but that should be used with caution.
    I hope you find this useful.
    Best regards,
    Mark Pescatrice

  • Oracle Database Session events auditing

    Hi,
    I have a unique audit requirement for which I want to design the solution. Kindly help me with this.
    What I want to do is that whenever the user creates a session, say through the scott schema, and performs whatever in this session,
    it should be logged in the audit table. What I know about the features that Oracle database provides for auditing, like mandatory, standard, value
    and fine-grained auditing, does not fulfill exactly the above requirement.
    For example, I can audit the user machine from which he logs in to the database and other info through an after logon trigger, but how can I log the information
    about what he did after login, like performing specific actions?
    Regards,
    Kamran

    What version of Oracle? Oracle supports over 200 auditing events, so basically if there is a system privilege you can audit it. If there is an object owned in a schema, you can audit access or attempts to modify it.
    Check out the 11g docs for auditing (or your relevant version) http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm#BCGIDBFI
    You are going to have a lot of design work to understand your system and what is acceptable accesses, acceptable privileges, etc. and what is not. For example, you probably don't want to audit successful selects against a table when the application primarily does selects. You may only want to see unsuccessful select attempts audited. And you don't want a trigger to do this work for you. You want to turn auditing on (audit_trail=DB_EXTENDED for example) and allow the Oracle kernel to handle populating the audit trail.

  • CUSTOMIZED AUDITING

    We are looking at solution alternatives for a 'customized auditing' requirement, whereby we wish to log GRANT/REVOKE statements made. In addition to the columns that out-of-box Oracle auditing would provide through SYS.AUD$, and its associated views (eg: DBA_AUDIT_TRAIL),
    we wish to record 2 additional 'custom' attributes -
    (1) TicketID and
    (2) BusinessReason for making the privilege change.
    Our front-end interface that issues the GRANTS and REVOKES provides for collecting the custom attribute values, which we currently 'store' by setting public property values in a package.
    Our initial idea was to write an After Insert trigger on SYS.AUD$, but ORA-04089 disallows this, and for good reason !!
    We're now considering writing 'AFTER GRANT ON DATABASE' and 'AFTER REVOKE ON DATABASE' database event triggers. This certainly can be done. If possible, in addition to our TicketID and BusinessReason custom attributes, we'd like to record whatever columns are needed to allow for 'linking to' the associated
    SYS.AUD$ row that is written if appropriate Oracle auditing is turned on. In
    this way, we would have access to the detailed attributes captured in SYS.AUD$.
    There are 2 fundamental questions:
    1. Would the associated SYS.AUD$ rows be in the table at the time our database
    event triggers are being performed ?
    2. What set of columns from SYS.AUD$ would support the 'linking' capability ?

    Any updates.
    Thanx

  • Collecting File System Audit logs with Audit Vault

    Can Audit Vault collect multi-platform OS file system audit records and logs as well as network component logs from switches and routers in addition to DB audit records to satisfy ICD 503/NIST/DOD auditing requirements? If not, could it be configured to do so?
    thanks

    It only collects data from databases, which may be Oracle or non-Oracle.
    Oracle Audit Vault automates the consolidation and monitoring of audit data from Oracle and non-Oracle databases.
    http://www.oracle.com/technetwork/products/audit-vault/overview/index.html

  • Is the Database Vault portion of Audit Vault only for the Audit Vault DB?

    Hi all, first off, thanks in advance.
    I am doing a bit of research in order to fulfill some security system requirements for an upcoming project. In summary the requirement states that DBAs should not have the ability to view personal health information stored in the database.
    My initial thought was to use Oracle Label Security but recall that SYS is exempt from the OLS policies. Next I looked into Oracle Database Vault and the product appears to meet the requirements. However another part of the requirement states that we must prevent undetectable data tampering - which to me sounds like we need to have an auditing product in place not only to audit access and data changes but also to make sure that audit logs can't be tampered with. It seems like Oracle Audit Vault should meet the requirement. When looking into Audit Vault it mentions it comes with Oracle Database Vault and there is some wording which makes me believe that the Oracle Database Vault component is only for the Audit Vault database. Short of installing the product I thought I would post a message to see if my assumption is correct.
    If the assumption is correct it sounds like we would need to purchase both Audit Vault and Database Vault to fully meet the requirement. Can anyone think of any reason we need to include OLS as well?
    Once again, thanks in advance.
    Cheers,
    Eric

    I imagine you are dealing with the HIPAA compliance requirements and facing the same issue faced by many others.
    To audit who has viewed data ... SELECT statements ... you can use Fine Grained Auditing (FGA).
    To meet the government's auditing requirements, as well as those for hospital accreditation Audit Vault will do the trick.
    Keeping DBAs out of the data can be done by a number of means but the issue often comes down to the applications you have purchased and the quality of the vendors. One major source of hospital software in the US, for example, has installed thousands of systems with the exact same password for the schema owner ... and that schema owner has DBA privs.
    So before you run too far down the road of closing the back door ... make sure the front door isn't wide open.
