Career Corner Discussions

SAP Security Training

Former Member
0 Kudos

I have a question regarding SAP Security Training.

How important is Audit in SAP Security Training?

Do I need to get trained in the Auditing part, or else is regular R/3 security and GRC training sufficient for a career in SAP Security?

Auditing as in ..

Configuring and Using Basis Security Audit Tools

Configuration of the Audit Log

Reading the Audit Log

Audit Information System (AIS)

Key steps to auditing SAP security

Security best practices

Etc...

3 REPLIES

giri_ayyagari
Active Participant
0 Kudos

Hi Shashank

To understand the process and methods, I suggest taking formal training as the best bet. Have you checked the SAP training website?

https://training.sap.com/shop/certification/c_audsec_731-sap-certified-technology-associate---sap-au...

In self-learning you might miss something here or there; I strongly suggest you take the basics and you can go from there.

Good luck..

-Giri

Former Member
0 Kudos

Thanks a lot for the reply.

Currently I am working on SAP Security R/3 and I would like to advance my career in the SAP Security field. Currently I am planning to learn GRC 10.0.

Questions

1) Usually, how many years of experience do I need to have in SAP Security to get into an Auditing profile in SAP security?

2) If I wanted to get into Auditing in future, do I need to undergo any other training for auditing?

3) I am interested in the Auditing part and I wanted to know if there is any specific training for Audit, or else will it come by experience?


Thanks for your time

Colleen
Advisor
0 Kudos

Hi Shashank

My specialty in SAP is Security and GRC so happy to chime in here with some advice....


How important is Audit in SAP Security Training?

I would consider auditing to be complementary to security training. If you happen to have a bit of an audit background it will help you appreciate security. To cover some of the items you have mentioned:

  • Reading the Audit Log - yes it's useful and recommended that clients configure it for some minimum scenarios. It is not difficult to use or interpret. If you are interested, this is quite a good blog written by a top SAP security employee -
  • AIS - I must admit I've never configured AIS before. Again, there's no harm in learning it and it'll really depend on being on a client site that uses it.

So that covers off on your topics... in relation to actual security activities, these are the following you would need to learn as you move into the area:

  • User Administration - SU01/SU10 - Creating, Maintaining, Administering users
  • Security Role Build - PFCG/SU24/SUPC - maintaining security roles (composite, single, imparting and derived)
  • System Security - start branching out into the technical security (SSO, system parameters, etc)

You would slowly build on the items (starting with password issues or account setup through to authorisation errors and role build).


Do I need to get trained in Auditing part or else Regular R/3 security and

As mentioned, this would really depend on whether you want to go down an auditing path. It is valuable understanding what auditors look for so you can pre-empt them in your system. I'm not the only one who finds "audit season" a challenge. Each year they will search your system to find at least one risk, etc.


GRC training is sufficient for career in SAP Security ?

GRC Component for Access Controls is a hybrid of both security and internal controls functions. Within GRC, knowing security first is useful as the Access Controls contain Business Role Management, Access Request Management and Password Self Service - these items all impact SU01 and PFCG.

Access Controls also contains Access Risk Analysis and Emergency Access Management (Firefighter). These two assist with improving internal controls in the system.

Finally, GRC also includes Risk Management and Process Controls which are less about traditional security and more towards the internal controls.

The auditors then sit further back and audit the system to ensure your Security and Internal controls are compliant with your processes, company policy and other compliance requirements (e.g. contracts, legal and regulatory compliance).

Other areas of security that you can then branch out to also include SAP Identity Management, Single Sign-On and then there's also the security of each module or system (each component has a slightly different take). It is a massive area and as we move to the cloud it is only going to get bigger (hope that translates to management buy-in and appropriate funding for it).

For me, I have recently joined ISACA and am starting to branch out and study for my CISA. I feel that to develop my security further obtaining some of the non-vendor auditing or security concepts and goals would be of benefit. Just need to find the time as all I've achieved thus far is purchasing the books and paying membership.

Good luck in choosing your career. If it's security, welcome to the ever-changing environment! If it's audit, please be kind to us security people.

Regards

Colleen