2014 Oct 23 6:21 PM
I have a question regarding SAP Security Training.
How important is Audit in SAP Security Training?
Do I need to get trained in the Auditing part, or else is regular R/3 security and GRC training sufficient for a career in SAP Security?
Auditing as in:
Configuring and Using Basis Security Audit Tools
Configuration of the Audit Log
Reading the Audit Log
Audit Information System (AIS)
Key steps to auditing SAP security
Security best practices
Etc...
2014 Oct 23 6:34 PM
Hi Shashank
To understand process and methods I suggest taking formal training, best bet. Have you checked the SAP training website?
In self-learning you might miss something here or there; I strongly suggest you take the basics and you can go from there.
Good luck..
-Giri
2014 Oct 23 10:41 PM
Thanks a lot for the reply.
Currently I am working on SAP Security R/3 and I would like to advance my career in the SAP Security field. Currently I am planning to learn GRC 10.0.
Questions
1) Usually how many years' experience do I need to have in SAP Security to get into an Auditing profile in SAP Security?
2) If I wanted to get into Auditing in future, do I need to undergo any other training for auditing?
3) I am interested in the Auditing part and I wanted to know if there is any specific training for Audit, or else will it come by experience?
Thanks for your time
2014 Oct 26 1:31 PM
Hi Shashank
My specialty in SAP is Security and GRC so happy to chime in here with some advice....
How important is Audit in SAP Security Training?
I would consider auditing to be complementary to security training. If you happen to have a bit of an audit background it will help you appreciate security. To cover some of the items you have mentioned:
So that covers off on your topics... in relation to actual security activities. These are the following you would need to learn as you move into the area:
You would slowly build on the items (starting with password issues or account setup through to authorisations errors and role build).
Do I need to get trained in Auditing part or else Regular R/3 security and
As mentioned, this would really depend on whether you want to go down an auditing path. It is valuable understanding what auditors look for so you can pre-empt them in your system. I'm not the only one who finds "audit season" a challenge. Each year they will search your system to find at least one risk, etc.
GRC training is sufficient for career in SAP Security?
GRC Component for Access Controls is a hybrid of both security and internal controls functions. Within GRC, knowing security first is useful as the Access Controls contain Business Role Management, Access Request Management and Password Self Service - these items all impact SU01 and PFCG.
Access Controls also contains Access Risk Analysis and Emergency Access Management (Firefighter). These two assist with improving internal controls in the system.
Finally, GRC also includes Risk Management and Process Controls which are less about traditional security and more towards the internal controls.
The auditors then sit further back and audit the system to ensure your Security and Internal controls are compliant with your processes, company policy and other compliance requirements (e.g. contracts, legal and regulatory compliance).
Other areas of security that you can then branch out to also include SAP Identity Management, Single-Sign-On and then there's also the security of each module or system (each component has a slightly different take). It is a massive area and as we move to the cloud it is only going to get bigger (hope that translates to management buy-in and appropriate funding for it).
For me, I have recently joined ISACA and am starting to branch out and study for my CISA. I feel that to develop my security further obtaining some of the non-vendor auditing or security concepts and goals would be of benefit. Just need to find the time as all I've achieved thus far is purchasing the books and paying membership.
Good luck in choosing your career. If it's security, welcome to the ever-changing environment! If it's audit, please be kind to us security people.
Regards
Colleen