SAP Audit Information System (AIS) serves as a centralized repository for reports, queries, and views of interest to auditors. It is designed to address the overall system configuration as well as SAP business processes and their related control features, providing audit and security practitioners with the critical information they need to conduct effective reviews of their SAP systems. SAP administrators can use AIS for security auditing. The AIS plays a supportive role in providing security services for SAP systems. The primary function of AIS is auditing but auditing features can derive the measures that help in developing the security policy for SAP systems.

A successful security set up of a SAP system concludes with proper management and administration of user IDs, password resetting, audit trails, audit logs, access control list, and personnel responsibilities.

Security administration in SAP includes maintenance of the overall SAP security environment using the SAP Profile Generator, creating user-level activity groups and creating user master records.

The concept of SAP security is flexible as well as complex. SAP has a multi-layered integrated framework. To ensure adequate protection, security measures must be factored into all layers of the SAP infrastructure. With client/server architecture, SAP systems include many components that exchange information, each of which constitutes a layer of the SAP security infrastructure. Security is often not a priority in an implementation and as a result, the default security is not strong. SAP security functionality could be enhanced using various measures as discussed above.

Enterprises must develop a security strategy to ensure a secure and functional SAP system. A business critical application like SAP needs continuous monitoring and improvement of its security features.

pdf version (printer friendly) of this paper ...