
PROJECT PLAN

START DATE: 11TH AUGUST 2016

END DATE: 6TH OCTOBER 2016

A. Screenshots of security audit (48hrs)


DURATION: 11TH AUGUST - 12TH AUGUST 2016

SAP R/3 OVERVIEW

| S/N | ACTIVITY | HOURS |
|---|---|---|
| 1 | Determine the client's organizational structure (clients, company codes, purchasing organizations, plants, charts of account, controlling areas, business areas, sales organization, division, storage location, valuation areas, customers, materials and vendors) | 2 |
| 2 | Identify the powerful user IDs in the system. | 2 |
| 3 | Verification of the users who are able to maintain authorization, user master records and profiles. | 2 |
| 4 | Identify the users who are able to perform batch administrator rights, job authorization for delete, lock and release | 2 |
| 5 | Batch input activities for change, delete and lock | 2 |
| 6 | Verify that the SAP_ALL profile is not assigned to any user. | 2 |
| 7 | Password management controls; determine the following parameters using login/password_expiration_time (default 0, should not be equal to 0); login/min_password_lng (minimal 3, maximal 8, should be between 4 and 6); login/fails_to_session_end (default 3, should be between 3 and 6); login/fails_to_user_lock (default 12, should be less than 12); login/no_automatic_user_sap* (should be set to 1); rdisp/gui_auto_logout (default 0, should not be equal to 0) | 2 |
| 8 | Verify whether the organization has defined passwords which are not allowed | 2 |
| 9 | Verify that the passwords of SAP standard users have been changed in all clients | 2 |
| 10 | Verify users that have never logged on; verify users that have not logged on for 90 and 180 days | 2 |
| 11 | Verify which users are able to access the log and trace file. | 2 |
| 12 | Verify which user IDs are able to change the system settings. | 2 |
| 13 | Verify which user IDs are able to change the system parameter values. | 2 |
| 14 | Verify which user IDs are able to maintain client dependent and independent tables | 2 |
| 15 | Verify which user IDs are able to change number range | 2 |
| 17 | Verify which user IDs are able to maintain operating system commands | 2 |
| 18 | Verify which user IDs are able to execute programs | 2 |
| 19 | Verify which user IDs are able to maintain customer master data, change customer credit limit, unblock customers, process incoming payments and post customer credit memo | 2 |
| 20 | Verify which user IDs are able to maintain vendor master record, post goods receipt, accounts payable voucher entry, post outgoing payments | 2 |
| 21 | Verify that user groups are defined according to organizational requirement | 2 |
| 22 | Verify that each client has the option "changes and transports for client dependent objects" set to automatic recording of changes for configuration clients and no transports allowed for training and education clients. | 2 |
| 23 | Verify whether company codes are productive or not. | 2 |
| 24 | Verify which user IDs are able to perform: authorization to release tasks, authorization to release and export change requests, authorization to change owner for task, authorization to change owner for change request, authorization to add user to change request. | 2 |

B. REVIEW OF ADM DOCUMENTS (ADM940 - 8 DAYS, ADM950 - 6 DAYS, ADM960 - 9 DAYS)

DURATION: 15TH AUGUST 2016 - 15TH SEPTEMBER 2016

30 DAYS FOR THE JOB TO BE COMPLETED (15TH SEPTEMBER)

C. SAP SECURITY EXAMS PREPARATION (3 WEEKS)

15TH SEPTEMBER - 6TH OCTOBER

D. REMIND MANAGEMENT OF THE EXAM ON THE 23RD OF SEPTEMBER 2016
E. EXAM PROPOSED DATE IS 7TH OCTOBER.
