TASK 1: SAP SYSTEM SECURITY PARAMETERS
Question 1: User Master Record in Sap
In Systems, application and products (SAP), a user master record is a record containing crucial master data for the system users. It contains the roles assigned to all users. It ensures that user menus with respective authorizations for the activities in the user menu are assigned to the respective user. The system only allows login by users with user master records. The user master record helps in assigning appropriate rights, authorizing individual users and assigning activity roles or groups. This helps users to execute transactions in the system. The system’s main use is in authorization and administrative management.
Importance of user master record in SAP
SAP users have user ids, which have transaction authorization. The SAP administrator can monitor all of the user’s details such as user rights, profiles, login sessions, and passwords among others. The user master record has various components or tabs, which maintain different data for the different users, to enable it to carry out the stated functions. The Logon data updates the user type, cost centre, and validity period. The Address contains the user’s address details like company address, communication details, and personal data. The Parameters contain default parameters assigned to different users (Shaughnessy, 1997). The Defaults contain the default logon language start up menu, printer, time format, and data format. The Profiles are for assigning user groups to users. For instance, SAP system authorizations are offered predefined SAP_ALL by the system. The Roles assign roles to users. The Licence data assigns licence data to users such as passwords, user access transactions, and authorization profiles. The Personalization assigns personalization to user ids.
By navigating these tabs in the SAP system’s user master record, users are able to feed certain data to the system. The system then uses this data to perform tasks such as assigning appropriate rights (using the profile information), assigning activity roles (using of the logon data), and authorizing individual users (using the license data). A user can only get authorization to access the SAP system if there exists a user master record and a password that correspond to each other (Colwill, 2009). The system generally defines a user by one or more roles. The system also restricts users by assigning appropriate authorization for performing different operations.
The fact that user master records are based on clients means that users have to maintain their own user records for all clients in the SAP system. For instance, if there are two clients in the ERP SAP system, with roles assigned to users for specific clients, then users can perform activities in their specific clients only.
The user master record ensures that the specific roles are assigned to the right user and proper authorization for the role granted. This plays an important role in data security and integrity in that the users cannot access unauthorized data. In addition, any changes of data in the system can be easily traced from the user master data.
Question 2: Default User Account SAP*
Several different people need to execute tasks in different functions for Management of Internal Controls. As such, there is a special concept for roles and authorizations. The concept has general and specific roles. SAP R/3 forms four default user accounts. These accounts have default passwords protecting them, and these passwords are commonly known. Such accounts have power or super user access rights (Young, 2009).
Speciality of the Default User Account
The default user account is special in that people with the super user access rights can change MIC specific roles by using edit roles to customize, or by employing a web application available from the MIC start page. Sample roles are delivered in BC sets, but need activation of the set in customizing. Any other role editing activities can be done in the web application and customizing (Caballero, 2009). Role editing involves role level specification, and assigning all tasks that individuals assigned to the role should have permission to perform. Role levels define if tasks should be done for the complete corporate group, process groups, single organizational unit, a process step, or for a process. Tasks are delivered by SAP and are unchangeable. Assigning roles and subsequent tasks to a person or to persons depends on an object (like an organizational unit).
Different people in the organization hierarchy use a web application to perform role assignment. Power users start this process for the highest organization hierarchy levels. As such, power users can use a sequence to perform the mentioned functions. If so desired, use customizing to activate the appropriate BC set for delivered sample roles. They can also create own roles or change delivered sample roles, activate desired roles and save entries. Role assignment can then be done on the start page’s navigation area.
Question 3: Securing SAP* From Misuse
Any vulnerability in SAP security could cause business disruptions, financial loss, and misstatement of financial information among other issues. SAP’s security bridges have a direct impact on the business, and being an integrated system causes a widespread impact of any errors. Applications and their supporting infrastructure ought to have security in the system to prevent misuse of SAP* user accounts.
One control to prevent misuse of the account authorization controls. SAP users should perform their specific roles and secure these transactions from unauthorized access simultaneously. This concept is complex and scalable in that it determines the kind of activity that a user can perform, as well as the place to perform it. The enforcement concept is pseudo object oriented, and it uses authorization objects. The roles have assigned authorizations, and users have assigned roles. In this kind of control, SAP analyses the user master record for the required authorization. SAP then gives information stating which authorizations are required for specific transaction codes. All disabled authorization checks should be searched. Additionally, there should be a review of the control of access to sensitive or critical activities, the appropriateness of user access and the appropriateness of roles (Schmidt et al., 2009).
Another control is the segregation of duties. This ensures that no single person completely controls a process’ major phase. It is also a major part of any effective controls in the internal environment. Its typical enforcement is through combining mitigation controls and access control. Reviews should be done to ensure definition of SoD framework; no user SoD conflicts, no role SoD conflicts, and existence of mitigating controls should be done in case there arises SoD user conflicts.
TASK 2: Ethical Behavior for an Information Security Professional
Question 1: Ethical concerns for Helen
In the case of Helen and her clients, she should indeed refuse to develop the system as requested by her clients. The clients want to save on costs; hence, they have opted for a system with minimal security for their firm. The system will keep extremely sensitive information about its employees (like salaries, performance evaluations, and medical records for insurance claims filings), and such information should be secure and safe. Development of the internet has come with increased security threats in terms of hacking. If a criminal accesses an employee’s salary information for instance, they can find targets for theft either through physical robbery or identity theft. This shows that the firm is choosing to save costs and leave its employees vulnerable to all kinds of security threats, which is unethical on the part of the company. Helen has tried to push for increased system security but the management is focused on cost management.
Helens’ ethical behaviors are being tested in this case. She can either conform to the clients demand and develop a non-secure system or refuse the clients demand. Developing a non-secure system will be risking the data to be stored in the system. This data belongs to members of the public and any unauthorized access to such data can be very harmful. In this digital era, criminals are using stolen data to blackmail people. It is Helens’ ethical duty to ensure that her work affects positively on the lives of other individuals (Schmidt et al., 2009). Her refusal to create a sub-standard system will mean that she will lose business, which will reduce her company’s income. She will have to choose between her company’s profits and the well-being of the people who will be affected by the unsecure system (Oz, 2001).
Question 2: Ethical concerns in Helens’ case
One of the values of the ACS Code of Professional Practice is the public interest primacy. This code stipulates that public interest should preside over private, sectional, and personal interest. The resolution to any conflicts arising should favour public interest. In addition, the immediate stakeholders should have their interests safeguarded, so long as these interests bring no conflict to the loyalty and duty owed to the public. Public interests involve safety, environmental and public health issues. From the case, it is clear that should Helen opt to grant the clients their wish for a minimum-security system, the public would suffer the most. The system will leave the employees of the client company vulnerable to security attacks from hackers. For instance, access to an individual’s salary information might result in identity theft to gain access to his or her salary. The clients would save funds from a lower security system, but this would be a selfish deed on their part. It is Helen’s duty to object to such occurrences, by refusing to grant the client’s wish, and choosing to protect the interests of the public, or the employees that would be affected by the system (Schmidt et al., 2009, p. 232).
Considering the value of enhancing quality of life, it is acknowledged that ICT has negative and positive effects. It is expected that all ICT workers are ethical in conducting their businesses, so that these negative effects are mitigated. It is Helen’s duty to promote the safety of those that her work would affect. The proposed system will leave the clients vulnerable to cyber crime attacks, and this will bring problems rather than limit their problems. This would especially be worse for those employees with disabilities as they struggle more than the regular people in their lives. For instance, in the case of an identity theft by a criminal to access the employee’s salary, the employee will be left in a financial distress, where he or she will be unable to pay bills or perform other transactions requiring finances. Helen has to refuse to create the system if the clients are adamant about the threat posed to their employees (Schmidt et al., 2009).
Question 3: Ethical concerns for Fred
Fred seems to be careless with the company’s stored information. First he downloaded it onto his personal computer at the office, and then he took the data home on a CD, having burned the information on to it. Additionally, he left the disk at home after he was done with it. Different individuals at different places have now exposed the sensitive information about the company’s clients to scrutiny. First, there are his work mates who may borrow his computer for use, and happen to stumble upon this information. Second, there are the family members and other houseguests who may gain access to this information from the forgotten disk (Workman, Bommer & Straub, 2008).
All companies are expected to keep their client information private due to various issues that may arise in the clients’ lives should the information be made public (Caballero, 2009). For instance, some people may face discrimination at work and from the society if it is known that they were or are drug or alcohol addicts. It could even lead to loss of carriers for the clients who are public figures like in politics. Fred is only thinking of himself and how to get the assigned task completed, probably for purposes of getting credit and recognition from his superiors for his excellence in efficiency. He could also be in a competition with other work mates for a promotion, or a certain reward, hence the pressure to finish the task on time. Whatever the driving force behind his actions, he leaves the company clients exposed to various threats should their personal information be accessed and fall in the wrong hands.
Question 4: Ethical concerns in Fred’s’ case
According to honesty as a value of the ACS Code of Professional Practice, no ICT employee should attempt to enhance his or her own reputation while risking the reputation of another individual. The actions by Fred in leaving the company’s client information scattered in different places poses a risk to the reputation of the affected clients (Caballero, 2009). Be it out of forgetfulness or pure intent, all employees of the ICT should ensure security of their clients’ reputation by ensuring the security of their personal sensitive information. Fred did not want to risk tainting his employment record by a late delivery of the assigned task, which prompted him to carry the information from work to home (Prior, Rogerson & Fairweather, 2002). He should at least have ensured that other persons protect the computer and the disks against unauthorized entry.
The value of public interest primacy also stresses on the preservation of the privacy and confidentiality of other people’s information. The divulgence of certain kinds of information about high profile individuals in the society might lead to a destruction of their carriers, and this especially applies to political figures (Schmidt et al., 2009). Such individuals with a history of such problems may never be trusted again to handle public office and serve the community. This would be unfair, especially if the said individual has already overcome his or her addiction. Therefore, Fred should have been more keen and attentive in handling the information, and to the risks posed by unauthorized access to the lives of the clients.
TASK 3: TOP TEN OSWASP VULNERABILITIES AND ONE ZERO DAY SOFTWARE VULNERABILITY.
CVE-2013-3893
This IE vulnerability permits attackers to operate codes on machines of the users visiting websites that are maliciously crafted. The vulnerability anchored the “Deputy Dog” malware campaign, which began some time in August targeting Japanese organizations. A similar exploit was used by no less than three other APT campaigns including Taidoor, th3bug, and Web2Crew.
The OWASP top 10 vulnerabilities has Invalidated Redirects and Forwards as tenth on the list. The threats agents are specific to applications. Here, attackers’ link redirects that are invalidated to websites and victims are tricked into clicking it (Schmidt et al., 2009). This could include users being tricked to submit requests to company websites. There is a likelihood of the trick being successful because the link is on a valid website. By so doing, users give attackers unsafe go ahead for bypassing security checks. There are frequent scenarios of applications redirecting users to different pages, or using internal forwards similarly. In some cases, the target page is stated in invalidated parameters, which allows attackers to decide on the destination page.
It is easy to detect unchecked redirects. This can be accomplished by looking for redirects that can allow the full URL to be set (Krsul, 1998). It is harder to detect unchecked forwards as they aim for internal pages. These redirects may try malware onto the machine. It could also trick users to reveal passwords or any other sensitive information. Additionally, unsafe forwards could enable access to bypass of control.
Maintaining trust between an organization and its clients is crucial to the business’ success. If a malware owns clients and they trace the source of that malware to the company website, they will blame the company. The implication given would be that the company is unable to protect its clients and client information (Hornberger & Schneider, 2002). It makes it difficult to trust any other aspects of the organization, because the clients would presume that the other aspects would also be prone to security threats. The result is that the business will start to deteriorate. For instance, the concerns over the security of personal information might prompt investors to shy away from the company, because they will be cautious over researching the company on the company website. It is worth noting that information on an organization is what pulls investors towards accompany, after they will have made an analysis of the information available about the company to come to certain conclusions that they deem favourable to them and the company (Caballero, 2009). This zero day vulnerability can thus be catastrophic to a business if measures are not taken to leave no room for such an occurrence.
References
Basta, A. & Zgola, M., 2012. Database security, Boston, Mass.: Course Technology/Cengage Learning.
Caballero, Albert., 2009, “14”. Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p.232
Colwill, C., 2009, Human factors in information security: The insider threat–Who can you trust these days?. Information security technical report, 14(4), 186-196.
Füchsle, M., & Zierke, M. E, 2010, SAP CRM Web Client: Customizing and Development. Galileo Press.
Hornberger, W. & Schneider, J., 2002. Security and data protection with SAP systems English., London: SAP Press/Addison-Wesley.
Krsul, I. V., 1998, Software vulnerability analysis (Doctoral dissertation, Purdue University).
Ndez, J. & Keogh, J., 2006, SAP R/3 handbook 3rd ed. McGraw-Hill/Osborne.
Schmidt et al., 2009, An integrated framework for information security management. Review of Business 30(1):58-69
OWASP, T. 10, OWASP TOP 10: The Ten Most Critical Web Application Security Vulnerabilities (2007).
Oz, E., 2001, Organizational commitment and ethical behavior: An empirical study of information system professionals. Journal of Business Ethics, 34(2), 137-142.
Prior, M., Rogerson, S., & Fairweather, B., 2002, The ethical attitudes of information systems professionals: outcomes of an initial survey. Telematics and Informatics, 19(1), 21-36.
Shaughnessy, S. T., 1997, System and methods for improved file management in a multi-user environment, U.S. Patent No. 5,692,178: U.S. Patent and Trademark Office.
Whitman, M.E. & Mattord, H.J., 2012. Principles of information security 4th ed., Boston, MA: Course Technology.
Workman, M., Bommer, W. H., & Straub, D., 2008, Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816.
Young, L., 2009. SAP security configuration and deployment the IT administrator’s guide to best practices, Burlington, MA: Syngress Pub.
Do you need an Original High Quality Academic Custom Essay?