A framework for separation of duties in an SAP R/3 environment
2008-11-26 16:09
471 查看
由于公司要上马SoD的项目,所以在网络上搜寻些SoD相关的资料来对SoD有个直接的了解, 也发现了些不错的paper,和大家分享下吧.
A framework for SoD in an SAP R3 environment是2003年发表在Managerial Auditing Journal上的一篇paper,作者Adam Little和Peter J.Best,一个是来自Ernst&Young的资深IT Auditor,一个是来自QUT的学者, 西方的学术论文好象大多都是这类的组合,也可以说是咱们的理论加上实践吧.由于时限性,文章的平台SAP R/3使用的公司应该不多了,不过文章的主体思想还是非常的有用,所以向想了解SoD的朋友们推荐下.
还是西方论文体的标准格式,首先的background介绍了文章的平台是基于SAP R/3,以及SoD被应用的原因,首先当前的IT环境中,不少的IT公司都面临着信息安全的问题,大致包括以下,Passive techniques, Attempted break-ins, Browsing, and Viruses and worms, 这篇文章主要是基于Browsing来讲.那么什么是Browsing呢,打个简单的比方,应该很多人都遇到过,你在公司的系统中操作的时候, 突然发现系统中有些你不熟悉的业务操作,而你又没有这些权限, 你去尝试使用这些业务操作的时候就是Browsing了,这个应该是非常普遍的case.
然后作者通过提出一些比较普遍的应对措施(应该是所有的信息安全中都会提到的Authentication, Access control, Cryptography, Auditor trail log)来引出对SoD的介绍, SoD通俗的说就是职权分离,就是在一个组织环境下, 所有的人都应该获得的是也仅仅是与他的业务相关的权限, 不仅仅是在系统中的分配, 在business环境下,也应该做到不违背SoD的一些基本原则,包括以下: 1. Separation of the custody of assets from accounting, 2. Separation of the authorization if transactions from the custody of related assets, 3. Separation of operational responsibility from record-keeping responsibility, 4. Separation of IT duties from duties of key users out of IT.
基于本文的主要方向separation of duties with in the general ledger(GL), accounts receivable(AR), and accounts payable (AR), 作者又提出了以下的准则来作为SoD的依据:
1. Users who can create and modify master records should not be able to post transactions.
2. Credit management should be separated from master record maintenance in accounts receivable.
3. Dunning and credit management should be separated from invoice and receipt data entry.
4. Receipt data entry should be separated from invoice and credit memo data entry.
5. In accounts payable, cheques should be managed any payments performed by someone other than the person who enters vendor invoices.
6. Writing off an account receivable as a bad debt should be separated from receipt data entry.
7. Users’ activities should not cross boundaries between GL,AR, and AP.
在这些依据的基础上,本文的作者,通过分析SAP R/3的权限设计的原理,来设计出一个比较具体的如何在R/3系统中给用户分配权限的模型, 通过与这个模型的对比, internal auditor或者consultant可以来判断, SoD是否偏离了方向.
总的来说,这篇文章还是说得比较的general的,尤其是对SAP的权限设计的讲述,以及如何在SAP中配置用户权限来实现SoD的介绍, 但是对希望对SoD能有个直观印象的朋友来说,文章的理论描述以及丰富的case study还是很有帮助.本文出自 “城” 博客,请务必保留此出处http://lizhen.blog.51cto.com/378434/115459
A framework for SoD in an SAP R3 environment是2003年发表在Managerial Auditing Journal上的一篇paper,作者Adam Little和Peter J.Best,一个是来自Ernst&Young的资深IT Auditor,一个是来自QUT的学者, 西方的学术论文好象大多都是这类的组合,也可以说是咱们的理论加上实践吧.由于时限性,文章的平台SAP R/3使用的公司应该不多了,不过文章的主体思想还是非常的有用,所以向想了解SoD的朋友们推荐下.
还是西方论文体的标准格式,首先的background介绍了文章的平台是基于SAP R/3,以及SoD被应用的原因,首先当前的IT环境中,不少的IT公司都面临着信息安全的问题,大致包括以下,Passive techniques, Attempted break-ins, Browsing, and Viruses and worms, 这篇文章主要是基于Browsing来讲.那么什么是Browsing呢,打个简单的比方,应该很多人都遇到过,你在公司的系统中操作的时候, 突然发现系统中有些你不熟悉的业务操作,而你又没有这些权限, 你去尝试使用这些业务操作的时候就是Browsing了,这个应该是非常普遍的case.
然后作者通过提出一些比较普遍的应对措施(应该是所有的信息安全中都会提到的Authentication, Access control, Cryptography, Auditor trail log)来引出对SoD的介绍, SoD通俗的说就是职权分离,就是在一个组织环境下, 所有的人都应该获得的是也仅仅是与他的业务相关的权限, 不仅仅是在系统中的分配, 在business环境下,也应该做到不违背SoD的一些基本原则,包括以下: 1. Separation of the custody of assets from accounting, 2. Separation of the authorization if transactions from the custody of related assets, 3. Separation of operational responsibility from record-keeping responsibility, 4. Separation of IT duties from duties of key users out of IT.
基于本文的主要方向separation of duties with in the general ledger(GL), accounts receivable(AR), and accounts payable (AR), 作者又提出了以下的准则来作为SoD的依据:
1. Users who can create and modify master records should not be able to post transactions.
2. Credit management should be separated from master record maintenance in accounts receivable.
3. Dunning and credit management should be separated from invoice and receipt data entry.
4. Receipt data entry should be separated from invoice and credit memo data entry.
5. In accounts payable, cheques should be managed any payments performed by someone other than the person who enters vendor invoices.
6. Writing off an account receivable as a bad debt should be separated from receipt data entry.
7. Users’ activities should not cross boundaries between GL,AR, and AP.
在这些依据的基础上,本文的作者,通过分析SAP R/3的权限设计的原理,来设计出一个比较具体的如何在R/3系统中给用户分配权限的模型, 通过与这个模型的对比, internal auditor或者consultant可以来判断, SoD是否偏离了方向.
总的来说,这篇文章还是说得比较的general的,尤其是对SAP的权限设计的讲述,以及如何在SAP中配置用户权限来实现SoD的介绍, 但是对希望对SoD能有个直观印象的朋友来说,文章的理论描述以及丰富的case study还是很有帮助.本文出自 “城” 博客,请务必保留此出处http://lizhen.blog.51cto.com/378434/115459
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- An Evaluation Framework for MPEG video transmission in NS2 environment
- A Deep Compositional Framework for Human-like Language Acquisition in Virtual Environment
- [Javascript] A function works like 'print_r()' in PHP to print out the details of an object for JS debugging
- Get indices for sorted permutation of an array in Ruby?
- Moiseinst An organizational model for specifying rights and duties of autonomous agents
- Insider Computer Fraud: An In-depth Framework for Detecting and Defending against Insider IT Attacks
- Get the content of an Iframe in Javascript – crossbrowser solution for both IE and Firefox
- The bundle does not contain an app icon for iPhone / iPod Touch of exactly '120x120' pixels, in .pn
- 论文笔记:LSTM, GRU, Highway and a Bit of Attention: An Empirical Overview for Language Modeling in Speec
- Method and apparatus for verification of coherence for shared cache components in a system verification environment
- Get the content of an Iframe in Javascript – crossbrowser solution for both IE and Firefox
- Question 12: In C++, which of the following is the best declaration for an overloaded operator[] to allow read-only access (and
- In C++, which of the following syntax can be used for instantiating an object named arr of the vecto
- Get the content of an Iframe in Javascript – crossbrowser solution for both IE and Firefox
- an empirical study of learning rates in deep neural networks for speech recognition 总结
- 'Missing recommended icon file - The bundle does not contain an app icon for iPhone / iPod Touch of exactly '120x120' pixels, in .png format'
- [转]Sorting, Filtering, and Paging with the Entity Framework in an ASP.NET MVC Application (3 of 10)
- Get the content of an Iframe in Javascript – crossbrowser solution for both IE and Firefox
- Method and apparatus for an atomic operation in a parallel computing environment
- The bundle does not contain an app icon for iPhone / iPod Touch of exactly '120x120' pixels, in .pn