Auditing Security

Question: my auditor asked me to provide him with all the changes to roles so far

I went to
SUIM > Change document for role > All change documents (Technical View)
and provided the dump to him

He is now asking me why there are multiple rows in the dump.
The only difference between them is that the "Table key" is different.

My answer to him is that though they are duplicate rows, they are for the same change as long as the other fields are not changing.
The different rows are because SAP has hundreds of flags which it resets, e.g. Coll_AGR and others, and that's why there are multiple entries.
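
One way to show an auditor the distinct changes behind such a dump is to collapse rows that are identical except for the "Table key" column. The script below is an added example, not part of the original post or an SAP tool: it groups the rows of a tab-separated export by every column except the key column, so that one role change that SAP wrote as several flag-reset rows is reported once with the list of table keys it covered. The column names and the sample rows are constructed for the illustration and are assumptions about the export layout, not the actual SUIM column names.

```python
import csv
import io

# Constructed sample in the shape of a role change-document export.
# Column names and values are assumptions for this example only.
SAMPLE_DUMP = """\
Role\tChanged by\tDate\tTime\tTable key\tField\tOld value\tNew value
Z_FI_CLERK\tJDOE\t2023-05-02\t10:15:03\tZ_FI_CLERK 001\tColl_AGR\t\tX
Z_FI_CLERK\tJDOE\t2023-05-02\t10:15:03\tZ_FI_CLERK 002\tColl_AGR\t\tX
Z_FI_CLERK\tJDOE\t2023-05-02\t10:15:03\tZ_FI_CLERK 003\tColl_AGR\t\tX
Z_FI_CLERK\tJDOE\t2023-05-02\t10:15:03\tZ_FI_CLERK 001\tSOME_FLAG\t\tX
Z_MM_BUYER\tASMITH\t2023-05-03\t09:01:44\tZ_MM_BUYER 001\tColl_AGR\t\tX
"""

KEY_COLUMN = "Table key"  # the one column that is allowed to differ


def collapse_changes(dump_text, key_column=KEY_COLUMN):
    """Group rows that agree on every column except key_column.

    Returns one dict per distinct change, carrying the shared column values,
    the number of raw rows it covered and the table keys of those rows.
    Rows that differ in any other column (user, time, field, old/new value)
    are deliberately kept apart, because then they are not the same change.
    """
    reader = csv.DictReader(io.StringIO(dump_text), delimiter="\t")
    groups = {}  # signature -> list of table keys (insertion order kept)
    for row in reader:
        signature = tuple((col, val) for col, val in row.items()
                          if col != key_column)
        groups.setdefault(signature, []).append(row[key_column])

    result = []
    for signature, keys in groups.items():
        entry = dict(signature)
        entry["row_count"] = len(keys)
        entry["table_keys"] = keys
        result.append(entry)
    return result


def summarize(dump_text):
    """One human-readable line per distinct change, for handing to the auditor."""
    lines = []
    for c in collapse_changes(dump_text):
        lines.append(
            f"{c['Date']} {c['Time']} {c['Changed by']} {c['Role']} "
            f"{c['Field']}: '{c['Old value']}' -> '{c['New value']}' "
            f"({c['row_count']} rows, keys: {', '.join(c['table_keys'])})"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_DUMP):
        print(line)
```

Run against a real export, the script would need the delimiter and column names adjusted to match the file; the grouping logic itself does not depend on them. Keeping the raw dump alongside the collapsed summary lets the auditor reconcile the two, which is usually what resolves the "duplicate rows" question.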

Answer:
Hi Devna,
Again, get an auditor who knows what he is auditing

If this is what the auditor asked for, then it is not your responsibility to explain it.
In fact, it is a good practice just to give what they ask for and volunteer no other information (as you tend to get bitten by such activities later).

Ask him, "is this not the report you asked for?". And if you are evil "you are the auditor, you should know what you are auditing before you ask for it".

Answer:
Good advice from Guest. Personally (and this often gets challenged) I ask to see the credentials of anyone auditing security. If they don't look like they know what they are doing then challenge it. Your firm is paying for it after all!

Failing that, sit with them & ask them to walk you through everything - that is, they tell you what report to run & you run it in front of them. They have no comeback if the info is not what they are looking for.

Also, don't accept what they say as fact unless it makes sense. If they have a risk & you can prove it's mitigated (no matter how - not just how they want to see it) then you have done your bit.
