Download SAP Security Checklist
Saturday, November 15th, 2008
2 Security and access protection
2.1 Objective
An access protection system, together with the ability to grant individual authorizations, serves four purposes:
- To protect confidential data against unauthorized disclosure
- To protect data against unauthorized, but also against unintentional, changes or deletion
- To make procedures transparent by recording exactly who did what in the system, and when
- To guarantee that applications can be audited
Under commercial law, these measures (preventive controls within the internal control system) must prevent violations of the legal restrictions on erasing electronically stored data, guarantee the audit-trail traceability the law requires, and ensure that complete and orderly accounting is not compromised. In effect, they ensure that no data that is unauthorized, incomplete, incorrect, or posted to the wrong period or account enters the system.
2.2 Requirements
The access protection system must ensure that only authorized individuals have access to the system and to particular data. It must be possible to enter the corresponding codes (passwords) without others being able to see them, i.e. the password must not be echoed on screen. The system should ensure that:
- only passwords of a defined minimum length are accepted,
- character sequences that could easily be guessed are rejected,
- the password can be defined and changed by the user only,
- the system automatically forces a password change at defined intervals,
- passwords are protected against disclosure to anyone other than the user him/herself.
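The requirements above amount to a password policy. The Python script below is an added illustration of how such a policy is checked; it is not code from the SAP checklist. The thresholds (8 characters, 90 days), the forbidden-word list, the sample passwords and the user ID jdoe are constructed for this example. An SAP system enforces the equivalent rules through profile parameters (for instance login/min_password_lng and login/password_expiration_time) and the forbidden-password table USR40. The last two requirements, that only the user can set the password and that it is never divulged, are process and storage controls and are not covered by the check.

```python
"""Password-policy check for the requirements listed above (illustration only).

Added example, not part of the SAP checklist. The thresholds, the forbidden-word
list and the user ID are assumptions chosen for this demonstration.
"""
from datetime import date, timedelta

MIN_LENGTH = 8          # assumed minimum length
MAX_AGE_DAYS = 90       # assumed maximum password age before a change is forced
# Assumed list of easily guessed words; a real deployment maintains its own list.
FORBIDDEN_WORDS = {"password", "passwort", "welcome", "secret", "letmein", "init", "sap"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code point
    (abcd, 4321) or follow a keyboard row forwards or backwards (qwer, poiu)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if the same character appears `run` times in a row (aaaa, 1111)."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def is_easily_guessed(pw: str, user_id: str) -> bool:
    """Rejects a forbidden word with a trailing number or symbol (Welcome1!),
    a password containing the user's own ID, and sequential or repeated runs."""
    low = pw.lower()
    stem = low.rstrip("0123456789!?.$#@")
    if stem in FORBIDDEN_WORDS:
        return True
    if user_id.lower() in low:
        return True
    return has_sequential_run(pw) or has_repeated_run(pw)


def check_password(pw: str, user_id: str, last_changed: str, today: str) -> list[str]:
    """Return the policy violations for a proposed or existing password.

    `last_changed` and `today` are ISO dates (YYYY-MM-DD). An empty list means
    the password satisfies every rule checked here."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if is_easily_guessed(pw, user_id):
        problems.append("easily_guessed")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age > timedelta(days=MAX_AGE_DAYS):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for the user jdoe, checked on 2008-11-15.
    samples = [
        ("Tr0ub4dor&3x", "2008-10-01"),   # passes every rule
        ("Welcome1!", "2008-10-01"),      # dictionary word plus suffix
        ("abcd1234", "2008-10-01"),       # sequential runs
        ("jdoe-2008", "2008-01-01"),      # contains the user ID and is expired
    ]
    for pw, changed in samples:
        print(f"{pw!r}: {check_password(pw, 'jdoe', changed, '2008-11-15') or 'ok'}")
```

The check returns a list of violation codes rather than a single boolean so that the caller can tell the user which rule failed, and the expiry test is evaluated on every login, not only when a new password is proposed, which is what forces the change at the defined interval.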