The second step in surviving an SAP Security Audit requires the organization to use the information collected in Step 1 to created a collaborative action plan per the pre-determined remediation requirements.
It’s at this time when we have to start asking those tough questions… the ones no one likes to hear. You’ve gotten to the point in your SAP romance where someone’s going to seek you out, “I think it’s time we had a little chat,” which quickly turns into “What are your intentions with my daughter?” The hard stuff, so-to-speak. “SON, IT’S TIME TO MAKE A COMMITMENT.”
Stage 2: Political Reform requires that one be able to not only answer the tough questions, but be able to provide a suitable approach, which is well defined and documented in order to clean up the blaring deficiencies identified in Stage 1.
We all know one-too-many politicians who have made un-fulfilled promises. Well my friends, the time for action is now: The Tough Questions, The Answers, and the Systematic Approach to Reformation:
Political reform refers to the need to make modifications to the current role design, role management methodologies, or user provisioning process. This can lead to a need for clearer definition of jobs and responsibilities in the SAP landscape. Additionally, it may require previously grouped tasks to be separated across individuals within an organization to avoid inherent SoD conflicts. For some companies, the greatest challenge in prioritizing SAP security is the need for increased collaboration between the business and IT. This collaboration can lead to more defined requirements regarding ownership of SAP roles and critical permissions across functional areas within the organization.
Political reform allows the organization to right the wrongs of the past by doing an overhaul that mirrors the concerns of the auditors. There are many proprietary tools in the SAP ecosystem that will highlight SoD violations inherent in your role design and by user master record. Furthermore, the use of automated (GRC AC) or manual controls that are embedded within the functional business processes will allow for a greater ease of use in regards to compensating controls for unavoidable risks, user provisioning and role management.
Stage 2 Steps:
1. Task-based role design approach
2. Remove avoidable risks that are inherent in any given role
3. Restructure job responsibilities and assign access based on the “rule of least privilege” to avoid risks in individual User Master Records
4. Assign compensating (mitigating) controls to unavoidable SoD risks
5. Automate the user provisioning process and provide traceable workflow capabilities for Role changes and User Master Record changes
6. Protect the SAP Security Landscape further by securing critical transactions and permissions and by utilizing industry standards for securing custom tables and codes, SAP default users, etc. Remediation efforts from a system-wide settings standpoint, including password rules and default parameters is just as vital as minimizing SoD risks.
Stage 2 provides the organization with a clean, controlled environment, around which we can outline the objectives and the corresponding procedures to maintain control long-term. In the final installment of this series, I will provide an overview of ongoing legislature that will enable an organization to take ownership of their SAP environment and protect themselves from reintroduction to risk exposures.
The above information is not comprehensive, but rather a brief overview of the general approach in order to survive an SAP Audit. For questions, comments or knowledge on how we can make this a reality for your organization, please reach out to me directly… firstname.lastname@example.org
I got 99 problems but commitment isn’t one,