Why your works council has nothing to fear from SAP security.
WELCOME!
Introduction of your hosts today:
AXEL DALDORF
Senior PreSales Consultant SAST SUITE
UWE KETTERN
Senior PreSales Consultant SAST SUITE
LEGAL BASIS
§ 87 – Co-determination rights
(1) The works council shall have a right of co-determination in […]
the introduction and use of technical devices designed to monitor the behaviour or
performance of the employees […]
§ 90 – Information and consultation rights
(1) The employer shall inform the works council in due time of any plans concerning
[…] technical plants
(2) The employer shall consult the works council in good time on the action envisaged
and its effects on the employees, taking particular account of its impact on the
nature of their work and the resultant demands on the employees so that
suggestions and objections on the part of the works council can be taken into
account in the plans. […]
Key points of the Works Constitution Act
Key points of the right of co-determination
Includes:
• Works Council
• technical equipment for potential monitoring of behavior or performance
Protection of personality:
• protection from special dangers of technical surveillance
• not protection from surveillance
• employees not object of surveillance technology
Right of co-determination:
• in planning, introduction and operation of technical equipment
• No right to prohibit
Trade-offs in the introduction of technical aids: Keep different interests in balance.
• A user should not have more permissions than he needs to perform his work.
• A user may not have authorizations that violate the 4-eyes principle.
• The board of directors (management) is responsible for compliance with the security guidelines.
• IT is responsible for physical data security (virus security, firewall, backup, ...).
• The departments are responsible for logical data security. (Who is allowed to record, change, delete, evaluate, ...?)
Interests to keep in balance: Legal and regulatory requirements; Protection of critical data; Least privileges; Segregation of Duties; Data responsibility; Right of information and consultation; Right of co-determination; Personal rights.
PRINCIPLES OF THE OPTIMIZED SAP AUTHORIZATION SYSTEM
Authorization management in SAP environment
The challenge
• Complex role and authorization concepts lead to confusion.
• SAP ERP consists of over 150,000 transactions ➔ with the 4 standard functions resulting in 600,000 possibilities.
• Time and effort for authorization management is usually high.
• Time-consuming survey of all key users regarding used transactions.
• Determination of transaction accesses of users while maintaining separation of functions.
• Manual collection of data time-consuming and error-prone.
! Role and authorization projects are among the most complex and expensive in the SAP environment.
Far-reaching authorizations favor error and fraudulent actions
FUNCTION | RISK | AUTHORIZATION
Maintenance Supplier master data | Creation of non-existent vendors | FK01 / XK01
+
Posting Documents/Invoicing Incoming goods | Posting of fictitious invoices | FB60 / FB65 / FB01 / F-53
=
Maintenance master data AND Transactional data | Risk of posting incoming invoices to fictitious accounts; cash outflow due to invoice settlement | (FK01 / XK01) + (FB60 / FB65 / FB01 / F-53)
The Segregation of Duties Principle (SoD)
Step 1 (Level 1 SoD): It must be ensured that no violation of the principle of dual control (4-eyes principle) regarding transactions exists in the single roles.
Step 2 (Level 2 SoD): It must be ensured (by assigning several single roles) that there is no violation of the 4-eyes principle in the composite roles regarding transactions.
Step 3 (Level 3 SoD): It must be ensured that there is no violation of the dual control principle in the user master regarding transactions. If segregation of duties conflicts cannot be avoided at the user level, appropriate compensating controls must be introduced.
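Added example (not part of the original slides and not SAST SUITE code): a three-level SoD check using the transaction pairing from the slide above (FK01 / XK01 against FB60 / FB65 / FB01 / F-53). Role names, user names, the rule name and the compensating control are constructed for illustration.

```python
from dataclasses import dataclass

# SoD rule from the slide: vendor master maintenance must not be combined
# with invoice posting/payment. The rule name is hypothetical.
SOD_RULES = {
    "VENDOR_VS_INVOICE": (
        frozenset({"FK01", "XK01"}),
        frozenset({"FB60", "FB65", "FB01", "F-53"}),
    ),
}

# Constructed sample data (role and user names are assumptions).
SINGLE_ROLES = {
    "Z_VENDOR_MAINT": {"FK01", "XK01"},
    "Z_INVOICE_POST": {"FB60", "FB65"},
    "Z_PAYMENT": {"F-53"},
    "Z_AP_ALLROUNDER": {"XK01", "FB01"},   # conflict inside one single role
}
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": ["Z_INVOICE_POST", "Z_PAYMENT"],
    "ZC_AP_LEAD": ["Z_VENDOR_MAINT", "Z_INVOICE_POST"],  # conflict by combination
}
USERS = {
    "ALICE": ["ZC_AP_CLERK"],
    "BOB": ["ZC_AP_CLERK", "Z_VENDOR_MAINT"],  # conflict only in the user master
    "CAROL": ["ZC_AP_LEAD"],
}
# Documented compensating controls per (user, rule); constructed.
COMPENSATING_CONTROLS = {
    ("CAROL", "VENDOR_VS_INVOICE"): "monthly review of vendor changes",
}


@dataclass(frozen=True)
class Finding:
    level: int      # 1 = single role, 2 = composite role, 3 = user master
    obj: str        # role or user name
    rule: str
    side_a: tuple   # matching transactions on the first side of the rule
    side_b: tuple   # matching transactions on the second side of the rule
    origin: str     # assigned part that already carries the conflict, or "combination"
    status: str     # "open" or "compensated"


def expand(role):
    """Resolve a single or composite role name to its transaction codes."""
    if role in SINGLE_ROLES:
        return set(SINGLE_ROLES[role])
    tcodes = set()
    for single in COMPOSITE_ROLES[role]:
        tcodes |= SINGLE_ROLES[single]
    return tcodes


def rule_hits(tcodes):
    """Yield (rule, side_a_hits, side_b_hits) where both sides of a rule are present."""
    for name, (side_a, side_b) in SOD_RULES.items():
        a, b = tcodes & side_a, tcodes & side_b
        if a and b:
            yield name, tuple(sorted(a)), tuple(sorted(b))


def origin_of(rule, parts):
    """Return the first assigned part that violates the rule on its own."""
    for part in parts:
        if any(r == rule for r, _, _ in rule_hits(expand(part))):
            return part
    return "combination"


def check_all():
    """Run the check at single-role, composite-role and user-master level."""
    findings = []
    for role, tcodes in SINGLE_ROLES.items():
        for rule, a, b in rule_hits(set(tcodes)):
            findings.append(Finding(1, role, rule, a, b, role, "open"))
    for comp, singles in COMPOSITE_ROLES.items():
        for rule, a, b in rule_hits(expand(comp)):
            findings.append(
                Finding(2, comp, rule, a, b, origin_of(rule, singles), "open"))
    for user, roles in USERS.items():
        tcodes = set().union(*(expand(r) for r in roles))
        for rule, a, b in rule_hits(tcodes):
            # Only the user level may be closed by a compensating control.
            status = ("compensated"
                      if (user, rule) in COMPENSATING_CONTROLS else "open")
            findings.append(
                Finding(3, user, rule, a, b, origin_of(rule, roles), status))
    return findings


if __name__ == "__main__":
    for f in check_all():
        print(f"Level {f.level} {f.obj}: {f.rule} {f.side_a} + {f.side_b} "
              f"origin={f.origin} status={f.status}")
```

BOB's conflict appears only at level 3, because neither of his assigned roles violates the rule on its own; a check limited to role design would miss it.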
SAST SUITE
Software for SAP Security,
Governance, Risk & Compliance.
Comprehensive protection in real-time: Overview of our software suite.
SAST SUITE for SAP ERP or S/4HANA
Areas: Security Intelligence; Platform Security; Identity and User Access Management
Modules:
• Interface Management
• System Security Validation
• Authorization Management
• Role Management
• User Access Management
• Password Self-Service
• Risk and Compliance Management
• Management Dashboard
• Safe Go-Live Management
• Code Vulnerability Analysis
• Self-Adjusting Authorizations
• Superuser Management
• Security Radar
• Download Management
SAST AUTHORIZATION MANAGEMENT
Authorization management and Segregation of Duties in real-time
SAST Authorization Management: Governance, risk & compliance conformity for your SAP systems.
The challenge
• Extensive authorizations in SAP favor errors and fraudulent actions.
• Segregation of Duties (SoD) conflicts violate compliance rules and represent a high security risk.
• Cross-system analyses and hardening of roles are time-consuming.
• Detecting and resolving SoD conflicts with standard tools is almost impossible.
• Experienced authorization experts are difficult to find and cost-intensive.
! Complex authorizations often represent a serious security and compliance risk.
✓ Using SAST SUITE enables you to monitor and evaluate your SAP authorizations, combinations, processes and SoD ruleset.
SAST Authorization Management: Proactive Validation of SoD conflicts.
• Request for new user ID and authorization
• Approval by supervisor ✓
• User-Admin assigns roles ✓
• Supervisor notification: ok / not ok
• Real-time scan for SoD risks (SoD-Matrix, Rules)
Actual usage analysis and actual SoD analysis
Evaluation of the actual usage allows precise conclusions to be drawn about the applications used. Transactions that...
• … a user never used, can be revoked.
• … are not used by any user, can be removed from the roles.
Evaluations are based on SAP's ST03N statistics records and are updated monthly.
SAST Transaction usage per role/user
• Create roles as needed based on transactions used.
• Revoke unnecessarily assigned permissions.
SAST DOWNLOAD MANAGEMENT
Prevent data theft in SAP systems.
Intelligent risk management with real-time monitoring
Data loss prevention for your SAP systems
The challenge
• Protect your critical corporate data from misuse, industrial espionage, or theft.
• Traceability of the critical download content from SAP systems.
• Missing emergency workflows in the event of critical downloads.
! The export of data from SAP systems is almost impossible to trace.
✓ With the SAST SUITE you log all your downloads including content analysis!
Protection against data leakage with SAST SUITE
DATA LOSS PREVENTION
Phase 1: Creating awareness – classification of data, access and download authorization worthy of protection as well as possibilities of access protection and continuous securing of downloads in the SAP standard.
Phase 2: Identify and log critical and unusual downloads.
Phase 3: Warning for critical and unusual downloads.
Diagram labels: Consulting; SAST SUITE; Monitoring; Evaluation; Data classification; Data Access authorization; Data Download authorization; Monitoring strategy/risk treatment.
TOGETHER ON THE HOME STRETCH
How to find a satisfactory solution together with your works council.
Recommendation of AKQUINET for a successful introduction
01 Inform early (in the planning phase)
02 Define software deployment goals clearly and unambiguously
03 Easily describe the functional scope of the software
04 Announce the contact person in case of questions
Proposal for the content of an agreement with the works council
! In general, the SAP standard enables behavior and performance monitoring, and its use is therefore subject to co-determination.
• Evaluation of transaction statistics is only done in SAP role assignment projects.
• Behavioral and performance data are neither collected nor considered.
• There is no quantitative analysis of transaction calls, only an ABC analysis:
  • Transaction is used.
  • Transaction is used occasionally or only at a specific time.
  • Transaction is not used.
• The transaction evaluation can only be executed by specially authorized SAP administrators.
• Transaction evaluation is only available during direct analysis in the SAP system.
✓ The SAST SUITE allows you to technically implement organizational measures defined by you for restriction.
Take Home Messages
✓ Always keep legal requirements in mind.
✓ Don't avoid discussion: open communication promotes acceptance.
✓ Describe the goals and expectations of the software deployment as simply and comprehensibly as possible.
✓ Know about the range of services offered by the planned software. This is the only way to honestly address employees' concerns.
✓ SAST uses the SAP standard and does not generate its own data for performance monitoring, so you remain transparent.
Keep the ball rolling with us.
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the
prior written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
DO YOU HAVE ANY QUESTIONS?
WE ANSWER. WITH CERTAINTY.
AXEL DALDORF
Senior PreSales Consultant SAST SUITE
Tel: +49 40 88173-109
E-Mail: mail@sast-solutions.de
Web: sast-solutions.com

Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 

Why your works council has nothing to fear from SAP security. [Webinar]

  • 1. Why your works council has nothing to fear from SAP security.
  • 2. WELCOME! Introduction of your hosts today: AXEL DALDORF, Senior PreSales Consultant SAST SUITE; UWE KETTERN, Senior PreSales Consultant SAST SUITE.
  • 4. Key points of the Works Constitution Act. § 87 – Co-determination rights: (1) The works council shall have a right of co-determination in […] the introduction and use of technical devices designed to monitor the behaviour or performance of the employees […]. § 90 – Information and consultation rights: (1) The employer shall inform the works council in due time of any plans concerning […] technical plants. (2) The employer shall consult the works council in good time on the action envisaged and its effects on the employees, taking particular account of its impact on the nature of their work and the resultant demands on the employees so that suggestions and objections on the part of the works council can be taken into account in the plans. […]
  • 5. Key points of the right of co-determination. Includes: Works Council; technical equipment for potential monitoring of behavior or performance. Protection of personality: protection from special dangers of technical surveillance; not protection from surveillance; employees not object of surveillance technology. Right of co-determination: in planning, introduction and operation of technical equipment; no right to prohibit.
  • 6. Trade-offs in the introduction of technical aids: Keep different interests in balance. Legal and regulatory requirements; protection of critical data.
  • 7. Trade-offs in the introduction of technical aids: Keep different interests in balance. A user should not have more permissions than he needs to perform his work. Legal and regulatory requirements; protection of critical data.
  • 8. Trade-offs in the introduction of technical aids: Keep different interests in balance. A user should not have more permissions than he needs to perform his work. A user may not have authorizations that violate the 4-eyes principle. Legal and regulatory requirements; protection of critical data.
  • 9. Trade-offs in the introduction of technical aids: Keep different interests in balance. A user should not have more permissions than he needs to perform his work. A user may not have authorizations that violate the 4-eyes principle. The board of directors (management) is responsible for compliance with the security guidelines. IT is responsible for physical data security (virus security, firewall, backup, ...). The departments are responsible for logical data security (who is allowed to record, change, delete, evaluate, ...?). Interests to balance: legal and regulatory requirements; protection of critical data; least privileges; segregation of duties; data responsibility; right of information and consultation; right of co-determination; personal rights.
  • 10. PRINCIPLES OF THE OPTIMIZED SAP AUTHORIZATION SYSTEM
  • 11. Authorization management in SAP environment. The challenge: Complex role and authorization concepts lead to confusion. SAP ERP consists of over 150,000 transactions, which with the 4 standard functions results in 600,000 possibilities. Time and effort for authorization management is usually high. Time-consuming survey of all key users regarding used transactions. Determination of transaction accesses of users while maintaining separation of functions. Manual collection of data is time-consuming and error-prone. Role and authorization projects are among the most complex and expensive in the SAP environment.
  • 12. Far-reaching authorizations favor error and fraudulent actions. FUNCTION / RISK / AUTHORIZATION: (a) Maintenance Supplier master data / Creation of non-existent vendors / FK01 / XK01. (b) Posting Documents/Invoicing Incoming goods / Posting of fictitious invoices / FB60 / FB65 / FB01 / F-53. (a) + (b) Maintenance master data AND Transactional data / Risk of posting incoming invoices to fictitious accounts; cash outflow due to invoice settlement / (FK01 / XK01) + (FB60 / FB65 / FB01 / F-53).
  • 13. The Segregation of Duties Principle (SoD). Step 1 (Level 1 SoD): It must be ensured that no violation of the 4-eyes principle (principle of dual control) with regard to transactions exists in the single roles. Step 2 (Level 2 SoD): It must be ensured that assigning several single roles causes no violation of the 4-eyes principle in the composite roles with regard to transactions. Step 3 (Level 3 SoD): It must be ensured that there is no violation of the dual control principle in the user master with regard to transactions. If segregation of duties conflicts cannot be avoided at the user level, appropriate compensating controls must be introduced.
  • 14. SAST SUITE Software for SAP Security, Governance, Risk & Compliance.
  • 15. Comprehensive protection in real-time: Overview of our software suite. SAST SUITE for SAP ERP or S/4HANA. Areas: SECURITY INTELLIGENCE; PLATFORM SECURITY; IDENTITY AND USER ACCESS MANAGEMENT. Components: Interface Management, System Security Validation, Authorization Management, Role Management, User Access Management, Password Self-Service, Risk and Compliance Management, Management Dashboard, Safe Go-Live Management, Code Vulnerability Analysis, Self-Adjusting Authorizations, Superuser Management, Security Radar, Download Management.
  • 18. SAST Authorization Management: Governance, risk & compliance conformity for your SAP systems. The challenge: Extensive authorizations in SAP favor errors and fraudulent actions. Segregation of Duties (SoD) conflicts violate compliance rules and represent a high security risk. Cross-system analyses and hardening of roles are time-consuming. Detecting and resolving SoD conflicts with standard tools is almost impossible. Experienced authorization experts are difficult to find and cost-intensive. Complex authorizations often represent a serious security and compliance risk. ✓ Using SAST SUITE enables you to monitor and evaluate your SAP authorizations, combinations, processes and SoD ruleset.
  • 19. SAST Authorization Management: Proactive validation of SoD conflicts. Request for new user ID and authorization; approval by supervisor ✓; User-Admin assigns roles ✓; supervisor notification: ok / not ok; real-time scan for SoD risks; SoD matrix; rules.
  • 20. Actual usage analysis and actual SoD analysis. Evaluation of the actual usage allows precise conclusions to be drawn about the applications used. Transactions that a user has never used can be revoked. Transactions that are not used by any user can be removed from the roles. Evaluations are based on SAP's ST03N statistics records and are updated monthly.
  • 21. SAST Transaction usage per role/user. Create roles as needed based on transactions used. Revoke unnecessarily assigned permissions.
  • 22. Prevent data theft in SAP systems. SAST DOWNLOAD MANAGEMENT
  • 23. Intelligent risk management with real-time monitoring. SAST SUITE for SAP ERP or S/4HANA. Areas: SECURITY INTELLIGENCE; PLATFORM SECURITY; IDENTITY AND USER ACCESS MANAGEMENT. Components: Interface Management, System Security Validation, Authorization Management, Role Management, User Access Management, Password Self-Service, Risk and Compliance Management, Management Dashboard, Safe Go-Live Management, Code Vulnerability Analysis, Self-Adjusting Authorizations, Superuser Management, Security Radar, Download Management.
  • 24. Data loss prevention for your SAP systems. The challenge: Protect your critical corporate data from misuse, industrial espionage, or theft. Traceability of the critical download content from SAP systems. Missing emergency workflows in the event of critical downloads. The export of data from SAP systems is almost impossible to trace. ✓ With the SAST SUITE you log all your downloads, including content analysis!
  • 25. Protection against data leakage with SAST SUITE. DATA LOSS PREVENTION. Phase 1: Creating awareness – classification of data, access and download authorization worthy of protection as well as possibilities of access protection and continuous securing of downloads in the SAP standard. Phase 2: Identify and log critical and unusual downloads. Phase 3: Warning for critical and unusual downloads. Diagram labels: Consulting; SAST SUITE; Monitoring; Evaluation; Monitoring strategy/risk treatment; Data classification; Data access authorization; Data download authorization.
  • 26. TOGETHER ON THE HOME STRETCH How to find a satisfactory solution together with your works council.
  • 27. Recommendation of AKQUINET for a successful introduction. 01 Inform early (in the planning phase). 02 Define software deployment goals clearly and unambiguously. 03 Describe the functional scope of the software in simple terms. 04 Announce the contact person in case of questions.
  • 28. Proposal for the content of an agreement with the works council. Evaluation of transaction statistics is only done in SAP role assignment projects. Behavioral and performance data are neither collected nor considered. There is no quantitative analysis of transaction calls, only an ABC analysis: transaction is used; transaction is used occasionally or only at a specific time; transaction is not used. The transaction evaluation can only be executed by specially authorized SAP administrators. Transaction evaluation is only available during direct analysis in the SAP system. In general, the SAP standard enables behavior and performance monitoring, and its use is therefore subject to co-determination. ✓ The SAST SUITE allows you to technically implement the organizational restriction measures that you define.
  • 29. Take Home Messages. ✓ Always keep legal requirements in mind. ✓ Don't avoid discussion: open communication promotes acceptance. ✓ Describe the goals and expectations of the software deployment as simply and comprehensibly as possible. ✓ Know about the range of services offered by the planned software; this is the only way to honestly address employees' concerns. ✓ SAST uses the SAP standard and does not generate its own data for performance monitoring, so you remain transparent.
  • 30. Keep the ball rolling with us. © Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright. All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions. The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
  • 31. DO YOU HAVE ANY QUESTIONS? WE ANSWER. WITH CERTAINTY. AXEL DALDORF, Senior PreSales Consultant SAST SUITE. Tel: +49 40 88173-109, E-Mail: mail@sast-solutions.de, Web: sast-solutions.com
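The three SoD steps from slide 13, applied to the vendor-maintenance / invoice-posting conflict from slide 12, can be sketched as follows. This is an added example, not code from the slides or from SAST SUITE; the role names, users, assignments and the compensating-control register are constructed assumptions.

```python
from itertools import chain

# SoD rule from slide 12: vendor master maintenance combined with invoice posting.
SOD_RULES = {
    "vendor maintenance + invoice posting": (
        {"FK01", "XK01"},
        {"FB60", "FB65", "FB01", "F-53"},
    ),
}

# Constructed sample data; role names and users are hypothetical.
SINGLE_ROLES = {
    "Z_VENDOR_MAINT": {"FK01", "XK01"},
    "Z_AP_POSTING": {"FB60", "FB65"},
    "Z_AP_ALLROUND": {"XK01", "FB01", "F-53"},  # conflict inside one single role
}
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": ["Z_AP_POSTING"],
    "ZC_AP_LEAD": ["Z_VENDOR_MAINT", "Z_AP_POSTING"],  # conflict by combination
}
USER_MASTER = {
    "ALICE": {"single": ["Z_VENDOR_MAINT"], "composite": ["ZC_AP_CLERK"]},
    "BOB": {"single": [], "composite": ["ZC_AP_CLERK"]},
    "CAROL": {"single": ["Z_VENDOR_MAINT"], "composite": []},
}
# Constructed register of documented compensating controls, keyed by (user, rule).
COMPENSATING_CONTROLS = {}


def conflicts(tcodes):
    """Return {rule: (hits_side_a, hits_side_b)} where both sides of a rule are present."""
    found = {}
    for rule, (side_a, side_b) in SOD_RULES.items():
        hits_a, hits_b = side_a & tcodes, side_b & tcodes
        if hits_a and hits_b:
            found[rule] = (sorted(hits_a), sorted(hits_b))
    return found


def expand(single_role_names):
    """Union of the transaction codes of the named single roles."""
    return set(chain.from_iterable(SINGLE_ROLES[r] for r in single_role_names))


def user_tcodes(user):
    """Everything a user can run: direct single roles plus all composite roles."""
    entry = USER_MASTER[user]
    singles = list(entry["single"])
    for comp in entry["composite"]:
        singles.extend(COMPOSITE_ROLES[comp])
    return expand(singles)


def sod_report(controls=None):
    """Run the three steps: single roles, composite roles, user master."""
    controls = COMPENSATING_CONTROLS if controls is None else controls
    report = {"level1": {}, "level2": {}, "level3": {}}
    for role, tcodes in SINGLE_ROLES.items():
        if found := conflicts(tcodes):
            report["level1"][role] = found
    for comp, members in COMPOSITE_ROLES.items():
        if found := conflicts(expand(members)):
            report["level2"][comp] = found
    for user in USER_MASTER:
        for rule, hits in conflicts(user_tcodes(user)).items():
            status = "mitigated" if (user, rule) in controls else "open"
            report["level3"].setdefault(user, {})[rule] = {"hits": hits, "status": status}
    return report


if __name__ == "__main__":
    for level, findings in sod_report().items():
        print(level, findings)
```

In the sample data ALICE holds only conflict-free roles, yet the union in her user master combines both sides of the rule, which is why the user-level step cannot be skipped.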
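The usage evaluation from slides 20 and 21, restricted to the three categories proposed for the works council agreement on slide 28, can be sketched as follows. This is an added example, not code from the slides or from SAST SUITE; the input rows are a constructed simplification (not the ST03N record layout), the role and user names are hypothetical, and the half-window cut-off between "used" and "occasional" is an assumption.

```python
from collections import defaultdict

# Constructed evaluation window of monthly statistics snapshots.
MONTHS = ["2024-01", "2024-02", "2024-03", "2024-04"]

# Constructed role content and assignments; names are hypothetical.
ROLE_TCODES = {"Z_AP_CLERK": {"FB60", "FB65", "FK01", "F-53"}}
USER_ROLES = {"ALICE": ["Z_AP_CLERK"], "BOB": ["Z_AP_CLERK"]}

# Constructed monthly rows (user, tcode, month, calls). This is a simplified
# stand-in for usage statistics, not the ST03N record layout.
RAW_STATS = [
    ("ALICE", "FB60", "2024-01", 41), ("ALICE", "FB60", "2024-02", 38),
    ("ALICE", "FB60", "2024-03", 45), ("ALICE", "FB60", "2024-04", 40),
    ("ALICE", "FB65", "2024-03", 2),
    ("BOB", "FB60", "2024-01", 12), ("BOB", "FB60", "2024-02", 9),
    ("BOB", "FB60", "2024-04", 15),
    ("BOB", "F-53", "2024-02", 3), ("BOB", "F-53", "2024-03", 4),
]


def months_used(rows):
    """Reduce rows to {(user, tcode): set of months}; call counts are discarded."""
    seen = defaultdict(set)
    for user, tcode, month, _calls in rows:
        if month in MONTHS:
            seen[(user, tcode)].add(month)
    return seen


def classify(active_months):
    """Three categories only; the half-window cut-off is an assumption."""
    if not active_months:
        return "unused"
    return "used" if 2 * len(active_months) >= len(MONTHS) else "occasional"


def user_categories(user, seen):
    """Category for every transaction the user's roles grant."""
    granted = set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))
    return {t: classify(seen.get((user, t), set())) for t in sorted(granted)}


def revoke_candidates(user, seen):
    """Granted transactions the user never used in the window."""
    return {t for t, cat in user_categories(user, seen).items() if cat == "unused"}


def role_removal_candidates(role, seen):
    """Transactions in the role that no user used in the window."""
    used_by_anyone = {tcode for (_user, tcode) in seen}
    return ROLE_TCODES[role] - used_by_anyone


if __name__ == "__main__":
    seen = months_used(RAW_STATS)
    for user in USER_ROLES:
        print(user, user_categories(user, seen), revoke_candidates(user, seen))
    print("remove from role:", role_removal_candidates("Z_AP_CLERK", seen))
```

Because `months_used` drops the call counts before anything else reads the data, the later steps can only see whether a transaction was used in a month, not how often.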