SlideShare a Scribd company logo

Roadmap to SAP® Security and Compliance | Symmetry

Symmetry™
Symmetry™

Executives often view security and compliance management with a mixture of confusion and dread. The tragedy is that compliance rules are designed to protect your assets, security, clients and reputation. When they use the threat of civil and criminal liability, it’s primarily to get you to do things you should be doing anyway. But to benefit from compliance, you need to understand how it’s structured, and how it fits into your SAP landscape and your business as a whole.

Technology
1 of 4
Download to read offline
1Roadmap | SAP® Security and Compliance Roadmap to SAP® Security and Compliance Executives often view security and compliance management with a mixture of confusion and dread. The word itself encompasses so much: financial controls and reporting (SOX), privacy and data protection (HIPAA), technological deployment (HITECH), FDA regulations (21 CFR Part 11), and even national security (ITAR and EAR). Although security and compliance management in an SAP landscape has a very specific meaning, it often eludes decision makers. The tragedy is that compliance rules are designed to protect your assets, security, clients and reputation. When they use the threat of civil and criminal liability, it’s primarily to get you to do things you should be doing anyway. But to benefit from compliance, you need to understand how it’s structured, and how it fits into your SAP landscape and your business as a whole. SAP Compliance Management & GRC Compliance management refers to the controls put in place to restrict and monitor how users access, view and modify information within the SAP landscape. These tasks are handled by a Governance, Risk and Compliance program, such as ControlPanelGRC, or SAP GRC. These compliance management tasks include: • Establishing an internal control structure • Validating the effectiveness of internal controls • Certifying the accuracy of financial statements • Preventing tampering • Reporting detailed financial information • Disclosing confilicts of interest GRC software monitors user access to identify potential segregation of duty and excessive access risks. For example, a single user shouldn’t be able to complete multiple portions of a business transaction (e.g. creating and paying a vendor), change the record of a transaction, or modify a financial report so that it excludes or differs from information in the database. Monitoring excessive access is also a top priority; as critical business transactions should only be granted to appropriate individuals to prevent both fraud and errors. GRC programs also need to monitor financial controls, and verify all access and changes to documents in order to create an audit trail. This supports authentication of important records; helps admins and auditors spot suspicious activity and bugs in the system; and provides a powerful disincentive against fraud, leaks and tampering. Finally, the GRC program needs to be able to organize and report on effectiveness of controls, according to compliance rules, while maintaining proper access control.
2Roadmap | SAP® Security and Compliance Auditors, investors and customers will all need access to different amounts of information, and much of the data auditors need could breach confidentiality or expose trade secrets if shared with other parties. Your compliance management program also needs to account for conflicts of interest and other mandated non-financial data. Compliance management is crucial to nearly everything your company does. It’s how you verify payroll, sales or HR records, and protect information integrity and confidentiality. Whether it’s a trade secret, a 21 CFR 11 medical study, or HIPAA PHI, compliance management plays a role in keeping it safe. Cyber Security and Compliance At the risk of oversimplifying it, GRC prevents people from misusing your system; while cyber security prevents them from breaking in. We can illustrate this by picturing security in a museum. Standard (GRC) safeguards include: • Guards to enfoce rules • Ropes and cases to prevent theft of damage to assets • Locked doors and alarms to restrict access to valuable assets • Cameras and motion detectors for monitoring But what stops thieves from picking a lock and cutting the power to dissable the alarm, or entering through a hatch in the roof? That’s where cyber security comes in. People get confused by the different things each compliance regime says about cyber security. For example, PCI requires specific technical safeguards like encryption across open networks, firewalls and the elimination of default passwords, while HIPAA emphasizes broader principles, training and legal frameworks like BAAs. But under a security best practices approach, the differences are actually pretty minor. HIPAA may not technically mandate encryption or firewalls, but they vastly reduce HIPAA compliance risks. Similarly, PCI might not require BAAs, but it’s in your company’s best interest to make sure your partners are adhering to stringent data protection standards. Process Documentation and Quality Management It may sound obvious, but cyber security and compliance management initiatives won’t go far, unless your company implements and consistently uses them — and that requires good process documentation. Everything from network configuration, to access control to daily system health checks and maintenance needs to be spelled out clearly and succinctly; the goal isn’t impressive, weighty tomes — it’s simple documents that spell out all necessary tasks.
3Roadmap | SAP® Security and Compliance This documentation needs to be incorporated into a quality management program. Although quality management doesn’t focus exclusively on security and compliance, many aspects have important functions in this domain, including technology policies, SOPs, auditing procedures, training, document control, and audit trails. Putting it all together almost always requires outside help. Choosing the Right SAP Security and Compliance Partner A provider needs to understand the compliance requirements of your industry, but doesn’t need to focus exclusively on them. Often, experience across multiple industries is a better sign of a company that understands security and compliance. It’s crucial, however, that your partner practices what is preaches. There should be a quality management program in place with things like: Formalized Quality Policy, Quality Plan, and Procedures • Audit trails • Version control • Sample installation qualifications SOPs for critical systems should be recorded on controlled documents, approved by management, stored where no one can tamper with them, and trained and retrained regularly by anyone who does the work. Your partner should be ready to answer questions on anything from employee training and monitoring, to server hardening, to what happens when you call the help line. In particular, they need good quality assurance, with separate task completion and verification staff. Finally, they should be ready to undergo regular 3rd party audits to assess and validate internal controls. ALMOST THERE
4 www.SymmetryCorp.com salesinfo@symmetrycorp.com 888-796-2677 Interested in learning more about SAP Security and Compliance? Contact your Symmetry representative or visit our website at: Roadmap | SAP® Security and Compliance Unified Approach Business Success The Case for Bundling Security and Compliance with Managed Services In the SAP hosting and managed services realm, companies that once had separate providers for hosting, IT project management, admin, DR/HA and so on, are moving to an integrated approach, citing benefits like lower cost, increased flexibility, greater knowledge base and less administrative overhead. In security and compliance management, however, tasks like IT security auditing, physical security auditing, GRC, monitoring and incident response are often farmed out to a web of different providers. you leverage your provider’s internal controls and knowledge base, along with their auditing framework. The people auditing, monitoring and hardening your system can work directly with the people running it, meaning better communication, quicker results and a lower administrative overhead. In an emergency, you won’t have to make frantic calls between your hosting provider, your database administrator and your network engineer — everyone is already working together, which means quicker resolutions, leading to better outcomes. It also provides legal cover in the event of a breach, attack or outage. Successful hacks often simultaneously exploit Forward-looking companies, however, are already starting to see the benefits of a unified managed services approach incorporating security and compliance. This approach lets weaknesses in hardware setup, software patching, GRC, training, monitoring and other domains. In a disaster, everyone goes into damage control mode, and you can end up with multiple agencies fighting it out in the courts (and in the press!) for years. If one provider handles everything, on the other hand, it’s their reputation on the line. Getting SAP Security and Compliance Management Right The most secure organizations don’t look at SAP compliance management and security requirements as roadblocks, but as a way to protect their investments. Governance, risk and compliance provides a powerful framework to protect your organization from errors, corruption and costly mistakes, and industry-specific compliance regimes provides similar fortification against external threats. Legal regimes and industry guidelines can’t account for every threat an organization faces. Partners like Symmetry view compliance regimes as more than just boxes to check, and as one aspect of an organization-wide program including risk assessment, training, auditing and monitoring. WELCOME HOME

Recommended

SAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | SymmetrySAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | SymmetrySymmetry™
 
Nasrhuma Inc Grc Solutions 011010
Nasrhuma Inc Grc Solutions 011010Nasrhuma Inc Grc Solutions 011010
Nasrhuma Inc Grc Solutions 011010Nasser J Khan
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Security as a Service flyer
Security as a Service flyerSecurity as a Service flyer
Security as a Service flyerScott Fields
 
Alignia for Business Security
Alignia for Business SecurityAlignia for Business Security
Alignia for Business SecurityLaurie LeBlanc
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 

Recommended

SAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | SymmetrySAP Compliance Management Demystified | Symmetry
SAP Compliance Management Demystified | SymmetrySymmetry™
 
Nasrhuma Inc Grc Solutions 011010
Nasrhuma Inc Grc Solutions 011010Nasrhuma Inc Grc Solutions 011010
Nasrhuma Inc Grc Solutions 011010Nasser J Khan
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Ergmjschreck
 
Security as a Service flyer
Security as a Service flyerSecurity as a Service flyer
Security as a Service flyerScott Fields
 
Alignia for Business Security
Alignia for Business SecurityAlignia for Business Security
Alignia for Business SecurityLaurie LeBlanc
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sunvijaychn
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceTLI GrowthSession
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint GovernanceImperva
 
BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)Prahlad Reddy
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?VISTA InfoSec
 
QSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistQSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistTripwire
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programCharles Steve
 
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.Unified11
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity managementNis
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firmoneneckitservices
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015Martin Thompson
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftAppsian
 
Connecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementConnecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementEMC
 

More Related Content

What's hot

Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sunvijaychn
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceTLI GrowthSession
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint GovernanceImperva
 
BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)Prahlad Reddy
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?VISTA InfoSec
 
QSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistQSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistTripwire
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programCharles Steve
 
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.Unified11
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity managementNis
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firmoneneckitservices
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015Martin Thompson
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 

What's hot (20)

Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1
 
How It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For SunHow It All Ties Together Sun Idm Roadshow For Sun
How It All Ties Together Sun Idm Roadshow For Sun
 
SAP Governance,Risk and Compliance
SAP Governance,Risk and ComplianceSAP Governance,Risk and Compliance
SAP Governance,Risk and Compliance
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance4 Security Guidelines for SharePoint Governance
4 Security Guidelines for SharePoint Governance
 
BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)BAI Security - Brochure - IT Security Assessment (Financial)
BAI Security - Brochure - IT Security Assessment (Financial)
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Why should I do SOC2?
Why should I do SOC2?Why should I do SOC2?
Why should I do SOC2?
 
QSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & ChecklistQSA Shares PCI 3.0 Advice & Checklist
QSA Shares PCI 3.0 Advice & Checklist
 
Why does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-programWhy does-your-company-need-a-third-party-risk-management-program
Why does-your-company-need-a-third-party-risk-management-program
 
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
 
How to Evaluate a Managed Services Firm
How to Evaluate a Managed Services FirmHow to Evaluate a Managed Services Firm
How to Evaluate a Managed Services Firm
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access Management
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015brainwaregroup ITAM Review Tools Day Presentation 2015
brainwaregroup ITAM Review Tools Day Presentation 2015
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management Compliance
 

Similar to Roadmap to SAP® Security and Compliance | Symmetry

Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftAppsian
 
Connecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementConnecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementEMC
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisionsAlireza Ghahrood
 
managed-services-buying-guide
managed-services-buying-guidemanaged-services-buying-guide
managed-services-buying-guideMarie Peters
 
EY Software Asset Management Advisory
EY Software Asset Management AdvisoryEY Software Asset Management Advisory
EY Software Asset Management AdvisoryMohit Madan
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactiveROMI Associates
 
Why Outsource Application Management?
Why Outsource Application Management?Why Outsource Application Management?
Why Outsource Application Management?oneneckitservices
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5justinklooster
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfSALES97
 
Alignia for Business Security
Alignia for Business SecurityAlignia for Business Security
Alignia for Business SecurityLaurie LeBlanc
 
Business-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersBusiness-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersEMC
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management WorkshopStacy Willis
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practicesamiable_indian
 
10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org Security10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org SecuritySalesforce Admins
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHAMITTIWARI620759
 
7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategyMaarten BOONEN
 

Similar to Roadmap to SAP® Security and Compliance | Symmetry (20)

Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoft
 
Connecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access ManagementConnecting Access Governance and Privileged Access Management
Connecting Access Governance and Privileged Access Management
 
Power your businesswith risk informed decisions
Power your businesswith risk informed decisionsPower your businesswith risk informed decisions
Power your businesswith risk informed decisions
 
managed-services-buying-guide
managed-services-buying-guidemanaged-services-buying-guide
managed-services-buying-guide
 
EY Software Asset Management Advisory
EY Software Asset Management AdvisoryEY Software Asset Management Advisory
EY Software Asset Management Advisory
 
34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive34514_Process_Control_e-book_interactive
34514_Process_Control_e-book_interactive
 
Why Outsource Application Management?
Why Outsource Application Management?Why Outsource Application Management?
Why Outsource Application Management?
 
web-MINImag
web-MINImagweb-MINImag
web-MINImag
 
Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5Reciprocity_GRC Software Buyers Guide v5
Reciprocity_GRC Software Buyers Guide v5
 
Introduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdfIntroduction to IT compliance program and Discuss the challenges IT .pdf
Introduction to IT compliance program and Discuss the challenges IT .pdf
 
Alignia for Business Security
Alignia for Business SecurityAlignia for Business Security
Alignia for Business Security
 
Business-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach MattersBusiness-Driven Identity and Access Governance: Why This New Approach Matters
Business-Driven Identity and Access Governance: Why This New Approach Matters
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
task 1
task 1task 1
task 1
 
A Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And ManagementA Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And Management
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org Security10 Easy Steps to Mastering Org Security
10 Easy Steps to Mastering Org Security
 
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCHSAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
SAP GRC PROCESS CONTROL OVERVIEW AND APPROCH
 
7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy7 steps to build an effective corporate compliance strategy
7 steps to build an effective corporate compliance strategy
 
Information Security
Information SecurityInformation Security
Information Security
 

More from Symmetry™

Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...
Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...
Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...Symmetry™
 
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...Carlisle Construction Materials: Value Achieved in Automated Controls in an S...
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...Symmetry™
 
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...Symmetry™
 
Managed Hosting Buyer’s Checklist | Symmetry
Managed Hosting Buyer’s Checklist | SymmetryManaged Hosting Buyer’s Checklist | Symmetry
Managed Hosting Buyer’s Checklist | SymmetrySymmetry™
 
SAP HANA® Deployment Guide | Symmetry
SAP HANA® Deployment Guide | SymmetrySAP HANA® Deployment Guide | Symmetry
SAP HANA® Deployment Guide | SymmetrySymmetry™
 
ControlPanelGRC® Security Risk Assessment | Symmetry
ControlPanelGRC® Security Risk Assessment | SymmetryControlPanelGRC® Security Risk Assessment | Symmetry
ControlPanelGRC® Security Risk Assessment | SymmetrySymmetry™
 
Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Symmetry™
 
Prevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetryPrevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetrySymmetry™
 
3 Ways to Future-Proof Your SAP® on IBM i Implementation
3 Ways to Future-Proof Your SAP® on IBM i Implementation3 Ways to Future-Proof Your SAP® on IBM i Implementation
3 Ways to Future-Proof Your SAP® on IBM i ImplementationSymmetry™
 
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™Simplifying the path to SAP Solution Manager 7.2 | Symmetry™
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™Symmetry™
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Symmetry™
 
Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Symmetry™
 
Compliant Cloud Hosting: What You Need to Know | Symmetry™
Compliant Cloud Hosting: What You Need to Know | Symmetry™Compliant Cloud Hosting: What You Need to Know | Symmetry™
Compliant Cloud Hosting: What You Need to Know | Symmetry™Symmetry™
 
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™Symmetry™
 
Compliance Automation: The Complete Journey | Symmetry™
Compliance Automation: The Complete Journey | Symmetry™Compliance Automation: The Complete Journey | Symmetry™
Compliance Automation: The Complete Journey | Symmetry™Symmetry™
 
Symmetry and smartShift | Revolutionizing SAP® Technology Transformation
Symmetry and smartShift | Revolutionizing SAP® Technology TransformationSymmetry and smartShift | Revolutionizing SAP® Technology Transformation
Symmetry and smartShift | Revolutionizing SAP® Technology TransformationSymmetry™
 

More from Symmetry™ (16)

Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...
Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...
Delivering Unparalleled System Uptime and Peace-of-Mind For Critical Systems ...
 
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...Carlisle Construction Materials: Value Achieved in Automated Controls in an S...
Carlisle Construction Materials: Value Achieved in Automated Controls in an S...
 
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...
An SAP upgrade and HANA Cloud Case Study: Carlisle Construction Materials | S...
 
Managed Hosting Buyer’s Checklist | Symmetry
Managed Hosting Buyer’s Checklist | SymmetryManaged Hosting Buyer’s Checklist | Symmetry
Managed Hosting Buyer’s Checklist | Symmetry
 
SAP HANA® Deployment Guide | Symmetry
SAP HANA® Deployment Guide | SymmetrySAP HANA® Deployment Guide | Symmetry
SAP HANA® Deployment Guide | Symmetry
 
ControlPanelGRC® Security Risk Assessment | Symmetry
ControlPanelGRC® Security Risk Assessment | SymmetryControlPanelGRC® Security Risk Assessment | Symmetry
ControlPanelGRC® Security Risk Assessment | Symmetry
 
Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...Review the five signs that you need a new Segregation of Duties compliance st...
Review the five signs that you need a new Segregation of Duties compliance st...
 
Prevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | SymmetryPrevent SAP Security Vulnerabilities | Symmetry
Prevent SAP Security Vulnerabilities | Symmetry
 
3 Ways to Future-Proof Your SAP® on IBM i Implementation
3 Ways to Future-Proof Your SAP® on IBM i Implementation3 Ways to Future-Proof Your SAP® on IBM i Implementation
3 Ways to Future-Proof Your SAP® on IBM i Implementation
 
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™Simplifying the path to SAP Solution Manager 7.2 | Symmetry™
Simplifying the path to SAP Solution Manager 7.2 | Symmetry™
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
 
Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™Best Practices for SAP Access Controls | Symmetry™
Best Practices for SAP Access Controls | Symmetry™
 
Compliant Cloud Hosting: What You Need to Know | Symmetry™
Compliant Cloud Hosting: What You Need to Know | Symmetry™Compliant Cloud Hosting: What You Need to Know | Symmetry™
Compliant Cloud Hosting: What You Need to Know | Symmetry™
 
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™
Get Audit Ready | Enterprise Risk Management Implementation | Symmetry™
 
Compliance Automation: The Complete Journey | Symmetry™
Compliance Automation: The Complete Journey | Symmetry™Compliance Automation: The Complete Journey | Symmetry™
Compliance Automation: The Complete Journey | Symmetry™
 
Symmetry and smartShift | Revolutionizing SAP® Technology Transformation
Symmetry and smartShift | Revolutionizing SAP® Technology TransformationSymmetry and smartShift | Revolutionizing SAP® Technology Transformation
Symmetry and smartShift | Revolutionizing SAP® Technology Transformation
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Roadmap to SAP® Security and Compliance | Symmetry

  • 1. 1Roadmap | SAP® Security and Compliance Roadmap to SAP® Security and Compliance Executives often view security and compliance management with a mixture of confusion and dread. The word itself encompasses so much: financial controls and reporting (SOX), privacy and data protection (HIPAA), technological deployment (HITECH), FDA regulations (21 CFR Part 11), and even national security (ITAR and EAR). Although security and compliance management in an SAP landscape has a very specific meaning, it often eludes decision makers. The tragedy is that compliance rules are designed to protect your assets, security, clients and reputation. When they use the threat of civil and criminal liability, it’s primarily to get you to do things you should be doing anyway. But to benefit from compliance, you need to understand how it’s structured, and how it fits into your SAP landscape and your business as a whole. SAP Compliance Management & GRC Compliance management refers to the controls put in place to restrict and monitor how users access, view and modify information within the SAP landscape. These tasks are handled by a Governance, Risk and Compliance program, such as ControlPanelGRC, or SAP GRC. These compliance management tasks include: • Establishing an internal control structure • Validating the effectiveness of internal controls • Certifying the accuracy of financial statements • Preventing tampering • Reporting detailed financial information • Disclosing confilicts of interest GRC software monitors user access to identify potential segregation of duty and excessive access risks. For example, a single user shouldn’t be able to complete multiple portions of a business transaction (e.g. creating and paying a vendor), change the record of a transaction, or modify a financial report so that it excludes or differs from information in the database. Monitoring excessive access is also a top priority; as critical business transactions should only be granted to appropriate individuals to prevent both fraud and errors. GRC programs also need to monitor financial controls, and verify all access and changes to documents in order to create an audit trail. This supports authentication of important records; helps admins and auditors spot suspicious activity and bugs in the system; and provides a powerful disincentive against fraud, leaks and tampering. Finally, the GRC program needs to be able to organize and report on effectiveness of controls, according to compliance rules, while maintaining proper access control.
  • 2. 2Roadmap | SAP® Security and Compliance Auditors, investors and customers will all need access to different amounts of information, and much of the data auditors need could breach confidentiality or expose trade secrets if shared with other parties. Your compliance management program also needs to account for conflicts of interest and other mandated non-financial data. Compliance management is crucial to nearly everything your company does. It’s how you verify payroll, sales or HR records, and protect information integrity and confidentiality. Whether it’s a trade secret, a 21 CFR 11 medical study, or HIPAA PHI, compliance management plays a role in keeping it safe. Cyber Security and Compliance At the risk of oversimplifying it, GRC prevents people from misusing your system; while cyber security prevents them from breaking in. We can illustrate this by picturing security in a museum. Standard (GRC) safeguards include: • Guards to enfoce rules • Ropes and cases to prevent theft of damage to assets • Locked doors and alarms to restrict access to valuable assets • Cameras and motion detectors for monitoring But what stops thieves from picking a lock and cutting the power to dissable the alarm, or entering through a hatch in the roof? That’s where cyber security comes in. People get confused by the different things each compliance regime says about cyber security. For example, PCI requires specific technical safeguards like encryption across open networks, firewalls and the elimination of default passwords, while HIPAA emphasizes broader principles, training and legal frameworks like BAAs. But under a security best practices approach, the differences are actually pretty minor. HIPAA may not technically mandate encryption or firewalls, but they vastly reduce HIPAA compliance risks. Similarly, PCI might not require BAAs, but it’s in your company’s best interest to make sure your partners are adhering to stringent data protection standards. Process Documentation and Quality Management It may sound obvious, but cyber security and compliance management initiatives won’t go far, unless your company implements and consistently uses them — and that requires good process documentation. Everything from network configuration, to access control to daily system health checks and maintenance needs to be spelled out clearly and succinctly; the goal isn’t impressive, weighty tomes — it’s simple documents that spell out all necessary tasks.
  • 3. 3Roadmap | SAP® Security and Compliance This documentation needs to be incorporated into a quality management program. Although quality management doesn’t focus exclusively on security and compliance, many aspects have important functions in this domain, including technology policies, SOPs, auditing procedures, training, document control, and audit trails. Putting it all together almost always requires outside help. Choosing the Right SAP Security and Compliance Partner A provider needs to understand the compliance requirements of your industry, but doesn’t need to focus exclusively on them. Often, experience across multiple industries is a better sign of a company that understands security and compliance. It’s crucial, however, that your partner practices what is preaches. There should be a quality management program in place with things like: Formalized Quality Policy, Quality Plan, and Procedures • Audit trails • Version control • Sample installation qualifications SOPs for critical systems should be recorded on controlled documents, approved by management, stored where no one can tamper with them, and trained and retrained regularly by anyone who does the work. Your partner should be ready to answer questions on anything from employee training and monitoring, to server hardening, to what happens when you call the help line. In particular, they need good quality assurance, with separate task completion and verification staff. Finally, they should be ready to undergo regular 3rd party audits to assess and validate internal controls. ALMOST THERE
  • 4. 4 www.SymmetryCorp.com salesinfo@symmetrycorp.com 888-796-2677 Interested in learning more about SAP Security and Compliance? Contact your Symmetry representative or visit our website at: Roadmap | SAP® Security and Compliance Unified Approach Business Success The Case for Bundling Security and Compliance with Managed Services In the SAP hosting and managed services realm, companies that once had separate providers for hosting, IT project management, admin, DR/HA and so on, are moving to an integrated approach, citing benefits like lower cost, increased flexibility, greater knowledge base and less administrative overhead. In security and compliance management, however, tasks like IT security auditing, physical security auditing, GRC, monitoring and incident response are often farmed out to a web of different providers. you leverage your provider’s internal controls and knowledge base, along with their auditing framework. The people auditing, monitoring and hardening your system can work directly with the people running it, meaning better communication, quicker results and a lower administrative overhead. In an emergency, you won’t have to make frantic calls between your hosting provider, your database administrator and your network engineer — everyone is already working together, which means quicker resolutions, leading to better outcomes. It also provides legal cover in the event of a breach, attack or outage. Successful hacks often simultaneously exploit Forward-looking companies, however, are already starting to see the benefits of a unified managed services approach incorporating security and compliance. This approach lets weaknesses in hardware setup, software patching, GRC, training, monitoring and other domains. In a disaster, everyone goes into damage control mode, and you can end up with multiple agencies fighting it out in the courts (and in the press!) for years. If one provider handles everything, on the other hand, it’s their reputation on the line. Getting SAP Security and Compliance Management Right The most secure organizations don’t look at SAP compliance management and security requirements as roadblocks, but as a way to protect their investments. Governance, risk and compliance provides a powerful framework to protect your organization from errors, corruption and costly mistakes, and industry-specific compliance regimes provides similar fortification against external threats. Legal regimes and industry guidelines can’t account for every threat an organization faces. Partners like Symmetry view compliance regimes as more than just boxes to check, and as one aspect of an organization-wide program including risk assessment, training, auditing and monitoring. WELCOME HOME