In This Session
• Understand the key challenges to maintaining compliance over
time
• Consider ways to integrate compliance into good practice on
projects and as part of BAU
• Learn how to develop a sustainable approach to compliance that
includes not just technology but also organization and process
• Provide tips on extending the reach of GRC to optimize your
compliance environment
• Understand the standard SAP tools available to help you remain
compliant
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to
remain compliant
• Wrap-up
Lack of Governance and Control
• There is often a gap between those setting the objectives and
those responsible for administering the controls
Not always aligned
Do not communicate – not aware of gaps or changes in the
environment
• Decision-making authority does not reside at the right level
Lack of clarity over who can make decisions
• Owners and approvers are not identified
May have changed over time
Documentation not maintained
Understanding Compliance Objectives and Solution
• Finance organization is usually responsible for setting objectives
Do not always have detailed knowledge of SAP solution
Are the objectives really aligned with the business perception
of risk?
Too many/too few
Do not reflect risk profile
• Business finds it difficult to manage the volume of process
controls
Testing, monitoring
Unable to prioritize
• Administrators do not understand the risks being mitigated
Controls may not be implemented correctly or at all
Unwieldy Processes That Are Overly Complex
• Processes often have unnecessary steps and checks built in
Inefficient processes that take too long
No value add
• Increased risk to the organization
Users bypass the process just to “get things done”
No controls
E.g., Users sharing powerful IDs
E.g., Changes made directly in production
• Increased cost
Support costs increase along with cost of non-compliance
Investigate and resolve issues
Financial loss incurred
Gaps in the Supporting Technology
• Difficult to maintain compliance without some degree of
automation …
• … but needs to be configured correctly to avoid pitfalls of process
complexity
• Workflow approvals
Delegation of authority set up?
• Alert monitoring
Are you notified when suspicious activity occurs, or a
compliance breach?
• SoD matrix
How easy is it to identify and mitigate potential conflicts?
Designing and building for sustainable success
Establish Your Control Framework
• Develop a framework that supports business goals
Ensures IT goals are aligned
Across the organization
• Identify the core control objectives and prioritize
Business risk
Complexity
Known areas of weakness
• Define and design controls
• Test the effectiveness of the controls
• Document testing for continuous use
Build the Right Controls into Your Business Processes
• Business process controls should be identified and applied
During an implementation
As part of any redesign or enhancement activity
May be manual or automated
Detective or preventative
• Controls should be commensurate with the associated risk
E.g., do not add verification steps if no one will review the
output and take action accordingly
• Use control mechanisms to simplify the process wherever
possible
Workflow tools, e.g., to manage PO approvals, set tolerances
Ensure Appropriate IT Controls Are in Place
• Environment build standards are in place and are followed
System parameters
Security components and audit logging
• Technical change and release management processes are
followed
Impact assessment completed by appropriate skilled staff
Changes are tested
Approvers are defined
Changes are documented
Alignment between production stack and project stack
QA and Prod in sync
Regression testing
Develop Relevant Access Controls Across the Landscape
• Role design concept is documented and maintained
End user and support team roles
Concept is easy to understand and administer
• Role owners/approvers identified within the business
Understand role content and control objectives
• Role documentation is maintained
Changes
Restrictions and org. levels
• SoD reviews are conducted as part of role build or role change
Reviews of single roles and sensitive access checks
Conflicts are mitigated
• Changes are tested and approved
Access Controls Apply Not Only in Production
• Specific roles defined for non-production access
• SoD checks should still be applied
Particular focus on sensitive access
• Data restrictions should be considered
Production data available in QA systems for testing?
HR, customer, vendor details widely available?
Data privacy constraints
Implement Efficient User Management Processes
• Ensure processes are aligned with agreed standards
• Determine approvers and document these for support teams
Make sure documentation is kept up-to-date
• Simplify the request form
Easy to complete
Easy to identify access required
• Use of identity management tools
Joiners and leavers
Follow up on users that have not logged on for an extended
period/never logged on
Contractors/third parties
Verify User Management Processes Are Maintained
• Are there well-defined SLAs in place, and are they met?
Failures are usually due to:
Incomplete request – user does not know what to ask for
Lack of “informed” approver
Difficult to identify roles to be assigned
• Regular monitoring and audits
Access validation by approvers
SoD reviews
Violations managed down
Non-dialog IDs
Specific roles
Approvals
Don’t Forget Patching!
• Process established for managing patches
Security patching should be one element in overall patching
approach
Where support is outsourced, contract may be “patch on fail”
Assess potential vulnerabilities
• Use EarlyWatch Alerts to flag when security-critical notes have
not been applied
• Assess and test security notes in a timely manner
Use monthly SAP Security Patch Day to drive review process
• Apply patches following standard change and release
management processes
Monitoring Practices Are Implemented
• Identify key risk areas to be monitored
Existing weakness
High impact
• Develop KPIs based on good practice and reality of environment
Audit/Compliance input
Only measure what you intend to action
• Agree on owners for KPIs
Who will investigate and take action over variances?
How do you prioritize activities?
Examples of KPIs
• Number of dialog or service users with SAP_ALL
• Number of times Firefighter access has been invoked
• Number of end-user roles with direct table access
• Number of security incidents logged in a reporting period
• KPIs will vary by organization
Do the KPIs provide useful information to your organization?
Can you measure them?
Do you plan to resolve the issues that are identified?
Be prepared to change your KPIs as new areas of
risk are identified
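The KPIs listed above, and the follow-up on dormant and never-used accounts from the user management slide, only work if they can be measured from the system itself. The script below is an added example for this deck, not an SAP tool and not code from the original presentation: it computes those figures from extracts of the standard tables USR02 (user master), UST04 (user-profile assignments) and AGR_1251 (role authorization values). The extract rows are constructed sample data; the definition of "direct table access", the Z_EU_ naming convention used to recognise end-user roles, and the 90-day idle threshold are assumptions and are labelled as such in the code. Firefighter invocations and security incident counts come from other sources (GRC logs, ticketing) and are not covered.

```python
"""Compute SAP access-compliance KPIs from table extracts.

Added example, not part of the original deck. Table and field names are the
standard SAP ones (USR02, UST04, AGR_1251); the rows below are constructed
sample data, and the rule in has_direct_table_access() is an assumed
definition, not the deck's.
"""
from collections import defaultdict
from datetime import date

REPORT_DATE = date(2024, 1, 31)  # fixed reporting date for the sample run

# Constructed USR02 extract: USTYP A=dialog, S=service, B=system,
# TRDAT last logon (YYYYMMDD, 00000000 = never), ERDAT created.
USR02 = [
    {"BNAME": "JSMITH",    "USTYP": "A", "TRDAT": "20240102", "ERDAT": "20200115"},
    {"BNAME": "BATCHSVC",  "USTYP": "B", "TRDAT": "20240102", "ERDAT": "20190101"},
    {"BNAME": "WEBSVC",    "USTYP": "S", "TRDAT": "20231201", "ERDAT": "20190101"},
    {"BNAME": "CONTRACT1", "USTYP": "A", "TRDAT": "20230301", "ERDAT": "20220601"},
    {"BNAME": "NEWHIRE",   "USTYP": "A", "TRDAT": "00000000", "ERDAT": "20230901"},
]
# Constructed UST04 extract: direct profile assignments.
UST04 = [
    {"BNAME": "JSMITH",    "PROFILE": "SAP_ALL"},
    {"BNAME": "BATCHSVC",  "PROFILE": "SAP_ALL"},
    {"BNAME": "WEBSVC",    "PROFILE": "SAP_ALL"},
    {"BNAME": "CONTRACT1", "PROFILE": "Z_AP_CLERK"},
]
# Constructed AGR_1251 extract: authorization field values per role.
AGR_1251 = [
    {"AGR_NAME": "Z_EU_AP_CLERK", "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "FB60"},
    {"AGR_NAME": "Z_EU_AP_CLERK", "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "SE16"},
    {"AGR_NAME": "Z_EU_GL_VIEW",  "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT",     "LOW": "03"},
    {"AGR_NAME": "Z_EU_GL_VIEW",  "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "FC00"},
    {"AGR_NAME": "Z_EU_MM_BUYER", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT",     "LOW": "02"},
    {"AGR_NAME": "Z_EU_MM_BUYER", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*"},
    {"AGR_NAME": "Z_SUP_BASIS",   "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "SE16"},
]

# Assumed set of "table browser / table maintenance" transactions.
TABLE_TCODES = {"SE16", "SE16N", "SE17", "SM30", "SM31"}


def parse_sap_date(yyyymmdd):
    """SAP stores dates as YYYYMMDD; '00000000' means the user never logged on."""
    if not yyyymmdd or yyyymmdd == "00000000":
        return None
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:]))


def users_with_sap_all(usr02, ust04, user_types=("A", "S")):
    """KPI: dialog (A) and service (S) users holding SAP_ALL directly."""
    utype = {u["BNAME"]: u["USTYP"] for u in usr02}
    return sorted({p["BNAME"] for p in ust04
                   if p["PROFILE"] == "SAP_ALL" and utype.get(p["BNAME"]) in user_types})


def has_direct_table_access(rows):
    """Assumed definition (not the deck's): a table transaction in S_TCODE, or
    change activity (02 or *) on all tables/classes (*) in S_TABU_DIS/S_TABU_NAM.
    Values are aggregated per role, which over-flags split authorizations
    rather than missing a real one."""
    vals = defaultdict(set)
    for r in rows:
        vals[(r["OBJECT"], r["FIELD"])].add(r["LOW"])
    tcd = vals[("S_TCODE", "TCD")]
    if "*" in tcd or tcd & TABLE_TCODES:
        return True
    for obj, scope in (("S_TABU_DIS", "DICBERCLS"), ("S_TABU_NAM", "TABLE")):
        if vals[(obj, "ACTVT")] & {"02", "*"} and "*" in vals[(obj, scope)]:
            return True
    return False


def end_user_roles_with_table_access(agr_1251, is_end_user):
    """KPI: end-user roles with direct table access; is_end_user encodes the
    site's naming convention (assumed below: prefix Z_EU_)."""
    by_role = defaultdict(list)
    for r in agr_1251:
        by_role[r["AGR_NAME"]].append(r)
    return sorted(n for n, rows in by_role.items()
                  if is_end_user(n) and has_direct_table_access(rows))


def dormant_users(usr02, today, max_idle_days=90):
    """Dialog users never logged on or idle beyond max_idle_days; non-dialog
    IDs are reviewed separately, as the deck recommends."""
    out = {"never_logged_on": [], "dormant": []}
    for u in usr02:
        if u["USTYP"] != "A":
            continue
        last = parse_sap_date(u["TRDAT"])
        if last is None:
            out["never_logged_on"].append(u["BNAME"])
        elif (today - last).days > max_idle_days:
            out["dormant"].append(u["BNAME"])
    return out


def compute_kpis(today=REPORT_DATE):
    idle = dormant_users(USR02, today)
    return {
        "sap_all_dialog_service_users": users_with_sap_all(USR02, UST04),
        "end_user_roles_with_table_access":
            end_user_roles_with_table_access(AGR_1251, lambda n: n.startswith("Z_EU_")),
        "dormant_dialog_users": idle["dormant"],
        "never_logged_on_dialog_users": idle["never_logged_on"],
    }


if __name__ == "__main__":
    for name, hits in compute_kpis().items():
        print(f"{name}: {len(hits)} {hits}")
```

Against a real system the three lists are replaced by exports of the same fields (SE16 download or a BW extract); the per-role aggregation is kept deliberately conservative so that a role whose S_TABU_DIS values are split across several authorizations is flagged for review rather than silently passed.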
The people factor: organizational challenges
Develop the Supporting Organizational Structure
• The existing organization structure may not support ongoing
compliance
• Establish a RACI
What are the key compliance-related activities?
Which roles are accountable, responsible, etc.?
Where are the gaps?
• Publish the RACI and implement
May need to restructure to ensure gaps are closed
Will provide clarity on roles and responsibilities to all parties
Integration points may require attention
• Governance model will highlight decision-making and ownership
Ensure Ongoing Business Stakeholder Engagement
• Responsibility for SAP compliance does not only sit with IT
Business must take ownership
Identify potential new risks/change in existing risks
Risk and control owners
Approver roles
• Partnership between Business – Controls – SAP Security Support
Regular conversation and reviews
Develop mutual understanding of roles and responsibilities
Increased collaboration will ultimately result in a
more secure and compliant environment
Establish a Training and Education Programme
• Training and education are important, not as a one-off but ongoing
SAP Security
IT Support
Business and Controls
End users
• Link all aspects of the controls environment together
How does each area impact the others?
Hand-off points
• Regular updates on changes to:
Process
Risks/Mitigations
Approvers
Keep Outsource Providers Involved
• Ultimate accountability for risk management and compliance sits
with the organization, not the outsource provider
• Partnership with outsource providers (win-win approach)
Support function
Implement/administer based on organization “rules”
Auditors
Provide input in compliance requirements
Can help the support organization develop a response to
requirements
Third parties can bring experience and alternative
perspective to help achieve compliance goals
Getting the most from GRC to support compliance objectives
ARA Enables Greater Transparency Over Access Conflicts
• As a rule, audit findings focus on Segregation of Duties (SoD) conflicts
• Implementing ARA will enable the organization to:
Document a wide range of business rules plus sensitive access
restrictions
Identify potential risks at a granular level and mitigate them
Avoid SoD issues altogether by simulating role builds and user
assignments before they are made
Promote ownership of SoD management within the business
Risk owners
Real-time reporting directly into the business
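The simulation bullet above, and the single-role SoD review during role build from the "Develop Relevant Access Controls" slide, rest on the same mechanism: a rule set that maps transaction codes to business functions and functions to conflicting pairs, with mitigations recorded per user and risk. The script below is an added example, not code from the deck or from SAP GRC Access Control; it reproduces that mechanism in outline only. Every role, transaction-to-function mapping, risk ID, user and mitigating control reference is constructed sample data.

```python
"""Rule-based segregation-of-duties (SoD) check with assignment simulation.

Added example for this deck, not SAP GRC code. Function = set of transaction
codes, risk = pair of conflicting functions, mitigation = (user, risk) entry;
all data below is constructed.
"""

# Business functions and the transaction codes that grant them (constructed).
FUNCTIONS = {
    "AP_MAINTAIN_VENDOR": {"XK01", "XK02", "FK01", "FK02"},
    "AP_POST_INVOICE":    {"FB60", "MIRO"},
    "AP_RUN_PAYMENT":     {"F110"},
    "MM_CREATE_PO":       {"ME21N"},
    "MM_GOODS_RECEIPT":   {"MIGO"},
}
# SoD matrix: risk ID -> two functions that must not sit with one person.
RISKS = {
    "P001": ("AP_MAINTAIN_VENDOR", "AP_POST_INVOICE"),
    "P002": ("AP_POST_INVOICE", "AP_RUN_PAYMENT"),
    "M001": ("MM_CREATE_PO", "MM_GOODS_RECEIPT"),
}
# Sensitive access: transactions that are a finding on their own.
CRITICAL_TCODES = {"SU01": "User maintenance", "PFCG": "Role maintenance",
                   "SE16": "Table browser"}

ROLES = {                                    # role -> transaction codes (constructed)
    "Z_AP_CLERK":   {"FB60", "MIRO", "FB03"},
    "Z_AP_VENDOR":  {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENT": {"F110", "FBL1N"},
    "Z_AP_SUPER":   {"XK01", "FB60"},        # conflict built into a single role
    "Z_MM_BUYER":   {"ME21N", "ME23N"},
    "Z_BASIS_SUPP": {"SE16", "SU01"},
}
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB":   {"Z_AP_CLERK", "Z_AP_VENDOR"},  # known P001 conflict, mitigated below
}
# (user, risk) -> mitigating control owned by the business risk owner.
MITIGATIONS = {("BOB", "P001"): "CTRL-07 monthly vendor master change review"}


def functions_of(tcodes):
    """Functions reachable from a set of transaction codes."""
    return {f for f, t in FUNCTIONS.items() if tcodes & t}


def risks_of(tcodes):
    """Sorted risk IDs for which both conflicting functions are reachable."""
    fns = functions_of(tcodes)
    return sorted(r for r, (a, b) in RISKS.items() if a in fns and b in fns)


def critical_of(tcodes):
    """Sensitive transactions contained in the set."""
    return sorted(tcodes & set(CRITICAL_TCODES))


def tcodes_of_roles(role_names, roles=ROLES):
    return set().union(*(roles[r] for r in role_names))


def role_build_check(roles=ROLES):
    """Single-role check at build time: a conflict inside one role cannot be
    resolved by assignment decisions later."""
    return {name: {"risks": risks_of(t), "critical": critical_of(t)}
            for name, t in roles.items() if risks_of(t) or critical_of(t)}


def explain(user, risk, user_roles=USER_ROLES, roles=ROLES):
    """Which of the user's roles supply each side of a conflict (for the reviewer)."""
    return {fn: sorted(r for r in user_roles.get(user, ()) if roles[r] & FUNCTIONS[fn])
            for fn in RISKS[risk]}


def simulate_assignment(user, new_roles, user_roles=USER_ROLES, roles=ROLES,
                        mitigations=MITIGATIONS):
    """Risks an assignment would ADD, checked before provisioning. Approval is
    blocked only by new, unmitigated risks; sensitive access is reported."""
    current = set(user_roles.get(user, ()))
    before = set(risks_of(tcodes_of_roles(current, roles)))
    after = set(risks_of(tcodes_of_roles(current | set(new_roles), roles)))
    new_risks = sorted(after - before)
    unmitigated = [r for r in new_risks if (user, r) not in mitigations]
    return {"new_risks": new_risks, "unmitigated": unmitigated,
            "new_critical": critical_of(tcodes_of_roles(new_roles, roles)),
            "approve": not unmitigated}


def user_risk_report(user_roles=USER_ROLES, roles=ROLES, mitigations=MITIGATIONS):
    """Existing conflicts per user with mitigation status, for the risk owner."""
    return {(u, r): mitigations.get((u, r), "UNMITIGATED")
            for u, rs in user_roles.items() for r in risks_of(tcodes_of_roles(rs, roles))}


if __name__ == "__main__":
    print("role build findings:", role_build_check())
    print("current user conflicts:", user_risk_report())
    print("ALICE + Z_AP_PAYMENT:", simulate_assignment("ALICE", ["Z_AP_PAYMENT"]))
    print("BOB + Z_MM_BUYER:", simulate_assignment("BOB", ["Z_MM_BUYER"]))
    print("why BOB/P001:", explain("BOB", "P001"))
```

role_build_check() is the check to run before a role is transported; simulate_assignment() is the check to run when an access request is approved, and it separates a new unmitigated conflict (ALICE gaining the payment run on top of invoice posting, which blocks approval) from one already covered by a documented control (BOB's vendor master versus invoice posting). Sensitive transactions are reported to the approver rather than blocking, a design choice the approval workflow can tighten.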
Opportunity to Manage and Control Privileged Access Usage
• Extend use of Firefighter to cover broader privileged access
requirements
Emergency access
Sensitive, one-time access, e.g., year-end scenarios
Cutover, project support access
• Good time to review and revise privileged access roles and re-
validate usage criteria
Who can use in what scenarios
Firefighter owners and approvers
• Automated audit logs provide usage details, but reliant on
reviewers with the requisite knowledge
Training needs
Enhanced, Automated Access Request Management Process
• Online request form that makes it easier for the user to select the
most appropriate access
• Ability to introduce multiple approvers for specific access
requests
Workflow is key to speeding up the approval process whilst
ensuring the right controls are in place
• Ability to provision access directly based on approval
Reduces risk of human error
Potential to reduce cost of compliance over time
Enhanced Control Monitoring
• Ability to enhance existing process controls
Workflow alerts
IT General Controls as well as business controls
Real-time view of compliance breaches
• Continuous control monitoring (CCM) to determine whether
controls are effective
• Automated testing to reduce audit and compliance footprint
• Potential to integrate with broader transaction monitoring tools in
order to identify suspicious transactions
• Trend reporting
Simplified Business Role Management Tools
• Role mapping database to facilitate role assignment
Translates technical security roles into “business speak”
Simplifies the role design and build process
Requesters can more easily identify and define new
requirements
• Simplified role maintenance and administration
Central design repository
Easier to control build process in a larger organization
Role derivation is easier to manage with prepopulated org
levels
Option to store role owner information
Future-proofing system compliance using standard SAP tools to remain compliant
Standard SAP Tools
• Use Solution Manager central monitoring and reporting
EarlyWatch Alerts
Security-related SAP Notes (high level)
Users with critical authorizations
Default passwords of standard users
Report through SAP BW (Solution Manager 7.10 SP3)
• RSECNOTE
Detailed information on security-related notes and their implementation status
Requires configuration; see SAP Note 888889
Security Optimization Self-Service
• Perform detailed security analysis
Recommended to run quarterly as part of security housekeeping
Wider coverage than ARA alone
Access to sensitive functionality
Security-related parameter settings
External authentication
SAProuter
Java configuration and administration
SOS checks are regularly updated
Audit firms are waking up to external threats
Wrap-up
Where to Find More Information
• www.isaca.org
Contains useful information regarding risk management,
compliance, governance including COBIT
• http://scn.sap.com/community/grc
SCN Resource Area for GRC
• https://websmp207.sap-ag.de/securitynotes
SAP security patch day information
• https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SIS262_presentation.pdf
Cross-system reporting on security notes
7 Key Points to Take Home
• Projects (new implementations, upgrades) are a good opportunity
to improve compliance
• Ownership and decision-making authority is the foundation for
getting and remaining compliant
• KPIs are essential for baselining and maintaining compliance
initiatives
• Effective business engagement is needed to ensure that
compliance is not “something IT does”
• Training and education are key tools for developing appropriate
skills and behaviors
• Use GRC to automate compliance activities where possible
• SAP provides useful tools to monitor and report on areas that are
key focus areas for internal and external auditors
Your Turn!
How to contact me:
Barun Kumar
Barun.kumar@turnkeyconsulting.com
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.