Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2014 Wellesley Information Services. All rights reserved.
Lessons and Strategies for Ensuring Your SAP Systems Remain Compliant
Barun Kumar
Turnkey Consulting Malaysia
In This Session
• Understand the key challenges to maintaining compliance over time
• Consider ways to integrate compliance into good practice on projects and as part of BAU
• Learn how to develop a sustainable approach to compliance that includes not just technology but also organization and process
• Provide tips on extending the reach of GRC to optimize your compliance environment
• Understand the standard SAP tools available to help you remain compliant
What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up
Lack of Governance and Control
• There is often a gap between those setting the objectives and those responsible for administering the controls
  – Not always aligned
  – Do not communicate – not aware of gaps or changes in the environment
• Decision-making authority does not reside at the right level
  – Lack of clarity over who can make decisions
• Owners and approvers are not identified
  – May have changed over time
  – Documentation not maintained
Understanding Compliance Objectives and Solution
• Finance organization is usually responsible for setting objectives
  – Do not always have detailed knowledge of SAP solution
  – Are the objectives really aligned with the business perception of risk?
    – Too many/too few
    – Do not reflect risk profile
• Business finds it difficult to manage the volume of process controls
  – Testing, monitoring
  – Unable to prioritize
• Administrators do not understand the risks being mitigated
  – Controls may not be implemented correctly or at all
Unwieldy Processes That Are Overly Complex
• Processes often have unnecessary steps and checks built in
  – Inefficient processes that take too long
  – No value add
• Increased risk to the organization
  – Users bypass the process just to “get things done”
    – No controls
    – E.g., users sharing powerful IDs
    – E.g., changes made directly in production
• Increased cost
  – Support costs increase along with cost of non-compliance
    – Investigate and resolve issues
    – Financial loss incurred
Gaps in the Supporting Technology
• Difficult to maintain compliance without some degree of automation …
• … but it needs to be configured correctly to avoid the pitfalls of process complexity
• Workflow approvals
  – Delegation of authority set up?
• Alert monitoring
  – Are you notified when suspicious activity occurs, or a compliance breach?
• SoD matrix
  – How easy is it to identify and mitigate potential conflicts?
Establish Your Control Framework
• Develop a framework that supports business goals
  – Ensures IT goals are aligned
  – Across the organization
• Identify the core control objectives and prioritize
  – Business risk
  – Complexity
  – Known areas of weakness
• Define and design controls
• Test the effectiveness of the controls
• Document testing for continuous use
Build the Right Controls into Your Business Processes
• Business process controls should be identified and applied
  – During an implementation
  – As part of any redesign or enhancement activity
  – May be manual or automated
  – Detective or preventative
• Controls should be commensurate with the associated risk
  – E.g., do not add verification steps if no one will review the output and take action accordingly
• Use control mechanisms to simplify the process wherever possible
  – Workflow tools, e.g., to manage PO approvals, set tolerances
Ensure Appropriate IT Controls Are in Place
• Environment build standards are in place and are followed
  – System parameters
  – Security components and audit logging
• Technical change and release management processes are followed
  – Impact assessment completed by appropriately skilled staff
  – Changes are tested
  – Approvers are defined
  – Changes are documented
  – Alignment between production stack and project stack
    – QA and Prod in sync
    – Regression testing
Develop Relevant Access Controls Across Landscape
• Role design concept is documented and maintained
  – End user and support team roles
  – Concept is easy to understand and administer
• Role owners/approvers identified within the business
  – Understand role content and control objectives
• Role documentation is maintained
  – Changes
  – Restrictions and org. levels
• SoD reviews are conducted as part of role build or role change
  – Reviews of single roles and sensitive access checks
  – Conflicts are mitigated
• Changes are tested and approved
Access Controls Apply Not Only in Production
• Specific roles defined for non-Production access
• SoD checks should still be applied
  – Particular focus on sensitive access
• Data restrictions should be considered
  – Production data available in QA systems for testing?
  – HR, customer, vendor details widely available?
  – Data privacy constraints
Implement Efficient User Management Processes
• Ensure processes are aligned with agreed standards
• Determine approvers and document these for support teams
  – Make sure documentation is kept up to date
• Simplify the request form
  – Easy to complete
  – Easy to identify access required
• Use of identity management tools
  – Joiners and leavers
  – Follow up on users that have not logged on for an extended period/never logged on
  – Contractors/third parties
Verify User Management Processes Are Maintained
• Are there well-defined SLAs in place, and are they met?
  – Failures are usually due to:
    – Incomplete request – user does not know what to ask for
    – Lack of “informed” approver
    – Difficult to identify roles to be assigned
• Regular monitoring and audits
  – Access validation by approvers
  – SoD reviews
    – Violations managed down
  – Non-dialog IDs
    – Specific roles
    – Approvals
Don’t Forget Patching!
• Process established for managing patches
  – Security patching should be one element in the overall patching approach
  – Where support is outsourced, the contract may be “patch on fail”
  – Assess potential vulnerabilities
• Use EarlyWatch alerts to flag when security-critical notes have not been applied
• Assess and test security notes in a timely manner
  – Use the monthly SAP Security Patch Day to drive the review process
• Apply patches following standard change and release management processes
Monitoring Practices Are Implemented
• Identify key risk areas to be monitored
  – Existing weakness
  – High impact
• Develop KPIs based on good practice and the reality of the environment
  – Audit/Compliance input
  – Only measure what you intend to action
• Agree on owners for KPIs
  – Who will investigate and take action over variances?
  – How do you prioritize activities?
Examples of KPIs
• Number of dialog or service users with SAP_ALL
• Number of times Firefighter access has been invoked
• Number of end-user roles with direct table access
• Number of security incidents logged in a reporting period
• KPIs will vary by organization
  – Do the KPIs provide useful information to your organization?
  – Can you measure them?
  – Do you plan to resolve the issues that are identified?
  – Be prepared to change your KPIs as new areas of risk are identified
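The KPIs above only help if they can actually be measured, so here is an added example (not from the deck or from SAP) that computes three of them, together with the "not logged on for an extended period/never logged on" follow-up from the user management slide, over small user-master extracts. The table and field names USR02, UST04 and AGR_1251 are the SAP data dictionary names; every row is constructed for the example, and the meaning of "end-user role" (prefix Z_) and "direct table access" (the transactions in TABLE_TCODES or S_TABU_DIS for all table groups) are assumptions you would replace with your own definitions.

```python
"""Added example: KPI computation over constructed SAP user-master extracts.
Not SAP code; table and field names follow the ABAP dictionary, rows are made up."""
from datetime import date, datetime

# USR02 extract (constructed). USTYP: A = dialog, B = system, S = service.
# TRDAT is the last logon date; SAP stores 00000000 for a user who never logged on.
USR02 = [
    {"BNAME": "JSMITH",   "USTYP": "A", "TRDAT": "20140910", "ERDAT": "20120103"},
    {"BNAME": "FF_ADMIN", "USTYP": "A", "TRDAT": "20140912", "ERDAT": "20130701"},
    {"BNAME": "RFC_HR",   "USTYP": "B", "TRDAT": "20140915", "ERDAT": "20110101"},
    {"BNAME": "OLDGUY",   "USTYP": "A", "TRDAT": "20131201", "ERDAT": "20100505"},
    {"BNAME": "NEWBIE",   "USTYP": "A", "TRDAT": "00000000", "ERDAT": "20140101"},
    {"BNAME": "WEBSVC",   "USTYP": "S", "TRDAT": "20140914", "ERDAT": "20120202"},
]

# UST04 extract (constructed): profile assignments per user.
UST04 = [
    {"BNAME": "FF_ADMIN", "PROFILE": "SAP_ALL"},
    {"BNAME": "RFC_HR",   "PROFILE": "SAP_ALL"},
    {"BNAME": "WEBSVC",   "PROFILE": "SAP_ALL"},
    {"BNAME": "JSMITH",   "PROFILE": "Z_AP_CLERK"},
]

# AGR_1251 extract (constructed): authorization values held by each role.
AGR_1251 = [
    {"AGR_NAME": "Z_AP_CLERK",      "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "FB60"},
    {"AGR_NAME": "Z_REPORTING",     "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "SE16"},
    {"AGR_NAME": "Z_REPORTING",     "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*"},
    {"AGR_NAME": "SAP_BASIS_ADMIN", "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "SE16"},
]

# Constructed Firefighter usage log: (firefighter ID, user, session date).
FIREFIGHTER_LOG = [
    ("FF_FIN01",  "JSMITH", "20140805"),
    ("FF_FIN01",  "JSMITH", "20140902"),
    ("FF_BASIS1", "OLDGUY", "20140911"),
]

END_USER_ROLE_PREFIX = "Z_"                        # assumption: end-user roles start with Z_
TABLE_TCODES = {"SE16", "SE16N", "SM30", "SM31"}   # assumption: what "direct table access" means
AS_OF = date(2014, 9, 16)                          # constructed reporting date


def sap_date(s):
    """Parse an SAP YYYYMMDD date; None for the 'never' value 00000000."""
    return None if s == "00000000" else datetime.strptime(s, "%Y%m%d").date()


def kpi_sap_all_users(usr02=USR02, ust04=UST04, user_types=("A", "S")):
    """Dialog or service users holding the SAP_ALL profile (system users excluded)."""
    holders = {r["BNAME"] for r in ust04 if r["PROFILE"] == "SAP_ALL"}
    return sorted(u["BNAME"] for u in usr02
                  if u["BNAME"] in holders and u["USTYP"] in user_types)


def kpi_roles_with_table_access(agr_1251=AGR_1251):
    """End-user roles granting a table-browsing transaction or S_TABU_DIS for all groups."""
    hits = set()
    for r in agr_1251:
        if not r["AGR_NAME"].startswith(END_USER_ROLE_PREFIX):
            continue
        if r["OBJECT"] == "S_TCODE" and r["LOW"] in TABLE_TCODES:
            hits.add(r["AGR_NAME"])
        elif r["OBJECT"] == "S_TABU_DIS" and r["FIELD"] == "DICBERCLS" and r["LOW"] == "*":
            hits.add(r["AGR_NAME"])
    return sorted(hits)


def kpi_firefighter_invocations(period_start, period_end, log=FIREFIGHTER_LOG):
    """Firefighter sessions started inside the reporting period (inclusive)."""
    return sum(1 for _, _, d in log if period_start <= sap_date(d) <= period_end)


def dormant_users(as_of, days=90, usr02=USR02):
    """Dialog users to follow up: never logged on, or no logon for more than `days` days."""
    never, inactive = [], []
    for u in usr02:
        if u["USTYP"] != "A":
            continue
        last = sap_date(u["TRDAT"])
        if last is None:
            never.append(u["BNAME"])
        elif (as_of - last).days > days:
            inactive.append(u["BNAME"])
    return {"never_logged_on": sorted(never), "inactive": sorted(inactive)}


def kpi_report(as_of, period_days=30):
    """Collect the KPIs for one reporting period ending on `as_of`."""
    start = date.fromordinal(as_of.toordinal() - period_days + 1)
    return {
        "dialog_or_service_users_with_sap_all": len(kpi_sap_all_users()),
        "firefighter_invocations": kpi_firefighter_invocations(start, as_of),
        "end_user_roles_with_table_access": len(kpi_roles_with_table_access()),
        "dormant_dialog_users": sum(len(v) for v in dormant_users(as_of).values()),
    }


if __name__ == "__main__":
    print(kpi_report(AS_OF))
    print(dormant_users(AS_OF))
```

Each KPI is a named function returning the list of offenders rather than just a count, so the same code feeds both the trend number and the follow-up list the KPI owner needs to act on; the system user RFC_HR holding SAP_ALL is deliberately left out of the dialog/service KPI, as the slide specifies, which is exactly the kind of scoping decision the "can you measure them?" question is about.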
Develop the Supporting Organizational Structure
• The existing organization structure may not support ongoing compliance
• Establish a RACI
  – What are the key compliance-related activities?
  – Which roles are accountable, responsible, etc.?
  – Where are the gaps?
• Publish the RACI and implement
  – May need to restructure to ensure gaps are closed
  – Will provide clarity on roles and responsibilities to all parties
  – Integration points may require attention
• Governance model will highlight decision-making and ownership
Ensure Ongoing Business Stakeholder Engagement
• Responsibility for SAP compliance does not sit only with IT
  – Business must take ownership
    – Identify potential new risks/changes in existing risks
    – Risk and control owners
    – Approver roles
• Partnership between Business – Controls – SAP Security Support
  – Regular conversation and reviews
  – Develop mutual understanding of roles and responsibilities
  – Increased collaboration will ultimately result in a more secure and compliant environment
Establish a Training and Education Programme
• Training and education are important, not as a one-off but ongoing
  – SAP Security
  – IT Support
  – Business and Controls
  – End users
• Link all aspects of the controls environment together
  – How does each area impact the others?
  – Hand-off points
• Regular updates on changes to:
  – Process
  – Risks/Mitigations
  – Approvers
Keep Outsource Providers Involved
• Ultimate accountability for risk management and compliance sits with the organization, not the outsource provider
• Partnership with outsource providers (win-win approach)
  – Support function
    – Implement/administer based on organization “rules”
  – Auditors
    – Provide input on compliance requirements
    – Can help the support organization develop a response to requirements
  – Third parties can bring experience and an alternative perspective to help achieve compliance goals
ARA Enables Greater Transparency Over Access Conflicts
• As a rule, audit findings focus on Segregation of Duties conflicts
• Implementing ARA will enable the organization to:
  – Document a wide range of business rules plus sensitive access restrictions
  – Identify potential risks at a granular level and mitigate them
  – Avoid SoD issues altogether through simulations during role build and user assignment
  – Promote ownership of SoD management within the business
    – Risk owners
    – Real-time reporting directly into the business
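To make concrete what "business rules", "single role reviews" and "simulation during role build and user assignment" mean in practice (this slide and the SoD bullets on the access-controls slide), here is an added example of a minimal SoD rule check with assignment simulation. It is not SAP GRC code and not the ruleset SAP ships; the business functions, risk IDs, roles and users are all constructed, and the critical-transaction list is an assumption standing in for a sensitive-access rule.

```python
"""Added example: minimal segregation-of-duties (SoD) rule engine with
assignment simulation. Constructed data throughout; not SAP GRC code."""

# Business functions as sets of transaction codes (constructed ruleset).
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01", "FK02"},  # create/change vendor master
    "AP_INVOICE":   {"FB60", "MIRO"},                   # post vendor invoices
    "AP_PAYMENT":   {"F110", "F-53"},                   # run/post outgoing payments
    "PO_CREATE":    {"ME21N", "ME22N"},                 # create/change purchase orders
    "GR_POST":      {"MIGO"},                           # post goods receipts
}

# SoD risks: pairs of functions one person must not hold together (constructed IDs).
RISKS = {
    "P001": ("VENDOR_MAINT", "AP_PAYMENT"),  # set up a vendor and pay it
    "P002": ("AP_INVOICE", "AP_PAYMENT"),    # post an invoice and pay it
    "P003": ("PO_CREATE", "GR_POST"),        # order goods and receive them
}

# Sensitive access flagged on its own, independent of any pairing (assumption).
CRITICAL_TCODES = {"SE16", "SM30", "SU01", "PFCG"}

# Role -> transaction codes it grants (constructed; stands in for S_TCODE values in AGR_1251).
ROLES = {
    "Z_AP_CLERK":    {"FB60", "MIRO", "FBL1N"},
    "Z_AP_PAYMENT":  {"F110", "F-53", "FBL1N"},
    "Z_AP_ALL":      {"FB60", "F110"},          # a badly built single role
    "Z_MDM_VENDOR":  {"XK01", "XK02"},
    "Z_BUYER":       {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":   {"MIGO"},
    "Z_BASIS_TABLE": {"SE16", "SM30"},
}

# User -> assigned roles (constructed; stands in for AGR_USERS).
USERS = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "AKHAN":  {"Z_BUYER"},
    "MLEE":   {"Z_MDM_VENDOR"},
}


def tcodes_for_roles(roles):
    """Union of the transaction codes granted by a set of roles."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def functions_held(tcodes):
    """Business functions a set of transaction codes enables (any one tcode is enough)."""
    return {f for f, tc in FUNCTIONS.items() if tc & tcodes}


def analyse(tcodes):
    """Return (sorted SoD risk IDs, sorted critical tcodes) for a set of transaction codes."""
    held = functions_held(tcodes)
    risks = sorted(rid for rid, (a, b) in RISKS.items() if a in held and b in held)
    return risks, sorted(tcodes & CRITICAL_TCODES)


def user_risks(user):
    """Risks a user currently carries through the roles assigned to them."""
    return analyse(tcodes_for_roles(USERS[user]))


def simulate_assignment(user, new_role):
    """Risks and critical access a proposed role assignment would ADD, before provisioning."""
    before, crit_before = analyse(tcodes_for_roles(USERS[user]))
    after, crit_after = analyse(tcodes_for_roles(USERS[user] | {new_role}))
    return sorted(set(after) - set(before)), sorted(set(crit_after) - set(crit_before))


def role_self_conflicts():
    """Single roles that violate a rule on their own; caught at role build, not at assignment."""
    return {r: analyse(tc)[0] for r, tc in ROLES.items() if analyse(tc)[0]}


if __name__ == "__main__":
    for u in USERS:
        print(u, user_risks(u))
    print("AKHAN + Z_WAREHOUSE ->", simulate_assignment("AKHAN", "Z_WAREHOUSE"))
    print("single-role conflicts:", role_self_conflicts())
```

Two points the example makes that the slide states only in passing: a conflict can live inside one role (Z_AP_ALL here), so the single-role review at build time is a separate check from the user-level analysis, and the simulation reports only the risks the new assignment would introduce, which is what an approver needs to decide whether to reject the request or attach a mitigating control.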
Opportunity to Manage and Control Privileged Access Usage
• Extend use of Firefighter to cover broader privileged access requirements
  – Emergency access
  – Sensitive, one-time access, e.g., year-end scenarios
  – Cutover, project support access
• Good time to review and revise privileged access roles and re-validate usage criteria
  – Who can use them in what scenarios
  – Firefighter owners and approvers
• Automated audit logs provide usage details, but are reliant on reviewers with the requisite knowledge
  – Training needs
Enhanced, Automated Access Request Management Process
• Online request form that makes it easier for the user to select the most appropriate access
• Ability to introduce multiple approvers for specific access requests
  – Workflow is key to speeding up the approval process whilst ensuring the right controls are in place
• Ability to provision access directly based on approval
  – Reduces risk of human error
  – Potential to reduce cost of compliance over time
Enhanced Control Monitoring
• Ability to enhance existing process controls
  – Workflow alerts
  – IT General Controls as well as business controls
  – Real-time view of compliance breaches
• Continuous control monitoring (CCM) to determine whether controls are effective
• Automated testing to reduce audit and compliance footprint
• Potential to integrate with broader transaction monitoring tools in order to identify suspicious transactions
• Trend reporting
Simplified Business Role Management Tools
• Role mapping database to facilitate role assignment
  – Translates technical security roles into “business speak”
  – Simplifies the role design and build process
  – Requesters can more easily identify and define new requirements
• Simplified role maintenance and administration
  – Central design repository
  – Easier to control build process in a larger organization
  – Role derivation is easier to manage with prepopulated org levels
  – Option to store role owner information
Standard SAP Tools
• Use Solution Manager central monitoring and reporting
  – EarlyWatch Alerts
    – Security-related SAP Notes (high level)
    – Users with critical authorizations
    – Default passwords of standard users
  – Report through SAP BW (SM 7.10 SP3)
• RSECNOTE
  – Detailed information on security-related notes and their implementation status
  – Requires configuration; see SAP Note 888889
Security Optimization Self-Service
• Perform detailed security analysis
  – Recommended to run quarterly as part of security housekeeping
  – Wider coverage than just using ARA
    – Access to sensitive functionality
    – Security-related parameter settings
    – External authentication
    – SAP Router
    – Java configuration and administration
  – SOS-S checks are regularly updated
    – Audit firms are waking up to external threats
Where to Find More Information
• www.isaca.org
  – Contains useful information regarding risk management, compliance and governance, including COBIT
• http://scn.sap.com/community/grc
  – SCN Resource Area for GRC
• https://websmp207.sap-ag.de/securitynotes
  – SAP Security Patch Day information
• https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SIS262_presentation.pdf
  – Cross-system reporting on security notes
7 Key Points to Take Home
• Projects (new implementations, upgrades) are a good opportunity to improve compliance
• Ownership and decision-making authority is the foundation for getting and remaining compliant
• KPIs are essential for baselining and maintaining compliance initiatives
• Effective business engagement is needed to ensure that compliance is not “something IT does”
• Training and education are key tools for developing appropriate skills and behaviors
• Use GRC to automate compliance activities where possible
• SAP provides useful tools to monitor and report on areas that are key focus areas for internal and external auditors
Your Turn!
How to contact me:
Barun Kumar
Barun.kumar@turnkeyconsulting.com
@TwitterUserName
Please remember to complete your session evaluation
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

SPS Cape Town - Measuring Governance Maturity
 

GRCSG2014_Kumar_Lessons for ensuring_F2E [Compatibility Mode]

6. Unwieldy Processes That Are Overly Complex
• Processes often have unnecessary steps and checks built in
  Inefficient processes that take too long
  No value add
• Increased risk to the organization
  Users bypass the process just to “get things done”
  No controls
  E.g., users sharing powerful IDs
  E.g., changes made directly in production
• Increased cost
  Support costs increase along with the cost of non-compliance
  Investigate and resolve issues
  Financial loss incurred

7. Gaps in the Supporting Technology
• Difficult to maintain compliance without some degree of automation …
• … but it needs to be configured correctly to avoid the pitfalls of process complexity
• Workflow approvals
  Delegation of authority set up?
• Alert monitoring
  Are you notified when suspicious activity occurs, or a compliance breach?
• SoD matrix
  How easy is it to identify and mitigate potential conflicts?

8. What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

9. Establish Your Control Framework
• Develop a framework that supports business goals
  Ensures IT goals are aligned
  Across the organization
• Identify the core control objectives and prioritize
  Business risk
  Complexity
  Known areas of weakness
• Define and design controls
• Test the effectiveness of the controls
• Document testing for continuous use

10. Build the Right Controls into Your Business Processes
• Business process controls should be identified and applied
  During an implementation
  As part of any redesign or enhancement activity
  May be manual or automated
  Detective or preventative
• Controls should be commensurate with the associated risk
  E.g., do not add verification steps if no one will review the output and take action accordingly
• Use control mechanisms to simplify the process wherever possible
  Workflow tools, e.g., to manage PO approvals, set tolerances

11. Ensure Appropriate IT Controls Are in Place
• Environment build standards are in place and are followed
  System parameters
  Security components and audit logging
• Technical change and release management processes are followed
  Impact assessment completed by appropriately skilled staff
  Changes are tested
  Approvers are defined
  Changes are documented
  Alignment between production stack and project stack
    QA and Prod in sync
    Regression testing

12. Develop Relevant Access Controls Across the Landscape
• Role design concept is documented and maintained
  End user and support team roles
  Concept is easy to understand and administer
• Role owners/approvers identified within the business
  Understand role content and control objectives
• Role documentation is maintained
  Changes
  Restrictions and org. levels
• SoD reviews are conducted as part of role build or role change
  Reviews of single roles and sensitive access checks
  Conflicts are mitigated
• Changes are tested and approved

13. Access Controls Apply Not Only in Production
• Specific roles defined for non-Production access
• SoD checks should still be applied
  Particular focus on sensitive access
• Data restrictions should be considered
  Production data available in QA systems for testing?
  HR, customer, vendor details widely available?
  Data privacy constraints

14. Implement Efficient User Management Processes
• Ensure processes are aligned with agreed standards
• Determine approvers and document these for support teams
  Make sure documentation is kept up to date
• Simplify the request form
  Easy to complete
  Easy to identify the access required
• Use of identity management tools
  Joiners and leavers
  Follow up on users that have not logged on for an extended period or have never logged on
  Contractors/third parties

15. Verify User Management Processes Are Maintained
• Are there well-defined SLAs in place, and are they met?
  Failures are usually due to:
    Incomplete request – user does not know what to ask for
    Lack of an “informed” approver
    Difficulty identifying the roles to be assigned
• Regular monitoring and audits
  Access validation by approvers
  SoD reviews
    Violations managed down
  Non-dialog IDs
    Specific roles
    Approvals

16. Don’t Forget Patching!
• Process established for managing patches
  Security patching should be one element in the overall patching approach
  Where support is outsourced, the contract may be “patch on fail”
  Assess potential vulnerabilities
• Use EarlyWatch alerts to flag when security-critical notes have not been applied
• Assess and test security notes in a timely manner
  Use the monthly SAP Security Patch Day to drive the review process
• Apply patches following standard change and release management processes

17. Monitoring Practices Are Implemented
• Identify key risk areas to be monitored
  Existing weakness
  High impact
• Develop KPIs based on good practice and the reality of the environment
  Audit/Compliance input
  Only measure what you intend to action
• Agree on owners for KPIs
  Who will investigate and take action over variances?
  How do you prioritize activities?

18. Examples of KPIs
• Number of dialog or service users with SAP_ALL
• Number of times Firefighter access has been invoked
• Number of end-user roles with direct table access
• Number of security incidents logged in a reporting period
• KPIs will vary by organization
  Do the KPIs provide useful information to your organization?
  Can you measure them?
  Do you plan to resolve the issues that are identified?
  Be prepared to change your KPIs as new areas of risk are identified
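Two of the KPIs on slide 18 (dialog or service users with SAP_ALL, end-user roles with direct table access) and the "never logged on / not logged on for an extended period" follow-up from slide 14 can be computed from user-master extracts. The following is an added example, not code from the presentation or from any SAP or GRC tool: the rows are constructed, and their shape only mimics the SAP tables USR02 (user type, last logon), UST04 (user-to-profile) and AGR_1251 (role authorizations), which is an assumption about where the data would come from. The end-user role prefixes are likewise an assumed naming convention.

```python
"""KPI calculations over user-master extracts (added example, constructed data)."""
from datetime import date, timedelta

# Constructed USR02-like rows: USTYP A = dialog, B = system, S = service;
# TRDAT = last logon date, None = never logged on.
USR02 = [
    {"BNAME": "JSMITH",   "USTYP": "A", "TRDAT": date(2014, 3, 10)},
    {"BNAME": "BATCHADM", "USTYP": "B", "TRDAT": date(2014, 3, 11)},
    {"BNAME": "SUPPORT1", "USTYP": "A", "TRDAT": None},
    {"BNAME": "WEBSVC",   "USTYP": "S", "TRDAT": date(2013, 1, 5)},
    {"BNAME": "OLDUSER",  "USTYP": "A", "TRDAT": date(2013, 6, 1)},
]

# Constructed UST04-like rows: (user, profile).
UST04 = [
    ("JSMITH", "Z_AP"),
    ("BATCHADM", "SAP_ALL"),
    ("SUPPORT1", "SAP_ALL"),
    ("WEBSVC", "SAP_ALL"),
    ("OLDUSER", "Z_DISPLAY"),
]

# Constructed AGR_1251-like rows: (role, authorization object, field, value).
AGR_1251 = [
    ("Z_AP_CLERK",    "S_TCODE",    "TCD",   "FB60"),
    ("Z_AP_CLERK",    "S_TCODE",    "TCD",   "SE16"),
    ("Z_BASIS",       "S_TCODE",    "TCD",   "SE16"),
    ("Z_BASIS",       "S_TABU_DIS", "ACTVT", "02"),
    ("Z_BUYER",       "S_TCODE",    "TCD",   "ME21N"),
    ("Z_ENDUSER_TBL", "S_TABU_DIS", "ACTVT", "03"),
]

# Assumed naming convention that separates end-user roles from IT/basis roles.
END_USER_PREFIXES = ("Z_AP", "Z_BUYER", "Z_ENDUSER")
# Standard SAP transactions that give generic table display/maintenance.
TABLE_TCODES = {"SE16", "SE16N", "SM30", "SM31", "SE11"}


def users_with_sap_all(usr02=USR02, ust04=UST04, user_types=("A", "S")):
    """KPI: dialog or service users holding the SAP_ALL profile (system users excluded)."""
    types = {row["BNAME"]: row["USTYP"] for row in usr02}
    return sorted({user for user, prof in ust04
                   if prof == "SAP_ALL" and types.get(user) in user_types})


def end_user_roles_with_table_access(agr_1251=AGR_1251, prefixes=END_USER_PREFIXES):
    """KPI: end-user roles that grant direct table access, either through a
    table transaction in S_TCODE or through any S_TABU_DIS authorization."""
    hits = set()
    for role, obj, field, value in agr_1251:
        if not role.startswith(prefixes):
            continue
        if obj == "S_TABU_DIS" or (obj == "S_TCODE" and value in TABLE_TCODES):
            hits.add(role)
    return sorted(hits)


def inactive_users(as_of, days=90, usr02=USR02):
    """Users that never logged on or not within the last `days` days;
    this is the input to the joiner/leaver follow-up on slide 14."""
    cutoff = as_of - timedelta(days=days)
    return sorted(row["BNAME"] for row in usr02
                  if row["TRDAT"] is None or row["TRDAT"] < cutoff)


def kpi_report(as_of):
    """The three counts a monitoring dashboard would trend per reporting period."""
    return {
        "sap_all_dialog_service_users": len(users_with_sap_all()),
        "end_user_roles_with_table_access": len(end_user_roles_with_table_access()),
        "inactive_users_90d": len(inactive_users(as_of)),
    }


if __name__ == "__main__":
    print(kpi_report(date(2014, 3, 31)))
```

The functions return the offending users and roles rather than just counts, so the KPI owner from slide 17 has something to act on, not only a number to report.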
19. What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

20. Develop the Supporting Organizational Structure
• The existing organization structure may not support ongoing compliance
• Establish a RACI
  What are the key compliance-related activities?
  Which roles are accountable, responsible, etc.?
  Where are the gaps?
• Publish the RACI and implement it
  May need to restructure to ensure gaps are closed
  Will provide clarity on roles and responsibilities to all parties
  Integration points may require attention
• Governance model will highlight decision-making and ownership

21. Ensure Ongoing Business Stakeholder Engagement
• Responsibility for SAP compliance does not only sit with IT
  Business must take ownership
  Identify potential new risks/changes in existing risks
  Risk and control owners
  Approver roles
• Partnership between Business – Controls – SAP Security Support
  Regular conversation and reviews
  Develop mutual understanding of roles and responsibilities
  Increased collaboration will ultimately result in a more secure and compliant environment

22. Establish a Training and Education Programme
• Training and education are important, not as a one-off but ongoing
  SAP Security
  IT Support
  Business and Controls
  End users
• Link all aspects of the controls environment together
  How does each area impact the others?
  Hand-off points
• Regular updates on changes to:
  Process
  Risks/Mitigations
  Approvers

23. Keep Outsource Providers Involved
• Ultimate accountability for risk management and compliance sits with the organization, not the outsource provider
• Partnership with outsource providers (win-win approach)
  Support function
    Implement/administer based on organization “rules”
  Auditors
    Provide input on compliance requirements
    Can help the support organization develop a response to requirements
  Third parties can bring experience and an alternative perspective to help achieve compliance goals

24. What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

25. ARA Enables Greater Transparency Over Access Conflicts
• As a rule, audit findings focus on Segregation of Duty conflicts
• Implementing ARA (Access Risk Analysis) will enable the organization to:
  Document a wide range of business rules plus sensitive access restrictions
  Identify potential risks at a granular level and mitigate them
  Avoid SoD issues altogether through simulations during role build and user assignment
  Promote ownership of SoD management within the business
    Risk owners
    Real-time reporting directly into the business
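Slide 12 asks for SoD reviews of single roles during role build with conflicts mitigated, and slide 25 describes the ARA capability of simulating a role build or user assignment before it happens. The following is an added example of that logic, not code from the presentation or from SAP GRC Access Control: the function definitions, risk rules, roles, users and mitigating-control ids are constructed placeholders that only show the shape of a rule set (a real rule set also carries authorization-object values, not just transaction codes).

```python
"""Segregation-of-duties check with role-build and assignment simulation
(added example, constructed rule set)."""

# Business functions expressed as sets of transaction codes (constructed).
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PO_CREATE": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO", "MB01"},
    "INVOICE_POST": {"MIRO", "FB60"},
}

# Risk rules: pairs of functions one person should not hold together (constructed ids).
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "VENDOR_PAYMENT"),
    "P002": ("PO_CREATE", "GOODS_RECEIPT"),
    "P003": ("GOODS_RECEIPT", "INVOICE_POST"),
}

# Single roles and the transactions they grant (constructed).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK02"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY": {"ME23N", "XK03"},
}

# Current user-to-role assignments (constructed).
USERS = {
    "JSMITH": ["Z_AP_CLERK", "Z_DISPLAY"],
    "AKHAN": ["Z_BUYER", "Z_WAREHOUSE"],
    "LCHEN": ["Z_AP_PAYMENTS"],
}

# Risks accepted by a risk owner with a mitigating control (constructed control id).
MITIGATIONS = {("AKHAN", "P002"): "MC-017"}


def tcodes_for_roles(roles):
    """Union of the transactions granted by a list of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES.get(role, set())
    return tcodes


def functions_in(tcodes):
    """Business functions reachable from a set of transactions."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def violations(tcodes):
    """Risk ids whose two functions are both reachable from the given transactions."""
    funcs = functions_in(tcodes)
    return sorted(rid for rid, (a, b) in RISKS.items() if a in funcs and b in funcs)


def check_role(role_tcodes):
    """Single-role check during role build: conflicts contained within one role."""
    return violations(set(role_tcodes))


def analyze_users(users=USERS):
    """User-level analysis across all roles a user holds."""
    return {user: violations(tcodes_for_roles(roles)) for user, roles in users.items()}


def open_violations(users=USERS, mitigations=MITIGATIONS):
    """Violations with no mitigating control assigned: the ones an auditor will report."""
    return {
        user: [rid for rid in rids if (user, rid) not in mitigations]
        for user, rids in analyze_users(users).items()
    }


def simulate_assignment(user, new_role, users=USERS):
    """Risks the user would newly acquire if new_role were added; run before approval."""
    before = set(violations(tcodes_for_roles(users[user])))
    after = set(violations(tcodes_for_roles(users[user] + [new_role])))
    return sorted(after - before)


if __name__ == "__main__":
    print("user analysis:", analyze_users())
    print("unmitigated:", open_violations())
    print("JSMITH + Z_AP_PAYMENTS:", simulate_assignment("JSMITH", "Z_AP_PAYMENTS"))
    print("new role {MIGO, MIRO}:", check_role({"MIGO", "MIRO"}))
```

The simulation reports only risks the assignment would introduce, so an approver sees the delta caused by the request rather than the user's pre-existing, already mitigated findings; the mitigation table is what turns the raw analysis into the "violations managed down" view from slide 15.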
26. Opportunity to Manage and Control Privileged Access Usage
• Extend use of Firefighter to cover broader privileged access requirements
  Emergency access
  Sensitive, one-time access, e.g., year-end scenarios
  Cutover, project support access
• Good time to review and revise privileged access roles and re-validate usage criteria
  Who can use them, and in what scenarios
  Firefighter owners and approvers
• Automated audit logs provide usage details, but are reliant on reviewers with the requisite knowledge
  Training needs

27. Enhanced, Automated Access Request Management Process
• Online request form that makes it easier for the user to select the most appropriate access
• Ability to introduce multiple approvers for specific access requests
  Workflow is key to speeding up the approval process whilst ensuring the right controls are in place
• Ability to provision access directly based on approval
  Reduces risk of human error
  Potential to reduce the cost of compliance over time

28. Enhanced Control Monitoring
• Ability to enhance existing process controls
  Workflow alerts
  IT General Controls as well as business controls
  Real-time view of compliance breaches
• Continuous control monitoring (CCM) to determine whether controls are effective
• Automated testing to reduce the audit and compliance footprint
• Potential to integrate with broader transaction monitoring tools in order to identify suspicious transactions
• Trend reporting

29. Simplified Business Role Management Tools
• Role mapping database to facilitate role assignment
  Translates technical security roles into “business speak”
  Simplifies the role design and build process
  Requesters can more easily identify and define new requirements
• Simplified role maintenance and administration
  Central design repository
  Easier to control the build process in a larger organization
  Role derivation is easier to manage with prepopulated org levels
  Option to store role owner information

30. What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

31. Standard SAP Tools
• Use Solution Manager central monitoring and reporting
  EarlyWatch Alerts
    Security-related SAP Notes (high level)
    Users with critical authorizations
    Default passwords of standard users
  Report through SAP BW (SM 7.10 SP3)
• RSECNOTE
  Detailed information on security-related notes and their implementation status
  Requires configuration: see SAP Note 888889

32. Security Optimization Self-Service
• Perform detailed security analysis
  Recommended to run quarterly as part of security housekeeping
  Wider coverage than just using ARA
    Access to sensitive functionality
    Security-related parameter settings
    External authentication
    SAP Router
    JAVA configuration and administration
  SOS-S checks are regularly updated
  Audit firms are waking up to external threats

33. What We’ll Cover
• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

34. Where to Find More Information
• www.isaca.org
  Contains useful information regarding risk management, compliance and governance, including COBIT
• http://scn.sap.com/community/grc
  SCN Resource Area for GRC
• https://websmp207.sap-ag.de/securitynotes
  SAP security patch day information
• https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SIS262_presentation.pdf
  Cross-system reporting on security notes

35. 7 Key Points to Take Home
• Projects (new implementations, upgrades) are a good opportunity to improve compliance
• Ownership and decision-making authority are the foundation for getting and remaining compliant
• KPIs are essential for baselining and maintaining compliance initiatives
• Effective business engagement is needed to ensure that compliance is not “something IT does”
• Training and education are key tools for developing appropriate skills and behaviors
• Use GRC to automate compliance activities where possible
• SAP provides useful tools to monitor and report on areas that are key focus areas for internal and external auditors

36. Your Turn!
How to contact me:
Barun Kumar
Barun.kumar@turnkeyconsulting.com
@TwitterUserName
Please remember to complete your session evaluation

37. Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.