Lessons and Strategies for Ensuring Your SAP Systems Remain Compliant
Barun Kumar, Turnkey Consulting Malaysia

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2014 Wellesley Information Services. All rights reserved.


Page 2: In This Session

• Understand the key challenges to maintaining compliance over time
• Consider ways to integrate compliance into good practice on projects and as part of BAU (business as usual)
• Learn how to develop a sustainable approach to compliance that includes not just technology but also organization and process
• Provide tips on extending the reach of GRC to optimize your compliance environment
• Understand the standard SAP tools available to help you remain compliant

Page 3: What We’ll Cover

• Common areas of non-compliance
• Designing and building for sustainable success
• The people factor: organizational challenges
• Getting the most from GRC to support compliance objectives
• Future-proofing system compliance using standard SAP tools to remain compliant
• Wrap-up

Page 4: Lack of Governance and Control

• There is often a gap between those setting the objectives and those responsible for administering the controls
  ◦ Not always aligned
  ◦ Do not communicate – not aware of gaps or changes in the environment
• Decision-making authority does not reside at the right level
  ◦ Lack of clarity over who can make decisions
• Owners and approvers are not identified
  ◦ May have changed over time
  ◦ Documentation not maintained

Page 5: Understanding Compliance Objectives and Solution

• Finance organization is usually responsible for setting objectives
  ◦ Do not always have detailed knowledge of the SAP solution
  ◦ Are the objectives really aligned with the business perception of risk?
    ▪ Too many/too few
    ▪ Do not reflect risk profile
• Business finds it difficult to manage the volume of process controls
  ◦ Testing, monitoring
  ◦ Unable to prioritize
• Administrators do not understand the risks being mitigated
  ◦ Controls may not be implemented correctly or at all

Page 6: Unwieldy Processes That Are Overly Complex

• Processes often have unnecessary steps and checks built in
  ◦ Inefficient processes that take too long
  ◦ No value add
• Increased risk to the organization
  ◦ Users bypass the process just to “get things done”
  ◦ No controls
    ▪ E.g., users sharing powerful IDs
    ▪ E.g., changes made directly in production
• Increased cost
  ◦ Support costs increase along with the cost of non-compliance
  ◦ Investigate and resolve issues
  ◦ Financial loss incurred

Page 7: Gaps in the Supporting Technology

• Difficult to maintain compliance without some degree of automation …
• … but it needs to be configured correctly to avoid the pitfalls of process complexity
• Workflow approvals
  ◦ Delegation of authority set up?
• Alert monitoring
  ◦ Are you notified when suspicious activity or a compliance breach occurs?
• SoD matrix
  ◦ How easy is it to identify and mitigate potential conflicts?


Page 9: Establish Your Control Framework

• Develop a framework that supports business goals
  ◦ Ensures IT goals are aligned
  ◦ Across the organization
• Identify the core control objectives and prioritize
  ◦ Business risk
  ◦ Complexity
  ◦ Known areas of weakness
• Define and design controls
• Test the effectiveness of the controls
• Document testing for continuous use

Page 10: Build the Right Controls into Your Business Processes

• Business process controls should be identified and applied
  ◦ During an implementation
  ◦ As part of any redesign or enhancement activity
  ◦ May be manual or automated
  ◦ Detective or preventative
• Controls should be commensurate with the associated risk
  ◦ E.g., do not add verification steps if no one will review the output and take action accordingly
• Use control mechanisms to simplify the process wherever possible
  ◦ Workflow tools, e.g., to manage PO approvals, set tolerances

Page 11: Ensure Appropriate IT Controls Are in Place

• Environment build standards are in place and are followed
  ◦ System parameters
  ◦ Security components and audit logging
• Technical change and release management processes are followed
  ◦ Impact assessment completed by appropriately skilled staff
  ◦ Changes are tested
  ◦ Approvers are defined
  ◦ Changes are documented
  ◦ Alignment between production stack and project stack
    ▪ QA and Prod in sync
    ▪ Regression testing

Page 12: Develop Relevant Access Controls Across the Landscape

• Role design concept is documented and maintained
  ◦ End user and support team roles
  ◦ Concept is easy to understand and administer
• Role owners/approvers identified within the business
  ◦ Understand role content and control objectives
• Role documentation is maintained
  ◦ Changes
  ◦ Restrictions and org. levels
• SoD reviews are conducted as part of role build or role change
  ◦ Reviews of single roles and sensitive access checks
  ◦ Conflicts are mitigated
• Changes are tested and approved

Page 13: Access Controls Apply Not Only in Production

• Specific roles defined for non-production access
• SoD checks should still be applied
  ◦ Particular focus on sensitive access
• Data restrictions should be considered
  ◦ Production data available in QA systems for testing?
  ◦ HR, customer, vendor details widely available?
  ◦ Data privacy constraints

Page 14: Implement Efficient User Management Processes

• Ensure processes are aligned with agreed standards
• Determine approvers and document these for support teams
  ◦ Make sure documentation is kept up to date
• Simplify the request form
  ◦ Easy to complete
  ◦ Easy to identify access required
• Use of identity management tools
  ◦ Joiners and leavers
  ◦ Follow up on users that have not logged on for an extended period or have never logged on
  ◦ Contractors/third parties

Page 15: Verify User Management Processes Are Maintained

• Are there well-defined SLAs in place, and are they met?
  ◦ Failures are usually due to:
    ▪ Incomplete request – user does not know what to ask for
    ▪ Lack of “informed” approver
    ▪ Difficult to identify roles to be assigned
• Regular monitoring and audits
  ◦ Access validation by approvers
  ◦ SoD reviews
    ▪ Violations managed down
  ◦ Non-dialog IDs
    ▪ Specific roles
    ▪ Approvals

Page 16: Don’t Forget Patching!

• Process established for managing patches
  ◦ Security patching should be one element in the overall patching approach
  ◦ Where support is outsourced, the contract may be “patch on fail”
  ◦ Assess potential vulnerabilities
• Use EarlyWatch Alerts to flag when security-critical notes have not been applied
• Assess and test security notes in a timely manner
  ◦ Use the monthly SAP Security Patch Day to drive the review process
• Apply patches following standard change and release management processes

Page 17: Monitoring Practices Are Implemented

• Identify key risk areas to be monitored
  ◦ Existing weakness
  ◦ High impact
• Develop KPIs based on good practice and the reality of the environment
  ◦ Audit/Compliance input
  ◦ Only measure what you intend to action
• Agree on owners for KPIs
  ◦ Who will investigate and take action over variances?
  ◦ How do you prioritize activities?

Page 18: Examples of KPIs

• Number of dialog or service users with SAP_ALL
• Number of times Firefighter access has been invoked
• Number of end-user roles with direct table access
• Number of security incidents logged in a reporting period
• KPIs will vary by organization
  ◦ Do the KPIs provide useful information to your organization?
  ◦ Can you measure them?
  ◦ Do you plan to resolve the issues that are identified?

Be prepared to change your KPIs as new areas of risk are identified
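As an added example (not part of the presentation), the following Python computes the user-management follow-ups from Page 14 (never logged on, dormant, expired contractors) and the first KPI from Page 18 (dialog or service users holding SAP_ALL) over a constructed user extract; the field names, user records, review date and the 90-day threshold are assumptions, not real system data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class User:
    name: str
    user_type: str              # SAP user types: "A" dialog, "S" service, "B" system
    last_logon: Optional[date]  # None means the account has never been used
    valid_to: Optional[date]    # end of validity period; None means open-ended
    locked: bool
    profiles: List[str] = field(default_factory=list)

# Constructed sample extract (assumed data, not from any real system).
USERS = [
    User("ALICE",  "A", date(2014, 3, 28), None,              False, ["SAP_ALL"]),
    User("BOB",    "A", date(2013, 9, 1),  None,              False, []),
    User("CARLA",  "A", None,              None,              False, []),
    User("CONTR1", "A", date(2014, 1, 15), date(2014, 2, 28), False, []),
    User("BATCH1", "B", date(2014, 4, 1),  None,              False, ["SAP_ALL"]),
    User("RFC_X",  "S", date(2014, 4, 1),  None,              False, ["SAP_ALL"]),
    User("OLDGUY", "A", date(2012, 1, 1),  None,              True,  []),
]
AS_OF = date(2014, 4, 14)   # review date (constructed)

def never_logged_on(users):
    """Unlocked accounts that were created but never used (Page 14 follow-up)."""
    return sorted(u.name for u in users if u.last_logon is None and not u.locked)

def dormant(users, as_of, days=90):
    """Unlocked dialog users with no logon for more than `days` days.
    Non-dialog IDs are left for the separate review on Page 15."""
    return sorted(u.name for u in users
                  if u.user_type == "A" and not u.locked
                  and u.last_logon is not None
                  and (as_of - u.last_logon).days > days)

def expired_but_unlocked(users, as_of):
    """Leaver/contractor gap: validity period ended but the account is not locked."""
    return sorted(u.name for u in users
                  if u.valid_to is not None and u.valid_to < as_of and not u.locked)

def sap_all_kpi(users):
    """Page 18 KPI: dialog (A) or service (S) users holding the SAP_ALL profile.
    System users are excluded on purpose so the count stays actionable."""
    return sorted(u.name for u in users
                  if u.user_type in ("A", "S") and "SAP_ALL" in u.profiles)

if __name__ == "__main__":
    print("never logged on  :", never_logged_on(USERS))
    print("dormant > 90 days:", dormant(USERS, AS_OF))
    print("expired, unlocked:", expired_but_unlocked(USERS, AS_OF))
    print("SAP_ALL (A/S)    :", sap_all_kpi(USERS))
```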


Page 20: Develop the Supporting Organizational Structure

• The existing organization structure may not support ongoing compliance
• Establish a RACI
  ◦ What are the key compliance-related activities?
  ◦ Which roles are accountable, responsible, etc.?
  ◦ Where are the gaps?
• Publish the RACI and implement it
  ◦ May need to restructure to ensure gaps are closed
  ◦ Will provide clarity on roles and responsibilities to all parties
  ◦ Integration points may require attention
• Governance model will highlight decision-making and ownership

Page 21: Ensure Ongoing Business Stakeholder Engagement

• Responsibility for SAP compliance does not sit only with IT
  ◦ Business must take ownership
    ▪ Identify potential new risks/changes in existing risks
    ▪ Risk and control owners
    ▪ Approver roles
• Partnership between Business – Controls – SAP Security Support
  ◦ Regular conversation and reviews
  ◦ Develop mutual understanding of roles and responsibilities

Increased collaboration will ultimately result in a more secure and compliant environment

Page 22: Establish a Training and Education Programme

• Training and education are important, not as a one-off but ongoing
  ◦ SAP Security
  ◦ IT Support
  ◦ Business and Controls
  ◦ End users
• Link all aspects of the controls environment together
  ◦ How does each area impact the others?
  ◦ Hand-off points
• Regular updates on changes to:
  ◦ Process
  ◦ Risks/Mitigations
  ◦ Approvers

Page 23: Keep Outsource Providers Involved

• Ultimate accountability for risk management and compliance sits with the organization, not the outsource provider
• Partnership with outsource providers (win-win approach)
  ◦ Support function
    ▪ Implement/administer based on organization “rules”
  ◦ Auditors
    ▪ Provide input on compliance requirements
    ▪ Can help the support organization develop a response to requirements

Third parties can bring experience and an alternative perspective to help achieve compliance goals


Page 25: ARA Enables Greater Transparency Over Access Conflicts

• As a rule, audit findings focus on Segregation of Duties (SoD) conflicts
• Implementing ARA (Access Risk Analysis) will enable the organization to:
  ◦ Document a wide range of business rules plus sensitive access restrictions
  ◦ Identify potential risks at a granular level and mitigate them
  ◦ Avoid SoD issues altogether through simulations during role build and user assignment
  ◦ Promote ownership of SoD management within the business
    ▪ Risk owners
    ▪ Real-time reporting directly into the business
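As an added example (not the presentation's or SAP GRC's own code), the following Python sketches the kind of rule-based analysis ARA performs: the single-role and sensitive-access checks of Page 12 and the user-assignment simulation of Page 25. The functions, rules, roles, users and mitigating control are constructed sample data, and the transaction codes are illustrative only.

```python
# Business functions as sets of transactions (constructed; tcodes illustrative).
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_INVOICE":  {"FB60", "MIRO"},
    "VENDOR_PAYMENT":  {"F110", "F-53"},
    "TABLE_MAINTAIN":  {"SM30", "SE16N"},
}

# Rule set: risk id -> (level, conflicting functions, description).
# A one-function rule expresses a sensitive-access restriction (constructed).
RISKS = {
    "P001": ("high", ("VENDOR_MAINTAIN", "VENDOR_INVOICE"), "Create a vendor and invoice it"),
    "P002": ("high", ("VENDOR_INVOICE", "VENDOR_PAYMENT"), "Post and pay own invoices"),
    "B001": ("critical", ("TABLE_MAINTAIN",), "Direct table maintenance"),
}

# Roles -> transactions, users -> roles, approved mitigations per (user, risk).
ROLES = {
    "Z_AP_CLERK":  {"FB60", "MIRO"},
    "Z_MD_VENDOR": {"XK01", "XK02"},
    "Z_TREASURY":  {"F110", "F-53"},
    "Z_BASIS_TAB": {"SM30"},
    "Z_AP_SUPER":  {"XK01", "FB60", "F110"},   # badly built role, assigned to nobody
}
USERS = {"ALICE": {"Z_AP_CLERK", "Z_MD_VENDOR"}, "BOB": {"Z_AP_CLERK"}, "DAVE": {"Z_BASIS_TAB"}}
MITIGATIONS = {("ALICE", "P001"): "MC-017: monthly vendor master change report reviewed by AP"}

def functions_held(roles):
    """A function is held if any of its transactions is reachable through `roles`."""
    tcodes = set().union(*(ROLES[r] for r in roles)) if roles else set()
    return {f for f, tc in FUNCTIONS.items() if tcodes & tc}

def risks_for(roles):
    """Risk ids triggered by a set of roles, regardless of mitigation."""
    held = functions_held(roles)
    return sorted(rid for rid, (_lvl, funcs, _d) in RISKS.items()
                  if all(f in held for f in funcs))

def single_role_risks(role):
    """Page 12: review one role in isolation during role build. A role that
    carries a conflict on its own should be rebuilt, not mitigated per user."""
    return risks_for({role})

def analyze_user(user):
    """Page 25: granular user analysis; each hit is 'violation' or 'mitigated'."""
    return {rid: ("mitigated" if (user, rid) in MITIGATIONS else "violation")
            for rid in risks_for(USERS.get(user, set()))}

def simulate_assignment(user, new_roles):
    """Page 25: risks that adding `new_roles` would introduce, checked before provisioning."""
    current = USERS.get(user, set())
    before = set(risks_for(current))
    return {rid: ("mitigated" if (user, rid) in MITIGATIONS else "violation")
            for rid in risks_for(current | set(new_roles)) if rid not in before}

if __name__ == "__main__":
    print("ALICE:", analyze_user("ALICE"), " DAVE:", analyze_user("DAVE"))
    print("BOB + Z_TREASURY ->", simulate_assignment("BOB", ["Z_TREASURY"]))
    print("Z_AP_SUPER on its own ->", single_role_risks("Z_AP_SUPER"))
```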

Page 26: Opportunity to Manage and Control Privileged Access Usage

• Extend use of Firefighter to cover broader privileged access requirements
  ◦ Emergency access
  ◦ Sensitive, one-time access, e.g., year-end scenarios
  ◦ Cutover, project support access
• Good time to review and revise privileged access roles and re-validate usage criteria
  ◦ Who can use them in what scenarios
  ◦ Firefighter owners and approvers
• Automated audit logs provide usage details, but are reliant on reviewers with the requisite knowledge
  ◦ Training needs

Page 27: Enhanced, Automated Access Request Management Process

• Online request form that makes it easier for the user to select the most appropriate access
• Ability to introduce multiple approvers for specific access requests
  ◦ Workflow is key to speeding up the approval process whilst ensuring the right controls are in place
• Ability to provision access directly based on approval
  ◦ Reduces risk of human error
  ◦ Potential to reduce cost of compliance over time

Page 28: Enhanced Control Monitoring

• Ability to enhance existing process controls
  ◦ Workflow alerts
  ◦ IT General Controls as well as business controls
  ◦ Real-time view of compliance breaches
• Continuous control monitoring (CCM) to determine whether controls are effective
• Automated testing to reduce audit and compliance footprint
• Potential to integrate with broader transaction monitoring tools in order to identify suspicious transactions
• Trend reporting

Page 29: Simplified Business Role Management Tools

• Role mapping database to facilitate role assignment
  ◦ Translates technical security roles into “business speak”
  ◦ Simplifies the role design and build process
  ◦ Requesters can more easily identify and define new requirements
• Simplified role maintenance and administration
  ◦ Central design repository
  ◦ Easier to control the build process in a larger organization
  ◦ Role derivation is easier to manage with prepopulated org levels
  ◦ Option to store role owner information


Page 31: Standard SAP Tools

• Use Solution Manager central monitoring and reporting
  ◦ EarlyWatch Alerts
    ▪ Security-related SAP Notes (high level)
    ▪ Users with critical authorizations
    ▪ Default passwords of standard users
  ◦ Report through SAP BW (SM 7.10 SP3)
• RSECNOTE
  ◦ Detailed information on security-related notes and their implementation status
  ◦ Requires configuration; see SAP Note 888889.

Page 32: Security Optimization Self-Service

• Perform detailed security analysis
  ◦ Recommended to run quarterly as part of security housekeeping
  ◦ Wider coverage than just using ARA
    ▪ Access to sensitive functionality
    ▪ Security-related parameter settings
    ▪ External authentication
    ▪ SAP Router
    ▪ Java configuration and administration
  ◦ SOS-S checks are regularly updated
  ◦ Audit firms are waking up to external threats


Page 34: Where to Find More Information

• www.isaca.org
  ◦ Contains useful information regarding risk management, compliance and governance, including COBIT
• http://scn.sap.com/community/grc
  ◦ SCN Resource Area for GRC
• https://websmp207.sap-ag.de/securitynotes
  ◦ SAP Security Patch Day information
• https://support.sap.com/content/dam/library/support/support-programs-services/support-services/SIS262_presentation.pdf
  ◦ Cross-system reporting on security notes

Page 35: 7 Key Points to Take Home

• Projects (new implementations, upgrades) are a good opportunity to improve compliance
• Ownership and decision-making authority are the foundation for getting and remaining compliant
• KPIs are essential for baselining and maintaining compliance initiatives
• Effective business engagement is needed to ensure that compliance is not “something IT does”
• Training and education are key tools for developing appropriate skills and behaviors
• Use GRC to automate compliance activities where possible
• SAP provides useful tools to monitor and report on areas that are key focus areas for internal and external auditors

Page 36: Your Turn!

How to contact me:
Barun Kumar
[email protected]
@TwitterUserName

Please remember to complete your session evaluation

Page 37: Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.