Security User Segregation of Duties - SAP GRC |
Abstract
A major Irish organisation had a requirement to ensure that their SAP user access was appropriately provided. It was discovered that security management processes for SAP were not operating effectively. A two stage project was implemented to strengthen controls.
Challenge
SAP had been implemented a couple of years ago, at which time role and user access design did not take Segregation of Duties fully into account. The user base included over 10,000 users of which over 100 were Super Users. It was found that many users had excessive access rights.
Security management processes for SAP were not operating effectively. Appropriate detective and preventative security controls had not been implemented. This led to inappropriate and excessive system access as well as unmonitored system activity. Consequently, there was a heightened risk of service disruption or financial and reputational loss.
Approach
The decision was taken to split the project into two Phases:
- Phase I would be the ‘Sprint – Get Clean’ phase, and
- Phase II would be the ‘Marathon – Stay Clean’ phase.
Phase I had to be completed for the year-end deadline to support SOX. This posed a number of risks, the main risk being that we would be making serious changes to the SAP system and user access privileges during the lead up to year-end.
The SAP Virsa tools for Compliance Calibrator and Firefighter had already been installed on the clients SAP system. The Compliance Calibrator tool is made up of over 15,000 SoD rules across the various SAP modules. The tool is used to identify the SoD risks of the various roles and users and to help remediate and mitigate these risks. The Firefighter module is an audit tool that helps to manage privileged and emergency access.
Our approach was based on a four step implementation:
Understand the ‘As-Is’ situation
- Installed and generated the first reports.
- Performed a fit gap analysis between existing SoD rules and the SAP Compliance Calibrator rule set.
- Determined which rules needed to be changed or created.
- Executed Risk Analysis Reports in SAP Compliance Calibrator for Single
Roles and profiles
- Eliminated unnecessary conflicts in the roles and created new roles where required.
Achieve a compliant status
- Executed Risk Analysis Reports in SAP Compliance Calibrator at user level.
- Ensured integrity of reporting and eliminated unnecessary conflicts.
- Resolved conflicts and ensured that SOX compliance requirements were met.
- Documented all mitigating controls where required.
- Transferred ownership of the SoD issues to the business process owners.
Maintaining compliance
Without changes to how access is granted and business ownership of the processes, the compliance status achieved will quickly degenerate into a non-complaint status therefore ongoing monitoring of all mitigating controls is necessary.
Dealing with exceptions and privileged access
- Determined which transactions to be configured for the Firefighter tool.
- Agreed on who the Firefighter users, owners and controllers would be.
- Allocated privileged and emergency access using the Firefighter tool.
- Ongoing monitoring of the use of the Firefighter tool.
Solution
We were successful in mitigating over 25,000 SoD conflicts across the organisation. By the year-end deadline the following modules Basis, Finance, Procurement, HR and Payroll were completed. There was no longer a major control issue in the security management area for SAP.
