Security User Segregation of Duties - SAP GRC
A major Irish organisation had a requirement to ensure that their SAP user access was appropriately provided. It was discovered that security management processes for SAP were not operating effectively. A two stage project was implemented to strengthen controls.
SAP had been implemented a couple of years ago, at which time role and user access design did not take Segregation of Duties fully into account. The user base included over 10,000 users of which over 100 were Super Users. It was found that many users had excessive access rights.
Security management processes for SAP were not operating effectively. Appropriate detective and preventative security controls had not been implemented. This led to inappropriate and excessive system access as well as unmonitored system activity. Consequently, there was a heightened risk of service disruption or financial and reputational loss.
The decision was taken to split the project into two Phases:
Phase I had to be completed for the year-end deadline to support SOX. This posed a number of risks, the main risk being that we would be making serious changes to the SAP system and user access privileges during the lead up to year-end.
The SAP Virsa tools for Compliance Calibrator and Firefighter had already been installed on the clients SAP system. The Compliance Calibrator tool is made up of over 15,000 SoD rules across the various SAP modules. The tool is used to identify the SoD risks of the various roles and users and to help remediate and mitigate these risks. The Firefighter module is an audit tool that helps to manage privileged and emergency access.
Our approach was based on a four step implementation:
Understand the ‘As-Is’ situation
Roles and profiles
Achieve a compliant status
Without changes to how access is granted and business ownership of the processes, the compliance status achieved will quickly degenerate into a non-complaint status therefore ongoing monitoring of all mitigating controls is necessary.
Dealing with exceptions and privileged access
We were successful in mitigating over 25,000 SoD conflicts across the organisation. By the year-end deadline the following modules Basis, Finance, Procurement, HR and Payroll were completed. There was no longer a major control issue in the security management area for SAP.