SAP systems contain business critical data and needs to be secured. But investing in security means investing time and money. It is always difficult to find a budget for security related tasks. But do note that the costs for non-compliancy like damage to the brand, fines and penalties, theft of proprietary and loss of revenue are way higher than investing in a good solution for compliancy.
When starting implementing compliancy, there are two approaches that can be taken:
a fragmented approach: The organization first focus is on one security aspects first, like SoD conflicts. Especially after the introduction of the Sarbanes Oxley Act (SOX) we could see an increase of interest that companies were searching for a solution to report their SoD conflicts and finding a way how to solve them, like removing authorizations from users or defining compensating controls. This was often a one-time project and can be a good starting point for a compliant organization, but organizations have to be aware that there are more security aspects than SoD conflicts and that they have to broaden their scope eventually. When this insight is there, the compliance activities can expand to cover all risks within the organization and the GRC maturity grows.
- a global approach: the insight into GRC aspects is gained first, and all compliance related tasks and activities are inventoried. Afterwards one global GRC solution is acquired. The technology is already available to support organizations’ global GRC.
In both approaches, the most important (first) step is that the boardroom must be involved in defining compliancy for the organization. This set of rules must then be translated into the technical details by the underlying layer. If this is done, everybody will understand the risks and there will be commitment within the whole organization.
Another aspect where boardroom must be involved, is in the reporting. The reporting of the risk findings must be a multi-layer activity. Visibility in risks and controls must be reported to high level management to manage risk and compliancy optimally and to achieve a good return on their GRC technology investment. Technical details about the security risks are also needed to have insights into mitigating the risk. A good GRC solution needs to cover these different layers of reporting.
CSI tools simplifies GRC for SAP environments. CSI tools’ GRC solution covers all aspects to support the compliancy processes within the organization. CSI tools’ GRC suite is divided in five different solutions to audit, analyze, handle user requests, emergency requests and build and maintain compliant roles. Both the fragmented approach and the global approach for implementing compliancy within the organization is supported by CSI tools’ solution since the tools can also be licensed separately.
CSI tools gives its customers guidance to simplify the complexity of the SAP authorization concept by splitting it into two layers: a governance layer and a technical layer. The main advantage lies in the fact that access governances become transparent. The management can focus on the governance aspects and the technical people can focus on technical layer and get the instructions through the governance layer. CSI tools' solutions have a unique approach. They structure the technical security data into 300 data elements that are easy to understand and interpret within all layers of the organization.
The focus in CSI tools’ GRC solution for SAP environments not only about reporting, but also on mitigation of risks. Dash boarding overviews for high level management, for example the insight in risk vs. mitigation effort, makes it possible to manage risk and compliancy optimally and to achieve a good return on the technology investment. While the technical details are available for the technical layer. Using the information about the used roles and transactions in the system simplifies the remediation part.