SoD & Risk analysis and monitoring - CSI Authorization Auditor

SoD & Risk analysis and monitoring - CSI Authorization Auditor 2016 (CSI AA)

Download the leaflets
CSI Authorization Auditor 2016 Leaflet v10
CSI Authorization Auditor 2016 Brochure Features v02

CSIAA2016 256

Also available as Client/Server version and Software as a Service (SaaS)

CSI Authorization Auditor (CSI AA) is the audit & monitoring application for authorization and role setup in SAP environments. It makes a snapshot of a SAP system to gain insight into the past or current authorization setup of the SAP system.

It reveals weaknesses in your authorization concept but also helps identifying undesired authorizations, accumulation of access rights, unsecured back doors and cross-system Segregation of Duties. Assess your risk exposure by finding inconsistencies between what people are allowed to do, can do, did and can almost do. CSI Authorization Auditor 2016 comes with a pre-defined SoD engine with more than 400 SoD conflicts.

The application further supports the security & control processes by allowing documenting control measures, such as compensating controls.

Functionality

CSI Authorization Auditor maintains the audit queries (rule set) and SoD conflicts (role based). Delta reporting is possible between various analyses. Because transaction code access and authorization access is checked separately, this module can verify the completeness of SAP GRC rule sets. Other features include statistical error reporting such as overwritten organizational values, unused roles, user types, manual and changed authorizations.

CSI Authorization Auditor now also reports all causing information to support remediation projects. The dashboards and trending overviews enable management to monitor the SoD statuses. The user access procedure with preventive SoD analysis ensures that the system stays clean.

CSI Authorization Auditor can be used to document all risks, control objectives and control measures. A control measure can be a manual or a configurable control. Configurable controls are analyzed automatically. It replaces your current documentation with control checks to be performed.

With one license you can audit or monitor an unlimited number of SAP systems and unlimited number of users.

New features

While we retained the trusted features that are so well-known by the wide CSI Authorization Auditor user base, the newly built interface of CSI AA 2016 makes running SAP Security processes simple and convenient.

These new features of CSI Authorization Auditor 2016 will help you get:

Faster results, even with larger data. SAP systems keep getting bigger. CSI AA 2016 can handle large data sets and is faster in analyzing the data. The .Net architecture of CSI Authorization Auditor 2016, doesn't only render data at high speed, it also eliminates the 2GB database restriction that was known as platform memory limitations.
Easier performance of tasks, so less training is needed. A sequence of dialog boxes leads the user through a series of well-defined steps (wizard). Tasks that are infrequently performed are easier to perform using the wizard. CSI AA 2016 supports reporting the right results in the fastest way. Because of the use of the new interface and wizards, users are guided through the application with additional information on the screen, which reduces training effort enormously.
Receive messages automatically. Messages can be distributed according the RACI matrix. Implement the organizations’ responsibility assignment matrix to automate the security task messages. People are informed automatically when they need to perform a task in the security process.
Speed up the reporting process. Work simultaneously with multiple users on the same data to see the results, no more manual report distribution.
Flexible reporting. CSI AA 2016 comes with a large number of useful reports and dashboards. Is the report or dashboard not fitting the business requirements? Customization is also possible, which enables you to make your own reports. End-users can define their own grouping of all data shown on screen and every view can be exported to different formats like .xlsx, .xml, .pdf and .accdb.
Be able to reproduce audit reports all the time. CSI AA 2016 uses two databases; an application database and an archive database. All original SAP data, as well as all the audit results, are saved in the archive. The advantages are enormous. Previous audit result are immediately available if necessary, the audit results can be compared in detail with previous audit results and new audit roles and requirements can be checked against old downloads. Trending dashboards that show the evolution over (a) certain period(s) can be produced within seconds.
More effective security process. New reports and dashboards make it possible to compare the audit results. See if your security results are improving.
Get compliant. With the use of role information and statistical data from your SAP system you can analyze the correctness of your role assignments. CSI 2016 also gives a clear view if access rights are accumulating in the security concept. This information can be used to clean up your authorization concept to get in compliance.
Gain insight into inconsistencies. All analyses are done separately on authorization level and transaction code level, including executed information. The differences between these results give authorization managers an immediate insight into inconsistencies in the SAP roles and/or audit rules and/or in the access governance process.
Causing information is available. All audit reports have the full causing information available within insight how these access rights are assigned to users. An indication is given on every level if the user needs the role.
Speed up documenting the security process: Documenting the security process can take a long time. With CSI AA 2016 you can simultaneously implement and document the business process with risks and controls step by step. Add any information about the security process to CSI AA 2016 and make changes on the fly. Use CSI AA 2016 to quickly document the security process.
Information available at your fingertips. Useful user information can now be found in CSI AA 2016. Always wanted to know which roles are assigned to the user, which transactions a user can (and did) execute (even if the transactions are already removed) and which authorizations is assigned to the user in his user buffer? All this, and more information is available.
Reduce time, automate your controls. SAP table values can be checked automatically against pre-defined values. Reduce your monitoring time with automated monitoring.
Prove that you are compliant. All the compliance data (like test evidence, compensating controls, business model, etc.) is stored in CSI AA 2016. With all the information in one place, you can easily prove you are compliant.
Save on SAP license costs. Are you paying too much for SAP licenses? Reduce expensive license costs and pay only for the licenses and authorizations you really need. CSI AA 2016 gives a clear overview of all your SAP licenses.
Control the changes. CSI AA 2016 logs all changes made to the rule sets.

Gains

Information available at your fingertips. On user level all information available:

all indirect roles assigned,
user buffer details,
all transaction codes a user can execute,
all transaction codes executed by the user in the past (even if the user no longer has access).
Flexible reporting. The end-user can define its own grouping of all data shown on the screen and every grid can be exported to .xlsx, .xml, .pdf, .accdb.
Causing information is available. All audit reports have the full causing information available with insight into how these access rights are assigned to users. On every level an indication is given if the user needs the role.
Less training needed. A new interface and wizards guide users through the application. Additional information is given on-screen which reduces training effort enormously.
Be able to reproduce audit reports at all time. CSI AA uses two databases; an application database and an archive database. All original SAP data as well as all the audit results are saved in the archive. The advantages are enormous. Previous audit result are immediately available if necessary, the audit results can be compared in detail with previous audit results and new audit roles and requirements can be checked against old downloads. Trending dashboards that show the evolution over (a) period(s) can be produced within seconds.
Gain insight into inconsistencies. All analyses are done separately on authorization level and transaction code level and executed information. The differences between these results give experts an immediate insight into inconsistencies in the SAP roles and / or audit rules and / or in the access governance process.

Benefits

Efficient (ROI)

Can be done online with instant access to intelligence reports
Root cause analysis is done automatically and available on screen

Effective (Best Practice / Security Improvement)

Mergers: IT risks are known within a week
QA check on your SAP monitoring system
Simulation on rule changes
How much does the system deviate
Preventive SOD analysis can be run
Full root cause analysis done in each SoD report

Tuned for business readiness

Dynamic and pointed on demand on any SAP system
Mergers: process & IT risks are known within a week
Report on Desired State versus Actual State

Client/Server

Maybe the biggest advantage of CSI Authorization Auditor is that the application can also be installed as a Client/Server application. All the above advantages of the PC based solution are also applicable for this version since they are the same application. But since the data is now centralized on a server the following additional advantages come into play:

Collaborating is easy;
Auditor does no longer need to distribute audit reports since auditee and management have access to the reports themselves;
By using a server, the performance will increase;
Virtual PC, VM-Ware, Remote Desktop are supported by the application.

CSI Authorization Auditor Client/Server is a fully-automated application:

No manual intervention is needed anymore;
The complete audit cycle, incl. downloads, audit runs and report distribution can be scheduled;
Continuous monitoring;
End-users no longer need to have access to the application since a Web User Interface is available;
Data is filtered so that a responsible only sees their data;
Dynamic Dashboarding is also accessible via web interface.

Value proposition of CSI Authorization Auditor 2016 Client/Server

The Client/Server application will drastically improve your SAP Access Governance with efficiency, effectiveness and business agility.

Efficient (ROI)

Less training
Higher performance
Automated audit runs
Lower Total Cost of Ownership (TCO)

Effective (Best Practice / Security Improvement)

Access to intelligence reports
Root cause analysis is done automatically
Simulations possible
Trending dashboards available

Business Agility

Client/Server
Email integration
Web based User Interface

SaaS

CSI Authorization Auditor 2016 is also available as a SaaS license. Our SaaS environment (also dedicated available) has advantages compared to the local installation and can be used with or without VPN connection to your SAP environment(s).

High adoption. With Software as a Service (SaaS) the application is available from any computer or any device, any time and anywhere.
Lower initial costs. CSI Authorization Auditor SaaS application is subscription based. No license fees mean lower initial costs. Having CSI tools manage the IT infrastructure means lower IT costs for hardware, software, and the people necessary to manage it all.
Painless upgrades. Because CSI tools manages all updates and upgrades, there are no updates for customers to download or install. CSI tools also manages availability, so there’s no need for customers to add hardware, software, or bandwidth as the user base grows.
Seamless integration. CSI tools can scale indefinitely to meet the customer's demands. CSI tools also offers customization capabilities to meet specific needs. A VPN connection to your SAP system is possible so you can fully automate and integrate with the SAP systems.