SoD & Risk analysis and monitoring - CSI Authorization Auditor

SoD & Risk analysis and monitoring - CSI Authorization Auditor 2019 (CSI AA)

Download the leaflets
CSI AA 2019 Leaflet - v12
CSI AA 2019 Brochure - v03

CSIAA2016 256

Available on-premise as multi-user Client/Server or single-user PC version and in the cloud as Software as a Service (SaaS)

CSI Authorization Auditor (CSI AA) is the audit & monitoring application for authorization and role setup in SAP environments. It makes a snapshot of a SAP system to gain insight into the past or current authorization setup of the SAP system.

CSI AA reveals weaknesses in your authorization concept but also helps identifying undesired authorizations, accumulation of access rights, unsecured back doors and cross-system Segregation of Duties. Assess your risk exposure by finding inconsistencies between what people are allowed to do, can do, did and can almost do. CSI Authorization Auditor comes with a pre-defined SoD engine with more than 400 SoD conflicts.

CSI AA further supports the security & control processes by allowing documenting control measures, such as compensating controls.

Functionality

CSI Authorization Auditor maintains the audit queries (rule set) and SoD conflicts (role based). Delta reporting is possible between various analyses. Because transaction code access and authorization access is checked separately, this module can verify the completeness of SAP GRC rule sets. Other features include statistical error reporting such as overwritten organizational values, unused roles, user types, manual and changed authorizations.

CSI Authorization Auditor now also reports all causing information to support remediation projects. The dashboards and trending overviews enable management to monitor the SoD statuses. The user access procedure with preventive SoD analysis ensures that the system stays clean.

CSI Authorization Auditor can be used to document all risks, control objectives and control measures. A control measure can be a manual or a configurable control. Configurable controls are analyzed automatically. It replaces your current documentation with control checks to be performed.

With one license you can audit or monitor an unlimited number of SAP systems and unlimited number of users.

Features

CSI Authorization Auditor will help you get:

Faster results, even with larger data. SAP systems keep getting bigger. CSI AA can handle large data sets and is efficient in analyzing the data. The .NET architecture of CSI Authorization Auditor doesn't only render data at high speed, it also eliminates the 2GB database restriction that was known as a platform memory limitation.
Easier performance of tasks, so less training is needed. A sequence of dialog boxes guides the user through a series of well-defined steps (wizard). Tasks that are infrequently performed are easier to perform using the wizard. CSI AA supports reporting the right results in the fastest way. Because of the use of the new interface and wizards, users are guided through the application with additional information on the screen, which reduces training effort enormously.
Receive messages automatically. Messages can be distributed according the RACI matrix. Implement the organizations’ responsibility assignment matrix to automate the security task messages. People are informed automatically when they need to perform a task in the security process.
Speed up the reporting process. Work simultaneously with multiple users on the same data to see the results, no more manual report distribution.
Flexible reporting. CSI AA comes with a large number of useful reports and dashboards. Is the report or dashboard not fitting the business requirements? Customization is also possible, which enables you to make your own reports. End-users can define their own grouping of all data shown on screen and every view can be exported to different formats like .xlsx, .xml, .pdf and .accdb.
Be able to reproduce audit reports all the time. CSI AA uses two databases; an application database and an archive database. All original SAP data, as well as all the audit results, are saved in the archive. The advantages are enormous. Previous audit results are immediately available if necessary, the audit results can be compared in detail with previous audit results, while new audit roles and requirements can be checked against old downloads. Trending dashboards that show the evolution over (a) certain period(s) can be produced within seconds.
More effective security process. New reports and dashboards make it possible to compare the audit results, which enable to user to see if security results are improving.
Get compliant. With the use of role information and statistical data from your SAP system you can analyze the correctness of your role assignments. CSI also gives a clear view if access rights are accumulating in the security concept. This information can be used to clean up your authorization concept to get in compliance.
Gain insight into inconsistencies. All analyses are done separately on authorization level and transaction code level, including executed information. The differences between these results give authorization managers an immediate insight into inconsistencies in the SAP roles and/or audit rules and/or in the access governance process.
Causing information is available. All audit reports have the full causing information available within insight how these access rights are assigned to users. An indication is given on every level if the user needs the role.
Speed up documenting the security process: Documenting the security process can take a long time. With CSI AA you can simultaneously implement and document the business process with risks and controls step by step. Add any information about the security process to CSI AA and make changes on the fly. Use CSI AA to quickly document the security process.
Information available at your fingertips. Useful user information can now be found in CSI AA. Always wanted to know which roles are assigned to the user, which transactions a user can (and did) execute (even if the transactions are already removed) and which authorizations is assigned to the user in his user buffer? All this, and more information is available.
Reduce time, automate your controls. SAP table values can be checked automatically against pre-defined values. Reduce your monitoring time with automated monitoring.
Prove that you are compliant. All the compliance data (like test evidence, compensating controls, business model, etc.) is stored in CSI AA. With all the information in one place, easily prove you are compliant.
Save on SAP license costs. Are you paying too much for SAP licenses? Reduce expensive license costs and only pay for the licenses and authorizations you really need. CSI AA gives a clear overview of all your SAP licenses.
Control the changes. CSI AA logs all changes made to the ruleset(s).

Gains

Information available at your fingertips. On user level all information available:

all indirect roles assigned,
user buffer details,
all transaction codes a user can execute,
all transaction codes executed by the user in the past (even if the user no longer has access).
Flexible reporting. The end-user can define its own grouping of all data shown on the screen and every grid can be exported to .xlsx, .xml, .pdf, .accdb.
Causing information is available. All audit reports have the full causing information available with insight into how these access rights are assigned to users. On every level an indication is given if the user needs the role.
Less training needed. A new interface and wizards guide users through the application. Additional information is given on-screen which reduces training effort enormously.
Be able to reproduce audit reports at all time. CSI AA uses two databases; an application database and an archive database. All original SAP data as well as all the audit results are saved in the archive. The advantages are enormous. Previous audit result are immediately available if necessary, the audit results can be compared in detail with previous audit results and new audit roles and requirements can be checked against old downloads. Trending dashboards that show the evolution over (a) period(s) can be produced within seconds.
Gain insight into inconsistencies. All analyses are done separately on authorization level and transaction code level and executed information. The differences between these results give experts an immediate insight into inconsistencies in the SAP roles and / or audit rules and / or in the access governance process.

Benefits

Efficient (ROI)

Fast installation - up & running after installation
Can be done online with instant access to intelligence reports
Root cause analysis is done automatically and available on screen

Effective (Best Practice / Security Improvement)

Mergers: IT risks are known within a week
QA check on your SAP monitoring system
Simulation on rule changes
How much does the system deviate
Preventive SOD analysis can be run
Full root cause analysis done in each SoD report

Tuned for business readiness

Dynamic and pointed on demand on any SAP system
Mergers: process & IT risks are known within a week
Report on Desired State versus Actual State

Client/Server

Maybe the biggest advantage of CSI Authorization Auditor is that the application can also be installed as a Client/Server application. All the above advantages of the PC based solution are also applicable for this version since they are the same application. But since the data is now centralized on a server the following additional advantages come into play:

Collaborating is easy;
Auditor does no longer need to distribute audit reports since auditee and management have access to the reports themselves;
By using a server, the performance will increase;
Virtual PC, VM-Ware, Remote Desktop are supported by the application.

CSI Authorization Auditor Client/Server is a fully-automated application, to fully automated your audit cycle:

No manual intervention is needed anymore;
The complete audit cycle, incl. downloads, audit runs and report distribution can be scheduled;
Continuous monitoring;
End-users no longer need to have access to the application since a Web User Interface is available;
Data is filtered so that a responsible only sees their data;
Dynamic Dashboarding is also accessible via web interface.

Value proposition of CSI Authorization Auditor Client/Server

The Client/Server application will drastically improve your SAP Access Governance with efficiency, effectiveness and business agility.

Efficient (ROI)

Less training
Higher performance
Automated audit runs
Lower Total Cost of Ownership (TCO)

Effective (Best Practice / Security Improvement)

Access to intelligence reports
Root cause analysis is done automatically
Simulations possible
Trending dashboards available

Business Agility

Client/Server
Email integration
Web based User Interface

SaaS

CSI Authorization Auditor is also available in the cloud as a SaaS license. Our SaaS environment (also dedicated available) has advantages compared to the local installation and can be used with or without VPN connection to your SAP environment(s).

High adoption. With Software as a Service (SaaS) the application is available from any computer or any device, any time and anywhere.
Lower initial costs. CSI Authorization Auditor SaaS application is subscription based. No license fees mean lower initial costs. Having CSI tools manage the IT infrastructure means lower IT costs for hardware, software, and the people necessary to manage it all.
Painless upgrades. Because CSI tools manages all updates and upgrades, there are no updates for customers to download or install. CSI tools also manages availability, so there’s no need for customers to add hardware, software, or bandwidth as the user base grows.
Seamless integration. CSI tools can scale indefinitely to meet the customer's demands. CSI tools also offers customization capabilities to meet specific needs. A VPN connection to your SAP system is possible so you can fully automate and integrate with the SAP systems.