SAP access risk Archives - InsideSAP Asia
https://insidesap.asia/tag/sap-access-risk/
The independent resource for SAP professionals in Asia

Can Pablo Escobar teach us something about Risk Management?
https://insidesap.asia/can-pablo-escobar-teach-us-something-about-risk-management/
Sun, 13 Mar 2022 21:00:00 +0000
Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion-dollar-a-year industry with many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a 10–15 year period, everyone knew the city where he resided, yet some of the most powerful government agencies could not catch him?

The answer is that Escobar was brilliant at managing risk. He not only had a very clear idea of what his risks were, but he implemented a strategy to mitigate those risks that was better than any organisation has today.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information whenever there was a risk. From street kids to grandmothers vending food on street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, it was assumed they were a DEA agent and they would be followed and monitored. When the Colombian army made their move on Escobar, a street vendor noticed many army trucks leaving the barracks and thought that could only be for one reason – and subsequently alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15–20 years. They understand their area of the business and its business processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area; it’s because the organisation has not implemented the processes and solutions needed to empower those users to participate in risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation for many years and/or have an in-depth knowledge of their area of the business, as well as a clear understanding of the risks – you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which results in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process where people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process the first liners could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.

About Soterion

Soterion is an international leading provider of governance, risk and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on translating this complexity into a business-friendly language to enable better decision making and business accountability.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

The Hidden Benefits of Customising Your Organisation’s SAP Access Risk Rule Set
https://insidesap.asia/the-hidden-benefits-of-customising-your-organisations-sap-access-risk-rule-set/
Sun, 12 Dec 2021 21:00:00 +0000
At Soterion, a study was recently conducted to find out how many organisations have customised their SAP access risk rule set.

Surprisingly, it was discovered that more than half of the companies surveyed haven’t customised their rule sets and are still using the vendor’s out-the-box standard rule set. This comes as a surprise considering SAP access risk rule set customisation is a common recommendation by many of the Big 4 audit firms.

SAP access risk rule sets typically contain risks for the following categories:

  • Segregation of Duties (SOD)
  • Critical Transactions
  • Data Privacy

There are a number of benefits to customising these rule sets – and yes, some of these are obvious. But for many organisations, the advantages of customising your SAP access risk rule set aren’t immediately apparent.

Here are some reasons to customise your SAP access risk rule sets that you might already know about (and some you might not have considered).

Benefit 1: Reduce the cost and effort of managing irrelevant risks

The out-the-box rule set has been defined for all industries, and chances are that not all of its risks will be applicable to your organisation’s needs. Every access risk in the rule set requires some level of effort (which has a cost implication) to manage.

By removing risks that are not applicable to your organisation, you will reduce the effort and costs involved in managing those risks.

Benefit 2: Get better coverage of all your processes

The out-the-box rule sets generally cover the main business processes such as Procure to Pay, Order to Cash, Finance, Materials Management, and Hire to Retire. But some of the not-so-common business processes such as IS Health, Media, Insurance, and Global Trade Services are not included in many of the out-the-box rule sets. By adding these risks to the rule set, your organisation has better coverage of all your processes.

The more common scenario with regard to updating the rule set is adding custom functionality. As out-the-box rule sets do not contain any custom transactions (Z tcodes), it is important to add these to the rule set. For example, if the organisation has created a custom version of VA01 (e.g. ZVA01) that performs a similar function to VA01 and allows users to create Sales Orders, it should be added to the rule set.

Benefit 3: Get more business buy-in for GRC activities

As detailed above, when using an out-the-box rule set, many of the risks are not relevant to your organisation. What often happens is that business users lose confidence in GRC activities because they don’t agree with the risks they are being asked to monitor.

For those organisations that struggle to get the necessary business buy-in and participation from their business users in GRC activities, a rule set customisation exercise offers significant benefits in addressing this challenge, in several ways:

  • Monitoring relevant and applicable risks:
    Monitoring risks that the business believes in will enhance their participation and buy-in. This will raise the organisation’s risk awareness.
  • Building understanding of business impact:
    A big challenge for many organisations is that business users do not understand the SOD access risks, resulting in actions being taken without fully understanding the consequences or impact they will have on the business. Rule set projects are usually workshop based, where business users and functional consultants discuss and analyse each risk. This is a useful educational exercise in which each SOD risk is explained in detail, including how fraud could potentially be committed with the conflicting combination of access. Once business users understand the SOD risk, they will have a better understanding of the impact of these risks on the organisation, and thus be able to make more informed decisions as to whether users should have that particular access or not.
  • Defining a Standard Operating Procedure (SOP):
    As it is unlikely that the organisation can operate without any risk violations, there will be a number of end users who have access risks. When a user requests additional access that is in conflict with access they already have, it’s unclear whether the access requested can be approved. As a result, these types of requests often sit in the reviewer’s inbox for several days.

    It’s important to define a policy for risk levels i.e. what is the rule for a simulation for each risk level? Part of the rule set customisation is to define these rules (SOP).

    An example here is:

    • If risk = Critical – access cannot be assigned
    • If risk = High – access can be assigned but with Mitigating Control
    • If risk = Medium – access can be assigned without Mitigating Control

By defining these types of guidelines, your business users are able to make quicker decisions on whether the additional access requested can be approved. This reduces the time that SAP access change requests sit in a manager’s inbox waiting to be approved, which ultimately reduces the business downtime (end-user waiting for requested access) saving your organisation valuable time and costs.
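The three benefits and the SOP above, worked through as an added example that is not part of the article and not any vendor's rule set: a toy SOD rule set in Python in which an industry risk that does not apply is deactivated (Benefit 1), the custom ZVA01 is mapped onto VA01 (Benefit 2), and an access request simulation applies the Critical / High / Medium SOP (Benefit 3). The function names, the rules and ZCLAIM01 are constructed for illustration; the real tcodes are used only as placeholders for "a transaction that grants this function".

```python
from dataclasses import dataclass

# Constructed mapping of business functions to the transactions that grant them.
# A rule conflicts two functions. Illustration only, not a vendor rule set.
FUNCTIONS = {
    "CREATE_SALES_ORDER":      {"VA01"},
    "CREATE_PURCHASE_ORDER":   {"ME21N"},
    "MAINTAIN_VENDOR_MASTER":  {"XK02"},
    "POST_OUTGOING_PAYMENT":   {"F-53"},
    "PROCESS_INSURANCE_CLAIM": {"ZCLAIM01"},  # hypothetical industry-specific custom tcode
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    level: str          # "Critical", "High" or "Medium"
    description: str
    active: bool = True


# Constructed rule set. R3 plays the part of an industry risk that does not apply
# to this organisation and is switched off during customisation (Benefit 1).
RULE_SET = [
    SodRule("R1", "MAINTAIN_VENDOR_MASTER", "POST_OUTGOING_PAYMENT", "Critical",
            "Change a vendor's bank details and then pay that vendor"),
    SodRule("R2", "CREATE_PURCHASE_ORDER", "POST_OUTGOING_PAYMENT", "High",
            "Raise a purchase order and pay the resulting invoice"),
    SodRule("R3", "PROCESS_INSURANCE_CLAIM", "POST_OUTGOING_PAYMENT", "High",
            "Insurance-only risk, not relevant to this organisation", active=False),
    SodRule("R4", "CREATE_SALES_ORDER", "CREATE_PURCHASE_ORDER", "Medium",
            "Create both sales orders and purchase orders"),
]

# Benefit 2: a custom Z transaction that copies a standard one is mapped onto it,
# so a user holding ZVA01 is treated as able to create sales orders.
CUSTOM_TCODE_MAP = {"ZVA01": "VA01"}

# The SOP from the article, one decision per risk level.
SOP = {
    "Critical": "REJECT",
    "High": "APPROVE_WITH_MITIGATING_CONTROL",
    "Medium": "APPROVE",
}
SEVERITY = {"Medium": 1, "High": 2, "Critical": 3}


def normalise_tcodes(tcodes, custom_map=CUSTOM_TCODE_MAP):
    """Replace each custom Z tcode by the standard tcode it is a copy of."""
    return {custom_map.get(t, t) for t in tcodes}


def functions_granted(tcodes, functions=FUNCTIONS):
    """Business functions reachable with the given set of transactions."""
    return {name for name, codes in functions.items() if codes & tcodes}


def find_violations(tcodes, rules=RULE_SET, functions=FUNCTIONS):
    """Active SOD rules whose two functions are both granted by `tcodes`.
    `tcodes` is used as given; pass it through normalise_tcodes() first so that
    Z copies are recognised. Deactivated rules never fire."""
    granted = functions_granted(set(tcodes), functions)
    return [r for r in rules
            if r.active and r.function_a in granted and r.function_b in granted]


def simulate_request(existing_tcodes, requested_tcodes, rules=RULE_SET):
    """Access request simulation: report only the violations the request would
    ADD to what the user already has, and the SOP decision for the worst one."""
    before = {r.rule_id for r in find_violations(normalise_tcodes(existing_tcodes), rules)}
    combined = normalise_tcodes(set(existing_tcodes) | set(requested_tcodes))
    new = [r for r in find_violations(combined, rules) if r.rule_id not in before]
    if not new:
        return "APPROVE", []
    worst = max(new, key=lambda r: SEVERITY[r.level])
    return SOP[worst.level], [r.rule_id for r in new]


if __name__ == "__main__":
    # Without the Z mapping, the out-the-box rule set is blind to ZVA01.
    print("unmapped:", [r.rule_id for r in find_violations({"ZVA01", "ME21N"})])
    print("mapped:  ", [r.rule_id for r in find_violations(normalise_tcodes({"ZVA01", "ME21N"}))])
    for existing, requested in [({"ZVA01"}, {"ME21N"}), ({"XK02"}, {"F-53"}),
                                ({"ME21N"}, {"F-53"}), ({"XK02", "F-53"}, {"VA01"})]:
        print(sorted(existing), "+", sorted(requested), "->", simulate_request(existing, requested))
```

A request that adds no new violation is approved even when the user already carries one (the last case), which is the point of simulating the delta rather than the whole user.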

Whether you need assistance with customising your out-the-box SAP access risk rule set or advice on where to start, Soterion’s team of SAP experts can assist with your unique requirements and help you implement more effective GRC.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

SAP User Access Review – Top 6 considerations for a more effective outcome
https://insidesap.asia/sap-user-access-review-top-6-considerations-for-a-more-effective-outcome/
Mon, 20 Sep 2021 22:00:00 +0000
There are a number of components / activities that make up a Governance, Risk and Compliance (GRC) solution, many of which are back-end activities performed by GRC or SAP security administrators. However, certain GRC activities have a huge touch point with business users, i.e. the business users are the primary users of that functionality, namely:

  • SAP Access Risk Simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time now. However, even with regulations such as SOX / JSOX being in existence for almost 20 years, the requirement to perform a User Access Review is a more recent requirement for many organisations.

In this article, we will take a look at the purpose of a User Access Review and discuss six technical aspects that organisations should consider in order to make the process easier and simpler for the business users.

Why is it Becoming so Important?

The primary driver behind a User Access Review is usually audit. Many regulations, such as the Sarbanes-Oxley (SOX) Act and JSOX, require listed organisations to perform a User Access Review on a periodic basis, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The function of the User Access Review is to review whether that SAP access is still valid at a later point in time. For example, if a person requests access to create Purchase Orders (ME21N) and the request is approved, the appropriate role will be assigned to the user. If this assignment was done on 1 January 2020, who is to say that the access is still relevant for that user on 1 January 2021?

The User Access Review, therefore, provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

There is a need to shift the mindset of the business users from seeing the User Access Review as an audit tick-box exercise to seeing it as a valuable activity in remediating access risk. The reason for doing it should not be to appease audit, but to manage access risk. To support this shift in thinking, however, organisations need to consider several process changes that support the business. It is important for organisations to understand the challenges facing the business users who perform the SAP User Access Review. If the business users find the process onerous and/or challenging, they will push back on it and treat it as a tick-box exercise. The result: the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have? Are SAP role names non-descriptive? Are SAP roles large, containing many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Updating the role design to be descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this could be a great opportunity to re-look at the organisation’s security framework and consider a role redesign that is simpler and more business-friendly, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately, debating SAP role methodologies is like debating religion and politics. People become familiar with one role methodology and do not fully appreciate any other. Most SAP security administrators understand a derived role methodology and have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology is one where you split your transactional access from your organisational-level access. This results in far fewer roles needing to be created – which also means users are assigned fewer roles. Choosing a role methodology that results in fewer role assignments will reduce the effort required by the business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether risk-bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to the users, spreadsheets often do not include usage and risk information. This results in roles being removed from a user even though they contain transaction codes that user is actively using, i.e. the user requires that access to carry out their job function. This causes business disruption, and most of the removed access gets assigned back to these users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.
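The review scoping described in this consideration, worked as an added example that is not Soterion's code or any product's: given role assignments, the tcodes each role grants, the risks the access risk analysis has already attributed to each user's role, a usage log for the review period and last review's approvals, it keeps only risk-contributing assignments, attaches usage evidence so roles in active use are not removed by mistake, and flags assignments approved last time so that new ones stand out. Users, roles, risk ids and usage records are constructed; ZHR_TIME_VIEW is a hypothetical custom tcode.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewItem:
    user: str
    role: str
    risk_ids: tuple          # access risks this role contributes to for this user
    executions: int          # how often the user ran any tcode of the role in the period
    previously_approved: bool
    hint: str                # business-language guidance shown to the reviewer


def scope_review(assignments, role_tcodes, role_risks, usage_log, prior_approvals,
                 risk_only=True):
    """Build the list a line manager reviews.

    assignments     : iterable of (user, role)
    role_tcodes     : role -> set of tcodes the role grants
    role_risks      : (user, role) -> set of risk ids from the access risk analysis
    usage_log       : iterable of (user, tcode) executions during the review period
    prior_approvals : set of (user, role) approved in the previous review
    risk_only       : drop assignments that contribute to no access risk
    """
    usage = defaultdict(int)
    for user, tcode in usage_log:
        usage[(user, tcode)] += 1

    items = []
    for user, role in assignments:
        risks = tuple(sorted(role_risks.get((user, role), ())))
        if risk_only and not risks:
            continue
        executions = sum(usage[(user, t)] for t in role_tcodes[role])
        if executions == 0:
            hint = "not used this period: candidate for removal"
        elif risks:
            hint = "in use and risk-bearing: confirm the need or mitigate"
        else:
            hint = "in use, no risk: low priority"
        items.append(ReviewItem(user, role, risks, executions,
                                (user, role) in prior_approvals, hint))
    return items


def review_summary(items):
    """Counts for a progress dashboard: scope, what is new, what looks unused."""
    return {
        "in_scope": len(items),
        "new_since_last_review": sum(1 for i in items if not i.previously_approved),
        "unused": sum(1 for i in items if i.executions == 0),
    }


# Constructed sample data for one review period.
ASSIGNMENTS = [
    ("alice", "SD_SALES_ORDER_CREATE"), ("alice", "MM_PO_CREATE"),
    ("bob", "MM_PO_CREATE"), ("bob", "FI_VENDOR_PAYMENT"), ("bob", "HR_TIME_DISPLAY"),
    ("carol", "MM_PO_CREATE"),
]
ROLE_TCODES = {
    "SD_SALES_ORDER_CREATE": {"VA01", "VA02"},
    "MM_PO_CREATE": {"ME21N", "ME22N"},
    "FI_VENDOR_PAYMENT": {"F-53"},
    "HR_TIME_DISPLAY": {"ZHR_TIME_VIEW"},      # hypothetical custom tcode
}
# Risk ids as the access risk analysis would attribute them (constructed):
# alice's two roles conflict with each other, bob's PO and payment roles conflict.
ROLE_RISKS = {
    ("alice", "SD_SALES_ORDER_CREATE"): {"R4"}, ("alice", "MM_PO_CREATE"): {"R4"},
    ("bob", "MM_PO_CREATE"): {"R2"}, ("bob", "FI_VENDOR_PAYMENT"): {"R2"},
}
USAGE_LOG = [("alice", "VA01")] * 3 + [("bob", "ME21N")] * 2 + \
            [("bob", "ZHR_TIME_VIEW")] + [("carol", "ME21N")] * 5
PRIOR_APPROVALS = {("alice", "SD_SALES_ORDER_CREATE"), ("bob", "MM_PO_CREATE")}


if __name__ == "__main__":
    scoped = scope_review(ASSIGNMENTS, ROLE_TCODES, ROLE_RISKS, USAGE_LOG, PRIOR_APPROVALS)
    for item in scoped:
        flag = "previously approved" if item.previously_approved else "NEW"
        print(f"{item.user:6} {item.role:22} risks={item.risk_ids} used={item.executions:2} "
              f"[{flag}] {item.hint}")
    print(review_summary(scoped))
```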

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.

  • Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
  • User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of having one large annual User Access Review in which all users’ access is reviewed, see whether it is possible to split this into smaller iterative reviews during the year. This can be split by:

  • Geography: User Access Review done by region.
  • Risk Level: User Access Review done by risk level.
  • SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

Is Your Organisation Managing SAP Access Risk Effectively?
https://insidesap.asia/is-your-organisation-managing-sap-access-risk-effectively/
Mon, 26 Jul 2021 22:00:00 +0000
Soterion’s Governance, Risk and Compliance (GRC) solutions are for organizations of any size and complexity. Soterion’s core offering is an SAP access risk tool, with a focus on converting the technical GRC language into a business-friendly language, to enhance business buy-in and accountability of access risk. This functionality enables clients to effectively manage their SAP authorization solution, by providing the necessary visibility for business accountability of SAP access risk.

Soterion’s GRC Solutions

Soterion’s solution suite enables organizations to gain visibility and effectively manage their access risk exposure. Download our brochure for more details on all of the following solutions.

  • Access Risk Manager

The Access Risk Manager includes core access risk control features to manage SAP access risk. These include identification (Identify Risk), risk remediation (Get Clean), user access change management (Stay Clean simulations), and risk mitigation (Stay in Control).

  • Elevated Rights Manager

The Elevated Rights Manager grants sensitive fire-fighting access in an automated workflow-driven process, and enables your management team to perform a structured review of any activities that were performed during the Elevated Rights Access period.

  • Periodic Review Manager

The Periodic Review Manager allows business users to review access in the context of risk and business processes, ensuring informed and effective decision making. This business-friendly process is easily managed using progress dashboards to expedite the review process. This process will significantly enhance the insight into your GRC environment, as well as being an audit and statutory requirement for many organizations.

  • Central Identity Manager

The Central Identity Manager introduces the Business Role concept to improve efficiencies in the SAP user provisioning process. Standardization of job functions across the organization reduces complexity and the effort required to manage and review SAP user access. The Central User Administration functionality further reduces the support effort and cost to manage user access across the SAP landscape, including non-productive SAP systems.

  • Data Privacy Manager

Manage personal data in SAP and monitor which SAP users have access to sensitive personal information. The Data Privacy Manager analyses all tables in SAP and highlights those that contain fields with personal or sensitive information, categorizing the data by Data Domain (such as bank details, email addresses and ID numbers) and per Data Subject (business partner, vendor, customer, employee and SAP user).

  • Password Self-Service

Soterion provides users with the ability to reset their SAP passwords. This vastly reduces the burden on the authorization support team, saving cost and time. The self-service functionality reduces business down-time by empowering users to reset passwords instantly.

  • Basis Review Manager

SAP Basis Configurations provide system-level controls to secure an SAP system. The Basis Review Manager compares your SAP Basis configuration to an industry best-practice set of rules. Since these configurations usually form part of an annual external audit, our Basis Review Manager will allow you to be prepared, and will establish complete compliance to avoid adverse audit findings.

  • SAP License Manager

The SAP License Manager identifies under-utilized and incorrectly classified SAP User accounts by monitoring user activity in SAP for effective license optimization. This ensures optimal contract management and compliance whilst reducing unplanned and excess costs.

Feel free to email us at info@soterion.com to discuss your organization’s GRC needs.

Innovation in User Experience for Automated Controls

GRC2020 Research, LLC, recognized Soterion with the 2019 GRC User Experience Award. Download the report to find out why our solutions were chosen above the rest.

About Soterion:

Soterion is a leading provider of SAP governance, risk and compliance (GRC) solutions. Soterion’s user-friendly GRC solutions provide SAP customers with in-depth access risk reporting in business-friendly language. This allows organizations to effectively understand and manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on enhancing decision making and business accountability.

Soterion’s plug-and-play GRC solution is easy to learn, S/4HANA ready and boasts an award-winning user experience. Organizations running SAP can make use of Soterion’s GRC security suite either as an on-premise or a secure cloud offering.

As access risk is business risk, Soterion believes that effective GRC is measured by how well the business users can carry out their access risk management activities. Our business-friendly GRC solution enhances the organization’s overall risk awareness by encouraging business buy-in and accountability for access risk.

This page is sponsored by Soterion

Business-Centric GRC – The Future of Effective Access Risk Management (InsideSAP Asia, Sun, 18 Jul 2021; https://insidesap.asia/business-centric-grc-the-future-of-effective-access-risk-management/)
An organisation’s GRC effectiveness is measured by how well the business users perform their access risk management activities.

The vast majority of organisations that have implemented a GRC or access control solution are not seeing the value they should from their GRC investment.

Why is This?

By their nature, GRC solutions are very complex and technical. They have been developed to analyse the transaction codes, authorization objects and fields available in an SAP user’s ‘user buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.

Generally, the more complex the solution, the less uptake from business users. Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to business resistance. Business users will keep pushing these activities back onto IT, with the end result being that the GRC solution will be used predominantly as a back-end solution by the security and GRC teams, with minimal business involvement.

It is important to note that access risk is business risk. An organisation cannot manage its access risk effectively without significant business involvement. Therefore, organisations need to ensure that they implement a business-centric GRC solution if they are serious about managing their SAP access risk.

What Is Business-Centric GRC?

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability for access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle covering the three lines of defence.

The first line of defence is your business or operational user. The second line of defence is your risk and compliance department, and the third line of defence is the audit and assurance department.

The first line of defence should be the strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else. Yet this is often the organisation’s weakest line of defence – not because users do not know the risks or the processes involved, but because the current solutions and processes do not lend themselves to business users taking ownership and becoming accountable.

As mentioned, to facilitate business buy-in, it is important that the solution is business-centric. Business-centric GRC converts technical GRC language into business-friendly language, allowing the business users to not only understand the risks in their area of responsibility, but also facilitate quicker decision making. More informed and quicker decisions reduce the business downtime of SAP users waiting for SAP access requests to be approved and assigned.

Soterion is a leader in business-centric GRC solutions. All features and functionality have been developed from the perspective of the business user. Soterion also recommends that the access risk management processes be practical for the business users to execute.

To illustrate this, consider the User Access Review process, in which business users review their users’ SAP access to determine whether that access is still relevant to their job function. The review typically takes the reviewers many hours to perform. In addition to the effort required by the business to carry out the user access review, it is often the case that the value of the exercise does not justify that effort.

Challenges such as non-descriptive SAP role names make it difficult for the reviewers to know exactly what access and functionality the role entitles users to. Soterion enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users are able to perform a more effective review that has a desirable business outcome. The review takes far less time and yields significant cost savings for the organisation.

Enhancing business accountability of access risk with the use of a business-centric GRC solution will improve the organisation’s overall risk awareness and their ability to manage their risk. Every organisation should therefore be looking to improve their first line of defence by embracing elements of business-centric GRC.

For more information, please contact us at info@soterion.com

This article is sponsored by Soterion
