Surely 2014 was the year of simplicity with SAP’s emphasis on simplification, simplicity, “Run simpler,” or any of the variations on that theme trumpeted loudly and clearly at every SAP event and opportunity. This new emphasis seemed to be well received by customers, and why not? Who *wouldn’t* want their SAP landscape to be simpler and easier to support and sustain? Security is no exception: doing more with less, squeezing a lean team harder to support more projects, more systems, and more users is just the given these days. Assuming that we start with at least a minimum number of well trained and competent SAP security staff, what does it take to simplify security to make it sustainable and bring about sustainable compliance? Here are some suggestions for your consideration.

Consistent security design

In my experience, there is no “one size fits all” security design, except to say that sustainable results are more likely to be achieved with a consistent design. Are your security roles built using the derived role functionality, the enabler role model, or a haphazard mix of both? Is the design task-based, job-role based, or not clearly one or the other? If Business Role Management (BRM) is in use, is the model easy for the business users to understand? Is it your organization’s practice that security roles have standalone integrity, or are some unknown number of them not fully functional unless some other functional role is assigned, which is not documented but “everyone in the plants knows that”? Are end user roles restricted from assignment to the SAP support team, or are exceptions frequent? Whatever approach the organization takes, taking it consistently and documenting it thoroughly will make your security much more sustainable in the long run, reducing both the confusion among the people requesting access and the demands on the security resources to maintain and explain it.

Security design aligned with the business model

Whatever the basis of your security role designs, aligning the designs with the business is imperative for simplification. Otherwise, the requesters and role approvers will find themselves in an endless cycle of submitting requests to the security team for adding and removing roles from users, and adding and removing access from roles, in frustrating attempts to get the access levels just right. But what if the jobs are not defined in a consistent manner? Then there is really very little the security team can do until the HR function works with the business to review the job and task descriptions and improve their consistency.

Organizational standards

In my experience and observation, it is often the case that the organization’s management wishes to have users’ access restricted organizationally, often for compliance reasons. Whether the division is geographically based, product/service line based, data sensitivity based, or some other reason, sustainable security and compliance are much easier to achieve when the rules are documented, applied consistently, and enforced via automation. There is not much point in stating that users with access to one business unit should not have access to data of another business unit when one functional area has a different idea from another of which organizational values represent each business unit, and end users are frequently granted roles from more than one functional area. A rule that cannot be evaluated mechanically against the role definitions cannot be enforced mechanically either.

Furthermore, when the rules must be enforced manually, and approved exceptions are kept in a spreadsheet or file drawer instead of in a GRC toolset, compliance is anything but sustainable.
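The following is an added illustration of the two failure modes just described, not code from the original post and not a feature of SAP GRC. It models, with made-up role names, company codes and a made-up mapping of company codes to business units, a cross-business-unit access check in which two functional areas disagree about which business unit company code 2000 belongs to, and in which approved exceptions carry an expiry date rather than living in a spreadsheet. The check refuses to decide for users whose roles touch an inconsistently mapped organizational value, which is the practical consequence of the inconsistency described above.

```python
"""Cross-business-unit access check over constructed SAP-style role data.

Added illustration only: the functional areas, role names, company codes,
business unit names, users and exception records are all made up for this
example and are not taken from any real system or from SAP GRC.
"""

# Hypothetical: each functional area's own idea of which organizational
# values (here: company codes) belong to which business unit. Finance and
# Logistics disagree about company code 2000, which is exactly the
# inconsistency the post describes.
ORG_VALUE_MAP = {
    "finance":   {"1000": "BU_EU", "2000": "BU_EU", "3000": "BU_US"},
    "logistics": {"1000": "BU_EU", "2000": "BU_US", "3000": "BU_US"},
}

# Hypothetical roles: the owning functional area and the company codes the
# role grants, in the spirit of derived roles restricted by org level.
ROLES = {
    "Z_FI_AP_CLERK_1000": ("finance", {"1000"}),
    "Z_FI_AP_CLERK_3000": ("finance", {"3000"}),
    "Z_LO_WHSE_1000":     ("logistics", {"1000"}),
    "Z_LO_WHSE_2000":     ("logistics", {"2000"}),
}

# Hypothetical user assignments mixing roles from more than one area.
USERS = {
    "JSMITH": ["Z_FI_AP_CLERK_1000", "Z_LO_WHSE_1000"],      # one BU only
    "AKHAN":  ["Z_FI_AP_CLERK_1000", "Z_FI_AP_CLERK_3000"],  # two BUs
    "MLEE":   ["Z_FI_AP_CLERK_1000", "Z_LO_WHSE_2000"],      # touches 2000
}

# Hypothetical approved exceptions: user -> expiry date as an ISO string
# (ISO dates compare correctly as plain strings). A structured record with
# an expiry is what a GRC toolset holds instead of a spreadsheet.
EXCEPTIONS = {"AKHAN": "2015-06-30"}


def conflicting_org_values(org_value_map):
    """Org values that different functional areas map to different BUs."""
    by_value = {}
    for area, mapping in org_value_map.items():
        for org_value, bu in mapping.items():
            by_value.setdefault(org_value, {})[area] = bu
    return {ov: areas for ov, areas in by_value.items()
            if len(set(areas.values())) > 1}


def business_units_for_user(user, users=USERS, roles=ROLES,
                            org_value_map=ORG_VALUE_MAP):
    """Resolve a user's roles to BUs using each role's owning area's mapping."""
    bus = set()
    for role in users[user]:
        area, org_values = roles[role]
        bus.update(org_value_map[area][ov] for ov in org_values)
    return bus


def cross_bu_violations(as_of, users=USERS, roles=ROLES,
                        org_value_map=ORG_VALUE_MAP, exceptions=EXCEPTIONS):
    """Return (violations, undecidable) as of the given ISO date.

    violations:  user -> sorted BUs, for users holding roles in more than
                 one BU without an unexpired exception.
    undecidable: user -> sorted org values that the areas map inconsistently;
                 the rule cannot be evaluated for these users until the
                 mapping itself is made consistent.
    """
    ambiguous = set(conflicting_org_values(org_value_map))
    violations, undecidable = {}, {}
    for user in users:
        touched = set()
        for role in users[user]:
            touched.update(roles[role][1])
        if touched & ambiguous:
            undecidable[user] = sorted(touched & ambiguous)
            continue
        bus = business_units_for_user(user, users, roles, org_value_map)
        excepted = user in exceptions and exceptions[user] >= as_of
        if len(bus) > 1 and not excepted:
            violations[user] = sorted(bus)
    return violations, undecidable


if __name__ == "__main__":
    print("inconsistently mapped org values:",
          conflicting_org_values(ORG_VALUE_MAP))
    print("as of 2015-01-15:", cross_bu_violations("2015-01-15"))
    print("as of 2015-07-01:", cross_bu_violations("2015-07-01"))
```

Run as of 2015-01-15, AKHAN's two-business-unit access is covered by the unexpired exception and MLEE is reported as undecidable because company code 2000 is mapped differently by Finance and Logistics; run as of 2015-07-01, the exception has lapsed and AKHAN becomes a violation. The point is that the automation can only enforce the rule once the organizational values mean the same thing to every functional area and the exceptions are recorded with an expiry the check can read.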

Governance model

So how does an organization that is lacking in any of these areas bring about the changes that are needed for sustainable security and compliance? In my experience, governance is the key. Role designs should not only be required to meet a documented standard, they should also be subject to periodic governance review. If role designs are any which way that the role owner and/or his or her business lead wish, if organizational standards are only a suggestion instead of a policy, if exceptions are numerous and monitored manually, the security team will find themselves in an endless cycle of role and user modifications, which can take so much time and effort that value-added proactive initiatives, such as automating the user access review or some of that manual monitoring, are forever on the back burner. Without a governance model that has teeth, the security team may find themselves the scapegoats for the breaches and non-compliance that are almost inevitable.

I hope that some of these suggestions spark improvement ideas that help bring about simpler and more sustainable security and compliance in your SAP landscape. Are any such initiatives already in the works for 2015 at your organization or among your clients? I welcome your comments and observations. What did I miss that you have found to be key to sustainable security and compliance?

15 Comments

    1. Gretchen Lindquist Post author

      Tammy,

      No, I somehow missed that blog from Steve Lucas, so thanks for the link. I, too, expect security and standards to be key to successful IoT initiatives.

      Thanks for reading, and Happy New Year!

      Gretchen

      (0) 
  1. Colleen Hebbert

    Hi Gretchen

    nice blog to kick the new year off!

    Sustainability is a challenge for so many security and GRC solutions. From observation, I see too many questions in the GRC space about trying to get a solution to work. Based on the questions and wording, it feels like there is too much focus on a technical question with little thought to the process, governance and implementation of such a solution.


    When I design security and GRC solutions, my primary focus is supporting the solution. How do we devise a robust solution that can be transitioned to operations and maintained to a high level long after the project team packs up and moves on?

    You are 100% right that a clearly defined governance model is necessary. GRC solutions need to be positioned as more than a technical product. Access Controls needs to be seen as more than managing user access. The awareness must come back to business risk and integration with job functions. Establishing governance needs to clearly define who is responsible and accountable for the design of the solution (system owner where the buck stops here).

    But as well as that, the procedures and training of Approvers need to clearly define their expectations to avoid a tick and click approach to approval. In addition to governance, clearly defined consequences of non-compliance must be defined, communicated and enforced. This challenge is well and truly beyond a technical resource who comes in and configures GRC.

    So my addition would be that consequences of actions are needed in addition to governance.

    Regards

    Colleen

    (0) 
    1. Gretchen Lindquist Post author

      I like your suggestions, Colleen. I agree completely that training for the approvers and understanding of the consequences of non-compliance are essential for sustainable compliance. Rubber stamp approvals defeat the whole purpose of implementing a GRC solution and process. Thanks for your observations!

      Gretchen

      (0) 
  2. Faisal Khan

    Gretchen,

    I see one more challenge: organizations are not that well equipped with governance knowledge. Secondly, they are not good receivers of GRC solutions.

    There has been a big gap in the source itself which makes it very difficult to design any sustainable solution for them.

    I would add that, lack of Governance knowledge is another challenge.

    Regards,

    Faisal

    (0) 
    1. Gretchen Lindquist Post author

      Faisal,

      I like your suggestion. Yes, certainly, a lack of understanding of governance, often accompanied by an assumption that the GRC tool itself is going to do it all, auto-magically, is a roadblock to sustainable compliance. Thanks for sharing your thoughts.

      Gretchen

      (0) 
        1. Gretchen Lindquist Post author

          Faisal,

          Good question. I think a lot of it is a matter of “tone at the top,” so depending on where you are in the organization, you may or may not have much influence over improving understanding of governance and its importance. If you have auditors at your disposal who are amenable to working with you to bring attention to the matter, you might be able to get inadequate governance written up as a control weakness. Yes, the auditors can be our friends 🙂

          If you are in a position to bring in a consultancy to do a controls review, that can be a good way to bring new focus to governance if it was lacking. Perhaps someone here has had success with improving understanding of governance at an organization and can comment.

          Gretchen

          (0) 
          1. Colleen Hebbert

            Gretchen is right

            Though it doesn’t make it any less frustrating to see a company willing to spend up big on GRC but not take the risks seriously or enforce the cultural change and accountability. These companies may be the type who react to negative audit reports and think purchasing a tool is going to fix their problems without any change in the business.

            Regards

            Colleen

            (0) 
            1. Faisal Khan

              Colleen,

              Thanks for your comment.

              I think we need to be ‘patient’ and keep preparing solution ‘pro-actively’ without much push to deploy them until a point necessitated by such business requirement comes. This will actually build their understanding ‘muscles’ correctly and let them absorb the solution.

              Hope this approach would work 😉

              Regards,

              Faisal

              (0) 
          2. Faisal Khan

            Dear Gretchen,

            Of course, ‘influence’ has a very big impact on rolling out the solution. Lack of it may lead to incomplete results.

            Secondly, making auditors point-of-contact sometimes creates a friction. This does not go well with business departments as they always maintain distance with them.

            At times, access to auditors for the very purpose of designing complete solution is not well received by an organization. Again, as you pointed, ‘influence’ may have here a very big role to play.

            Regards,

            Faisal

            (0) 
            1. Gretchen Lindquist Post author

              Faisal,

              Certainly sometimes there is friction between the business and the auditors, but it has been my experience and observation that the business has, on occasion, taken the message more seriously when it is written up in an audit finding of control weakness compared to the same message coming as a recommendation from the SAP security team. That may not be the case every time, but it has worked for me.

              The analogy that might resonate is to relate building a compliant security model and effective controls environment to building a house. Saws, hammers, and paint brushes are all tools that are used in building a house, but without well trained tool operators following a good process and a solid plan, a house fit for human habitation will not necessarily be the result, and without a good plan for ongoing maintenance, even a very good house will fall into disrepair. Likewise, the SAP GRC suite is a great tool for building a compliance program, but without skilled and trained practitioners and a well thought out process for sustaining the effort including governance, sustainable compliance is not necessarily going to result. In both cases, the tools alone in a one time effort are not enough.

              Gretchen

              (0) 
          3. Gary Prewett

            Gretchen,

            Wading into the conversation a bit late but great blog. Echoing both your and Colleen’s sentiments on tools, standards and process: all too often I’ve also seen security policies set at the CIO level or, heaven forbid, the Security Team level. How you get that top-down buy-in is a challenge; you can as mentioned leverage your auditors but I think the key is to help the executive team and/or board of directors understand the business case for a given top-down security policy. In my experience, executives are sometimes reluctant to adopt security policies because they aren’t sure what adoption of a given security policy will cost them; they’re afraid of “Trojan horse” policy requirements that require large capital investment to comply with. Giving them guidance on both the technical policy aspect and a pragmatic understanding of impact to the organization is often helpful in getting a corporate security policy adopted.


            I do see regulatory compliance becoming more prescriptive and less risk-based (similar to the PCI Data Security Standard), and expect more compliance mandates around executive-driven security policy in the future.

            (0) 
            1. Gretchen Lindquist Post author

              Gary,

              Thank you for joining the conversation; it is never too late to discuss sustainable security. I absolutely agree that top-down executive buy-in is essential, and yes, sometimes a capital investment is needed to correct a control weakness. These days there have been so many high profile security breaches involving data loss and the resultant loss of consumer and/or investor confidence (e.g. Target), one would hope that executives would be more open to pragmatic recommendations. It may cost a little now, but inaction could cost even more.

              Thanks again for sharing your observations.

              Gretchen

              (0) 