GRC Tuesdays: What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Cybersecurity, Data Protection, and Privacy pillar
Data privacy and data protection regulations, as well as best practices, require organizations to implement both technical and organisational measures appropriate to the nature of data access and processing, and to the associated risks.
Organizations also need to ensure there are appropriate processes in place to test the effectiveness of both technical controls and policies, and to undertake any required improvements.
This fourth blog in the “What is really SAP Governance, Risk, and Compliance (GRC)?” series will focus on the cybersecurity, data protection and privacy aspects of the portfolio.
Managing data protection and privacy
With that in mind, SAP solutions for Cybersecurity and Data Protection help customers:
- Develop, maintain and implement policies and regulatory compliance, with auditable evidence of gaps and remediation
- Provide technical access, masking and logging controls, geopolitical fencing, and management of digital identities
- Protect system and landscape security, and perform early watches
- Perform risk analysis and records of processing activities, linked technical measures, and data protection events to document and manage the appropriate and legal response
- Implement security frameworks such as the one from the National Institute of Standards and Technology (NIST)
SAP Enterprise Threat Detection – Address cyber-threats with real-time intelligence
Features and functionalities:
- Analyze and efficiently enrich and correlate logs for review
- Evaluate for automated detection of attack patterns with real-time alerting
- Investigate with forensic analysis and modeling of existing and new attack detection patterns and dashboards
- Integrate to collect SAP and non-SAP log data
SAP Privacy Governance – Manage and comply with evolving data privacy regulations
Features and functionalities:
- Manage policies by creating, disseminating, and acknowledging data protection and privacy (DPP) policies
- Survey and track to gather and report on records of processing activities (RoPA)
- Assess business impact by performing data privacy (DPIA) and cybersecurity business impact analysis
- Manage risks and controls to identify and audit related risks and mitigating controls
- Monitor and report on status and details via a unified cockpit
SAP Data Custodian – Gain greater visibility and control of your data in the public Cloud
Features and functionalities:
- Data transparency to monitor and report on data access, storage, movement, processing, and location in the public Cloud
- Data control to create and enforce public Cloud data access, location, movement, and processing policies
SAP UI Logging – Data access transparency and analysis
Features and functionalities:
- Log data access for coherent log of users’ input and system output on the user interface level, enriched with meta information for analysis
- Gain insight to understand how and which data is accessed, and set up alerts in case of access to critical or sensitive data
- Investigate by receiving alerts to specific, questionable activities, and enabling deep-dive into the log file to identify and prove improper data access
- Report to draw on comprehensive access data to report internally and externally
- Integrate with SAP UI Masking for better data protection, and with SAP Enterprise Threat Detection for advanced and automated analysis of access
SAP UI Masking – Protect sensitive information in the user interface layer
Features and functionalities:
- Secure access by determining sensitive fields and applying protective actions in runtime based on users’ authorizations
- Automate authorization by determining users’ special authorization in runtime, based on static roles or dynamic attribute-role settings
- Gain insights to understand who tries and who succeeds in accessing sensitive data, and whether to refine the solution setup
- Integrate by leveraging SAP UI Logging and SAP Enterprise Threat Detection to identify potential data abuse
I hope this helps in introducing the cybersecurity, data protection, and privacy offering from SAP’s Governance, Risk, and Compliance portfolio.
As a reminder, you can find all the other blogs in this series listed below:
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)?
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Enterprise Risk and Compliance pillar (released on 20/04/2021)
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Identity and Access Governance pillar (released on 04/05/2021)
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the International Trade Management pillar (released on 01/06/2021)
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Hi Thomas,
Thanks for the document.
Would you have the DPIA controls that can be mapped in GRC Process Controls?
Regards
Plaban
Hello Plaban Sahoo,
First of all, thank you for your comments on this blog.
Currently, there is no control mapping between SAP Privacy Governance and SAP Process Control. As a result, this is not content that we provide.
Nevertheless, you will be able to find more information about the predefined content in SAP Privacy Governance, including DPIA, in the Quick Start Guide: Compliance Requirements, Records, and Risks
As you will be able to read at the bottom of the page, there is a reference to the “Privacy Risk Detection with SAP Privacy Governance (3KX)” package available from the SAP Best Practices Explorer. I believe this is what you are looking for.
For your convenience, I have pasted the direct link here as well: https://rapid.sap.com/bp/scopeitems/3KX
Finally, if you are also looking for manual and/or automated controls that can be leveraged in SAP Process Control, then I would suggest having a look at the blog on this topic: GRC Tuesdays: Fast Track Your Internal Control Project
I trust this helps.
Kind regards,
Thomas