Visit our website here
https://www.aglea.com
00:00 - Intro
00:28 - Managing a SoD process
00:45 - SoD management project steps
01:14 - Remediation activities
02:09 - Mitigation phase
02:56 - Risks without defining continuous compliance processes over time
04:02 - Follow us
04:15 - Find out more
Managing the Segregation of Duties in SAP
Self-help is the best help! I am in charge and therefore I must have all the authorizations of my co-workers!
Perhaps you have already encountered similar attitudes in your company. However, all of this goes against the principle of separation of duties.
Let's find out in this video how you should approach a segregation of duties project in your company, particularly in the SAP environment!
INTRO
Hi, my name is Fabio, and today we are going to take a look at how you should deal with, and start, the management process for the separation of duties in your company.
Where should you begin? How long does it take? Is it a project or a process? How should you start?
A SoD management project involves the following steps:
1) Defining the business risk matrix
2) Risk Analysis of the systems involved
3) Remediation activities downstream of risk analysis
4) Mitigation activities or risk mitigation
5) Defining continuous compliance processes over time
Let's go into detail about each of these steps to understand what the focus points are and how best to approach them.
In this video, let's continue with the remediation and mitigation part.
Remediation
In this phase, right after the risk analysis, we need to “clean” the objects of analysis, meaning the technical roles and, finally, the users.
How can a comprehensive risk remediation be carried out? For example, by looking at how the system is actually used by its users. Remember not to violate their rights while doing so.
It is common to achieve as much as a 40 percent risk reduction simply by cleaning up, that is, removing what is authorized but not used.
Focus on the actions that bring greater results and then finish up with what remains.
It is very unlikely to be able to fix all risks with the remediation phase alone.
This is certainly easier in large companies, in terms of the number of employees/SAP users. In small and medium-sized companies, again in terms of the number of users in the system, it is harder to remediate every risk case.
Often, in the latter case, personnel backup needs or processes that cannot be changed make it necessary to introduce mitigating controls. Let us then look at the fourth phase of SoD management.
Let's talk about the Mitigation phase. What does it mean? If, in the previous phase (remediation), it was not possible to resolve all risk situations, then compensating or mitigating controls need to be evaluated.
That is, the risk is accepted, but a control must be introduced so that the risk situation can be monitored.
The mitigation phase can be the most complicated, because it is necessary to properly identify, even at a technical level, the actual evidence of the risk, often by defining ad hoc reports or programs and submitting them to the relevant control owners.
Well, we now have the situation under control: we have removed all the risks we could, and those that remain have been mitigated.
But what happens if we do not put constant checks in our processes? Well, experience leads us to say that after a few months, without checking, you risk returning very quickly to the initial state.
It is for this reason that it is necessary to establish procedures to monitor, daily and periodically, the changes made in the system, in terms of new authorizations or changes to authorizations already issued to users.
Yes, each new request must be analyzed to understand its impact on the SoD, for example:
• When you define a new custom SAP transaction do you carry out an SoD evaluation?
• If you activate a new process, even standard, do you carry out an SoD evaluation?
• You’re introducing SAP S/4HANA, have you adjusted the SoD matrix?
• Changes to roles and to existing role assignments to users are also subject to this evaluation
Lastly, a periodic re-validation of users' authorizations can be important to guarantee conformity with the segregation of duties.
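As an added illustration (not code from the video or from AGLEA), here is a small Python model of the remediation, mitigation and continuous compliance steps described above: users are evaluated against a constructed SoD risk matrix, cleanup keeps only the transactions each user actually executed, residual conflicts without a mitigating control are flagged, and a proposed role assignment is checked for the conflicts it would add. All business functions, roles, users, usage data and control ids are constructed sample values.

```python
# Constructed sample data (not from the video): a tiny SoD risk matrix
# plus role/user assignments and a usage log, all made up for this example.
FUNCTIONS = {                     # business function -> SAP transactions
    "maintain_vendor": {"XK01", "XK02"},
    "post_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
}
RISK_MATRIX = {                   # conflicting function pair -> risk
    ("maintain_vendor", "post_invoice"): "fictitious vendor paid via own invoice",
    ("post_invoice", "run_payment"): "invoice posted and paid without review",
}
ROLES = {"Z_AP_CLERK": {"FB60", "MIRO", "XK02"}, "Z_AP_PAYMENTS": {"F110"}}
USERS = {"alice": {"Z_AP_CLERK"}, "bob": {"Z_AP_CLERK", "Z_AP_PAYMENTS"}}
USAGE = {"alice": {"FB60", "MIRO"}, "bob": {"FB60", "F110"}}  # tcodes executed
MITIGATIONS = {("bob", "invoice posted and paid without review"): "CTRL-AP-01"}


def user_tcodes(user, roles=ROLES):
    """Transactions a user can run through all assigned roles."""
    return set().union(*(roles[r] for r in USERS[user]))


def conflicts(tcodes):
    """Risks whose two functions are both reachable with the given transactions."""
    funcs = {f for f, tc in FUNCTIONS.items() if tc & tcodes}
    return {risk for (a, b), risk in RISK_MATRIX.items() if a in funcs and b in funcs}


def remediation_report():
    """Per user: conflicts before cleanup, after keeping only used transactions,
    and residual conflicts that still lack a mitigating control."""
    report = {}
    for user in USERS:
        before = conflicts(user_tcodes(user))
        after = conflicts(user_tcodes(user) & USAGE[user])   # remediation by usage
        unmitigated = {r for r in after if (user, r) not in MITIGATIONS}
        report[user] = {"before": before, "after": after, "unmitigated": unmitigated}
    return report


def evaluate_change(user, new_role, roles=ROLES):
    """Continuous compliance: conflicts a proposed role assignment would add."""
    current = conflicts(user_tcodes(user))
    proposed = conflicts(user_tcodes(user) | roles[new_role])
    return proposed - current
```

In the sample data, alice's conflict disappears with usage-based cleanup alone, while bob keeps one conflict that is covered by a mitigating control; assigning the payments role to alice would introduce a new conflict that the change review should catch.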
I hope this was helpful. Remember to subscribe to our channel if you haven't already, follow us on LinkedIn, and don't forget to visit and subscribe to our blog at www.aglea.com/blog if you want to get periodic updates.
Contact us if you want to discover how to improve your SAP system's security.
See you soon, bye!
#SAP #SAPSecurity #AGLEA
=======================================================
*Subscribe to our channel here
https://bit.ly/2UC2LwG
*Follow us on LinkedIn
/ aglea-s.r.l.