Creating a benchmark for an effective GRC strategy

by Richard Hunt

April 27, 2010

Over the past few months my company has undertaken a research project with over 100 companies, and the resulting data has been used to inform a 'GRC Benchmark Report'.  Our aim is to set the standard for SAP best practice and help our clients tackle key security risks in their organisations.  We also wanted material that we could share and discuss with communities of industry experts – again with the objective of addressing the issues faced in today's business environment.

I thought the benchmark findings would make an interesting topic for my first ever blog posting - I hope you find it useful.

One of our key findings was that, although organisations are investing to improve their security processes, very few have automated their compliance procedures. 88 percent of respondents operate documented change processes which require strong approvals, are deemed effective and are adhered to by the staff involved. 65 percent have SLAs for their change management procedures that are measured and reported against. However, only 48 percent have deployed automated workflow approval to streamline the activity.

We also discovered that:

- 73 percent of organisations maintain a segregation of duties (SoD) matrix for their SAP applications, with 68 percent of these configuring the matrix to suit the specific requirements of their business and regularly reviewing it for suitability.

- 87 percent have a dedicated team responsible for user administration. However, only 60 percent of these perform regular reviews of user mapping in conjunction with business role owners to determine whether the user access is still appropriate for that person/role.

- 70 percent of organisations have a defined policy in place which drives their application security, with 69 percent regularly reviewing their security settings to ensure compliance with corporate standards.  However, only 55 percent of companies record security logs and have a process in place to analyse these and respond when a threat or vulnerability is identified.

- 80 percent of respondents have processes in place to manage role changes and 85 percent of these require business involvement in the process.  But only 47 percent test the changes before they go live.

- 68 percent have defined and documented authorisation designs, with 63 percent basing this on processes agreed with the business.  However, only 40 percent had a risk register for their SAP application security and only 34 percent believe that the business understands security.

- 50 percent of organisations use Solution Manager to help manage their SAP environments, with 48 percent using CUA and SSO to simplify user management and access to multiple systems.

- 89 percent of respondents had defined roles for their support staff, with 58 percent reporting that their support team were able to process business transactions.  59 percent have procedures in place for privilege escalation, with half of these using an automation tool for this.  28 percent of customers have some support users with SAP_ALL access.

Overall, we were encouraged to see that many security processes have a high level of take-up. Where the report is also useful is in flagging up the areas on which we – as an industry – need to focus attention. For example, the next step for a lot of organisations is to automate many of the controls they are putting in place, which would improve the efficiency of each control and ensure continuous compliance.

If you would like to read more about the findings of our research, a free copy of Turnkey Consulting's GRC Benchmark Report is available to download from our website:
