"A good audit does not just look at security data, but also analyzes how your compliance tools are configured!" That's the advice from James Roeske, from his GRC 2012 session "An In-Depth Analysis of What to Audit — and How — Within Your GRC Landscape".
The session covers specific SAP GRC strategies, challenges, and technologies to effectively audit your SAP BusinessObjects GRC environment.
Here are two tips from James Roeske's session on avoiding SoD violations: check your rule configuration so that SoD violations are eliminated at the source (and mitigation becomes a last resort), and review your CUP configuration so that user access requests cannot reintroduce them.
Incorrect Rule Configuration Is Always the Top Priority
> The purpose of remediation is to determine alternatives for eliminating SoD violations.
> These alternatives should be explored in the following order:
1. Is this SoD violation caused by an incorrect rule? If yes, then modification to the rule is required to resolve the false positive.
2. Can access be removed from the role or user to resolve the SoD violation?
3. Can this SoD violation be addressed using other alternatives, such as utilizing SAP Workflow, user exits, configuration modifications, or business process change?
4. Can this access requirement be addressed using GRC Superuser Privilege Management for SAP fun
5. If the SoD violation is not resolved in steps 1-4, then mitigation is required.
CUP Configuration Critical to Staying SoD Compliant
> CUP Review
- Is your CUP system configured utilizing suggested SAP GRC best practices?
- Are SoD violations still able to slip into your system through user access requests?
> Verification of the Stage Configuration
- CUP is a critical component for maintaining an SoD-free environment, but only if it is configured correctly
> Verification that escalation is being used to support compliance and proper approval, rather than just to speed up the provisioning approval process
> Validation of the CUP configuration for RAR integration to close SoD loopholes during the provisioning process
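The two tips above share one mechanism: a rule engine that flags a user who can perform both halves of a conflicting pair of business functions, and a provisioning gate that runs that engine on the access a user would have after a request is approved. The following is an added example written for this page, not SAP GRC, RAR or CUP code; the role names, the "function" definitions and the one SoD rule are constructed for illustration (the transaction codes are standard SAP ones chosen for recognisability). It shows the first remediation step from the session, a false positive caused by an over-broad rule and removed by correcting the rule rather than mitigating it, and the RAR-style check on a provisioning request that a CUP stage should perform before approval.

```python
"""Toy segregation-of-duties (SoD) checker and provisioning gate.

Added example for this page; NOT SAP GRC / RAR / CUP code. All roles, function
definitions and the rule below are constructed for illustration.
"""

# Constructed role -> transaction-code mapping. The role names are invented;
# the transaction codes are standard SAP ones (XK01/XK02 create/change vendor,
# XK03 display vendor, FB60 enter vendor invoice, MIRO invoice verification).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},       # post / verify vendor invoices
    "Z_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master
    "Z_VENDOR_DISPLAY": {"XK03"},         # display vendor master only
}

# A business function is the set of transaction codes that grant it; an SoD
# rule is a pair of functions that one person must not hold together.
BAD_FUNCTIONS = {
    # Misconfigured (constructed): the display-only transaction XK03 has crept
    # into the "maintain vendor" function, so read-only access trips the rule.
    "VENDOR_MASTER_MAINT": {"XK01", "XK02", "XK03"},
    "AP_INVOICE_POSTING": {"FB60", "MIRO"},
}
GOOD_FUNCTIONS = {
    # Corrected rule definition: only real maintenance transactions count.
    "VENDOR_MASTER_MAINT": {"XK01", "XK02"},
    "AP_INVOICE_POSTING": {"FB60", "MIRO"},
}
RULES = [("VENDOR_MASTER_MAINT", "AP_INVOICE_POSTING")]


def effective_tcodes(roles):
    """Union of the transaction codes granted by a set of roles."""
    return set().union(*(ROLE_TCODES[r] for r in roles)) if roles else set()


def analyse(roles, functions, rules=RULES):
    """Risk analysis: return [(rule, sorted triggering tcodes)] for each
    rule where the roles grant at least one tcode of BOTH functions."""
    tcodes = effective_tcodes(roles)
    hits = []
    for f1, f2 in rules:
        t1 = tcodes & functions[f1]
        t2 = tcodes & functions[f2]
        if t1 and t2:  # the user can perform both conflicting functions
            hits.append(((f1, f2), sorted(t1 | t2)))
    return hits


def evaluate_request(current_roles, requested_role, functions, rules=RULES):
    """Provisioning gate (what a CUP stage integrated with risk analysis should
    do): analyse the access the user WOULD hold after approval, not just the
    requested role on its own, and only allow auto-approval when it is clean."""
    resulting_access = set(current_roles) | {requested_role}
    violations = analyse(resulting_access, functions, rules)
    return {"approve": not violations, "violations": violations}


if __name__ == "__main__":
    clerk = {"Z_AP_CLERK"}
    # Over-broad rule: a request for display-only access is flagged although
    # the clerk cannot actually maintain vendors (a false positive).
    print("bad rule, display request :", evaluate_request(clerk, "Z_VENDOR_DISPLAY", BAD_FUNCTIONS))
    # Remediation step 1: fix the rule, and the false positive disappears
    # without anyone having to approve a mitigating control.
    print("good rule, display request:", evaluate_request(clerk, "Z_VENDOR_DISPLAY", GOOD_FUNCTIONS))
    # A genuine conflict is still caught: the request must not be auto-approved.
    print("good rule, maint request  :", evaluate_request(clerk, "Z_VENDOR_MAINT", GOOD_FUNCTIONS))
```

The point of `evaluate_request` is the second tip in code: the analysis runs on the user's existing roles plus the requested one, because a requested role that is clean in isolation can still complete an SoD conflict with access the user already holds. If the gate only looked at the requested role, the "maint request" case above would pass and the violation would slip in through provisioning.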
For more tips on SAP GRC configuration and SoD compliance, visit the GRC Group and www.grc2013.com