How do you not only ensure that your implementation is compliant, but that it remains so over its lifetime?
This is the question addressed in the GRC 2012 session “Lessons for Ensuring Your Newly Implemented or Upgraded SAP System Remains Compliant Over Time” presented by Alex Ayers of Turnkey Consulting, who offered extensive tips for designing and building your SAP system for sustainable success – covering everything from user management and access controls to IT monitoring.
Here are just a few of the tips from the session, specifically covering IT controls:
Ensure Appropriate IT Controls Are in Place
- Environment-build standards are in place and are followed:
> System parameters
> Security components and audit logging
- Technical change and release management processes are followed:
> Impact assessment completed by appropriate skilled staff
> Changes are tested
> Approvers are defined
> Changes are documented
> Alignment between production stack & project stack (QA and Prod in sync, regression testing)
Don’t Forget Patching!
- Process established for managing patches:
> Security patching should be one element in overall patching approach
> Where support is outsourced, contract may be “patch on fail”
> Assess potential vulnerabilities
- Use EarlyWatch alerts to flag when security-critical notes have not been applied
- Assess and test security notes in a timely manner:
> Use monthly SAP Security Patch Day to drive review process
- Apply patches following standard change and release management process
Ensure that Monitoring Practices Are Implemented
- Identify key risk areas to be monitored, especially existing weaknesses or high-impact areas
- Develop KPIs based on good practice and reality of environment:
> Audit/Compliance input
> Only measure what you intend to action
- Agree on owners for KPIs:
> Who will investigate and take action over variances?
> How do you prioritize activities?
- Example KPIs:
> Number of dialog or service users with SAP_ALL
> Number of times Firefighter access has been invoked
> Number of end-user roles with direct table access
> Number of security incidents logged in a reporting period
- KPIs will vary by organization:
> Do the KPIs provide useful information to your organization?
> Can you measure them?
> Do you plan to resolve the issues that are identified?
Be prepared to change your KPIs as new areas of risk are identified!
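The example KPIs above only become a control once each one is computed from system data, compared against an agreed threshold, and routed to a named owner. The following added example (not from the session or from Turnkey Consulting) shows that loop in Python over constructed sample extracts. It assumes you have exported the user master (user id, user type, assigned profiles), the Firefighter invocation log, the end-user role list with the authorization objects each role grants, and the incident register; the user ids, role names, thresholds and owner names are all made-up placeholders, and treating S_TABU_DIS and S_TABU_NAM as "direct table access" is an assumption you should adjust to your own role-build standard.

```python
"""Compute a handful of SAP compliance KPIs over constructed sample extracts.

The data below is constructed for illustration and stands in for extracts
you would pull from the SAP system (user master, Firefighter log, role
authorizations, incident register). Every id and name is a placeholder.
"""
from dataclasses import dataclass

# --- constructed sample extracts (not from any real system) ---------------
USERS = [
    # (user id, user type, assigned profiles)
    ("BASIS01", "DIALOG", {"SAP_ALL", "SAP_NEW"}),
    ("RFC_BATCH", "SERVICE", {"SAP_ALL"}),
    ("JSMITH", "DIALOG", {"Z_AP_CLERK"}),
    ("BATCH01", "SYSTEM", {"SAP_ALL"}),  # SYSTEM users are out of scope for the KPI
]

FIREFIGHTER_LOG = [
    # (timestamp, firefighter id, invoked by)
    ("2012-03-01T09:12:00", "FF_FINANCE", "JSMITH"),
    ("2012-03-05T14:40:00", "FF_FINANCE", "JSMITH"),
    ("2012-03-20T08:05:00", "FF_BASIS", "BASIS01"),
]

ROLES = [
    # (role name, is end-user role, authorization objects granted)
    ("Z_AP_CLERK", True, {"F_BKPF_BUK", "S_TABU_DIS"}),
    ("Z_SALES_REP", True, {"V_VBAK_VKO"}),
    ("Z_BASIS_ADMIN", False, {"S_TABU_DIS", "S_TABU_NAM"}),  # admin role, not end-user
]

INCIDENTS = [
    # (date, incident id, summary)
    ("2012-03-02", "INC-1001", "shared login detected"),
    ("2012-03-18", "INC-1002", "unauthorised table change"),
]

# Assumption: these objects are what we count as "direct table access".
TABLE_ACCESS_OBJECTS = {"S_TABU_DIS", "S_TABU_NAM"}


@dataclass
class Kpi:
    name: str
    owner: str       # the agreed person who investigates a variance
    threshold: int   # highest acceptable value; anything above needs action
    value: int

    @property
    def in_breach(self) -> bool:
        return self.value > self.threshold


def users_with_sap_all(users):
    """Dialog or service users holding SAP_ALL; system users are excluded."""
    return sorted(uid for uid, utype, profiles in users
                  if utype in ("DIALOG", "SERVICE") and "SAP_ALL" in profiles)


def firefighter_invocations(log, period_prefix):
    """Count Firefighter sessions whose timestamp falls in the period (YYYY-MM)."""
    return sum(1 for ts, _, _ in log if ts.startswith(period_prefix))


def roles_with_direct_table_access(roles):
    """End-user roles that grant any of the table-access authorization objects."""
    return sorted(name for name, end_user, objs in roles
                  if end_user and objs & TABLE_ACCESS_OBJECTS)


def incidents_in_period(incidents, period_prefix):
    return sum(1 for date, _, _ in incidents if date.startswith(period_prefix))


def compute_kpis(period="2012-03"):
    """Build the KPI set for one reporting period; thresholds and owners are placeholders."""
    return [
        Kpi("Dialog/service users with SAP_ALL", "SAP Security Lead", 0,
            len(users_with_sap_all(USERS))),
        Kpi("Firefighter invocations", "Internal Audit", 2,
            firefighter_invocations(FIREFIGHTER_LOG, period)),
        Kpi("End-user roles with direct table access", "Role Owner Board", 0,
            len(roles_with_direct_table_access(ROLES))),
        Kpi("Security incidents logged", "Security Operations", 5,
            incidents_in_period(INCIDENTS, period)),
    ]


def breaches(kpis):
    """Variances that must be actioned, each tagged with its owner."""
    return [(k.name, k.owner, k.value, k.threshold) for k in kpis if k.in_breach]


if __name__ == "__main__":
    for name, owner, value, threshold in breaches(compute_kpis()):
        print(f"ACTION [{owner}] {name}: {value} (threshold {threshold})")
```

Running it reports three variances for the sample period (SAP_ALL holders, Firefighter usage above the agreed level, and one end-user role with table access) and leaves the incident count alone because it is within threshold; that split is the point of "only measure what you intend to action", since every KPI on the list has an owner who is expected to respond when it trips.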
Find more advice on SAP compliance at the next GRC 2013 US conference in Las Vegas, March 19-22; registration information and more details are here. And follow Insider Learning Network for more tips and updates on the conference sessions, along with speaker tips, interviews and discussion forums.