Editor's note: Data compliance experts and GRC 2011 speakers Richard Hunt and Heinrich Wilking of Turnkey Consulting recently took questions in an HR Forum on protecting HR data privacy, ensuring data compliance in your SAP HR systems, and mitigating data privacy risk.
Richard and Heinrich are featured speakers at the GRC 2011 in Amsterdam, June 7-9; Allison Martin of SAPinsider's GRC 2011 conference moderated the event.
For the full Q&A, view the posts in the HR Forum, or read this transcript of the Q&A here:
Allison Martin: Welcome to today's forum on securing and monitoring your HR data!
Richard and Heinrich, thank you for joining us today!
Before you respond to questions, I'd like to start with one that stems from your session at GRC 2011:
Those who registered for this Forum can also access your guide to creating a data privacy popup [from Richard Hunt's GRC 2011 presentation "Improve Data Privacy Compliance and Segregation of Duties (SoD) Controls in an SAP ERP Human Capital Management Environment"].
Could you talk about what it is, and when and why an HR team should use this popup?
Richard Hunt: Thanks Allison. The Forum is a new format for us so we are looking forward to trying it out.
The data privacy popup is a custom notification that you can define to ensure all users of your system are aware of the Data Privacy obligations of the organisation and their personal responsibilities in this regard. It also allows the organisation to pass on some of the responsibility to these individuals by forming a 'virtual contract for data use' with the users of the system.
The popup and its usefulness can be strengthened by forcing users to confirm acceptance of these responsibilities with a checkbox and embedding consequences for users who do not accept (e.g. removal of access to personal data).
Heinrich Wilking: The popup provides trust to the user of the service about how personal data provided by the user or the browser is used by the company.
Gail Benefield: How is this configured? Via the IMG?
Richard Hunt: There is not currently a standard configuration mechanism in SAP.
The popup can be configured using an SAP-delivered customer exit in the logon routine: EXIT_SAPLSUSF_001. It is customisation using a modification exit via transaction CMOD.
If you look at the details available for download as part of this forum there should be some information in there.
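As an added illustration of the exit Richard names (this is not code from the original post or from Turnkey Consulting), the sketch below shows what the customer include of enhancement SUSR0001 could look like. The exit EXIT_SAPLSUSF_001, its include ZXUSRU01 and the function module POPUP_TO_CONFIRM are standard; the notice text and the audit table ZDP_CONSENT (with fields BNAME, ADATE, ATIME, ANSWER) are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Include ZXUSRU01 - enhancement SUSR0001, exit EXIT_SAPLSUSF_001
*& Data privacy acknowledgement shown at dialog logon.
*& Assumption: table ZDP_CONSENT (BNAME, ADATE, ATIME, ANSWER) is a
*& hypothetical customer table used to keep an audit trail of answers.
*&---------------------------------------------------------------------*

DATA: lv_answer  TYPE c LENGTH 1,
      ls_consent TYPE zdp_consent.

* Only interactive sessions can confirm anything; background jobs and
* batch-input sessions must not be blocked by a popup.
CHECK sy-batch IS INITIAL AND sy-binpt IS INITIAL.

CALL FUNCTION 'POPUP_TO_CONFIRM'
  EXPORTING
    titlebar              = 'Data privacy notice'
    text_question         = 'Personal data in this system may be used for HR purposes only. Do you accept your data privacy obligations?'
    text_button_1         = 'I accept'
    icon_button_1         = 'ICON_OKAY'
    text_button_2         = 'I decline'
    icon_button_2         = 'ICON_CANCEL'
    default_button        = '2'
    display_cancel_button = abap_false
  IMPORTING
    answer                = lv_answer
  EXCEPTIONS
    text_not_found        = 1
    OTHERS                = 2.

IF sy-subrc <> 0.
  " The popup itself failed: record the failure rather than silently
  " treating the logon as an acceptance.
  lv_answer = 'X'.
ENDIF.

* Every answer is written to the audit table, so the organisation can
* later show who accepted ('1'), who declined ('2') and when.
ls_consent-bname  = sy-uname.
ls_consent-adate  = sy-datum.
ls_consent-atime  = sy-uzeit.
ls_consent-answer = lv_answer.
MODIFY zdp_consent FROM ls_consent.

IF lv_answer <> '1'.
  " Consequence for non-acceptance (e.g. removal of access to personal
  " data) is applied by the security team from the recorded refusals;
  " the exit only informs the user.
  MESSAGE 'You have declined the data privacy notice; access to personal data will be reviewed.' TYPE 'I'.
ENDIF.
```

The exit runs after authentication has already succeeded, so it is a notification and evidence-collection point, not a logon gate; the recorded refusals are what a periodic review of P_ORGIN/P_PERNR assignments would act on.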
Amy Thistle: Do you have any best practices for companies trying to reconcile EU and US data privacy laws when managing their HR data?
Heinrich Wilking: Amy, there are specific requirements within the EU and German Data Protection Acts, with specific guidelines on how data of European or German citizens has to be maintained when processed outside.
We do have some of the best practices e.g. how List Privileges and General Consent requirements in Germany need to be organised.
All those requirements are not really part of the IMG as they do not only refer to authorizations. They are more on the process control level regarding how personal data is processed, has personal data been sent with or without consent and agreement of the individual, etc.
Richard Hunt: Hi Amy,
One of the most challenging aspects of data privacy is that each company must make its own interpretation of the law and how it applies to their circumstances. Of course you can and should take legal advice in this regard, but ultimately this will still be opinion.
What I can say is that there are some specific requirements in the US that need to be met around EEO (Equal Opportunities), and that compliance with this -- together with the European Directive -- should give you reasonable coverage. Remember that in the EU each country has to implement the Directive into their local law and that this again means interpretation. As a consequence you need to not only think about Europe, but also which European countries you are operating in and how their local legislation implements t
Dave Hannon: Thank you both for taking our questions. Any thoughts on the pros and cons of letting employees update their own HR information in SAP? Any caveats or things companies should be aware of in moving to this model?
Heinrich Wilking: The pros of users maintaining their own data are:
- that it reduces the maintenance
- users confirm that it is data they have publicised themselves, which is like an agreement about the publication
- how true and valid is the data
- does that data compromise any corporate information or management information
- is data being publicised that is only available internally or by management
Richard Hunt: Dave - you obviously need to ensure that you restrict users to only changing the data that is personally relevant to them.
There are some tips on configuring this using P_PERNR authorisations here.
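As an added example of the restriction Richard describes (these values are assumptions for illustration, not from the original post or from Turnkey Consulting), here is how P_PERNR can be cut for two roles. P_PERNR, P_ORGIN, the field names, the T77S0 switch and infotype 0105 are standard SAP; the role layouts and infotype selections are assumed.

```text
Prerequisites: switch AUTSW PERNR = 1 in table T77S0 (activates P_PERNR),
and each SAP user linked to a personnel number via infotype 0105, subtype 0001.

ESS employee role - own record only (PSIGN = I: applies to the user's own PERNR)
  P_PERNR  AUTHC = R      PSIGN = I  INFTY = *           SUBTY = *  (read own data)
  P_PERNR  AUTHC = W      PSIGN = I  INFTY = 0006, 0009  SUBTY = *  (change own address, bank details)
  (no P_ORGIN at all, so nothing about other employees is reachable)

HR administrator role - broad P_ORGIN access, but self-editing of pay excluded
  P_ORGIN  AUTHC = R, W   INFTY = *  SUBTY = *  PERSA = *  PERSG = *  PERSK = *  VDSK1 = *
  P_PERNR  AUTHC = W, E, D  PSIGN = E  INFTY = 0008, 0014, 0015  SUBTY = *
           (E = excluded: even with P_ORGIN W on 0008, the administrator cannot
            change their own basic pay or recurring/additional payments)
```

A quick check for the administrator case is to log in as the HR user and try PA30 on their own personnel number for infotype 0008: the exclusion should produce an authorization error while the same change on a colleague's record still works.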
Jose Ernesto Ramirez: Is there any standard configuration for warning somebody in the organization when some data has been changed in HR?
Richard Hunt: Hi Jose,
You can use the Infotype Logging report to configure infotypes you want to track changes to and retrospectively report on them.
There's some more information on this here. Combining this report with a Continuous Controls Monitoring (CCM) solution would allow you to make more use of this information and configure some form of alert or proactive monitoring.
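As an added example of the infotype logging set-up Richard refers to (not from the original post or from Turnkey Consulting), the customizing below logs changes to bank details and basic pay so that report RPUAUD00 can show who changed what. The views, the report and the infotype field names are standard SAP; the choice of infotypes, fields and field-group numbers is an assumption for the example.

```text
IMG: Personnel Management -> Personnel Administration -> Tools -> Revision ->
     Set Up Change Document

1. Infotypes to be logged (V_T585A)
   Transaction class A (HR master data)  Infotype 0009  Bank Details
   Transaction class A                   Infotype 0008  Basic Pay

2. Field group definition (V_T585B) - which fields count as a change
   Infotype 0009  Field group 01  Fields: BANKL, BANKN
   Infotype 0008  Field group 01  Fields: TRFGR, TRFST, ANSAL

3. Field group characteristics (V_T585C)
   Infotype 0009  Field group 01  Document type L (long-term, kept for audit)
   Infotype 0008  Field group 01  Document type L

4. Evaluation: report RPUAUD00 (transaction SE38/SA38), selecting by
   personnel number, infotype, changed-on date and changed-by user.
   Scheduling RPUAUD00 daily with a short date range and routing its
   output to HR is the simplest form of the alerting Jose asks about.
```

Only fields listed in the field group trigger a log entry, so a field left out of step 2 changes silently; reviewing that list against the data privacy risk assessment is part of the control.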
there any one country which if you satisfy its requirements, you are relatively assured that you are close to the requirements in others? We have mentioned Germany here, how about Italy?
Heinrich Wilking: Todd,
Across Europe all countries have more or less the same level. Germany's requirements are probably a bit further detailed with more strict regulations due to recent cases in Germany.
There is a difference between the US and Europe and other countries.
If it comes to specific questions every country's regulation needs to be analysed. Having said that, the western oriented countries allow e.g. outsourcing of data processing.
Laura Casasanto: Hi Richard and Heinrich. Thanks for taking these questions! Can you tell me the best/most common ways to improve the performance of structural authorizations in SAP HR?
Richard Hunt: Hi Laura,
For this you need to index your structural authorisations.
There is some information on how to configure this here.
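As an added outline of the indexing Richard mentions (not from the original post or from Turnkey Consulting), these are the standard steps; the reports and table are standard SAP, the scheduling frequency is an assumption.

```text
1. Run report RHBAUS02 (transaction SE38/SA38) and enter the users whose
   structural profiles should be indexed; this maintains table T77UU.
2. Run report RHBAUS00 for those users. It evaluates each user's structural
   profiles once and stores the resulting set of objects in the INDX buffer,
   so later structural checks read the buffer instead of re-walking the
   organisational structure for every access.
3. Schedule RHBAUS00 as a periodic background job (transaction SM36), e.g.
   nightly. The index is a snapshot: a user whose organisational assignment
   changed during the day keeps the old object set until the next run, which
   matters in both directions (access not yet granted, access not yet revoked).
```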
Kir Chern: Hi Richard, May I ask how an organization should effectively do an audit or take stock of an existing complex HCM authorization setup (encompassing several HCM modules) already in place, and identify potential conflicts for roles already assigned to users, given that there is currently no formal practice in place? Is there any good tool, standard SAP transactions, or 3rd party tool to jump-start?
Heinrich Wilking: Hi Kir,
Auditing a complex HCM authorization set-up is not a trivial thing. There are different aspects and it should really be focusing on segregation of duties, e.g.
- master data maintenance is separated from transaction data: e.g. somebody maintaining bank accounts should definitely be separated from payroll maintenance
- the authorizations and profiles should really be tested before being transferred into production (a more general control)
- HR functions should be separated from the other HCM functions
- there should be a rotation of HR staff so that HR staff should not be responsible for the same group of employees for a long period
and many more
There is an SAP HR Audit Guide from the German SAP User Group which provides a really good overview. The guide can be downloaded free of charge from their website -- unfortunately it is in German language only.
Hanne Nickelsen: Regarding ESS: Are there any differences in the protection settings if one uses a portal solution or the business client solution, which I am told is possible with EhP5?
Richard Hunt: Hi Hanne,
This is a pretty technical question so some research would be required to answer your question fully.
What I can say is that there are definitely some specific authorisation objects in place (in the backend) for calling web services via the portal. You can of course open these up with a '*' value, but using specific values in these object(s) will allow you to add some further security around your portal content.
Hope that helps.
Kir Chern: Hi Richard, You mentioned about CCM. Is this a SAP facility/tool and how/where can I access it ? Thank you.
Heinrich Wilking: Kir,
CCM is Continuous Controls Monitoring. This is usually part of SAP's GRC software, which allows you to automate controls testing as preventive or detective controls.
GRC allows you to enforce that controls are checked or tested on a regular basis when they are of a detective nature, e.g. on a daily basis for very critical situations, or monthly, quarterly etc.
Preventive controls are those that would stop a process before a controls breach would occur, until somebody approves that the risk is acceptable, or denies it so that the process is not progressed.
Scott Priest: Hi Richard...would you mind talking in a bit more depth about CCM -- I'm not sure everyone is familiar with it as a concept at this point. Is it solution-specific, or something you can achieve with a variety of software? Is it more strategy/planning or an IT process?
Richard Hunt: Hi Scott (and Kir, as this answers your question, too):
Continuous Controls Monitoring (CCM) is a concept rather than a specific tool. The idea is that you are monitoring controls on an ongoing basis, automating wherever possible. In doing so, you strengthen the control and can act upon control failures more quickly, hopefully reducing the consequences and business risk.
Personally, I like to think of it as a convergence of detective and preventative controls.
The relevant SAP tool used to support CCM is SAP GRC Process Controls but you can still start to embed CCM concepts using standard SAP reports, workflow and BI tools.
Thank you all again for joining us. We have time for 2-3 more questions before the forum ends.
Kir Chern: Hi Richard and Heinrich, Can you advise on how SAP can prevent other reporting tools including Crystal Report (or third party) from accessing the transparent table directly e.g. PA0008 (or other sensitive transparent tables) , as the PA authorization control will not be enforced (bypassed) in this case? Thank you.
Heinrich Wilking: Hi Kir,
The answer is two-fold: SAP/internal reporting, and outside reports
ABAP reports should have the authority check - that would allow that only authorized users could access data via ABAP reports.
Tables can be protected by grouping the relevant tables in "security gr
Crystal Reports has an authorization concept to set up access to protected data. Crystal Reports focuses on Business Objects data that has previously been exported from the ERP application (incl. HR). So make sure that only the data you want to export goes into Business Objects or a data warehouse, and then use the authorizations of Crystal Reports to limit access to that data.
You should never allow direct access to the database via SQL.
Other external tools require a specific view, so that they can be limited to report on specific data.
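As an added example of the authority check Heinrich says every ABAP report over HR tables should carry (this is not code from the original post or from Turnkey Consulting), the report below reads PA0008 but passes each record through the standard HR authorization check before displaying it. PA0008 and the function module HR_CHECK_AUTHORITY_INFTY are standard SAP; the report name, selection screen and output columns are assumptions.

```abap
REPORT zhr_basic_pay_check.
* Added example: direct SELECT on PA0008 bypasses P_ORGIN / P_PERNR /
* structural checks, so each row is verified with the standard HR
* infotype authorization check before it is shown. Report name and
* output layout are assumptions for the example.

PARAMETERS: p_pernr TYPE persno OBLIGATORY.

DATA: lt_p0008 TYPE STANDARD TABLE OF pa0008,
      ls_p0008 TYPE pa0008,
      lv_hidden TYPE i.

* Raw table read: no authorization is evaluated here.
SELECT * FROM pa0008 INTO TABLE lt_p0008
  WHERE pernr = p_pernr
    AND begda <= sy-datum
    AND endda >= sy-datum.

LOOP AT lt_p0008 INTO ls_p0008.
  " Standard check: evaluates P_ORGIN, P_ORGINCON, P_PERNR and, if
  " active, structural authorizations for this record at read level.
  CALL FUNCTION 'HR_CHECK_AUTHORITY_INFTY'
    EXPORTING
      tclas            = 'A'
      pernr            = ls_p0008-pernr
      infty            = ls_p0008-infty
      subty            = ls_p0008-subty
      begda            = ls_p0008-begda
      endda            = ls_p0008-endda
      level            = 'R'
    EXCEPTIONS
      no_authorization = 1
      internal_error   = 2
      OTHERS           = 3.
  IF sy-subrc <> 0.
    " Not authorized: skip the record without revealing its contents.
    lv_hidden = lv_hidden + 1.
    CONTINUE.
  ENDIF.
  WRITE: / ls_p0008-pernr, ls_p0008-begda, ls_p0008-endda,
           ls_p0008-trfgr, ls_p0008-trfst.
ENDLOOP.

IF lv_hidden > 0.
  " Tell the user that records were suppressed, but not which ones.
  WRITE: / lv_hidden, 'record(s) not shown due to missing authorization'.
ENDIF.
```

Using the PNP logical database (TABLES: pernr. INFOTYPES: 0008.) achieves the same effect with less code, since the logical database performs this check for every infotype record it delivers; the explicit call above is for reports that must read the transparent tables directly.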
Debbie Bouhenguel: Has SAP come up with a way to restrict the search function available for HR transactions (such as PA20) which allows access to SSN, Birth Date, etc? There is a need for a search using Name to access a PERNR, but not see the other types of sensitive information.
Richard Hunt: Hi Debbie,
Yes, I've seen this issue at one of my clients on upgrade to ECC 6 and it's a good point.
The matchcode authorisation ('M' value in your P_ORGIN, P_ORGINCON and P_PERNR auths) does not apply the necessary restriction, as the data is visible even before you've put the data into the search.
I cannot recall whether a solution was found, but I know we were looking to the config team to restrict the way the search was set up rather than an authorisations solution. I'll try to find out what the solution was and post it in our FAQs for you.
The answer will be posted here if I manage to find it and I'll also try to post a response in the forum.
Richard Hunt: I have to sign out now but thanks for all your questions.
Hope to meet some of you at SAP GRC in Amsterdam!
Debbie Bouhenguel: Is there a timeline for when masking/encryption of sensitive data (SSN, BD, Bank Details) will be made available by SAP?
Heinrich Wilking: Debbie,
I am currently not aware of when such encryption will be available from SAP. Currently, it depends on the underlying database and the encryption features offered there.
This currently requires a protection of the database - which is part of IT general controls.
Todd: Thanks to Richard and Heinrich for your time.
As for removing the birthdates & SSN from the name search helps, we have done that via updates to the search help in the IMG, but I will have to look up our notes since it's been a while.
I also heard about SAP building the ability to support masking last week at the ASUG conference in the US, but was not given a commitment on the timeline.
Allison: Thanks to all who posted questions and followed the discussion!
A full summary of all the questions will be available here in the HR Forum and in the HR Group and the Compliance Group on Insider Learning Network. I encourage you to join these groups for ongoing information and additional resources.
And finally, thank you to Richard and Heinrich for taking the time to respond to these questions.
Both Richard and Heinrich will also be speaking at the upcoming GRC 2011 conference, June 7-9 in Amsterdam. I encourage you to introduce yourself to both of them during the conference!