The governance, risk, and compliance (GRC) market has expanded dramatically in recent years, with an array of options now available to speed the GRC process and help companies manage compliance in an effective and efficient way. Investing in the correct GRC solutions can yield a high return on investment and greatly enhance an organization’s security.
To achieve benefits, you need to make sure your solution can handle your GRC needs. The best GRC solutions stand out from the competition with 13 key components:
- Remediation. GRC reporting is not only about segregation of duties (SoD) conflicts. It is also about the remediation of these conflicts. You can’t mitigate risk without insight into its underlying causes; therefore, the GRC solution must answer questions such as: Is the access appropriate? How is the user getting access to these conflicts? Is the user really using this critical functionality?
- Flexibility. Organizations are dynamic and it’s essential that solution elements (such as rule sets) are easily adjustable. Changes made to an element of the rule set must be inherited automatically to all related layers of this element to maintain consistency.
- Fast, relevant results. The analysis is a snapshot of the SAP system and must contain relevant, timely data.
- Independence. The audit department must be able to perform independent audits, using an independent tool with an audit rule set.
- Short implementation time. Within one week after implementation, the first results should be reported.
- Reporting of real issues. Focus on data elements rather than on transaction codes to report the real issues in understandable and aggregated reports.
- User-friendliness. To save time and reduce errors, tasks must be easy to perform and automated if possible.
- Efficient role building. Build SAP roles automatically to reduce errors and save time. Use reverse engineering and information about the transactions that were used (STAD data).
- On-the-fly documentation. You need to be able to simultaneously implement and document the business process with risks and controls, step by step.
- Simulation. Change requests for the users and roles can lead to new GRC implications such as SoD conflicts and unwanted access to critical data. Before implementing changes, the GRC implications must be simulated.
- Trending information. Clear insight into the audit results and analysis must be available over time.
- Full scope. All SAP systems, even smaller ones, should be included in the scope of the GRC process.
- Mass changes. Besides the small changes such as user requests, it is also possible that mass changes to the authorization concept (e.g., implementing new modules or merging organizational levels) are needed. These mass changes must be fully supported.
An Evolving Approach
CSI tools has been providing targeted products for SAP solutions for GRC since 1997. CSI has kept pace with an evolving market, releasing an entirely new software suite in 2014 consisting of CSI Authorization Auditor 2014, CSI Role Build & Manage 2014, CSI Integrate & Collaborate 2014, and CSI Automated Request Engine 2014. The 13 features recommended above are all included, together with supporting rule sets, frameworks, options to automate tasks and change requests, dashboards, trending reports, remediation information, integration with SAP Identity Management, Active Directory integration, and more. The GRC rule set can also be checked for errors using CSI tools.
CSI tools’ products are designed to help companies become and remain compliant in all areas. The CSI tools have been adopted by internal and external auditing companies, GRC consultants, and multinationals for use with SAP solutions for GRC. Consider these two sample scenarios in which CSI tools display key GRC features.
Sample Scenario 1: Remediation
The SAP user ID “User002” is used by Jeroen Jacobs. This user has access to critical functionality, causing an audit issue. The report in the system shows the single roles and profiles causing the access, via which composite roles the user has the authorizations or transactions assigned, and whether the user is using transactions from these roles (see Figure 1). The report shows that the user is using the transaction codes from the composite role, not the single role. To solve this issue, the single role could be removed from this composite role because the transactions from the single role are not being used.
Sample Scenario 2: Checking for Errors in GRC Rule Sets
The results of an analysis show that a user has access to critical functionalities (see Figure 2). For some functionality the user is assigned the authorization but not the transaction code. This shows an inconsistency in the rule or the role, because the user has access to the data but cannot use the audited transaction code; a custom transaction code may be missing from the rule set. The analysis also shows that the user has access to other critical functionality because both the transaction code and the authorizations are assigned. But because the user never executed the transaction codes for this critical functionality, the access rights for it should be removed from this user.
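The cross-checks behind both scenarios (unused single roles inside a composite role, and authorization-versus-transaction-code mismatches against a rule set) can be reproduced with a small script. This is an added illustration, not CSI tools code; every role, transaction code, authorization object and usage record below is constructed, and the data model is a deliberate simplification of SAP authorizations.

```python
"""Constructed GRC cross-check example (not CSI tools code). All names are made up."""

# Constructed audit rule set: critical function -> (transaction codes, authorization objects)
RULESET = {
    "PAY_RUN":   ({"ZPAY1"},  {"Z_PAY_AUTH"}),
    "VEND_EDIT": ({"ZVEND2"}, {"Z_VEND_AUTH"}),
    "BANK_CHG":  ({"ZBANK3"}, {"Z_BANK_AUTH"}),
}
# Constructed single roles: name -> (transaction codes in the role, authorization objects)
SINGLE_ROLES = {
    "SR_PAY":  ({"ZPAY1"},  {"Z_PAY_AUTH"}),
    "SR_VEND": ({"ZVEND2"}, {"Z_VEND_AUTH"}),
    "SR_BANK": (set(),      {"Z_BANK_AUTH"}),   # auth object granted, no tcode: inconsistent
}
COMPOSITE_ROLES = {"CR_FIN": ["SR_PAY", "SR_VEND", "SR_BANK"]}
USER_ROLES = {"User002": ["CR_FIN"]}
# Constructed STAD-style usage data: user -> transaction codes actually executed
USAGE = {"User002": {"ZPAY1"}}


def effective_access(user):
    """Union of tcodes and auth objects the user reaches through composite -> single roles."""
    tcodes, auths = set(), set()
    for comp in USER_ROLES.get(user, []):
        for single in COMPOSITE_ROLES[comp]:
            t, a = SINGLE_ROLES[single]
            tcodes |= t
            auths |= a
    return tcodes, auths


def classify(user):
    """Scenario 2: one finding per critical function in the rule set."""
    tcodes, auths = effective_access(user)
    used = USAGE.get(user, set())
    findings = {}
    for func, (req_t, req_a) in RULESET.items():
        if not req_a <= auths:
            findings[func] = "no_access"                  # data not reachable
        elif not req_t & tcodes:
            findings[func] = "rule_or_role_inconsistent"  # auth present, tcode missing
        elif req_t & used:
            findings[func] = "used_access"                # real access: review justification
        else:
            findings[func] = "unused_access_remove"       # assigned but never executed
    return findings


def unused_single_roles(user):
    """Scenario 1: single roles whose tcodes the user never executed (removal candidates)."""
    used = USAGE.get(user, set())
    return {s for comp in USER_ROLES.get(user, []) for s in COMPOSITE_ROLES[comp]
            if SINGLE_ROLES[s][0] and not SINGLE_ROLES[s][0] & used}
```

Roles that grant only authorization objects (like SR_BANK) surface in classify() as a rule or role inconsistency rather than as a removal candidate, because without a transaction code there is no usage record to judge them by.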
CSI tools has developed dynamic analytics tools that deliver intelligence to and from SAP environments. Our cockpit and engine provide insight into vulnerabilities, streamline SAP roles, and deliver practical solutions to improve risk and security posture, including automated role building and reverse engineering. For more information or to request a demo of our tools, visit www.csi-tools.com.