SAP Security and Controls: Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations
Dec 19, 2015
1
SAP Security and Controls
Use of Security Compliance Tools to Detect and Prevent Security and
Controls Violations
2
Agenda
• Increased Focus on Security & Controls
• SAP R/3 Security Risks & Controls
• Security Management
• Security Compliance Tools
• Questions
3
Increased Focus on Security and Controls
• Fraud (Barings Bank, WorldCom, Enron, ...)
• Security Breaches (UCs, BC, Stanford, ...)
• Regulatory Compliance
  • Sarbanes-Oxley (SOX)
  • Family Educational Rights and Privacy Act (FERPA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
4
Security Risks
• Access Control
  • Do some users have too much access?
  • Sufficient access restrictions to private information?
• Segregation of Duties (SoD)
5
Security Compliance Tools – Internal Controls
• “Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives” (From MIT’s Guidelines For Financial Review and Control)
• Cost of implementing control should not exceed the expected benefit of the control
• “Security is a process not a product”
6
Security Compliance Tools
Who has access to sensitive transactions?
Are there any SoD violations?
• Real-Time Monitoring
• Remove access or assign mitigating controls
• Reduce time and effort when providing information to auditors
• Used during implementation of new modules
7
SoD Rules Matrix
• Predefined SoD Rule Set
• Can Add Custom Transactions to Rule Set
8
Virsa-Compliance Calibrator
9
Virsa-Compliance Calibrator
10
Virsa-Compliance Calibrator
• Resolve SoD Issues
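The SoD rules matrix and the "remove access or assign mitigating controls" resolution step, as an added illustration that is not part of the deck and not Virsa Compliance Calibrator code: a small rule-set evaluator that maps a user's transaction codes to business functions, flags conflicting function pairs, and records whether each finding is still open or covered by a documented mitigating control. The transaction codes FK01, FK02, XK01, FB60, MIRO and F110 are standard SAP codes; ZVND01 is a constructed custom transaction added to the rule set, and the user assignments, rule IDs and mitigations are constructed sample data.

```python
# Constructed SoD rule-set example (not from the deck, not vendor code).

# Business functions and the transaction codes that perform them.
# ZVND01 is a constructed custom (Z-namespace) transaction added to the rule set.
FUNCTIONS = {
    "maintain_vendor_master": {"FK01", "FK02", "XK01", "ZVND01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110"},
}

# SoD rule set: function pairs no single user should hold, with constructed rule IDs.
RULES = {
    ("maintain_vendor_master", "post_vendor_invoice"): "VM-INV",
    ("maintain_vendor_master", "run_payments"): "VM-PAY",
    ("post_vendor_invoice", "run_payments"): "INV-PAY",
}

# Constructed user-to-transaction assignments (e.g. derived from role analysis).
USER_TCODES = {
    "JSMITH": ["FK01", "FB60", "F110"],  # creates vendors, posts invoices, pays
    "MCHEN": ["FB60", "MIRO"],           # invoice entry only
    "RLOPEZ": ["ZVND01", "F110"],        # custom vendor tcode plus payment run
}

# Constructed register of accepted mitigating controls per user and rule.
MITIGATIONS = {"RLOPEZ": {"VM-PAY"}}


def user_functions(tcodes):
    """Return the business functions a set of transaction codes grants."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}


def sod_violations(user_tcodes, mitigations):
    """Evaluate every rule for every user; return {user: [(rule_id, status)]}."""
    report = {}
    for user, tcodes in user_tcodes.items():
        funcs = user_functions(tcodes)
        hits = []
        for (a, b), rule_id in RULES.items():
            if a in funcs and b in funcs:
                status = "mitigated" if rule_id in mitigations.get(user, ()) else "open"
                hits.append((rule_id, status))
        if hits:
            report[user] = hits
    return report


def conflicting_tcodes(tcodes, rule_id):
    """For one open finding, list the user's codes on each conflicting side."""
    a, b = next(pair for pair, rid in RULES.items() if rid == rule_id)
    held = set(tcodes)
    return {a: sorted(FUNCTIONS[a] & held), b: sorted(FUNCTIONS[b] & held)}
```

Removing either side's codes from `conflicting_tcodes` clears the finding; keeping both requires an entry in the mitigation register, which is what the report marks as "mitigated".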
11
Security Compliance Software Vendors
• Virsa
• Approva
• Oversight Systems
• Big 4 (E&Y, PwC, KPMG, Deloitte)
12
Benefits of Security Compliance Tools - Summary
• Run with SAP R/3
• Automate SoD analysis
• Automate monitoring of critical transactions
• Quick assessment of authorization compliance for business users, auditors, and IT security staff
• Used during development/project efforts
• Avoid manual analysis and false positives
13
Questions