Time to Remediate? Here are Six Easy Steps to Get You Started
25 January 2016
OK, so your year-end audits are over. The pressure is now on the IT audit teams to fix, or remediate, any access-related risks that were flagged as a result. The problem? An audit generates far too much information, and far too many actions, which can leave those responsible a bit overwhelmed and wondering where to start. Not only do you want to get the immediate issues fixed, but you also want to get to the root of the problem so that the same risks do not keep reappearing. Head spinning yet?
In our latest e-book, Six Steps to Remediation with ERP Maestro, we help to clarify and break down the process of remediation by outlining how you can use technology to easily identify segregation of duties (SoD) conflicts, prioritize those “low-hanging fruit” conflicts to remediate, mitigate your access controls properly, and even set up a framework for preventative controls.
Following is a sneak peek with the first three steps from the e-book. For more, you can download the entire document here.
Step 1: Review the Rulebook
ERP Maestro provides a library of 250+ rules based on Big 4 best practices. Take a good look at all of these rules and determine relevancy to your business. Most, if not all of them, may be relevant to your organization. However, if some do not apply, then they should be disabled. For example, if you are not using SAP HR then any rules related to SAP HR should be disabled.
Step 2: Review SoD Conflicts in SAP
Using the Role Conflict Matrix report, you will see any inherent role conflicts in your existing roles. Why start with role conflicts first? The reason is that if roles with SoD conflicts get assigned to hundreds of users, all of those users will inherit the conflicts.
It’s likely that not all of your SAP roles will have SoD conflicts. The Role Conflict Matrix report identifies which roles do have conflicts, allowing you to spend time redesigning those specific roles instead of redesigning each and every role in your system. For those roles with conflicts, remember that it is always best practice to have each single role align to one single business process (not contain transactions from multiple SoD processes). A role that is clean on its own can still produce a conflict when it is combined with another role on the same user, so the role-level review removes the inherited conflicts first; the remaining ones are then handled at the user level.
Step 3: Review Usage on Roles
Some users may not even be using the roles to which they are assigned. The Security Roles report allows you to identify which users are using transactions within each role. This view of usage allows you to take your remediation a step further. For example, if you discover that some users have not executed any transactions in a role, you may want to remove the role assignment for those users. Make sure the usage window you review is long enough to include period-end and year-end activity, otherwise a role that is only needed for a quarterly close can look unused.
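To make the three steps concrete, here is an added Python example that is not ERP Maestro's code and not taken from the e-book. It works over constructed data: the transaction codes are real SAP codes, but the grouping of codes into business functions, the SoD rules, the roles, the users and the usage log are all made up and much smaller than a real rulebook. It shows Step 1 (disabling an SAP HR rule that does not apply), Step 2 (a role conflict matrix, prioritised by how many users inherit each conflicting role) and Step 3 (role assignments with no transaction usage). It also goes one step beyond the text by reporting conflicts that only appear when a user's clean roles are combined, since those survive a role-only review.

```python
"""Added example (not ERP Maestro code): a minimal SoD review over constructed
SAP-style role/user data. All rules, roles, users and usage below are made up."""
from collections import defaultdict

# Step 1: rule library. Each rule names two business functions that one person
# must not hold; a function is the set of transaction codes that grant it.
# The codes are real SAP transactions, the groupings and rules are a made-up
# simplified subset, not ERP Maestro's 250+ rule library.
FUNCTIONS = {
    "vendor_master": {"XK01", "XK02", "FK01"},
    "post_invoice": {"FB60", "MIRO"},
    "payment_run": {"F110"},
    "create_po": {"ME21N"},
    "goods_receipt": {"MIGO"},
    "hr_master": {"PA30"},
    "payroll": {"PC00_M99_CALC"},
}
SOD_RULES = {
    "R01": ("vendor_master", "post_invoice"),
    "R02": ("vendor_master", "payment_run"),
    "R03": ("post_invoice", "payment_run"),
    "R04": ("create_po", "goods_receipt"),
    "R05": ("hr_master", "payroll"),
}
# Step 1 outcome for this (hypothetical) organisation: SAP HR is not in use,
# so the HR rule is disabled rather than deleted.
DISABLED_RULES = {"R05"}

# Constructed role-to-transaction and user-to-role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK01"},      # invoice posting + vendor master
    "Z_AP_PAYMENT": {"F110", "FBL1N"},
    "Z_AP_ALL": {"FB60", "F110", "XK01"},        # three functions in one role
    "Z_MM_BUYER": {"ME21N", "ME22N"},
    "Z_WH_RECEIVER": {"MIGO"},
    "Z_HR_ADMIN": {"PA30", "PC00_M99_CALC"},
}
USERS = {
    "alice": {"Z_AP_CLERK"},
    "bob": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "carol": {"Z_AP_ALL"},
    "dave": {"Z_MM_BUYER", "Z_WH_RECEIVER"},
    "erin": {"Z_AP_CLERK", "Z_MM_BUYER"},
    "frank": {"Z_HR_ADMIN"},
}
# Constructed transaction usage for the review window: (user, transaction).
USAGE = [
    ("alice", "FB60"), ("alice", "MIRO"),
    ("bob", "FB60"), ("bob", "FBL1N"),
    ("carol", "FB60"), ("carol", "F110"),
    ("dave", "ME21N"),
    ("erin", "ME21N"), ("erin", "ME22N"),
]


def active_rules():
    """Rules that survive the Step 1 relevancy review."""
    return {rid: pair for rid, pair in SOD_RULES.items() if rid not in DISABLED_RULES}


def functions_of(tcodes):
    """Business functions granted by a set of transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def conflicts_in(tcodes):
    """Active rule IDs violated by holding all of `tcodes` at once."""
    held = functions_of(tcodes)
    return sorted(rid for rid, (a, b) in active_rules().items() if a in held and b in held)


def role_conflict_matrix():
    """Step 2: inherent conflicts per role; roles without conflicts are omitted."""
    return {role: c for role in ROLES if (c := conflicts_in(ROLES[role]))}


def prioritized_roles():
    """Conflicting roles ordered by how many users inherit them, most first."""
    matrix = role_conflict_matrix()
    inheritors = defaultdict(set)
    for user, roles in USERS.items():
        for role in roles & set(matrix):
            inheritors[role].add(user)
    return sorted(((role, len(inheritors[role]), matrix[role]) for role in matrix),
                  key=lambda r: (-r[1], r[0]))


def user_conflicts():
    """Conflicts that only arise from combining a user's roles (each role is clean)."""
    out = {}
    for user, roles in USERS.items():
        all_tcodes = set().union(*(ROLES[r] for r in roles))
        role_level = set().union(*(conflicts_in(ROLES[r]) for r in roles))
        extra = [c for c in conflicts_in(all_tcodes) if c not in role_level]
        if extra:
            out[user] = extra
    return out


def unused_role_assignments():
    """Step 3: (user, role) pairs where the user ran no transaction from that role."""
    used = defaultdict(set)
    for user, tcode in USAGE:
        used[user].add(tcode)
    return sorted((u, r) for u, roles in USERS.items() for r in roles
                  if not (ROLES[r] & used[u]))


if __name__ == "__main__":
    for role, n, rules in prioritized_roles():
        print(f"{role}: {rules} inherited by {n} user(s)")
    print("user-level only:", user_conflicts())
    print("unused assignments:", unused_role_assignments())
```

On this data Z_AP_CLERK carries a single conflict but is assigned to three users, while Z_AP_ALL carries three conflicts but reaches only one user, so the role-level fix with the biggest payoff is the clerk role. The usage review then feeds back into Step 2: erin never used Z_AP_CLERK, so removing that assignment cuts the inheritors to two, and dave never used Z_WH_RECEIVER, so removing it clears his user-level purchase-order versus goods-receipt conflict without any role redesign.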
Get more expert insights on remediation via our recorded webinar
If you could use more guidance on how to tackle your remediation project, check out our on-demand webinar Rampant Access Risks & Your Path to Remediation. In less than 30 minutes, our Director of Sales Engineering Alex Gambill will take you through best practices and proven processes to use when addressing risks related to user access and roles in SAP. Watch Here.