Segregation of Duties, or SoD, in short, is the buzz word in many companies. Most of the enterprises utilize applications such as SAP GRC to avoid the potential Segregation of Duties. However, with that, all the SoDs can’t be avoided and not every company is successful in avoiding them. The reasons are manifold, ranging from the availability of resources to poor SAP security strategy (user/role management).
Check this article written by our SAP Innovation Director – Raghu Boddu. Organizations can fit in themselves in one of the 5 levels of the maturity model. This applies to the Segregation of Duties as well. Organizations that are not using even manual ways of managing SAP SoDs such as Sod Matrix etc. fall into the Unplugged Category and the last level is Facebook of Machines where all the processes are automated with solutions such as SAP GRC Access Control, SAP GRC Process Control, Risk Management, Fraud Management, etc.
To further simplify, evaluate the following questions to know the maturity level of your organization:
Is a review of the rule-set carried out?
Most of the organizations will simply use the ruleset that is delivered by the application. In some cases, multiple rulesets are created to accommodate the organization’s needs. It is highly recommended to derive one ruleset which is useful and best fits the organization. It should contain the risks from the customizations too.
Also, the ruleset should be an organization-wide consideration rather than a specific company-wide consideration.
If you have implemented some automated solution and still using the pre-delivered ruleset, it’s time to revisit.
Has your audit firm recommended you delete rules that are not relevant to your organization?
If yes, wait!! It is never recommended to delete the rules that are not relevant to you. These rules might be relevant at a later point in time. Hence, it is recommended to deactivate them instead of deleting them.
Who is responsible for maintaining the ruleset? Is it only the IT department? Are other departments only informed about SoD-analysis results?
Here, your risk management strategy may be faulty. The IT department can be the owner of the application, but they can’t alone determine or define the risks. The entire risk management cycle, starting from risk identification to redressal, has to be handled by the respective departments. The IT department should be involved in creating and managing them effectively in the application.
Are there escalation mechanisms that are used to eliminate SoD conflicts?
How sure are you that you have a proper escalation mechanism? And when this mechanism is required to eliminate the SODs? When SoDs are identified, they have to be reviewed properly and addressed in the best possible way.
Is the regular reporting adequate?
How are your users reporting the risks? How frequently do you execute a Segregation of Duty (SoD) review? How are your authorizations managed? Does your IT team validate the potential risks before making changes to the authorizations?
SAP security should be well-managed considering these questions! The risks have to be identified at the right time and proper mitigations should be in-place. Regular reporting and review will help you to keep your SAP security effective.
Is there a separate process for special user rights like “Super-User / Config ID”?
If you are not using SAP GRC application, then you might need to separate the most critical and risky authorizations. These authorizations shouldn’t be assigned to regular users. SAP GRC Firefighter or the Emergency Access Management provides the right way of handling this privileged access. In the absence of SAP GRC application, you can utilize third-party applications such as ToggleNow’s Orange Envelop.
A well-defined approval process should be set up to provide access to these Config IDs.
Is the management regularly informed about the development of SoD conflicts?
How many times you have updated your ruleset? Did you know SAP releases a new set of transaction codes, authorization objects, etc. which require the ruleset to be updated regularly?
It is highly recommended to check the updates and update the SAP SoD ruleset. Further, it has to be in alignment with the management decision as well. The senior and middle management should be aware of the ruleset changes, SoD conflicts at both the user and role level. Also, keep these stakeholders updated on mitigations being carried out and the way these mitigations are handled.
Remember, if a proper Segregation of Duties is not implemented, it causes financial loss and may lead to a data breach. As the first step, it is highly recommended to have a proper Segregation of Duties implemented. This might not eliminate the data thefts or financial risks, but it can become a starting point to address risks.
!@#$sod segregation of duties,SAP SoD,sap sod,sod matrix,sap segregation of duties,SAP security strategy!@#$