“For many organizations, their external audit is the only time in the year when an access risk assessment is performed on their SAP system. As a result, these organizations have very little visibility into their SAP access risk exposure for the majority of the year, placing them at unnecessary risk,” explains Dudley Cartwright, CEO of Soterion.
Soterion is an international software solutions company assisting organizations to extract maximum value from their Governance, Risk and Compliance (GRC) investment in the SAP environment by implementing the correct tools and methodologies.
“The appropriateness of an SAP authorization solution degrades over time, primarily due to SAP authorization creep. Authorization Creep is where users inherit more access over a given period than the access removed from them as they move to different job positions internally. This also happens when they require a single transaction code but are assigned a role with many transaction codes,” Mr Cartwright adds.
It is impractical, he notes, for the SAP security team to identify all technical mistakes that may occur during the SAP role build. The complexity of SAP authorizations not only means that mistakes are relatively common, but the sheer volume of data makes it very difficult to identify any issues. It is like finding a needle in a haystack.
“With a number of vendors who have developed a cloud offering, performing an access risk assessment is simple and easy. The data extraction can typically be done in less than an hour, which is the only effort required by the company. The vendor will perform the assessment and send the company their access risk results.”
“Performing more regular access risk assessments can be a more failsafe way to ensure the SAP authorization solution has not provided inappropriate access to the users during the course of the year,” he says.
Soterion SAP Access Risk Assessment
Mr Cartwright concludes: “Soterion can be used to perform SAP access risk assessments on the organization’s SAP environment by either using the Soterion standard ruleset or importing or customizing the customer’s own ruleset.”
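As an added illustration (not Soterion's or the page's own code) of the ruleset-based assessment and the authorization creep described above: the script joins user-to-role and role-to-transaction-code assignments, shaped like the SAP tables AGR_USERS and AGR_TCODES, and evaluates a segregation-of-duties ruleset of conflicting transaction-code sets. All role names, transaction codes, users and rule ids below are constructed assumptions.

```python
# Minimal SAP access risk assessment over effective (role-inherited) access.
# Data shapes follow AGR_TCODES (role -> tcodes) and AGR_USERS (user -> roles).

# Constructed role-to-transaction-code assignments (AGR_TCODES-like).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "FK03"},            # post vendor invoices, display vendor
    "Z_AP_MANAGER": {"F110", "FK03"},          # run the payment program
    "Z_MM_BUYER": {"ME21N", "ME22N", "ME23N"},  # purchase orders
    "Z_VENDOR_MASTER": {"FK01", "FK02"},       # create/change vendor master data
}

# Constructed user-to-role assignments (AGR_USERS-like). JSMITH moved from
# AP clerk to AP manager but kept the old roles: the authorization creep case.
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_VENDOR_MASTER", "Z_AP_MANAGER"],
    "AJONES": ["Z_MM_BUYER"],
}

# Constructed segregation-of-duties ruleset: a user holding any tcode from
# side A together with any tcode from side B violates the risk.
SOD_RULES = [
    ("P001", {"FK01", "FK02"}, {"FB60"}, "maintain vendor master and post vendor invoices"),
    ("P002", {"FB60"}, {"F110"}, "post vendor invoices and run payments"),
]


def effective_tcodes(user):
    """Union of transaction codes reachable through every role assigned to the user."""
    tcodes = set()
    for role in USER_ROLES.get(user, []):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def assess(user):
    """Map each violated risk id to the sorted roles that supply the conflicting access."""
    have = effective_tcodes(user)
    findings = {}
    for risk_id, side_a, side_b, _description in SOD_RULES:
        if have & side_a and have & side_b:
            findings[risk_id] = sorted(
                r for r in USER_ROLES[user] if ROLE_TCODES.get(r, set()) & (side_a | side_b)
            )
    return findings


def assess_all():
    """Run the ruleset over every user and keep only those with at least one finding."""
    return {u: f for u in USER_ROLES if (f := assess(u))}


if __name__ == "__main__":
    for user, findings in assess_all().items():
        for risk_id, roles in findings.items():
            print(f"{user}: {risk_id} via roles {', '.join(roles)}")
```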
Contact [email protected] if your organization is interested in having ad hoc assessments.
Media Contact
Company Name: Soterion
Contact Person: Caryn Pretorius
Phone: +27 11 540 0232
Address: Block A, Wedgefield Office Park, Muswell Road South
City: Bryanston
State: Johannesburg
Country: South Africa
Website: https://soterion.com/