Segregation of Duties (SoD) is one of the most important control concepts in any organization: no single person should be able to complete a transaction end to end without a second party being involved. To detect and prevent SoD conflicts, most companies rely on applications such as SAP GRC. However, it is not possible to eliminate every SoD conflict, and not every business is effective at avoiding them. The reasons are manifold, ranging from resource availability to a weak SAP security (user/role management) strategy.
Organizations can place themselves at one of five stages of an SoD maturity model. Organizations that do not even use manual methods of handling SAP SoD, such as an SoD matrix, fall into the first stage. At the last stage, all processes are automated with solutions such as SAP GRC Access Control, SAP GRC Process Control, Risk Management, Fraud Management, etc.
Organizations can evaluate themselves with the following questions to determine their maturity level:
Has the ruleset been reviewed and tailored?
Many companies simply use the ruleset that the application ships with. In some cases, several rulesets are developed to satisfy different parts of the company. One ruleset, tailored to and ideally suited to the company, is strongly recommended. It should also cover the risks introduced by customization, such as custom transactions and custom authorization objects that the delivered ruleset knows nothing about. The ruleset should be owned at the organizational level, not treated as a concern of one department. If you have introduced an automated solution and still only use the pre-delivered ruleset, it is time to reconsider.
Has your audit firm advised you to delete rules that are not applicable to your organization?
Do not delete them. Rules that do not apply to you today should never be removed: they may become applicable later, for example when a new process or module is rolled out. Deactivate them instead of deleting them, so that the rule and its history remain available.
Who is responsible for the maintenance of the ruleset?
This is where risk ownership is often flawed. The IT department may own the application, but it should not identify and assess the risks on its own. The entire risk management cycle, from risk identification to remediation, needs to be owned by the respective business functions. IT's role is to implement the rules in the application and keep them working.
Is there an escalation mechanism for resolving SoD conflicts?
How sure are you that your escalation process is suitable, and when is it actually triggered? Once SoD conflicts are detected, each one needs to be reviewed and either removed (by changing the role or user assignment) or accepted with a documented mitigating control.
Is daily reporting adequate?
How are risks reported to the users who own them? How often do you review SoD conflicts? How are authorizations managed? Before making changes to authorizations, does the IT team check the risks the change would introduce (for example by simulating the new role assignment against the ruleset)?
With these questions answered, SAP security can be well managed. Risks have to be identified at the right time, and adequate mitigation should be in place. Regular reporting and review will help keep the protection of your SAP landscape effective.
Is there a separate mechanism for super-user / configuration IDs with elevated rights?
If you are not using SAP GRC, the most critical and risky authorizations should at least be isolated in dedicated IDs. Day-to-day users should not be assigned these authorizations. The proper way to handle this privileged access is SAP GRC Firefighter, now called Emergency Access Management (EAM): access is requested for a purpose, granted for a limited time, and the activity log is reviewed afterwards by a controller. A well-defined approval process should be set up for granting access to these configuration IDs.
Is the management made aware regularly of the development of SoD conflicts?
How often have you changed your ruleset? SAP regularly ships new transaction codes, authorization objects, etc. with releases and support packages, which means the ruleset needs regular updates to keep covering them.
Reviewing these changes and upgrading the SAP SoD ruleset is strongly recommended, and the changes must be aligned with management decisions. Senior and middle management should be aware of changes to the ruleset and of SoD conflicts at both the role and the user level. Keep these stakeholders informed about which mitigations are being implemented and how they are monitored.
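To make the distinction between role-level and user-level conflicts concrete, and to show why rules are deactivated rather than deleted and why a change should be simulated before it is made, here is a small ruleset evaluator. It is an added example written for this article, not code from the article or from SAP GRC. The transaction codes are real SAP ones, but the function grouping, the roles, users, rules and mitigation IDs are all constructed for illustration.

```python
"""Toy SoD ruleset evaluator at role and user level.

Added example for this article, not code from the article or from SAP GRC.
Transaction codes are real SAP ones; the function grouping, roles, users,
rules and mitigation IDs are constructed for illustration.
"""
from dataclasses import dataclass

# Business functions -> transaction codes that perform them (constructed grouping).
FUNCTIONS = {
    "vendor_master_maintenance": {"XK01", "XK02", "FK01", "FK02"},
    "vendor_invoice_entry": {"FB60", "MIRO"},
    "outgoing_payments": {"F110", "F-53"},
    "purchase_order": {"ME21N", "ME22N"},
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    func_a: str
    func_b: str
    risk: str
    active: bool = True  # deactivate, never delete, rules that do not apply today


RULESET = [
    Rule("R001", "vendor_master_maintenance", "outgoing_payments", "pay a fictitious vendor"),
    Rule("R002", "vendor_invoice_entry", "outgoing_payments", "pay a fraudulent invoice"),
    Rule("R003", "purchase_order", "vendor_invoice_entry", "self-approved purchase", active=False),
]

# Roles -> transaction codes (constructed).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N"},
    "Z_AP_ALL": {"FB60", "MIRO", "F110"},  # conflict designed into a single role
}

# Users -> assigned roles (constructed).
USERS = {
    "BOB": {"Z_AP_CLERK", "Z_AP_PAYMENT"},  # two clean roles that conflict in combination
    "CAROL": {"Z_BUYER", "Z_AP_CLERK"},     # would hit R003, but R003 is deactivated
    "DAVE": {"Z_VENDOR_MAINT"},             # clean today
}

# (user, rule_id) -> mitigating control on record (constructed).
MITIGATIONS = {("BOB", "R002"): "MC-017 monthly payment-run review by AP manager"}


def functions_for(tcodes):
    """Map a set of transaction codes to the business functions they enable."""
    return {func for func, codes in FUNCTIONS.items() if codes & tcodes}


def violated_rules(tcodes, ruleset=RULESET):
    """Active rules whose two functions are both reachable from `tcodes`."""
    funcs = functions_for(tcodes)
    return sorted(r.rule_id for r in ruleset
                  if r.active and r.func_a in funcs and r.func_b in funcs)


def role_conflicts(roles=ROLES, ruleset=RULESET):
    """Role-level analysis: conflicts built into a single role."""
    return {role: hits for role, tcodes in roles.items()
            if (hits := violated_rules(tcodes, ruleset))}


def tcodes_for_user(user, users=USERS, roles=ROLES):
    """Union of the transaction codes of every role assigned to the user."""
    return set().union(*(roles[r] for r in users[user]))


def user_conflicts(users=USERS, roles=ROLES, ruleset=RULESET):
    """User-level analysis: conflicts that arise only from the combination of roles."""
    return {user: hits for user in users
            if (hits := violated_rules(tcodes_for_user(user, users, roles), ruleset))}


def unmitigated(users=USERS, roles=ROLES, ruleset=RULESET, mitigations=MITIGATIONS):
    """User-level conflicts that have no mitigating control on record."""
    return sorted((user, rule)
                  for user, hits in user_conflicts(users, roles, ruleset).items()
                  for rule in hits if (user, rule) not in mitigations)


def simulate_assignment(user, new_role, users=USERS, roles=ROLES, ruleset=RULESET):
    """Pre-change check: rules newly violated if `new_role` is added to `user`."""
    current = tcodes_for_user(user, users, roles)
    before = set(violated_rules(current, ruleset))
    after = set(violated_rules(current | roles[new_role], ruleset))
    return sorted(after - before)


if __name__ == "__main__":
    print("role-level:", role_conflicts())
    print("user-level:", user_conflicts())
    print("unmitigated:", unmitigated())
    print("DAVE + Z_AP_PAYMENT would add:", simulate_assignment("DAVE", "Z_AP_PAYMENT"))
```

Run as-is, the role-level report flags only Z_AP_ALL, while the user-level report flags BOB, whose two individually clean roles combine into the invoice-entry plus payment conflict; CAROL is not reported because R003 is deactivated, and reactivating that one flag is all it takes to start reporting her. The simulation shows that assigning Z_AP_PAYMENT to DAVE would introduce R001 before the change is made. A real GRC ruleset works on authorization objects and field values rather than transaction codes alone, so this mapping is deliberately simplified.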
A lack of Segregation of Duties not only exposes the organization to financial loss through fraud but can also enable data breaches, since a single over-privileged user can both access and extract sensitive data unchecked. Enforcing proper Segregation of Duties is strongly recommended as the first step. It does not eradicate data theft or financial risk entirely, but it is a starting point for addressing them.