
SAP Security and Controls: Use of Security Compliance Tools To Detect and Prevent Security and Controls Violations


SAP Security and Controls

Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations

Agenda
- Increased Focus on Security & Controls
- SAP R/3 Security Risks & Controls
- Security Management
- Security Compliance Tools
- Questions

Increased Focus on Security and Controls


- Fraud (Barings Bank, WorldCom, Enron, ...)
- Security Breaches (UCs, BC, Stanford, ...)
- Regulatory Compliance
  - Sarbanes-Oxley (SOX)
  - Family Educational Rights and Privacy Act (FERPA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)

Security Risks
Access Control
- Do some users have too much access?
- Are there sufficient access restrictions on private information?

Segregation of Duties (SoD)
- Can a single user perform conflicting steps of the same business process (for example, create a vendor and also release payments to it)?
Internal Controls


"Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives."
(From MIT's Guidelines for Financial Review and Control)

- The cost of implementing a control should not exceed the expected benefit of the control
- Security is a process, not a product

Security Compliance Tools


- Are there any SoD violations?
- Who has access to sensitive transactions?

- Real-time monitoring
- Remove access or assign mitigating controls
- Reduce the time and effort of providing information to auditors
- Used during implementation of new modules

SoD Rules Matrix


- Predefined SoD rule set
- Custom transactions can be added to the rule set
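The rules-matrix check that these tools automate is simple to state: collect every transaction a user can reach through all assigned roles, then flag the user when that set intersects both sides of a conflicting-transaction pair. The following is an added example written for this page, not code from Virsa or any other vendor. The roles, user assignments, rule set, critical-transaction list and mitigating controls are constructed sample data (the SAP transaction codes such as FK01, F110 and SU01 are real codes, but the role contents and the rule set are illustrative, not a vendor's predefined rule set). It also shows why the analysis has to be done at the user level (a role-by-role review finds nothing because each conflict here is split across two roles), how a mitigating control changes a finding's status instead of hiding it, and how a custom rule is added to the predefined set.

```python
"""SoD and critical-transaction analysis over user/role/transaction data.

Added example. All data below is constructed for illustration; it is not a
vendor rule set or an extract from a real SAP system.
"""

# Constructed roles -> transaction codes reachable through the role.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "FK03"},  # create/change/display vendor
    "Z_AP_INVOICE":      {"FB60", "FB03"},          # enter/display vendor invoice
    "Z_AP_PAYMENT":      {"F110"},                  # automatic payment run
    "Z_PUR_BUYER":       {"ME21N", "ME22N"},        # create/change purchase order
    "Z_MM_RECEIVING":    {"MIGO"},                  # goods receipt
    "Z_BASIS_USERADMIN": {"SU01", "PFCG"},          # user and role maintenance
    "Z_DISPLAY_ONLY":    {"FK03", "FB03", "SE16"},  # display transactions, table browser
}

# Constructed user -> roles. Each conflict is deliberately split across two
# roles, so a review of roles in isolation misses every one of them.
USER_ROLES = {
    "jsmith": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT"},
    "mlee":   {"Z_PUR_BUYER", "Z_MM_RECEIVING"},
    "rpatel": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
    "basis1": {"Z_BASIS_USERADMIN", "Z_AP_PAYMENT"},
    "audit1": {"Z_DISPLAY_ONLY"},
}

# Constructed "predefined" rule set: (rule id, risk, side A, side B). A user
# holding any tcode from A and any tcode from B violates the rule. Display-only
# tcodes (FK03, FB03) are left out of both sides to avoid false positives.
SOD_RULES = [
    ("P001", "Maintain vendor master and run payments", {"FK01", "FK02"}, {"F110"}),
    ("P002", "Enter vendor invoice and run payments", {"FB60"}, {"F110"}),
    ("P003", "Create purchase order and post goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
    ("B001", "User/role administration plus business transactions",
     {"SU01", "PFCG"}, {"F110", "FK01", "FB60"}),
]

# Sensitive transactions reported on regardless of any SoD pairing.
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "F110"}

# Constructed mitigating controls keyed by (user, rule id).
MITIGATIONS = {("basis1", "B001"): "MC-17 weekly review of payment runs by AP manager"}


def add_custom_rule(rules, rule_id, risk, side_a, side_b):
    """Return a new rule list with one custom transaction pair appended."""
    return rules + [(rule_id, risk, set(side_a), set(side_b))]


def effective_tcodes(user):
    """Union of transactions over all roles assigned to the user."""
    tcodes = set()
    for role in USER_ROLES.get(user, ()):
        tcodes |= ROLES.get(role, set())
    return tcodes


def sod_violations(rules=SOD_RULES):
    """User-level SoD check. A finding with a mitigating control is reported as
    'mitigated' rather than dropped, so auditors still see the conflict."""
    findings = []
    for user in sorted(USER_ROLES):
        have = effective_tcodes(user)
        for rule_id, risk, side_a, side_b in rules:
            hit_a, hit_b = have & side_a, have & side_b
            if hit_a and hit_b:
                control = MITIGATIONS.get((user, rule_id))
                findings.append({
                    "user": user, "rule": rule_id, "risk": risk,
                    "tcodes": sorted(hit_a | hit_b),
                    "status": "mitigated" if control else "open",
                    "control": control,
                })
    return findings


def role_level_violations(rules=SOD_RULES):
    """The same check applied to each role alone; with the data above it
    returns nothing, which is exactly the gap a per-user analysis closes."""
    return [(role, rule_id) for role, tcodes in ROLES.items()
            for rule_id, _, side_a, side_b in rules
            if tcodes & side_a and tcodes & side_b]


def critical_access(tcodes=CRITICAL_TCODES):
    """Who has access to sensitive transactions: tcode -> sorted user list."""
    report = {}
    for user in USER_ROLES:
        for t in effective_tcodes(user) & tcodes:
            report.setdefault(t, []).append(user)
    return {t: sorted(users) for t, users in sorted(report.items())}


if __name__ == "__main__":
    for f in sod_violations():
        print(f"{f['user']:8} {f['rule']} {f['status']:9} {f['risk']} {f['tcodes']}")
    print("role-level findings:", role_level_violations())
    for tcode, users in critical_access().items():
        print(f"{tcode}: {', '.join(users)}")
```

Running it lists one mitigated and two open conflicts, an empty role-level result, and the users behind each critical transaction; rpatel's display-only vendor access (FK03) does not trigger P001 because the rule only names the create/change codes.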

Virsa Compliance Calibrator (screenshots)
- Resolve SoD Issues


Security Compliance Software Vendors


- Virsa
- Approva
- Oversight Systems
- Big 4 (E&Y, PwC, KPMG, Deloitte)


Benefits of Security Compliance Tools - Summary


- Run with SAP R/3
- Automate SoD analysis
- Automate monitoring of critical transactions
- Quick assessment of authorization compliance for business users, auditors, and IT security staff
- Used during development/project efforts
- Avoid manual analysis and false positives

Questions

