SAP access governance: practical guidelines to successfully manage value at risk


Page 1

SAP access governance

practical guidelines to successfully manage value at risk

Wouter Janssen, axl & trax, © 2014

SAP Security 2014: Protecting Your SAP Systems Against Hackers And Industrial Espionage

Page 2

topics

introduction

moving from management to governance

common pitfalls & risks

practical guidelines

what’s next?

questions & answers

Page 3

introduction

Page 4

introduction: axl & trax

fact sheet

17 years expertise

consultants, advisers, trainers and keynote speakers

over 20 dedicated GRC, IAM, authorizations and security experts

more than 250 customers served

Wouter Janssen

partner @ axl & trax

Page 5

c-range advisory

consultancy

audit and security

governance, risk & compliance

training

tailor-made solutions

biometric authentication

identity and access management

authorization concepts

roles building

workflow

security/risk content (SOD)

ABAP coding security

vulnerability assessment

payment flow security

process controls

quality assurance

licensing (cost control)

our expertise

Page 6

affiliations and partnerships

Page 7

maturity in SAP security

Page 8

doing the right thing isn’t enough

what’s the right thing?

what is considered in SAP security, and by whom?

process? people? technology?

moving from heroic; to managed; to optimized & controlled

interesting mapping possible using the CMMI (process) maturity model levels

Page 9

the challenge I

why are SAP landscapes treated differently from other IS/IT?

Page 10

the challenge II

safeguarding company assets against threats

things that make SAP security a worthy challenge:

thousands of users world-wide

business-critical system & process operation

different processes and configuration in different sites

multi-dimensional roles and responsibilities

standard is a concept, not practice

multi-layer, multi-component security

interconnectivity, customizing and custom developments

integrated systems, non-integrated organizations

“Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security” – John Allen Paulos

Page 11

the challenge III

some of the problems we see:

business risk or IT risk?

integration of different technologies and OSI-layers

“not just an application running on a server”

information security experts work “around” SAP, SAP experts work around established standards & good practices

Page 12

referencing frameworks for SAP access governance

governance

Page 13

governance

define

• goals & objectives

• tone in terms of values & standards

• timeline / priorities

• risk appetite

delegate

• appoint leadership & major roles

• give orientation & preference

review

• performance reviews

Patrick Sury’s Governance model, 1999

Page 14

IT & security governance

CobiT – Third Edition - 2000

Page 15

access governance

SAP access governance strategy

access policies

access management

process

user management

role management

managing change

exception handling

security organization

tools & technology

QA & compliance

Page 16

in SAP security governance

risks & pitfalls

Page 17

common pitfalls

common misconceptions

we are in control of that because:

we have an SoD matrix

we run SAP GRC

we have a process, so don’t worry

we do the right things, so why bother

we did a security project 5 years ago

consultants of company X did that for us

that’s all outsourced to company Y

we act on things directly when the auditors give red lights

we’ve never had any issues

… (non-exhaustive)

Page 18

practical steps towards SAP security governance

Page 19

practical guidelines I

stick to and adopt common standards & frameworks

define logical roles & responsibilities

start from what you readily have

document what you have/do/control today

make an inventory of today’s practice

learn from others/peers/externals/…

Page 20

practical guidelines II

think big, start small

work top-down, don’t recreate Wikipedia

define a program, not a project

stay in control, even when hiring externals

consider system-specifics, don’t forget or overrate them

work cross-disciplinary

consider the “hands-off” principle

Page 21

so where do we start?

Page 22

first steps

1. define the governance model

2. ensure adequate quality of “as-is”

3. find out what’s missing & decide on those gaps

4. further optimize; define new; implement; improve what’s there

high-level starting position

Page 23

questions?

Page 24

Thank you for your attention

Wouter Janssen, partner, axl & trax (CISA CISSP CISM CGEIT CRISC CFE)

E [email protected]

T +32 16 311 00 00