SAPSecurity

Planning Makes the SAP S/4HANA Journey Compliant and Secure

Manash SahaSteve Toshkoff
February 14, 2020
5 min read

“Data is the new water.” That observation by a chief information officer we met a few months ago really nails the way we think about data security and compliance today. He went on to say, “We have to reserve it. Preserve it. Share it. And make sure it’s clean.” Innovations in cloud, mobile, social media and big data mean the opportunity for increased risk. And that increased risk means that data security planning has to be more than just a check mark on a compliance report. In a recent webinar, we talked about how planning ahead for security can make the S/4HANA journey safer and more compliant.

When we work with SAP S/4HANA clients, we like to say that security is now an enabler that helps organizations weather market shifts, changing operating environments and the evolving regulatory environment. Since the introduction of SAP HANA, how organizations operate and secure their SAP environment has shifted significantly. We have left behind traditional security architecture for more collaborative business models. This evolution impacts how an organization defines, plans, implements, monitors and builds resilience around its security practices.

In today’s S/4HANA environment, how an organization is equipped to respond to cyber threats changes regularly, as new threats emerge. Many of our S/4HANA clients have elaborate security strategies. Yet they still see vulnerabilities, from access management and patch management to unsecured services and connections.

Keep this one rule in mind: security should not be an afterthought. Those who attended our recent SAP S/4HANA webinar series heard this message again and again. Organizations should plan methodically for security and controls in the same way that they plan infrastructure, integration, data governance and other key components of an S/4HANA implementation. Furthermore, it needs a holistic approach which requires a continuous improvement to ensure the organization is properly managing long term.

Next-Generation Processes and Tools for Audit and Compliance

During the S/4HANA planning process, there are several questions to ask to understand the organization’s current audit and compliance processes and where it intends to be in the future. By the way, getting senior executives from across the organization involved in setting these goals is our recommendation to ensure the objectives are understood and embraced by all. We also find it helpful to perform interviews or process walkthroughs, or risk ending up with an incomplete picture that may not capture ever scenario.

Ask:

  • Does the organization still rely on uniform and reactive risk assessments?
  • Does the organization still perform audits and reviews the same way as in years past?
  • Has the organization introduced new technologies to enhance the internal audit function?
  • Is the organization able to leverage enterprise data efficiently to conduct risk assessments and continuous monitoring?
  • Is the organization positioned to respond to changing business process and IT risks associated with S/4HANA transformation?
  • Has the organization added resources and skill sets to addressed increased expectations from internal and external stakeholders?

While these questions are among the thought starters that will drive the planning processes, remember that controls are only good if designed appropriately and at the right time in the S/4HANA journey. It is very important to design and identify controls early in the process versus trying to fit them in later.

As for tools, there are a range of next-generation GRC tools and processes available. For example:

  • Data analytics provides insights into processes and validates completeness of data extracts
  • Process mining provides a complete understanding of all processes that are actually being followed
  • Controls testing focuses on exceptional processes that can often be less well-controlled
  • Data privacy and protection software from companies such as BigID help secure customer data and satisfy privacy regulations
  • A next-generation approach provides a vision for continuous monitoring that is focused on process changes.

We work closely with our clients to ensure that everyone is up to date with the latest S/4HANA releases and covered by the next generation SAP compliance and audit tools.

Regardless of where the organization is with the S/4HANA journey or internal controls roadmap, these steps are critical:

  • Ensure the chief information security officer (CISO) is an integral part of your S/4HANA transformation project
  • Emphasize building a secure culture: security is everyone’s responsibility!
  • Security and controls should be business process enablers, not just a compliance check box
  • A next-generation approach provides a vision for continuous monitoring
  • Plan ahead: avoid retrofitting the S/4HANA controls environment.

And finally, as the S/4HANA implementation begins, remember that security is a program and not just a team or module. Ultimately, the critical pieces make up a successful holistic program:

We like to say we’re living in the “age of ‘with’,” which essentially means, work WITH the right tools and work WITH the right people, following the right processes, and success will happen.

To listen to the entire SAP S/4HANA webinar series, click here. Or, visit Protiviti’s SAP consulting services page for more information on our solutions.

Manash Saha

Director
Enterprise Application Solutions

View all posts

Steve Toshkoff

Director
Business Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More