Companies are often so focused on reaching an optimal, secured environment across their SAP business applications and information systems landscape that they overlook the importance of connecting it to a broader identity access strategy and establishing the governance policies and ongoing processes needed to meet business, legal, security, risk, compliance and other organizational needs. A simple Google search quickly reveals many household brands with recent security breaches that, more often than not, resulted from inappropriate internal or external access to enterprise applications and data. This begs the question: “how did these companies get it so wrong?”
Identity access management (IAM) governance is a key component of safeguarding digital assets. For companies that rely heavily on SAP (ERP) applications, establishing an SAP IAM center of excellence (COE) is essential to keeping a “clean” security and controls environment. The COE concept goes beyond SAP GRC and security role (re)design implementation projects and should include:
- A strategic vision for the COE that aligns with business requirements and risk tolerance
- Establishing the SAP identity access COE governance organization, including executive sponsor, governance committee members, governance lead and team and consulted parties
- Establishing key performance indicators (KPIs) and metrics that enable the governance committee to manage the governance process
- Documented and signed-off roles and responsibilities, including the time commitment expected of governance organization members
- Policies that make SAP security and controls standards clear, as well as documented and communicated procedures to enforce those standards
- Honest assessment of the effectiveness of current SAP identity access management and security and controls trainings and actionable steps to improve future trainings
- Ongoing determination of key risks and mitigation plans to ensure effective governance over SAP security and controls that align with the overall identity access strategic vision
- Ongoing governance committee meetings to cover key discussion points, supported by a snapshot of relevant KPIs/metrics data, etc., and following up on any action items thereafter
- Ongoing monitoring for continuous improvement, including evaluation of new tools on the market, further automation and integrations, etc., to address operational efficiencies and organizational risks
Any good executive knows the importance of KPIs as a basis for decision-making and a mechanism for measuring what gets done. This is no different when governing an SAP (and non-SAP) IAM environment. The following are a few examples of key categories of KPIs that the COE should consider and monitor regularly for trends:
- Overall SAP security landscape – Foundational visibility into overall metrics such as the number of active SAP users, SAP master roles, activated Fiori applications/tiles, custom programs/transactions, etc.
- Segregation of duties (SoD) / sensitive access management – Using SAP (GRC) Access Control to understand the SoD environment including the number of roles with high-risk conflicts, unmitigated SoDs, tolerance for mitigating controls effectiveness, etc.
- Role management – Monitor and measure whether roles stay free of inherent risks/conflicts, SLAs for the creation of and changes to SAP roles, etc.
- User provisioning – Establish service level agreements (SLAs) (e.g., an end-to-end KPI for create, change and remove requests) and escalation criteria for the user provisioning process
- Elevated temporary access – Principles for granting temporary access to privileged SAP permissions, and principles for ensuring management reviews that access for appropriateness after the fact
- User access review – Monitoring of controls for the effectiveness of periodic user access reviews performed by management (e.g., number of outstanding UAR requests, SLA for completion, etc.)
- GRC tool maintenance/ change management – KPIs for ensuring that SAP GRC tools are kept updated and relevant (e.g., total number of SoD policies, and mitigating controls set to expire in the next three months, etc.)
- Governance (policies and procedures, training, communication) – Monitoring of training and enablement from a business user perspective
As one example of how KPIs help steer the security environment, we recently began working with a technology manufacturing giant to address its SAP user-level SoD conflicts and learned that there was no clear company-wide KPI for the accepted level of known issues (e.g., a target of 80 percent of users being conflict-free, or another target). Once the steering committee weighed in on the expected proportion of SAP users with conflicts, this set the tone for any needed remediation discussions and significantly reduced the time required from the business.
At Protiviti, we have developed an extensive library of key and non-key SAP access management governance KPIs (many captured as snapshots by RPA bots working with SAP GRC, etc.). In addition, our Digital Identity practice spans many solutions (such as SailPoint, CyberArk and Okta), which serves as a key integration point with our clients’ overall IAM strategies.