This is an update of a blog post originally published in 2021, "Establishing a Successful SAP Identity Access Governance Center of Excellence."
Many companies are balancing multiple IT projects simultaneously, promoting innovation and automation, and striving towards an optimal and secure SAP landscape. Governance is often an afterthought, even though it is what ensures the organization understands the results of a project and can sustain the process going forward. Decisions are made ad hoc, and the results can lead to security breaches, audit issues or other business risks.
So, what's the solution? A broader identity access strategy. Identity access management (IAM) governance is a key component of safeguarding digital assets. For companies that rely heavily on SAP applications, establishing an SAP IAM center of excellence (COE) is essential to maintaining an effective security and controls environment.
The COE should be established to perform these three key governance activities:
Establish a strategic vision
- Define a strategic vision for the COE that aligns with the organization’s risk tolerance and business requirements.
- Assess the effectiveness of the current SAP identity access management and security and controls landscape, and define actionable steps to improve it.
- Establish key performance indicators (KPIs) that enable the governance committee to manage the governance process.
- Establish and document policies and procedures that drive clear SAP Security and Controls standards. Periodically communicate those procedures to applicable parties to ensure those standards are enforced.
Identify COE stakeholders
- Establish the COE governance organization, including executive sponsor, governance committee members, governance lead and team and consulted parties.
- Determine and document key roles and responsibilities within a RACI matrix, which includes obtaining stakeholder buy-in on those roles.
Perform ongoing monitoring activities
- Determine key risks and mitigation plans to ensure effective governance over SAP security and controls that align with the overall identity access strategic vision.
- Schedule governance committee meetings to cover key discussion points supported by relevant KPIs and follow up on any action items.
- Monitor for continuous improvement opportunities (including evaluation of new tools in the market, increased automation and integrations) that address operational efficiencies and organizational risks.
Establishing and monitoring the right KPIs is critical to success. The following are several examples to monitor regularly for trends:
- Count of users and roles with high-risk segregation of duties (SoD) and sensitive access (SA) conflicts – Using SAP GRC to monitor SoD and SA conflicts, ensuring roles are SoD conflict-free and user-level SoD/SA conflicts are limited to appropriate personnel/departments.
- Timely review of privileged access and elevated user activity – Ensuring privileged access is reviewed periodically and elevated/firefighter activity reviews are completed within the time frame agreed upon with audit.
- Count of outstanding UAR requests – Using SAP GRC to monitor and report on the completion of periodic user access reviews.
- Service level agreements (SLAs) for user access assignment and escalations – Monitoring the time required from access request creation to assignment, and number of access requests escalated during a period.
- Validity of governance policies and procedures – Monitoring the validity of governance policies and expiration of controls to ensure all policies and procedures are up to date.
- Governance training completion percentage – Monitoring of training and enablement from a business user perspective.
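As an added illustration that is not part of the original post and not SAP GRC code, the following Python computes the first KPI above over constructed data: roles that are not SoD conflict-free (both functions of a rule inside one role) and users whose combined roles create an SoD conflict, with business-accepted mitigations excluded from the open count. Rule IDs, role names, function names and user names are all made up.

```python
# Constructed SoD ruleset: each rule names two business functions that
# must not be held by the same person. Not a real SAP GRC ruleset.
SOD_RULES = {
    "PR01": ("CREATE_VENDOR", "PAY_VENDOR"),
    "PR02": ("CREATE_PO", "APPROVE_PO"),
}

# Constructed role-to-function mapping (in SAP terms, what each role's
# authorizations let a user do).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR"},
    "Z_AP_PAYMENTS": {"PAY_VENDOR"},
    "Z_PURCHASER": {"CREATE_PO"},
    "Z_PO_APPROVER": {"APPROVE_PO"},
    "Z_AP_ALL": {"CREATE_VENDOR", "PAY_VENDOR"},  # conflict inside one role
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # conflict only via combination
    "bob": {"Z_PURCHASER"},
    "carol": {"Z_AP_ALL"},
    "dave": {"Z_PURCHASER", "Z_PO_APPROVER"},
}

# Constructed (user, rule) pairs the business has formally mitigated.
MITIGATIONS = {("dave", "PR02")}


def violated_rules(functions):
    """Return the IDs of SoD rules whose two functions are both present."""
    return {rid for rid, (a, b) in SOD_RULES.items() if a in functions and b in functions}


def role_conflicts(role_functions=ROLE_FUNCTIONS):
    """Roles that are not SoD conflict-free, mapped to the rules they violate."""
    return {r: v for r, f in role_functions.items() if (v := violated_rules(f))}


def user_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, mitigations=MITIGATIONS):
    """Users with open (unmitigated) SoD conflicts across all their roles."""
    out = {}
    for user, roles in user_roles.items():
        functions = set().union(*(role_functions[r] for r in roles))
        open_risks = {rid for rid in violated_rules(functions) if (user, rid) not in mitigations}
        if open_risks:
            out[user] = open_risks
    return out


def sod_kpi():
    """The KPI values a governance committee would trend over time."""
    return {"roles_with_sod_conflicts": len(role_conflicts()),
            "users_with_open_sod_conflicts": len(user_conflicts())}
```

Tracking the two counts separately matters: a role-level conflict is fixed by redesigning the role, while a user-level conflict is fixed by removing an assignment or documenting a mitigation.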
Mature organizations have a solid governance strategy. An SAP IAM center of excellence ensures the SAP landscape is effectively maintained: processes, risks and controls are managed consistently, allowing for more consistent business operations as well as manageable audit cycles.
To learn more about our SAP consulting services, contact us.