SAP

Maintaining an SAP Access Governance Center of Excellence

Kyle WechslerPragya BhararaSara Kenn
September 4, 2024
3 min read

This is an update of a blog originally posted in 2021, Establishing a Successful SAP Identity Access Governance Center of Excellence.

Many companies are balancing multiple IT projects simultaneously, promoting innovation and automation, and striving towards an optimal and secure SAP landscape. Often, governance is an afterthought to ensure the organization understands the results of a project and can continue the process going forward. Decisions are made ad hoc, and the results can potentially lead to security breaches, audit issues or other business risks.

So, what’s the solution? A broader identity access strategy. Identity access management (IAM) governance is a key component to safeguarding digital assets. For companies that heavily rely on SAP applications, establishing an SAP IAM center of excellence (COE) is essential to maintaining an effective security and controls environment.

The COE should be established to perform these three key governance activities:

Establish a strategic vision

  • Define a strategic vision for the COE that aligns with the organization’s risk tolerance and business requirements.
  • Assess the effectiveness of the current SAP Identity Access Management and Security and Controls landscape with actionable steps to improve.
  • Establish key performance indicators (KPIs) that enable the governance committee to manage the governance process.
  • Establish and document policies and procedures that drive clear SAP Security and Controls standards. Periodically communicate those procedures to applicable parties to ensure those standards are enforced.

Identify COE stakeholders

  • Establish the COE governance organization, including executive sponsor, governance committee members, governance lead and team and consulted parties.
  • Determine and document key roles and responsibilities within a RACI matrix, which includes obtaining stakeholder buy-in on those roles.

Perform ongoing monitoring activities

  • Determine key risks and mitigation plans to ensure effective governance over SAP security and controls that align with the overall identity access strategic vision.
  • Schedule governance committee meetings to cover key discussion points supported by relevant KPIs and follow up on any action items.
  • Monitor for continuous improvements (including evaluation of new tools in the market, increased automation and integrations) to cover operational efficiencies and organizational risks.

Establishing and monitoring the right KPIs are critical to success. The following are several examples to monitor regularly for trends:

  • Count of users and roles with high-risk segregation of duties (SoD) and sensitive access (SA) conflicts – Using SAP GRC to monitor SoD and SA conflicts, ensuring roles are SoD conflict-free and user-level SoD/SA conflicts are limited to appropriate personnel/departments.
  • Timely review of privileged access and elevated user activity – Ensuring privileged access is reviewed periodically and elevated/firefighter activity reviews are completed within the time frame agreed upon with audit.
  • Count of outstanding UAR requests – Using SAP GRC to monitor and report on the completion of periodic user access reviews.
  • Service level agreements (SLAs) for user access assignment and escalations – Monitoring the time required from access request creation to assignment, and number of access requests escalated during a period.
  • Validity of governance policies and procedures – Monitoring the validity of governance policies and expiration of controls to ensure all policies and procedures are up to date.
  • Governance training completion percentage – Monitoring of training and enablement from a business user perspective.

Mature organizations have a solid governance strategy. An SAP IAM center of excellence ensures the SAP landscape is effectively maintained. The processes, risks, and controls are managed consistently, allowing for more congruent business operations as well as manageable audit cycles.

To learn more about our SAP consulting services, contact us.

Kyle Wechsler

Managing Director
Business Platform Transformation

View all posts

Pragya Bharara

Associate Director
Business Platform Transformation

View all posts

Sara Kenn

Senior Manager
Business Platform Transformation

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
13 Sep

What’s one of the first steps to ensuring a successful transition to #cloud #modernization? Find out why Protiviti’s Kim Bozzella tells @Forbes that organizations should first conduct a thorough review of the current application state. https://ow.ly/GWnO50TlgsB #ProtivitiTech

Reply on Twitter 1834653642671943832 Retweet on Twitter 1834653642671943832 Like on Twitter 1834653642671943832 Twitter 1834653642671943832
protivititech Protiviti Technology @protivititech ·
13 Sep

#Cybersecurity leaders will learn how to effectively communicate their needs to business decision-makers and board members during this Protiviti webinar on Oct. 3, 2024. Register today! https://ow.ly/SKhf50Tlctv #ProtivitiTech

Reply on Twitter 1834623669366133212 Retweet on Twitter 1834623669366133212 Like on Twitter 1834623669366133212 Twitter 1834623669366133212
protivititech Protiviti Technology @protivititech ·
13 Sep

Keeping up with PCI compliance isn't just our 'card'io routine, it's the key to securing our transactions marathon! Hope you were able to connect with our team during the PCI Community Meeting in Boston. #PCICompliance #PCICommunityMeeting

Reply on Twitter 1834594016832233545 Retweet on Twitter 1834594016832233545 Like on Twitter 1834594016832233545 Twitter 1834594016832233545
protivititech Protiviti Technology @protivititech ·
12 Sep

Understand the potential hidden costs that may arise during ERP transformation and how to incorporate contingency into budget planning to avoid unexpected expenses or shortages. Read more from Protiviti’s Technology Insights: https://ow.ly/KsFa50TliUE #ProtivitiTech

Reply on Twitter 1834261382369325131 Retweet on Twitter 1834261382369325131 Like on Twitter 1834261382369325131 1 Twitter 1834261382369325131
protivititech Protiviti Technology @protivititech ·
10 Sep

After a seven-year process, #NIST has released the first standards for post-quantum cryptography. What does it mean for your organization? Join Protiviti's @KonstantHacker for a wide-ranging PQC primer chat with Dustin Moody of @NIST. https://ow.ly/S3r050Tkwql #ProtivitiTech

Reply on Twitter 1833603888118722787 Retweet on Twitter 1833603888118722787 Like on Twitter 1833603888118722787 Twitter 1833603888118722787
Load More