Technology Insights HOME | Perspectives on Technology Trends

Technology Insights HOME

Perspectives on Technology Trends

Search

ARTICLE

2 mins to read

Maintaining an SAP Access Governance Center of Excellence

Many companies are balancing multiple IT projects simultaneously, promoting innovation and automation,...
Kyle Wechsler

Managing Director - Business Platform Transformation

Pragya Bharara

Associate Director - Business Platform Transformation

Views
Larger Font
2 minutes to read

This is an update of a blog originally posted in 2021, Establishing a Successful SAP Identity Access Governance Center of Excellence.

Many companies are balancing multiple IT projects simultaneously, promoting innovation and automation, and striving towards an optimal and secure SAP landscape. Often, governance is an afterthought to ensure the organization understands the results of a project and can continue the process going forward. Decisions are made ad hoc, and the results can potentially lead to security breaches, audit issues or other business risks.

So, what’s the solution? A broader identity access strategy. Identity access management (IAM) governance is a key component to safeguarding digital assets. For companies that heavily rely on SAP applications, establishing an SAP IAM center of excellence (COE) is essential to maintaining an effective security and controls environment.

The COE should be established to perform these three key governance activities:

Establish a strategic vision

  • Define a strategic vision for the COE that aligns with the organization’s risk tolerance and business requirements.
  • Assess the effectiveness of the current SAP Identity Access Management and Security and Controls landscape with actionable steps to improve.
  • Establish key performance indicators (KPIs) that enable the governance committee to manage the governance process.
  • Establish and document policies and procedures that drive clear SAP Security and Controls standards. Periodically communicate those procedures to applicable parties to ensure those standards are enforced.

Identify COE stakeholders

  • Establish the COE governance organization, including executive sponsor, governance committee members, governance lead and team and consulted parties.
  • Determine and document key roles and responsibilities within a RACI matrix, which includes obtaining stakeholder buy-in on those roles.

Perform ongoing monitoring activities

  • Determine key risks and mitigation plans to ensure effective governance over SAP security and controls that align with the overall identity access strategic vision.
  • Schedule governance committee meetings to cover key discussion points supported by relevant KPIs and follow up on any action items.
  • Monitor for continuous improvements (including evaluation of new tools in the market, increased automation and integrations) to cover operational efficiencies and organizational risks.

Establishing and monitoring the right KPIs are critical to success. The following are several examples to monitor regularly for trends:

  • Count of users and roles with high-risk segregation of duties (SoD) and sensitive access (SA) conflicts – Using SAP GRC to monitor SoD and SA conflicts, ensuring roles are SoD conflict-free and user-level SoD/SA conflicts are limited to appropriate personnel/departments.
  • Timely review of privileged access and elevated user activity – Ensuring privileged access is reviewed periodically and elevated/firefighter activity reviews are completed within the time frame agreed upon with audit.
  • Count of outstanding UAR requests – Using SAP GRC to monitor and report on the completion of periodic user access reviews.
  • Service level agreements (SLAs) for user access assignment and escalations – Monitoring the time required from access request creation to assignment, and number of access requests escalated during a period.
  • Validity of governance policies and procedures – Monitoring the validity of governance policies and expiration of controls to ensure all policies and procedures are up to date.
  • Governance training completion percentage – Monitoring of training and enablement from a business user perspective.

Mature organizations have a solid governance strategy. An SAP IAM center of excellence ensures the SAP landscape is effectively maintained. The processes, risks, and controls are managed consistently, allowing for more congruent business operations as well as manageable audit cycles.

To learn more about our SAP consulting services, contact us.

Was this article helpful to you?

Thanks for your feedback!

Subscribe to the Tech Insights Blog

Stay on top of the latest technology trends to keep your business ahead of the pack.

In this Article

Find a similar article by topics

Authors

Kyle Wechsler

By Kyle Wechsler

Verified Expert at Protiviti

Visit Kyle Wechsler's profile

Pragya Bharara

By Pragya Bharara

Verified Expert at Protiviti

Visit Pragya Bharara's profile

Sara Kenn

By Sara Kenn

Verified Expert at Protiviti

Visit Sara Kenn's profile

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

The upstream oil and gas industry is characterized by complex operations and significant financial transactions. SAP S/4HANA supports these operations...

Article

What is it about

Growth is good. But too much of a good thing can present challenges to any well-established business. In this case,...

Article

What is it about

SAP Datasphere, previously known as SAP Data Warehouse Cloud, represents a significant evolution in data management and analytics solutions offered...