Guest Blog by: Vijan Patel, Director, Technology Consulting, Enterprise Application Services, Protiviti John Scaramucci, Associate Director, Technology Consulting, Enterprise Application Services, Protiviti
Click here to read the full blog on Protiviti’s web site
In today’s growing remote workforce, companies are faced with the challenge of scaling centralized authentication and user provisioning, while at the same time managing new or temporary assignments to accommodate for ill or quarantined employees’ workloads. Things change rapidly, and it may be tempting to bypass certain controls, but maintaining compliance is essential to managing security risks.
SAP’s commonly used access management tools, such as SAP Access Control, can help enable efficiencies in granting access to SAP environments without getting in the way of productivity. Speed of access provisioning needs to be an enabler and not a bottleneck to getting work done.
For users who require elevated or privileged access directly to end-user accounts, businesses need a way to provide this temporarily or on an extended basis, knowing that the access can be monitored and logged for further review.
Not every aspect of access can be automated (i.e., waiting on approvers and approvals required), but many can. For instance, the following aspects of an access provisioning workflow could be automated:
Automation can also be applied during periodic access reviews, which will occur especially if a business has a SOX compliance requirement. Terminations or job changes where access wasn’t removed during the normal course of business can be cleaned up using systems that automate the actions around these processes.
Use Continuous Monitoring Solutions to Quantify Actual Risk Exposure
Traditional detective controls for user access can be labor-intensive and time-consuming to perform, test and audit. These types of controls, such as manual reporting or transaction sampling, are often redundant and ineffective, and can even slow down a process or burnout employees. A good control acts as a caution or warning, indicating that a process may present a potential security risk or compliance issue. If defined with specific exception criteria, the control will identify the user or transaction and flag it for a manager or risk owner to evaluate further.
Good continuous monitoring controls aren’t limited to high risk events either; they can also be used to collect data on processes that show opportunities for improvement, in terms of optimizing for safety and efficiency. Reported exceptions can then be analyzed at a supervisor, compliance, or executive level, to allow for informed decision adjusting processes in the wake of resource and work environment changes. This approach lends itself nicely to a remote work landscape, by enabling standardization across access governance and control testing.
Solutions for continuous monitoring include:
Continue to Manage SAP Security Risks
Now is the time for businesses to revisit their approach to securing their application landscape. Clearer policy training and the right technical monitoring controls are key to staying secure with a virtual workforce.
As team members take on additional roles during the COVID-19 pandemic, now is not the time to get bogged down in manual access-management tasks. Instead, leverage access automation to streamline provisioning and firefighting processes. Security controls which utilize continuous monitoring solutions can be an enabler for business and audit processes, rather than an additional task that reduces efficiency.
Share
There is no escaping risk in today’s multi-application la...
The Securities and Exchange Commission's (SEC) new rules on...
The global shortage of skilled accountants has been making ...
Esteemed Colleagues in Internal Audit and Risk Management: ...