In order create a strong Cybersecurity program or to leverage an existing program for the benefit of securing the SAP Landscape, the first step is understanding the language used by Security Programs in general. One of the top road maps used to create a Cybersecurity program is the SANS Institute CIS Critical Security Controls. The SANS Institute is a research and educational organization focused on information security research and training. The recommendations made by SANS accepted world wide as the most important in the information security industry. Detailed explanations of each of the twenty critical controls are available at:
The controls ask important questions about connectivity, users, vulnerability assessments, maintenance, defenses, services, disaster recovery, data protection and security, penetration testing, and incident response. It is appropriate to levy these questions against an entire IT infrastructure, but the same questions should be drilled down into the application layer. Over the next few weeks we are going to publish a series of blog articles looking at each of the critical controls and discussing the application to the SAP landscape.
In this article we will start with the following two:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
Authorized devices make sense, but how do unauthorized devices gain access to the SAP landscape? With the growth in the use of web based access to SAP via portal, reporting, HANA, FIORI and other HTTP delivered content, as well as the growth of NetWeaver Business Client (NWBC), more types of devices can connect to the SAP environment. Bring your own device policies allowing users to utilize personal computers and mobile devices for business use takes the control of the platform interacting with the SAP environment out of the hands of the IT department and introduces new risk into the landscape. Virus, Botnets, Worms, Hackers may already have access to these unauthorized or unmanaged devices, and the opportunity to drill into the SAP data.
Authorized software makes sense, but how does unauthorized software gain connectivity to the SAP landscape? All companies have a certain level of 'shadow IT'. Business areas running IT projects in order to solve a business need. These projects can create connectivity to the SAP landscape for data augmentation, cloud based access, remote access for consultants and whatever software they implement, along with many other scenarios. Projects like these give external access to SAP that goes through an Remote Function Call (RFC) connection that may have very broad access. If the ID associated to the RFC connection has expansive access in the system, then the content of the system is at risk and the ability for malicious code to be injected into the server increases.
These two controls are applicable at the overarching IT Architecture level, but also at the SAP Landscape level. In our next article we will talk about secure configurations and continuous assessment and monitoring.
Historically Enterprise Resource Planning (ERP) implementations have been secure inside the firewall but interconnectivity and data enrichment needs have evolved the threat matrix. Security Managers, Auditors and Compliance Managers need to look deeper than classic segregation of duties and Sarbanes Oxley (SOX) requirements when analyzing risk. The dialogue has recently expanded to include inquiry into how SAP, PeopleSoft, JD Edwards and other ERP software implementations can be folded into an overall Security or Cybersecurity Program. These large scale ERP software packages are the backbone of corporations, governments and supply chains across the world. They manage everything from human resources, financials, production creation and delivery, customer maintenance and archival.
Connectivity to internal ERP software has increased and the network firewalls and perimeter no longer defend the application. Cloud connectivity and data enrichment through sales, purchasing, human resource management and other applications in the cloud are new avenues for hackers. Mobile devices accessing core ERP data and the need for portions of the application to be available to the internet have opened new vulnerabilities. The risk to corporate intellectual property, customer, vendor and employee critical data is high and knowledge of how to protect against threats is low. Organizations need to understand and respond effectively step ahead of the hackers and protect the business critical data housed in ERP systems. Education and security are critical in order to reduce risk and train staff to maintain a Cyber Secure ERP implementation. Application level security is not the hot topic that chasing hackers on the network is, but it's a vital component of an overall Cybersecurity program.
The next generation of Cybersecurity Leaders will need to take a holistic view of the threat matrix; including network, firewall, server, application, and user level risks into account. A secure environment starts with strong and enforceable security policies, threat detection and response, patch and upgrade programs, and access management processes.
Many times consultants prescribe a role redesign for all your SAP security problems. In fact these are by far the most lucrative for consultants and not the clients. Many times the architecture is changed and new issues arise with the new role design structure. In the case of a large food processing company, the security process suffered from many years of fulfilling all requests using the model user approach. In this case, users acquired their access quickly however, the access contained multiple roles and excessive access needs. In addition the number of roles grew and exceeded the number of users. This became a maintenance nightmare as well as high-risk excessive access risks for both sensitive and powerful transactions from a control and audit perspective.
Because years of changes had resulted in multiple layers for user access, determining role changes and getting roles to be risk free was a monumental task. In addition, there was a need to revamp the security request process to avoid risks and excessive access on a pro-active basis. A parallel process to implement a new process using the GRC Access Request Management (ARM) process and a task based role design was initiated. The revamped process provides a leaner role population closer aligned with access needs. The task names are easily identified by business users and replace the risk prone “model” user approach.
A pilot of the approach was undertaken with three business areas. This enabled us to complete the proof of concept and to determine the benefits for an enterprise wide roll out. There was one global department, one with multiple areas located in the headquarters, and one group with multiple geographic locations. An Analysis of transaction usage among the users in each of the groups was used to determine necessary transactions. In addition controls by organizational areas where necessary were also analyzed from transaction history. A comparison of the new accepted, tested roles revealed a 44% reduction in access and 100% removal of access risks.
Most customers usually react when a new version of their product is available and while there are technical and business reasons to act on new versions, the question is always raised, “How does this add value?” The obvious reason is to maintain support for the product so you can get bugs and fixes when they arise. However our experience has produced several ways to improve the value you can gain on an upgrade. There are three cases and examples that might apply to you. Consider these items while building your case for an upgrade project.
Implement new features with the upgrade and eliminate manual processes
One customer had the bare bones SoD analysis and emergency access features of their GRC operating. However, most products have components that enable customers to automate their user access reviews and automate the security request process. In this case the additional functionality was added to the upgraded system and enabled the customer to reduce expensive manual methods for resolving manual analysis and mitigation options. They also replaced the arduous manual access certification process.
Rethinking how things operate
Sometimes the chance to upgrade provides the opportunity to ask how can we make our current process more efficient. Or in this case, can we use the upgrade to resolve some repetitive audit issues. There was currently no formal process to approve mitigating controls used to resolve SoD conflicts. As a result mitigating controls were often used to eliminate conflicts however, auditors found the procedures mentioned were not followed. In addition, many acquisitions and reorganizations had made the process even more complex because many changes to roles and assignments often created more conflicts. The existing reorg and consolidation process was not expected to change. In this case, there were limited resources to keep up with security changes and also resolve conflicts among users in a timely manner. By implementing the provisioning features with the upgrade, the team was able to use the feature to keep up with organization changes as well as automate a standard approval process for resolving conflicts.
Improving Rule Maintenance Process
The realization that GRC is not a project but a journey came to a customer who had not done anything to their rules since their initial installation project was implemented 2 years earlier. Unfortunately the implementer had not included a maintenance process to keep their business rules for access updated with business and technical changes. As a result the rule set had no custom transactions or new transactions incorporated since their initial project was over. There was no process in place to identify the magnitude of new transactions or business changes. In some cases there were important changes made and significant risks were not being identified. An upcoming audit started to raise the priority of this issue. When the upgrade was performed, the rule set was analyzed and updated. In addition, a rule maintenance process was put in place which enabled them to avoid audit deficiencies and keep up with business and technical changes in the future without consulting support.
Well the news is full of replays of the Ray Rice Video. Just a few months ago it was the replay of LA Clippers owner, Donald Sterling, discussion with his girl friend. In both cases the commissioners were forced to decide on the best punishment or position appropriate to save face to the public. The news media frenzy was full of opinions and analysts were busy to second-guess the decisions. And even other players get in trouble tweeting their opinions about the deplorable actions taken by the player or owner. There is no doubt in my mind that players’ are educated when they come into the league about how to protect their financial assets from scammers and what the rules for attending practices etc. Each of the teams do this to avoid loosing the services of personnel as well as making sure they are able to focus on the right things. Most of the behavior is predictable. So I ask why isn’t the negative behavior predictable? Seems as though organizations need to assess what the bad behavior is and make it well known what the costs are to owners as well as players. Why should this be one poor Commissioner’s choice? This is a good way to lead a Commissioner who is serving owners to failure.
A more pro-active approach would be to establish both positive and negative behaviors that will be acceptable and unacceptable. In addition the rewards or punishment appropriate for each should be derived as a policy so the decision doesn’t become a case-by-case issue. I know the Green Bay Packers take extra caution to research the characters of proposed players before they are added to a roster. The reason is because they don’t want the close-knit relationship to their hometown fans compromised. It is hard to injure the value of this very popular entertainment monopoly, but if incidents continue the devaluation could be huge. These instances are not new but now accentuated by our social media and news media thirst for emotional and controversial stories. Until the incentives and penalties are clear, negative publicity will continue to injure the organizations value.
This same issue could be also applied to organization that have disastrous events occur in their public domain. Biggest recent example is the huge oil spill of BP. They are now trying to repair the damage by telling the people about all the jobs they create as a result of their business. This doesn’t even approach the number of jobs that were destroyed when their imprudent judgment on well testing led to the biggest offshore disaster yet. They also experience other life threatening events at plants in Texas like refinery fires, explosions etc. This disregard for the environment will cost organizations. Organization leadership could avoid problems by building a behavioral ethics program. The pro-active program can avoid negative impact and at the same time improve performance by reinforcing the right behavior and penalizing the negative behaviors.
The time has come for all good leaders to come to the rescue and make pro-active ethics policy and programs a higher priority in organizations! I think it exists in organizations, which we don’t hear about on the news!!!
Many customers have been looking for the magic formula for their SAP Security Design. How can we give what is necessary but avoid Segregation of Duty conflicts and lots of maintenance work? This seems to be the magic question. This customer has tried many routes. The first was to use the SAP delivered roles. Certainly these have been developed with some insight to common tasks used by many companies. However, much to their surprise, these were quick and dirty roles developed to get quickly over the security hurdles in an implementation. As a result many SoD violations exist and in many cases the roles contain excessive access and make the maintenance process even harder.
The next magic formula sought out by this customer was to set up common job related roles. The idea was to match the access performed by people in the same job area so one role could be utilized by many people performing the same job. However over time many jobs are the same however, the activities often vary by person. There are many people who maybe assigned a job but get variable assignments for special projects or ad hoc activities as they arise. The standard role gets modified to meet these requirements and slowly but surely the number of roles grows because a special role is built for these situations to accommodate the individual needs. While some of these could be made a part of the standard role, many times they are unique and not appropriate for others. As a result, role creep sets in and now special activities or one-time assignments make the roles unique to the user. And the number of roles grows and grows and often gets to be more roles than users to maintain. Access limits may also make the roles different by job for the company codes or plant limitations that need to be added. One popular trend was to make a separate role for each plant or company code. Then each role was added to a person’s standard roles rather than making them unique to the users in that area. This has proven to be very complicated for some companies and creates some segregation of duty discovery issues.
The final approach taken was to have the business areas identify the major tasks that needed to be done and then organize roles based on the tasks the users needed. Many of the tasks could be equivalent to one transaction. This provided a lot of roles and the selection process for managers and users required quite a bit of training and intuition to make sure the right ones were selected for new users.
When the customer described their problems, there was a consultant ready for the answer. And after spending over $1 million, what the customer concluded is there are no “silver bullets” to solve these issues. There are just solid processes that need to be followed to create, change and test roles. And in most cases there wasn’t one right way, but a combination that was required.
After completing one of our projects, the customer was amazed that the project was actually completed in the original time frame. And many customers finish a project and then talk to another customer and find out that it was done in less time. But all customers are different, they say! Here is a story about a customer who did not do their homework before embarking on their upgrade project. In fact the company hired the least costly alternative. The project was completed but seemed to drag on and on. On the next upgrade, the customer started to look at independent consultants in addition to the familiar big firms. At first glance the independent consultant’s rate per hour was almost as high. However, the experience and know-how of the consultant required much less time to accomplish the upgrade. And there was only one resource not multiple resources. There were several firms who also quoted multiple resources. However, the project required only one resource and less time with the Smart Independent Consultant. The customer hired the independent consultant and remarked how quickly and inexpensively it was accomplished compared to the last upgrade.
We have seen variance in estimates for upgrades from $85,000 to $225,000. There is no difference in scope but do the rates really matter here?
The moral of the story is the firms who do their homework and get a good handle on how much time is required for a task will spend less money and have a better chance of succeeding. Working smarter enables the customer to get more for their money. The more the customer knows about the task , the better, because there are two factors at work the rate and the time to complete.
What is your experience with GRC AC implementations / upgrades? Did you require multiple consultants? Was the project completed in weeks or years?
This week I am giving one example of a customer who had unexpected audit findings on their existing GRC implementation. Many companies treat their GRC journey like a project. However, we know it is a journey and in need of ongoing processes to provide regular maintenance and enhancements to sustain alignment with changes in the business and technology deployment. In the absence of these ongoing processes, the customers’ rules, and procedures can become outdated.
In this case, their external auditors identified insufficient rules for Segregation of Duty and Critical Access monitoring. Some of the rules contained irrelevant risks and in other cases custom transactions and new transactions were not reviewed or evaluated for relevance. In addition, there were instances when users were shown with risks that were not correct. In these cases the standard rule set delivered by SAP had not been adequately tested. And changes were not documented or justified.
The rule deficiency led the auditors to challenge the analysis and they found erroneous results. Some risks were being erroneously reported. In addition, there were thousands of mitigating controls which had been created for risks. Many of these were found by audit to be bogus or not being executed. The mitigating controls were responsible for suppressing many legitimate risks from reports.
Rule Maintenance and Mitigating control processes are two important processes on most audit checklists. So don't get surprised!
After 18 months we are continuing to see progress at introducing our unique ways to differentiate ourselves from our competitors. This is another way. Not blogging on our opinions but rather results. We are starting a series of blogs this year to encourage discussions among customers. While starting to design this year’s content, I read many blogs. Company sites spend a lot of time on marketing spin and sales information. Then there are the career analysts that use their blogs to expose their opinions and lure new customers. Our blog is not about opinions or our services. We are going to talk about actual customer experiences. In my travels to over 200 customers, the one thing that interested all customers the most was to hear about what other customers were doing or experiencing. “Customer Results” is our theme for 2014.
Our series in 2014 will focus on real customer experiences. Actual results and problems will be described so you can use the information, comment, question or just share with others.
What is the business case for an Upgrade to SAP GRC 10?
Like many customers, this customer was on an older version of SAP GRC and their maintenance was to expire in 2014. The customer was faced with either paying a higher extended maintenance fee to stay on the existing version or upgrade to the newer version and pay the regular maintenance fee. In fact, the oldest version for some customers on the “Virsa” 4.0 version will no longer be supported as of December 2013. For the 5.x versions, the approximate increase in annual fees for extended maintenance amounts to about $3,000 per $100,000 of license costs for most customers. Taking this into account upgrading to the new version avoided an increased license cost of up to $40,000. This was the first part of their business case for their upgrade project.
In addition, there were two overdue tasks, which had been ignored but were necessary to bring their system up-to-date. One was the addition of custom transactions, which were added to their system, into their SoD matrix. Best practices call for this to be part of the change management process so new transactions can be added as they are implemented. However, there were many that had occurred since the original installation and catching up would take quite a bit of research and testing time. The approximate cost for research and testing were $300 per transaction based on internal IT and Business personnel costs. In this case there were 20 transactions and would make the cost $6,000.
Another area, which required some updating, was mitigating controls. Another best practice process is to provide a regular cycle to review mitigating controls to ensure they are still adequate to cover the users who have to execute SoD transactions. This is an area, which gets scrutinized during external audits. Common findings during audits often are mitigating control is ignored or inadequate for the risks. In addition, auditors are looking at controls over the rule changes. In the new version there are automated steps, which help track and approve rule changes. And the review and updating of mitigating controls could amount to $500 per mitigating control based on the internal costs of both IT and business personnel’s time to review and update. And the review of existing rules could involve at least a week and drafting a process for change control. Another key aspect is the integration with Process Control for mitigating controls. Older versions required duplicate maintenance for SoD mitigating controls. However, many times these are the same controls. And if Process Control is implemented the validation of the controls periodically is done as a regular part of the internal control testing. Another manual task for maintenance eliminated.
So both mitigating control reviews and rule change tracking are essential to pass upcoming audits. The internal costs associated with the review and updating of these two issues based on internal costs, which could be avoided and completed as part of the upgrade. The following were the principal costs against which the Return on Investment from an upgrade could be calculated:
Extended Maintenance Costs: $40,000
Rule Review, Enhancements for Custom transactions: $11, 000
Mitigating Control review and updating: $50,000
These costs will be higher the bigger the organization. The factors are the number of rules, and mitigating controls. Other customers may want to look at these costs when deciding to justify their upgrade to their management. Some of the same metrics apply to companies who have older versions on Process Control as well. Perhaps there are other costs that you might suggest to others as well. Please do so by posting a comment!
What is in your 2014 Budget?
It is that time of year when organizations are putting together plans for next year. Undoubtedly, what ever you wish for will be too much and in some cases you will be asked to do more with less. These seem to be the major factors everyone faces. I would like to take this opportunity to remind you some of the ways we can make you get more productivity for less money.
This is a unique service, which allows clients to leverage our knowledge and experience in order to augment their internal resources. The first situation is a major project that is new to you and your staff. In Many cases the best first step is education and planning. The best source to avoid pitfalls is to engage an expert and allow them to help you plan what the right next steps or projects. The insight from professionals who have already performed many successful projects will make sure you don’t waste valuable time learning as you go.
The second situation is having a project in place but just doesn’t seem to be getting to the finish line. Many projects involving consultants find the time just seems to go by but the desired results are short of what your expectations were. Or another scenario is the project was to resolve an issue but it reappears again and again regardless of the time and resources applied to resolve the issue. I place role redesigns often in this category. The sliver bullet approach promised by the consultant seemed right on but a short time after the completion the same symptoms reappear. For this situation, many times our advisory can enable you to perform the work and sustain the solution by addressing the process and design aspects of the solution rather than the technical symptoms.
The following are services we suggest you consider to conserve your budget dollars and maximize the utilization of your internal staff so you can sustain the process without continuous consultant fees.
Audit Assistance - Many Governance Risk and Compliance programs have been in place for many years. Most were in response to reported audit deficiencies. However, how well are these programs being maintained? In many cases, after their initial implementations were completed, only cursory inspections have been done, if any. Audit departments should make this a part of their audit universe. With expert assistance, key configurations and inspections can be identified without technical training to ensure the program is sustaining the organization’s promises for effective compliance assurance.
Training and assistance in building audit steps for key areas can be done using blocks of hours. The background and knowledge of the products as well as the technical areas can be supplied new staff members and assisting them will help establish some worthwhile audit programs which benefit the organization.
C0- Sourcing Projects– If there is a major project in your Governance Risk and Compliance area, we offer the alternative of supplying the project support to provide expert guidance in planning and answering technical or logistic issues as they might occur throughout the project. We believe this is a more cost effective way to complete the project as well as make sure the internal staff has the knowledge to maintain the processes after completion.
Fast Track Implementations – Many organizations are either upgrading or installing new GRC systems. We believe the traditional consultant approach is much too long and expensive. We accelerate the process by completing the steps on a pilot and then documenting the necessary processes and methods so internal staff can accomplish the rollout to other locations or systems. If necessary, advisory time for answering intermittent issues and questions can be used to support the rollout process as well.
In summary, we believe the traditional approach by big name consulting firms can be big budget eaters and make you consultant dependent instead of self-sustaining. Please consider the following for your 2014 budget needs. Contact us if you have any questions:
•Advisory Services == Get insight from the people who use the products not the people that sell the products,
•Implementations == Get your SAP GRC upgraded with Fast-Track Implementation,
•Training – Valuable SAP training you can apply and get CPE credits at the same time.
•Project Services – Professional IT infrastructure and project management outsourcing.