For one of our customers, TICTAC Services recently performed a SAP Governance, Risk and Compliance (GRC) audit.

Beyond the 28 audit findings and the 51 recommendations addressing data security and access management challenges, this audit highlighted common misunderstandings and gaps in security management and governance.

Contributing an effective data security governance

This because security is not just a matter of subject matter experts, but every stakeholder must be involved in data security at its own level. Otherwise one will eventually become the weakest link:

• System architects must include the security concepts from the get-go, and provide guidelines on their implementation,
• Developers (internal and external) should know and apply the basics of security and inform their customer of any existing security concern,
• IT department should regularly challenge its developers regarding security and audit the SAP system,
• Business must be aware of its own responsibility as data owner, thus setting its own security requirements. The business must define and run its own security controls (e.g. who is able to process transactions on a profit center?),
• Internal audit department, as third line of defense, shall regularly audit business processes and test the design as well as the operational effectiveness of security controls.

Without roles and responsibilities clearly defined and actively managed, data security cannot be ensured and enforced homogeneously throughout the organization.

Conclusions:

• Data security is not just a matter of IT: every stakeholder must act at its own level, and all levels must be coordinated,
• Even if you harden the technical part of data security, data will never be secured if the business side is not aware of its own responsibilities regarding the security of its own data.

Security is not a product, it is a process : once a security concept is defined, it needs to be maintained. Otherwise, your posture will slowly drift from a sound security concept to a security nightmare.

Failing to audit your security is like closing your eyes. Besides, external partners will help you identifying your shortcomings.

#SAPSecurity #DataSecurity #AccessManagement #GRC #DLP