Case Study: Louisville/Jefferson County Metropolitan Sewer District and Security Weaver
How Security Weaver Helped a Regional Utility Address Security Issues

  • Customer:
    Louisville/Jefferson County Metropolitan Sewer District

  • Customer Environment:
    mySAP ERP 4.7

  • Customer Challenge:
    Addressing security and user access issues in an SAP environment

PODCAST:

Improving Security & Accountability in the Public Sector

Podcast - Duration: 6:28
For: IT Security Managers, auditors, and others who are involved in managing business-critical SAP systems and are looking for a solution to automate Sarbanes-Oxley compliance.
Topic: Automating Sarbanes-Oxley compliance and managing separation of duties in SAP systems
Contributors:
Joe Saylor, Host
Neil McConnell, COO, Security Weaver
Ed Hammerbeck, Applications Analyst and IT Security Manager for Louisville/Jefferson County Metropolitan Sewer District.



Background:
For the past 60 years, Louisville/Jefferson County Metropolitan Sewer District (LJCMSD) has built, maintained and operated quality waste water and storm water facilities for the people who live in Jefferson County, Kentucky. LJCMSD has over 200,000 customers throughout the greater Jefferson County metropolitan area.

Challenge:
LJCMSD implemented SAP R/3 in 1998 to support all of the organization's back-office accounting and financial reporting business processes. With about 200 users in the company, many employees needed access to the system for various reasons. In contrast to many large enterprises, only a limited number of IT staff were available to manage SAP user access issues, so in most cases employees were simply given access to SAP when they put in a request.

Though it's a public utility and not governed by Sarbanes-Oxley regulations, LJCMSD applications analyst Ed Hammerbeck realized that there were many vulnerabilities in their SAP user access permissions. For example, a payroll clerk should not have access to billing a customer and then accepting payment -- in other words, "they should not be in a position to handle cash from cradle to grave," says Hammerbeck. "We had been granting employees access to the network on an as needed basis but never looked at the access or our security from a 50,000 foot level. Who was being granted access? How long did they need access? Were there any conflicts of interest, like the payroll clerk example, going on?"

To try to address these issues, Hammerbeck and the IT team had to spend time writing scripts to produce the types of reports necessary to monitor system access. In addition, auditors wanted assurances that security issues were being addressed before problems could arise. Hammerbeck and the rest of the IT team realized that they needed technology to augment their SAP user administration process, one that would help identify security risks, develop role-based authorization and address inactive users.

Requirements:
LJCMSD needed a solution that would address multiple issues with minimal IT involvement:
  • Examine user access rights to identify security issues


  • Run reports that would highlight conflicts-of-interest or inactive users

  • Implement role-based processes to grant SAP access to employees

In early 2006, Hammerbeck was tasked with determining the best way to address these issues in their SAP environment. He met with representatives from Security Weaver at the 2006 Sapphire/ASUG show and he was impressed with what he saw and heard. "I was pleasantly surprised to find that Security Weaver was able to address the exact security issues that we were having and how easy it seemed to implement."

Benefits:
Early in 2007 LJCMSD implemented Security Weaver and the software has already produced tremendous benefits. Hammerbeck was able to easily run reports which showed him which employees had access and which access might cause potential security breaches. "With Security Weaver, we're able to continually identify security issues, analyze the entire system and then implement a role-based approach to eliminate potential security issues. From an efficiency standpoint we're able to design roles that automatically grant or deny system access based on a person's job function, not on an ad-hoc basis."

Hammerbeck has also found other benefits from working with Security Weaver:

  • "In the past, when someone left the company, nobody on the IT staff would delete their user access rights. Now we can generate an inactive user report that highlights if a user has been inactive for 90 days and then automatically eliminate their access."

  • "Security Weaver allows us to identify and document roles for specific job functions. By granting permission on a role-basis, rather than on an individual request basis, we’re able to much more efficiently manage access to SAP."

  • "The people at Security Weaver have been very supportive and easy to work with. I've asked them technical questions and they've responded quickly. In addition they've incorporated some of our thoughts into how to engineer their product. I can't point to many software companies that offer that type of customer service."

