Case Study: Louisville/Jefferson County Metropolitan Sewer District and Security Weaver
How Security Weaver Helped a Regional Utility Address Security Issues

  • Customer:
    Louisville/Jefferson County Metropolitan Sewer District

  • Customer Environment:
    mySAP ERP 4.7

  • Customer Challenge:
    Addressing security and user access issues in an SAP environment

PODCAST:

Improving Security & Accountability in the Public Sector

Podcast - Duration: 6:28
For: IT Security Managers, auditors, and others who are involved in managing business-critical SAP systems and are looking for a solution to automate Sarbanes-Oxley compliance.
Topic: Automating Sarbanes-Oxley compliance and managing separation of duties in SAP systems
Contributors:
Joe Saylor, Host
Neil McConnell, COO, Security Weaver
Ed Hammerbeck, Applications Analyst and IT Security Manager for Louisville/Jefferson County Metropolitan Sewer District.



Background:
For the past 60 years, Louisville/Jefferson County Metropolitan Sewer District (LJCMSD) has built, maintained and operated quality waste water and storm water facilities for the people who live in Jefferson County, Kentucky. LJCMSD has over 200,000 customers throughout the greater Jefferson County metropolitan area.

Challenge:
LJCMSD implemented SAP R/3 in 1998 to support all of the organization's back-office accounting and financial reporting business processes. With about 200 users in the company, many employees needed access to the system for various reasons. In contrast to many large enterprises, there were a limited number of IT staff available to manage SAP user access, so in most cases employees were simply given access to SAP when they put in a request.

Though it's a public utility and not governed by Sarbanes-Oxley regulations, LJCMSD applications analyst Ed Hammerbeck realized that there were many vulnerabilities in their SAP user access permissions. For example, a payroll clerk should not have access to billing a customer and then accepting payment -- in other words, "they should not be in a position to handle cash from cradle to grave," says Hammerbeck. "We had been granting employees access to the network on an as-needed basis but never looked at the access or our security from a 50,000-foot level. Who was being granted access? How long did they need access? Were there any conflicts of interest, like the payroll clerk example, going on?"

To address these issues, Hammerbeck and the IT team had to spend time writing scripts to produce the types of reports necessary to monitor system access. In addition, auditors wanted assurances that security issues were being addressed before problems could arise. Hammerbeck and the rest of the IT team realized that they needed technology to augment their SAP user administration process: something that would help identify security risks, develop role-based authorization and address inactive users.

Requirements:
LJCMSD needed a solution that would address multiple issues with minimal IT involvement:
  • Examine user access rights to identify security issues

  • Run reports that would highlight conflicts-of-interest or inactive users

  • Implement role-based processes to grant SAP access to employees

In early 2006, Hammerbeck was tasked with determining the best way to address these issues in their SAP environment. He met with representatives from Security Weaver at the 2006 Sapphire/ASUG show and he was impressed with what he saw and heard. "I was pleasantly surprised to find that Security Weaver was able to address the exact security issues that we were having and how easy it seemed to implement."

Benefits:
Early in 2007 LJCMSD implemented Security Weaver and the software has already produced tremendous benefits. Hammerbeck was able to easily run reports which showed him which employees had access and which access might cause potential security breaches. "With Security Weaver, we're able to continually identify security issues, analyze the entire system and then implement a role-based approach to eliminate potential security issues. From an efficiency standpoint we're able to design roles that automatically grant or deny system access based on a person's job function, not on an ad-hoc basis."

Hammerbeck has also found other benefits from working with Security Weaver:

  • "In the past, when someone left the company, nobody on the IT staff would delete their user access rights. Now we can generate an inactive user report that highlights if a user has been inactive for 90 days and then automatically eliminate their access."

  • "Security Weaver allows us to identify and document roles for specific job functions. By granting permission on a role-basis, rather than on an individual request basis, we’re able to much more efficiently manage access to SAP."

  • "The people at Security Weaver have been very supportive and easy to work with. I've asked them technical questions and they've responded quickly. In addition they've incorporated some of our thoughts into how to engineer their product. I can't point to many software companies that offer that type of customer service."


© 2009 Security Weaver
SAP® is used solely to describe software produced by SAP. Security Weaver is an independent software solutions provider, which is not affiliated with SAP. Security Weaver does not claim any endorsement, affiliation, sponsorship or approval of SAP.