For the past 60 years, Louisville/Jefferson County Metropolitan Sewer District (LJCMSD) has built, maintained and operated quality waste water and storm water facilities for the people who live in Jefferson County, Kentucky. LJCMSD has over 200,000 customers throughout the greater Jefferson County metropolitan area.
LJCMSD implemented SAP R/3 in 1998 to support all of the organization's back office accounting and financial reporting business processes. With about 200 users in the company, there were many employees who needed access to the system for various reasons. In contrast to many large enterprises, there were a limited number of IT staff available to manage user access issues to SAP, so in most cases employees were simply given access to SAP when they put in a request.
Though it's a public utility and not governed by Sarbanes-Oxley regulations, LJCMSD applications analyst Ed Hammerbeck realized that there were many vulnerabilities in their SAP user access permissions. For example, a payroll clerk should not have access to billing a customer and then accepting payment -- in other words, "they should not be in a position to handle cash from cradle to grave," says Hammerbeck.
"We had been granting employees access to the network on an as needed basis but never looked at the access or our security from a 50,000 foot level. Who was being granted access? How long did they need access? Were there any conflicts of interest, like the payroll clerk example, going on?"
To address these issues, Hammerbeck and the IT team had to spend time writing scripts to produce the types of reports necessary to monitor system access. In addition, auditors wanted assurances that security issues were being addressed before problems could arise. Hammerbeck and the rest of the IT team realized that they needed technology to augment their SAP user administration process that would help identify security risks, develop role-based authorization and address inactive users.
LJCMSD needed a solution that would address multiple issues with minimal IT involvement:
In the past, when someone left the company, nobody on the IT staff would delete their user access rights. Now we can generate an inactive user report that highlights if a user has been inactive for 90 days and then automatically eliminate their access.
Early in 2007, LJCMSD implemented Security Weaver, and the software has already produced tremendous benefits. Hammerbeck was able to easily run reports which showed him which employees had access and which access might cause potential security breaches. "With Security Weaver, we're able to continually identify security issues, analyze the entire system and then implement a role-based approach to eliminate potential security issues. From an efficiency standpoint we're able to design roles that automatically grant or deny system access based on a person's job function, not on an ad-hoc basis."