Some seasoned access management professionals are starting to wonder if the way they manage segregation of duties (SOD) is hurting their organization’s bottom line. They understand the need for proper SOD management, and they also understand that every organization has a few (hundred? thousand?) SOD conflicts. However, when they sum up all the time spent each month performing manual mitigations to see if anyone exercised one of those conflicts, they feel bad about all the time spent just to discover that no one had exercised a material SOD conflict.
Furthermore, because the individuals required to mitigate conflicts spend so much time each month doing work that results in finding nothing of value, there is often a push by business leaders to have IT own the work. After all, if there are no real business issues arising from these reports, isn’t this work really about managing application risks? Also, since auditors will be going directly to IT to see how well access is being managed, why can’t IT run the reports, catch when the technical permissions they provisioned are abused, and only then alert (or bother) the business users?
Seasoned IT security managers know that SOD risk management needs to be owned by the business, but how can IT encourage the business to be more enthusiastic about managing SOD risks?
On the surface, it is simple: automate the discovery and alerting of material transactions that violate SOD rules and let risk owners prioritize their work.
Implementing such a solution, up until now, has been a challenge – which is why Security Weaver developed its Automated Mitigations solution. This application runs within SAP – it’s written in ABAP and is a simple add-on to R/3, ECC, or S/4. It identifies any suspicious transaction pairs, as defined by your SOD ruleset, and alerts the appropriate risk owners. Since risk owners know the actual financial exposure, they know the risk is material and, since they can easily click into the actual transactions in SAP, they can immediately and efficiently remediate it.
With Automated Mitigations, whenever a material violation is found, a case is automatically created. Because of this, managers and auditors can see every risk that has occurred due to access violations, the exact exposure of the risks, and what was done (or not done) to address the risk.
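The distinction the two paragraphs above draw, between a user who merely holds both halves of a conflicting transaction pair and one who has actually executed both, is the core of the detection logic. The following is an added illustration in Python, not Security Weaver's ABAP code: the SOD ruleset, the authorizations and the transaction log are all constructed sample data, and the exposure rule (larger side of the pair, so the value is not double counted) is an assumption.

```python
from collections import defaultdict

# Constructed SOD ruleset: risk id -> (tcode A, tcode B, description).
SOD_RULES = {
    "P01": ("ME21N", "MIRO", "Create purchase order and post vendor invoice"),
    "P02": ("FK01", "F110", "Create vendor master and run payment proposal"),
}

# Constructed role assignments (theoretical access): user -> tcodes allowed.
AUTHORIZATIONS = {
    "alice": {"ME21N", "MIRO"},
    "bob": {"ME21N", "MIRO"},  # holds both halves but never exercises both
    "dave": {"FK01", "F110"},
}

# Constructed transaction log: (user, tcode, document number, amount).
TRANSACTIONS = [
    ("alice", "ME21N", "4500001", 12000.0),
    ("alice", "MIRO", "5100001", 12000.0),
    ("bob", "ME21N", "4500002", 800.0),
    ("dave", "FK01", "V0001", 0.0),
    ("dave", "F110", "PAY0001", 45000.0),
]


def theoretical_conflicts(auths, rules):
    """Users who merely hold both halves of a conflicting pair (the costly,
    usually empty, manual review the text describes)."""
    return sorted((u, r) for u, t in auths.items()
                  for r, (a, b, _) in rules.items() if a in t and b in t)


def material_violations(log, rules, threshold=0.0):
    """Users who actually executed both halves of a pair. Opens one case per
    (user, risk) whose exposure (assumed: larger side's total) >= threshold."""
    used = defaultdict(lambda: defaultdict(list))  # user -> tcode -> [(doc, amt)]
    for user, tcode, doc, amount in log:
        used[user][tcode].append((doc, amount))
    cases = []
    for user, tcodes in used.items():
        for risk_id, (a, b, desc) in rules.items():
            if a in tcodes and b in tcodes:
                exposure = max(sum(amt for _, amt in tcodes[a]),
                               sum(amt for _, amt in tcodes[b]))
                if exposure >= threshold:
                    cases.append({
                        "case_id": f"SOD-{len(cases) + 1:04d}",
                        "user": user, "risk": risk_id, "description": desc,
                        "exposure": exposure, "status": "open",
                        "documents": [d for d, _ in tcodes[a] + tcodes[b]],
                    })
    return cases
```

With this data, three users show up as theoretical conflicts but only two cases are opened, and a materiality threshold of 20,000 narrows the list to the single payment-run case, which is the prioritization the post argues for.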
Because of its strong case management capabilities, auditors have the luxury of knowing every material SOD violation was caught and documented. From there, a simple report can quickly identify any violations not properly addressed. Not only does this reduce audit risk for internal and external auditors, but it also helps risk owners learn and share best practices for mitigating risks so that the risk of fraud is also reduced.
The cost of access controls can be excessive. Sometimes this is due to risk management activities being more theoretical than pragmatic. However, with Automated Mitigations from Security Weaver, risk managers know exactly the risks they are handling, can easily click down to the actual transactions, can avoid the hassle of applying theoretical values to prioritize their risk management activities, and have a single place to document their findings and actions. Auditors know where to look to see how risks are being managed and can prioritize their reviews based on the actual value at risk. And, perhaps most importantly, IT can better engage business users to manage and mitigate the access risks business managers had previously reviewed and had felt were necessary to take.
To learn more about Automated Mitigations and some exciting announcements about our new Role Guru solution, please visit with our CEO at the upcoming Sapphire event in Orlando, Florida June 5th-7th, 2018. Our CEO, Terry Hirsch, will be announcing a new product that automates designing and building SAP roles. He will also be discussing how to improve the ROI of compliance. Stop by our booth, 889A, to say hello and see firsthand how we can help you use Automated Mitigations to reduce the costs of compliance!
If you have any questions about Security Weaver’s Automated Mitigations product, click here for more information.