Support  |  1-800-620-4210  |  
May 26, 2020

Webinar: Can you manage cross-application access risk?

Are you running SoD analyses across multiple platforms, including non-SAP applications, legacy platforms, and in-house systems? Managing access risk across such a diverse application landscape means added complexity and manpower. Centralizing access risk management can streamline your system and significantly reduce the workload on IT.

Managing your entire environment from one central hub means you can normalize rules and authorizations and centralize mitigation management, reporting, and requests/approvals. It means removing toxic transaction combinations, eliminating duplicate processes, and ensuring that your SoD rules will still be relevant when you migrate to SAP S/4HANA.

Join Dries Horions, Senior Product Manager with Security Weaver, for a free webinar to learn how to use SAP ERP as a single control cockpit to manage cross-application access risks. He will discuss access management best practices and how access rules can be defined and harmonized across different applications. He will also cover how a single provisioning process for access control can be supported across a heterogeneous application landscape.

Option 1: Thursday, June 4th at 8:00am GST/ 9:30am IST/ 2:00pm AEST

Option 2: Thursday, June 4th at 8:00am PDT/ 11:00am EST/ 5:00pm CEST

For webinar details, click here.

Security Weaver
May 20, 2020

Webinar: SAP Access Risk - Do you know where the bodies are buried?

Executives whose companies run SAP know that the quality and integrity of their financial reporting is dependent on SAP, but the complexity of the platform forces them to rely on sub-certifications and insurance policies to safeguard against personal liability, hoping the effect will be to protect the integrity of their financial reporting.  How can executives abstract away the technology, know where to focus in order to build additional credibility, and provide much needed guidance – in effect leading from the trenches?

Join Terry Hirsch, CEO of Security Weaver, to learn the questions every C-suite leader should be asking about SAP access-related risks. Learn how executives can lead their organizations to get clear answers to those questions and to mitigate emerging risks in real-time. Learn how leaders can avoid getting mired in the technical complexity of SAP and instead understand where the actual, imminent, and real risks are due to SAP user access. Leave knowing how to lower the risks, quantify the actual financial exposure, and protect both your company's and your own reputation.

Webinar Option 1: Thursday, May 28th at 8:00am GST/ 9:30am IST/ 2:00pm AEST.

Webinar Option 2: Thursday, May 28th at 8:00am PDT/ 11:00am EST/ 5:00pm CEST

For webinar details, click here.

Security Weaver
May 13, 2020

Webinar: 10 Keys for Cost-Efficient SAP Access Management

What is access management, what constitutes the access management lifecycle, and how can you reduce the amount of resources involved in managing your SAP access without increasing risk? Join Kapish Rathi, Senior Product Specialist, as he outlines 10 keys to understanding the access management lifecycle and explains how, by using proven processes, data, and technology, you can achieve best-in-class security and compliance with the least possible cost in time, money, complexity, and staff.

In this informative webinar, you will learn how to do the following:

• Use a dynamic ruleset
• Utilize the right GRC architecture
• Automate mitigations
• Reduce licensing costs while reducing access risks
• Minimize manager bandwidth
• Automate provisioning for both persistent and temporary access
• Streamline authorization related incidents
• Streamline role management
• Provide the right data to the right people
• Reduce the workload on IT

Webinar option 1: Thursday, May 21st at 8:00am GST/ 9:30am IST/ 2:00pm AEST.

Webinar option 2: Thursday, May 21st at 8:00am PDT/11:00am EDT/ 5:00pm CEST.

For webinar details, click here.

Or to learn how Security Weaver can help you better manage your SAP access, click here.

Security Weaver
May 7, 2020

Webinar: What every CISO needs to know before running SAP S/4HANA

In the last year, 88% of companies experienced at least one cyber-attack and 84% of companies discovered fraud. Every year, five percent of revenue is lost to fraud and abuse. These are the things CISOs lie awake worrying about at night. And as the technology needed to run a secure enterprise becomes more complex, and the data more ubiquitous, the mandate of a CISO continues to grow.

It is vital, therefore, that CISOs understand how to effectively control their security landscape, especially when running SAP S/4HANA. And while technology is an important way to address this challenge, exceptional CISOs know that in order to effectively control their SAP S/4HANA environment, they must guard against too much initial focus on technology and first build a compelling business case for security.

Join Security Weaver’s Executive Vice President, Stephen Dubravac, to learn how leveraging proven frameworks, gaining a sound understanding of the nature of controls, and including both process improvements and compliance mandates in your security roadmap will help you build a solid business case.

Webinar Option 1: Thursday, May 14th at 8:00am GST/ 9:30am IST/ 2:00pm AEST. 

Webinar Option 2: Thursday, May 14th at 8:00am PDT/11:00am EDT/ 5:00pm CEST.

For the webinar details, click here.

Security Weaver
May 1, 2020

Webinar: 4 ways you are (or will be) overspending on SAP licenses

Thursday, May 7th, 2020

Everybody likes surprises, right? Well…not exactly. Especially when those surprises involve unexpected licensing costs. Predicting SAP licensing costs is no small task, and when your predictions are off it can mean budget adjustments that nobody wants.

But when you are manually managing SAP and other complex licenses across your enterprise, predicting future licensing costs (accurately) can seem impossible. You are likely spending hours and hours on research and assignment changes. You must understand how each user interacts with SAP and what authorizations they have. You must also understand how each license type is contractually defined in terms of user activity and user access rights. And whenever a user changes jobs, takes on new responsibilities, or changes their SAP usage patterns, their license assignment has to be reevaluated and possibly changed. And this only covers direct users. For indirect use, you must now track the number of documents created, which is an entirely new level of complexity.

It is no wonder, then, that optimizing licenses and accurately predicting licensing costs can seem unachievable. And moving to SAP S/4HANA only intensifies licensing challenges with changes to licensing contracts and increased complexity. In our upcoming webinar, we offer a solution.

Kevin Kuestermeyer, Senior Product Manager at Security Weaver, will discuss how to optimize your current SAP licenses and ensure you are not overspending on licenses when you move to SAP S/4HANA. He will also share best practices for how to efficiently pass SAP license audits and ensure there are no surprises.

Webinar option 1: Thursday, May 7th at 8:00am GST/ 9:30am IST/ 2:00pm AEST

Add to Google Calendar here

Add to Outlook Calendar here

Join Webinar here

Webinar option 2: Thursday, May 7th at 8:00am PDT/11:00am EDT/ 5:00pm CEST

Add to Google Calendar here

Add to Outlook Calendar here

Join Webinar here

Security Weaver
April 22, 2020

Webinar: Continuous Controls Monitoring of SAP

April 30th 8:00am GST/ 9:30am IST/ 2:00pm AEST.

Keeping up morale on your audit team can be a challenge when you must rely on sampling to produce results. Even after the long process of documenting, testing, and reporting on processes and controls has been completed, there is always a good chance that things have fallen through the cracks. It just isn’t a foolproof system.

If you have a small team and are running manual controls in an SAP environment, the situation is even more challenging. Controlling and auditing SAP environments can overwhelm even the most capable internal audit teams.

Join us for a free webinar to learn how to effectively orchestrate risk management while improving processes and mitigating security concerns, even with a small team. Shweta Jain (CA, CISA, CFE), Head of SAP Audits and Controls with 16+ years of experience, will demonstrate how the Process Auditor module from Security Weaver enables small internal audit teams to automate audits and efficiently control SAP configurations, master data, and transactions. She will share a proven methodology for success, pinpoint three critical control targets, and explain how to design controls that reduce risk and audit costs.

Add webinar to your Google calendar here.

Add webinar to your Outlook calendar here.

Join webinar here.

Security Weaver
April 22, 2020

Webinar: How your controls platform can mitigate SAP and business risks during the COVID-19 crisis

April 28th 8:00 am (Pacific)/11:00 am (Eastern)/5:00 pm (CEST)

With reduced staff and shoestring budgets, many companies are struggling to maintain the same level of compliance and security as before the COVID-19 crisis. If you are working with manual controls, the challenge is even greater.

Manual controls make it difficult to track risks quickly or effectively, and often alerts on security issues come too little, too late. It is almost impossible to manage overlapping regulations, maintain complex system configurations, and detect fraud and material misstatements early enough for effective intervention.

In addition to risk management, the process of documenting, implementing, executing, testing and reporting on controls takes more time and bandwidth than most organizations have at the moment.

The answer is a continuous controls platform. A good controls platform can improve compliance and business operations while mitigating business disruptions.

In our upcoming webinar, Gerald West, Head of Application Security and Controls Assurance at Serco Group, will share his experience and practical tips for flexing a controls platform on SAP. He will outline how Serco was able to improve business processes while simultaneously preserving controls in areas like vendor payments, data protection, and system security. He will also discuss how a controls platform can help mitigate some of the current business challenges caused by COVID-19.

Add webinar to your Google Calendar here.

Add webinar to your Outlook Calendar here.

Join Webinar here.

Security Weaver
October 8, 2019

Enabling Successful SAP S/4HANA Migrations

SAP S/4HANA is getting a lot of discussion these days. Control is key for a successful S/4HANA Migration. There are several ways Security Weaver can help.  Below is a simple outline of some areas where Security Weaver can help organizations reduce the risks associated with migrating to SAP S/4HANA and ensure they are always in control and meet compliance requirements before, during, and after migrating to SAP S/4HANA.

Licensing costs: Don’t be surprised by what it will ultimately cost to run SAP S/4HANA. Changes to indirect licensing can be trivial or material. Don’t be surprised by what it will cost you this year, next year, or the year after you move from counting indirect users to counting different document types. In addition to changes in how indirect access is licensed, many companies are also considering moving from activity-based licensing to access-based licensing. What will that cost you? Click here to learn more.

User access risks: Whether doing a green field, brown field, or blue field migration, with thousands of new transaction codes and different tables, get the SAP S/4HANA matrix you need to understand your user access risks for your new SAP platform. Security Weaver is continually updating its Segregation of Duties (SoD) ruleset and has one that can help you manage SAP S/4HANA risks.  Click here to learn more.

User transaction history and RFC calls: When migrating to SAP S/4HANA, know what to test, who should test particular areas of SAP S/4HANA, and, equally important, know what doesn’t need attention and who shouldn’t be assigned to test something. At Security Weaver, we call this building a Goldilocks test plan – a test plan that does not test too much nor does it test too little. A Goldilocks test plan also ensures the right block of testing is assigned to the right tester. Further, knowing what integrations exist and are active in your current ERP and knowing if your ERP integrations are working as expected after cutting over to S/4HANA is a critical success factor for any migration project. Click here to learn more.

Business and technical role management: With the thousands of new transaction codes in SAP S/4HANA as well as the many table changes, inevitably roles will need to be redesigned. But how can organizations redesign roles efficiently and effectively so that the right access is provided to the right users? Security Weaver offers multiple capabilities to help companies accelerate and control their role design projects. Click here to learn more.

Streamline migration testing: Moving to SAP S/4HANA means creating new roles and modifying existing roles. Once a new role is created or an existing role is modified, it needs to be tested, but testing takes time and is often not done properly by those assigned to test roles. When roles are not properly tested, they often fail to provide the access required. However, without clear test documentation, it is hard to know where the testing process failed, how to improve it, and who to hold accountable. Security Weaver automates test documentation and even automates some testing activities; consequently, it ensures new roles are properly and efficiently tested. Click here to learn more.

Quickly resolve authorization incidents: With new transaction codes, new tables, new roles, and modified roles, the move to S/4HANA might impact users. Streamline resolving access-related incidents by automatically creating help tickets, standardizing data collection, and simplifying research. Click here to learn more.

Eliminate password reset requests: Why have your staff distracted during one of the most important projects they will undertake this year? Moving to SAP S/4HANA requires diligent attention, and daily interruptions by users who have forgotten their password hinder this. Instead, implement a self-service tool that eliminates password reset requests. Click here to learn more.

There are other areas where Security Weaver can help. If you would like to talk with a Security Weaver consultant on these or other strategies and tactics for ensuring a successful move to S/4HANA, contact us today.  Click here to request an advisory session for migrating to S/4HANA.

Security Weaver
May 28, 2019

What is segregation of duties and why is it important?

If you’ve recently implemented an SAP ERP platform, congratulations! It means your company is growing and you now have a fantastic ERP tool at your disposal. Your approach to how you manage access to this platform, however, is vital. It can mean the difference between a secure, well-run organization and an enterprise that suffers fraud and material misstatements of its financials.

Many new SAP ERP administrators start out granting broad access to users in order to ensure the system can be fully utilized. But there is great risk involved in easy, broad access – the risk of fraud, accounting errors, and general mismanagement; all of which can cost millions of dollars. And when auditors come knocking, they want to see a strong balance between access and control. Auditors like to say, “trust is good, but control is cheaper.”

An important control to implement in your SAP environment is segregation of duties (SOD). SOD ensures that key processes are performed by different people to prevent fraud and financial misstatements. For example, if an employee is responsible for both creating and paying vendors, it would be easy to create fake vendors and route the payments to her own bank account. Separating these two tasks and assigning them to different people creates a natural barrier to fraud.

Establishing rules that identify SOD violations can be a complex and time-consuming process but is essential for assessing access risk and properly segregating functions. In SAP ERP environments the SOD ruleset (a.k.a. SOD matrix) must handle authorization objects and not merely look at transaction codes available to a user. Otherwise false positives will occur and make the reporting questionable.

False positives occur when a report shows SOD violations that are not really violations. For example, perhaps a user has access to two or more transaction codes that together would constitute a violation, but because the user only has the authorization objects with field values for display access for those transaction codes, the reported conflict is an error.
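The difference between a transaction-code-only analysis and an authorization-level analysis, as an added example (not Security Weaver's ruleset or product code). The transaction codes, authorization objects, users and the single rule are constructed for illustration; only the ACTVT activity values (01 create, 02 change, 03 display, * for all) follow SAP convention.

```python
"""SoD analysis at transaction-code level versus authorization level.

Added illustration: every transaction code, authorization object, user and
rule below is constructed and comes from no real ruleset.
"""
from dataclasses import dataclass, field

# Activity (ACTVT) values in the usual SAP convention.
CREATE, CHANGE, DISPLAY, ANY = "01", "02", "03", "*"


@dataclass(frozen=True)
class Function:
    """A business function in a function-based SoD matrix."""
    name: str
    tcodes: frozenset            # transactions that reach the function
    auth_object: str             # object checked when the transaction runs
    risky_activities: frozenset  # field values that allow updates


@dataclass
class User:
    name: str
    tcodes: set
    auths: dict = field(default_factory=dict)  # object -> granted ACTVT values


MAINTAIN_VENDOR = Function("Maintain vendor", frozenset({"ZVEND_MAINT"}),
                           "Z_VENDOR", frozenset({CREATE, CHANGE}))
PROCESS_PAYMENT = Function("Process payment", frozenset({"ZPAY_RUN"}),
                           "Z_PAYMENT", frozenset({CREATE, CHANGE}))
SOD_RULES = [(MAINTAIN_VENDOR, PROCESS_PAYMENT)]

BOTH = {"ZVEND_MAINT", "ZPAY_RUN"}
USERS = [
    User("ALICE", set(BOTH), {"Z_VENDOR": {CREATE, CHANGE}, "Z_PAYMENT": {CREATE}}),
    User("BOB", set(BOTH), {"Z_VENDOR": {DISPLAY}, "Z_PAYMENT": {DISPLAY}}),
    User("CAROL", set(BOTH), {"Z_VENDOR": {ANY}, "Z_PAYMENT": {DISPLAY}}),
    User("DAVE", {"ZVEND_MAINT"}, {"Z_VENDOR": {CREATE}}),
    User("ERIN", set(BOTH), {"Z_VENDOR": {ANY}, "Z_PAYMENT": {ANY}}),
]


def has_function_tcode_level(user, func):
    """Naive check: the user can start at least one of the transactions."""
    return bool(user.tcodes & func.tcodes)


def has_function_auth_level(user, func):
    """The user can start a transaction AND holds an update-capable value."""
    if not user.tcodes & func.tcodes:
        return False
    granted = user.auths.get(func.auth_object, set())
    return ANY in granted or bool(granted & func.risky_activities)


def analyze(users, has_function):
    """Return (user, function, function) for every rule the user violates."""
    return sorted(
        (u.name, a.name, b.name)
        for u in users
        for a, b in SOD_RULES
        if has_function(u, a) and has_function(u, b)
    )


def false_positives(users):
    """Users reported at transaction level but cleared at authorization level."""
    naive = analyze(users, has_function_tcode_level)
    precise = set(analyze(users, has_function_auth_level))
    return sorted({hit[0] for hit in naive if hit not in precise})


if __name__ == "__main__":
    print("tcode level:", [h[0] for h in analyze(USERS, has_function_tcode_level)])
    print("auth level: ", [h[0] for h in analyze(USERS, has_function_auth_level)])
    print("false positives:", false_positives(USERS))
```

BOB and CAROL hold both transactions but display-only values on at least one side of the rule, so a transaction-only report lists them while the authorization-level report does not.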

Often auditors have unique requirements based on a company’s unique operations, market factors, or regulations, and the ruleset must accommodate these auditor specific requirements. SOD-relevant custom transactions as well as SAP standard transactions must be accounted for by the ruleset. These complexities mean that when done manually, identifying, updating, and enforcing SOD rules can be expensive in both staff time and service fees.

Fortunately, there are tools that can eliminate much of this work. Security Weaver’s Separations Enforcer is particularly effective in helping to manage access risk in SAP. It enables rapid analysis of users across the entire SAP landscape for both SOD conflicts and sensitive access risks, offers a function-based SOD matrix that is easily customizable and can automatically report on SOD-relevant custom transactions even if those transactions are not explicitly included in the ruleset, and provides reports that are fast, readable, comprehensive, and avoid false positives.

Security Weaver’s internationally proven and well-documented rules matrix makes it easy for organizations to rapidly implement a complete solution. Rules are easily maintained and updated and can handle complex logic at both the transaction and authorization level, and the solution can manage a wide variety of concurrent rule sets, making it adaptable for any organization structure.

Veteran managers of SAP ERP environments know they need a way to reduce access risks without causing productivity issues. Separations Enforcer is the solution to that challenge. For more information on this and other access management solutions, visit www.securityweaver.com or request a free demo here. Don’t leave the security of your new SAP ERP environment open to unnecessary and unacceptable risk. Put SOD safeguards in place today to keep your data secure, your reporting correct, your assets safe, and your auditors happy.

Security Weaver
May 7, 2019

How to make better management decisions with user data

With the SAPPHIRE NOW and ASUG annual conference underway  – and the theme of “Building an Intelligent Enterprise in the Experience Economy” – I have been thinking a lot about the intelligent enterprise.

One thing intelligent enterprises know how to do is make good decisions. But being decisive is not enough – decisions must be right. Going with the gut doesn’t cut it anymore. Good decisions need data. Decisions about what to sell, how to sell it, and how much to sell it for need market data. Decisions about how to make something and what tools to use to make it need operational data. And decisions about how to manage SAP access, how to design a new role or change an existing role, and whether someone should retain their access all require data. User activity data is especially useful when making decisions about SAP compliance and security.

User activity data enables businesses to make better decisions, faster, with regard to their SAP applications while simultaneously avoiding:

• unacceptable risk
• higher costs
• confused managers
• angry (and waiting) end users

Unfortunately, even when user activity data is available, it can be challenging to interpret and use effectively. Two management gurus, Megan MacGarvie and Kristina McElheran, in their book HBR Guide to Data Analytics Basics for Managers, explain that where there is an abundance of data but insufficient time or resources for extensive analysis, people rely on simplified procedures to help them make decisions. These shortcuts often lead to poor decisions and systematic mistakes.

It doesn’t have to be this way for SAP user management. Security Weaver’s Transaction Archive offers a solution to the challenges of gathering, analyzing, and archiving user activity data. 

First, it captures detailed user activity transaction histories and then allows managers and auditors to see, over years, detailed records for each user based on the transactions exercised in a given time period. Data can also be presented based on user group membership and other criteria. This provides an unprecedented level of data for detailed forensic reviews, which means better decisions by security and compliance managers.

Second, Transaction Archive uses detailed user activity history to analyze the existing role environment. Transaction Archive determines which users are assigned a given role and what percentage of the role’s transactions have been executed by a single user, a group of users, or across the entire user population. Through advanced role analytics, administrators can understand role utilization based on the historical data. Using this data, administrators can confidently redesign or alter roles knowing that SAP end-users will not have their work impacted. In other words, with Transaction Archive administrators can make decisions about how to improve security and compliance without users feeling their freedom and productivity are, once again, being sacrificed in the name of security and compliance.

In short, better data = better decisions. And better decisions are at the heart of transforming an average company into an intelligent enterprise. 

For more information on how Transaction Archive can help you make better security decisions for your organization, visit http://www.securityweaver.com/solutions/role-lifecycle-management/transaction-archive.

Security Weaver
April 17, 2019

Prevent $1.77 billion in fraud with automated controls

India’s banking community was rocked last year with the news that Punjab National Bank (PNB), India’s second largest government-owned bank, was defrauded of $1.77 billion over a seven-year period. It is the biggest case of bank fraud in India’s history.

It started when Nirav Modi, an international businessman and high-profile jeweler to the stars, needed loans to purchase overseas diamonds and other precious stones for his business. His company requested letters of undertaking (LoUs) from PNB to secure these low-cost foreign loans to pay suppliers across the globe. The Brady House branch in Mumbai, managed by Deputy Branch Manager Gokulnath Shetty, granted him LoUs with no cash margin (it is usually 100%), no credit limit, and no required 90-day repayment terms. When the loans came due, rather than pay them off, Modi simply requested another LoU from PNB and Shetty would send it, allowing Modi to continue to receive funds to import his goods.

Because Shetty operated directly through the SWIFT system without registering the transaction with PNB’s Core Banking System (CBS), there was no history of any of these transactions. Furthermore, Shetty was responsible for both making and checking entries, a segregation of duties conflict that allowed him to operate undetected. This could have been prevented with a segregation of duties tool such as Security Weaver’s Separations Enforcer.

There were multiple additional violations, including Shetty sharing SWIFT code passwords with other employees to approve transactions while he was on leave, and Shetty’s multiple transfer orders to other branches being ignored or overturned. This went on for seven years, with no repayment of the loans and the overseas banks continuing to accept LoUs on the promise of PNB’s good name.

The internal controls PNB was using to manage its banking processes were inadequate. There was no mechanism in place, for example, to ensure that SWIFT transactions were being recorded in the system, and no way to check that those transactions were matched to the appropriate LoUs. Here are a few more examples of some controls that, had they been implemented and monitored appropriately, would have prevented PNB’s $1.7 billion loss:

1. Flag any LoU issued without collateral
2. Flag any LoU issued with more than a 90-day repayment period
3. Flag frequent release of LoUs to the same beneficiary
4. Flag a high number of LoUs issued to the same beneficiary
5. Flag any SWIFT transactions for LoUs without collateral
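The five controls above, plus the SWIFT-to-CBS matching check mentioned in the preceding paragraph, written as detection logic over constructed records. This is an added example, not PNB's or Security Weaver's code; the record fields, the thresholds for "frequent" and "high number", and the sample data are assumptions.

```python
"""LoU controls from the list above, run over constructed sample records.

Field names, thresholds and data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MAX_REPAYMENT_DAYS = 90       # control 2
MIN_GAP_DAYS = 30             # assumed reading of "frequent release"
MAX_LOUS_PER_BENEFICIARY = 3  # assumed reading of "high number"


@dataclass(frozen=True)
class LoU:
    lou_id: str
    beneficiary: str
    issued: date
    collateral_pct: int       # cash margin held against the LoU
    repayment_days: int


@dataclass(frozen=True)
class SwiftMessage:
    msg_id: str
    lou_id: str               # LoU reference carried in the message


# Constructed core-banking records and SWIFT messages.
SAMPLE_LOUS = [
    LoU("LOU-001", "ACME", date(2020, 1, 5), 100, 90),
    LoU("LOU-002", "GEMCO", date(2020, 1, 10), 0, 365),
    LoU("LOU-003", "GEMCO", date(2020, 1, 20), 0, 90),
    LoU("LOU-004", "GEMCO", date(2020, 3, 15), 100, 90),
    LoU("LOU-005", "GEMCO", date(2020, 6, 1), 100, 90),
]
SAMPLE_SWIFT = [
    SwiftMessage("MSG-1", "LOU-001"),
    SwiftMessage("MSG-2", "LOU-002"),
    SwiftMessage("MSG-3", "LOU-999"),  # never registered in core banking
]


def evaluate(lous, swift_messages):
    """Return a sorted list of (control, subject) findings."""
    findings = set()
    by_id = {lou.lou_id: lou for lou in lous}
    by_beneficiary = defaultdict(list)

    for lou in lous:
        by_beneficiary[lou.beneficiary].append(lou)
        if lou.collateral_pct == 0:                        # control 1
            findings.add(("NO_COLLATERAL", lou.lou_id))
        if lou.repayment_days > MAX_REPAYMENT_DAYS:        # control 2
            findings.add(("LONG_REPAYMENT", lou.lou_id))

    for beneficiary, items in by_beneficiary.items():
        items.sort(key=lambda lou: lou.issued)
        for prev, cur in zip(items, items[1:]):            # control 3
            if (cur.issued - prev.issued).days < MIN_GAP_DAYS:
                findings.add(("FREQUENT_RELEASE", cur.lou_id))
        if len(items) > MAX_LOUS_PER_BENEFICIARY:          # control 4
            findings.add(("HIGH_COUNT", beneficiary))

    for msg in swift_messages:
        lou = by_id.get(msg.lou_id)
        if lou is None:                                    # SWIFT not in CBS
            findings.add(("SWIFT_UNMATCHED", msg.msg_id))
        elif lou.collateral_pct == 0:                      # control 5
            findings.add(("SWIFT_NO_COLLATERAL", msg.msg_id))

    return sorted(findings)


if __name__ == "__main__":
    for control, subject in evaluate(SAMPLE_LOUS, SAMPLE_SWIFT):
        print(f"{control:20} {subject}")
```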

How many other banks are sitting on a similar time bomb? Beyond their own losses, how will that affect their supply chain? Remember, PNB’s partners are potentially on the hook for some of those losses. Do you know if the partners you do business with have adequate controls in place? What will it cost you if they don’t? And are your controls sufficient to protect your company from similar cases of fraud or mismanagement?

Security Weaver’s Process Auditor offers an automated, continuous controls platform designed to help organizations visualize and catch risk patterns within their system at the core process level. Process Auditor’s 130 out-of-the-box templates allow companies to streamline the design, development, and documentation required to deploy process controls for Order to Cash, Procure to Pay, Development to Production, Hire to Retire, and Financial Reporting. For example, enterprises can immediately detect and prevent duplicate payments or detect and alert whenever an employee and a supplier have the same bank account.

Click here for more information about how Process Auditor can help you create a secure, continuously monitored controls environment.

Security Weaver
April 3, 2019

How could automated controls save you $122 million? Ask Google.

Through a sophisticated and increasingly common scam called “Business Email Compromise,” Evaldas Rimasauskas, a Lithuanian national, recently tricked Google and Facebook employees into wiring $122 million to fraudulent bank accounts.

First, Rimasauskas registered a company in Lithuania with the same name as Quantas, a computer hardware company out of China that does legitimate business every year with Google and Facebook. Rimasauskas then opened bank accounts associated with his fictional company and sent emails to Google and Facebook employees that appeared to be from employees of Quantas, followed by invoices and wiring instructions to the fake accounts. The emails and invoices sufficiently mimicked previous Quantas invoices – enough to fool the Google and Facebook employees – that they complied with the requests. Once the funds were wired, Rimasauskas quickly siphoned them to various accounts around the world.

How could this happen to two such large and presumably well-run companies? Both Google and Facebook were using manual controls in their ERP system – manual controls that could not prevent major fraud. When Rimasauskas created fake bank accounts for his fake company, he made sure that the account numbers were close enough to actual Quantas account numbers that the differences were difficult to detect without close inspection. He counted on the accounting department using manual controls and being overwhelmed by work.

Had the process involved sufficient controls, the fraud would have been detected immediately and prevented. A great strength of automated controls is that they work well for small companies and can scale to companies as large as Facebook or Google. Not only do automated controls reduce time spent on conducting and supervising financial processes, but they also eliminate human error.

Automated controls have several additional benefits beyond employee time and error prevention. They ensure that processes are better defined, they enable companies to measure important quality metrics for their processes, and they help process owners improve them. They also reduce the time and costs of audits because auditors can test the controls which can materially reduce the substantive testing (sampling) requirements.

Process Auditor from Security Weaver provides an embedded continuous control monitoring platform that supports custom control and risk management requirements. It offers an extensive template library of over 130 controls with a workbench to change existing controls or develop new ones. Process Auditor functions across both complex and heterogeneous environments and allows companies to leverage their existing expertise in ABAP and Java technologies. As it supports environments from SAP R/3 to SAP S/4HANA, there is no need to buy, deploy, manage, or secure a separate database.

Visit http://www.securityweaver.com/solutions/continuous-controls/process-auditor/ for more information on how Process Auditor can strengthen your controls environment and prevent business losses.

By the way, how much of the $122 million did Facebook and Google recover? Less than $50 million. Bummer. If only there had been $300K in the budget for automated controls a couple of years ago.


Security Weaver
March 11, 2019

Mastering SAP Sydney: Don’t miss out!

Security Weaver is pleased to announce our sponsorship at Mastering SAP this year in Sydney, Australia on March 19th - 20th. Don't miss out on the exciting line-up of speakers, including two presentations sponsored by Security Weaver:

Tuesday March 19th at 1:05 pm: Jitendra Singh, CIO of JK Cement

Join Jitendra Singh as he shares how his company tackled the issue of internal risk by implementing an effective and user-friendly tool that allowed them to automate risk management tasks - including proper provisioning, eliminating SoD conflicts, capturing and maintaining an audit log, and periodical review of roles and responsibilities of users in the system – resulting in easier and less expensive risk management within the organization.

Tuesday March 19th at 4:00 pm: Kapish Rathi, Senior GRC Implementation Leader at Security Weaver

Kapish Rathi will demonstrate how near real-time detection combined with case management and rich analytics offer unparalleled productivity and a robust audit trail. Kapish has almost a decade of experience with GRC solutions and implementations.

Security Weaver
June 4, 2018

Are manual mitigations killing your ROI around access controls?

Some seasoned access management professionals are starting to wonder if the way they manage segregation of duties (SOD) is hurting their organization’s bottom line. They understand the need for proper SOD management, and they also understand that every organization has a few (hundred? thousand?) SOD conflicts. However, when they sum up all the time spent each month performing manual mitigations to see if anyone exercised one of those conflicts, they feel bad about all the time spent just to discover that no one had exercised a material SOD conflict.

Furthermore, because the individuals required to mitigate conflicts spend so much time each month doing work that results in finding nothing of value, there is often a push by business leaders to have IT own the work. After all, if there are no real business issues arising from these reports, isn’t this work really about managing application risks? Also, since auditors will be going directly to IT to see how well access is being managed, why can’t IT run the reports, catch when the technical permissions they provisioned are abused, and only then alert (or bother) the business users?

Seasoned IT security managers know that SOD risk management needs to be owned by the business, but how can IT encourage the business to be more enthusiastic about managing SOD risks?

On the surface, it is simple: automate the discovery and alerting of material transactions that violate SOD rules and let risk owners prioritize their work.

Implementing such a solution, up until now, has been a challenge – which is why Security Weaver developed its Automated Mitigations solution. This application runs within SAP – it’s written in ABAP and is a simple add-on to R/3, ECC, or S/4. It identifies any suspicious transaction pairs, as defined by your SOD ruleset, and alerts the appropriate risk owners. Since risk owners know the actual financial exposure, they know the risk is material and, since they can easily click into the actual transactions in SAP, they can immediately and efficiently remediate it.

With Automated Mitigations, whenever a material violation is found, a case is automatically created. Because of this, managers and auditors can see every risk that has occurred due to access violations, the exact exposure of the risks, and what was done (or not done) to address the risk.

Because of its strong case management capabilities, auditors have the luxury of knowing every material SOD violation was caught and documented. From there, a simple report can quickly identify any violations not properly addressed. Not only does this reduce audit risk for internal and external auditors, but it also helps risk owners learn and share best practices for mitigating risks so that the risk of fraud is also reduced.

The cost of access controls can be excessive. Sometimes this is due to risk management activities being more theoretical than pragmatic. However, with Automated Mitigations from Security Weaver, risk managers know exactly the risks they are handling, can easily click down to the actual transactions, can avoid the hassle of applying theoretical values to prioritize their risk management activities, and have a single place to document their findings and actions. Auditors know where to look to see how risks are being managed and can prioritize their reviews based on the actual value at risk. And, perhaps most importantly, IT can better engage business users to manage and mitigate the access risks business managers had previously reviewed and had felt were necessary to take.

To learn more about Automated Mitigations and some exciting announcements about our new Role Guru solution, please visit with our CEO at the upcoming Sapphire event in Orlando, Florida June 5th-7th, 2018. Our CEO, Terry Hirsch, will be announcing a new product that automates designing and building SAP roles. He will also be discussing how to improve the ROI of compliance. Stop by our booth, 889A, to say hello and see firsthand how we can help you use Automated Mitigations to reduce the costs of compliance!

If you have any questions about Security Weaver’s Automated Mitigations product, click here for more information. 

Security Weaver
June
1
2018

Ask our CEO how SAP License Management makes a difference when migrating to S/4 HANA

Companies have been weighing the costs and benefits of migrating from ECC to S/4 HANA. While S/4 HANA promises many benefits, some companies have concerns about the costs and risks they could incur. The good news is, having a solid license management program in place can reduce the costs and risks of migrating, and make the S/4 HANA platform even more compelling.

Here’s how:

  • First, a strong license management program means you won’t pay more than you need for S/4 HANA licenses.
  • Second, a strong program allows you to predict the financial impact of any changes to your licensing terms once on the new platform.
  • Third, a strong program reduces user access risk.
  • Fourth, a strong program reduces migration project risk.

If you are overpaying for user licenses on your current platform, you will continue to overpay when you move to S/4 HANA. But, if you have optimized your licenses on your current platform, then you will pay for only what you need. Furthermore, as you forecast your S/4 HANA budget requirements, you can confidently predict how many user licenses you will need, what kind of user licenses you will need, and when you will need them.

A weak or manual license management program often results in over-licensing. Compliance reports often inappropriately include expired or locked users, and expensive license types are often assigned to users who would be adequately covered by a less expensive license type. For example, someone may have a Full Professional license assigned to them, but upon closer inspection of their past activities or current authorizations, they may only require a Limited Professional license.

The skills and tools for optimizing user license allocations can be utilized to predict the financial impact when changes happen to the licensing model. So, those with a strong license management program can foresee the cost implications of moving to S/4 HANA.  This means budget surprises are avoided. Additionally, customers have the information they need to be powerful negotiators since they understand the full cost of migrating as well as any benefits from new or custom license terms.

When considering the move to S/4 HANA, many companies wonder if they should move from an activity-based licensing model to an authorizations-based model. There are significant benefits in doing so: 1) license costs become more predictable, 2) licensing and access control processes can be efficiently combined, and 3) there is a quantifiable financial benefit for implementing the principle of least privilege across all users. However, such a move could be a costly decision if the change from activity-based licensing is not understood.

A strong license management program automates the discovery and management of indirect SAP users. Thus, a strong program helps architects understand the integration landscape relative to their ERP application. The same discovery capabilities that identify license-relevant integrations can be used to help architects understand which applications and business processes might be impacted by moving to S/4 HANA. Understanding the complex application landscape means migration plans are more informed, expectations are better set, and project risks are lower.

Please visit with our CEO at the upcoming Sapphire event in Orlando, Florida June 5th-7th, 2018. Our CEO, Terry Hirsch, will be announcing a new product that automates designing and building SAP roles at this year’s event, and will also be discussing how to best move to S/4 HANA. Stop by our booth, 889A, to say hello and see firsthand how we can help you use license management to reduce the costs and risks of migrating to S/4 HANA!

To learn more about Security Weaver’s License Management solution, how it automates and optimizes user license allocations, how its simulation capabilities empower companies to predict their future licensing needs along with the value of custom licensing terms, and how its support for indirect users can help architects better plan their migration projects, click here.

Security Weaver
March
20
2018

How EIS successfully mobilized organization-wide SAP access management improvements

Join our webinar on March 28th at 8:00 am (Pacific Time) to learn how Hiba Dagash, Security Analyst at EIS, leveraged the power of data and enhanced reporting tools to set realistic timelines for role re-design projects, build consensus about the work involved, and get business on board with needed changes.

Hiba’s story involves access management issues shared by many Security Analysts and IT Administrators. She needed to create SAP security guidelines and processes, create a shared vision for identifying and addressing Segregation of Duties (SoD) violations across her company’s SAP environment, and help EIS efficiently pass its upcoming SAP license audit.

She attacked these challenges by installing Security Weaver’s software modules: Transaction Archive, Separations Enforcer, Emergency Repair, and License Management. These tools gave her the information she needed to align the company, and the automation she needed to be efficient.
A comprehensive understanding of user activity and access risks provided by these tools enabled Hiba to define the scope and timeframe for a role redesign project to address structural access risks.

Before she started the role redesign project, she knew she wanted a fail-safe that would provide a hassle-free way to keep users happy and the business running smoothly during the project in case any single role was too restrictive. She solved this challenge with Emergency Repair, Security Weaver’s temporary access tool.

With the data she had collected and the roadmap she had designed, Hiba confidently approached stakeholders with her role redesign proposal.  She persuaded company stakeholders that change was necessary. She then successfully executed the much-needed role redesign project, increasing role efficiency and decreasing access risks for EIS.

Once she had access risks under control, Hiba deployed License Management to optimize the value of EIS’s SAP user licenses. This module gave her visibility into end user license costs and accounted for different license types. It is the latest example of how Hiba has turned an understanding of user activity patterns into a more efficiently run SAP landscape.

Click here to attend the webinar.

Or, for more information on Transaction Archive, Separations Enforcer, Emergency Repair, License Management, or any of Security Weaver’s other products, visit www.securityweaver.com.

Security Weaver
January
3
2018

Looking to improve role design and risk management in 2018?

Visit the Security Weaver Booth at GRC Vegas!

We are excited to exhibit at this year’s SAPInsider GRC/Financials conference in Las Vegas, Nevada February 12-15. We get enormous satisfaction in helping our current and future customers improve security, increase productivity, and save time and money. This year, we anticipate that people will be very eager to learn how to:

• optimize the value of their SAP and other complex license types
• automatically catch and address suspicious transaction combinations that pose a material threat
• reduce the time and frustration of managing user access risk
• easily create custom process controls that address their organization’s specific access challenges

In the past, Security Weaver has been a leader in access management solutions. Over the years, our products have helped customers achieve control through automation without sacrificing flexibility or security. Our customers love us because our products provide a modular, comprehensive solution that is quick and easy to install and accelerates the value of existing processes.

For example, Multiquip used Emergency Repair to save roughly 60 hours per month in providing temporary access for more than 300 users. And they cut down their audit preparation time by approximately 40%.

After installing Separations Enforcer, JMC Steel identified 20,000 total company-wide SoD conflicts, and quickly reduced them to 100 per system. Within 5 months, 100% of their critical conflicts were removed or mitigated.

In addition to our tried and true products like Emergency Repair and Separations Enforcer, we have some exciting new product developments coming in 2018. These new products will offer leading-edge innovations in role management, role design, role analytics and other role related processes.

What will the new year bring for you and your business? Do you envision the types of changes and improvements that will propel you toward better role design, easier access management, and greater overall productivity?

Make one of your goals this year to attend the Security Weaver booth at GRC Vegas and find out about all the ways we can help you achieve your risk management goals in 2018.
Or, for more information about our products, visit www.securityweaver.com.

Security Weaver
October
11
2017

Security Weaver demonstrates how to achieve mature, cost efficient IT compliance at SAP TechEd 2017

FOR IMMEDIATE RELEASE
October 11, 2017

Security Weaver Demonstrates How to Achieve Mature, Cost Efficient IT Compliance at SAP TechEd 2017

Automated Mitigations and License Management increase productivity and reduce compliance concerns

LAS VEGAS, NV – October 11, 2017 - At this year’s SAP TechEd event in Las Vegas, Nevada, Security Weaver demonstrated to attendees how to mature their IT compliance processes in a cost-efficient way. Attendees were especially enthusiastic about Automated Mitigations’ ability to quantify and reduce risks, improve audit documentation, and move beyond primitive segregation of duties management. “Increased complexity requires more reliable and cost-savvy solutions,” says Stephen Dubravac, Executive Vice President of Marketing. “We offer a product suite that enables organizations to quickly adapt to changes in their SAP environment without completely overhauling their systems. Our customers appreciate how quickly and easily our products are up and running and how much time and money they save in the process.” The response to Security Weaver’s products was extremely favorable due to the implications for increased productivity and financial savings.

Security Weaver also provided booth demonstrations of another popular solution, License Management, a role-based module that optimizes the value of SAP licenses. The solution not only improves compliance and reduces the work required to manage SAP licenses, it can also dramatically lower SAP license and support costs. License Management identifies compliance issues, charts consumption trends against the inventory of acquired licenses, automatically allocates the correct license type based on each user’s activities and roles, and allows organizations to more confidently and efficiently prepare for SAP compliance audits.

Click here for a custom demonstration of Automated Mitigations or License Management. Or for more information about any of Security Weaver’s products, visit www.securityweaver.com.

###

Security Weaver is a leading provider of governance, risk and compliance management (GRCM) software. Our flagship software suite, Security Weaver, is engineered to give customers a unified view of their enterprise-wide application environment so they can reduce the risk of fraud, accelerate the efficiency of operations, and ease the burden of ongoing compliance requirements.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies.

For more information, press only:
Rebecca Callahan
+1-385-216-5535
rcallahan@securityweaver.com