How does segregation of duties help protect your company data?
Every company has their regulations to refer to, whether on national, international level or area certifications. For example:
- ISO Certifications
- National Regulations like Dlgs. 231/2001 and Legge 262/2005
- Dlgs 101/2018 for the compliance to the European regulations (2016/679) regarding the GDPR personal data protection
- GxP for pharmaceutical companies
- Electronic Nota Fiscal
- SoX, JSoX
- Internal Policies
Each of these regulations brings a management effort in order to obtain the related certifications and their prolonged observance. It is very frequent to find the principle of Segregation of Duties in the aforementioned regulations.
How helpful can SoD when trying to follow these regulations?
What is the Segregation of Duties?
The Segregation of Duties is the method used in order to manage conflict of interests, and therefore, frauds. The objective is to reduce the possibility for the individual to work on more parts of the same organizational process. In the Italian legislation, Dlgs. 231/2001 art. 6 comma 2, it is written that it’s necessary to study all organizational processes in order to identify all activities in which it may be possible to commit violations.
SAP is an ERP (Enterprise Resource Planning) management system that makes it possible to preside over all the various organizational processes, for example the administrative and financial ones, logistics, purchases, production and maintenance and human resources.
In order to understand how to manage the Segregation of Duties (SoD), it is first of all important to think by process and then identify which IT or non-IT systems operate on these processes.
In most companies it is frequent, in order to hide an internal process (i.e. that of purchases), to work on different systems. For example, I might carry out supplier selection tasks in the first system, while carrying out all administrative tasks related to that process in a second system.
Thinking with SAP systems terminology, I might use SAP SRM Supply Relationship Management system for suppliers’ management and carry out all administrative tasks related to that process in SAP ECC (ERP Central Component) system.
It then becomes important to understand whether SoD Relevant processes are located inside the SAP ecosystem, outside of it or “Cross-System”, meaning that the SoD analysis takes place in more than one SAP system, or in an SAP system and a non-SAP system.
Segregation of Duties for protecting your intellectual property!
Why is it important to protect company data?
A lot of relevant and strategic information regarding the company exists inside of the information systems. However, due to this information being intangible, small attention is sometimes given to the criticality of such data.
Which are a company’s strategic data to which we don’t think about? Which are the cases in which damage could be made both money and reputation-wise?
Here’s a small list:
- Customer master data: imagine if this information was accessible to your competitors: they could start acting accordingly with focused actions in order to steal your customers!
- If all the discounts you apply to your customers were accessible by your competitors, it would be important information used to erode your company’s market share
- In the case of IT systems for the management of employees, if the employees’ salaries were accessible and visible by your competitors, they could
- The Bill of Materials of a certain product. What would happen if it were in a competition’s hands?
- Company products components designs documents of various technical company products are often archived in SAP
How easy can it be to extract the above mentioned information from a SAP system by having direct to SAP tables?
Always keep in mind that in SAP it’s possible to trace who exported what!
How can the Segregation of Duties help you?
The Segregation of Duties is most surely one of the most efficient methods to secure an administrative system.
Here’s how it can be useful:
- Identify which are the risky company processes, on a not-only single system level, but also company-wide.
- Define all the owners necessary to the daily management of the Segregation of Duties.
- Identify all the business criticalities and separate responsibilities
- Monitor periodically all accesses.
- Identify all the needed controls to be put in place in order to limit and verify/validate the insurgence of risks
- Valorize the internal control model
Do you need to implement a control model? Have you already defined one, but you’re not sure whether it’s really effective? Let’s talk about it!
Blog post originally translated from https://www.aglea.com/blog/come-la-segregation-of-duties-ti-aiuta-a-proteggere-i-dati-aziendali