The aim of SoD is to make sure that only people with the right area of competence have access to sensitive transactions.
The objective is to break down the process so that no single user represents a fraud risk (by holding too wide a set of authorizations).
This is not always easy to implement, often for organizational and technical reasons.
For this very reason we have created a methodology for managing SoD that we call DARE. What is it?
1. SoD DARE: what does it mean?
Let’s start with the name: DARE is an acronym that stands for:
- Define what is critical
- Analyze the state of your system
- Remediate and Mitigate your risks
- Eventual certainty of compliance over time
This is a methodology we developed and have refined from the early 2000s (before the related regulation was in place) until today.
Thanks to ready-made templates and project accelerators, we can help you manage Segregation of Duties in your company through each of the phases it is made up of.
2. When and where it is particularly useful
It applies from the definition of the incompatibility matrix (which often extends beyond SAP) to the analysis of the various systems.
We have created our own analysis tool, Security Analyzer, which makes it possible to conduct an accurate Segregation of Duties analysis when the company has no other tool for it.
The software can apply an analysis matrix to SAP (or to systems outside it) and provide results that support the decision on whether to pursue remediation or mitigation.
Using third-party software, we have also defined a semi-automatic model for identifying custom transactions that have an SoD impact.
This is particularly useful for customers with many custom transactions in use, often undocumented or unknown.
3. The importance of the Remediation and Mitigation phase, and how it is dealt with
We have defined models that allow us to determine what to do inside the SAP system when users carry risks linked to their authorizations.
One of the most frequent questions during the remediation phase (the phase in which risks must be removed) is how to remove them without obstructing the business.
In this phase, unless the risk is addressed organizationally, the authorizations held by users must be modified to remove the risks associated with them.
Given the complexity of the SAP authorization concept, this is likely to cause blocks for the business departments.
We use purpose-built algorithms to run what-if simulations of these changes.
The mitigation phase is also one of the most critical. We have seen many Segregation of Duties projects shut down during the remediation phase. That is why we defined a ready-to-use library of mitigation controls, which can easily be adopted and adapted to the specific needs of the company.
This reduces the effort needed to define mitigation controls. For some customers we also provide a mitigation controls service.
What does this mean?
Using our software, together with a previously defined library of control templates and the procedures needed to test them, we can periodically produce (according to each control’s frequency) all the required evidence.
4. What to do as part of ordinary management?
Once the project is complete, Segregation of Duties management is not: the process must be carried on by the company.
For this reason, we have defined a list of procedures and controls that the company can use in its ordinary management activities.
Some of these controls can easily be put into practice with the Security Analyzer software, which makes it possible to run periodic controls from an SoD viewpoint. These functions include periodic re-validation of users and roles via a web reporting function and approval workflows.
We have also built a preventive SoD check mode into our software, for cases where no internal monitoring software is present.
In other words, for every change in the system it is possible to analyze in advance the effects it will have on Segregation of Duties.
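As an added illustration of the analysis, remediation what-if and preventive check described in sections 2 to 4 (example code written for this article, not Aglea’s Security Analyzer), the following Python resolves a user’s roles to business functions and checks them against a small incompatibility matrix. The matrix, the transaction-code mapping, the roles and the users are a constructed sample; the `ZPAY1` custom transaction is hypothetical.

```python
# Incompatibility matrix: pairs of business functions one user must not
# combine (constructed sample of classic procure-to-pay conflicts).
INCOMPATIBLE = {
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}),
    frozenset({"CREATE_PO", "APPROVE_PO"}),
    frozenset({"POST_INVOICE", "PAY_VENDOR"}),
}

# Transaction code -> business function (constructed sample; a custom
# Z-transaction is added here once its SoD impact has been identified).
TCODE_FUNCTION = {
    "XK01": "CREATE_VENDOR",   # create vendor master
    "F110": "PAY_VENDOR",      # automatic payment run
    "ME21N": "CREATE_PO",      # create purchase order
    "ME29N": "APPROVE_PO",     # release purchase order
    "MIRO": "POST_INVOICE",    # post incoming invoice
    "ZPAY1": "PAY_VENDOR",     # hypothetical custom payment transaction
}

# Roles and user assignments (hypothetical sample)
ROLE_TCODES = {
    "Z_AP_CLERK": {"MIRO", "XK01"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_CUSTOM_PAY": {"ZPAY1"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_PAYMENT_RUN"},
    "bob": {"Z_BUYER"},
}

def functions_of(roles):
    """Resolve roles -> transactions -> business functions."""
    return {TCODE_FUNCTION[t] for r in roles
            for t in ROLE_TCODES.get(r, ()) if t in TCODE_FUNCTION}

def conflicts_of(roles):
    """Incompatibility pairs fully covered by the given roles."""
    funcs = functions_of(roles)
    return {pair for pair in INCOMPATIBLE if pair <= funcs}

def analyze_users(user_roles=USER_ROLES):
    """Analysis phase: SoD conflicts per user for current assignments."""
    return {u: conflicts_of(r) for u, r in user_roles.items()}

def what_if(user, add=(), remove=(), user_roles=USER_ROLES):
    """Preventive check: conflicts after a proposed role change, unapplied."""
    proposed = (user_roles.get(user, set()) | set(add)) - set(remove)
    return conflicts_of(proposed)
```

Running `analyze_users()` reports alice’s two conflicts and none for bob; `what_if("bob", add={"Z_PO_APPROVER"})` shows the conflict a pending role assignment would introduce before it is applied.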
Blog post originally translated from: https://www.aglea.com/blog/come-ti-aiuta-aglea-a-gestire-la-segregation-of-duties