5 Strategies for Faster Risk Remediation in SAP

Published: 08/October/2020

Reading time: 3 mins

Discovering access risks is one thing. Remediating them is another – and most security, IT, audit and compliance teams would agree that they don’t like remediation work. It can be tedious, time-consuming and even costly, especially if left undone. However, this necessary task closes the loop on access risk management in SAP and needs to be approached with the same urgency as discovering violations. As we enter annual audit season, it is a good time to adopt some best practices that reduce remediation work.

#1 Continuous Monitoring

One of the best defenses against risks, and a way to keep remediation work manageable, is continuous monitoring. Too often companies focus on annual audits as their control and remediation mechanism rather than analyzing risks all year long. This not only leaves a company open to costly incidents of fraud, data breaches and employee errors for most of the year but can also result in the discovery of a large volume of major threats at one time, leading to overwhelming remediation work. To counteract that problem, companies should ideally run weekly or monthly analyses that reveal risk by user, role and business process. Additionally, periodic reviews should be conducted quarterly—not just at audit time.

#2 Analytics for Everyone

Remediation work doesn’t involve only security, IT, audit and compliance stakeholders. Managers play a big role in remediation efforts by determining who should have access, what level of access employees should have and whether access permissions are still current and accurate. During periodic reviews, these managers review and approve employee access as a key part of the review process. To do this in a timely, efficient and accurate way, business owners need intuitive reports, metrics and streamlined approval channels that can be easily understood and navigated without the highly technical skills of security and IT professionals.

#3 Risk Triage

With remediation, companies need a way to prioritize risks and the corrective work to fix them. When triaging risks, there are two common approaches that most businesses find best suited to their needs:

  1. Focus on ‘High/Critical’ risks that are fully executed by users. Fully executed risks are those in which users have access to transactions on both sides of the risk (e.g., check processing and vendor management). These risks are often considered the most critical because they are not only potential threats but also actively utilized and, therefore, require controls to be operating effectively to address all compliance and monitoring concerns.
  2. Concentrate on roles with executed inherent risks and clean up any excessive and/or unused transactions within the role that are adding to the risk results. By performing this cleanup, those risk reductions flow through to users assigned to each role and assist in limiting the user risk population to the “true risks” of the user rather than risks caused by excess transactions being present in roles.

Analytics, then, need to deliver a way for business owners to easily view the breakdown of roles by risk type (critical, high, medium or low) and the ability to drill down into the roles within a risk type, providing a simple view that helps the business determine which roles they want security to tackle first during risk cleanup.
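Both triage approaches above, as an added Python example that is not part of the original article: it classifies each user's segregation-of-duties risk as potential (access to both sides) or fully executed (transactions run on both sides), orders findings with executed High/Critical risks first, and lists the risk-relevant transactions in a role that no assigned user has ever used. The rules, roles, users, transaction names and usage data are constructed placeholders, not real SAP transaction codes or a real system's data.

```python
from collections import namedtuple

# Constructed sample data; transaction names are placeholders, not SAP transaction codes.
SodRule = namedtuple("SodRule", "name severity side_a side_b")
RULES = [
    SodRule("check processing vs vendor management", "Critical",
            frozenset({"PAY_RUN", "CHECK_PRINT"}), frozenset({"VENDOR_CREATE", "VENDOR_CHANGE"})),
    SodRule("goods receipt vs invoice entry", "Medium",
            frozenset({"GR_POST"}), frozenset({"INV_POST"})),
]
ROLES = {  # role -> transactions the role grants
    "Z_AP_CLERK": {"VENDOR_CREATE", "VENDOR_CHANGE", "INV_POST", "GR_POST"},
    "Z_TREASURY": {"PAY_RUN", "CHECK_PRINT"},
    "Z_WAREHOUSE": {"GR_POST"},
}
USER_ROLES = {"alice": {"Z_AP_CLERK", "Z_TREASURY"}, "bob": {"Z_AP_CLERK"}, "carol": {"Z_WAREHOUSE"}}
EXECUTED = {  # user -> transactions actually run, as seen in usage statistics
    "alice": {"PAY_RUN", "VENDOR_CHANGE"}, "bob": {"INV_POST"}, "carol": {"GR_POST"},
}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def user_tcodes(user):
    """All transactions a user can reach through assigned roles."""
    return set().union(*(ROLES[r] for r in USER_ROLES.get(user, ())))

def classify(user, rule):
    """'executed' if the user ran a transaction on both sides of the rule,
    'potential' if both sides are merely granted, None if there is no conflict."""
    granted = user_tcodes(user)
    if not (granted & rule.side_a and granted & rule.side_b):
        return None
    ran = EXECUTED.get(user, set())
    return "executed" if ran & rule.side_a and ran & rule.side_b else "potential"

def triage_users():
    """Approach 1: fully executed risks first, then by severity, then by user."""
    findings = []
    for user in USER_ROLES:
        for rule in RULES:
            status = classify(user, rule)
            if status:
                findings.append((user, rule.name, rule.severity, status))
    return sorted(findings, key=lambda f: (f[3] != "executed", SEVERITY_RANK[f[2]], f[0]))

def role_cleanup(role):
    """Approach 2: risk-relevant transactions in the role that no assigned user has executed,
    i.e. candidates for removal that would shrink every assigned user's risk population."""
    used = set().union(*(EXECUTED.get(u, set()) for u, rs in USER_ROLES.items() if role in rs))
    risky = set().union(*(r.side_a | r.side_b for r in RULES))
    return sorted((ROLES[role] & risky) - used)
```

With this data, alice's check-processing conflict is the only fully executed finding and lands at the top, while Z_AP_CLERK's unused GR_POST is flagged for cleanup, which would also remove bob's potential goods-receipt conflict.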

#4 Rapid and Accurate Provisioning and De-provisioning

Just like continuous analysis, companies can decrease remediation work if they do a better job of provisioning and de-provisioning while also tracking it on an ongoing basis. Manual provisioning processes don’t work well to this end and can involve a lot of back and forth and spreadsheet tracking. This makes the case for automation, which removes not just the work of provisioning but also the risk of failing to take away access when it is no longer needed, or of failing to track it and take action at the appropriate time.

#5 Automated Controls and Governance, Risk and Compliance (GRC)

Of course, provisioning isn’t the only process that demands automation for easier remediation. All controls and GRC processes in this day and age should be automated, and in a way that leaves little guesswork in analysis, reporting, reviews and remediation. When risks can be shown and understood by risk level and according to user, role and business process, with accompanying remediation advice, the steps to remediation can progress quite smoothly.

A Failure to Remediate Access Risks is a Failure to Control

In conclusion, all companies – large and small, public and private – should have an access control and remediation strategy in place for protection against fraud, insider breaches, employee mishaps, and negative audit and compliance findings. Automation to disclose risks is not enough, nor is it an effective control strategy on its own. Remediation is the final and equally important step, and with the right tools and approach it can be done with far less work all year long, not just during audit season.
