Bill Oliver, founding partner at Winterhawk Consulting, answers questions on how to ensure that SAP applications remain secure during an implementation.
To learn more about challenges security teams face during implementations of SAP applications, I had Bill Oliver, founding partner at Winterhawk Consulting, answer a series of questions about his experience implementing SAP applications and what advice he can offer about securing them.
The growth of mobile devices has resulted in an increase in employees who use these types of devices within the workplace. What advice would you give to clients about developing bring-your-own-device policies to protect sensitive data at organizations?
With the advent of tablets, smartphones, and so on, we have the ability to gain great increases in employee efficiencies. However, with that we are increasing the risk of data being pushed and stored on these devices. Over the next couple of years, I feel we are starting to look at a paradigm shift from know your user to know your devices.
Companies need to design very well thought-out plans on what bring-your-own-devices activity looks like and what data you should and should not (not being key) be allowed on these devices. This would also include where in the world the device is. It may be okay to transmit the data if the device is in the US, but not if the device is outside the US, which can take us down location and privacy issues (as well as an international legal question).
Have you noticed any trends based on questions you’ve received from clients this year? For example, are you receiving more questions about securing cloud-based applications than you did last year?
Very much so. With new trends in cloud-based applications and mobile computing, the question turns very quickly to: How do we ensure the security and confidentiality of our data and our customers’ data?
The key is to make sure you understand the technology and the application of that technology within your organization. As processes become more and more integrated and interconnected with vendors and customers, then the question of how data gets here is going to be more and more in play.
We are also seeing a trend in process controls as the next logical step in the implementation and rollout of a holistic GRC solution. Companies are looking for smart and cost-effective ways to continuously monitor exceptions with their business transactions.
You’ve been involved in implementing security for SAP FI, CO, General Ledger, and Accounts Payable. What stage is the implementation undergoing now?
I am happy to say that the project went live on January 1 of this year. It’s been a very long ride. We went live with around 300 users and around 40 composite roles. Security and controls were pulled in at the early stages, which made this a long year, but also made it a very successful implementation.
Have you had to deal with any unexpected developments during this implementation so far? If so, what have you learned from these challenges?
In this implementation and with every one I have been in, you do see unexpected developments come up. If you get the implementation team to bring security and controls in early, then you have time to recover and ask the key questions to get to the right solution. However, when security and controls are an afterthought, you can find yourself behind the eight ball very fast.
Some of the key learning points I have taken away from some of my many implementations are:
- Balance the way security can be implemented versus the cost of ownership. An example of this is that an SAP system allows you many ways to restrict what the user can update, change, or display, and there comes a time where the cost of restriction (including the risk) can be far greater than allowing the event. The key is to manage how far a company goes down the path of restricting SAP data elements within roles.
- Staying ahead of custom development. I have had developers adding custom transactions and then not following up with the security team to ensure that the proper authorization checks are added to the code to ensure the correct security can be executed. A solution I have found that works is to have not only good quality code reviews, but also a member of the security team as part of your change control board. This way, the security representative can get in front of the custom development.
What measures did you take to ensure compliance during the implementation?
First and foremost, you must have a dedicated team to ensure controls compliance. Without it, it’s going to be someone’s part-time job, and at the end of the day, pieces will be overlooked.
Controls compliance and controls monitoring (including segregation of duties testing) must be part of any implementation plan. Without it, you are playing Russian roulette.
Another point is to make sure you map your current controls to your new controls to ensure you are not missing anything. Do not be afraid to have fewer controls in your post-go-live environment. The key is to have the right level of controls. If you can replace three old controls with one solid preventive control, then you are ahead of the game. The key is to work with both your internal and external auditors to make sure they understand and accept the new security and control structure.
And by far the last, but one of the most important, measures is to have security and controls testing as a part of your overall implementation testing strategy. Without it, your end users are not going to be able to execute effective controls after go-live.
During your role as a consulting senior manager at Approva, one of your tasks was developing and rolling out Approva’s BizRights continuous controls monitoring software, including designing segregation of duty rules and processes for several SAP applications, such as SAP ERP Central Component, SAP Supplier Relationship Management, SAP NetWeaver Business Warehouse, and SAP NetWeaver Portal. What was your toughest challenge during this project?
By far one of the toughest challenges in implementing any GRC solution, not just Approva, is to make sure the client understands the true value of the GRC solution and how it supports and works with your controls, but does not necessarily replace the controls.
Just a few years ago I would have customers say, “Now that I have GRC, I’m good with my controls, right?” and you don’t see them implement the full GRC suite, thus missing tremendous value.
At the end of the day, a good GRC solution will save any company money and will enhance any control environment, provided that the customers understand and embrace a holistic GRC implementation approach, which is a key element any consultant brings to the table.
According to an Institute of Internal Auditors’ Audit Executive Survey, internal auditors at several organizations are requesting larger budgets for 2013. Does this trend surprise you, or is it one that you noticed from your discussions with clients?
Not in the least. If you look at the current technological landscape (such as mobile computing and co-sourcing or outsourcing), companies are looking to leverage anything they can to create effective operations, and with that is the need to ensure the correct balance of risk and control. This places internal audit groups in the forefront.
The key for internal audit committees is to ensure the correct balance of risk and controls is in place as well as to make sure that the resources (human and technical tools) are in place to achieve this balance.
What advice would you give to clients who are assessing the quality of security of their SAP applications?
The key is to restrict security at the right level. Just because you can restrict every element does not mean you should. The cost of ownership (how much it will take to maintain the security model over time) versus the risk needs to be considered. Every one of my clients answers the question of the right level differently, and just because you have been restricting access one way for the past 20 years does not mean that you should be doing it this way now.
We need to remember that companies implement an SAP system to have an enterprise resource planning platform to share business information and to make key decisions. We need to ensure that the security architecture does not prevent that from taking place.
Bill Oliver has been working in the field of SAP information security and auditing, which includes large-scale security and GRC implementations, for the past 15 years. Bill has also held managerial roles in external audit firms as well as internal audit organizations.
You may contact Bill at boliver@winterhawkconsulting.com. Comments are always welcome.
Bill will be presenting at the upcoming Cybersecurity for SAP Customers 2018 conference, June 27-29, 2018, in Prague.

Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.
You may contact the author at gary.byrne@wispubs.com.