Global pharmaceutical organizations operate in complex environments and must manage regulatory, legal and reputational risks daily. For one of our clients, a pharmaceutical giant operating in a SAP environment, establishing a SAP security architecture that is both tightly controlled and flexible was paramount to managing these risks.
Why Protiviti: The company chose Protiviti for our expertise in aligning business processes and IT needs and for our recognized status as a leader in the SAP security and governance, risk and compliance (GRC) space. By partnering with us, the client also gained access to our proprietary risk assessment tools to help diagnose and benchmark SAP security risks, and our intellectual property, including SoD-compliant template roles.
The SAP security optimization project began with a current-state assessment of the company’s security environment. This assessment was instrumental in defining the key success factors of the project and building the internal business case.
In this initial assessment, key security metrics at the pharmaceutical company were compared against companies of similar size and industry. The results indicated that the company had an above-average number of segregation of duties (SoD) and sensitive access (SA) issues, such as conflicts at the role level (inherited by every user assigned those roles), “display” roles that also granted Create or Update access, inappropriate organizational restrictions, duplicate transaction assignments, inconsistent role-naming conventions, and use of SAP-delivered roles and profiles (which gave users excessive access).
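As an added illustration of the finding categories listed above (not code from the engagement or from Protiviti), the following Python script screens a constructed extract of SAP role definitions for display roles that grant create or change activity, duplicate transaction assignments, SoD conflicts against one illustrative rule, naming-convention violations, and directly assigned SAP-delivered roles. The role names, transaction codes, SoD rule and naming pattern are all assumptions made for the sample.

```python
import re
from collections import Counter

# Constructed role extract (assumption): name -> transaction codes and ACTVT values.
# ACTVT 01 = create, 02 = change, 03 = display (standard SAP activity codes).
ROLES = {
    "Z_FI_AP_DISPLAY":      {"tcodes": ["FB03", "FK03"], "actvt": {"03"}},
    "Z_FI_AP_DISPLAY_PLUS": {"tcodes": ["FB03", "FK02"], "actvt": {"02", "03"}},
    "Z_FI_AP_VENDOR_MAINT": {"tcodes": ["FK01", "FK02", "FK02"], "actvt": {"01", "02"}},
    "Z_FI_AP_PAYMENT_RUN":  {"tcodes": ["F110"], "actvt": {"01"}},
    "z_fi_ap_superuser":    {"tcodes": ["FK01", "F110"], "actvt": {"01", "02"}},
    "SAP_FI_AP_ALL":        {"tcodes": ["FK01", "F110"], "actvt": {"01", "02", "03"}},
}

# Illustrative SoD rule (assumption): vendor creation and payment run in one role.
SOD_RULES = [("FK01", "F110", "vendor master maintenance vs. payment run")]

# Assumed naming convention: custom roles are Z_<module>_<description>, upper case.
NAME_PATTERN = re.compile(r"^Z_[A-Z]{2}_[A-Z0-9_]+$")

def check_role(name, role, sod_rules=SOD_RULES, name_pattern=NAME_PATTERN):
    """Return the list of hygiene findings for one role (empty if clean)."""
    findings = []
    tcodes, actvt = role["tcodes"], role["actvt"]
    # SAP-delivered roles/profiles should not be assigned directly to end users.
    if name.upper().startswith("SAP_"):
        findings.append("SAP-delivered role assigned")
    elif not name_pattern.match(name):
        findings.append("naming convention violated")
    # A 'display' role must grant the display activity only.
    if "DISPLAY" in name.upper() and (actvt & {"01", "02"}):
        findings.append("display role grants create/change")
    dupes = [t for t, n in Counter(tcodes).items() if n > 1]
    if dupes:
        findings.append("duplicate transactions: " + ", ".join(sorted(dupes)))
    present = set(tcodes)
    for a, b, desc in sod_rules:
        if a in present and b in present:
            findings.append(f"SoD conflict ({desc})")
    return findings

def check_roles(roles):
    """Map every role name to its findings; clean roles map to an empty list."""
    return {name: check_role(name, role) for name, role in roles.items()}

if __name__ == "__main__":
    for name, issues in check_roles(ROLES).items():
        print(f"{name}: {'; '.join(issues) or 'clean'}")
```

In a real assessment the role extract would come from the authorization tables and the SoD rule set from the organization's approved ruleset rather than from the inline constants shown here.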
Following the current-state assessment and benchmarking, the company faced two possible courses of action:
The company chose the comprehensive SAP role redesign approach based on its long-term cost efficiency and risk reduction. Other factors that contributed to the decision: the comprehensive approach would improve automation around SAP security provisioning and access certification processes, establish a global SAP governance program to improve SAP security administration and maintain the updated SAP security architecture, and make ongoing maintenance more efficient while reducing reliance on mitigating controls to manage SoD risks.
The SAP security implementation team undertook a three-step approach to the project: Get clean, stay clean, and stay in control. This approach established a multiphase road map for implementing leading-practice SAP security processes and controls systematically to enable an organized, efficient and transparent framework for managing SAP security risks. It leveraged the SAP Access Control solution to standardize and automate provisioning processes across the SAP environment. SAP Access Control would also provide our client with increased visibility into SoD and SA risks and enhance user access provisioning and monitoring capabilities.
The value of this project for the pharmaceutical company goes beyond managing security in the SAP environment. By creating a clean security baseline and implementing leading security administration processes and advanced SAP supporting technologies, the company set the foundation for, and achieved, its goal of operational and regulatory compliance excellence. Achieving these objectives required capabilities from across the organization: the program was sponsored by the chief financial officer and chief information officer, and business process owners (BPOs) and SAP security role owners played a vital role in the successful delivery of the program.
Measuring key initiatives was important to provide insight into whether the business goal of optimizing SAP security was achieved, as well as where operational efficiencies were gained. A second benchmarking assessment was performed at the conclusion of the project, using the baseline data collected in the beginning, to show exactly how much was gained for each key metric. The results are outlined below.
Successful SAP security optimization projects require the participation, understanding of the issues, and buy-in of a number of stakeholders within an organization. Executive sponsorship of the project is a must-have, as it translates into broad support and accelerated decision-making. In an environment hyperaware of cost and regulatory issues, executive management needs a strong business case for the project. To this end, the two benchmarking studies performed at the beginning and end of the project provided the needed assurance to management by defining the key performance indicators up front and measuring against the baseline over the course of the project to demonstrate the continued value of the investment.
In addition, partnering with the right groups and individuals, such as auditors, BPOs and IT teams, made the difference in the success of this project. Throughout the role redesign phases, Protiviti’s SAP team worked with key stakeholders to determine access needs, evaluate the impact of the updated role design on business processes and secure proper approvals at each stage of the project.
We work with IT, finance and audit executives to help them increase operating efficiency and reallocate resources from the management of day-to-day security and compliance requirements to high-value business activities. Protiviti is a recognized leader in delivering security, GRC, identity management and control optimization solutions. Our partnership with SAP as a preferred GRC services provider enables us to deliver quick resolution of technical issues identified throughout our clients’ projects. Contact our GRC leadership team to learn more.