Real Time Enforcement for Risk Management

By Anand Kotti, Senior SAP Engineer, NextLabs

As companies grow and expand globally, the number of enterprise application users increases, and with this growth comes an ever-increasing risk of security breaches and violations. As enterprises become more susceptible to security risks and violations from internal users, businesses are moving towards implementing preventative measures rather than staying in reactive mode.

SAP GRC enables organizations to establish effective internal controls, along with processes to make sure these controls remain consistent, up to date and cost-effective to manage. Administrators can now use a single SAP GRC framework to monitor and enforce business, compliance and security policies across the enterprise. SAP has enhanced the GRC offering to include SAP Dynamic Authorization Management by NextLabs to ensure that companies can quickly adapt to changing policies and streamline enforcement and administration of those policies.

GRC customers can now integrate more fine-grained contextual information about the user. This information can include location, project, cross-departmental access, territory, and real-time segregation of duties attributes. The tight integration provides real-time risk enforcement to prevent misappropriation of information before it happens. Customers can monitor and track all activity.

USE CASE:

Segregation of duties violation example:

  • Charles can maintain a vendor master and post a vendor invoice payment.

Risk:

  • Charles can maintain his own vendors and transfer money to those vendors at any time without external authorization. This poses a significant financial risk to the business.

Real-Time Enforcement Use Case

With SAP Dynamic Authorization Management implementation:

Case #2.1 – There are no mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles attempts to pay the vendor he created, the action is blocked.

Case #2.2 – There are mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles attempts to pay the vendor he created, Charles has the option to proceed by signing an NDA (the SAP DAM self-attestation feature).

In all the use cases discussed above, the activity performed by Charles is recorded and reported back to SAP DAM Analytical Dashboard.
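The decision flow in Cases 2.1 and 2.2, as an added illustration that is not NextLabs or SAP code: a small policy decision function that checks whether the payer created the vendor, blocks when no mitigating control is defined, requires self-attestation when one is, and records every outcome for the dashboard. The vendor master, rule flag and audit structure are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample vendor master: vendor id -> the user who created it.
# (Hypothetical structure, not an SAP table layout.)
VENDOR_MASTER = {"V100": "charles", "V200": "dana"}

# Audit trail: every decision is appended here, mirroring the "recorded and
# reported back to the dashboard" behaviour. Constructed, in-memory only.
AUDIT_LOG: list = []


@dataclass(frozen=True)
class Decision:
    effect: str   # "allow", "deny", "attestation_required", "allow_with_attestation"
    reason: str


def evaluate_vendor_payment(user: str, vendor_id: str,
                            mitigating_control: bool,
                            attested: bool = False) -> Decision:
    """Policy decision for 'user posts a payment to vendor_id'.

    mitigating_control: whether the GRC rule set defines a mitigating control
    for the create-vendor-and-pay-vendor SoD risk (hypothetical flag).
    attested: whether the user has completed the self-attestation step.
    """
    creator: Optional[str] = VENDOR_MASTER.get(vendor_id)
    conflict = creator is not None and creator == user

    if not conflict:
        decision = Decision("allow", "no SoD conflict: payer did not create the vendor")
    elif not mitigating_control:
        # Case 2.1: no mitigating control, so the action is blocked outright.
        decision = Decision("deny", "SoD violation: payer created the vendor; no mitigating control")
    elif attested:
        # Case 2.2: mitigating control exists and the user has attested.
        decision = Decision("allow_with_attestation", "SoD violation mitigated by self-attestation")
    else:
        # Case 2.2 before attestation: prompt the user rather than silently allowing.
        decision = Decision("attestation_required", "SoD violation: self-attestation needed to proceed")

    # Record the outcome regardless of effect, so all activity is visible.
    AUDIT_LOG.append({"user": user, "action": "pay_vendor", "vendor": vendor_id,
                      "effect": decision.effect, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    print(evaluate_vendor_payment("charles", "V100", mitigating_control=False))
    print(evaluate_vendor_payment("charles", "V100", mitigating_control=True, attested=True))
```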
