Guest Blog by:
Vijan Patel, Director, Technology Consulting, Enterprise Application Services, Protiviti
John Scaramucci, Associate Director, Technology Consulting, Enterprise Application Services, Protiviti

Click here to read the full blog on Protiviti’s web site

In today’s growing remote workforce, companies face the challenge of scaling centralized authentication and user provisioning while also managing new or temporary assignments that cover the workloads of ill or quarantined employees. Things change rapidly, and it may be tempting to bypass certain controls, but maintaining compliance is essential to managing security risk.

SAP’s commonly used access management tools, such as SAP Access Control, can help enable efficiencies in granting access to SAP environments without getting in the way of productivity. Speed of access provisioning needs to be an enabler and not a bottleneck to getting work done.

For users who require elevated or privileged access directly to end-user accounts, businesses need a way to provide this temporarily or on an extended basis, knowing that the access can be monitored and logged for further review.

Not every aspect of access provisioning can be automated (e.g., waiting on required approvals), but many can. For instance, the following steps of an access provisioning workflow could be automated:

  • How access requests are taken
  • How they are routed for approval
  • Routing for compliance checks
  • Provisioning, once approved

Automation can also be applied to periodic access reviews, which are especially common where a business has a SOX compliance requirement. Terminations or job changes where access wasn’t removed in the normal course of business can be cleaned up by systems that automate the actions around these processes.

Use Continuous Monitoring Solutions to Quantify Actual Risk Exposure

Traditional detective controls for user access can be labor-intensive and time-consuming to perform, test and audit. Controls of this type, such as manual reporting or transaction sampling, are often redundant and ineffective, and can even slow down a process or burn out employees. A good control acts as a caution or warning, indicating that a process may present a potential security risk or compliance issue. If it is defined with specific exception criteria, the control identifies the user or transaction and flags it for a manager or risk owner to evaluate further.

Good continuous monitoring controls aren’t limited to high-risk events either; they can also collect data on processes that show opportunities for improvement, in terms of optimizing for safety and efficiency. Reported exceptions can then be analyzed at a supervisor, compliance, or executive level, allowing informed decisions about adjusting processes in the wake of resource and work-environment changes. This approach lends itself well to a remote work landscape by enabling standardization across access governance and control testing.

Solutions for continuous monitoring include:

  • Access Violation Management (by Greenlight) monitors for actual exercise of an SoD violation, acting as an extension of Access Control for ‘did-do’ analysis (what a user actually executed, rather than what their roles would allow). As these exception transactions are collected, the owners of the risks or the users can review them, provide approval, and determine whether any fraudulent activity occurred. This builds a repository of mitigating activities that can be reviewed by audit organizations and executive leadership.
  • SAP Process Control automates the control environment at an enterprise level by acting as a repository for risks and controls. Continuous Control Monitoring (CCM) rules can be built to detect specific exception scenarios, such as configuration changes or unusual journal entries, and to deliver real-time reporting and alerts that are actionable remotely.
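The ‘did-do’ analysis described above, reduced to its core logic as an added illustration (this is not Greenlight’s or SAP’s code): a small detector that reads a constructed activity log, applies an assumed SoD rule set of transaction-code pairs, and flags only users who actually executed both sides of a rule within a review window. A user who holds both authorizations but ran only one side (a ‘can-do’ conflict) produces no exception, which is the distinction that makes did-do findings worth a risk owner’s time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative SoD rule set (assumed, not SAP Access Control's shipped rules):
# each rule names two transaction codes one user should not both execute.
SOD_RULES = {
    "P001": ("FK01", "F110"),   # maintain vendor master + run automatic payments
    "P002": ("ME21N", "MIGO"),  # create purchase order + post goods receipt
}

# Constructed sample activity log: ISO timestamp | user | transaction code.
SAMPLE_LOG = """\
2024-03-02T09:15:00|alice|FK01
2024-03-03T14:02:00|alice|F110
2024-03-05T10:00:00|bob|FK01
2024-03-06T11:30:00|carol|ME21N
2024-03-06T16:45:00|carol|MIGO
2024-01-10T08:00:00|dave|ME21N
2024-03-20T08:00:00|dave|MIGO
"""


def parse_log(text):
    """Turn the pipe-delimited log into (timestamp, user, tcode) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, tcode = line.split("|")
        events.append((datetime.fromisoformat(ts), user, tcode))
    return events


def did_do_violations(events, rules=SOD_RULES, window=timedelta(days=30)):
    """Flag users who actually executed both halves of an SoD rule within
    the review window. Holding both authorizations is not enough; both
    transactions must appear in the executed log for the same user."""
    by_user = defaultdict(list)
    for ts, user, tcode in events:
        by_user[user].append((ts, tcode))
    findings = []
    for user, evs in sorted(by_user.items()):
        for rule_id, (first, second) in rules.items():
            first_runs = [t for t, c in evs if c == first]
            second_runs = [t for t, c in evs if c == second]
            for t1 in first_runs:
                for t2 in second_runs:
                    if abs(t1 - t2) <= window:   # both sides inside one window
                        findings.append({"rule": rule_id, "user": user,
                                         "first": t1, "second": t2})
    return findings
```

On the sample log, alice (P001) and carol (P002) are flagged; bob ran only one side and dave’s two transactions fall outside the 30-day window, so neither appears.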

Continue to Manage SAP Security Risks

Now is the time for businesses to revisit their approach to securing their application landscape. Clearer policy training and the right technical monitoring controls are key to staying secure with a virtual workforce.

As team members take on additional roles during the COVID-19 pandemic, now is not the time to get bogged down in manual access-management tasks. Instead, leverage access automation to streamline provisioning and firefighting processes. Security controls that use continuous monitoring solutions can be an enabler for business and audit processes, rather than an additional task that reduces efficiency.
