1

SAP Security and Controls


Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations
2
Agenda
Increased Focus on Security & Controls
SAP R/3 Security Risks & Controls
Security Management
Security Compliance Tools
Questions
3
Increased Focus on Security and Controls
Fraud (Barings Bank, WorldCom, Enron, ...)
Security Breaches (UCs, BC, Stanford...)
Regulatory Compliance
Sarbanes-Oxley (SOX)
Family Educational Rights and Privacy Act (FERPA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
4
Security Risks
Access Control
Do some users have too much access?
Sufficient access restrictions to private information?
Segregation of Duties (SoD)
5
Security Compliance Tools
Internal Controls
Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives
(From MIT's Guidelines For Financial Review and Control)
Cost of implementing control should not exceed the expected benefit of the control
Security is a process, not a product

6
Security Compliance Tools
Who has access to sensitive transactions?
Are there any SoD violations?
Real-Time Monitoring
Remove access or assign mitigating controls
Reduce time and effort when providing information to auditors
Used during implementation of new modules
7
SoD Rules Matrix
Predefined SoD Rule Set
Can Add Custom Transactions to Rule Set
8
Virsa-Compliance Calibrator
9
Virsa-Compliance Calibrator
10
Virsa-Compliance Calibrator
Resolve SoD Issues
11
Security Compliance Software Vendors
Virsa
Approva
Oversight Systems
Big 4 (E&Y, PwC, KPMG, Deloitte)
12
Benefits of Security Compliance Tools - Summary
Run with SAP R/3
Automate SoD analysis
Automate monitoring of critical transactions
Quick assessment of authorization compliance for business users, auditors, and IT security staff
Used during development/project efforts
Avoid manual analysis and false positives
13
Questions