SAP Security Solutions: Is Your Business Protected?

At a glance
Businesses face increasing security risks due to evolving compliance requirements, technology changes, and organizational changes. This adds complexity to managing user access and permissions in SAP systems.

The text discusses that businesses struggle with accommodating changes, centralized functions, outsourced processes, and integrating new platforms within old security designs. It becomes difficult to ensure flexibility, reduce administration time, and integrate controls into operations.

PwC's approach involves assessing the existing security model, identifying risks, designing optimized security requirements, building rule sets, testing, and implementing the new design. It focuses on accommodating changes, leveraging GRC tools, addressing issues, and designing a sustainable operating model.

www.pwc.com

SAP security solutions

Is your business protected?

SAP security overview

Background
SAP Security is becoming more difficult to control due to a constantly evolving compliance landscape and increasingly complex business environments.

Restrictions required by legislation, upgrades to systems, centralization of functions within businesses, and continually changing role responsibilities increase the importance of having a well-designed security management process.

The increasing complexity of SAP’s software applications adds to the risk of security threats, with evolving technology, new functionality, and web-based solutions.

Ultimately, how can you ensure that your users have the information they need in a timely manner, yet comply with the challenges above in an efficient and optimal manner?

Opportunities and challenges

[Diagram: SAP Security, with the labels Integrate to new platforms, Centralized processes, HR Process, SoD & GRC, Technical development, Outsourced Processes]

• Ensuring flexibility to accommodate organizational changes and underlying process variations
• Accommodating centralized functions within old security designs and processes
• Reducing the amount of time spent on technical administration and end-user security management by both IT and the wider business
• Integrating the SAP Security structure and controls into the day-to-day operations of the business
• Key enabler for leveraging GRC technologies
• Opportunities for delivering improvements and efficiencies through GRC or other tools
• Ensuring that the security controls are properly aligned with other configurable and manual controls in the SAP environment
• Remediating segregation of duty (SoD) issues in the most efficient manner
• Managing costs and commercial leakage from outsourced administrators
• Effectively transition to managing shared service center



Our approach: high-level overview

PwC Transform – Security Design and Remediation process

Phases: Assess, Design, Construct, Implement, Operate

Tasks: Project Preparation, Design, Build, Test, Final Preparation, Go-Live & Support

Objectives:
• Project Preparation: The project is initiated and supporting infrastructure is established
• Design: Business Risks are Identified
• Build: Security requirements are translated
• Test: SOD Compliance
• Final Preparation: Deployment Package Finalized
• Go-Live & Support: Deployed Security

Deliverables: Project Plan; Systems, Business Processes, and Actions; Roles and Responsibilities; Initial Business Risks; Action Groupings; Analyses; Risk Rankings; Rule set(s) Built; Updated Policies and Procedures; Tool Configured; Cross-Application Rule set(s); Rule set(s) Signoff; Reports; End User Mapping; Security Admin Process; Provisioning Process; Material; SOD Reports; SOD Review and Action Plan; Mitigated Conflicts

Layers shown: Interfaces, Infrastructure, ERP

SAP security: Redesign to align


• Assess: Assess and review your access controls
• Design: Design an optimal security model
• Construct: Remediate issues or build new technical solution
• Implement & Operate: Integrate your security design with GRC tools and align with other organizational controls

1. Assess and review access controls

During the assessment of the Security and SOD “as is” position we focus on the following areas:

• Assess and compare how your individual business units are adopting existing controls.
• Benchmark how your security issues measure against industry standards.
• Implement PwC’s User Activity Analysis tool to analyze your actual transactional usage.
• Map activity analysis output back to existing security design and pinpoint areas for design remediation.
• Map the Security Access controls design back to SAP Security governance design.

2. Design an optimal security operating model

Building on the assessment work, we can assist in your effort to transition to an optimized security design:

• Provide the strategy and approach to deliver a security model, where compliance objectives are embedded into the design.
• Develop a design that is flexible enough to accommodate likely changes to the organizational structure while integrating existing business controls.
• Devise a security blueprint that maximizes the sustainability of the future security model.
• Address root causes of specific control and access issues at the design phase to ensure a consistent and efficient “clean up” effort.
• Design and develop a process for using accelerators like SAP GRC in security build and maintenance phases to maximize efficiency.
• Underpin technical aspects of the design with a robust SAP security governance framework.
3. Remediate or rebuild

We can assist in managing the integration of the risk and controls elements of the security design and build throughout the life cycle of the engagement, from remediation of existing issues, to a complete rebuild of the technical platform.

The work focuses on ensuring your strategy design and build are aligned to the long-term organizational requirements.

We provide this service by:

• Utilizing accelerators in the build phases to expedite technical role build activities
• Following a best practice iterative design/build/re-analyze process to ensure that technical solution is fit for purpose and SoD compliant
• Implementing PwC’s enabler technology for rebuild activities
• Ensuring that security build at the template and local levels doesn’t deviate from the overall strategy, reducing the risk of your security design regressing back to being localized or fragmented

4. Integrate your security design with GRC tools and organizational controls

PwC can work with you to:

• Utilize GRC technology for structured, compliant, and accelerated role design and build.

• Integrate with GRC tools for SoD compliance at a technical role and user provisioning level.

• Integrate the SAP security model with IDM tools to provide single sign-on capabilities and controls.

• Provide assistance to design an operating model that fully utilizes the controls potential available in GRC tools.

[Diagram: SAP GRC Access Control Suite. Components: Access risk analysis, Access request management, Business role management, Emergency access. Connected systems: SAP ERP systems, Other SAP systems, Non-SAP solutions, Active directory]

Benefits realized by our clients:


• Significantly improved governance and management of access risks
• Business-owned and standardized access management processes
• Reduced business time spent on access reviews by 60%
• Greater transparency into who has what access
• Reduced complexity of roles leads to sustainable, lower-cost SAP security processes
• Significant increase in business user support capabilities



Client citation: leading automobile manufacturer

Background

This client was struggling to meet service level agreements related to SAP provisioning and user maintenance. Although the initial implementation of SAP GRC Access Controls suite was complete, the organization was using only a small subset of the suite’s capabilities.

The PwC solution

The first phase of this project focused on assessing the current state and designing the future state. In our design of the future state, we included the full deployment of the SAP GRC Access Controls suite to simplify and automate the user provisioning processes, while remaining compliant. We worked with the client to design and implement a new SAP security design following our tier 4 methodology. The implementation of the new SAP security design helped this client reduce the number of roles in the SAP environment, which, combined with the SAP GRC Access Controls application, facilitated the overall user provisioning processes.

What has the client achieved?


After the completion of the SAP security design and implementation of the
SAP GRC Access Controls applications, this client was able to realize the
following benefits:
• 75% reduction of SAP security roles in the SAP production environment
• 99% reduction of transaction code duplication in SAP security roles
• 0 SAP security roles with inherent segregation of duties conflicts
• Reduced user provisioning time from 21+ days to 2.3 days (average)
