Today we continue our blog series on digital transformation. (For an overview on the topic, be sure to check out the first post in the series.) In our most recent post, we walked through 2 of 4 key areas to consider when it comes to digital transformation: Network security and SAP capabilities. Now, let’s take a look at the remaining key areas: Governance, risk management, and compliance–collectively known as GRC–and physical security.
Consider these 3 main components of GRC: SAP Security, SAP Early Watch (pattern recognition), and Audit. Another way to think about GRC is establishing logical boundaries around roles and responsibilities and each employee’s related system access. In other words, no single person can complete all steps in a process. Here’s an example: If you cut the purchase order, you cannot be the one who approves the payment.
GRC can be difficult to design, implement, and maintain successfully. It requires someone–or a team–with experience. You need to ensure that the right people have the right access to be able to do their jobs. At the same time, it is vital that the “slice of the pie” each employee sees is necessary to their role, defined, and secured. Also, this is not a “one and done” scenario. As the business evolves and changes, so do the roles and the unique access that each of the roles has within the organization. Strategic role design and maintenance is an ongoing process which is critical to the security of your organization.
Uniquely, the concern around establishing best practices in GRC is not about “getting hacked,” as it is for many other aspects of digital business management. The focus is on limiting scenarios where someone may spot a weakness in the process and use it to defraud you. Controlling employee access is critical to limiting opportunities for fraudulent behavior, but that access control is not limited to employees only.
In today’s interconnected environment, your vendors, suppliers, and customers may all have access points into your system. Each of these access points needs a security role assigned to it that limits the view to only the information appropriate and relevant to the actor’s role. Without that limit, an external actor could see proprietary information and sell it to a competitor. Each partner or vendor should only see what is relevant to and required for their specific role in the larger process.
Within your organization’s SAP framework, BPML (Business Process Mapping List) establishes employee and vendor access. GRC builds each profile so that it encompasses all the functionality the role requires before that role is linked to a person. The truth of the matter is that many companies give people far too much access by accident!
Standard SAP GRC risk detection and auditing settings compile reports and grant access to internal and external audits. This allows pattern recognition functionality to detect where key elements of your security infrastructure may have changed unexpectedly or where other gaps in the system may exist.
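The separation-of-duties rule from the purchase-order example above, and the kind of access-risk finding a GRC audit report surfaces, can be shown with a small check over role assignments. This is an added example, not code from the original post or from SAP GRC; every user, role, action and rule name in it is constructed for illustration, and it reports conflicts that arise across a user’s combined roles, which is where accidental over-provisioning usually hides.

```python
# Added example (not from the original post): a minimal separation-of-duties
# (SoD) conflict check of the kind a GRC access-risk report performs.
# All user, role, action and rule names below are constructed sample data.

# Which actions each role grants (constructed).
ROLE_ACTIONS = {
    "AP_CLERK":     {"create_purchase_order", "view_vendor_master"},
    "AP_APPROVER":  {"approve_payment", "view_vendor_master"},
    "VENDOR_ADMIN": {"maintain_vendor_master", "view_vendor_master"},
    "AUDITOR":      {"view_vendor_master"},
}

# Pairs of actions that must never sit with one person: the rule from the
# post ("if you cut the purchase order, you cannot approve the payment")
# plus a vendor-master/payment pairing used here as a second sample rule.
SOD_RULES = [
    ("create_purchase_order", "approve_payment"),
    ("maintain_vendor_master", "approve_payment"),
]


def effective_actions(roles, role_actions=ROLE_ACTIONS):
    """Union of every action granted by all of a user's assigned roles."""
    actions = set()
    for role in roles:
        actions |= role_actions.get(role, set())
    return actions


def sod_conflicts(user_roles, rules=SOD_RULES, role_actions=ROLE_ACTIONS):
    """Return {user: [(action_a, action_b), ...]} for every user who holds
    both sides of an SoD rule through any combination of their roles."""
    findings = {}
    for user, roles in user_roles.items():
        held = effective_actions(roles, role_actions)
        hits = [r for r in rules if r[0] in held and r[1] in held]
        if hits:
            findings[user] = hits
    return findings


# Constructed user-to-role assignments to run the check against.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob":   ["AP_CLERK", "AP_APPROVER"],     # accumulated both roles over time
    "carol": ["VENDOR_ADMIN", "AP_APPROVER"],
    "dave":  ["AUDITOR"],
}

if __name__ == "__main__":
    for user, hits in sod_conflicts(USER_ROLES).items():
        print(f"{user}: SoD conflict(s) {hits}")
```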
That brings us to Number 4: physical security. Identification procedures fall into this category: making sure that no one can get in by pretending to be someone they are not. Along those lines, when a consultant’s contract ends, it’s crucial to revoke their access immediately so that they can no longer enter the premises or reach the sensitive systems inside. Whether you are building from the ground up, undergoing an expansion, or moving to a “new to you” space, make physical security part of the discussion upfront.
As explored through our 3-part series, digital transformation and security are a broad-reaching topic that weaves into all aspects of your business. A successful digital ERP implementation or upgrade is based on a holistic view of your security structure, including external partners, project teams, and internal resources. Invest in bringing these moving pieces together to ensure a secure digital and physical environment for your organization’s assets. If you have questions about digital upgrades in SAP and Oracle, want to talk about staffing support options, or need to fill a role immediately, be sure to contact us today. We look forward to helping you optimize your business operations as the digital world continues to grow and evolve.