
Security Extra



Organisations Resist Automated IT Security Processes
 Posted by SecExtra on April 27th, 2010

Organisations are investing to improve their security processes, but very few have automated their compliance procedures. This is one of the findings of the Governance, Risk and Compliance (GRC) Benchmark research report undertaken by SAP security specialist, Turnkey Consulting.

The report revealed that 88 percent of respondents operate documented change processes which require strong approvals, are deemed effective and are adhered to by staff involved. 65 percent have SLAs for their change management procedures that are measured and reported against. However, only 48 percent deployed automated workflow approval to streamline the activity.

Turnkey’s report analyses data gathered from over 100 organisations. The company aims to use the research to set the standard for SAP best practice and help its clients tackle key security risks in their organisations. Additional key findings include:

• 73 percent of organisations maintain a segregation of duties (SoD) matrix for their SAP applications, with 68 percent of these configuring the matrix to suit the specific requirements of their business and regularly reviewing it for suitability.

• 87 percent have a dedicated team responsible for user administration. However, only 60 percent of these perform regular reviews of user mapping in conjunction with business role owners to determine whether the user access is still appropriate for that person/role.

• 70 percent of organisations have a defined policy in place which drives their application security, with 69 percent regularly reviewing their security settings to ensure compliance with corporate standards. However, only 55 percent of companies record security logs and have a process in place to analyse these and respond when a threat or vulnerability is identified.

• 80 percent of respondents have processes in place to manage role changes and 85 percent of these require business involvement in the process. But only 47 percent test the changes before they go live.

• 68 percent have defined and documented authorisation designs, with 63 percent basing this on processes agreed with the business. However, only 40 percent had a risk register for their SAP application security and only 34 percent believe that the business understands security.

• 50 percent of organisations use Solution Manager to help manage their SAP environments, with 48 percent using CUA and SSO to simplify user management and access to multiple systems.

• 89 percent of respondents had defined roles for their support staff, with 58 percent reporting that their support team were able to process business transactions. 59 percent have procedures in place for privilege escalation, with half of these using an automation tool for this. 28 percent of respondents had support users with full access (SAP_ALL) to their systems.

Richard Hunt, managing director of Turnkey Consulting, comments: “It is encouraging to see that business security processes are improving. The next step for organisations to take is to automate many of the controls that they are putting in place. This would improve the efficiency of the control and ensure continuous compliance.”

A free copy of Turnkey Consulting’s GRC Benchmark Report is available to download here.


This entry was posted on Tuesday, April 27th, 2010 at 6:22 am and is filed under Computer Security, Money and Business, Security News.
