Archives

Archive for the ‘Guest Blogs’ Category

SAP Compliance Management Demystified

Posted on: August 22nd, 2017 by Daniella Lundsberg

This post comes from our partner Symmetry Corporation.

Executives often view compliance and compliance management with a mixture of confusion and dread. The word itself encompasses so much: financial controls and reporting (SOX), privacy and data protection (HIPAA), technological deployment (HITECH), FDA regulations (21 CFR Part 11), and even national security (ITAR and EAR). Although compliance management in an SAP landscape has a very specific meaning, it often eludes decision makers.

The tragedy is that compliance rules are designed to protect your assets, security, clients and reputation. When they use the threat of civil and criminal liability, it’s primarily to get you to do things you should be doing anyway. But to benefit from compliance, you need to understand how it’s structured, and how it fits into your SAP landscape and your business as a whole.

SAP Compliance Management and GRC

Compliance management refers to the controls put in place to restrict and monitor how users access, view and modify information within the SAP landscape. These tasks are handled by a Governance, Risk and Compliance program, such as ControlPanelGRC, or SAP GRC. Sarbanes-Oxley compliance management tasks include:

  • Establishing an internal control structure;
  • Validating the effectiveness of internal controls;
  • Certifying the accuracy of financial statements;
  • Preventing tampering;
  • Reporting detailed financial information;
  • Disclosing conflicts of interest.

GRC software monitors user access to identify potential segregation of duty and excessive access risks. For example, a single user shouldn’t be able to complete multiple portions of a business transaction (e.g. creating and paying a vendor), change the record of a transaction, or modify a financial report so that it excludes or differs from information in the database. Monitoring excessive accessis also a top priority; as critical business transactions should only be  granted to appropriate individuals to prevent both fraud and errors.

GRC programs also need to monitor financial controls, and verify all access and changes to documents in order to create an audit trail. This supports authentication of important records; helps admins and auditors spot suspicious activity and bugs in the system; and provides a powerful disincentive against fraud, leaks and tampering. Finally, the GRC program needs to be able to organize and report on effectiveness of controls, according to compliance rules, while maintaining proper access control. Auditors, investors and customers will all need access to different amounts of information, and much of the data auditors need could breach confidentiality or expose trade secrets if shared with other parties. Your compliance management program also needs to account for conflicts of interest and other mandated non-financial data.

Compliance management is crucial to nearly everything your company does. It’s how you verify payroll, sales or HR records, and protect information integrity and confidentiality. Whether it’s a trade secret, a 21 CFR 11 medical study, or HIPAA PHI, compliance management plays a role in keeping it safe.

Cyber Security and Compliance

At the risk of oversimplifying it, GRC prevents people from misusing your system; while cyber security prevents them from breaking in. We can illustrate this by picturing security in a museum. Standard (GRC) safeguards include:

  • Guards to enforce rules
  • Ropes and cases to prevent theft or damage to assets
  • Locked doors and alarms to restrict access to valuable assets
  • Cameras and motion detectors for monitoring

But what stops thieves from picking a lock and cutting the power to disable the alarm, or entering through a hatch in the roof? That’s where cyber security comes in.

People get confused by the different things each compliance regime says about cyber security. For example, PCI requires specific technical safeguards like encryption across open networks, firewalls and the elimination of default passwords, while HIPAA emphasizes broader principles, training and legal frameworks like BAAs.

But under a security best practices approach, the differences are actually pretty minor. HIPAA may not technically mandate encryption or firewalls, but they vastly reduce HIPAA compliance risks. Similarly, PCI might not require BAAs, but it’s in your company’s best interest to make sure your partners are adhering to stringent data protection standards.

Process Documentation and Quality Management

It may sound obvious, but cyber security and compliance management initiatives won’t go far, unless your company implements and consistently uses them — and that requires good process documentation. Everything from network configuration, to access control to daily system health checks and maintenance needs to be spelled out clearly and succinctly; the goal isn’t impressive, weighty tomes — it’s simple documents that spell out all necessary tasks.

This documentation needs to be incorporated into a quality management program. Although quality management doesn’t focus exclusively on security and compliance, many aspects have important functions in this domain, including technology policies, SOPs, auditing procedures, training, document control, and audit trails. Putting it all together almost always requires outside help.

Choosing an SAP Security and Compliance Partner

A provider needs to understand the compliance requirements of your industry, but doesn’t need to focus exclusively on them; often, experience across multiple industries is a better sign of a company that gets security and compliance.

It’s crucial, however, that your partner practices what it preaches. They should have a quality management program in place, and be able to show you things like:

Formalized Quality Policy, Quality Plan, and procedures

  • Audit trails
  • Version control
  • Sample Installation Qualifications

SOPs for critical systems should be recorded on controlled documents, approved by management, stored where no one can tamper with them, and trained and retrained regularly by anyone who does the work. And they should be ready to answer questions on anything from employee training and monitoring, to server hardening, to what happens when you call the help line.

In particular, they need good quality assurance, with separate task completion and verification staff. Finally, they should be ready to undergo regular 3rd party audits to assess and validate internal controls.

The Case for Bundling Security and Compliance with Managed Services

In the SAP hosting and managed services realm, companies that once had separate providers for hosting, IT project management, admin, DR/HA and so on, are moving to an integrated approach, citing benefits like lower cost, increased flexibility, greater knowledge base and less administrative overhead. In security and compliance management, however, tasks like IT security auditing, physical security auditing, GRC, monitoring and incident response are often farmed out to a web of different providers.

Forward-looking companies, however, are already starting to see the benefits of a unified managed services approach incorporating security and compliance. This approach lets you leverage your provider’s internal controls and knowledge base, along with their auditing framework. The people auditing, monitoring and hardening your system can work directly with the people running it, meaning better communication, quicker results and a lower administrative overhead. In an emergency, you won’t have to make frantic calls between your hosting provider, your DB admin and your network engineer — everyone is already working together, which means quicker resolutions, leading to better outcomes.

It also provides legal cover in the event of a breach, attack or outage. Successful hacks often simultaneously exploit weaknesses in hardware setup, software patching, GRC, training, monitoring and other domains. In a disaster, everyone goes into damage control mode, and you can end up with multiple agencies fighting it out in the courts (and in the press!) for years. If one provider handles everything, on the other hand, it’s their reputation on the line.

Getting SAP Security and Compliance Management Right

The most secure organizations don’t look at SAP compliance management and security requirements as onerous burdens, but as a way to protect their investments. Governance, risk and compliance provides a powerful framework to protect your organization from errors, corruption and costly mistakes, and industry-specific compliance regimes provide a similar bulwark against external threats.

But legal regimes and industry guidelines can’t account for every threat an organization faces. The right partner won’t view compliance regimes as boxes to check, but as one aspect of a program that includes risk assessment, training, auditing and monitoring, across your organization.

Interested in learning more about SAP Compliance, please contact Symmetry Corporation at 888-SYM-CORP.

How BusinessObjects Will Transform SAP

Posted on: July 22nd, 2017 by Daniella Lundsberg

This post is brought to us by Symmetry Corporation.

 

SAP HANA® gets a lot of attention for its blazing speed, but from a business perspective, raw power is never the most important consideration. Even HANA’s advanced analytic and real-time business intelligence are only as valuable as the insights companies can draw from them. And valuable insights require intuitive, mobile apps designed around the needs of the user — not the structure of the backend.

When SAP Fiori was launched, it showed that SAP understood the importance of excellent UX, and the growing importance of mobile devices for business users. Its innovative interface replaces archaic desktop menus with natural workflow, in a product that’s as attractive as it is functional.

Superficially, while SAP’s SAPPHIRE NOW 2016 BusinessObjects announcement may seem like a rebranding, the product will prove every bit as innovative as Fiori. By providing BusinessObjects as a complete business intelligence (BI) suite, SAP has taken another major step toward in helping businesses harness the power of SAP HANA.

The SAP SAPPHIRE NOW 2016 Keynote Address: Revealing the Future
SAP has sometimes been criticized for not being clear enough about its product offerings. As Gartner Research VP Cindi Howson put it, “BI and analytics is all I do, and yet, even for me, it’s a tough road map to keep track of.” At SAPPHIRE NOW, SAP CEO Bill McDermott directly addressed this criticism, pledging to make SAP more responsive to customers, with clearer product roadmaps and migration guidelines. But in that same speech, he emphasized the central role of design thinking that puts the end user experience above everything

“We feel strongly that design thinking and innovation is the way forward. So we truly have to understand that with every encounter with our customers means we have to understand their customers. We have to make the world run better, we have to improve people’s lives one customer at a time and that’s the commitment I give to you today.”

Offering analytics in a single package will certainly help SAP provide clearer roadmaps, and alleviate customer frustration. But how does SAP BusinessObjects help the end user?

Inside SAP BusinessObjects
SAP has combined all of its analytics into one tool in two main versions: BusinessObjects Cloud (formerly SAP Cloud for Analytics), and the on-premise version — BusinessObjects Enterprise. The enterprise version is offered in standard, pro and premium configurations, giving businesses the ability to select what features they need.

SAP BusinessObjects Cloud is a complete BI package, addressing everything from data curation through planning. For the first time, customers can get all their enterprise analytics in a single package — including modeling, visualization and mobile analytics.

Their mobile offerings are where things get innovative. SAP has included recently-acquired Roambi, a mobile-first app featuring beautiful visualizations, rendered on the fly to help users quickly draw the right conclusions from complex datasets.

Likewise, end users are about to get a lot more in light of another SAP SAPPHIRE NOW announcement: the partnership with Apple. By working together to offer an SDK, training and an iOS version of Fiori, the companies will accelerate the development of iOS Apps with SAP backend, leading to better mobile analytics.

SAP SAPPHIRE NOW 2016 is the start of a new age of end-user experience.
Often, learning how to make the most of a new invention is an even bigger challenge than inventing it. Now it’s up to designers and developers — supported by the cloud SAP hosting professionals who make everything work together on the backend — to show the world just how good SAP HANA can be.

 

Contact Us

Learn More About Us

Share