ERP Maestro has announced, at SAPPHIRE NOW in Florida, the availability of Access Reviewer, a feature to help businesses automate access compliance processes. ERP Maestro adds the management of access risk, compliance and security to SAP solutions. It runs as a software as a service (SaaS) platform to automate the detection, prevention, remediation and monitoring of internal cybersecurity risks related to inappropriate access to sensitive data and transactions.
“User access reviews are a painstaking manual process for those who have to manage it within their organizations,” said ERP Maestro CEO Jody Paterson.
“To add to that, reviewers often do not completely understand what they are being asked to review, leading to rubber-stamp approvals that then cause inaccurate access certification reports. Access Reviewer solves the problems caused by manual processes by making reviews intuitive for reviewers who have to understand the risk behind the access they are approving – and painless for admins who have to manage the whole process.
“As a result, administrative time is cut to less than 20 minutes and business users are not asked to waste their time with data that they do not understand.”
ERP Maestro’s Access Reviewer
In a recent ERP Maestro-commissioned survey, Americas SAP User Group (ASUG) members, when asked about the biggest challenges related to automation of governance, risk and compliance (GRC) processes, named user access review and role assignment as the most difficult to automate. They explained this as being due to the complexity of determining the right level of access for each user to perform their work.
Some 60% or more of cybersecurity threats occur within the walls of enterprises. Automating controls and processes has become critical to the prevention of:
- improper access to sensitive data
- mishandling of information.
Enterprises running SAP solutions have hundreds, thousands or hundreds of thousands of employees touching their systems. This exacerbates the risks. Ergo, periodic user access reviews are crucial, and critical for those organisations subject to Sarbanes-Oxley (SOX) compliance.
Access Reviewer includes the following ‘facilities’:
- easy review setup: this simplifies the review process, letting administrators create new reviews, manage reviewers with automated reminders and assigned due dates, and receive review status updates
- dashboard: this is a user-friendly interface for administrators to see the status of all reviews at a glance, create new reviews, modify review fields and delete reviews
- automated email reminders: administrators can notify and remind approvers about upcoming or pending reviews by scheduling automated emails
- reviewer dashboard: an interface that provides reviewers and approvers a one-glance view of everything they need to know in order to approve, reject or delegate user access reviews
- automated access removal: once a reviewer rejects a role and records the reason, Access Reviewer automatically removes the user’s access
- certified auditor reporting: administrators can generate digitally certified reports with timelines and notated approval decisions for a detailed audit trail.
Other complementary ERP Maestro solutions
Besides Access Reviewer, other relevant ERP Maestro solutions include:
- Access Analyzer – for use by audit and technology consulting firms on clients; a dashboard enables a drill down to find out how many SoD (segregation of duties) risks exist, by user, role and business process
- Financial Impact Analysis: this exposes which high or critical SoD risks are involved when changing data in an SAP system (in effect it can point to the potential for fraud, thereby enabling enterprises to address the risk)
- Remediation Advisor provides automated guidance on how to take action on each SoD risk
- Automated Provisioning allows for secure and compliant provisioning of roles and assignments (it can also help maintain a clean SAP environment with the detection of new risks during the creation of new roles)
- Emergency Access Management offers the ability to grant, and review, elevated access to users without unnecessary risks.
“Internal security breaches, whether malicious or not, all point to one thing: weak internal controls around access to programs and data,” adds Paterson. “With most cybersecurity attacks happening from the inside, technologies that make access controls easy, automatic and seamless are crucial to protecting companies’ assets, reputation and bottom line. I’m excited to be at SAPPHIRE NOW this year to show how ERP Maestro does just that and empowers our customers to take a preventative approach to access security.”
What does this mean?
Accelerating remediation and minimizing exposure to potential breaches and fraud are enterprise requirements. In complex systems, understanding where the risks are is rarely simple. In SAP environments the challenge, because of the scale of integration, is (arguably) even greater. Auditors and even security specialists need automated tools.
This is where ERP Maestro comes in. Access Reviewer should help enterprises establish effective governance, risk and compliance processes. This matters, both internally and externally; auditors and other regulatory agencies will demand ever more evidence of action and observance.