Executives often view security and compliance management with a mixture of confusion and dread. The world itself encompasses so much: financial controls and reporting (SOX), privacy and data protection (HIPAA), technological deployment (HITECH), FDA regulations (21 CFR Part 11), and even national security (ITAR and EAR). Although security and compliance management in an SAP landscape has a very specific meaning, it often eludes decision makers.
The tragedy is that compliance rules are designed to protect your assets, security, clients and reputation. When they use the threat of civil and criminal liability, it’s primarily to get you to do things you should be doing anyway. But to benefit from compliance, you need to understand how it’s structured, and how it fits into your SAP landscape and your business as a whole.
SAP Compliance Management & GRC
Compliance management refers to the controls put in place to restrict and monitor how users access, view and modify information within the SAP landscape. These tasks are handled by a Governance, Risk and Compliance program. These compliance management tasks include:
- Establishing an internal control structure
- Validating the effectiveness of internal controls
- Certifying the accuracy of financial statements
- Preventing tampering
- Reporting detailed financial information
- Disclosing conflicts of interests
GRC software monitors user access to identify potential segregation of duty and excessive access risks. For example, a single user shouldn’t be able to complete multiple portions of a business transaction (e.g. creating and paying a vendor), change the record of a transaction, or modify a finanial report so that it excludes or differs from information in the database. Monitoring excessive access is also a top priority; as critical business transactions should only be granted to appropriate individuals to prevent both fraud and errors.
GRC programs also need to monitor financial controls, and verify all access and changes to documents in order to create an audit trail. This supports authentication of important records; helps admins and auditors spot suspicious activity and bugs in the system; and provides a powerful disincentive against fraud, leaks and tampering.
Finally, the GRC program needs to be able to organize and report on effectiveness of controls, according to compliance rules, while maintaining proper access control.
Auditors, investors and customers will all need access to different amounts of information, and much of the data auditors need could breach confidentiality or expose trade secrets if shared with other parties. Your compliance management program also needs to account for conflicts of interest and other mandated non-financial data.
Compliance management is crucial to nearly everything your company does. It’s how you verify payroll, sales or HR records, and protect information integrity and confidentiality. Whether it’s a trade secret, a 21 CFR 11 medical studiy, or HIPAA PHI, compliance management plays a role in keeping it safe.
Cyber Security and Compliance
At the risk of oversimplifying it, GRC prevents people from misusing your system; while cyber security prevents them from breaking in. We can illustrate this by picturing security in a museum.
Standard (GRC) safeguards include:
- Guards to enforce rules
- Ropes and cases to prevent theft of damage to assets
- Locked doors and alarms to restrict access to valuable assets
- Cameras and motion detectors for monitoring
But what stops the thieves from picking a lock and cutting the power to dissable the alarm, or entering through a hatch in the roof? That’s where cyber security comes in.
People get confused by the different things each compliance regime says about cyber security. For example, PCI requires specific technical safeguards like encryption across open networks, firewalls and the elimination of default passwords, while HIPAA emphasizes broader principles, training and legal frameworks like BAAs.
But under a security best practices approach, the differences are actually pretty minor. HIPAA may not technically mandate encryption or firewalls, but they vastly reduce HIPAA compliance risks. Similarly, PCI might not require BAAs, but it’s in your own company’s best interest to make sure your partners are adhering to stringent data protection standards.