By Shane Hubble of Komatsu, Australia, who discusses their experience of transitioning to Soterion’s GRC tool
Before Komatsu engaged with Soterion, we gained visibility of our SAP access risks through a service provider that sent our SAP access risk results in a spreadsheet. Komatsu was looking for a more efficient solution and implemented Soterion for SAP.
Soterion for SAP has improved our ability to view the company’s access risk. The process is simple. We use the Soterion Data Extractor to extract the relevant data from SAP. This enables us to view the results of the SAP access risk assessment in a user-friendly web application instead of trying to navigate through this information in a spreadsheet. Coupled with this, we have immediate, up-to-date, online access to the web application at any time.
Each risk assessment plots a point on a historical trends graph which allows us to monitor the risk change from our previous assessments. Soterion allows us to see which users have risk violations against our own access risk rule set. Coupled with this is the user’s risk that is displayed in relation to whether the user has used this access or not.
This reporting is extremely useful for the SAP security team as it gives them an indication as to whether the access can be removed without any disruption to the business. To ensure that the access risk reporting is relevant to the organisation, Soterion for SAP allows Komatsu to import its own risk rule set. This allows us to focus on risks that are relevant to our business, as well as grade them in terms of the perceived risk level. We are also able to identify risks that are specific to our environment.
Soterion has also helped us maintain a healthy access risk state by providing visibility not only into our SAP access risk exposure, but also highlighting the user’s redundant access.
Soterion also makes great use of the user transaction usage logs. This helps the security team to remediate the superfluous risks and focus on the real risks in our environment.
Soterion also enables Komatsu to run the risk assessment at minimal cost on demand. We started off with a plan to run it four times per year. However, after the huge improvement after the initial three assessments, we feel we can now reduce the number of assessments to a couple times per annum.