Category: Customer Success Story

Customer Success Story

Driving Governance at Bridgestone

Discover how Bridgestone Australia use Soterion’s GRC solution to effectively maintain segregation of duties

For Bridgestone Australia, one of the most well-known tyre manufacturers in the country, dealing with risk is a daily reality. Part of their brand promise is reducing risk for their customers who trust them to manufacture high-quality tyres to keep their families safe on the road.

But when it came to managing financial risk in their SAP system, they faced challenges.
With a growing team, maintaining access controls within their SAP system had become time-consuming, inefficient and costly.


High growth and legacy ERP set-up no longer sustainable

Bridgestone Australia has used SAP since 1998 and over the years the volume of users has increased significantly. In 2008 they had a small number of SAP users due to running two systems within the company, namely SAP and iSeries. Due to the volume of users being fairly small, managing segregation of duties was relatively simple.

The turning point came in 2013/14 when all Bridgestone users needed to be migrated to SAP and many new processes were introduced.

Given the large number of users and the complexity involved, the team knew it needed to move from the existing manual processes to automation.


The search for a commercial solution

Having investigated several options, Bridgestone decided that a custom solution was the way to move forward. Leading the charge for a fit-for-purpose solution was Jess Barnes, Senior Business Analyst in the SAP team at Bridgestone Australia.

Jess understood the complexity required to create a custom program that would handle the needs of the business and the plan was for her to write IT specifications for the program during the first quarter of 2015.

It was then at the Mastering SAP Conference Australia that Jess came across Soterion, and discovered their solution could do everything she needed it to do, presenting the data beautifully, and meeting budgetary requirements.

After three days of training, the Soterion team worked closely with Bridgestone’s infrastructure team to set up a Soterion server to talk to their SAP server. After a proof of concept, in 2016 Bridgestone Australia started using the Soterion solution.

“The tool is very useful to us because it gives us a clear picture and transparency of our financial risk in the business and the team is able to present the stats to the risk committee and executive team providing peace of mind to all” – Jess Barnes, Senior Business Analyst


Adjusting the solution makes it more powerful

Although Soterion’s solution can be used out-the-box, there were certain setups that Jess and the Bridgestone team needed to do to customise it to their specific requirements and integrate into the company’s risk and governance control policies.

1. Reviewing the rule set 

The first thing the Bridgestone team did was to review the risk level and relevancy of the standard rule set. They decided to create their own Bridgestone rule set so that they could add their own set of transactions to the list.

The out-the-box solution shows low, medium, high or critical risk levels. Bridgestone found that certain risks marked as ‘high’ in the system they regarded as ‘medium’; however, a relevancy checkbox allowed the team to keep oversight of all risks regardless of their level.

2. Segregation of Duties (SOD)

The second activity the team embarked on was to review all the risks that they have in the business by looking at all their users. They needed to define a mitigating control for each of them, something that the business and auditors would both agree on.

After running the SOD risk details within the Soterion solution, users who had a particular risk were highlighted together with a long description function that defined the risk. The team were then able to record a mitigating control.

Role simulation and user simulation were used on a daily basis. When creating a new role, the team could instantly check whether it introduced any segregation of duties conflicts, look into the risk definition details and allocate a mitigating control, ready for audit.


Key lessons from Bridgestone’s implementation
  • Once a mitigating control has been decided on, it is a good idea to review it regularly. Bridgestone Australia does this on a yearly basis to ensure their mitigating controls are still relevant.
  • When setting up roles, ensure there are no conflicts in the same role. Revoking a role is difficult to do once the role has been set, especially with a large number of users. Setting this up correctly from the very beginning is crucial.
  • There is no need to develop a custom solution. Solutions such as Soterion’s GRC software can do everything and more, and bring with them expert knowledge which has been built up over years.

     


How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.


Customer Success Story

Soterion for SAP improves Access Risk Management at Australian energy companies

United Energy (UE) and Multinet Gas (MG) provide energy to people across east and southeast Melbourne and the Mornington Peninsula in Australia. They are two separate businesses but are managed by the same head office.

UE distributes electricity to more than 650,000 customers, managing a network of 215,000 electricity poles and approximately 13,000 km of wire. MG distributes natural gas to 660,000 customers. MG’s network of 164 km of transmission pressure pipelines and 9,866 km of distribution mains, transports gas from a high-pressure transmission network operated by APA GasNet to residential, commercial and industrial customers.

Setting the strategy

UE and MG ran SAP enterprise software but had no SAP access risk tool in place. This meant the companies relied on SAP audit reports to highlight risks within their systems. The reports indicated that IT support users had wide access to the SAP system, which created a threat to the integrity of the entire system.

“There was a need for an SAP authorisation tool to provide better visibility of the SAP system on a continuous basis. The solution also needed to limit the access of unauthorised users to certain SAP functionality and to be a good fit for both businesses in terms of cost effectiveness and complexity,” said Basile Sepsakos, United Energy.

Soterion for SAP was chosen as the best fit and the most user-friendly solution. The installation and training took place over three days. Historical user–transaction data was imported into Soterion and the solution reported on the access risk that users had in relation to the functionality (transaction codes) they were using.

“The results derived from the Soterion solution allowed our SAP security team to easily identify the roles and transactions contributing to the access risk which were removed,” said Mr Sepsakos. “Next, we went on to identify the transaction codes in roles that users were not accessing. These transaction codes were also removed from the roles.”

“Some support roles were so wide that we could not clean them up very easily. We used Soterion’s Wizard functionality to build new roles for a group of users based on actual usage. This allowed us to create more specific support roles. The clean-up exercise allowed us to reduce our segregation of duties count by 98% without any impact on the business,” he explained.

PriceWaterhouseCoopers (PWC) provided UE and MG with a customised rule set which was imported into Soterion. This allows the company to monitor access risks that are relevant and critical to the business.

Business Benefits

“Soterion’s SAP authorisation solution prevents unauthorised users from having unnecessarily wide access in SAP. The tool is user friendly and has excellent business reporting functionality. Soterion for SAP also provides the risk visibility needed to make informed decisions, shifting responsibility for the SAP system’s authorisation security ranging from the IT support team to the company’s business leaders,” explained Johan van Noordwyk, director at Soterion Technologies.

He added: “Soterion for SAP assists companies to achieve SAP authorisation compliance in a cost-effective and systematic manner through Dynamic Authorisation Management. This is the on-going monitoring and adjusting of user access to ensure that the SAP authorisation solution is aligned to what users are actually doing in SAP. It allows our clients to differentiate between real SAP access risk and potential access risk, and empowers businesses to make more informed decisions relating to access risk. It enhances business ownership of SAP access risk through business-friendly reporting.”

Mr Sepsakos added: “We appreciate that managing SAP access risk will always take effort. The access risk rule set needs to be updated on a continuous basis to cater for new functionality, and there is a constant search for better and easier mitigating control reports. Soterion for SAP has allowed us to get to this point with minimal effort and at a far reduced cost than initially expected.”

“We initially started by renting the tool to allow us to evaluate it. After six months we quickly saw the immense value Soterion brought to our business and decided to purchase it outright,” said Mr Sepsakos.


Customer Success Story

SAP GRC Managed-Service implemented at Cashbuild

Many companies who outsource their SAP security and authorisations are faced with the challenge of accountability. The question that needs to be addressed is: Who bears the responsibility for access-related changes that introduce risk?

Without an SAP access risk tool, the company as well as the outsource partner are flying blind when dealing with access risks. The company mistakenly assumes the outsource partner will flag potential access risks before implementing changes in SAP.

This led Cashbuild, South Africa’s largest retailer of building materials and associated products, to look for more than just an outsourced solution. They felt they needed the benefits of an on-premise access risk solution as well as access to Governance, Risk and Compliance (GRC) expertise in a cost-effective manner that was relative to their size and risk exposure. They found the right fit by upgrading their SAP authorisation outsource model to a GRC managed service model.

By implementing Soterion’s GRC Managed Service module, Cashbuild are now able to see the risk impact of each SAP access change request performed by the service provider prior to it being applied in SAP. This enhanced visibility provides reassurance to Cashbuild and the service provider that access risk is being managed effectively.

“Where the SAP authorisation outsourcing model is simply order taking, GRC as a managed service involves proactive risk management by the service provider. A much more value-add service,” says David Johnstone, Senior Manager – Financial Services.


Companies are transitioning to a GRC managed service model for similar reasons:

  1. Although on-premise GRC tools are prohibitively expensive, businesses nevertheless require some tool to allow visibility into their SAP access risk exposure.
  2. Limited in-house GRC expertise, as well as challenges in retaining GRC specialists.
  3. GRC is complex and needs to be pro-actively managed with clear accountability.
  4. The need to limit exposure to fraud and address audit concerns in a way that is financially size-sensible.

For Cashbuild, this all came together in a GRC managed service relationship with Soterion allowing them to focus on their business, knowing that their SAP security is comprehensively taken care of.


Customer Success Story

Komatsu Australia monitors SAP access risk with a SaaS offering

By Shane Hubble of Komatsu, Australia, who discusses their experience of transitioning to Soterion’s GRC tool

Before Komatsu engaged with Soterion, we gained visibility of our SAP access risks through a service provider that sent our SAP access risk results in a spreadsheet. Komatsu was looking for a more efficient solution and implemented Soterion for SAP.

Soterion for SAP has improved our ability to view the company’s access risk. The process is simple. We use the Soterion Data Extractor to extract the relevant data from SAP. This enables us to view the results of the SAP access risk assessment in a user-friendly web application instead of trying to navigate through this information in a spreadsheet. Coupled with this, we have immediate, up-to-date, online access to the web application at any time.

Each risk assessment plots a point on a historical trends graph which allows us to monitor the risk change from our previous assessments. Soterion allows us to see which users have risk violations against our own access risk rule set. Coupled with this is the user’s risk that is displayed in relation to whether the user has used this access or not.


This reporting is extremely useful for the SAP security team as it gives them an indication as to whether the access can be removed without any disruption to the business. To ensure that the access risk reporting is relevant to the organisation, Soterion for SAP allows Komatsu to import its own risk rule set. This allows us to focus on risks that are relevant to our business, as well as grade them in terms of the perceived risk level. We are also able to identify risks that are specific to our environment.

Soterion has also helped us maintain a healthy access risk state by providing visibility not only into our SAP access risk exposure, but also highlighting the user’s redundant access.

Soterion also makes great use of the user transaction usage logs. This helps the security team to remediate the superfluous risks and focus on the real risks in our environment.

Soterion also enables Komatsu to run the risk assessment at minimal cost on demand. We started off with a plan to run it four times per year. However, after the huge improvement after the initial three assessments, we feel we can now reduce the number of assessments to a couple times per annum.

 


Customer Success Story

Umeme choose Soterion for SAP as their access risk solution

Umeme, the largest energy distributor in Uganda, distributing 97 percent of all electricity used in the country, chooses Soterion for SAP as their access risk solution.

Umeme Limited is Uganda’s main electricity distribution company, listed on the Uganda Securities Exchange and cross listed on the Nairobi Securities Exchange. The Company operates a 20 year electricity distribution concession effective 1st March 2005, from the Government of Uganda. After the electricity sector reforms in 1999, Uganda adopted a single buyer electricity sector model, where Uganda Electricity Transmission Company Limited (UETCL) is the System Operator, responsible for the purchase of electricity from all Independent Power Producers, import and export of electricity and being Umeme’s sole supplier.

Umeme were looking for an access risk tool to assist them in managing their SAP authorisations, and after seeing how user-friendly the Soterion application was, Umeme chose Soterion for SAP as their GRC tool.

Customer Success Story

BUPA choose Soterion for SAP as their access risk solution

Bupa Chile – formerly CruzBlanca Salud –  offers an integrated model of healthcare services, delivering healthcare through accessible solutions and a quality service.

Bupa Chile is one of the country’s leading healthcare groups. Its companies include the outpatient services network IntegraMédica and Sonorad, while its hospitals area has Clínica Reñaca, Clínica Bupa Antofagasta, Clínica San José, Clinical Service, and Clínica Bupa Santiago in La Florida. In insurance, it includes Isapre CruzBlanca and CruzBlanca Seguros de Vida. Bupa Chile also operates in Peru through IntegraMédica, Resomasa and Anglolab.

BUPA were looking for an access risk tool to assist them in managing their SAP authorisations, and after seeing how user-friendly the Soterion application was, BUPA chose Soterion for SAP as their GRC tool.

Customer Success Story

Aberdare Cables choose Soterion for SAP as their access risk solution

Aberdare Cables is a leading 72-year-old South African cable manufacturer. Aberdare has 3 manufacturing sites in South Africa, with Customer Service Centres in each province and in Maputo.

Aberdare is a leading supplier of intelligent energy inter-connection products and services in Africa. The company has highly trained and motivated employees who make it the employer of choice. As a technology leader, it is driven by cutting-edge R&D, providing world-class innovative solutions, processes, products and customer service.

Aberdare were looking for an access risk tool to assist them in managing their SAP authorisations, and after seeing how user-friendly the Soterion application was, Aberdare Cables chose Soterion for SAP as their GRC tool.

Customer Success Story

SAP Security: Dealing with cross-division access in Saint-Gobain


Access control at a company in a class of its own

Access control in SAP is a challenge in any context.


Having multiple companies within a shared SAP ecosystem created a unique set of access control issues for Saint-Gobain South Africa.

In this article, we’ll share the highlights of Saint-Gobain SA’s journey to SAP authorisation compliance, specifically how they managed cross-division access control.

SAP Access Control in a Group of Companies

Access control in a group of companies that use SAP presents a specific set of problems, namely:

  1. Consistency in role methodologies: Large groups like Saint-Gobain often suffer from inconsistencies in the way that SAP role design is determined and implemented. It is often a case of “too many cooks spoil the broth” and the use of outsourced resources.
  2. Cross-division access control: Users often retain access rights they should no longer have as they move between companies and roles. Risks can’t be effectively addressed if there is no regular user review to mitigate authorisation creep.

Saint-Gobain – a tradition of high standards

The Saint-Gobain Group was founded in 1665 as one of 25 royal mirror-glass manufacturing companies and has a rich history of over 350 years. Saint-Gobain expanded its operations into other materials and brands as the demand for glass and other building materials grew during and after the industrial revolution.

Today, Saint-Gobain is present in 67 countries with more than 180 000 employees. The company designs, manufactures and distributes materials and solutions which are key ingredients in the wellbeing of each of us and the future of all. They can be found everywhere in our living places and our daily life: in buildings, transportation, infrastructure and in many industrial applications. They provide comfort, performance, and safety while addressing the challenges of sustainable construction, resource efficiency, and climate change.

The case of the leaky Chinese wall

Four divisions and surprise audits

Saint-Gobain SA consists of several business divisions. Four of the divisions (Weber, Gyproc, ISOVER, and PAM) access a single SAP ECC system with a requirement to restrict cross-business activity access. An employee of one business activity should not have access to any of the other business activities with this restriction in place.

As part of their efforts to maintain their high standards, Saint-Gobain has a powerful group-wide internal audit department. They are mandated to perform surprise audits on a regular basis with typically only one month’s notice. Most of the attention in such audits is focused on user access (specifically wide and cross-business activity access) due to the nature of the group.

The company being audited receives a grade at the end of the audit based on one of the following process grades:

Grade: Description
  • A: Control in place, efficient and formalised. The risks are properly mitigated.
  • B: Control in place but not fully efficient and/or issues noted in terms of formalisation. There is limited residual risk exposure.
  • C: Control in place but incomplete. There is some remaining risk exposure.
  • D: Inefficient control. There is significant remaining risk exposure.
  • E: No control. There is ongoing high-risk exposure.

The challenges of outsourcing and authorisation creep

Saint-Gobain SA initially adopted SAP in 2001 and faced several challenges, consistently failing their access control audits.

The first challenge was the access control methodology that was selected during the initial SAP implementation. The job-based roles were too broad and provided too much access to users.

Typical of most companies running SAP, Saint-Gobain SA also had a challenge with “authorisation creep” where users inherited additional access as they moved internally between jobs and business units within the group. As the user moved to a new position there would be a handover period where they would require temporary access to their previous role. However, since there was no access risk solution to highlight these risks, access would often remain in place. This resulted in a “leaky Chinese wall” between the companies.

Saint-Gobain SA made use of an SAP authorisation outsourced provider to perform technical functions such as role changes. Using an outsourced provider yielded two unexpected challenges:

  1. The service provider operated on a basis of executing their approach only, and never offered any indication of best practices. As role changes were applied, many of the risky practices became ingrained in the system.
  2. The outsourced provider changed security resources a number of times. This caused inconsistencies in role methodologies as each resource had a preferred approach.

Without an access risk solution, there was no visibility of the access risk impact of the SAP access change request.

Taking on the GRC Journey

Strong foundations similar to a multi-storey building

After evaluating a number of possible SAP access risk (GRC) solutions, Saint-Gobain SA selected and implemented the Soterion solution in 2015. However, implementing an access risk solution was not the silver bullet that Saint-Gobain SA was expecting.

Saint-Gobain SA were still failing audits due to users having cross-division access even though an access risk solution was in place.

Saint-Gobain SA was passionate about implementing good SAP security. They realised that they needed more than just a technical access risk solution and approached Soterion for assistance in understanding and fixing the underlying problems.

Two critical issues were highlighted during the initial consultation with Soterion:

  1. Saint-Gobain SA had a mix of role methodologies which made the assignment of appropriate role access overly complicated.
  2. The risk assessment indicated many roles that had cross-division access, creating a “leaky Chinese wall” between the different divisions.

Robust access control can be compared to a multi-storey building. A strong foundation requires good role design for both business and technical roles. The organisation benefits from a GRC solution as soon as a strong foundation is in place. Once a solid role design and GRC principles are in place, the next level of Identity Access Management (IAM) can be implemented, promoting and ensuring fine-grained control of access.

A GRC turnaround roadmap

Role redesign

In SAP there are various approaches to role design, each with their own unique set of pros and cons. A comparison was done for Saint-Gobain SA between a derived role methodology and a task/value role methodology. The following outcome was determined based on Saint-Gobain SA’s requirements:

Role design methodology: pros and cons

Derived
  Pros:
  • Well-known methodology
  Cons:
  • If small (functional) roles are created, you end up with many roles derived for each Organisational Level or controlling field
  • Support intensive

Task and Value
  Pros:
  • Fewer roles, better visibility of user access
  • Easier risk remediation for superfluous roles
  • Fine-grained or appropriate assignment of access
  Cons:
  • Not a well-known methodology
  • Requires more advanced security administrators to keep solution robust

Composite
  Pros:
  • Easy maintenance or support
  Cons:
  • Minimal flexibility, wider access (more risk)

A primary requirement for Saint-Gobain SA was to find a balance between flexibility and control in their role design. Saint-Gobain SA decided on creating smaller functional or task roles (e.g. Purchase Order Processing) to provide the necessary level of flexibility. The derived role methodology was rejected due to the vast number of roles that Saint-Gobain would have ended up with, based on the number of controlling field values (Company Codes or Plants, etc). Ultimately the role methodology chosen was based on “task and value” which would be applied to business and technical roles.

In line with the role types, the project was split as follows:

  1. Business End User roles: Using the User-Transaction logs (SM20), task roles were assigned to the users based on historical data in combination with line manager approval. A number of functional roles were identified and applied as business roles.  This allows for ease of change if required. Organisational level access was provided via value roles.
  2. Technical roles (Phase 1): Appropriate task roles related to technical job functions (e.g. Basis, authorisation administration, etc.) limited the risk of wide access given to internal support personnel and outsourced providers.
  3. Technical roles (Phase 2): Restriction of basis critical authorisation objects, with a special focus on implementing fine-grained Remote Function Call (RFC) access.

Rule-set customisation

Rule-sets are combined rules that are attached to identified GRC risks. They are implemented as a means to link mitigating controls to the risks associated with business processes. Soterion developed a standard rule-set that needed to be adapted to suit Saint-Gobain SA’s needs.

The Soterion solution was implemented with a market-leading access risk rule-set. However, as with all standard or out-of-the-box rule-sets, they are designed to be applicable to organisations across different industries and geographies. Customising the rule-set to be Saint-Gobain SA specific was an important step in the journey to ensure business buy-in.

Mitigations

As it is impossible to operate without any access risk, mitigations play a vital role in reducing the organisation’s risk exposure. It was important to mitigate those risks that were unavoidable and relevant to the organisation. Many controls already existed in the business. These controls were identified and documented into a central repository and mapped to risks in the customised rule-set.

Business Education

Part of the solution was educating line managers on risks and mitigating controls relevant to their area of responsibility, promoting ownership. Business unit heads were trained to understand what they were reviewing so that they can make informed business decisions, thus promoting a culture of risk awareness in the organisation.

Emergency Access Management

In certain circumstances, business and support users require temporary or ad-hoc (emergency) access to perform business-critical activities.

Saint-Gobain SA implemented Soterion’s Elevated Rights Manager to manage sensitive and emergency access. This module ensures both support and business users have access to sensitive functions when required in a controlled manner. Elevated Rights sessions are logged and their activity sent to owners for review.

Continuing the journey: Next steps for Saint-Gobain SA

Proper GRC management is an ongoing process. Every GRC journey has as its goal flexible, effectively controlled user access rights management.

The next steps in the journey for Saint-Gobain SA are:

  1. User access reviews: Implementing an access request, review and approval process.
  2. Identity management:  As an additional layer to provide fine-grained access control, Saint-Gobain SA will consider the business case for an identity access management solution.

GRC as a Managed Service

More than outsourcing

An SAP system is constantly changing as the organisation evolves. Employees move between departments, new employees join, and in the case of a group of companies, employees sometimes move to sister companies. User access needs to change with every movement of an employee, but without appropriate support, they often remain incorrectly assigned.

Saint-Gobain SA understands the reason for their SAP authorisation challenges prior to their GRC journey and wants to ensure that the solution stays in good shape. They understand that much of the integrity of their authorisation solution relies on the abilities of their outsourced provider to implement best practices in line with the new approach.

The failures experienced with previously outsourced providers highlighted that they are not just wanting to outsource authorisations. Instead, they are looking for a more comprehensive offering: GRC as a managed service.

What is GRC as a managed service?

GRC as a managed service is a relationship between the service provider and client that contributes expertise along with technology to fulfill certain needs. It isn’t just outsourcing technical activities – it is a partnership where the service provider looks after the client as if they are part of the organisation.

For SAP GRC, a managed service extends beyond standard SAP authorisations to include risk, controls and audit support.

As Saint-Gobain SA matures on their GRC journey, their internal expertise has allowed them to bring some of the activities in-house. This means that they no longer need to rely fully on the outsourced support to perform authorisations functions. Instead, only role content changes now need to be outsourced, while the allocation of roles is handled internally.

As part of this development, Saint-Gobain SA introduced an internal controls department. This has allowed ownership to move away from IT to the business, giving process owners better insight into, and control over, the risks within their domains.

Conclusion

For Saint-Gobain SA there was a constant challenge around access control to their SAP systems.  They didn’t have a clear view of their access risk and suffered from authorisation creep. The problems they experienced were further compounded by outsourced partners who performed technical functions on request, rather than guiding them towards best practices. In fact, with the change of every outsourced resource, different role design methodologies made it overly complicated to manage role access. All these issues were reflected in the results of surprise audits, which they often failed.

After engaging with Soterion, Saint-Gobain SA was prepared for audit success through the role redesign. With a better understanding of business risks, along with a higher degree of access control, process owners developed more business accountability. The Soterion solution provides business unit heads with more visibility, control, and management buy-in.

Governance, Risk, and Compliance is a continuous journey. With the support of Soterion, Saint-Gobain SA has established a sound basis for their authorisations and a clear roadmap ahead.

Customer Success Story

Lepelle Water choose Soterion for SAP as their access risk solution

Lepelle Northern Water (LNW) is a state-owned utility that provides water to over 500 000 households in the Limpopo province.

LNW were looking for an access risk tool to assist them in managing their SAP authorisations, but they believed they did not have the internal expertise for the larger and more complex GRC solutions. After seeing how user-friendly the Soterion application was, LNW chose Soterion for SAP as their GRC tool.

Customer Success Story

Oceana Group choose Soterion as their preferred SAP security outsource provider

The Oceana Group is the largest fishing company in Africa, celebrating 100 years as Africa’s most efficient converter of global fishing resources into shared value. The Oceana Group is also an important participant in the Namibian, Angolan and US fishing industries.

Oceana was incorporated in 1918 and is listed on the Johannesburg (JSE) and Namibian (NSX) stock exchanges. Over the past 5 years, Oceana has consistently been rated as one of the most empowered JSE-listed companies (Empowerdex Most Empowered Companies ranking).

Oceana chose Soterion as the SAP security outsource provider, in combination with Soterion for SAP as their access risk solution.
