Recently, SAP Insider sat down with the SAP experts at Fastpath for a webcast Q&A on building a security and compliance program for SAP landscapes. The panel covered topics ranging from handling audits of non-SAP systems to who should own your security program…and its budget.
Security and Compliance for SAP, Part 5: Who Owns It, Who Implements It, & Who Owns the Budget?
This blog series, consisting of 9 parts, offers insights into easing the responsibility of security and audits. With the functionality within SAP, combined with technology like Fastpath and the support of experts in security, it doesn’t have to be a painful or daunting task. It all comes down to three things: implementing processes, taking a risk-based approach, and having the right controls in place to allow you to meet the demands of your auditors and ensure a solid security program. The series so far includes:
- Part 1: Using processes and a risk-based approach
- Part 2: How to handle custom transaction code
- Part 3: How to talk to auditors about non-SAP systems in an SAP landscape
- Part 4: Granting user access – who, why, and how much
In Part 5, we discuss ownership of your security program and its budget.
SAP Security: Who Should Own It… and Who Should Own the Budget
Who should own and implement your organization's security program is an often-debated question. Consider drawing a parallel with your SAP implementation. Who owned that project? It probably wasn't an IT project or a finance project. It was a company-wide initiative with an executive steering committee overseeing it. A similar approach needs to be taken with security. It's not just an IT function. It's not just a finance function. In reality, appropriate security processes, methodologies, and procedures span multiple departments.
There isn't one "owner."
That being said, IT is the department that typically is considered the owner because they provision the security, but provisioning is just one piece of the security equation. IT should be taking action to provision based on records and approvals they're receiving from business process owners—the business leaders in the organization who actually own the data. IT does not own the data; if the controls are designed correctly, the business process owners are the ones responsible for their data and defining and approving who has access to that data. That request gets passed on to IT, which then provisions it.
At a higher level, you can look at security ownership as a risk analysis that should take place to identify the most critical business processes in your organization. Do you have the right controls in place around those?
Ultimately, though, we recommend an approach that is spread out across the organization. If one owner has to be defined, we believe security ultimately rolls up not just through the CIO organization, but all the way to the CFO. In our experience, however, there should be an executive steering committee that includes executives from finance operations and other critical business departments, because security is not an IT-only exercise. The appropriate pieces need to be owned inside the various departments.
In short, IT should not be considered the owner, and the responsibility for security should not be in a silo.
But what about the budget?
When it comes to budget specifically, typically it is split between IT and finance. It's important that both groups are involved because both groups are going to play a very significant role.
When it comes to budget dollars, which people often equate with ownership, larger organizations might allocate dollars to IT for the tools being used, but that doesn't mean those budget dollars can't also be allocated and funded through other departments and organizations, including finance operations and the like.
The CFO signs off on the financial statements and the internal controls and puts his or her name on the bottom line from a Sarbanes-Oxley Section 302 perspective. At the end of the day, the CFO is the person who could end up going to jail for something done incorrectly that he or she didn't know about. That is why getting the CFO on board and including them in this conversation at all times is so important.
In addition, most companies today have a CISO, or Chief Information Security Officer, who sits within the IT department. Even if you don't have a CISO at your company, the IT department is typically the one making these changes and doing the provisioning. Very rarely do you want that person making the decisions about why somebody is being provisioned with a role, but they need to understand the basics of doing so, as well as what the process is and the reasoning behind it, so they can help prevent the associated risk.
There needs to be some sort of independence, but not necessarily the level of independence that external auditors have relative to internal audit. It's somewhere between these groups. The ultimate recommendation is that somebody within the CFO's organization has to take ownership of it, and somebody within the CIO's organization has to take ownership of it as well. It's a joint project.
To keep a security program on track, it is critical to understand who should own it and who should manage the budget. In short, it should be a responsibility that falls at various levels across the organization—not just the IT department—because each area is responsible for its own data.
Stay tuned for additional blogs in this series. Want them all at a glance? Check out the first blog, which will have all 9 links once they are published.