Wikileaks and data theft
Storing organisational data efficiently and securely using compliance management.
CDs containing thousands of customer records, including addresses, as well as classified documents find their way onto the Internet with remarkable ease. Now the Internet platform Wikileaks wants to publish controversial content relating to US banks.
Does this kind of thing only happen in the USA? Probably not. According to the Federal Statistical Office (Statistisches Bundesamt), approximately 10% of German organisations have inadequate security measures in place for their IT systems.
The networked world makes our private and working lives quicker and more efficient. People no longer communicate only with their immediate surroundings; they chat, mail and tweet around the globe. This opens up fantastic opportunities for new business processes.
At the same time, the risks in this new world are growing just as fast. Data is no longer accessed only from within our own network; we access content stored on computers around the world. As long as data exists in digital form and is stored on some server, then with a little effort important, and sometimes business-critical, data can become available to anyone, anywhere.
Sadly, top of the list is the theft of data by an organisation's own employees. Data is often easy to access. In SAP systems, organisations tend to hand out 'display only' authorisations quite readily: “Display creditors, that's only an authorisation for displaying information.” IT consultants hear this kind of comment frequently from their customers. “SE16 - it's just a transaction for displaying table entries.” Yet display access is precisely what a data thief needs: being able to read a table is enough to export it.
What authorisation access does a bank employee need to produce a CD full of customer data?
Compliance management is more than just having a segregation of duties process in place. It means that the organisation takes account of even the most elementary aspects of data protection. In SAP, the standard means of manually monitoring segregation of duties and controlling critical 'display only' authorisations are very limited. To keep an overview, supporting reports, tools and processes are needed. Merely owning compliance products is not enough: security improves only when they are used effectively.
The key to data security lies in the ability to use the appropriate software correctly. A product should be implemented so that it disrupts employees' work as little as possible. The deciding factor is processes that integrate seamlessly and intuitively into the existing business processes; only then is a compliance product truly efficient and able to minimise organisational risk.
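As an added illustration of what such a supporting report can look like (example code written for this page, not a ConVista or SAP tool): the script below reads a constructed export in the shape of SAP's role-authorisation table AGR_1251 and flags every role that combines a generic table-browser transaction (S_TCODE field TCD: SE16, SE16N, ...) with display activity (S_TABU_DIS field ACTVT value 03) on an authorisation group assumed to hold customer or creditor data. S_TCODE, S_TABU_DIS, ACTVT and DICBERCLS are the real SAP object and field names; the role names, the export rows and the "sensitive" group codes FC and SC are constructed assumptions for this example.

```python
"""
Flag SAP roles that combine a generic table-browser transaction (SE16, SE16N, ...) with
display access (ACTVT 03) on table authorisation groups assumed to hold customer/creditor data.

Input: a constructed text export shaped like the role-authorisation table AGR_1251
(AGR_NAME; OBJECT; FIELD; LOW; HIGH). Role names and group codes are made up for this page.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not taken from a real system). HIGH is empty for single values.
SAMPLE_EXPORT = """AGR_NAME;OBJECT;FIELD;LOW;HIGH
Z_FI_DISPLAY;S_TCODE;TCD;SE16;
Z_FI_DISPLAY;S_TABU_DIS;ACTVT;03;
Z_FI_DISPLAY;S_TABU_DIS;DICBERCLS;*;
Z_SD_CLERK;S_TCODE;TCD;VA01;VA03
Z_SD_CLERK;S_TABU_DIS;ACTVT;03;
Z_SD_CLERK;S_TABU_DIS;DICBERCLS;SC;
Z_BASIS_TABLE;S_TCODE;TCD;SE16N;
Z_BASIS_TABLE;S_TABU_DIS;ACTVT;02;03
Z_BASIS_TABLE;S_TABU_DIS;DICBERCLS;FC;
Z_AUDIT_RO;S_TCODE;TCD;SE16;
Z_AUDIT_RO;S_TABU_DIS;ACTVT;03;
Z_AUDIT_RO;S_TABU_DIS;DICBERCLS;SS;
"""

# Transactions that give generic read access to arbitrary tables (subject to S_TABU_DIS/S_TABU_NAM).
TABLE_BROWSER_TCODES = {"SE16", "SE16N", "SE17", "SM30", "SM31"}

# ASSUMED: authorisation groups (DICBERCLS values) covering customer and creditor master data
# in this hypothetical system. Real group assignments live in table TDDAT and differ per installation.
SENSITIVE_GROUPS = {"FC", "SC"}


def covers(value, low, high=""):
    """True if the authorisation interval (LOW, HIGH) grants VALUE.
    Handles the full wildcard '*', trailing-'*' prefix patterns and LOW..HIGH ranges
    (a simplification of SAP's pattern rules, sufficient for a review script)."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return value == low


def parse_export(text):
    """Group the export by role, then by (object, field) -> list of (LOW, HIGH) intervals."""
    roles = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        key = (row["OBJECT"].strip(), row["FIELD"].strip())
        roles[row["AGR_NAME"].strip()][key].append((row["LOW"], row["HIGH"] or ""))
    return roles


def granted(intervals, candidates):
    """Subset of CANDIDATES covered by at least one of the (LOW, HIGH) intervals."""
    return {v for v in candidates if any(covers(v, lo, hi) for lo, hi in intervals)}


def find_critical_display_roles(text):
    """Return {role: {"tcodes": [...], "groups": [...]}} for every role that has all three:
    a table-browser transaction, display activity 03, and a sensitive authorisation group."""
    findings = {}
    for role, auths in parse_export(text).items():
        tcodes = granted(auths.get(("S_TCODE", "TCD"), []), TABLE_BROWSER_TCODES)
        display = granted(auths.get(("S_TABU_DIS", "ACTVT"), []), {"03"})
        groups = granted(auths.get(("S_TABU_DIS", "DICBERCLS"), []), SENSITIVE_GROUPS)
        if tcodes and display and groups:
            findings[role] = {"tcodes": sorted(tcodes), "groups": sorted(groups)}
    return findings


if __name__ == "__main__":
    for role, hit in find_critical_display_roles(SAMPLE_EXPORT).items():
        print(f"{role}: {', '.join(hit['tcodes'])} with display on groups {', '.join(hit['groups'])}")
```

On the constructed sample, Z_FI_DISPLAY (SE16 with DICBERCLS `*`) and Z_BASIS_TABLE (SE16N with ACTVT range 02..03 on FC) are flagged; Z_SD_CLERK is not, because its transaction range VA01..VA03 contains no table browser, and Z_AUDIT_RO is not, because group SS is not in the sensitive set. A real review would also have to consider S_TABU_NAM, which grants access by table name rather than by group, and join the result with the user-role assignments (AGR_USERS) to answer the question of which employee can actually pull the data.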
ConVista Consultants have specialised in the SAP BusinessObjects solution “GRC Access Control”. This solution can be combined with appropriate authorisation blueprints and, optionally, with a redesign. Actual projects have shown that, in the majority of cases, the old authorisation profiles must be redesigned before GRC Access Control is implemented.
At the end of last year, the team began a ramp-up of the latest version of SAP GRC, covering access control, process control and identity management. This process will continue until the middle of 2011.