
Is Your Emergency User Concept Just a Carte Blanche?

When asked whether they ever check their emergency user log, most companies still respond with no. Experience from GRC practice shows that these logs usually gather dust in archives instead of being properly checked and documented.
E3 Magazine
June 5, 2024

Increased scrutiny from the BSI (Germany's Federal Office for Information Security) in connection with the NIS2 directive expected in the fall has put the issue of emergency users at the top of auditors' agendas, and not just for KRITIS (critical infrastructure) companies. In particular, auditors examine the extent to which emergency user controls are integrated into the company's internal SoD (segregation of duties) concept. The two are still rarely considered together, which creates a significant and unnecessary security gap whenever super-users hold far more permissions than the internal SoD concept allows. "This is neither sensible nor practicable for a holistic security strategy," explains Ralf Kempf, IT security evangelist and CTO of Pathlock Germany.

Monolithic or hybrid

"The complexity of IT systems, which are often no longer monolithic but hybrid, is growing rapidly, which means that SoD concepts are also becoming more extensive and less transparent. It is essential to keep them up to date, transparent, and harmonized. Contingency plans can no longer be viewed in isolation," emphasizes Kempf. It is important to consider the auditors' perspective. They are generally critical of super-user concepts because they can compromise the integrity of systems and financial data. To maintain confidence in the company's financial reports, they ensure that there are clear rules and controls on who is granted emergency user rights and how they are used.

The task of harmonizing approaches, complying with requirements, and creating transparency through proper logging presents new challenges for organizations that have already struggled with the initial implementation of SoD. While there is no one-size-fits-all solution, a number of best practices can make the process more efficient. These include reviewing the existing set of rules against your own organization.

The review of scope and relevance must take into consideration new developments and technological advances in the applications and, if necessary, lead to an individual adaptation of the rules and regulations. The necessity of each role and each T-code—including the currently valid authorizations—must be reviewed in relation to actual usage. If they are not assigned to any user, or are assigned but not actually used, they should be removed for security reasons.

Relevance check

If the relevance check shows that an employee has not used an authorization for more than a year, it should be deleted from the profile. This sounds simple, but requires technical effort and expertise. After all, when you remove a user's privilege, you need to change the existing roles, which is not always easy to do manually. To streamline the process, it is common practice to remove the conflicting privileges first, and then remove the sensitive privileges in a second step. To prevent employees from feeling that their rights are being taken away, it is helpful to present them with the relevant statistical user data. Irrefutable evidence of non-use helps to overcome resistance and convince superiors. In this way, the policy remains clear and effectively adapted to the company's circumstances.
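As an added example (not from the article or from Pathlock), the relevance check and the two-step removal order described above, run over constructed usage statistics for two hypothetical roles and a toy SoD rule set; the role names, T-code lists and conflict pairs are assumptions for illustration:

```python
from datetime import date

# Constructed reference date for the check (not from the article).
TODAY = date(2024, 6, 5)

# Constructed usage statistics: role -> {T-code: date of last use, or None if never used}.
USAGE = {
    "Z_FF_FINANCE": {"FB01": date(2024, 5, 20), "F110": date(2023, 1, 15),
                     "SU01": None, "SE16": date(2022, 11, 2)},
    "Z_FF_BASIS": {"SU01": date(2024, 6, 1), "PFCG": date(2023, 4, 3), "FB01": None},
}

# Toy SoD rule set: holding both T-codes of a pair in one role is a conflict (assumed).
SOD_CONFLICTS = {frozenset({"FB01", "F110"}), frozenset({"SU01", "PFCG"})}
# T-codes treated as sensitive on their own (assumed list).
SENSITIVE = {"SU01", "PFCG", "SE16"}


def days_since_use(role_usage, today=TODAY):
    """Statistical evidence per T-code: days since last use, or None if never used."""
    return {t: (None if last is None else (today - last).days) for t, last in role_usage.items()}


def unused_authorizations(role_usage, today=TODAY, max_age_days=365):
    """T-codes not used within max_age_days; never-used T-codes count as unused."""
    return sorted(t for t, d in days_since_use(role_usage, today).items()
                  if d is None or d > max_age_days)


def sod_conflicts(role_usage):
    """SoD conflict pairs fully contained in the role's current authorizations."""
    held = set(role_usage)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def removal_plan(role_usage, today=TODAY, max_age_days=365):
    """Order the unused authorizations as the article describes: conflicting privileges
    first, sensitive privileges second, everything else last. Also reports conflicts
    that survive the removals, which need a role redesign rather than a cleanup."""
    unused = set(unused_authorizations(role_usage, today, max_age_days))
    conflicting = {t for pair in sod_conflicts(role_usage) for t in pair}
    remaining = set(role_usage) - unused
    return {
        "conflicting": sorted(unused & conflicting),
        "sensitive": sorted((unused & SENSITIVE) - conflicting),
        "other": sorted(unused - conflicting - SENSITIVE),
        "still_conflicting": sorted(tuple(sorted(p)) for p in SOD_CONFLICTS if p <= remaining),
    }
```

The `days_since_use` output is the per-user evidence you present to employees and superiors; the plan's `still_conflicting` entry shows where removing dormant privileges alone does not close an SoD gap.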

Closing ranks with auditors

It is crucial to see both internal and external auditors as allies with the same goal of a good security policy. Close cooperation and a lively discussion culture allow for compromise and flexibility on both sides. It must be possible to address specific issues if something in the regulations seems inappropriate. Auditors are often willing to accept an alternative if it does not change the level of security.

Integrate management

When in doubt, it makes sense to ask the auditor for appropriate solutions and to validate them with the goal of achieving quick success and gaining management support. The decision maker level should be motivated to ask if they need background information to understand and clarify certain SoD rules. If a role is deemed unnecessary, auditors may be tempted to remove it. With the right rationale behind a particular rule or requirement, managers are better able to evaluate changes and drive improvements. A well-informed management team can become a strong partner in the project. 

No matter how competent an internal audit team is, additional support from experienced experts should be sought. It is extremely important to proceed with caution and do your homework. As a general rule, a consulting firm should have at least the same level of expertise as the audit team. If both parties use the same terminology and share the same beliefs and standards, this can result in significant cost savings and more effective prevention of future fraud attempts.
