Wikileaks and Data Theft

Storing organizational data efficiently and securely using Compliance Management.

CDs containing thousands of customer records and addresses, as well as classified documents, find their way onto the internet with surprising ease. Now the internet platform Wikileaks wants to publish controversial content relating to US banks.

Does this kind of thing only happen in the USA? Probably not. According to the Federal Office for Statistics, approximately 10 percent of German organizations have inadequate security measures in place for their IT systems. The networked world makes our private and working lives quicker and more efficient. People no longer communicate only with their immediate surroundings; they chat, mail and tweet around the globe. This opens up fantastic opportunities for new business processes.

At the same time, the risks in this new world are growing rapidly and exponentially. We no longer access data only from our own network; we access content stored on computers around the world. As long as data exists in digital form and is stored somewhere on a server, then with a little effort important, and sometimes business-critical, data is available to anyone, anywhere.

Sadly, top of the list is the theft of data by an organization’s own employees. Data is often easy to access. In SAP applications, organizations tend to hand out display-only authorizations quite readily: “display creditors, that’s only an authorization for displaying information.” This is the kind of comment IT consultants hear frequently from their customers. “SE16 – it’s just a transaction for displaying table entries.”

What authorization access does a bank employee need to produce a CD full of customer data?

Compliance Management is more than just having a segregation-of-duties process in place. It means that the organization takes account of even the most elementary aspects of data protection. SAP itself offers very limited means of manually monitoring segregation of duties and controlling critical display-only authorizations. To maintain an overview it is necessary to run supporting reports, tools and processes. It’s not just about owning compliance products; security is enhanced only when these products are used effectively.
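As an added illustration of the two review tasks described above (not code from the article or from ConVista), the following script flags “display-only” authorizations that nevertheless permit bulk table reads, and checks a user’s combined transactions against a small segregation-of-duties matrix. S_TCODE and S_TABU_DIS are real SAP authorization objects and ACTVT 03 is the display activity; the role names, authorization group “ZFIN”, user assignments and conflict matrix are constructed for the example.

```python
from collections import defaultdict

# Constructed role definitions (not real SAP roles). S_TCODE holds transaction
# codes; S_TABU_DIS holds (authorization group, activity) pairs, where activity
# "03" is display and "*" is a wildcard covering every table group.
ROLES = {
    "Z_AP_DISPLAY": {"S_TCODE": {"FK03"}, "S_TABU_DIS": {("ZFIN", "03")}},
    "Z_TABLE_VIEW": {"S_TCODE": {"SE16"}, "S_TABU_DIS": {("*", "03")}},
    "Z_AP_VENDOR_MAINT": {"S_TCODE": {"FK01", "FK02"}},
    "Z_AP_PAYMENT": {"S_TCODE": {"F110"}},
}

# Constructed user-to-role assignments.
USERS = {
    "alice": ["Z_AP_DISPLAY"],
    "bob": ["Z_TABLE_VIEW"],
    "carol": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT"],
}

# Constructed SoD matrix: transaction sets one person should not hold together.
SOD_CONFLICTS = [({"FK01", "FK02"}, {"F110"}, "vendor master vs. payment run")]

# Generic table browsers: "display" here means reading every table the
# S_TABU_DIS authorization group allows, i.e. mass data extraction.
BULK_READ_TCODES = {"SE16", "SE16N"}


def user_auths(user):
    """Merge authorization values across all roles assigned to a user."""
    merged = defaultdict(set)
    for role in USERS[user]:
        for obj, values in ROLES[role].items():
            merged[obj] |= values
    return merged


def critical_display_findings(user):
    """Flag display access that allows bulk extraction of table contents."""
    auths = user_auths(user)
    tcodes = auths["S_TCODE"] & BULK_READ_TCODES
    wide = {grp for grp, act in auths["S_TABU_DIS"] if grp in ("*", "&NC&")}
    if tcodes and wide:
        return [f"{user}: {sorted(tcodes)} with S_TABU_DIS group {sorted(wide)}"]
    return []


def sod_findings(user):
    """Report SoD conflicts from the combined transaction set of a user."""
    tcodes = user_auths(user)["S_TCODE"]
    return [desc for a, b, desc in SOD_CONFLICTS if tcodes & a and tcodes & b]
```

Run over a real user/role export, the same two functions give the overview the text calls for: who can read everything, and who holds conflicting duties.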

The key to data security lies in the ability to use the appropriate software correctly. It is important to implement a product in such a way as to cause minimal disruption to employees going about their work. The deciding factor is to implement processes that integrate seamlessly and intuitively into the existing business processes, as only then is a compliance product really efficient and does it minimize organizational risk.

ConVista consultants have specialised in the SAP Business Objects solution “GRC Access Control.” This solution can be combined with appropriate authorization blueprints and with an optional redesign. Actual projects have shown that, in the majority of cases, redesigning the old authorization profiles is necessary before GRC Access Control is implemented. At the end of last year the team started a ramp-up of the latest version of SAP GRC, covering topics such as Access Control, Process Control and Identity Management. This process will continue until the middle of 2011.