There are many companies that provide SAP consulting. Each of these, in most cases, also provides support in the SAP security area.
This is absolutely normal. But what is the degree of expertise on these issues?
What most frequently happens in these cases:
- This area is often entrusted to people who improvise, without specific expertise.
- These issues have to be addressed within a larger project, where they are the least staffed and treated as the least important
- The project overruns, with the risk of going live without SAP profiling
- The technical authorization structure turns out to be a failure and is difficult to maintain over time
- The custom developments that are carried out lack even a minimum security baseline (secure software development rules are not applied)
Why do the least qualified people sometimes get involved?
Profiling users was (and to some extent still is) considered a task for technicians (systems engineers). Before involving technicians, however, an organizational analysis must be done by involving all the key players in the company in order to determine "who does what." Even today this key part is often left completely to the systems engineers.
Today the SAP security manager (or SAP security consultant) must have several skills:
- SAP security technical knowledge: not just SAP profiling, but also data security, governance and segregation of duties
- Legal knowledge, even if only basic: Dlgs. 231/2001, Law 262/2005, Dlgs. 101/2018 (GDPR)
- Communication skills. Translating technical details for the uninitiated becomes crucial at the time of training, education and security awareness.
What does it mean to be specialized in the SAP security area?
Profiling is only the technological aspect of the problem. Before understanding how a user should be profiled, it is necessary to integrate the viewpoint of the HR department, the viewpoint of the business contacts and the business process managers. Most frequently, profiling and SAP security more generally are approached solely as a technical aspect.
This is even more of an issue today, when we have to deal with segregation of duties (SoD) or the protection of personal data (GDPR).
Comprehensive SAP security management can be made up of several elements, for example:
- Procedures/Policy
- Documentation of the authorization model
- Training and awareness (security awareness)
- Knowledge of best practices suggested by SAP
- Knowledge of business processes
- Knowledge of relevant regulations for the company
What are the suggestions for choosing a consulting company?
- Does the company have certifications?
- Certifications specific to the area of SAP security (at both staff and company level)?
- ISO certifications?
- Does the company deal vertically with SAP security issues?
- What percentage of total revenue comes from SAP security consulting or SAP auditing?
- What references does it have on data security issues?
- How long has the company been in business, and for how many years has it been dealing with enterprise data protection issues?
How can Aglea help you?
For several reasons, first and foremost experience: we have "launched" many tens of thousands of users by creating their profiles.
Second, having focused everything on one niche topic makes us particularly credible. Very often the "big" system integrators are amazed when they see that major Italian companies have chosen us, and not them, to handle this topic. This seems like an anomaly.
When you have to have very delicate knee surgery, you try to go to a hyper-specialized doctor.
We are the only Italian company whose sole core business, since 2003, has been security in the SAP environment. Finally, we have done a lot of work on tools.
We use dedicated software (Security Analyzer SA) that allows us to revolutionize the approach and timing of projects.
P.S.: Are your suppliers certified? Read about our certifications here.