on 05-20-2009 11:06 AM
Hi All,
What is the role of a Security Consultant in an SAP implementation Project and the stages in which he is involved?
Hello Mohammed,
The role of a Security consultant in any SAP product implementation (not just GRC) is wide enough that it's hard for anyone to sum up in a single forum post. Still, I can give you some pointers.
Security consultants come from different backgrounds: some from networking, database administration, infrastructure and even development, like me. They contribute enormously to any product implementation, from scratch (landscape design) to go-live (and continuous maintenance), so they are active in every phase of the implementation.
Following are some of the activities they may perform (or participate in):
- System Landscape Design (work closely with BASIS and DBAs)
- Check infrastructure feasibility from a security perspective (for Portals exposed to the internet or extranet, work closely with network providers for firewall security, VPS etc.)
- Propose security guidelines, access policies, disaster recovery plan, business continuity roadmap (work closely with information security consultants and internal auditors or risk management teams)
- Implement SAP solution-specific security measures (involves almost every SAP solution), for example: SAP R/3 security, GRC, BW/BI, HR, FI, Portal security etc.
- Participate in application integration, for example: LDAP, IDM, SAP UME, shared directories etc. (user master record security is a high priority).
- Check for any possible backdoor access vulnerabilities (e.g. open RFCs, function modules like ping_rfc); this involves almost all SAP solutions, and there are special procedures to analyze such vulnerabilities.
There are many such activities that a security consultant performs on a day-to-day basis. Please do not interpret the above-mentioned activities (entirely) as the criteria for any security consultant profile. There are many, many possibilities for a security consultant to work on, from pen testing to SoD violation remediation. That's why I said it's not easy to sum up security.
Always remember, Security and GRC are two sides of a coin; they work together. However, GRC is more of a combination of policy, regulation and events, and involves management participation, whereas security is a purely technical practice.
You may also be interested to know what it takes to become a forensic security specialist. Take a quick look at http://amudee.com/?p=378
Best Regards,
Amol Bharti
Hi,
Are you asking for SAP Implementation or SAP GRC implementation?
I assume it is GRC implementation.
The role of a security consultant is to design roles and maintain authorization objects. He is responsible for cleaning the system and making the system risk free.
There will be risks in the system, and he will remediate the risk where a violation exists (remove the unnecessary authorizations from roles).
And based on the business needs, he will mitigate risks.
If you want anything else then please let me know.
Thanks,
Sudip.