SAP GRC Ruleset update

Former Member
0 Kudos

hello everyone,

Just a question regarding updating our ruleset, as SAP have sent us a Q4 2013 ruleset update and it has around 12 updates from BASIS to Financial, including some transactions we don't even have. What I was wondering, as I need to understand it better, is: MUST I implement this ruleset? We have been live now and everything is fine, so why should we add these?

Must I do an impact analysis on this, and what must I look for? I need to be able to advise back so that the business is 100% confirmed on whether they update it or not.

Our ruleset is fine and we worked on it for months, and now they send us this. We just think: must we add it? If not, why shouldn't we, or why should we?

much appreciated,

thanks

K

Accepted Solutions (1)

alessandr0
Active Contributor
0 Kudos

Dear Kevin,

Basically this question must be answered by your internal control responsible (and/or organization) and cannot be answered by SAP or the SCN community. SAP only offers best practice and gives you a first impression of how your rule set can be defined. In the end your organization is responsible for your rule set, and the responsible person has to decide whether he wants to update the current rule set by implementing the update or go ahead with the current one.

From my point of view, as the person responsible for internal controls, I review the proposed changes from SAP and verify whether they are applicable to my organization. Generally our organization, for example, doesn't have all the risks proposed by SAP, as they are not defined as critical and can be neglected.

Hope this helps.

Best regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

Firstly, many thanks for getting back so promptly; full marks coming to you.

The reason why I posted this was that I thought it was the job of a GRC CONSULTANT, and fellow managers have been asking an SAP Security and Authorisation consultant too, who have all gone blank.

I was only thinking this as the ruleset had a few tcodes for HR BASIS, and BASIS tcodes. That's what I thought: why would an SAP Security consultant be able to do an impact analysis, and it didn't make sense why an SAP GRC consultant would also do an impact analysis before updating the ruleset.

Just out of curiosity, if the business does come to the SAP GRC consultant for advice on the update of a ruleset, and whether they can advise on it, should they answer back by pointing at the internal auditors?

My final point: can we just ignore the ruleset and not update it, as the transactions are already in our existing ruleset which went live 6 months ago?

Many thanks for your advice Alessandro

best regards

K

Colleen
Advisor
0 Kudos

Hi Kevin,

Just out of curiosity, if the business does come to the SAP GRC consultant for advice on the update of a ruleset, and whether they can advise on it, should they answer back by pointing at the internal auditors?

Your organisation needs to define the roles and responsibilities for managing risk (such as a RACI model). Define who maintains the ruleset, who executes the reports, who reviews them, etc.

My final point: can we just ignore the ruleset and not update it, as the transactions are already in our existing ruleset which went live 6 months ago?

It's not a case of ignore or not. SAP provides the updates, and this is most likely when they identify a new risk or changes to an existing one. This could be driven by:

  • new functionality - SAP builds a new program and transaction code
  • change in code - a development change made to add additional authorisation checks that strengthen the security. If you have that transaction in scope you may want to check your function definition to reduce false positives if users do not have access
  • general review - they find other combinations or continue to tweak

The rule set is a starting point or guideline. Depending on what your company has done, your ruleset will be different, as it all depends on what you have implemented. You may have inherent system controls that remove the risk already and therefore do not need to report on it.

Really, you're not ignoring the update; you review it and determine if it is applicable to your system.

Regards

Colleen
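A worked impact analysis for the review Colleen describes, as an added example that is not part of the original thread and not SAP's own tooling: it parses a current rule set and the delivered update into function-to-action mappings, diffs them, and then sorts the added actions by whether the transaction code actually exists in the target system. The tab-separated layout, the function IDs and the system transaction list are constructed assumptions for this example (SAP's real rule-set upload files and a TSTC extract look different); only action-level changes are modelled, not the permission-object changes Colleen mentions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column layout below is an ASSUMPTION for this
# example, not SAP's actual rule-set upload format.
CURRENT_RULESET = """\
FUNCTION\tACTION\tDESCRIPTION
BS01\tSU01\tUser maintenance
BS01\tSU10\tMass user maintenance
FI01\tFB01\tPost document
FI02\tF110\tPayment run
FI02\tFBZ5\tPost payment with printout
"""

UPDATE_RULESET = """\
FUNCTION\tACTION\tDESCRIPTION
BS01\tSU01\tUser maintenance
BS01\tSU10\tMass user maintenance
BS01\tSU01_NAV\tUser maintenance (navigation)
FI01\tFB01\tPost document
FI01\tFB50\tG/L account posting
FI02\tF110\tPayment run
HR01\tPA30\tMaintain HR master data
"""

# Constructed: transaction codes that exist in the target system. In practice
# this would be extracted from the connected backend (e.g. table TSTC).
SYSTEM_TCODES = {"SU01", "SU10", "FB01", "FB50", "F110", "FBZ5"}


def parse_ruleset(text):
    """Return {function_id: {action, ...}} from the tab-separated text."""
    mapping = defaultdict(set)
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for row in reader:
        mapping[row["FUNCTION"].strip()].add(row["ACTION"].strip())
    return dict(mapping)


def diff_rulesets(current, update):
    """Compare two function->actions maps; report added/removed pairs and new functions."""
    cur_pairs = {(f, a) for f, acts in current.items() for a in acts}
    upd_pairs = {(f, a) for f, acts in update.items() for a in acts}
    return {
        "added": upd_pairs - cur_pairs,
        "removed": cur_pairs - upd_pairs,
        "new_functions": set(update) - set(current),
    }


def classify_additions(added, system_tcodes):
    """
    Split added (function, action) pairs into those whose transaction exists in
    the target system (needs a decision from the control owner) and those that
    do not (the rule cannot fire today because nobody can run the transaction).
    """
    review = sorted(p for p in added if p[1] in system_tcodes)
    absent = sorted(p for p in added if p[1] not in system_tcodes)
    return review, absent


def impact_report(current_text, update_text, system_tcodes):
    """Full impact analysis of an update against the current rule set."""
    current = parse_ruleset(current_text)
    update = parse_ruleset(update_text)
    delta = diff_rulesets(current, update)
    review, absent = classify_additions(delta["added"], system_tcodes)
    return {
        "new_functions": sorted(delta["new_functions"]),
        "review": review,
        "not_in_system": absent,
        "removed_by_sap": sorted(delta["removed"]),
    }


if __name__ == "__main__":
    report = impact_report(CURRENT_RULESET, UPDATE_RULESET, SYSTEM_TCODES)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Entries under "review" are the ones that need a decision from whoever owns the rule set; entries under "not_in_system" cannot trigger a violation today but are worth recording so they are revisited if that functionality is implemented later; entries removed by SAP do not oblige you to drop actions your organisation added for its own reasons, since the rule set remains yours.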

Former Member
0 Kudos


Colleen,

this is great! many thanks

Former Member
0 Kudos

Hi Colleen,

Sorry to ask again, but I am seeking anyone who has updated their GRC system with ruleset update Q4-2013.

I am not sure if there are any risks, and if there are risks in the update, whether we should manually update our GRC system.

Thanks

alessandr0
Active Contributor
0 Kudos

Dear Kevin,

I am not sure whether you have checked the note:

http://service.sap.com/sap/support/notes/1960531

Attached to the note you can find a summary of all changes, which gives you a clear statement of what has been changed.

Whether the change is a risk for your organization has to be decided by your business.

Hope this helps.

Regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

thanks for the response,

I cannot log in; it's asking for a username and password.

alessandr0
Active Contributor
0 Kudos

You can log in with your S-User.

Regards,

Alessandro

kevin_tucholke1
Contributor
0 Kudos

Kevin,

All ruleset updates are always manual. You review the attachments to the SAP note, and then you need to decide whether to add the info to your rule set. There is no automated update for this.

thanks

kevin tucholke

Answers (0)