Organizations are investing to improve their security processes, but very few have automated their compliance procedures. This is one of the findings of a research report by Turnkey Consulting.
The report revealed that 88 percent of respondents operate documented change processes which require strong approvals, are deemed effective and are adhered to by the staff involved. 65 percent have SLAs for their change management procedures that are measured and reported against. However, only 48 percent have deployed automated workflow approval to streamline the activity.
Turnkey’s report analyzes data gathered from over 100 organizations. The company aims to use the research to set the standard for SAP best practice and help its clients tackle key security risks in their organizations. Additional key findings include:
- 73 percent of organizations maintain a segregation of duties (SoD) matrix for their SAP applications, with 68 percent of these configuring the matrix to suit the specific requirements of their business and regularly reviewing it for suitability.
- 87 percent have a dedicated team responsible for user administration. However, only 60 percent of these perform regular reviews of user mapping in conjunction with business role owners to determine whether the user access is still appropriate for that person/role.
- 70 percent of organizations have a defined policy in place which drives their application security, with 69 percent regularly reviewing their security settings to ensure compliance with corporate standards. However, only 55 percent of companies record security logs and have a process in place to analyze these and respond when a threat or vulnerability is identified.
- 80 percent of respondents have processes in place to manage role changes and 85 percent of these require business involvement in the process. But only 47 percent test the changes before they go live.
- 68 percent have defined and documented authorization designs, with 63 percent basing this on processes agreed with the business. However, only 40 percent have a risk register for their SAP application security and only 34 percent believe that the business understands security.
- 50 percent of organizations use Solution Manager to help manage their SAP environments, with 48 percent using CUA and SSO to simplify user management and access to multiple systems.
- 89 percent of respondents have defined roles for their support staff, with 58 percent reporting that their support team is able to process business transactions. 59 percent have procedures in place for privilege escalation, with half of these using an automation tool for it. 28 percent of respondents have support users with full access (SAP_ALL) to their systems.
A free copy of the GRC Benchmark Report is available here.