Regional Semiconductor Company 

Business Profile 

Our client is headquartered in Singapore, with production facilities located in ASEAN and China. The client did not have a Segregation of Duties (‘SoD’) framework, which resulted in a large number of SoD risk violations. This was highlighted in multiple audit reports, and senior management mandated the IT team to identify and implement a comprehensive SoD framework supported by automated tools for ongoing SoD compliance.

Objective

The client invited Hexadius to conduct a SoD workshop for its management team, internal audit team and key members of its SAP team to discuss a solution to address SoD compliance requirements. Based on the workshop, the client decided to seek assistance to develop a SoD ruleset tailored to its business risks, identify existing SoD risk violations and perform one-time SoD remediation to address those violations.

The client also evaluated multiple third-party SAP SoD management tools and decided to implement a third-party solution to automate SoD management.

The key objectives of the project were as follows:

  • Define SoD Ruleset to address its specific business risks.
  • Perform one-time clean-up of SAP authorizations to address SoD risk violations.
  • Identify and establish mitigation controls where SoD risk violations could not be removed.
  • Implement automated solution to enforce preventive SoD risk violation checks as part of user access provisioning.
  • Implement automated solution to provide ad-hoc SoD risk violation reports.
  • Establish procedures to manage SoD compliance on an ongoing basis. 

Work Performed

The client engaged Hexadius to develop a SoD ruleset and perform one-time SoD remediation to address existing SoD risk violations. It also appointed Hexadius as its single point of contact to implement the automated solution. Hexadius worked with the client to address the overall objectives through two streams – one focused on implementation of the automated solution, the other on defining the SoD ruleset and performing SoD remediation. The details are as follows:

  • SoD Ruleset Definition – Hexadius worked closely with Business Process Owners, the Internal Audit (IA) team, and SAP functional consultants to understand key business process flows and relevant SoD risks. Based on this understanding, Hexadius proposed the SoD risks. The key business users and IA team reviewed the proposed SoD business definition, and the ruleset was customized to address their feedback. The Hexadius team worked with the SAP functional consultants to develop the SoD technical definition (i.e., transaction codes and authorization checks) to ensure that all relevant transactions were correctly assigned. Custom transactions were also analyzed and added to the SoD ruleset where applicable. The final SoD ruleset was approved by the client’s business representatives.
  • Implementation of SoD Tool – Hexadius worked closely with product specialists and the client’s SAP support team on the installation of the automated solution. The approved SoD ruleset was uploaded into the SoD tool and configured as the default SoD ruleset to address the client’s requirements. Hexadius also worked with key users to establish governance processes around maintenance of the SoD ruleset (such as ownership, approval of changes, etc.). The client’s key users were trained to use the tool effectively.
  • SoD Remediation – Hexadius used the automated solution to identify the existing SoD risk violations. Hexadius analysed the violations and proposed a remediation strategy. Hexadius worked closely with the SAP Security team, Business Process Owners and SAP Support team to review and identify the authorization changes required to address the SoD risk violations. Where SoD risks could not be removed, Hexadius worked with the business to identify mitigation controls to address the risks.
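To make the two streams concrete, the following is an added illustration (not Hexadius’ methodology or the SoD tool’s code) of how a SoD ruleset of this shape is evaluated: a business definition (risks as pairs of conflicting functions), a technical definition (functions mapped to transaction codes), a detective run over existing users that separates open from mitigated violations, and a preventive check that simulates a role assignment before it is granted. All users, roles and mitigations are constructed sample data; the standard SAP transaction codes are used only for illustration, ZPO_CREATE stands for a custom transaction folded into the ruleset, and the example simplifies the technical definition to transaction-code level (a production ruleset also evaluates the underlying authorization objects and field values).

```python
# Minimal SoD ruleset engine: constructed sample data throughout, not the
# client's ruleset. Real SAP tcodes appear for illustration only; ZPO_CREATE
# is a placeholder for a custom transaction added to the ruleset.

# Technical definition: SoD function (a business activity) -> transaction codes.
FUNCTIONS: dict[str, set[str]] = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "CREATE_PO":     {"ME21N", "ZPO_CREATE"},
    "GOODS_RECEIPT": {"MIGO"},
    "POST_INVOICE":  {"FB60", "MIRO"},
    "RUN_PAYMENTS":  {"F110"},
}

# Business definition: a risk is a pair of functions one person must not hold.
RISKS: dict[str, tuple[str, str]] = {
    "P001": ("CREATE_VENDOR", "RUN_PAYMENTS"),  # create and pay a fictitious vendor
    "P002": ("CREATE_PO", "GOODS_RECEIPT"),     # order and receive without oversight
    "P003": ("POST_INVOICE", "RUN_PAYMENTS"),   # book an invoice and pay it
}

# Role -> tcodes, as would be extracted from the SAP authorization data (constructed).
ROLES: dict[str, set[str]] = {
    "Z_PURCHASER": {"ME21N", "ZPO_CREATE", "ME23N"},
    "Z_WAREHOUSE": {"MIGO", "MB51"},
    "Z_AP_CLERK":  {"FB60", "MIRO", "FK01"},
    "Z_TREASURY":  {"F110", "FBL1N"},
}

# User -> assigned roles, and user -> risks accepted under a mitigating control
# (e.g. an independent monthly review of payment runs).
USER_ROLES: dict[str, set[str]] = {
    "alice": {"Z_PURCHASER", "Z_WAREHOUSE"},
    "bob":   {"Z_AP_CLERK"},
    "carol": {"Z_AP_CLERK", "Z_TREASURY"},
}
MITIGATIONS: dict[str, set[str]] = {"carol": {"P003"}}


def functions_for(tcodes: set[str], functions=FUNCTIONS) -> set[str]:
    """SoD functions granted by a set of tcodes (any one tcode of a function suffices)."""
    return {name for name, codes in functions.items() if codes & tcodes}


def risks_for(tcodes: set[str], functions=FUNCTIONS, risks=RISKS) -> set[str]:
    """Risk IDs violated when both functions of a risk are held together."""
    held = functions_for(tcodes, functions)
    return {rid for rid, (a, b) in risks.items() if a in held and b in held}


def effective_tcodes(roles: set[str], role_map=ROLES) -> set[str]:
    """Union of all tcodes reachable through the assigned roles."""
    return set().union(*(role_map[r] for r in roles)) if roles else set()


def analyse_user(user: str, user_roles=USER_ROLES, mitigations=MITIGATIONS) -> dict:
    """Detective check (remediation / ad-hoc report): open vs mitigated violations."""
    found = risks_for(effective_tcodes(user_roles.get(user, set())))
    mitigated = found & mitigations.get(user, set())
    return {"open": sorted(found - mitigated), "mitigated": sorted(mitigated)}


def preventive_check(user: str, requested_role: str,
                     user_roles=USER_ROLES, mitigations=MITIGATIONS) -> dict:
    """Preventive check at provisioning time: simulate the assignment and block it
    if it would introduce an unmitigated risk the user does not already carry.
    Pre-existing open violations are reported separately for the remediation stream."""
    current = user_roles.get(user, set())
    accepted = mitigations.get(user, set())
    before = risks_for(effective_tcodes(current))
    after = risks_for(effective_tcodes(current | {requested_role}))
    new_risks = (after - before) - accepted
    return {
        "allowed": not new_risks,
        "new_risks": sorted(new_risks),
        "existing_open": sorted(before - accepted),
    }


if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, analyse_user(u))
    print("bob + Z_TREASURY:", preventive_check("bob", "Z_TREASURY"))
    print("alice + Z_AP_CLERK:", preventive_check("alice", "Z_AP_CLERK"))
```

Running the block shows the two outcomes the engagement distinguishes: carol’s P001 is reported as open while her P003 is shown as mitigated, and bob’s request for Z_TREASURY is blocked because it would combine invoice posting and vendor creation with payment runs. Note that alice’s request for Z_AP_CLERK passes the preventive check because it adds no new risk, while her pre-existing P002 violation is still surfaced for the remediation stream rather than silently accepted.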

Benefit

The successful completion of the project resulted in the following benefits for the client:

  • Strengthened internal access control by establishing a comprehensive SoD framework.
  • One-time clean-up of user access to address the SoD risk violations. 
  • Identification of mitigation controls required to address SoD risk violations that could not be removed.
  • Enhanced user access provisioning process, which now includes preventive SoD risk analysis to avoid new SoD risk violations.
  • Sustainable procedures to ensure ongoing SoD compliance.
  • Reduced manual burden on the SAP team, with SoD compliance ensured through an automated tool that identifies SoD risk violations before access is granted to users or new roles are created.
  • Efficient and timely governance of potential SoD risk violations through automated SoD reports and dashboards.