Audit/SoD (ACS) SIG

Our Audit, Control and Security (ACS) SIG is a well-supported group attended by a cross-section of professionals working with SAP and representing the following business areas: IT Security; (including SAP Basis experts) IT & Financial Audit and Risk Management.

Learn Why Security is Key to a successful migration to S/4HANA

Security should always be a key part of a successful SAP system, and if you are making the move to S/4HANA involving the security team all the way through will make that transition go as smoothly as possible. S/4HANA can look and be used differently to SAP ECC, so to really maximise the investment of implementing or migrating, processes could be updated to better practice and the Fiori user interface be fully utilised.

All phases of the change process require good security, being an enabler for process workshops and to control the phases of whatever transformation process and methodology is being followed. Deployment scenarios and architectural considerations bring different security considerations into your project.

Security will need to partner with every team on the project, all the time – enabling access to new functionality like process changes or using Fiori apps instead of transactions, but doing this securely and right first time, to avoid pain later with data migration, performance tuning, testing, training and go live.

During this session Chris Haigh from Turnkey Consulting UK will cover:

• The key security and compliance differences between SAP ECC and SAP S/4HANA
• How to avoid the common pitfalls
• Implementation and migration best practices
• Why security need to be involved

Chris will also provide you with frameworks to help you with the development of effective Fiori and S/4HANA role design, access controls and process change - while showing you how to accelerate the security and compliance components of your SAP S/4HANA transformation programme.

Tom Venables from Turnkey Consulting present Beyond the Application – securing the whole SAP estate

Securing SAP systems is about much more than just the roles and authorisations maintained within the application. You must consider the wider threat landscape, which is more prevalent with the modern SAP estate than ever before. Ransomware, penetration, account takeover, data exfiltration, lateral traversal – all of these terms are becoming increasingly visible and SAP is not immune from the cybersecurity challenge. It is no longer valid to say “SAP is within the network, so is safe” – zero trust means that you must assume a breach will happen, and how you’re set up to deal with that is essential in securing yourselves and your operations.

Tom will discuss the evolving threat landscape to the SAP estate and the key integration points between securing SAP the application, and the IT components on which the application is running. We will explore the kinds of protections which are applied to other IT systems and explore the integration points which allow you to take advantage of those protections around your critical business applications.

He will explore some of the initiatives you can undertake to minimise this risk and, importantly, how to involve your stakeholders in understanding and addressing risks which impact their operations, whether those be business application owners or the wider IT security organisation within your company. Cavan will show how common approaches to layered defense can help to break down silos between business applications and IT security functions to achieve a coherent, integrated approach to defending critical assets.

At the end of this session, you should have an understanding of the changing nature of the threat landscape, an appreciation for some of the techniques used to exploit vulnerabilities within the estate and some key points to discuss with the business and IT leadership to ensure your SAP systems are integrating with (and integral to) your cyber defense strategy.

Paul Lloyd Smith and James Wainaina from SAP will present the following two sessions:

• Considerations for moving Access Governance to the cloud

In this session find out how SAP Clients are adopting SAP cloud applications and ensuring effective segregation of duties across their holistic landscape. SAP will identify solutions currently being supported and indicate when is the right time to plan your access governance enhancements as part of a hybrid or cloud strategy.

• Activating a layer of assurance and system security for the SAP Landscape

This session will focus on how SAP customers are enabling an extra layer of security specifically targeting the SAP application logs to identify where threats are occurring and enabling real-time analysis and response.

Our UKISUG Audit Control & Security SIG Chairs:

Brian Froom has 21+ years’ experience as an IT Auditor across different sectors. He is currently involved in the security and monitoring of Tata Steel’s SAP installations across UK and Europe.

Rhian Parry has been leading Welsh Waters IT External Audits since 2012 along with the SAP Access and Authorisations Annual user reviews with SAP licence Management now in her remit as Dwr Cymru Welsh Water’s SAP Assurance Lead within the SAP Centre of Excellence.

THIS EVENT WILL TAKE PLACE ON ZOOM