Prevention Is the Best Medicine: A Guide to SAP Security Health Checks
Ongoing, preventative maintenance and monitoring of your users’ SAP security access is critical to avoiding significant deficiencies or control weaknesses. A governance, risk, and compliance (GRC) tool (such as SAP GRC, Control Panel, ComplianceNow, or ERP Maestro) is a great start, but there is more to monitor. System profile parameters and client settings are also in scope for your audit, yet they fall outside the monitoring scope of most GRC applications, which focus on user and role access.
Regular security health checks are key to (1) identifying these access issues before they spiral out of control, (2) mitigating the risk from control deficiencies, and (3) ensuring your security administrators are following best practices. In an SAP environment, security health checks are periodic assessments of the key application-layer IT general controls (ITGCs) related to user access. They should cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGCs your external auditor may assess.
Understanding the Differences between PIAs and the GDPR’s DPIAs
Since May 25, 2018, organizations have been required to perform data protection impact assessments (DPIAs) under the General Data Protection Regulation (GDPR). Organizations use DPIAs to assess whether a given data processing activity poses a risk to the rights and freedoms of individuals. Because DPIAs are similar in name to the much more familiar privacy impact assessment (PIA), there has been some confusion among privacy and risk management teams, who have mistakenly treated them as the same type of assessment. In fact, DPIAs and PIAs are quite different: they serve separate goals and assess different areas of privacy. This post focuses on the key differences between these two types of assessments and the roles each plays in a GDPR-compliant privacy program.