Q&A: Automating Security Controls for Compliance
Can companies use built-in ERP capabilities to better automate their IT controls?
When dealing with regulatory compliance, are your enterprise applications working for you or against you?
Numerous regulations require that organizations guarantee the integrity of discrete business processes. For example, Sarbanes-Oxley requires that companies ensure the accuracy of their financial statements and know who can access or alter the underlying information. Meanwhile, HIPAA requires that private patient data remain private.
To secure such processes, organizations are increasingly using IT controls and automating them whenever possible to make ongoing compliance easier and more cost-efficient, and to make the controls themselves more effective.
One control-automation option is to use what you already have. For example, many enterprise resource planning (ERP) applications include a large number of settings and options for control automation. Yet how effective are controls applied to one particular ERP application, versus controls applied to applications organization-wide? We spoke with Amit Chatterjee, senior vice president of the GRC (governance, risk, and compliance) business unit at SAP, to learn more, including details on SAP’s recent acquisition of Virsa Systems Inc., whose software enforces controls across multiple applications.
ERP implementations are typically customized to some extent. Does that complicate using built-in controls for compliance?
SAP has always had compliance applications, secure applications, and the IT compliance controls piece in particular. The problem was, what we shipped was compliant [or configured for governance], but what was implemented was an entirely different situation. …
The more the customer plays with the process, the more he realizes, if I turn off these controls, things work better. … And that’s why a company like Virsa made sense. First, it could check the application [to see what changes were made to it]. … Second, the data is always changing. It’s residing across the business process, which is always bigger than any one application. So we had to find a way to handle process controls across customized applications, with changing data, so controls wouldn’t break.
This is what SAP and Virsa will offer—workflow and documentation … and we’ll put that together and offer it by the end of year [as a product].
How did SAP’s acquisition of Virsa relate to the formation of its GRC business unit?
The merger was approved back at the end of May. … The intention behind [buying] Virsa was not so much [about] Virsa by itself, but SAP had spent six to 12 months thinking through what governance, risk, and compliance meant, and doing development on our own. We realized there [was substantial crossover] with Virsa. …
So SAP has launched its GRC business unit. We’ll focus on taking the Virsa products to market, but also building out six to seven products in the first year alone [to pursue] new customers, and allow them, with the Virsa product, … to do more around managing risk, and not just for Sarbanes-Oxley.
What are your customers’ biggest governance, risk, and compliance challenges?
As I was working with customers [and their regulatory challenges], the number-one thing they said is, “Sometimes I don’t know I’ll be hit with a regulation in advance. What can I do?”
We identified four levels of compliance, and they’re really approaches to [answering] that question. Companies go through four stages:
- small and unaware or uninformed about needing to comply with a regulation
- reactive; customers hear about Sarbanes-Oxley, and perhaps ask their vendor for a relevant solution
- consolidation phase—[tackling] all regulations with one regulatory tool, and creating a governance, corporate, and business ecosystem
- using GRC as a strategic weapon
In the last stage, this is where you manage your business and you don’t just react to regulations, but react to influence outcomes, and achieve operational excellence.
What are companies’ built-in ERP software control options?
You have two options. Built-in controls is one. Then, if you’re trying to do the process pieces across multiple applications, or if you want controls that aren’t just limited to what’s built into one application, then you need to have a broader [approach], which is where something like the GRC becomes an opportunity.
Should companies, when instituting controls, revisit some basic ERP settings, to see what they might enable to meet requirements?
I wish it were that easy, because it would save a lot of pain. But … you have to remember that the people who recommended turning off something have moved on long ago. The ability to find a consulting organization that was willing to [trace the rationale behind current settings] would cost an unbearable amount, in many cases. Furthermore, doing that could damage the integrity of your existing business processes.
So if you want to implement a control, you need to know … [how to do that] in a way that doesn’t disrupt existing business processes.
How Virsa came about is, they did security controls consulting, and they realized everything [control-related] was so manual, so labor-intensive, that … there was a need to automate that process. And if you want to implement a control … you need to know … it won’t disrupt the business.
Why is control automation so difficult?
The complicated part is usually at the consultant part: at what point do I want to change any of the business processes so they become different? … That’s when you get into application remediation. Now, Virsa takes two to four weeks to get [up and running], whereas, conservatively, to take that system down and [alter it] might take three-plus months. …
Now, when you start to automate controls … there may be 20 key processes that you want to go after, and which [after an audit] you quickly have to hone in on and remediate. … How quickly you can use the controls that the consultant has recommended to you is how quickly the company becomes compliant.
At some point, I also think you’ll even see regulations that start to push at this, that … after your external audit, say there are 200 violations. It’s almost the issuance of the fix-it ticket that you want to see. …
Is that your recommendation for instituting controls and remediating applications—taking a trouble-ticket approach?
Yes, it’s our recommendation that, obviously, you find out what the 20 or 200—depending on the size of your organization—[violations are], because it’s not just about being compliant with regulations, but hopefully through fixing these processes, you become a better business.
The small example here is Basel II. … Simply put, it’s not about compliance. … [Really] it’s allowed banks to lower their capital reserves. … If they follow certain processes, they can decrease the amount they need to keep in their capital reserves, and that saves money.
So [regulations] aren’t just annoyances that you have to keep up with. These are massive strategic weapons you want to deploy because they make your business run more efficiently. … You’ll see more of that: the “let’s try to turn the business around and make all these regulations about revenue-generation and margin” improvements.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.