Having helped Anglia Water develop its GRC standards in the past, SU53, an independent provider of SAP Security and SAP GRC solutions, will now help the water company upgrade its current SAP GRC Version 4 to a newer version. The company runs the SAP Risk Analysis and Remediation and the Privileged Access Control modules.
“We will need support to implement that [the upgrade] and establish best practice,” said Sandra San Vicente, security risk manager at Anglia Water.
Anglia Water’s SAP R/3 environment runs on a SUN Solaris operating system, UNIX Operating System version 10. The SAP Risk Analysis and Remediation tool runs on the same system.
Although the water company has outsourced most of its SAP-based IT for several years, to CSC, it decided to bring the SAP GRC skills back in-house three and a half years ago. It was encouraged to do so after running audits of its systems.
“We outsourced the [SAP security] skill set and we became a management system. We were getting more and more questions about security conflicts. People were asking ‘should I be seeing this?’ or ‘I can’t access something I saw yesterday’, and so on.
“[Then after running audits,] the auditors told us that we have problems with SAP security, and we decided to bring it in-house and manage it ourselves.”
It brought the security role development in-house first, followed by the implementation of GRC tools, and then the configuration of the risk and mediation tool. The Anglia Water IT team comprises five people, with four dedicated to SAP security and one focused on the control of the network and UNIX environment.
Under the contract with SU53, Anglia Water can hire the company’s contractors on an as-needed basis. The water company has been working with SU53 for around three years.
“In the past, our project managers have gone out to market and asked for somebody with SAP security skills. We don’t know who those people are, and sometimes they build roles in different ways, so we started to get different role structures that are subsequently quite difficult to manage.
“With SU53, they work with our standards they helped to develop. The company has been very flexible in supplying the right skill sets at the right time. Agencies generally want three or four-month contracts, but SU53 can do just a day.”
Anglia Water is currently finishing a project to deliver the Privileged Access Management tool around the billing area for 700 users, which involved the creation of 86 new SAP composite job roles. SU53 worked with project managers Pricewaterhouse Coopers (PwC) to deliver the required security roles.
SAP UK & Ireland User Group Annual Conference
21-23 November 2010, Manchester