Information Security at Nordwest
In many companies, structures that have grown historically are a hindrance to optimum processes. In SAP® systems, the area of authorizations provides particular potential for risk: The complex role concepts are difficult to manage with internal resources. With akquinet’s help, the NORDWEST trading network therefore cleaned up its SAP® environment and gave its authorization concept a good spring clean. The result: clean structures and spic and span risk management.
Nordwest Handel AG has been a permanent fixture in the German network landscape for almost 100 years. In addition to goods procurement in the areas of steel, building services (HVAC), construction, trade, and industry, the service provider offers its 800- plus specialist trade partners comprehensive services for finance, logistics, IT, and distribution. The associated mid-sized companies benefit from low purchase prices and low-cost services that are otherwise only enjoyed by quantity buyers. As a listed stock company, Nordwest Handel must comply with various legal requirements relating to company and customer data, for example, the German Tax Code, Federal Data Protection Act and the generally accepted principles of computerized accounting systems (GoBS). These aim to provide certainty for investors on the one hand and protect the system against misuse on the other.
The company is also committed to providing its customers with the highest degree of security. Authorization management, which had, over time, become non-transparent and difficult to manage, therefore turned out to be a risk factor. “In the area of authorization management, the SAP® standard system only offers very limited options for managing and representing roles and risks in a user-friendly way,” says Stefan Lendzian, divisional manager Informatics/Systems Support at Nordwest Handel AG. To avoid errors, the company wanted the entire system to be examined and updated.
Analysis of existing authorizations and any critical combinations “As a rule, many authorizations are assigned too generously,” says Steffen Maltig, project manager and senior consultant at akquinet. “The GRC Suite pinpoints the critical combinations and therefore provides a fast overview of where improvements are needed, and where authorizations make sense”.
Calculation of new role distribution with the help of the RoleOptimizer Here, NORDWEST benefited from around 700 stored sample templates, which take account of both external guidelines and internal rules for functions, and enable the database to be built up very quickly.
Check authorization risks The SAST module UserTrack permanently monitors all roles to determine authorization risks and therefore enables strict role planning.
The big advantage of support through SAST GRC Suite
Projects of this kind are processed up to 90 percent faster. Thanks to the modular structure (e.g. AdminTrack for emergency user management, SystemTrack for the monitoring of critical system parameters, UserTrack for the cross-client and cross-system authorization check), the solution provides extensive functions for the analysis of technical weak points, the management of emergency users, and for the real-time analysis of critical authorizations and roles. “With the modular principle, we will continue to benefit from far lower costs and sound documentation in the future,” says Stefan Lendzian from NORDWEST Handel AG. The transparent risk management also offers greater reliability in role distribution, the specialist concepts provide clear rules on preserving the structure. “Instead of ironing out individual problems in role management, we set up our authorization structures on a completely new basis using the SAST GRC Suite from akquinet. As a result, we save time and money in the long term, and we also have legal certainty,” states Mr. Lendzian.
With the help of the SAST GRC Suite from akquinet, NORDWEST Handel AG put its authorization management to the test and updated the role concept.
Numbers and Facts
• Far lower risks in authorization management.
• Far less time required for role distribution and maintenance.
• Lower costs for administration.
• Overview of all roles in the company.
• Transparent risk assessment.
• Uncontrolled growth in authorizations is prevented.
• Use of role templates possible.