A Methodology for Managing Custom Developments in a Compliance Landscape

  • by Massimo Manara, SAP Security Consultant, Aglea s.r.l.
  • October 26, 2010
New custom developments are present in most SAP implementations. Sometimes they are small modifications or enhancements and sometimes they are more significant. It’s important to ensure that the custom developments are compliant with your security requisites and policy. It is essential to understand from a security and compliance point of view the roles and responsibilities involved in the custom development process and how the workflow process is formed for new developments.
Key Concept
New custom developments should follow a well-designed workflow to ensure the security and compliance of these developments. This workflow must be shared with all actors of this process to help coordinate the entire life cycle of custom development.

During custom development, there are some essential points to keep in mind: security guidelines and best practices, segregation of duties (SoD) compliance, internal policy, and internal controls, among others. Understanding an SAP authorization concept can help you better develop and ensure correct governance and knowledge sharing in your SAP landscape. Because custom development allows for potential GRC pitfalls, ensuring a proper authorization concept in your SAP system is crucial to your GRC efforts.

This article explains some security best practices for managing and creating your custom development in a compliance landscape. I’ll provide a step-by-step guide to avoiding common errors during the release of your custom developments. Then I’ll show you a workflow-based methodology to clarify the phases, roles, and responsibilities during the release of a new custom development. Finally, I’ll discuss how to remediate a non-compliant situation that doesn’t reflect security best practices.

Let’s start by looking at a common authorization check workflow.

Massimo Manara

Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l. (www.aglea.com), the only Italian company whose core business is SAP security and compliance. He has nearly 10 years of experience in IT security and a bachelor’s degree and master’s degree in security computer science and on SAP projects.

See more by this author


Comments

No comments have been submitted on this article. 


Please log in to post a comment.

To learn more about subscription access to premium content, click here.