When to Use Organization Rules and Reporting in Compliance Calibrator
- by Jayne Gibbon, Director of Customer Care, SAP
- February 15, 2008
Find out if your company should use organization rules for eliminating false positives from reports.
You use organization rules to add a further layer of segregation of duties (SoD) analysis that removes false positives arising when a company has segregated duties by organization level. You perform this analysis on top of your core Compliance Calibrator SoD analysis. Organization rules let a company define which combinations of organization levels constitute a true SoD conflict. Companies should not institute organization rules until the remediation phase of their project, and only after identifying a scenario that an organization rule addresses. You should not use organization rules to group users into reports by organization level in order to distribute SoD reports to various management levels.
The first time a company runs its SoD analysis using Compliance Calibrator, a tool that identifies and eliminates risks while maintaining preventive controls, it may find thousands, if not millions, of conflicts. Remediating these can seem overwhelming. Often a company’s initial reaction is that the reports cannot be accurate and must include false positives, meaning users are reported who do not actually have the conflict. On review, however, most companies find that the majority of conflicts are real and remediate them by reassigning access. That said, the reports do sometimes contain false positives, and one cause is the company’s segregation of duties via organization levels.
Within Compliance Calibrator, SAP created organization rule functionality to eliminate these false positives based on organization level restrictions. It is important to understand that you should only use organization rules in those specific situations in which a company has made a conscious decision to segregate via organization levels.
In my experience, many companies think they have organizational segregation, but really they do not. I’ll discuss the business cases that justify using organization rules, but also reinforce that the functionality comes with a cost, so companies should perform analysis prior to implementation to ensure their situation warrants the use of organization rules. You can also use organization level reporting to consolidate reports of conflicts for a specific organizational unit to assist in distributing reports to the risk owners of each area. I’ll look at this later in the article. First, I’ll go through organization rules.
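To make the two-layer analysis described above concrete, here is an added illustration (not Compliance Calibrator code or its data format): a core SoD check flags every user holding both functions of a risk, and an organization rule then keeps only the hits where the organization level values actually overlap. The risk ID, function names, the BUKRS field and the user data are all constructed for the example.

```python
"""Constructed illustration of an organization-rule layer over a core SoD check.
Not Compliance Calibrator code; risk IDs, functions and org values are hypothetical."""
from collections import defaultdict

# Risk P001 (hypothetical): holding both functions is an SoD conflict.
RISKS = {"P001": ("CREATE_VENDOR", "PAY_VENDOR")}
# Organization rule (hypothetical): P001 is a true conflict only when both
# functions are held for the same company code (BUKRS).
ORG_RULES = {"P001": "BUKRS"}

# Constructed user access: user -> [(function, {org_field: {values}})].
USERS = {
    "alice": [("CREATE_VENDOR", {"BUKRS": {"1000"}}),
              ("PAY_VENDOR", {"BUKRS": {"2000"}})],          # segregated by org level
    "bob":   [("CREATE_VENDOR", {"BUKRS": {"1000"}}),
              ("PAY_VENDOR", {"BUKRS": {"1000", "3000"}})],  # overlap on 1000
    "carol": [("CREATE_VENDOR", {"BUKRS": {"1000"}}),
              ("PAY_VENDOR", {"BUKRS": {"*"}})],             # wildcard covers all
}

def org_values_overlap(a, b):
    """A '*' value matches everything; otherwise the sets must share a value."""
    return "*" in a or "*" in b or bool(a & b)

def core_sod_conflicts(users, risks):
    """Core analysis: a hit whenever the user holds both functions, org levels ignored."""
    hits = defaultdict(list)
    for user, auths in users.items():
        held = {f for f, _ in auths}
        for risk, (f1, f2) in risks.items():
            if f1 in held and f2 in held:
                hits[user].append(risk)
    return dict(hits)

def org_rule_conflicts(users, risks, org_rules):
    """Additional layer: keep a core hit only if org values overlap; no rule -> core result."""
    hits = defaultdict(list)
    for user, auths in users.items():
        for risk, (f1, f2) in risks.items():
            a = [o for f, o in auths if f == f1]
            b = [o for f, o in auths if f == f2]
            if not a or not b:
                continue                      # not a core conflict at all
            field = org_rules.get(risk)
            if field is None or any(org_values_overlap(x.get(field, set()), y.get(field, set()))
                                    for x in a for y in b):
                hits[user].append(risk)
    return dict(hits)

def false_positives(users, risks, org_rules):
    """Core hits that the organization rules remove."""
    core = core_sod_conflicts(users, risks)
    real = org_rule_conflicts(users, risks, org_rules)
    return {(u, r) for u, rs in core.items() for r in rs if r not in real.get(u, [])}
```

Note that bob and carol remain true conflicts (shared or wildcard company code), so the rule only discards alice, whose access is genuinely split across company codes.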