As a technologically aligned manufacturing company, J.K. Cement Ltd. has expanded its business over four decades by developing innovative products beyond the original grey cement on which it built its organization in 1975. Its white cement business, which launched in 1984, has steadily grown the company to be the second largest white cement producer in India. In 2014, J.K. Cement opened its first manufacturing plant outside of India in Fujairah, United Arab Emirates. The business has also expanded its product offerings in this niche market by launching several specialized products, such as white cement-based primer J.K. PrimaxX. “The mindset of our stakeholders has been to always strive for inventing and investing in the latest and best technology, provided that it adds value to the business,” says Jitendra Singh, CIO of J.K. Cement. “This approach to technology has created more efficient ways of working, cut costs, ensured data security, and brought in more revenue.” An SAP customer since 2007, J.K. Cement started its SAP journey with an implementation of SAP ERP with functionality for financial accounting, controlling, materials management, sales and distribution, production planning, quality management, and plant maintenance. Over the next decade, any time the business considered adding new applications to the IT landscape, it always first looked at SAP solutions or applications that integrate with SAP software. And as the organization expanded — today, the business has plants in six locations in India in addition to the Fujairah plant — the SAP landscape grew accordingly. However, in terms of automation for the governance of this growing landscape, processes were still manual and paper based. As the company grew, the need for a stronger controls framework became obvious. Jitendra Singh CIO J.K. Cement Now, we have proof of what has been done, how it was done, and when it was done — and it’s all automated. More than anything else, it has sent a message to users organization-wide that they must be disciplined, be in control, and act carefully. — Jitendra Singh, CIO, J.K. Cement “Like anyone who grows without proper automation, we ended up creating an unwieldy architecture in our SAP system across all departments,” Singh says. Certain user roles had too much access across the various SAP modules, and segregation of duties (SoD) conflicts were increasingly common. The business had to focus on and eliminate any conflicts, for example, if someone in procurement had access to both create or change purchase orders and vendor master data. And it needed to look closely at instances where no documented process was in place for requesting, approving, and provisioning access. “Whenever department heads or functional heads wanted additional access given in SAP ERP to a certain user, they would simply write an email or pick up a phone,” says Singh. “By honoring these requests from end users or managers, over time, we were compromising the governance and security of the organization.” In 2016, after operating more than a year as an international business, J.K. Cement knew it needed to take steps to update its governance processes and put in place a governance platform that would automate the assignment and tracking of access controls. At the same time, the company was increasingly concerned about the costs of SAP licenses and the potential consequence of non-compliance (if any). Getting Ready to Pour J.K. Cement knew that an IT project can sometimes be like pouring concrete: once installed, it can take a lot of money, time, and effort to remove. Consequently, the first steps J.K. Cement took in looking for a governance and control mechanism were to roll out a request for proposals and define a list of selection criteria. The business was looking for a provider that offered the most manageable, least complex, and most user-friendly, end-to-end solution. “We had specific criteria in mind for how to control this situation while not incurring a huge cost,” Singh says. “One was the applicability of the solution with respect to J.K. Cement; second was whether the solution integrated with SAP ERP; and third was what support — hardware or man power — would be required to manage it. Additionally, the solution would need to answer each question raised by the naysayers and end users who were against implementing any technology that would limit their system access.” After evaluating the different options, J.K. Cement decided on the Security Weaver suite and proceeded to deploy nine applications: Separations Enforcer, Secure Provisioning, Emergency Repair, License Management, Process Auditor, Transaction Archive, Reset Password, Role Management, and Role Recertification. The implementation followed a big-bang methodology where all nine applications were deployed at once in under one month. (For more information about the Security Weaver suite, refer to the sidebar at the end of the article.) Once the solution suite was procured, Security Weaver came to present an orientation session at J.K. Cement headquarters in India. “Security Weaver team members gave a small presentation to apprise our top management of exactly what would be involved during the implementation and how the solution suite worked,” says Singh. “Doing so, we demonstrated to the respective stakeholders how vital their support was to the project, especially since we would most likely face some resistance during the implementation” Next was a detailed planning session that involved participation from key users at each plant and the J.K. Cement IT team, including the senior manager overseeing the SAP and Security Weaver applications, as well as resources from Security Weaver. During this planning phase, J.K. Cement identified 18,000 SoD conflicts that needed to be eliminated. J.K. Cement Headquarters: Kanpur, India Industry: Cement manufacturing Employees: 2,745 (2016) Revenue: $557 million+ (2016)< Company details: An affiliate of J.K. Organization, which was founded by Lala Kamlapat Singhania in 1918 Operations commenced in May 1975 with the opening of the Nimbahera grey cement plant in Rajastahan, India (initial capacity of .3 million tons) Currently operating nine plants in seven locations — Nimbahera, Mangrol, Muddapur, and Jharli (grey cement plants); Gotan (grey cement, white cement, and wall putty plants); Katni (wall putty plant); and Fujairah (white cement plant) — with a combined annual capacity of 7.5 million tons Second largest manufacturer of white cement in India (600,000 tons/year) and second largest wall putty producer (700,000 tons/year) International commercial production started in September 2014 in the free trade zone at Fujairah, UAE to cater to the GCC and African markets (0.6 million tons/year) NYSE: JKCEMENT) www.jkcement.com SAP solutions: SAP ERP, SAP Business Warehouse, SAP Business Planning and Consolidation, SAP Treasury and Risk Management, and SAP BusinessObjects solutions Third-party solutions: Security Weaver suite of applications including Separations Enforcer, Secure Provisioning, Emergency Repair, License Management, Process Auditor, Transaction Archive, Reset Password, Role Management, and Role Recertification Curing the Foundation The software was implemented in just under a month. In the next three months, the processes were institutionalized, according to Singh. “The institutionalization period has more to do with organizational management and less to do with the software,” he says. “We ended up creating processes called ‘delegation of authorities,’ which were nonexistent before, to keep risks under control. The idea was that the department heads, as experts in their respective fields, would know best what to do when, what to control, and what not to.” To familiarize all users with the new software, three methods of training were provided. First, the leadership team was apprised on the value the applications would add. Next, the key stakeholders in respective functions were taught how to use the solutions in a more elaborate fashion compared to what was given to the leadership team. Third, extensive training was given to two IT leaders on the manufacturing side and the head of SAP support, all of whom were spread across India. After the core team members were trained on the new software, they communicated to the SAP users across all sites that the new solutions would be implemented in the next 15 days. “Although users were worried about their loss of freedom, we assured them that this would improve their work environment and make their jobs easier,” Singh says. “The three IT team members were available anytime if anyone had issues or needed help, and fortunately, we have had very few calls.” Once the training was complete and the applications were entrenched in users’ daily lives, it did not take long before the first benefits came to light. A Perfect Mix of Aggregate IT projects, like cement, require a balanced blend of ingredients. With cement, too much or too little of one ingredient will prevent it from setting or can cause cracks in the future. For IT projects, the right amount of flexibility, control, simplicity, and automation is key to having a solution that gets adopted quickly and provides value for decades. However, having a solution architecture that was incredibly simple to implement and maintain was only part of the right mix for J.K. Cement. The solution also needed to provide automation that was directly beneficial to the business, and the automation had to be flexible enough to meet the company’s current and future needs. Security Weaver’s Secure Provisioning application did just that and more, according to Singh. “It was just a small piece in terms of the implementation footprint, but came out as a clear winner because provisioning had been one of the major pain points from the end user side,” he says. “Implementing Secure Provisioning helped create a feeling among users that we were doing something positive. That worked in our favor in getting required support from users.” Implementing an automated user provisioning solution helped users and management see that the objective of the security and compliance team was not to constrain or limit the access: IT also wanted to provision access faster. If the access was appropriate, IT wanted users to get it faster than they previously could by sending an email or calling someone. Tightly integrated with Secure Provisioning is the Separations Enforcer application. The solution automates analysis of each request and immediately notifies the requestor, his or her manager, and any other approvers in the request-provisioning workflow if granting the access will create an SoD conflict. By automating the analysis and immediately showing the results, requestors understand if additional approvals will be required, managers understand the implications of the risk without having to wait for IT to do the analysis, and supervisors can determine if, rather than granting access, they should modify the duties of their team members. With these two solutions in place, supervisors or managers can control which users should be given what rights. “The tight integration helps users to be more disciplined prior to approving a request because they see clearly if it might create holes in the system,” Singh says. “It also enables the individual managers and functional heads to analyze who does what in their team — of course, keeping in mind that risk tolerances can differ from one application to another, from one team to another, and from one manager to another.” According to Singh, Security Weaver not only proved simple to implement and flexible enough to adapt to the company’s unique business processes and challenges, it also inspired improvements to J.K. Cement’s business. He says that the new software has led the business to add more structure to the organizational functions, and gives absolute clarity to the department heads as well. “Within procurement, for example, Separations Enforcer has turned out to be a big asset to us,” he says. While provisioning appropriate access faster and finding ways to improve the business have been major wins, it is also important to highlight the numerous access risks that have been purged from the SAP system. “Today, we have already reduced the list of 18,000 SoD conflicts by 60% — so that’s been a huge achievement,” says Singh. In addition to provisioning and improved security, another area where automation has provided high value involves password management. Previously, if users forgot their password or were locked out of the SAP system because of incorrect password entry, the password reset process took close to two days, which resulted in lost productivity and frustrated users. “No matter what part of the world you are in, people want to be productive,” Singh says. “This application created confidence in the positive changes that were happening and encouraged them to support IT rather than push back.” He says that the company’s process for resetting passwords has been reduced from two days to five minutes, and everyone feels more empowered and productive. The process of improving password management was not sufficient, without also implementing an emergency access solution. In scenarios where a user with certain permissions goes on leave or is unavailable for a length of time, another person or set of individuals must be authorized to receive temporary access to complete the absent individual’s job. Furthermore, there are some authorizations in production that are too sensitive to be given on a permanent basis. In both cases, access must be terminated once it is no longer needed. Previously, assigning and revoking temporary access depended on whether someone remembered or elected to do it. Without an automated solution, managing user access required maintaining a log of access rights for users spread across India. However, with Security Weaver, that tedious burden was eliminated. According to Singh, J.K. Cement found a great mix of value, simplicity, flexibility, and control in Security Weaver’s Emergency Repair module. “With Emergency Repair, no one has to write anything down or keep a log to remember when certain rights are to be assigned and then revoked,” Singh says. “Instead, the application lets you set the number of days or timelines to take back certain rights, and access is automatically revoked from the particular user.” Not only were security administrators happy to eliminate this work, but the robust audit trail created by Emergency Repair delighted auditors. “Auditors appreciate this when they come to review the access and access controls,” he adds. “By taking care of it all automatically, Security Weaver makes their lives easier during audit time.” J.K. Cement realized early that, in addition to lowering access risks, focusing on user management could lower its SAP cost structure and make future investment requirements more predictable. Security Weaver’s License Management application provided the key. It analyzes each user’s interactions with the SAP environment and inspects the roles each user has. Based on an understanding of these roles and interactions, it can accurately and continuously assess which SAP licenses are required. Over time, it is also able to show historic consumption and anticipate how long the existing inventory of user licenses will last. The License Management application has helped J.K. Cement to increase control and reduce risk through automated role-based license management. Now the organization can anticipate when more licenses will be needed and avoid an unexpected and disruptive expense triggered by an SAP license audit. Furthermore, because Security Weaver’s solution optimizes how user licenses are allocated and avoids giving users a full professional license when all they need is a limited professional license, over time, it can lower the SAP cost structure of the enterprise. Building on a Safe and Strong Foundation “In March 2018, our annual financial close will trigger a review of user roles, and that’s when the next wave of value will be realized,” says Singh. “Department heads and functional teams will have the visibility into what was given to whom — and over time, if the roles and responsibilities of a department change, they will have the ability to look at the roles and redefine them.” Singh expects the Reset Password, Role Management, and Role Recertification modules to provide tremendous value at that time. Installing these tools prior to the annual financial close will allow J. K. Cement to explore their capabilities and accelerate time to value when the role review process begins. Security Weaver’s Transaction Archive application is expected to also greatly facilitate the role review process due to the rich user analytics it delivers. By providing data on how users are exercising their roles and interacting with the system, it enables J. K. Cement to know which roles were designed properly and the implications of removing roles from a user. However, according to Singh, J. K. Cement is not waiting for its role review process to start before getting value from Transaction Archive, which is already providing the business with unprecedented forensic capabilities and helping to keep users accountable. “Now, we have proof of what was done, how it was done, and when it was done — and it’s all automated,” says Singh. “More than anything else, it sent a message to users organization-wide that they must be disciplined, be in control, and act carefully.” Establishing a tone from the top that stresses compliance sends a strong message about the importance placed by senior leadership on proper governance, risk management, security, and compliance. In addition to understanding the value of user analytics, J.K. Cement understands the value of strong and well-controlled processes. The business included process design and control early in its planning for selecting a compliance and security solution. This was where Process Auditor came into play. By using Security Weaver’s prebuilt templates that come standard with Process Auditor, J.K. Cement was able to rapidly customize and put up controls to ensure proper risk management — controls that went beyond user access and considered both user transactions and master data. For example, J. K. Cement now sends alerts when certain master records change or if a vendor bank account matches an employee’s bank account. The business also has more control over high value transactions and SAP transports. According to Singh, J.K. Cement sees many opportunities for extending process controls to ensure compliance, consistency, and increased efficiency, and is excited to build on the firm foundation now in place. Envisioning a Stable Future J.K. Cement has, in fact, eliminated the risk of users knowingly or unknowingly carrying out fraudulent activity. While the business hasn’t had problems with fraud in the past, according to Singh, it would be virtually impossible for individual users to get away with fraud in the future. “In terms of data and processes, we are now more in control, and in a more confident state with regard to understanding and plugging any security holes related to access that could be a potential risk to the business,” he says. With renewed certainty in the security of the SAP landscape, J.K. Cement is ready to take the next step in its SAP journey and move on to SAP S/4HANA. This migration project, set to begin in 2018, has been planned since before the Security Weaver implementation. Consequently, the criteria for the security platform included that the solution be compatible with SAP S/4HANA. Security Weaver’s SAP certifications with SAP S/4HANA and other SAP platforms mean that J. K. Cement is secure in its future and its security platform is ready for SAP S/4HANA. J.K. Cement continues to honor the mindset of its stakeholders by striving to invent and invest in the latest and greatest technology to add value and provide world class operations. As it does so, IT and the business will keep in mind three takeaways that Singh saw successfully demonstrated in this project: “First, when selecting and implementing software, don’t do it half-heartedly; Second, implement the solution as quickly as possible; Third, don’t compromise on governance and control because you don’t have to.” Security Weaver Helps J.K. Cement Improve Its Governance and Controls Security Weaver partners with organizations to rapidly deliver efficient controls. Its solutions and services satisfy the most demanding enterprises without sacrificing the usability imperatives or ignoring the budget and staff constraints of smaller companies. Any organization improving the business value of its compliance-related investments can trust Security Weaver to deliver governance, risk, and compliance (GRC) solutions fitted to match their unique requirements and individual technology roadmaps. Security Weaver’s solution architecture ensures superior application performance, rapid implementations across diverse environments, and high returns on compliance-related investments. Security Weaver provided J.K. Cement with a proven platform for reducing cost and increasing productivity in its SAP environment. Regarding this partnership, Terry Hirsch, CEO at Security Weaver, says, “At Security Weaver, we pride ourselves on offering solutions that can be deployed quickly, scale indefinitely, and support best practices, with low ongoing maintenance requirements. We are pleased to see that J.K. Cement has successfully leveraged our solutions to create a leaner, more efficient enterprise, and to optimize their user management processes.” Security Weaver also offers automated password reset, role recertification, and role management solutions, as well as, GRC implementation services, solutions for transaction monitoring, process auditing, and emergency access management. It offers custom applications to the smallest and largest SAP customers. Visit www.securityweaver.com/SAP-insider for more information.
Successful companies are often built on a simple idea: Make life better for ordinary people. Southwire Company, LLC, was founded on this premise. Due to post-war wire shortages in the late 1940s, many rural farming families were living without electricity. With a mission to bring power to rural families living in Carroll County, Georgia, Southwire’s 12 employees started producing wire using second-hand machinery in 1950. Nearly 70 years later, the family-owned business has become a leading manufacturer of wire and cable in North America with 7,500 employees in over 30 locations across the US and beyond, including Canada and Mexico. Southwire manufactures and sells wire and cable products for the distribution and transmission of electricity — from the power plant to the outlets in a residential home — and the depth and breadth of its products make the company unique in its industry. Its offerings include high voltage cable for overhead and underground transmission, wires for manufacturing machinery, and wiring for light fixtures in homes and office buildings. To support its operations and processes, Southwire has maintained an SAP solution landscape since 2010, which began with the implementation of SAP Treasury and Risk Management to manage the high volume of copper going through its rod mill. It has since expanded to include other solutions, such as SAP Business Warehouse, SAP Process Integration, the SAP BusinessObjects Business Intelligence suite, SAP SuccessFactors solutions, and SAP Hybris applications. Anchoring this SAP environment is SAP ERP, which is used by all of the company’s business divisions to enable processes such as order to cash, plan to inventory, and procure to pay. As its use of technology has increased, user access across technologies and business functions has become both a key to operational efficiency and, if poorly managed, a material and unacceptable risk. In a sizable and growing business such as Southwire, where large numbers of users access a variety of applications and information daily, avoiding segregation-of-duties (SoD) conflicts is critical to ensure regulatory compliance, prevent errors, and avoid fraud. Identifying existing user access risk due to SoD conflicts in its SAP landscape became a pressing mandate for Southwire’s IT Center of Excellence team in early 2017, when it was tasked by the company’s board to minimize and mitigate SoD conflicts across the organization. Driven by this directive, the IT team embarked on a multi-phased project aimed at understanding the scope of the issue, identifying conflicts, mitigating risks, automating user provisioning, making support operations more efficient, and improving the role catalog. The project started with an investigation phase to first gain a full picture of the issue, which was followed by a planning phase to determine what the solution should look like, an implementation phase, and finally a continuous improvement program that would systematically analyze and improve role designs. Analytics were critical to each stage and continue to play an important part in Southwire’s access management strategy. Getting Plugged In To initially scope the project, Southwire implemented the Separations Enforcer application from Security Weaver to identify and manage SoD conflicts in its SAP ERP system. (For more information about Security Weaver, see the sidebar at the end of the article.) Separations Enforcer enabled Southwire to do a rapid yet thorough analysis of its SAP landscape for SoD conflicts and sensitive access risks with reports that were readable and comprehensive. The solution was also able to handle custom transactions because of its advanced pattern-matching capability, which extends its analytics beyond explicitly defined SoD rules to automatically discover SoD-relevant custom transactions that have not yet been included in the SoD ruleset. “Previously, we had no tool in the legacy systems that would identify the number of SoD conflicts, and we had no means of reporting on them,” says Chris Easterwood, Vice President of Southwire’s IT Center of Excellence. The reports generated by Separations Enforcer revealed a surprising number of conflicts — approximately 10,000 — and when the company’s board saw the results, it passed down another directive to the IT team to address these conflicts. To understand how to mitigate or remove a conflict, the team needed a way to look in depth at what transactions each user was exercising in the system. In the second quarter of 2017, Southwire selected Security Weaver’s Transaction Archive application to accomplish this task. Transaction Archive provided Southwire with detailed SAP transaction code execution histories that could be filtered by user, transaction, time period, user group, and other criteria. It not only showed which users were using which transactions, it also showed what transactions were being exercised in a role across the population of users who had the role. In addition to role and user analytics, Transaction Archive discovers and monitors Remote Function Calls (RFCs) within the SAP system to improve security across the integrated landscape. The decision to go with Transaction Archive was an easy one because of its rich analytics. It also integrated easily with other Security Weaver solutions in use at Southwire as well as with the core SAP ERP system. “We decided to pursue Transaction Archive to help us better understand our past and present user activity and provide that information in a meaningful report for IT and for the business,” says Bryan Mann, Manager of SAP Basis and Security in Southwire’s IT Center of Excellence. The in-house IT team implemented Transaction Archive within a day across Southwire’s global SAP instance using the standard change management functionality within the SAP system. The solution went live throughout the company’s SAP landscape, covering all of its SAP users, in August 2017. Shining a Light on User Roles Since that time, Southwire has successfully utilized Transaction Archive to optimize roles and improve security. The reports generated by Transaction Archive have enabled Southwire to: Analyze user transaction history, including which transactions were executed and by which users, how often they were executed and in what sequence, and when the transactions were used Evaluate role efficiency in terms of how roles are used — such as what percentage of users have exercised each transaction in a role — to ensure that the roles are not bloated with access rights Identify unused roles and then remove those roles to improve the user experience and reduce SoD conflicts The data provided by Transaction Archive has made it possible for the IT team to redesign and optimize roles. “Previously, we managed roles manually based on what we thought users would need,” says Mann. “Transaction Archive makes the process more intelligent — it allows us to design our roles around what the users are actually doing.” Using Transaction Archive and Separations Enforcer together enabled the IT team to significantly reduce conflicts, from approximately 10,000 to fewer than 1,000. For example, an SoD analysis of Southwire’s finance group using Separations Enforcer revealed several conflicts among users. “When we looked at those particular users in Transaction Archive, we discovered that they never actually used the transactions causing the conflicts,” says Easterwood. By changing the roles for these users and taking away rights to transactions they didn’t use, the IT team was able to reduce the number of SoD conflicts without affecting user productivity. “Once we did that, many of the SoD conflicts that had been on the report simply disappeared,” adds Easterwood, “and we were left with just the SoD conflicts for transactions that were actually being used, which we could easily monitor going forward.” The sales group was another area with SoD conflicts. Once Separations Enforcer identified the conflicted users, Transaction Archive enabled the sales group and the IT team to see what authorizations sales administrators were exercising. Then, using that information, the IT team was able to reduce the number of conflicts by redesigning user roles in a targeted way. For example, some users were viewing data using a transaction that allowed changes to the data when a display-only transaction would have sufficed. “Knowing this enabled us to remove access that would allow them to change something when all they needed was to display it,” says Easterwood. Connecting with the Business Separations Enforcer and Transaction Archive also enabled the IT team to better partner with business users — a critical step in mitigating SoD conflicts. The IT team worked with the business side to review what their users were accessing, the transactions they were executing, and the transactions they never used. “With Transaction Archive, we were able to communicate with the business exactly which transactions their users were actually using, and which transactions could be better used either by a different department or by other resources available in the company,” says Mann. “We also used that information to help the business to better define their processes.” Because IT and the business are the core users of analytics from Transaction Archive at Southwire, with the business users usually serving as the final approvers for SoD mitigation, it was important that the tool was easy to use for both teams. “We provided a one-hour workshop for each of the functional areas on how to use the product,” adds Mann, “and after that, with just a few questions here or there, most of the business users were proficient.” Sharing the workload across IT and business users has been a critical success factor for access management at Southwire. Wired for Success The Transaction Archive tool has become an integral part of Southwire’s SAP environment, according to Mann, and is used daily by IT and business users. The ability to quickly and easily see exactly what users have been doing in the system, and have it presented in a consolidated, meaningful report, has yielded significant returns — first and foremost by decreasing the overall number of SoD conflicts by more than 90%. “The number one benefit is that by the end of the project, we were able to present a report to the board that reflected a significant reduction in SoD conflicts,” says Easterwood. Other benefits produced by the project have been time and cost savings, including reducing the time it takes to investigate conflicts from days to minutes. “It is a lot simpler to get to the information that we need,” Easterwood reports, “and it takes less time to review what users are doing in the system than anything we’ve had in the past.” The team was also able to use its existing resources to implement, administer, and manage the tool, as well as review and respond to reports, saving the company from having to spend money on additional resources, which would have cost more than $100,000 per year. “It limited the resources we needed to work on the project,” adds Mann. In addition to enabling the IT team to efficiently address immediate access risks, the visibility into user activities provided by the tool has helped IT and the business make progress toward its overall goal of building better roles for users. “It gives us insight into how the system is being used, and we can then take that information and make better decisions about how roles should be designed,” says Easterwood. The role redesign — which is an iterative process of designing, testing, and adjusting roles before moving them into production — is an ongoing endeavor that will continue over the next few years. “It’s a continual process,” adds Mann, “and Transaction Archive will continue to play a valuable part in the overall project.” Southwire Company, LLC Headquarters: Carrollton, Georgia Industry: Wire and cable manufacturing Employees: 7,500 Company details: Founded as Richards and Associates in 1937 by Roy Richards, Sr. in Carroll County, Georgia, as a company to put up power poles and lines for utility companies Began manufacturing wires and cables in 1950 with 12 employees as Southwire Company to meet the need created by post-war wire shortages Currently operating in more than 30 locations across the US, Canada, Mexico, and other locations Leading manufacturer of wire and cable in North America www.southwire.com SAP solutions: SAP ERP, SAP Business Warehouse, SAP Process Integration, the SAP BusinessObjects Business Intelligence suite, SAP SuccessFactors solutions, and SAP Hybris solutions Third-party solutions: Security Weaver Transaction Archive, Separations Enforcer, Secure Provisioning, Authorization Help, Risk Visualizer, and Reset Password Security Weaver Helps Southwire Control Risk Through SAP User Analytics Security Weaver partners with organizations to rapidly deliver efficient controls. Its solutions and services satisfy the most demanding enterprises without sacrificing the usability imperatives or ignoring the budget and staff constraints of smaller companies. Any organization improving the business value of its compliance-related investments can trust Security Weaver to deliver governance, risk, and compliance (GRC) solutions fitted to match its unique requirements and individual technology roadmaps. Security Weaver’s solution architecture ensures superior application performance, rapid implementations across diverse environments, and high returns on compliance-related investments. Security Weaver provided Southwire with a proven platform for reducing cost and increasing productivity in its SAP environment. Regarding this partnership, Terry Hirsch, CEO at Security Weaver, says, “At Security Weaver, we pride ourselves on offering solutions that can be deployed quickly, scale indefinitely, and support best practices, with low ongoing maintenance requirements. We are pleased to see that Southwire has successfully leveraged our solutions to create a leaner, more efficient enterprise, and to optimize its user management processes.” Security Weaver also offers automated password reset, role recertification, and role management solutions, as well as GRC implementation services, solutions for transaction monitoring, process auditing, and emergency access management. It offers custom applications to the smallest and largest SAP customers. Visit www.securityweaver.com/SAP-insider for more information.
As a global provider of systems and components for automotive and industrial markets, Novi, Mich.-based Cooper Standard has a lot of moving parts. Not only does the company operate in over 100 locations in more than 20 countries — with 74 of its sites running on either SAP ERP or SAP Business Warehouse — it is in the midst of consolidating ERP environments and transitioning to SAP S/4HANA. The sprawling nature of Cooper Standard’s business and the heterogeneous application landscape it maintains mean complex challenges for its Lead Systems Administrator Jessica Goldsmith, who manages global SAP user access and security for several other non-SAP applications. When Cooper Standard saw the need to automate access management — Goldsmith found herself at the center of a major project. The project would affect over 11,000 desktop users who speak more than 18 languages. It would require her to define common processes that met the company’s current compliance requirements, improved control over the heterogenous application landscape that involved SAP and other vendor applications, and more importantly, her improvements needed to anticipate how the application landscape would evolve over time. After a rigorous evaluation period, Cooper Standard selected and implemented a suite of access management applications by Security Weaver designed to tackle these and other critical and complex challenges. Now, when a request finishes and reaches approval, the system goes out and auto-creates the user and adds the access or removes the access – all automatically. And I, as an administrator, no longer have to manually manage it which is a really big deal. – Jessica Goldsmith, Lead Systems Administrator, Cooper Standard One of the most obvious challenges that required immediate improvement had to do with the user access request and approval process. Previously, administrators and managers were manually routing their approvals, which often created delays on the back end, according to Goldsmith. “Systems administrators would first have to review all the access requests that came in before sending them on for approval.,” she says. “Then, after each request was returned to us approved, we had to manually provision the access in the SAP system.” A big opportunity for improvement was in performing periodic access reviews. Cooper Standard had been using Microsoft SharePoint as a platform, and users were manually running and uploading reports and using email to perform approvals and reviews. “We wanted to simplify this process for users and make it easier to track,” Goldsmith says. It was a manual process with many issues, and given Cooper Standard’s commitment to quality in all aspects of its business and its cultural mandate to delight customers, it needed to change. Benefiting Business Users, Not Just Administrators When Cooper Standard began investigating access management solutions, it wanted to maximize its return on investment. It did so, driven by a clear objective articulated by IT leadership. “When going through any evaluation process it’s important not just to focus on how to solve the problems for systems administrators, but rather to also make it easier for the users themselves,” says Bob Cross, Director of Information Technology at Cooper Standard. “Otherwise there’s not much value in it.” Sue Kampe, Senior VP and Chief Information and Procurement Officer at Cooper Standard, summed up another objective: “In IT, we do a thousand things at once, but they are all to enable the business. Every decision we make is designed to ensure Cooper Standard is more competitive in the market and more supportive of its employees and customers, while providing the highest levels of security on behalf of all stakeholders.” With this business orientation in mind, Cooper Standard sought a user-friendly and flexible access management solution that would benefit the business — not just IT administrators, while at the same time, ensure the highest standards of fiduciary control and compliance. One reason that objective led to Security Weaver was due to its ability to integrate with SAP software, according to Goldsmith, who has been at Cooper Standard for 17 years, and in IT for nine of them. “Another big thing was the flexibility of the automation the new solution provides,” she says. “Now, when a request finishes and reaches approval, the system goes out and auto-creates the user and adds the access or removes the access — all automatically. And I, as an administrator, no longer have to manually manage it, and that is a really big deal.” Indeed, there is a business benefit to this automation, according to Satnam Hundgenn, Director of Global IT Audit at Cooper Standard. “Though our previous system had workflow, it lacked auto-provisioning capabilities,” he says. “Users can be assured now that, as soon as their requests are approved, they will have access. Otherwise, there could be a lot of waiting time, depending on the admin queues.” Consequently, with IT staff being able to do more at scale and, at the same time, make more productive SAP users, a compelling business case to move forward with Security Weaver was finalized. In addition to IT staff benefits and SAP business user productivity, Nate Miller, Senior Manager of Global Cyber Security, IT Compliance, and Network at Cooper Standard, sums up the business case by saying, “At Cooper Standard, we understand the value of effective and efficient controls, so when we looked for a solution to give us the control and automation we needed, while improving the processes across various applications, Security Weaver was the right answer.” A Partnership-Oriented Attitude Security Weaver’s team, meanwhile, collaborated closely with Cooper Standard’s development team. “We had a great working relationship,” Goldsmith says. “We actually had a Security Weaver professional sit in our office for several months and he was basically my coworker for that time during the implementation.” Through tight collaboration, key capabilities necessary for Cooper Standard’s unique requirements were raised by Goldsmith and her team. This resulted in additional training on the solution, and in some cases, changes to Security Weaver’s product roadmap. A few times, Cooper Standard was able to get new features delivered almost immediately and well before an official product release. Security Weaver also invited Miller, Cooper Standard’s Senior Manager of Global Cyber Security, IT Compliance, and Network, to participate in its annual solution portfolio roadmap review to ensure the company’s needs were represented. Beyond product features, strong consulting services, and close executive collaboration, Security Weaver also provided, and continues to provide, ad hoc advise from domain experts and product managers and exceptional support. This level of partnership from a solutions provider is appreciated by Cooper Standard and Goldsmith. Ultimately, Cooper Standard deployed several Security Weaver solutions, including Separations Enforcer, Secure Provisioning, Role Recertification, Risk Visualizer, Emergency Repair, and Transaction Archive. The business implemented these solutions at the same time, with all going live in Q1 2017. The Whole Is Greater than the Sum of Its Parts Cooper Standard recognizes measurable benefits as a result of its migration to the new Security Weaver solutions. As Goldsmith emphasizes, the auto-create feature is paying significant dividends. She estimates that her access management group is running 700 SAP requests through a system per month and is no longer requiring an administrator to touch all those requests, which is “a really big win on our part.” The improved efficiency has enabled administrators such as Goldsmith to focus on other tasks. “Instead of spending all my time manually administering access, I can perform more value-added activities, like use Security Weaver Transaction Archive to help me to run a role management project and remove all unused roles,” she says. “I have more free time to perform those sorts of tasks that administrators rarely have time for. For example, we couldn’t do it before because we were too busy.” Consider that, as a result of the more efficient process, Goldsmith, in her “free time,” was able to remove 80% of the assigned roles from existing users. This meant more than 61,000 roles were eliminated because they weren’t being used. This streamlined the process for users when looking for the access they needed and allowed them to spend less time maintaining and recertifying roles by IT and managers. “That level of reduction is just unbelievable and has compounding benefits,” she says. “For example, by doing that, I was able to remove 40% of conflicts across the board just by removing unused access.” By cleaning up those conflicts quickly and efficiently, Cooper Standard managed to reduce risk and boost productivity. Soma Venkat, Vice President of Information Technology at Cooper Standard says, “For every conflict we remove, we eliminate a risk control that had to be performed. This means we save hundreds of hours because our global controllers and management team now avoid performing many mitigations and sign offs. It helps remove even more manual work as we move toward digitization.” Following the initial cleanup of unused roles, Cooper Standard has been able to use Security Weaver and its improved processes to maintain a leaner operation. Goldsmith says that it’s more of a maintenance phase at this point. “We’re still implementing SAP software into new locations, but now we’ve built the unused role removal as part of the go-live,” she says. “After an SAP rollout in a location, for example, we now have a standard to remove roles that haven’t been used after 45 days. If they haven’t used it in the first 45 days, they probably aren’t going to use it.” In the rare situation where a user requires a removed role after all, it is a two-minute exercise, and no one is inconvenienced by the request. The process is working. Goldsmith says she evaluated the current state of unused roles and found it is almost exactly where it was immediately after the initial cleanup. It sits within 2% of that early benchmark so, according to Goldsmith, the new processes are keeping the system lean. Great Parts, Used Well, Make for a Superb Drive The Security Weaver go-live is continuing to pay dividends. Goldsmith is focused on implementing monthly mitigation reminders built into Security Weaver Separations Enforcer. This application allows Cooper Standard to generate emails out of the system that sets actions into motion, such as: Lets users know they have a control they need to perform Creates a review Requires a sign off Allows the upload of an attachment Having these actions trafficked within the system “gives audit a better opportunity to make sure to enforce that these controls are actually being done,” Goldsmith says. “Doing this manually, it was hard to ensure that users were doing what they were supposed to be doing. Not only was it difficult for audit; it was difficult for the business.” Despite all the quantifiable benefits, perhaps the biggest benefit of Cooper Standard’s transition to Security Weaver access management solutions is that it has allowed the organization to better focus on further improvements. Its transition to SAP S/4HANA, which is targeted to be complete in the first quarter of 2020, is a great example. Meanwhile, Cooper Standard is evaluating two additional Security Weaver modules — Automation Mitigation and Process Auditor. Clearly, the automotive and materials science company that has a lot of parts moving in every direction isn’t afraid of tackling new processes — if the result is a smoother-running operation. These solutions and related professional services will streamline processes, ensure the right risks are being addressed efficiently and at the right time, and will inevitably lead to even more business benefits for the IT staff, auditors, and most importantly, business users. Cooper Standard Headquarters: Novi, Michigan Industry: Automotive industry systems and components Employees: 30,000+ Revenue: $3.6B (2018) Company details: Over 50 years of history (NYSE: CPS) www.cooperstandard.com Core product lines include sealing systems, fuel and break delivery systems, and fluid transfer systems SAP solutions: SAP ERP, SAP Business Warehouse, and in the process of migrating to SAP S/4HANA Third-party solutions: Security Weaver Separations Enforcer, Security Weaver Secure Provisioning, Security Weaver Role Recertification, Security Weaver Risk Visualizer, Security Weaver Emergency Repair, and Security Weaver Transaction Archive
Your request has been successfully sent