The group’s growth in recent years has been driven by acquisitions, with each new company incorporated in the group retaining an identity as a division within the organisation. As a result, the group operates several different SAP environments, each operating different security management processes.
Since the group’s listing on the New York Stock Exchange, it has been subject to the regulatory requirements for IT security specified in the Sarbanes-Oxley Act of 2002 (SOX).
In order to satisfy the relevant requirements and to facilitate the responses to audit findings, the global packaging business implemented the cloud-based SailPoint Access Risk Management (ARM) system to manage security across its SAP landscape. SailPoint ARM itself became subject to SOX regulation and the firm needed a partner with the necessary expertise to ensure it was compliant.
A personal recommendation led the business to Risk, Identity and SAP Security specialists Turnkey as an expert in the field. In 2018 Turnkey was selected to support the existing Global IT security operation, via its Bedrock Governance, Risk Management and Compliance (GRC) service, and to undertake specialised project-based work. Security for all the SAP systems would be managed via SailPoint ARM instances, governed centrally and managed by Turnkey.
The Turnkey Bedrock service took over the day-to-day management of the Access Risk Management environments, supporting access control over the SAP estate and providing the business with an efficient, cost-effective service it can trust. As part of this service, Turnkey also manages the relationship with SailPoint ARM, tracking bug fixes and change requests for future releases, freeing up in-house resources to focus on strategic issues. “We work closely with the Turnkey team and trust them completely to get the job done,” says the Group IT Director for IT Security.
Bringing its access risk management and SAP security expertise to the tasks, Turnkey’s project teams undertook critical projects for its client, including:
Segregation of duties within SAP environments is a key control point. Turnkey helped the business to standardise the model across all its SAP environments. Specifically, it created a global list of ‘conflicts’ where segregation was not 100% possible, linking each to a mitigating control within the business. All of this was managed using SailPoint ARM, giving the group and its external auditors full visibility of the ‘rule book’ and the mitigations relating to segregation of duties.
As the business moved control of emergency access management to SailPoint ARM and the service became mission critical, Turnkey ensured the facility was always available and complied with SOX standards. All such access requests now follow a standard model and are managed through SailPoint ARM, connecting to each individual SAP instance.
In 2018 the group disposed of one of its packaging divisions to form a separate company. The division shared an SAP environment with another of the firm’s divisions, requiring separation of data within the SAP environment and creation of a new instance of SailPoint ARM for the independent company. Turnkey ensured both entities would be ‘audit-ready’.
Global Standardisation
With some areas operating different processes for security management, Turnkey worked with its client to roll out a globally accepted security management process to achieve consistency of approach.
It is a SOX requirement to re-certify all users every year, demonstrating that each access profile has an owner and approver. Turnkey managed the process, extracting the relevant data and sending it to managers for validation. Some 2000 locked profiles were removed from the SAP environments and a further 3000 confirmed as valid users. SailPoint ARM was used to manage the process and provide the location, function, and reporting line for each profile. Owing to the global spread of the projects, remote working was already the norm, so ways of working hardly needed to change when the Covid crisis arose. “There was almost no impact from Covid on our relationship or methods,” explains the Group IT Director. “It was a seamless transition.”
The success of the close relationship between the client and Turnkey has prompted a further project to help define a strategy for Identity Access Management. “Turnkey’s expertise helped us to recognise the value of a clear strategy before diving into solutions,” continues the Group IT Director. “They had anticipated our requirements in this area and were ready to go immediately with a statement of work.”
Turnkey’s client now has a global set of standardised, SOX-compliant processes for security management across all its SAP instances. Turnkey has taken on the day-to-day management of access controls, freeing up resources at the global packaging business for more strategic work.
Turnkey’s Bedrock support service also manages the relationship with the third-party SailPoint ARM provider, ensuring that bug fixes and change requests are processed quickly and efficiently, and removing the need for the firm to interact with the provider directly.
“We were very comfortable outsourcing this vital role to Turnkey,” says the Group IT Director. “Our confidence has been rewarded and our global security governance has benefitted enormously from the relationship.”