Establishing an enterprise view of access risk to comply with industry regulations
Turnkey’s client is a UK gas utility supplier with over 1,000 employees. It runs more than 30,000 km of gas pipes serving around 7 million customers.
Challenge
With energy suppliers increasingly relying on technology to run their networks, cyber security risks have a much bigger impact on suppliers and the public they serve. To address this, the Government introduced the Network & Information Systems (NIS) Regulations in 2018, which place legal requirements on the UK’s energy providers to secure the networks and information systems that underpin their critical services, including access to them.
Turnkey’s client was in the infancy of its enterprise identity management journey. It needed a strategy for managing identities and access to systems and data across the organisation. The utility firm had previously commissioned a systems integrator to implement SAP GRC as part of its SAP S/4HANA rollout. However, subsequent audit findings against that SAP GRC implementation led the client to seek advice from a third-party specialist to review the implementation and set out a more integrated strategy going forward.
The client wished to review its whole approach to identity, security and access across its SAP and non-SAP systems, exploring how best to provide these services through a more holistic and future-proofed strategy covering its entire user base and IT landscape.
Solution
Turnkey Consulting was engaged to support the utility organisation by providing the expertise, analysis, recommendations and strategy to secure the foundations of an enterprise-wide identity and access programme.
To bring the client to the level of maturity this business change journey required, Turnkey initially reviewed the firm’s existing SAP GRC approach, making recommendations for improvements to the technical implementation as well as, strategically, to the business use and ownership of the solution. This included ownership of roles, controls and the different risks across the business.
The findings were taken forward in three projects:
1. An SAP GRC Target Operating Model for an effective GRC function, supported by Standard Operating Procedures defining how the client runs the function day to day.
2. An IAM strategy giving direction for Identity Governance and Administration (IGA) and Privileged Access Management (PAM).
3. A market analysis of vendors for Risk and Controls Management and audit management against the client’s requirements, leading to a best-fit solution recommendation.
As a trusted advisor, Turnkey set out how the utility provider can achieve its aspirations, identifying gaps in people, process and technology. By streamlining business processes to provide a single view of all access, the strategy has reduced access risk across the organisation and is helping the client meet its compliance and regulatory objectives.
Benefits
- Enterprise risk is reduced: the utility firm now has a solid structure and understanding of the governance, identity and compliance roles required within the business, together with a five-year plan.
- Turnkey’s client is confident of meeting its compliance objectives for the NIS Regulations and other legal requirements, including GDPR.
- With the enhanced SAP GRC and IAM programme, the firm has a holistic view of access risk, enabling improved performance and giving real insight into the gaps it needs to close in resourcing and skill sets.
- The utility provider has the right strategy to ensure that the right people access the right systems and data, for the right reasons and at the right time.