Success Story

Managing access violation and improving efficiency with the Bedrock GRC managed service

Founded in 1966 by Pierre Bellon in Marseilles, Sodexo Group is now the worldwide leader in Quality of Life services. They develop, manage and deliver a unique array of onsite Services, Benefits & Rewards Services, and Personal and Home Services for a wide range of clients across the globe.

The client

In the UK & Ireland, Sodexo offers a range of on-site services from construction management, reception and food services through to asset maintenance, security and grounds maintenance for clients in offices, schools, prisons, hospitals, military bases, remote sites and at hospitality events.

In addition, they provide benefits & reward services (including childcare vouchers and public sector reward schemes), and home services.

With over 35,000 people working for Sodexo in the UK and Ireland, Sodexo strives to improve the quality of daily life at over 2,000 client locations across all market sectors.

“I felt GRC was something that Turnkey understood really well.”

— Sodexo SAP Team Lead

Challenge

Sodexo had invested in expanding its SAP environment over a number of years. While this brought greater functionality and additional capabilities, for example through the Employee Self Service (ESS) and the Manager Self Service (MSS) HR modules, it also significantly increased the number of users and the complexity of the system.

Sodexo’s SAP Security Consultant explains: “Our business is very diverse and we now have 5000 users which had grown dramatically after the last GRC project. That built in some extra areas of vulnerability that we needed to resolve”.

With a large workforce comes the risk of access creep. Sodexo wanted the ability to monitor and report on their access risk violations internally, rather than depending on external audit. They needed a tool that could run next to the new roles to ensure segregation of duties, and they wanted to transfer knowledge from their internal SAP team into a tool that anyone could run. They also wanted to improve the manual provisioning processes through automation, in order to maximise the SAP team’s efficiency.

“It was time for some automation, and we definitely needed additional assistance. We needed a system that we, Audit, and Control & Compliance could all use in-house, in order to take a proactive approach,” says Sodexo’s SAP Security Consultant.

Solution

Sodexo chose to implement SAP GRC Access Control 10.1 as a cloud solution, delivered through Turnkey’s Bedrock managed service. “A big thing for us about Turnkey was they were very personable. We felt that our key contact’s experience as a security developer, an auditor and now as a director of a company implementing GRC, was excellent. He understood what we needed from the system”, says Sodexo’s SAP Security Consultant. 

Turnkey tools to speed implementation

Turnkey used their in-house rule set and quick start accelerators to help Sodexo get the basic system in place quickly, with the system going live in under 3 months. The foundation rule set provided a platform to build on, making it a much quicker approach than having to build the rule set from nothing.

Sodexo has now implemented SAP GRC Access Control including emergency access and risk analysis. They are moving onto remediation projects, and will then implement the automated workflow provisioning.

Emergency Access

Implementing the emergency access module has greatly benefited Sodexo. Previously, whenever a consultant needed emergency access to the SAP system, the SAP team had to review what transactions they were planning to do and how they would do them before manually allowing access, a time-consuming process. Now, Access Control’s emergency access provides an automated, monitored and auditable process for all emergency access requests. Sodexo’s SAP Security Team Lead says: “Being automated saves us time because we don’t have to do all the investigation side of it”.

“The access risk analysis is key and the firefighter was a huge win for us in terms of monitoring our team’s privileges and having it all auditable. Having that in a workflow process that’s been reviewed and signed off is great,” adds Sodexo’s SAP Security Consultant.

“We’d like to continue the good relationship we’ve got with them, we do feel very comfortable in asking them anything. We find them very supportive.”

— Sodexo SAP Team Lead

Benefits 

  • Access is better understood, managed and controlled: Sodexo has strengthened their internal access controls by implementing effective workflow on user access, while also reducing the manual activities. As a whole the project has raised the profile of access risks across the business.
  • Manage and report on access risk violations: Sodexo is now in a much stronger position to manage access violations, putting them ahead of external audit. “The business wasn’t really thinking about access creep, and leaving users with the wrong access when they changed their roles. There is now a mechanism for us to prevent a lot of those issues,” says Sodexo’s SAP Security Consultant.
  • Automation of access review processes: the automation within Access Control provides robust and approved workflow processes for granting access with full auditability and reduces the manual burden on the internal SAP team. 
  • Turnkey’s tools and accelerators aid quick implementation: due to their extensive experience in implementing GRC, Turnkey has developed accelerators and rule sets to help projects get off to a flying start. “It needed tailoring but the initial rule set was a benefit”, says Lynch.
  • Emergency access: having a standard, approved and automated emergency access process has been a big win. It is fully auditable and gives visibility of what consultants are doing with elevated access.