This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP Security assessment, role redesign & remediation costs

Moderators: Snowy, thx4allthefish, jurjen

Post by Jaydhruv » Mon Apr 03, 2017 9:58 am


Does anyone know of average costs associated with:
a.) SAP Security assessments. (10K ?)
b.) Role redesign. (500 to 700K ?)
c.) SOD remediation. ( ?? )

Also, does anyone have templates on the same, and what each one covers? At least the SAP security assessment one.

Swim monkey
Posts: 45
Joined: Thu Jun 26, 2003 2:12 am
Location: Florida, USA

Re: SAP Security assessment, role redesign & remediation costs

Post by Al. » Tue May 09, 2017 5:28 pm

It is very dependent on things like complexity of landscape, complexity & maturity of business processes, regulatory requirements etc. Who is doing the work will also influence costs greatly as they are likely to be working on a T&M basis.

Very generally I would expect a security assessment to be 2-3w for a 3 tier landscape covering ECC + a couple of other modules. It is very scope dependent. Adding in technical stuff e.g. system hardening will increase that. Cost could range from £8k-£20k depending on who you would use and what output the client wants.

Redesign - again, complexity is the driver. £100k - £400k tends to be the most common range that I see across a wide range of companies.
SoD remediation - remediating existing roles is often around 50% of the cost of a redesign but again, there are lots of variables.

In terms of an assessment, generally I will scope this based around what a client needs. As somewhere to start I have listed scope items for the review of a relatively complex security implementation. This is only roles & users, no technical/cyber security is included. From memory this was about 4 weeks' worth of work and had a load of detailed sensitive auths analysis.

Technical review of the design, build, and the process around testing, maintenance and usage of roles with focus on:

Role definition process
- Design Strategy
- Integration between security and process teams
- Role data gathering and processing
- Test and signoff process
- Design change process (template and localisation)
- Design ownership & decision model
- Adherence to good design practice (internal and external)
- Flexibility & scalability of design to support known final system scope, architecture and target operating model
- Supportability of design during rollout & BaU

Technical design approach
- Design selection process
- Design choice rationale - Enhancements/challenge made to previous design
- Metrics used to support decision
- Volume of roles considering supportability and maintainability
- Flexibility of solution to adapt to future operating model
- Use of organisational levels and derivation

Role Mapping
- Role mapping approach - Roles, responsibilities, touch points and gaps
- Integration with (local and project) organisational design/change/HR/training teams
- Data gathering and sign-off process
- Mapping data quality assurance
- Change management - Communications (project and business stakeholders
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London
