This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP Security assessment, role redesign & remediation costs


Postby Jaydhruv » Mon Apr 03, 2017 9:58 am

Hi,

Does anyone know of average costs associated with:
a.) SAP Security assessments. (10K ?)
b.) Role redesign. (500 to 700K ?)
c.) SOD remediation. ( ?? )

Also, does anyone have templates on the same, and what each one covers? At least the SAP security assessment one.

regards
Swim monkey
Jaydhruv
 
Posts: 45
Joined: Thu Jun 26, 2003 2:12 am
Location: Florida, USA

Re: SAP Security assessment, role redesign & remediation costs

Postby Al. » Tue May 09, 2017 5:28 pm

It is very dependent on things like complexity of landscape, complexity & maturity of business processes, regulatory requirements etc. Who is doing the work will also influence costs greatly as they are likely to be working on a T&M basis.

Very generally I would expect a security assessment to be 2-3w for a 3 tier landscape covering ECC + a couple of other modules. It is very scope dependent. Adding in technical stuff e.g. system hardening will increase that. Cost could range from £8k-£20k depending on who you would use and what output the client wants.

Redesign - again, complexity is the driver. £100k - £400k tends to be the most common range that I see across a wide range of companies.
SoD remediation - remediating existing roles is often around 50% of the cost of a redesign but again, there are lots of variables.

In terms of an assessment, generally I will scope this based around what a client needs. As somewhere to start I have listed scope items for the review of a relatively complex security implementation. This is only roles & users, no technical/cyber security is included. From memory this was about 4 weeks' worth of work and had a load of detailed sensitive auths analysis.

Technical review of the design, build, and the process around testing, maintenance and usage of roles with focus on:

Role definition process
- Design Strategy
- Integration between security and process teams
- Role data gathering and processing
- Test and signoff process
- Design change process (template and localisation)
- Design ownership & decision model
- Adherence to good design practice (internal and external)
- Flexibility & scalability of design to support known final system scope, architecture and target operating model
- Supportability of design during rollout & BaU

Technical design approach
- Design selection process
- Design choice rationale - Enhancements/challenge made to previous design
- Metrics used to support decision
- Volume of roles considering supportability and maintainability
- Flexibility of solution to adapt to future operating model
- Use of organisational levels and derivation

Role Mapping
- Role mapping approach - Roles, responsibilities, touch points and gaps
- Integration with (local and project) organisational design/change/HR/training teams
- Data gathering and sign-off process
- Mapping data quality assurance
- Change management - Communications (project and business stakeholders
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SAP Security assessment, role redesign & remediation costs

Postby os » Sun Sep 10, 2017 4:40 pm

Jaydhruv wrote:
Hi,

Does anyone know of average costs associated with:
a.) SAP Security assessments. (10K ?)
b.) Role redesign. (500 to 700K ?)
c.) SOD remediation. ( ?? )

Also, does anyone have templates on the same, and what each one covers? At least the SAP security assessment one.

regards


Which currency are you using?

Security assessment should be pre-sales and a serious contender should do it for free. If you are not a serious customer they will charge you at least USD 10k and that is correct. It should include a proposal for the redesign concept though, otherwise you are wasting your money.

Likewise if composite roles and value roles are mentioned just once, then don't waste your time. By the same token, if they don't want to do a pre-assessment then also don't waste your time.

Redesign itself can be done in 30 days, so USD 60k. If you have more than 100 "master roles" and it costs you more than USD 300k then the alarm bells must go off.

SOD remediation you can spend any amount of money on that you want. If your concept is a good one then you only need a monitoring tool and some workflows. Depending on the quality of the tool which covers (re)assessments, (re)design changes, fast upgrades and central monitoring reporting then you can get away with a good deal if you research the market for references that work and ones which don't.

OS
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

