Hear from Preston Futrell, leader of the Global Business Services organization at IBM, as he discusses how they help customers develop their SAP implementations as they migrate to the cloud and how working with Onapsis enables them to assure that security is included.
SOX was enacted in 2002, and its ICFR provisions went into effect in 2003. Since then, numerous other countries have adopted similar laws, such as:
The European Union addresses corporate financial reporting through several directives, which each member state must then “translate” into national law. The EU 8th Company Directive addresses the duties of the audit committee and internal audit functions, including the effectiveness of internal controls.
Some countries don’t have a specific law that requires attention to ICFR, but have other regulations or codes that imply management’s responsibility for ICFR. For example, Britain does not have a “UK SOX” law, but the U.K. Corporate Governance Code holds corporate boards responsible for internal control generally, including ICFR.
The Sarbanes-Oxley Act (SOX) requires publicly-traded companies to maintain adequate controls over financial reporting (Section 404 of the law) so that management can certify that the company’s financial statements are a fair and accurate representation of financial performance (Section 302 of the law).
All filers are subject to Section 404(a), which says management must assess and report on the company’s internal control over financial reporting (ICFR). Large filers are also subject to Section404(b), which requires an audit of ICFR by a certified public accounting firm. Smaller filers are exempt from Section 404(b).
A company does not need effective ICFR to meet filing standards for the Securities and Exchange Commission: it can report that it has ineffective ICFR, usually by disclosing one or more weaknesses in its internal controls. It does, however, need to make accurate disclosures about internal controls over financial reporting.
For example, if management attests to effective ICFR under Section 404(a), but auditors find weaknesses as they perform their duties under Section 404(b), then the certification senior executives make about financial statement accuracy under Section 302 of SOX are no longer reliable.
Ineffective ICFR is often the precursor to a financial restatement. In the worst cases, CEOs and CFOs could be personally liable for making false statements under Section 302.
Cybersecurity is crucial to ICFR and SOX compliance, but too often, the threat is misunderstood.
For example, user access controls to financial systems are one potential weakness; so are poor password reset policies, internal control frameworks already exist to help companies implement strong controls over those areas, and audit firms review and test those controls regularly.
Those examples, however, only address cybersecurity at the application level. Companies subject to SOX compliance must also consider cybersecurity risks at the infrastructure and data levels.
That is, an unauthenticated attack targeting a misconfiguration or vulnerability in your ERP system could let hackers manipulate underlying financial data without touching financial applications or leaving an audit trail. Even with strong internal controls and audits at the data and infrastructure layers, those other security weaknesses in the application layer can still leave financial data subject to exploitation.
So declarations about ICFT would not be correct, and the company would not be in SOX compliance like executives (and auditors) might mistakenly believe.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/
GDPR came into force in 2018. It has since become the model for other new data privacy laws cropping up around the world, such as:
All of these laws work from the premise that personal data belongs to the individual, so companies collecting that data must meet certain duties of care to protect it. Chief among those duties is keeping the data secure from unauthorized access or processing— including from hackers that might exploit weaknesses in mission-critical applications to reach PII in your company’s control.
The European Union’s General Data Protection Regulation (GDPR) is a far-reaching law that provides a set of privacy rights for all EU citizens. Any business working in the EU, as well as any business anywhere in the world that collects personal data about EU citizens, must comply with those GDPR standards or risk severe financial penalties. Some of these GDPR guarantees include:
GDPR doesn’t specify how a company must fulfill these rights; it only requires that a company covered by GDPR fulfill those rights somehow.
Likewise, the GDPR mandate does not expressly say that businesses must encrypt the personal data they collect about individuals. Instead, GDPR repeatedly cites encryption and pseudonymization as examples of the “appropriate technical and organizational measures” a company must take to assure the security of personal data it collects.
GDPR has also become a model for other privacy laws, such as the California Consumer Privacy Act. While CCPA and GDPR aren’t identical, both are rooted in the principle that personal data belongs to the person, rather than to the company collecting the data. As such, the company must meet certain standards of care while personal data is in its possession—such as keeping the data secure.
Article 5 of the GDPR mandate states that personal data must be protected against “unlawful or unauthorized processing; and against accidental loss, destruction, or damage.” This is where cybersecurity enters the GDPR compliance picture. The data must be protected from unlawful or unauthorized manipulation.
Part of that challenge is to keep unauthorized users away (PII) resides. Another part, however, is to protect data itself, at the data and infrastructure layers.
That is, hackers could target a misconfiguration or vulnerability in the company’s mission-critical applications, and gain access to personal data without using business applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure or database levels, weaknesses in the application layer can still leave personal data exposed to unauthorized manipulation—and leave the company violating GDPR.
The potential fines for violating GDPR are substantial; to €20 million or 4% of an organization’s global revenue, whichever is greater.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/
The adequate safeguards required under DFARS are spelled out in the NIST security framework 800-171. That standard addresses 14 aspects of effective security, including:
The U.S. Department of Defense (DoD) manages its procurement needs through a rule called the Defense Federal Acquisition Regulation Supplement, or DFARS. One section of DFARS (Clause 252.204-7012) requires that all defense contractors maintain adequate security safeguards for any ‘controlled unclassified information’ (CUI) that either is stored in or transits through the contractor’s systems.
Contractors that use subcontractors for parts of their DoD contracts or that outsource some of their IT operations are still responsible for assuring DFARS compliance throughout their supply chain. That is, a defense contractor is responsible for the DFARS compliance (or the lack thereof) of its third parties.
The Defense Department does not certify that a contractor is DFARS compliant; nor will it recognize any third-party assessment or certification that a contractor is DFARS compliant. Rather, by signing a contract with the DoD, a company is agreeing that it will comply with DFARS.
A contractor that fails to meet DFARS standards can be barred from bidding on government contracts, lose contracts it currently has, or even face civil and criminal penalties in court.
Controlled unclassified information can encompass a vast range of material: personal data, financial data, nuclear propulsion plans, accident information, budget estimates, whistleblower identities and much more. Any defense contractor possessing or processing any such information for the DoD will need to provide security protections as dictated by NIST 800-171.
The NIST standard expressly addresses several points about enterprise security. Among those points are configuration management and system maintenance, including software patches.
So an unauthenticated attack exploiting a misconfiguration or vulnerability in your mission-critical applications, which many organizations use to manage their supply chains with their partners, could allow malicious actors to manipulate underlying data without touching user applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure and database layers, security weaknesses at the application level can still leave CUI data exposed and jeopardize your DFARS compliance.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/
The FCPA was enacted in 1977. A host of other anti-bribery statutes around the world have come onto the books since then, including:
All of these laws have the same basic structure as the FCPA. They prohibit the bribery of foreign government officials, and require businesses to maintain adequate books and records to identify potential illicit payments.
While enforcement of these laws will vary from country to country, the potential legal liability is the same across most jurisdictions. So the ability to maintain adequate books and records is crucial to compliance, no matter which particular statutes might apply to your business.
The U.S. Foreign Corrupt Practices Act (FCPA) is the foremost corporate anti-bribery statute in the world. It has a criminal section, which prohibits corporations from bribing officials of foreign governments to win business; and a civil section, which requires publicly-trading corporations to maintain adequate books and records that reflect corporate transactions.
The Justice Department enforces the criminal section, and can exercise jurisdiction over any corporation – public or private, based anywhere in the world – that does business in the United States. The Securities and Exchange Commission (SEC) enforces the books-and-records provisions against any corporation that trades on the U.S. stock exchanges, even if that company does not do business in the United States.
Always remember that the FCPA books-and-records provisions provide the legal basis for SEX to punch corporate accounting fraud, even if the company is not violating the law’s criminal provisions. That’s because the FCPA amends the Securities and Exchange Act of 1934, to specify that all companies trading on the U.S. stock exchanges must maintain adequate books and records.
So any company trading on U.S stock exchanges must meet the books-and-standards dictated by the FCPA, even if that company does no business overseas whatsoever.
Cybersecurity is crucial to compliance with the FCPA or any related anti-bribery statute. Bribery schemes work by disguising illicit payments as something else. The ability to create a false trail of transaction records – sales policies bent to generate slush funds, accounting policies abused to fund bribes, payment records altered to hide true recipients – is what allows corrupt payments to flow. Strong cybersecurity thwarts that manipulation.
Moreover, accounting fraud works by manipulating data. So any cybersecurity strategy that ignores threats at the application layer leaves a company vulnerable to accounting fraud, regardless of other security measures such as firewalls access control, and segregation of duties (SoD).
That is, an unauthenticated attack targeting a misconfiguration or vulnerability could target your company’s mission-critical applications, which supports financial operations, and manipulate underlying financial data without touching financial applications themselves or leaving an audit trail. Even with strong internal controls and audits at the infrastructure and database layers, weaknesses at the application layer can still leave financial data vulnerable to bribery or fraud schemes.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/
Switchable Authorization Checks is a solution provided by SAP that allows developers to deliver authorization changes in an SAP system without disrupting the productive systems. This solution allows system administrators to decide how and when new authorizations are applied in the system. It is managed through transaction SACF (Switchable Authorization Checks Framework) which supports administrators to identify users requiring additional authorizations due to the new check. Authorization checks can be activated after completing the required changes to user roles. We will explain step by step how to perform a complete implementation of a switchable scenario, since installing a Switchable Authorization Checks note activates the scenario and its objects.
The mission-critical applications that run your business-supply chain management (SCM), human capital management (HCM), enterprise resource planning (ERP), customer relationship management (CRM), business intelligence (BI) and other systems-have shifted from running solely within a controlled, self-managed environment to a complex and interconnected mix of on-premises, infrastructure as a service (laaS), platform as a service (PaaS) environments and software as a service (SaaS) offerings.
At the same time, digital transformation, including cloud, DevOps, artificial intelligence, robotic process automation and other initiatives, introduces new software and capabilities in the most agile, fast and cost-effective way possible, with security often being an afterthought. As a result, constant change from continuous integration and continuous deployment can introduce errors, overly privileged user access and vulnerabilities that put the business at risk.
While cloud computing and interconnectivity bring operational benefits, such as agility, cost savings and efficiencies, they also create new challenges. IT, cybersecurity and risk professionals must overcome these challenges to protect the enterprise against internal and external threats, ensure compliance with regulatory requirements and optimize availability. Without a complete view across on-premises, laaS, PaaS and SaaS environments, it’s impossible to understand your company’s true application security risk or accurately identify and address the most severe gaps, vulnerabilities and threats.
Onapsis is purpose-built to protect organizations from cyber threats, streamline regulatory compliance and improve availability and performance of mission-critical applications from SAP, Oracle, Salesforce and others across cloud, hybrid and on- premises deployments. You will get a complete view into your most important applications and how they connect to one another, no matter where the applications are running-without multiple tools and additional expertise. Onapsis simplifies interconnected systems and uncovers risk introduced by connecting applications to help you protect the intelligent enterprise, while ensuring compliance and enhancing performance and availability.
With The Onapsis Platform, you can:
Reduce the security and compliance risk of extended business processes
Enforce security and compliance baselines
Monitor application security, user activity and threats in production
Accelerate and ease cloud adoption
Trust, but verify, security of cloud applications
As business processes get extended into the cloud, it becomes increasingly difficult for IT, cybersecurity, development and audit and compliance teams to understand which applications and services support critical business processes, how they interconnect with each other and how changes impact compliance, security and performance over time.
Onapsis can help teams answer these and other questions about their extended business processes:
With The Onapsis Platform, your company gains application- and business-level context to the entire application environment, with a 360-degree view of cyber risk across your critical applications, both on-premises and in the cloud. Designed for cross-functional collaboration among IT, cybersecurity, development and audit and compliance teams, The Onapsis Platform gives you:
Onapsis Delivers Proven Results
Companies using Onapsis have experienced:
Onapsis delivers the actionable insight, secure change, automated governance and continuous monitoring capabilities required by cross-functional teams to optimize workflows and automate manual tasks. Your teams will embrace and accelerate application modernization, cloud and mobility initiatives while keeping your company’s most vital systems and data protected and compliant.
The Onapsis Platform is powered by the Onapsis Research Labs, our dedicated security research team responsible for the discovery and mitigation of more than 800 vulnerabilities in mission-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM, PwC and Verizon-making Onapsis solutions the de-facto standard in helping organizations protect their cloud, hybrid and on- premises mission-critical information and processes.
SAP SuccessFactors contains some of an organization’s most sensitive and regulated data, including employee PII and bank account details to support payroll. Protecting this data – ensuring only authorized users can access and modify it, minimizing risk of breach – is essential for avoiding fraud and costly compliance violations.
Costly, unexpected project delays due to manual code reviews and lack of transport visibility
A global chemical company relies on SAP for their business critical applications and leverages custom code development to support their organization. However, the organization struggled to keep up their development cycles at a pace that aligned with the speed of their business. A manual code review process with no way to check transports for errors, led to long, error prone, development cycles for SAP applications. Additionally, it was difficult to implement changes without impacting existing system performance, or introducing security or compliance issues. This resulted not only in missed project deadlines but also unexpected costs, due to remediation efforts and rework when errors in code were brought into production.
“Onapsis helps us address two of the biggest trouble areas in our change management processes—custom code and transports. A third-party solution for analyzing these that integrates into SAP ChaRM allows us to get things right the first time and avoid costly rework and manual analyses.”
Security Architecture Manager, Global Chemical Company
Onapsis Control automates code scans, checks transports, and reduces development cost and time
The company found the ideal solution in Onapsis Control. They were able to eliminate their manual code review processes and automatically scan hundreds of lines of codes in minutes for errors. Onapsis Control’s detailed explanations and step-by-step remediation guidance shortened their time to resolution and accelerated their development cycle. Deep visibility into their transport errors prior to production enabled the resolution of problematic transports prior to import. This eliminated the need to remediate production errors and also enabled projects to be delivered on time and within budget. The company was able to use Onapsis Control’s ability to check code and transports for quality issues that can negatively impact system performance, compliance, and security. They were also able to ensure that system changes enabled by transports did not impact system performance,. Because they received timely, critical threat intelligence from the Onapsis Research Labs, the company had confidence they could stay ahead of the latest potential threats to their SAP landscape.
“With Onapsis, we can be more confident that the changes we’re making aren’t going to cause disruptions or performance issues while addressing security and compliance at the same time. It’s a win for everyone.”
Security Architecture Manager, Global Chemical Company
Implementing Onapsis Control has enabled the company to incorporate security earlier into their application development cycle, thereby reducing costly errors in production that affect manufacturing and delivery processes. Deep scanning of transports ensures that configuration or authorization changes that violate company policy or manufacturing process guidelines are blocked and, ultimately, rewritten prior to being deployed in the production environment.
This resulted in a 75% reduction in the number of security and quality errors imported into production. As a result, their development process is more secure and efficient, and they have eliminated time-consuming rework and costly system disruption or downtime. The development team also replaced their time-consuming manual code review process with the automatic code scans of Onapsis Control, reducing their code review cycle time by 25%.
