Verified case study


by Vince Warrington | 1 August 2016



A very large, global UK business had a history of recurring Access Control issues in SAP which caused a number of serious security breaches. 

The internal IT team reacted to those control issues and mitigated them as part of a BAU process, but the solutions that were applied treated only the symptoms and did not address the root causes of the access violations.

There was also a lack of security governance for SAP, resulting in inconsistent processes, absence of standards and policies, and incomplete security controls.


Our expert examined the current state of SAP security, focusing primarily on Segregation of Duty and sensitive access, and determined how to mitigate the risks of Access Control violations.

We then planned what changes needed to be made to people, process and technology to ensure the risks were reduced via effective controls and that SAP security remained in a compliant state.

The project included three major phases:

  • Governance and Target Operating Model
  • Access Controls and Authorisations
  • Vulnerability and penetration testing of the SAP structure


We formed a large project team consisting of our experts and the client's in-house employees with specialist SAP knowledge, as well as representatives of the business users from across the globe. This composition allowed us to bring together not only the security experts, but also end users who could explain how they needed SAP to operate.


The project took nearly three years to complete, as the various SAP instances were all very different and had to be thoroughly analysed before any remediating actions could be agreed and implemented, but the business was able to gain several benefits from this complex project:

  • A Target Operating Model applicable to all SAP instances, ensuring conformity for the set-up, usage, and maintenance throughout the business.
  • A significant reduction in the number of Security Breaches caused by users having inappropriate levels of access, achieved mainly through the imposition of new controls around User Creation and a thorough evaluation of all Roles within SAP.
  • Increased Senior Management confidence that the possibility for internal fraud to occur had been reduced by implementing effective Segregation of Duties policies, preventing individuals from collaborating on potentially fraudulent transactions.


Vince Warrington

Vince is an expert in data protection and cyber security. He runs Protective Intelligence, an information security consultancy.



Success factors

Significant transformation


Project lead

Vince Warrington

Project status


Start date

February 2016

End date

February 2016

Project value