I have had the opportunity to work for both small and large employers – including one of the largest employers in the world. In both cases, there were some other payroll technologies used in addition to SAP or ...
Senior Vice-President of HCM Solutions Danielle Larocca has worked in the SAP HCM space for over 20 years. An SAP Mentor and featured speaker at numerous conferences, Danielle has authored four best-selling books on SAP, is the Technical Editor for the SAP Professional Journal, and often the Voice of the Expert on SAPInsider’s Ask the Expert series for HR.
There is quite a bit in the news lately about hackers, scammers, ransomware and technology, and security is always at the forefront. The protection of employee data is a critical aspect for those of us in the Human Capital Management and Payroll workforce. The laws and regulations vary by country and include the POPI Act, GDPR and HIPAA as examples, but there is also simply the commonsense requirement to maintain employees’ right to privacy.
Many times the vulnerability of employee data is caused by human error, as in this famous example from a few years back: Payroll company apologizes for accidentally publishing social insurance numbers. Other times it is more malicious in nature, where the motivation is to cyberattack an organization to steal employee identities.
Regardless of the intent, ensuring your critical HR and Payroll data is secure is a necessity. For those companies using SAP® or SAP SuccessFactors, here are a few key points that you need to be aware of.
Whether you are using SAP or SuccessFactors, your data may reside in more than one environment. Often customers need valid data in non-productive instances or clients for testing, support, or training. This is an area of vulnerability as the controls in place in non-productive environments may be different from those in production. Customers often refresh data from one environment to another which may include employee data. In these cases, you require a secure mechanism for the secure movement of that data and the appropriate anonymization of that data in SAP or SAP SuccessFactors hybrid environments. To learn more and to be sure that your critical data is secure and leveraging an SAP-certified solution, visit Data Sync Manager (DSM) for HCM for more information.
It is easy to identify the primary location that stores a lot of the basic employee data. For example, we know that the Gender field is stored on Infotype 0002 Personal Information in SAP and on the Employee Profile in SuccessFactors Employee Central. However, we also need to think about any of the places that data is propagated to including reports, interfaces and spool files, and ensure that the data is secured there as well. Knowing all of these touchpoints is critical. One way to ensure that your data is protected is to be sure that any third-party solutions that you are using are certified by SAP, as only those that hold the appropriate certifications are ensured to respect the appropriate SAP and SuccessFactors authorizations. For reporting, interfaces and documents, the leading solution that holds this critical SAP certification is the Query Manager with Document Builder, visit Query Manager for more information.
Ensuring compliance with any regulations is not a one-time activity but rather a recurring event that requires continuous review and update. In the SAP ECC world, this includes not only access to employee data but access to develop or execute ABAP (where code can be written to evaluate table or cluster data) and database access. I have seen many employers that made an enormous effort to keep master data locked down at the transaction code/infotype/user level while ignoring the availability of that sensitive data to anyone with the skills to review data either via code, ad hoc table access (SQ01), spools or Basis database (Select *...) access. Additionally, data is also fed to Finance modules with their own sets of authorizations that require review. Keep in mind any monies paid are recorded somewhere and even a cost center report could divulge critical sensitive information that may make an employee’s personal data vulnerable.
For SAP HCM, authorization objects are the nuts and bolts of your HR security. They decide what can be done on a given infotype. Access needs to be controlled and reviewed regularly but you also need to consider segregation of duties for payroll processing. To look after these concerns and assess, update and maintain roles and authorizations in a cost-effective and intuitive way, and comply with data privacy regulations, check out Soterion Access Risk Manager. Visit Soterion's compliance software for more information.
© 2023 EPI-USE Labs
Trafford House, 11th Floor, Chester Road, Stretford, Manchester, United Kingdom, M32 0RS •Other Office Locations
Leave a Comment: