Business Process Cyber ​​Risk Management

Controls in ERP systems

Implementing an ERP system is a major undertaking for any company. In almost all cases, it leads to the redesign of business processes and results in significant changes to the organization's business control environment

Our services span the life cycle of an ERP system: from designing controls and appropriate segregation of duties as part of the implementation process, to ongoing monitoring and assessment, or one-time reviews in the course of operations. As a result, you will be able to assess the key risks influencing your business, avoid costly upgrades after the ERP system’s implementation, and minimize fraud risks when implementing projects in accordance with your plans.

Automated GRC solutions

Many projects in such areas as process and risk management, as well as GRC (Governance, Risk and Compliance) are often capital intensive, pose complications for the core business and are implemented on a siloed basis.

Instead of siloed solutions in GRC, process and risk management, organizations should implement an integrated concept based on advanced technology.

Our GRC design and implementation services enable organizations to decrease the load on the personnel and simultaneously ensure the involvement of all key participants in implementing GRC design and implementation projects.

Segregation of duties in ERP systems

Many organizations are using or planning to use ERP solutions in order to automate their business processes. When implementing and using such information systems, businesses need to pay particular attention to proper segregation of duties (SoD) among employees. In order to minimize fraud risk and prevent unauthorized operations, the control over two and more stages of a process should not be assigned to a single person. Based on our experience, most SoD-related issues arise from a company’s failure to account for risks or underestimating the importance of an organization’s SoD framework.

Protection of SAP systems from cyber threats

Deloitte possesses unparalleled experience in assessing the security of the SAP system landscape and the impact of cyber threats on an entity’s operations.

In the field of SAP system protection from cyber threats, Deloitte offers the following key services:

• Independent assessment of SAP system security including black box penetration testing, social engineering, assessment of SAP system security architecture, support in addressing the identified vulnerabilities;
• Analysis of the primary code in in-house builds to identify vulnerabilities and implement secure development processes for SAP systems;
• Connection of SAP systems to SIEM systems and the development of correlation rules to identify cyber threats based on the specific features of the SAP systems;
• Advancement of processes used in the information security management center and integration with the SAP information security function;
• Advancement of information security incident response processes;
• Integration of the cyber security strategy with the business strategy and implementation of programs for the development and transformation of the cyber security function.

Compliance with IT security requirements

Survival in a highly competitive modern environment and the ability to meet external challenges requires that companies implement and maintain their security management infrastructure (including personnel, processes and technology) in working condition.

Deloitte’s key information security compliance services are: 

• Assessment of the current status of IT systems in accordance with the security standard of the Bank of Russia, the Federal Law “On Personal Data,” PCI DSS, ISO27000, etc.
• Risk assessment, development of information protection strategies, implementation cases, and business case analysis.

Business continuity and fault tolerance

Business continuity and fault tolerance are relevant in day-to-day operations as never before, given that more and more companies are switching to 24/7 operations, while the success of business operations depends on the implementation of new technology.

Growing expectations of interested parties and regulatory requirements drive the need for applying approaches that enable organizations to manage both short-term and long-term consequences of various incidents affecting the personnel, processes, systems, or external events.

Deloitte’s key business continuity and fault tolerance services are:

• Current status analysis and operational consequences
• Business continuity program management
• Development of business continuity plans
• Organizational business continuity system testing and delivery of training programs

Data leakage prevention (DLP)

Given that all companies deal with confidential information, clients, business partners, regulatory authorities, shareholders, and boards of directors expect the organization to ensure the appropriate data protection. However, security system breaches involving corporate and personal data theft continue.

The interference of regulatory authorities combined with negative media coverage and damage to the company’s image force organizations to immediately analyze the confidential information that is entrusted to them and the available DLP management tools.

Deloitte’s key information leakage prevention services are:

• Data flow analysis aimed at gaining insight into confidential data treatment, storage, use, and processing in the organization.
• Assessment of data loss probability and consequences
• Review of information control and processing tools
• Remediation planning
• Assistance in DLP software system selection and implementation