Anglian Water is using governance, risk and compliance services to ensure the best security for its SAP applications without outsourcing this critical aspect of IT.
The organisation has outsourced most aspects of its IT to CSC, including application and infrastructure support, but wanted to retain control of SAP security authorisations and manage its own SAP governance, risk and compliance (GRC) tools.
"Planning resources around security requires striking the right balance between what needs to be done with the available resources in-house and what you feel comfortable outsourcing," said Sandra San Vicente, security risk manager at Anglian Water.
"If the responsibility of managing access is with the IT services provider, organisations can quickly lose visibility of the risks," she said.
In implementing this strategy, Anglian Water has forged a strategic relationship with GRC and security consultancy su53.
Unlike traditional contractors, su53 has been able to provide a wider range of expertise over a longer period of time and work in a more consistent and integrated way that is more in tune with Anglian Water's business objectives, said San Vicente.
"Su53 has been happy to transfer knowledge and boost the skills of our in-house team, but if you are working with a contractor, sometimes that knowledge can disappear with the contractor," she said.
The increasing demand for such services to increase security controls at lower cost has led su53 to bundle its services into what it claims is the first integrated GRC operating and service for SAP environments.
The consultancy's Managed Security Service offers a range of tools and services from flexible ad hoc support for organisations like Anglian Water to fully outsourced GRC for SAP, including operating SAP's GRC tools and providing best-practice support.
Organisations typically look for help before a compliance audit, said Martyn Proctor, managing director at su53.
"Over time they discover the continually changing nature of their business means that access controls need to be updated constantly," he said.
Su53's managed service is designed to provide low-cost, ongoing maintenance and support for GRC integration with business processes, said Proctor.
The managed service is independent of the main IT outsourcing firm, which ensures the system is being used in a safe way, and is low cost because it is based in Northern Ireland, he said.
Operating out of Northern Ireland means that su53 is not only relatively close to European companies, but also falls within the same data protection legislation and can benefit from some of the lowest labour and business costs in the region.