SAP Security Strategy & Methodology
Our data security philosophy focuses not only on securing the castle but primarily on protecting the King. With over 14 years of SAP Security consulting experience, our founder, Thomas Tsan, developed a security strategy called Role-based Risk Controls (RbRC). The principle of the RbRC method states that authorization to perform sensitive activities and segregation of duties (SoD) are always transparent and controlled, while non-sensitive activities, such as display and reporting, are granted generously to all users. RbRC is a design paradigm shift that encourages business owners to share non-sensitive and semi-sensitive access to reduce administrative costs while controlling critical access and segregation of duties for compliance.
Based on the RbRC principle, you can follow a four-tier risk architecture method to improve controls and Sarbanes-Oxley compliance (Figure 1). Because risk plays an important role in the four-tier model, the pyramid shown in Figure 1 illustrates where a particular authorization resides. The foundation of the pyramid has the fewest risks while the top of the pyramid assumes the most serious risks.

Using RbRC, a utility client eliminated 6 contract security administrators and saved over $500,000 in 6 months.
Contact us and we’ll show you how you can leverage RbRC to reduce administrative costs while protecting critical business data.