SAP GRC Access Control(1)

March 16, 2018 | Author: Hareesh Kumar K | Category: Provisioning, Access Control, Business Process, Audit, Superuser



Description

SAP GRC Access Control
8 May 2008, Carl Clicteur (Member of Deloitte Touche Tohmatsu)
©2008, Deloitte Enterprise Risk Services CVBA

Agenda
- Why Access Controls?
- SAP GRC Access Control Suite
- New features of SAP GRC Access Control 5.3
- Critical factors for a successful integration
- SAP GRC Access Control and Identity Management

Why Access Controls?

Common detected issues: recurring audit items regarding user access and authorization controls
- The user life cycle and authorization management process is manual, error-prone and not embedded in the operations department (including lack of tooling).
- Poor communication between Business & IT results in "best-guess" approval of requests.
- Risks due to Segregation of Duties (SoD) violations remain undetected and uncorrected (shift of responsibilities, personnel moves, changes in organization).
- Requests for emergency access (admin rights) are ad hoc and insufficiently monitored and controlled.

Necessity to implement embedded access controls
Common approaches rely on periodic audits/manual evaluations and subsequent remediation of the findings. Despite the high effort, without a process in place to continuously monitor Segregation of Duties, the risks are not under control.
[Chart: risk over time. With periodic audits the risk level climbs back between audits; with continuous monitoring it stays low.]
- Common approaches: spot checks, reactive, sample based, manual process
- Sustainable approach: continuous, proactive, comprehensive, integrated, process specific

Maturity model: evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls
[Chart: benefit increases along the maturity stages listed below.]
- Non-awareness ("Confusion"): lack of visibility; lack of control; manually-intensive Business & IT processes; reactive and non-integrated approach; overwhelming sample sizes (audit)
- Manual ("Spreadsheets"): lack of visibility; lack of control; manually-intensive Business & IT processes; reactive and non-integrated approach; approach not driven by risk; large sample sizes for audit
- Automation of controls ("Automated Monitoring"): approach driven by risk; automated user access process; real-time risk analysis; integrated, but reactive approach; reduced sample sizes for audit
- Continuous Compliance: embedded risk & control library; proactive approach by simulation of changes; alerts & monitoring of the effectiveness of controls; business value; audit trail of all changes and approvals
- True Vision: embedded risk management; true business transparency; increased stakeholder confidence; improved business performance and sustainability

SAP GRC Access Control Suite

SAP GRC Access Control 5.2 - Overview
- Stage 1: Get clean. Risk Identification & Remediation: SAP GRC Risk Analysis and Remediation (Compliance Calibrator).
- Stage 2: Stay clean by continuous Access Management. Role Change Management: SAP GRC Enterprise Role Management (Role Expert); Emergency Access Control: SAP GRC Superuser Privilege Management (Firefighter); User Access Management: SAP GRC Compliant User Provisioning (Access Enforcer).
- Stage 3: Stay in control. Periodic Review & Audit.

Module: Risk Analysis and Remediation (ex-Virsa Compliance Calibrator)
- Facilitates discussions between Business and IT
- Centralized definition of risks related to user access
- Real-time and cross-system risk analysis
- Remediation of SoD violations
- Proactive detection of SoD issues by simulation
- Auditability of change documents

Risk Analysis & Remediation - Glossary
A risk is a combination of functions within a business process; each function is described in business language and mapped to "technical talk" (actions, permissions and organizational rules). Example:
- Business process P001: Procure to Pay Process
- Risk PR07: Maintain a Vendor's Bank Account Number and Release Invoice for payment, which might lead to monetary loss
- Function 1 PR01: Maintain Vendor Master Data
- Function 2 AP03: Release Blocked Invoices
- Actions = SAP transaction codes: FK01, FK02, XK01, XK02, XK99 & MRBR
- Permissions = SAP authorization objects and values: F_LFA1_APP: ACTVT = 01 or 02, APPKZ = F; F_LFA1_BUK: ACTVT = 01 or 02, BUKRS = $BUKRS; F_LFA1_GRP: ACTVT = 01 or 02, KTOKK = VEN1
- Organizational rules: Belgium => $BUKRS = BE00
* 250 pre-defined risks out-of-the-box

Module: Compliant User Provisioning (ex-Virsa Access Enforcer)
- Homogenized access request process
- Automated approval management (workflow)
- Risk analysis before request approval
- Transparent view on the impact of the approval (in business language)
- Automated user provisioning to SAP
- Automatic logging of request approvals and modifications

Compliant User Provisioning - Functional overview
[Diagram with six numbered steps linking: the Request Initiator (SAP end users or Line Managers); SAP GRC Access Enforcer (Workflow, Connectors); the User Data Source (user data & authentication); SAP GRC Risk Analysis & Remediation (risk analysis); the approvers (Line Managers, Role Owners, Risk Owners) reached via the Email Server (approvals, notifications & reminders); and the SAP System (automated provisioning).]

Module: Superuser Privilege Management (ex-Virsa Firefighter for SAP)
- Pre-approved emergency access
- Automatic e-mail notification when Firefighter mode is activated
- Automatic sending of the log report to the controller
- Detailed audit trails of performed actions
- Auditability (FF-user = SAP_ALL-user)
- Web-based log reports, including risk analysis

Superuser Privilege Management - Process overview
- Regular mode: the user has pre-approved access to use Firefighter.
- The user activates Firefighter mode and enters a business justification.
- The user receives elevated privileges; an e-mail notification is sent to the Controller and log files are collected for the user.
- The user leaves Firefighter mode and loses the elevated privileges.
- The log report is sent to the Controller.

Module: Enterprise Role Management (ex-Role Expert)
- Central management of authorization roles
- Automatic notification of changes to Role Owners
- Approval workflow for role changes
- Preventive risk analysis for roles
- Automatic role generation in SAP systems
- Audit trails and reporting of all role changes
Role life cycle: Role Definition -> Authorizations -> Risk Analysis -> Approval -> Generation

New features of SAP GRC Access Control 5.3

New features in Access Control 5.3 (1): Risk Analysis and Remediation
- Single Launch Pad for all four capabilities (multiple windows may be open)
- Performance improvements
- Enterprise Portal and UME integration (risk analysis and user provisioning)
- Import/export utilities (component, configuration & mitigation data)
- Enhanced reporting: many added reports, more reports can be exported, BI integration of custom reporting
- Enhancements of the Change Management Audit Trail
- SoD management by exception: identifies unmitigated risks; provides Mitigation Reaffirm functionality

New features in Access Control 5.3 (2): Compliant User Provisioning
- End-user request form customization
- Integration with multiple data sources
- Password reset: supported for Oracle, PeopleSoft and JD Edwards; user password self-service with a challenge response
- Cross-system risk analysis for access requests
- Compliant User Provisioning for Oracle, PeopleSoft and JD Edwards
- Utilize HR triggers from PeopleSoft
- Enhanced CUA support
- Integration with training systems
Identity Management
- Integration with major IDM vendors

New features in Access Control 5.3 (3): Enterprise Role Management
- Enhanced role derivation (org value maps)
- Enhanced risk analysis and simulation
- Ability to generate roles for multiple systems at one time
- Ability to copy a role
- Documentation of non-SAP roles and enterprise-wide roles
- Integration with SAP ERP's Profile Generator (PFCG)
Superuser Privilege Management
- Enhanced log reports
- Multiple owners for Firefighter IDs
- Automatic archival of the log report

Critical factors for a successful integration

Critical success factors to implement Access Controls
- Engage the Business and IT teams in order to customize and fine-tune risk definitions and gather all requirements. Validate the rule set with Internal Audit.
- Management support: having support from the appropriate levels of the organization will assist in addressing points of resistance.
- Resources: understanding the organization's key business initiatives is critical, since multiple initiatives often compete for the same (business) resources.
- "Avoid the Big Bang": building out the GRC Access Control solution component by component allows the organization to absorb all parts of a sustainable solution.
- Installation vs. integration: an operational installation of SAP Access Control is realistic in "20 days"; however, a successful integration requires much more time, effort and expertise.
- Embed the solution in the organization by defining the operational processes to sustain compliance (e.g. impact on new projects, new risks, new systems, changes in organization).

SAP GRC Access Control and Identity Management

Business-Oriented Identity Management

Thank you for your attention!
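The glossary slide's Risk -> Function -> Action/Permission/Org-rule model, worked through as an added Python example (not code from the presentation, Deloitte or SAP): a toy risk-analysis check that decides whether a user's transaction codes and authorization values together hit risk PR07, and that scopes the check by the Belgium organizational rule ($BUKRS = BE00). The `Function` class, the "any action, all permissions" matching, the empty permission block for AP03 and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Function:
    fid: str
    actions: frozenset   # SAP transaction codes; any one suffices (assumption)
    permissions: dict    # auth object -> {field: allowed values}; all must match (assumption)

# Functions from the glossary slide. AP03's permission block is left empty as a
# hypothetical simplification: the slide only names its action (MRBR).
PR01 = Function("PR01", frozenset({"FK01", "FK02", "XK01", "XK02", "XK99"}), {
    "F_LFA1_APP": {"ACTVT": {"01", "02"}, "APPKZ": {"F"}},
    "F_LFA1_BUK": {"ACTVT": {"01", "02"}, "BUKRS": {"$BUKRS"}},
    "F_LFA1_GRP": {"ACTVT": {"01", "02"}, "KTOKK": {"VEN1"}},
})
AP03 = Function("AP03", frozenset({"MRBR"}), {})
RISK_PR07 = ("PR07", (PR01, AP03))           # both functions together = SoD risk
ORG_RULES = {"Belgium": {"$BUKRS": "BE00"}}  # org-level variable substitution


def can_execute(user, func, org_rule):
    """True if the user holds one of the function's actions and every permission."""
    if not (user["tcodes"] & func.actions):
        return False
    for obj, fields in func.permissions.items():
        have = user["auths"].get(obj, {})
        for fld, allowed in fields.items():
            wanted = {org_rule.get(v, v) for v in allowed}  # resolve $-variables
            if not (wanted & have.get(fld, set())):
                return False
    return True


def analyse(user, risk, org_rule):
    """Return the risk id when the user can execute every function of the risk."""
    rid, funcs = risk
    return rid if all(can_execute(user, f, org_rule) for f in funcs) else None


# Constructed sample users. CLERK_BE can change vendor bank data (FK02) and release
# blocked invoices (MRBR) for company code BE00, so the Belgium org rule flags PR07.
CLERK_BE = {"tcodes": {"FK02", "MRBR"}, "auths": {
    "F_LFA1_APP": {"ACTVT": {"02"}, "APPKZ": {"F"}},
    "F_LFA1_BUK": {"ACTVT": {"02"}, "BUKRS": {"BE00"}},
    "F_LFA1_GRP": {"ACTVT": {"02"}, "KTOKK": {"VEN1"}}}}
# Same access but only for company code DE00: clean under the Belgium org rule.
CLERK_DE = {**CLERK_BE, "auths": {**CLERK_BE["auths"],
            "F_LFA1_BUK": {"ACTVT": {"02"}, "BUKRS": {"DE00"}}}}

if __name__ == "__main__":
    print(analyse(CLERK_BE, RISK_PR07, ORG_RULES["Belgium"]))  # PR07
    print(analyse(CLERK_DE, RISK_PR07, ORG_RULES["Belgium"]))  # None
```

In a real rule set the same user would be evaluated against every active risk and every org rule; the second sample user shows why a hit in one company code does not imply a hit in another.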