
Governance, Risk & Compliance

SAP Live and Local Webcast Tour ‘08

5 June, 2008

johonna.murphy@sap.com
Fragmentation
Managing with confidence is difficult in an increasingly complex world

[Diagram: governance, compliance, risk management and policy management handled in separate silos, one per business function (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Audit & Compliance, Treasury, Security, Project Mgmt., Document Mgmt., Planning, Customers, ERP, Production, Billing), per country (Australia, U.S.A., Japan, U.K., France, China, Germany, India) and per regulation or risk area (ASX Principle 7, CLERP 9, SOX, RoHS, WEEE, segregation of duties, credit risk, capital risk, human risk, project risk).]

© SAP 2007 / Page 2


Integrated GRC
Forward-looking organizations are seeking a unified approach to GRC

[Diagram: the same landscape of business functions, countries and regulations as on the previous slide.]


SAP Solutions for GRC
A unified solution for GRC management

[Diagram: a layered stack. Top layer, Industry-Specific GRC: Life Sciences, Chemicals, Oil & Gas, Banking, High Tech. Middle layer, Cross-Industry GRC: Risk Management, and Compliance & Controls (Access Control, Process Control, Global Trade), on top of a GRC Repository. Bottom layers: Business Process Platform and Business Applications.]

• Transparency to balanced global risk profile
• Standardization on common GRC content and rules
• Automates and embeds GRC into business processes


SAP GRC Access Control
Sustainable prevention of segregation of duties violations

Minimal Time To Compliance (Get Clean)
• Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up

Effective Continuous Access Management (Stay Clean)
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time
• Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Underlying all three phases: risk analysis, remediation and prevention services, built on a cross-enterprise library of best-practice segregation of duties rules.


Risk Analysis, Remediation and Prevention Services
Delivers 24/7, real-time compliance by stopping security and controls violations before they occur

Access Risk Services
• Risk Identification: real-time SoD risk analysis, critical transaction monitoring, cross-application integration
• Elimination: remediation management, mitigation management, alerts framework, reporting
• Prevention: real-time simulation, mandatory prevention, reporting

Access Risk Library
• Cross-enterprise rules database
• Cross-enterprise rules architect

These are common services across all SAP GRC Access Control capabilities.

"SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate." (Synopsys Inc.)


Risk Analysis and Remediation
Getting clean

Initial Risk Analysis and Remediation
[Diagram: Risk Identification, Risk Elimination, Reporting and Prevention as the stages of one end-to-end automated cycle.]

• Facilitates collaboration between Business and IT to clean up access risks

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." (Synopsys Inc.)


Enterprise Role Definition
Enables enterprise role definition and maintenance in a single location

Centralized Role Management
[Diagram: enterprise rules, an audit log and security checks feed SAP GRC Access Control, which maintains roles across applications and outputs compliant enterprise roles.]

• Reduce cost of role maintenance
• Ease compliance and avoid authorization risk
• Eliminate errors and enforce best practices
• Assure audit-ready traceability

28% time savings in role management (Customer Survey, 3/2006)


SAP GRC Access Control
Superuser Access Management
The only compliance-focused emergency access solution

Key Functionality
• ID administration
• Date restrictions
• Log-in restrictions
• Single user per ID
• Specific authorization access
• Notification
• Alert framework
• Reporting
• Audit logs

Compliant Superuser Access
[Diagram: a superuser with privileged security access opens a new session under a pre-assigned firecall ID for each application area (SD, MM, FICO, ...); every session is written to a log that feeds reporting.]

• Pre-assigned firecall IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log
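The controls listed on this slide (pre-assigned firecall IDs, one user per ID at a time, validity dates, notification, and field-level change logging) can be modelled as a small checkout service. The following is an added example and not SAP code: the firecall ID, its owner, the users, the timestamp, the log format and the four-hour session limit are all constructed for illustration.

```python
"""Firecall (emergency superuser) ID checkout with an append-only audit log.
Added example, not SAP code. Names, IDs, timestamps and the log format are
invented for illustration; the 4-hour session limit is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2008, 6, 5, 9, 0)   # constructed reference time (webcast date)
MIN = timedelta(minutes=1)

@dataclass
class Session:
    firecall_id: str
    user: str
    reason: str
    started: datetime
    expires: datetime
    ended: Optional[datetime] = None

@dataclass
class FirecallId:
    name: str                  # e.g. FF_FICO_01
    owner: str                 # controller notified on every checkout/checkin
    valid_from: datetime
    valid_to: datetime
    allowed_users: frozenset   # pre-assignment: only these users may request it
    active: Optional[Session] = None

class FirecallManager:
    MAX_SESSION = timedelta(hours=4)   # assumption: sessions auto-expire

    def __init__(self, ids, notify):
        self.ids = {i.name: i for i in ids}
        self.notify = notify   # callback(owner, message), e.g. an e-mail sender
        self.log = []          # append-only audit trail of dict entries

    def _audit(self, event, ts, **fields):
        entry = {"ts": ts.isoformat(), "event": event, **fields}
        self.log.append(entry)
        return entry

    def checkout(self, ff_name, user, reason, now):
        """Hand the firecall ID to user, or refuse and log the attempt."""
        ff = self.ids[ff_name]
        checks = [
            (user in ff.allowed_users, "user not pre-assigned to this firecall ID"),
            (ff.valid_from <= now <= ff.valid_to, "firecall ID outside validity dates"),
            (not (ff.active and ff.active.ended is None), "ID already checked out"),
            (bool(reason.strip()), "a reason is mandatory"),
        ]
        for ok, why in checks:
            if not ok:
                # refused attempts are evidence too, so they are logged as well
                self._audit("DENIED", now, ff=ff_name, user=user, why=why)
                raise PermissionError(why)
        s = Session(ff_name, user, reason, now, now + self.MAX_SESSION)
        ff.active = s
        self._audit("CHECKOUT", now, ff=ff_name, user=user, reason=reason)
        self.notify(ff.owner, f"{user} checked out {ff_name}: {reason}")
        return s

    def record_change(self, s, now, table, key, fld, old, new):
        """Field-level change made under the firecall session (old and new value)."""
        if s.ended is not None or now > s.expires:
            raise PermissionError("session closed or expired")
        return self._audit("CHANGE", now, ff=s.firecall_id, user=s.user,
                           table=table, key=key, field=fld, old=old, new=new)

    def checkin(self, s, now):
        s.ended = now
        self._audit("CHECKIN", now, ff=s.firecall_id, user=s.user)
        self.notify(self.ids[s.firecall_id].owner, f"{s.user} returned {s.firecall_id}")

    def changes_by(self, ff_name, user):
        """Review report for the ID owner: every change user made under ff_name."""
        return [e for e in self.log
                if e["event"] == "CHANGE" and e["ff"] == ff_name and e["user"] == user]

def build_demo(now=NOW):
    """Constructed setup: one FICO firecall ID pre-assigned to alice and bob."""
    ff = FirecallId("FF_FICO_01", "controller.lee",
                    now - timedelta(days=1), now + timedelta(days=30),
                    frozenset({"alice", "bob"}))
    sent = []   # notifications the manager would have e-mailed
    return FirecallManager([ff], lambda owner, msg: sent.append((owner, msg))), sent

if __name__ == "__main__":
    mgr, sent = build_demo()
    s = mgr.checkout("FF_FICO_01", "alice", "INC-4711 month-end run stuck", NOW)
    mgr.record_change(s, NOW + 5 * MIN, "BSEG", "1000/5000001/2008",
                      "WRBTR", "0.00", "1250.00")
    try:   # bob is pre-assigned too, but the ID is single-user at a time
        mgr.checkout("FF_FICO_01", "bob", "INC-4712", NOW + 10 * MIN)
    except PermissionError as e:
        print("bob refused:", e)
    mgr.checkin(s, NOW + 30 * MIN)
    for entry in mgr.log:
        print(entry)
```

The point of logging the refusals alongside the checkouts is that an auditor reviewing the firecall ID sees not only what was done under it but who tried to use it and was turned away; the owner's review then works from `changes_by`, which lists the field-level changes one user made under one ID.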


SAP GRC Access Control
Compliant Provisioning

Current Approach: Inefficient, Not Compliant
[Diagram: an access request goes by e-mail to the manager for approval, on to the role owner, and then via spreadsheets and paper forms to IT Security for manual provisioning.]

SAP GRC Access Control instead enables compliant end-to-end provisioning, "hire to retire".


GRC Access Control
Compliant Provisioning

Compliant Provisioning with Dynamic Workflow
• Request: generated from an HR event (employee hired or retired), 100% automated
• Path: workflow based on request type and user attributes
• Manager approval: via e-mail, with escalation workflow
• Risk analysis: one-click preventive simulation, with exception workflow
• Automated provisioning: 100% automated

• Embed cross-enterprise preventive compliance into the business process
• Reduce cost of user administration
• Improve productivity of end users
• Auditable tracking for auditors

"We reduced provisioning from 2 weeks to 2 days" (Rockwell Collins, web seminar, 3/2005)
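The rule-based risk identification and mitigation management from the Risk Analysis, Remediation and Prevention slide, and the one-click preventive simulation at the risk-analysis step of this provisioning workflow, reduce to one small rule engine. The following is an added example, not code from SAP GRC Access Control: the business functions, transaction codes, SoD rules, roles, users and the mitigating control are all constructed for illustration, and a real rule set maps each function to far more transactions.

```python
"""Segregation-of-duties (SoD) risk analysis with what-if simulation.
Added example, not SAP code: functions, rules, roles, users and mitigating
controls are constructed here; a real rule set maps functions to many more
transaction codes and lives in the GRC rules database."""
from dataclasses import dataclass
from typing import Optional

# A business function is a named group of transactions (SAP t-codes here).
FUNCTIONS = {
    "VENDOR_MAINT":  {"XK01", "XK02", "FK01", "FK02"},
    "AP_PAYMENT":    {"F110", "F-53"},
    "PO_CREATE":     {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO", "MB01"},
}
# Critical transactions are a risk on their own; no second function is needed.
CRITICAL_TCODES = {"SU01": "User administration", "PFCG": "Role maintenance"}

@dataclass(frozen=True)
class SodRule:
    """Two functions that must not be executable by the same individual."""
    risk_id: str
    func_a: str
    func_b: str
    severity: str
    description: str

RULES = [
    SodRule("P001", "VENDOR_MAINT", "AP_PAYMENT", "High",
            "Create a fictitious vendor and pay it"),
    SodRule("P002", "PO_CREATE", "GOODS_RECEIPT", "Medium",
            "Order goods and confirm their receipt without oversight"),
]
# Roles grant t-codes; users hold roles (constructed sample data).
ROLES = {
    "Z_AP_CLERK":    {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER":       {"ME21N", "ME22N"},
    "Z_WAREHOUSE":   {"MIGO"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},
}
USERS = {
    "ACLERK": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "BUYER1": ["Z_BUYER"],
    "ADMIN1": ["Z_BASIS_ADMIN"],
}
# A mitigating control is a documented compensating control assigned to one
# user for one risk: the violation stays visible but is no longer counted open.
MITIGATIONS = {("ACLERK", "P001"): "MC-017 monthly review of vendors paid"}

@dataclass
class Finding:
    user: str
    risk_id: str
    severity: str
    detail: str
    roles: tuple                        # roles that together cause the finding
    mitigated_by: Optional[str] = None

def analyze(user, role_names):
    """Risk identification: SoD rules plus critical-transaction checks."""
    tcodes = {t for r in role_names for t in ROLES.get(r, ())}
    # a function is held if the user can execute any one of its t-codes
    held = {f for f, codes in FUNCTIONS.items() if codes & tcodes}
    findings = []
    for rule in RULES:
        if rule.func_a in held and rule.func_b in held:
            conflict = FUNCTIONS[rule.func_a] | FUNCTIONS[rule.func_b]
            roles = tuple(sorted(r for r in role_names if ROLES.get(r, set()) & conflict))
            findings.append(Finding(user, rule.risk_id, rule.severity, rule.description,
                                    roles, MITIGATIONS.get((user, rule.risk_id))))
    for t in sorted(tcodes & set(CRITICAL_TCODES)):
        roles = tuple(sorted(r for r in role_names if t in ROLES.get(r, ())))
        findings.append(Finding(user, f"CRIT-{t}", "Critical", CRITICAL_TCODES[t],
                                roles, MITIGATIONS.get((user, f"CRIT-{t}"))))
    return findings

def open_findings(findings):
    """Findings with no mitigating control assigned."""
    return [f for f in findings if f.mitigated_by is None]

def simulate(user, add_roles):
    """Preventive check before provisioning: which NEW open risks would granting
    add_roles introduce? Known and mitigated risks are not re-raised, so the
    approver sees only what this request changes."""
    current = USERS.get(user, [])
    before = {f.risk_id for f in open_findings(analyze(user, current))}
    after = open_findings(analyze(user, current + list(add_roles)))
    return [f for f in after if f.risk_id not in before]

if __name__ == "__main__":
    for user, roles in USERS.items():          # get-clean report
        for f in analyze(user, roles):
            status = f"mitigated by {f.mitigated_by}" if f.mitigated_by else "OPEN"
            print(f"{user:7} {f.risk_id:10} {f.severity:8} {status:45} {f.roles}")
    new = simulate("BUYER1", ["Z_WAREHOUSE"])   # provisioning request
    print("BUYER1 + Z_WAREHOUSE ->", [f.risk_id for f in new] or "no new risk")
```

Two design points matter in practice. A function counts as held when any one of its transactions is executable, since an attacker needs only one path into each side of the conflict; and the finding names the roles that together cause it, because remediation is done on roles, not on the user. The simulation compares open findings before and after the request, so a risk already covered by a mitigating control (ACLERK's P001 above) does not block an unrelated request, while a new conflict (BUYER1 gaining goods receipt on top of purchase orders) is surfaced before the role is provisioned.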


GRC Access Control
Key Solution Capabilities and Benefits

• Identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control
• Provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk across the enterprise
• Allows for true cross-enterprise SoD risk mitigation by integrating into SAP and non-SAP systems

Common Customer Challenges Addressed
• Need to comply with SOX section 404 or similar regulations
• Weak support for the audit process to ensure the right measures are in place to prevent fraud
• Manual or people-intensive compliance processes involving e-mails, spreadsheets and/or paper
• Costly, manual remediation
• Uncontrolled role management
• Excessive superuser access
• Inefficient and un-auditable user provisioning
• Reactive vs. preventative

Value Proposition
• Establish an approach and process to manage risk rules
• Gain alerts on potential violations
• Identify business functions which produce risks when executed by the same individual
• Focus on prevention vs. "point in time" detection
• Simplify compliant enterprise-level role administration
• Enforce compliant security for privileged access
• Increase visibility through timely notification
• Deliver audit-ready, detailed reporting
• Lower risk and save money through proactive compliance


Our offer to you

The Two Faces of Risk: Cultivating Risk Intelligence for Competitive Advantage (Deloitte Review)


Questions?



Thank you
johonna.murphy@sap.com
