
SAP WORLD TOUR LUXEMBOURG 2010

October 26, 2010, Kikuoka Mercure Golf Club

SAP BusinessObjects Access Control


A Solution for Sustainable Authorization Compliance

Chris Walravens, GRC Competence & Delivery Lead, Expertum


For more info:

www.expertum.net

Koen Roaen, Business Development & GRC Competence Lead, Expertum

Agenda

1. Expertum introduction
2. GRC today
3. SAP BO GRC AC 5.3
   Benefits
   Stakeholder interests
   Issues encountered & Solution approach
4. Get Clean (RAR)
   Stay Clean (CUP, SPM)
   Stay in control (RAR)
5. Conclusion
6. The next release
7. Questions

SAP 2010 / Page 2

Expertum Introduction

Founded in 2006
Team of +45 SAP Experts and Project Managers

SAP Service Partner, SAP Channel Partner, SAP Education Partner, SAP Lounge Partner, SAPience.be Partner

Our Expertise:
Project Management (PM)
Product Lifecycle Management (PLM)
Supply Chain Planning (SCP)
Finance (FI)
Business Intelligence (BI)
Knowledge Management, Product & Service Development
Supply Chain Execution (SCE)
SAP NetWeaver (NW)
SAP Solution Manager (SolMan)
Governance, Risk, and Compliance (GRC)

Our Mission:
Exceed client expectations by providing top-quality expertise
Provide our people a safe environment for personal and professional growth


GRC today

Governance, Risk and Compliance

Access Control
Enables compliant, continuous control of access and authorization across the enterprise
Proactively protects information and prevents fraud through automated risk analysis and remediation

Sustainability Performance Management
Manages processes and analytics to communicate and execute sustainability strategy
Data gathering with automatic and repeatable collection from systems and people

Process Control
Automated continuous control monitoring across policies and regulatory requirements
Delivers cross-system visibility and a unified repository of compliance data for efficient multi-initiative management

Global Trade Services
Automates import and export compliance, including ITAR
Supports electronic customs filing and reporting
Monitors and manages outbound NFe transactions
Identify, manage and prioritize risk exposure across global supply chains

Risk Management
Formal integration of risk management with strategy
Repeatable framework to analyze and mitigate risk
Continuously monitor key risk indicators across strategic objectives

Environment, Health, and Safety Management
Comprehensive platform for Environmental, Health and Safety Management
Provides support across three pillars: Health and Safety, Product Safety and Stewardship, and Emissions Management


Benefits of SAP BO GRC AC 5.3

Control access
Centralized access (and identity) management
Out-of-the-box rule set identifies access and authorization risks so they can be eliminated
Enforce segregation of duties across applications and departments
Prevents improper access to assets

Automate compliance
Automate segregation of duties and access management
Automated audit trails and documentation
Automated analysis


Benefits of SAP BO GRC AC 5.3

Real-time oversight and predictability
Review and approval process
Real-time detective controls and transaction monitoring
Automated IT and Line of Business collaboration

Facilitates the road to compliance
Obtain quick, effective, and comprehensive identification of risks
Eliminate existing access and authorization risks


Benefits of SAP BO GRC AC 5.3

Continuous access management
Avoid business obstructions with faster emergency response
Improve productivity of end users
Mitigate risk through continuous monitoring

Effective management oversight
Provide capabilities for management oversight
Facilitate internal audit
Minimizes audit cost & time


Stakeholder interests

CFO
- Better visibility of access risk
- Solid proof and reliability for financial data and regulatory reporting
- Reduce risk by analyzing issues and performing necessary remediation

CIO
- Increase efficiency and collaboration with compliance embedded into business processes
- Faster resolution of issues with IT and Line of Business collaboration

Audit
- Transfer ownership of controls to business
- Minimized audit time and audit-related costs
- Automated audit trails and documentation


Issues encountered

Business Operations
Lack of visibility due to technical complexity
Overwhelmed by ever-increasing number of global and local regulatory requirements
Limited effectiveness of review and approval processes

Compliance and Audit
Compliance analysis is mostly a manual process
Manage numerous diverse regulatory requirements
Lack of governance framework to ensure compliant role management
Role proliferation and excess privileges increase audit challenge

IT Operations
Manual, labor-intensive user provisioning and access management
Fragmented approach to access management increases the possibility for errors and inconsistency
Complex and technical security data models prevent collaboration between IT and business

End Users
Productivity loss due to delay in getting access
Fragmented access management process provides incomplete access
Access not kept synchronized with changing job role, resulting in inadequate access (or potential unauthorized access)


Solution approach

Business Operations
Provides for business user accountability
Collaborative role management process
Business-friendly role definitions reflect the reality of business

Compliance and Audit
Preventive compliance of roles through integrated risk analysis
Streamlines job functions with consistent business roles
Visibility of role compliance and role exceptions
Increases confidence with built-in audit trails

IT Operations
Reduction in administration costs
Elimination of manual errors, resulting in increased user satisfaction
Consistent, repeatable, streamlined processes to manage users across the enterprise
Single toolset for heterogeneous landscape, resulting in lower training costs

End Users
Quick on-boarding, eliminating productivity loss
Right access to right systems at right time
Reduce risk of unauthorized access

Customers / Partners
Secure and compliant access to business services across organization boundaries


SAP BO Access Control

Sustainable prevention of segregation of duties violations

Minimal Time To Compliance (Get Clean)
Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
Enterprise Role Management: enforce SoD compliance at design time

Continuous Access Management (Stay Clean)
Compliant User Provisioning: prevent SoD violations at run time
Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Effective Management Oversight and Audit (Stay in Control)
Periodic Access Review and Audit: focus on remaining challenges during recurring audits


SAP BO Access Control


Minimal time to compliance

Get Clean
Risk Analysis and Remediation



Get Clean RAR demo


Get clean (RAR)

Cross-enterprise view on SoD violations
Allows an effective road towards compliance
Allows reviews per system, user group, organizational level or role
Translates a technical subject (authorizations, rule sets, etc.) into business language
Remediation actions can be authorization removal or mitigating control assignment

Side notes
Authorization concept architecture impacts ease of remediation
Mitigating controls need to be in place and inventoried
The default rule set needs to be made company-specific (to reduce false positives)


SAP BO Access Control

Continuous Access Management

Stay Clean
Compliant User Provisioning
Superuser Privilege Management
Enterprise Role Management


Stay Clean CUP demo


Stay clean (CUP)

Request procedure is very structured
Requesters can only choose from existing business roles
Forces users to work within the existing roles
Sustainability of implemented roles

Approval procedure automated
Automated workflow (efficiency)
Preventive SoD checks (before approval)
Automated user provisioning
Sustainability of compliance of role assignments

Side note
Role / authorization owners need to be defined



Stay Clean SPM demo


Stay clean (SPM)

Firefighter roles
Classical firefighter activities (the truck is waiting and the issue needs to be solved)
Critical system access (debugging)
Support roles for IT people needing to perform business functionality on occasion

Sustainability of regular access rights
Sustainability of audit trail for activities outside regular access


SAP BO Access Control

Effective Management Oversight and Audit

Stay in Control
Management Oversight
Internal Audit


Stay in Control RAR demo


Stay in Control (RAR)

What-if analysis
Check compliance before violations occur
Sustainability of compliance of role assignments

Reaffirmation
Reaffirm role assignments on a regular basis
Sustainability of compliance of role assignments
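Worked example (added here; it is not part of the Expertum deck and not SAP's rule set or code): a small Python re-implementation of the checks the RAR, CUP and what-if slides describe. A rule set maps business functions to actions and risks to conflicting functions; a user violates a risk when their roles grant at least one action of every function in it. The script reports violations together with the roles that cause them, marks findings covered by an inventoried mitigating control, lists authorization-removal options, runs a preventive what-if check on a proposed role change, and tailors the default rule set to drop a display-only transaction that produces a false positive. Every user, role, transaction code, risk id and control id is constructed for illustration.

```python
"""Segregation-of-duties (SoD) risk analysis over a user/role/action model.
Added example, not SAP code; all data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Rule set: a function is the set of actions that let someone perform one
# business activity; a risk names functions one person must not combine.
DEFAULT_FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    # ME23N is display-only here: a typical false positive in an untailored rule set
    "PURCHASE_ORDER": {"ME21N", "ME22N", "ME23N"},
    "GOODS_RECEIPT": {"MIGO"},
}
RISKS: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "P001": ("Maintain vendor master and run payments", ("VENDOR_MAINTAIN", "VENDOR_PAYMENT")),
    "P002": ("Create purchase orders and post goods receipts", ("PURCHASE_ORDER", "GOODS_RECEIPT")),
}
# Authorization data as it would be extracted from the target system (constructed).
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_PO_DISPLAY": {"ME23N"},
    "Z_WAREHOUSE": {"MIGO", "MB51"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "JSMITH": {"Z_AP_CLERK", "Z_AP_PAYMENT_RUN"},  # genuine P001 conflict
    "MJONES": {"Z_BUYER"},                          # clean
    "AKUMAR": {"Z_PO_DISPLAY", "Z_WAREHOUSE"},      # P002 only under the default rule set
}
# Mitigating-control inventory: (user, risk id) -> control id (constructed).
MITIGATIONS: Dict[Tuple[str, str], str] = {("JSMITH", "P001"): "MC-AP-17"}


@dataclass(frozen=True)
class Violation:
    user: str
    risk: str
    description: str
    evidence: Tuple[Tuple[str, FrozenSet[str]], ...]  # (function, roles that grant it)
    mitigated_by: Optional[str] = None


def granting_roles(role_names, roles, actions) -> FrozenSet[str]:
    """Roles among role_names that grant at least one of `actions`."""
    return frozenset(r for r in role_names if roles[r] & actions)


def analyze_user(user, role_names, roles=ROLES, functions=DEFAULT_FUNCTIONS,
                 risks=RISKS, mitigations=MITIGATIONS) -> List[Violation]:
    """Report every risk for which the user can perform all conflicting functions."""
    found = []
    for risk_id, (desc, funcs) in risks.items():
        evidence = []
        for func in funcs:
            granted = granting_roles(role_names, roles, functions[func])
            if not granted:
                break  # one function not reachable: no conflict for this risk
            evidence.append((func, granted))
        else:
            found.append(Violation(user, risk_id, desc, tuple(evidence),
                                   mitigations.get((user, risk_id))))
    return found


def analyze(user_roles=USER_ROLES, **kw) -> List[Violation]:
    """Cross-enterprise run: violations for every user, ordered by user id."""
    return [v for user, names in sorted(user_roles.items())
            for v in analyze_user(user, names, **kw)]


def removal_options(v: Violation) -> List[FrozenSet[str]]:
    """Authorization-removal remediation: removing all roles that grant any one
    of the conflicting functions clears the violation."""
    return [granted for _, granted in v.evidence]


def what_if(user, add=(), remove=(), user_roles=USER_ROLES, **kw) -> List[str]:
    """Preventive check on an access request: risk ids the proposed change
    would newly introduce for the user (existing findings are not re-reported)."""
    current = user_roles.get(user, set())
    before = {v.risk for v in analyze_user(user, current, **kw)}
    proposed = (current | set(add)) - set(remove)
    return sorted(v.risk for v in analyze_user(user, proposed, **kw)
                  if v.risk not in before)


def tailor(functions, drop: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Company-specific rule set: drop actions that should not count as
    performing a function (here, display-only transactions)."""
    return {f: acts - drop.get(f, set()) for f, acts in functions.items()}


if __name__ == "__main__":
    for v in analyze():
        status = f"mitigated by {v.mitigated_by}" if v.mitigated_by else "OPEN"
        print(v.user, v.risk, status, "remove one of:", removal_options(v))
    print("what-if MJONES + Z_WAREHOUSE:", what_if("MJONES", add=["Z_WAREHOUSE"]))
    company = tailor(DEFAULT_FUNCTIONS, {"PURCHASE_ORDER": {"ME23N"}})
    print("AKUMAR under tailored rule set:",
          analyze_user("AKUMAR", USER_ROLES["AKUMAR"], functions=company))
```

Two points the slides make show up directly in the output: JSMITH's P001 finding stays visible but is reported as mitigated by control MC-AP-17, so the mitigating control must exist in the inventory before it can be assigned; and AKUMAR's P002 finding disappears once the display-only ME23N is removed from the PURCHASE_ORDER function, which is the kind of company-specific tailoring the default rule set needs. The what-if check reuses the same engine on the proposed role set, which is all a preventive check at approval time is.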


SAP BO Access Control

Risk analysis, remediation and prevention services

Cross-enterprise library of best practice segregation of duties rules

Conclusion

SAP BO GRC Access Control ensures sustainability of:

Implemented roles, through a very structured request procedure

Compliance of role assignments (regular access), through:
Automated approval procedure with preventive rule set check
What-if analysis
Reaffirmation procedure

Audit trails (access outside the regular)


SAP BO GRC AC: The next release

GRC2010 Barcelona

Release 10.0 of AC, PC & RM will be presented:
One common technology platform (ABAP based)
More integration between the three applications (mitigating controls in AC & PC, risks in PC & RM)
Functionality improvements


Questions?


For more info:

www.expertum.net

Thank you!