Compliance Trends and Techniques in Higher Education
Sherry Amos, Director, Industry Strategy, SAP
Craig Kennedy, Executive Solution Engineer, SAP
Craig Weisiger, SAP Security Analyst, Baylor College of Medicine
GRC in Detail
Craig Kennedy, Solution Engineer, SAP
[Figure: SAP application landscape and where GRC sits; labels recovered from the diagram]
SAP ERP: Student Lifecycle, Financials, Human Capital Management, Supply Chain, Facilities, Analytics
SAP NetWeaver: people integration (Portal, Collaboration, multi-channel access); information integration (Business Intelligence, Knowledge Management); DB and OS abstraction; connections to non-SAP systems
Industry examples: Chemicals, Utilities, High Tech
GRC approach: standardize components, automate processes, embed governance, risk, compliance and controls in processes
SAP solutions for GRC on the ESOA platform, over business applications and IT infrastructure: Access Control, Process Control, GRC Repository, Global Trade, Environmental, GRC Composites (SONA)
Agenda:
- Access Control
- Process Control
- Repository
- Global Trade Services
- Applications for EH&S Compliance Management
- Questions
Access Control: three phases
- Minimal Time To Compliance (Get Clean): Risk Identification and Remediation, a rapid, cost-effective and comprehensive initial clean-up
- Continuous Access Management (Stay Clean): Enterprise Role Management enforces SoD compliance at design time; Compliant User Provisioning prevents SoD violations at run time
- Effective Management Oversight and Audit (Stay in Control): Superuser Privilege Management and Periodic Access Review and Audit focus on the remaining challenges during recurring audits
Real-time compliance, 24 x 7
[Figure: how single, composite and derived roles carry authorization objects and transaction codes; labels recovered from the diagram]
Authorization objects: F_BKPF_GSB, F_BKPF_BUP, F_BKPF_BUK, F_BKPF_KOA, M_MSEG_BWA, M_MSEG_BWE, M_MSEG_LGO, M_MRES_BWA, S_TCODE
Transaction codes (T-Code): FB05, F-29, FK01, FK02, MIGO, MB01, MB1A, MB21, SU01
Role types: single roles (S1 to S5), composite roles (C1 to C3), derived role
SAP GRC Access Control: risk identification and risk elimination per user, end-to-end automation, reporting, prevention, and an audit log across applications
Compliant User Provisioning: 100% automated, with cross-enterprise preventive compliance embedded in the business process
- Employee hired/retired: request generated
- Workflow path based on request type and user attributes
- Manager approval via e-mail
- One-click preventive simulation (risk analysis)
- Outcomes: automated provisioning, exception workflow, escalation workflow
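The preventive simulation step above is easier to reason about with a working model. The following is an added example, not code from the slide deck or from SAP GRC Access Control: it resolves composite and derived roles down to transaction codes, groups those codes into business functions, checks a segregation-of-duties ruleset, and routes the request (provision, provision with mitigating control, or exception workflow). The transaction codes and role names S1 to S5 and C1 to C3 come from the slide; which codes sit in which role, the function catalogue, the risk rules and the derived-role name are constructed assumptions.

```python
"""Added example: the 'one-click preventive simulation' of a provisioning
request, modelled in plain Python. Not the product's own logic."""

# Single roles -> transaction codes. T-codes appear on the slide; the
# assignment of codes to roles is a constructed assumption.
SINGLE_ROLES = {
    "S1": {"FB05", "F-29"},   # AR / payment posting
    "S2": {"MIGO", "MB1A"},   # goods movements
    "S3": {"SU01"},           # user administration
    "S4": {"FK01", "FK02"},   # vendor master maintenance
    "S5": {"MB21", "MB01"},   # reservations / goods receipt
}
# Composite roles bundle single roles; derived roles inherit their
# parent's t-codes with organisational-level restrictions (constructed).
COMPOSITE_ROLES = {"C1": {"S1", "S2"}, "C2": {"S3"}, "C3": {"S4", "S5"}}
DERIVED_ROLES = {"S1_BUKRS1000": "S1"}

# Business functions grouped from t-codes (constructed).
FUNCTIONS = {
    "AR_PAYMENT": {"FB05", "F-29"},
    "GOODS_MOVEMENT": {"MIGO", "MB1A", "MB01"},
    "VENDOR_MASTER": {"FK01", "FK02"},
    "USER_ADMIN": {"SU01"},
}

# Constructed SoD ruleset: (risk id, function A, function B, risk level).
SOD_RULES = [
    ("R01", "VENDOR_MASTER", "AR_PAYMENT", "High"),
    ("R02", "USER_ADMIN", "AR_PAYMENT", "High"),
    ("R03", "USER_ADMIN", "GOODS_MOVEMENT", "Medium"),
]


def expand_roles(roles):
    """Flatten composite roles to single roles (following derived roles
    to their parent) and return the set of reachable t-codes."""
    tcodes = set()
    for role in roles:
        for single in COMPOSITE_ROLES.get(role, {role}):
            parent = DERIVED_ROLES.get(single, single)
            tcodes |= SINGLE_ROLES.get(parent, set())
    return tcodes


def functions_of(tcodes):
    """Business functions a user can perform given a set of t-codes."""
    return {f for f, codes in FUNCTIONS.items() if tcodes & codes}


def analyse_risks(tcodes):
    """Risk ids whose two conflicting functions are both reachable."""
    funcs = functions_of(tcodes)
    return sorted(rid for rid, a, b, _ in SOD_RULES if a in funcs and b in funcs)


def simulate_request(existing_roles, requested_roles, mitigations=frozenset()):
    """Simulate before provisioning. Returns (decision, new_risks):
      'provision'  - the request introduces no new SoD risk
      'mitigated'  - every new risk has an assigned mitigating control
      'exception'  - at least one unmitigated new risk: exception workflow
    Only risks *introduced* by the request are reported; pre-existing
    risks belong to the periodic review, not to this request."""
    existing = set(existing_roles)
    before = set(analyse_risks(expand_roles(existing)))
    after = set(analyse_risks(expand_roles(existing | set(requested_roles))))
    new_risks = sorted(after - before)
    if not new_risks:
        return "provision", []
    if all(r in mitigations for r in new_risks):
        return "mitigated", new_risks
    return "exception", new_risks


if __name__ == "__main__":
    # Constructed request: a user holding C1 asks for vendor maintenance.
    print(simulate_request({"C1"}, {"S4"}))                        # exception, R01
    print(simulate_request({"C1"}, {"S4"}, mitigations={"R01"}))   # mitigated
    print(simulate_request({"S4"}, {"S5"}))                        # provision
```

The design point is in the last function: the simulation compares the risk set before and after the request, so a user who already carries a conflict is not blocked from an unrelated role, and an existing conflict is surfaced by the periodic review rather than every new request. Mitigating controls are keyed by risk id, mirroring the slide's point that mitigation responsibility sits with the business units.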
Superuser Privilege Management: instead of a super user holding SAP_ALL, each new session uses a module-specific Firecall ID (SD, MM, FICO) and every session is logged
Management Oversight
Periodic Access Reviews (management by exception):
- Review user provisioning
- Review emergency access management
- Review potential risks
- Review policy
Audit (Internal Audit):
1) Validate via sampling that changes to access were appropriately authorized
2) Validate that segregation of duties risks are appropriately mitigated on a sample basis
Current Environment (Baylor College of Medicine)
Users: 14000
R/3 roles: 5200 (main roles 417, composite roles 45, derived roles 2897)
SRM roles: 34 (end user assigned roles 14, communication or support roles 30)
Portal roles: 10 (assigned to users 4, communications or support roles 6)
SAP AG 2007, EDUCAUSE 2007
FireFighter
- Widely used with SME and Audit
- Use a one-to-one Firefighter account per user
- Special roles for viewing reports
Compliance Calibrator
- In place during 3 external audits
- Audit has found no issues with roles
- Assignment issues with users
- Mitigation controls moved responsibility to Business Units
Role Expert
- Have elected not to use at this time due to our role design
- Would recommend Role Expert for new installations
Key Benefits
- Reduce false positives and focus on analyzing real issues
- Catch low-hanging fruit (e.g. role analysis)
- Focus on SOD issues by functional areas (HR, FI) and/or risk levels
- Reduce analysis time (BPOs, WPOs, IT)
Key Drivers
- Reduce auditing cost: audit effort (Internal Audit), response effort (BPOs, WPOs, IT)
- Reporting capabilities: real time, distributed to appropriate managers
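The detective side of the deck (periodic access reviews by exception, the two audit validations on the Management Oversight slide, and the one-to-one Firefighter rule on the Baylor slide) can be expressed as a small set of checks over exported records. This is an added example, not code from the slide deck, Baylor College of Medicine or SAP: the access-change log, the risk analysis output, the mitigation assignments and the Firefighter session log are all constructed, and every field name is an assumption.

```python
"""Added example: exception-based periodic access review and audit
sampling over constructed records. Not the product's own logic."""
import random
from collections import defaultdict

# Constructed access-change records, as a provisioning audit log might
# hold them. A None approver/request means the change bypassed workflow.
ACCESS_CHANGES = [
    {"id": 1, "user": "jdoe",   "role": "C1", "approver": "mgr_a", "request": "REQ-1001"},
    {"id": 2, "user": "asmith", "role": "S4", "approver": "mgr_b", "request": "REQ-1002"},
    {"id": 3, "user": "bwong",  "role": "S3", "approver": None,    "request": None},
    {"id": 4, "user": "jdoe",   "role": "S4", "approver": "mgr_a", "request": "REQ-1004"},
    {"id": 5, "user": "cpatel", "role": "S5", "approver": "cpatel", "request": "REQ-1005"},
]

# Constructed risk-analysis output and mitigating controls (the control
# id is a placeholder; the business unit owns the control).
USER_RISKS = {"jdoe": {"R01"}, "bwong": {"R02"}, "asmith": set()}
MITIGATIONS = {("jdoe", "R01"): "CTRL-PLACEHOLDER-07"}

# Constructed Firecall ID session log.
FIREFIGHTER_SESSIONS = [
    {"ff_id": "FF_FICO", "user": "asmith", "reason": "month-end close fix", "reviewed": True},
    {"ff_id": "FF_MM",   "user": "cpatel", "reason": "stuck goods receipt",  "reviewed": False},
    {"ff_id": "FF_MM",   "user": "bwong",  "reason": "",                     "reviewed": False},
]


def sample_changes(changes, n, seed=0):
    """Seeded sample so the auditor's selection can be reproduced later."""
    rng = random.Random(seed)
    return rng.sample(changes, min(n, len(changes)))


def unauthorized_changes(changes):
    """Audit check 1: changes with no approval, no request, or self-approval."""
    return sorted(c["id"] for c in changes
                  if not c["approver"] or not c["request"] or c["approver"] == c["user"])


def unmitigated_risks(user_risks, mitigations):
    """Audit check 2: (user, risk) pairs with no assigned mitigating control."""
    return sorted((u, r) for u, risks in user_risks.items()
                  for r in risks if (u, r) not in mitigations)


def firefighter_exceptions(sessions):
    """Emergency-access review: a Firecall ID used by more than one person
    breaks the one-to-one rule; unreviewed sessions and sessions with no
    stated reason are the exceptions a manager should look at."""
    owners = defaultdict(set)
    for s in sessions:
        owners[s["ff_id"]].add(s["user"])
    return {
        "shared_ids": sorted(ff for ff, users in owners.items() if len(users) > 1),
        "unreviewed": [i for i, s in enumerate(sessions) if not s["reviewed"]],
        "no_reason": [i for i, s in enumerate(sessions) if not s["reason"].strip()],
    }


def review_report(changes, sample_size=3, seed=0):
    """Management-by-exception report: only the items needing attention."""
    sampled = sample_changes(changes, sample_size, seed)
    return {
        "sampled_ids": sorted(c["id"] for c in sampled),
        "unauthorized_in_sample": unauthorized_changes(sampled),
        "unmitigated": unmitigated_risks(USER_RISKS, MITIGATIONS),
        "firefighter": firefighter_exceptions(FIREFIGHTER_SESSIONS),
    }


if __name__ == "__main__":
    for key, value in review_report(ACCESS_CHANGES).items():
        print(f"{key}: {value}")
```

Two choices worth noting: the sample is seeded so that internal audit can re-draw exactly the same changes when re-performing the test, and self-approval is treated as unauthorized even though an approver field is present, since the control being tested is that someone other than the requester signed off.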
Process Control cycle over business processes: perform assessments, test automated controls, test manual controls, review exceptions, remediate issues, monitor, certify
Repository: document IT infrastructure and the Process-Control-Objective-Risk hierarchy
SAP Solutions for GRC
Agenda: Access Control, Process Control, Repository, Global Trade Services, Applications for EH&S Compliance Management, Questions
[Figure: Global Trade Services overview; labels recovered from the diagram]
Stakeholders: Logistics/Trade Team, Legal/SOX Compliance Team, IT Team, Import/Export Officer
Goals: increased productivity and business insight; integrate systems, data and business partners
Functions (on SAP NetWeaver): Export Management, Trade Preference Management, Import Management, Restitution Management
Applications: ERP, SCM/SRM, CRM, Legacy
Data: HTS, ECCN, etc.; duty rates; SPL data; rules of origin
Business partners: customer & supplier, banks, freight forwarder, customs agencies
Export control topics for universities:
- Deemed exports
- Public domain exemption
- Fundamental research exemption
- Full-time employee exemption
- Educational instruction exemption
- Government-sponsored research covered by national security contract controls
- ITAR: defense articles and defense services, especially in space research and, increasingly, in life sciences and nanotechnology research
- Other applications of U.S. export controls to faculty or university research
The US Department of State, Office of Defense Trade Controls (ODTC), is responsible for items and
information inherently military in design, purpose, or use. Referred to as "defense articles," such items
are found on the US Munitions List, 22 CFR 121 (linked above). Spacecraft and satellites, even if not for
military use, are on the Munitions List, along with their associated systems and related equipment.
Information related to Defense Articles is referred to as "technical data."
The US Department of Commerce, Bureau of Industry and Security (BIS), has export jurisdiction over
everything in the United States, although BIS does not require a license for every export. BIS controls
goods and information having both civilian and military uses by including them on the Commerce Control
List, 15 CFR 774. This is also known as the "Dual Use List" (linked above). BIS uses the term
"technology" when referring to information about the goods on the Commerce Control List.
The US Department of the Treasury oversees US trade embargoes through its Office of Foreign Assets
Control (OFAC). Empowered by the Trading with the Enemy Act and the International Emergency
Economic Powers Act, OFAC enforces anti-terrorism sanctions at our borders and through Customs.
Concerned with the giving of "assistance" to the enemy, the pertinent regulations provide OFAC with
broad authority to interdict vaguely defined "prohibited transactions" involving persons from sanctioned
countries.
Universities screen students, faculty, full-time employees, part-time employees, researchers, contractors/consultants, visitors and partners against:
1) US Sanctioned Party Lists
2) US Export Administration Regulations
3) UN Sanctioned Party Lists
4) Other regulations based on industry and corporate policy
[Figure: sanctioned party screening architecture; labels recovered from the diagram]
Screening inputs from back-end systems: HR, visits, downloads, travel, ad hoc checks, sales reps
SAP NetWeaver: integration management, workflow; rules engine; alerts and business intelligence
Consumers: Security Compliance Team, Human Resources
SAP Solutions for GRC
Agenda: Access Control, Process Control, Repository, Global Trade Services, Applications for EH&S Compliance Management, Questions
[Figure: EH&S within SAP ERP; labels recovered from the diagram]
Objects managed: substances, employees, work areas, waste
SAP ERP areas with business process integration: Human Capital Management, Enterprise Asset Management, Research, Procurement, AR, Financials/Accounting
EH&S areas: Occupational Health, Industrial Hygiene and Safety, Hazardous Substance Management, Waste Management
- Reduce TCO
- Designed for deployment around the world
- Adaptive solution based on generic and proven process models that can be configured to the individual company's needs
"We are now going to integrate EHS business processes such as product safety, dangerous goods and waste management and industrial health and safety into the existing SAP R/3 environment. This integration is the real power of EH&S and will reduce EHS and other costs significantly." (Aventis)
[Figure: SAP EH&S product map; labels recovered from the diagram]
SAP EH&S Compliance Management: Permit Management, Emissions Management, Greenhouse Gas Management
SAP REACH Compliance
Compliance for Product (CfP): Product Safety (PS), Dangerous Goods (DG), Hazardous Substance Management (HSM)
SAP Environmental Compliance
Industrial Hygiene and Safety (IHS), Occupational Health (OH), Waste Management (WM)
Industry-specific and cross-industry; environmental
Questions?
Sherry Amos, Washington, DC, E sherry.amos@sap.com
Craig Weisiger, Houston, TX, E weisiger@bcm.edu
Craig Kennedy, Newtown Square, PA, E craig.kennedy@sap.com