One SAP GRC Access Control
2009 PTT ICT Solutions All Rights Reserved - Proprietary and Confidential
1. Governance, Risk and Compliance (GRC)
2. Solution SAP GRC module
3. SAP Access Control
4. Case Study Implement
GRC Background
GRC
- Ethics
- Governance
- Transparency
- Responsibility
- Accountability
- Equitable Treatment
- Creation of Long Term Value, Sustainable Growth
- Social and Environmental Awareness
- Promotion of Best
GRC: Stakeholders, Shareholders, Tone at the top
Performance / Conformance

Management Control
Management controls are the organization, policies, and procedures used by agencies to reasonably ensure that:
- Programs achieve their intended results,
- Resources are used consistent with agency mission,
- Programs and resources are protected from waste, fraud, and mismanagement,
- Laws and regulations are followed, and
- Reliable and timely information is obtained, maintained, reported and used for decision making.
Corporate Governance (figure, source: www.isaca.org). Figure labels: Shareholder; Other stakeholder; Board; Monitoring; Disclosure; Desirable behavior; Key assets: Human assets, Financial assets, Physical assets, IP assets, Information and IT assets, Relationship assets; Financial governance mechanisms (committees, budgets, etc.); IT governance mechanisms (committees, budgets, etc.).
Introduction
- GRC defined
- Setting Expectations
- Getting Started
SAP GRC module (figure labels): Enterprise Risk Management, Access Control, Process Control
SAP GRC Benefits
Reduced Risk:
- Lower fraud-related loss
- Faster remediation
- Improved business processes and overall performance
Reduced Cost of compliance:
- Automation / Monitoring frees up resources for value tasks
- Shorter audit cycles
- Streamlined evaluations
- Lower TCO
Improved confidence:
- Visibility / Real-time information
- Single version of the truth
- Reinforced accountability
Qualitative Benefits

| Observation of AS IS Process (Manual Process) | Benefits (GRC AC Process) |
|---|---|
| Security activities require 25% to 50% of security admin time | Automated monitoring and tracking |
| Manual processes are inefficient and prone to error; annual audit time of several weeks to manually create SoD reports and to review | Preventive and detective controls |
| Add/Change/Delete Users: manual data entry is inefficient, generates error, and creates risk | Automated user administration |
| Frequent Add/Change requests requiring manual effort; delays in the process create risk of unauthorized access; deletion of users is not consistently and accurately implemented | |
| | Automated Superuser access with tracking of all activities |
| | Compliant role design and management |
| | Sensitive Transactions Management |
| Reporting | Automate alerting, tracking, and logging; automated pre-built access controls reporting |
Purpose
Intended audience:
- Infrastructure, Security
- SAP Functional
- Internal Control / Internal Audit
- IT Security
- Security Compliance
GRC Solutions
ACCESS CONTROL
- Risk Analysis and Remediation
- Compliant User Provisioning
- Superuser Privilege Management
- Enterprise Role Management
Compliance World-wide
Integrated GRC:
- Unified process, compliance and risk methodologies
- Alignment of risk and strategy management
Maturity Model
Evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls.
Terminology
- Risk Management
- IT Governance: helps to ensure alignment of IT and enterprise objectives
- Likelihood of occurrences
- Act accordingly:
- J-SOX (Japan)
GRC RAR (Risk Analysis and Remediation)
- SOD rules repository maintenance
- Mitigation plan maintenance
- Management reporting
- Continuous compliance monitoring

GRC CUP (Compliant User Provisioning)
- Dynamic approval workflows, audit trails
- Authorization changes
- Role design changes
- Compliance repository changes
- Access, authorization changes, approvals, audit trails
- Emergency access requests

GRC SPM (Superuser Privilege Management)
- Emergency change access management
- Emergency session log capture and storage

GRC ERM (Enterprise Role Management)
- SAP role management
- Compliant SAP role management
- Role management audit trails
Segregation of Duties
A segregation of duties issue for a business process arises when an individual can perform two or more of the following functions on a given transaction:
- Custody of an asset
- Authorization of a transaction or activity
- Recording of a business transaction
- Reconciliation: comparisons of recorded balances or volumes to actual between time intervals to detect differences and take action on any differences
Authorization Concept
Glen, a G/L Accountant, wants to execute a G/L posting. Job -> Task -> SAP Role -> Transaction Code: transaction FB50 is executed and the following authorization checks are performed:
- Check auth. object S_TCODE
- Accounting document: authorization for company code
- Check auth. object F_BKPF_GSB (Accounting document: authorization for business area)
- Check auth. object F_BKPF_KOA (Accounting document: authorization for account type)

In addition to this, if Glen had access to FS00 (G/L Account Master record maintenance):

Risk! Gives someone the access to create a fictitious G/L account and generate journal activity or hide activity via posting entries.
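The check chain and the SoD risk above can be modelled in a few dozen lines. The following is an added example, not code from the slides or from SAP: it walks Glen's FB50 authorization checks object by object and then evaluates an SoD rule that fires when one user can start both FS00 and FB50. S_TCODE, F_BKPF_GSB and F_BKPF_KOA are named on the slide; F_BKPF_BUK (the standard SAP object for the company-code check) is assumed here, as are all field values, role names and the rule id F001.

```python
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization object instance: object name plus permitted field values.
    A value set containing '*' permits every value for that field."""
    obj: str
    fields: dict

    def permits(self, **required) -> bool:
        for name, value in required.items():
            allowed = self.fields.get(name, set())
            if "*" not in allowed and value not in allowed:
                return False
        return True


@dataclass
class User:
    name: str
    roles: list
    auths: list = field(default_factory=list)

    def has(self, obj: str, **required) -> bool:
        return any(a.obj == obj and a.permits(**required) for a in self.auths)

    def tcodes(self) -> set:
        """Transactions the user can start (field TCD of S_TCODE)."""
        codes = set()
        for a in self.auths:
            if a.obj == "S_TCODE":
                codes |= a.fields.get("TCD", set())
        return codes


# Checks performed when FB50 (G/L posting) runs, in the order the slide shows them.
# S_TCODE, F_BKPF_GSB and F_BKPF_KOA are named on the slide; F_BKPF_BUK is the
# standard SAP object for the company-code check and is assumed here.
FB50_CHECKS = [
    ("S_TCODE", {"TCD": "FB50"}),
    ("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "01"}),  # company code 1000 (constructed)
    ("F_BKPF_GSB", {"GSBER": "0001", "ACTVT": "01"}),  # business area 0001 (constructed)
    ("F_BKPF_KOA", {"KOART": "S", "ACTVT": "01"}),     # account type S = G/L account
]


def can_post(user: User) -> tuple:
    """Walk the check chain; return (True, None) or (False, first failing object)."""
    for obj, required in FB50_CHECKS:
        if not user.has(obj, **required):
            return False, obj
    return True, None


# Constructed SoD rule set: a rule fires when one user can start every listed transaction.
SOD_RULES = {
    "F001": {"risk": "Create fictitious G/L account and post journal activity to it",
             "tcodes": frozenset({"FS00", "FB50"})},
}


def sod_violations(user: User) -> list:
    """Rule ids whose conflicting transactions are all reachable by the user."""
    have = user.tcodes()
    return sorted(rid for rid, rule in SOD_RULES.items() if rule["tcodes"] <= have)


def make_glen(with_fs00: bool = False) -> User:
    """Constructed user: G/L accountant role, optionally plus G/L master maintenance."""
    tcd = {"FB50", "FB03"} | ({"FS00"} if with_fs00 else set())
    auths = [
        Authorization("S_TCODE", {"TCD": tcd}),
        Authorization("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "03"}}),
        Authorization("F_BKPF_GSB", {"GSBER": {"*"}, "ACTVT": {"01", "03"}}),
        Authorization("F_BKPF_KOA", {"KOART": {"S"}, "ACTVT": {"01", "03"}}),
    ]
    roles = ["Z_GL_ACCOUNTANT"] + (["Z_GL_MASTER_MAINT"] if with_fs00 else [])
    return User("GLEN", roles, auths)


if __name__ == "__main__":
    for u in (make_glen(), make_glen(with_fs00=True)):
        print(u.roles, "FB50:", can_post(u), "SoD:", sod_violations(u))
```

The point of keeping the two checks separate is that they answer different questions: `can_post` is the runtime authorization check SAP performs on each object, while `sod_violations` is the detective analysis RAR performs over the whole set of transactions a user can reach, which is why an individually correct role assignment can still produce the F001 risk once FS00 is added.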
Evaluate
SAP: 256 Risks, 58,649 action combinations (as of 2008 Q2 update) for the below business processes (figures in parentheses are risks/action combinations for that process):
- HR and Payroll
- Materials Management
- APO/SCM
- SRM
- Finance (37/6229)
- General Accounting
- Project Systems
- CRM
- Fixed Assets
- Basis, Security and System Administration (25/13556)
- Consolidations
Oracle: 162 Risks, 13,183 action combinations
PeopleSoft: 57 Risks, 27,906 action combinations
JD Edwards: 21 Risks, 303 action combinations
Non-RTA system analysis framework for legacy systems
Terminology
RTA: It
TYPE: Stored procedure; Web services; Query; Flat file (delimited)
Figure: SAP GRC Access Control Application System Landscape for a Typical Installation
Figure: SAP GRC Access Control Application System Landscape with Authoritative-User Sources
Figure: SAP GRC Access Control Application System Landscape with User Provisioning with or Without the CUA
GRC AC Applications
GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance; it also provides an integrated framework for designing, enforcing and monitoring continuous compliance in SAP systems.
GRC Access Control consists of the below four Applications:
- SAP GRC Risk Analysis and Remediation
- SAP GRC Compliant User Provisioning (Access Enforcer)
- SAP GRC Superuser Privilege Management (Firefighter)
- SAP GRC Enterprise Role Management (Role Expert)
Risk Terminator
Provides real-time SOD analysis during user and role maintenance and user-to-role assignment.
Risk Terminator can be configured to run a risk analysis when one of the four tasks is performed:
- When a role is generated using PFCG
- When users are assigned to a role using PFCG
- When a role or profile is assigned to a user using SU01
- When a role or profile is assigned to users using SU10
The Risk Analysis report will be displayed to the user showing the SoD violations. The configuration setting "Stop generation if violation exists" will determine if this is an error or a warning.
If the user continues to process the task, a warning message is displayed with two options:
- Discard changes
- Continue
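The preventive side of the Risk Terminator description (analysis at PFCG generation or SU01/SU10 assignment, error versus warning, Discard versus Continue) can be simulated as follows. This is an added example and not SAP's Risk Terminator code; the rule ids, the transactions in each rule, the role contents and the function names are constructed. It reports only violations that the new assignment introduces, so a user's existing (ideally mitigated) risks are not re-raised on every change.

```python
# Constructed SoD rule set: rule id -> transactions that conflict when one user has all of them
RULES = {
    "F001": frozenset({"FS00", "FB50"}),   # G/L master maintenance + G/L posting
    "P001": frozenset({"ME21N", "MIGO"}),  # create purchase order + post goods receipt
}

# Constructed roles and the transactions they grant
ROLES = {
    "Z_GL_ACCOUNTANT": {"FB50", "FB03"},
    "Z_GL_MASTER": {"FS00", "FSP0"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
}


def risk_analysis(tcodes: set) -> list:
    """Rule ids whose conflicting transactions are all contained in tcodes."""
    return sorted(rid for rid, conflict in RULES.items() if conflict <= tcodes)


def tcodes_of(roles) -> set:
    """Union of the transactions granted by a list of roles."""
    out = set()
    for r in roles:
        out |= ROLES[r]
    return out


def check_role_generation(role_tcodes: set, stop_if_violation: bool) -> tuple:
    """PFCG role generation: the role itself contains both halves of a rule.
    Returns (outcome, violations) where outcome is OK, WARNING (the user may
    continue or discard) or ERROR (generation blocked by the stop setting)."""
    violations = risk_analysis(role_tcodes)
    if not violations:
        return "OK", []
    return ("ERROR" if stop_if_violation else "WARNING"), violations


def simulate_assignment(current_roles, new_role, stop_if_violation, continue_on_warning=True):
    """SU01/SU10-style assignment of new_role to a user already holding current_roles.
    Only violations introduced by the new role are reported; the user's existing
    violations are treated as the baseline.  Returns (outcome, new_violations,
    resulting_roles)."""
    before = risk_analysis(tcodes_of(current_roles))
    after = risk_analysis(tcodes_of(list(current_roles) + [new_role]))
    introduced = [v for v in after if v not in before]
    if not introduced:
        return "OK", [], list(current_roles) + [new_role]
    if stop_if_violation:
        return "ERROR", introduced, list(current_roles)                   # assignment rejected
    if continue_on_warning:
        return "WARNING", introduced, list(current_roles) + [new_role]    # user chose Continue
    return "WARNING", introduced, list(current_roles)                     # user chose Discard changes


if __name__ == "__main__":
    print(check_role_generation({"ME21N", "MIGO"}, stop_if_violation=True))
    print(simulate_assignment(["Z_GL_ACCOUNTANT"], "Z_GL_MASTER", stop_if_violation=True))
    print(simulate_assignment(["Z_GL_ACCOUNTANT"], "Z_GL_MASTER", stop_if_violation=False))
```

With the stop setting off the control is purely informational: the violation is shown, but the assignment goes through whenever the administrator clicks Continue, so the detective RAR reports remain the only record of the risk. With it on, the conflicting assignment never reaches the user master record, which is the behaviour an auditor will usually expect for a preventive control.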
SAP GRC Super User Privilege Management (Firefighter)
Emergency access flow:
1. Work Order Acceptance: is an FFID required?
   - No: current E.RFC process
   - Yes: emergency situation
2. The pre-designated Firefighter logs into CUP and requests a FF ID; a notification is sent to BTO.
3. The Firefighter has the required access to remediate the situation.
4. Audit logs / transactions are archived for future audits.
5. Access auto-expires after a pre-determined period.
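The emergency access flow above (pre-designated firefighters, a notification on check-out, logging of every activity, automatic expiry and an archived log for audit) is shown below as an added example. It is not SAP Firefighter code: the FF ID, the owner and controller names that receive the notification, the 60-minute validity period and the sample transactions are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class FirefighterSession:
    ff_id: str
    firefighter: str
    reason: str
    start: datetime
    expires: datetime
    notified: list = field(default_factory=list)
    log: list = field(default_factory=list)   # (timestamp, transaction, detail)
    closed: bool = False


class FirefighterService:
    def __init__(self, ff_ids: dict, validity: timedelta):
        # ff_ids: FF ID -> {"owner": ..., "controller": ..., "firefighters": {...}}
        self.ff_ids = ff_ids
        self.validity = validity
        self.active = {}          # ff_id -> open session (one user at a time per FF ID)
        self.archive = []         # closed sessions, kept for future audits
        self.notifications = []   # (recipient, message)

    def request(self, ff_id, firefighter, reason, now):
        """Check out an FF ID; only pre-designated firefighters may do so."""
        cfg = self.ff_ids[ff_id]
        if firefighter not in cfg["firefighters"]:
            raise PermissionError(f"{firefighter} is not pre-designated for {ff_id}")
        if ff_id in self.active:
            raise RuntimeError(f"{ff_id} is already checked out")
        session = FirefighterSession(ff_id, firefighter, reason, now, now + self.validity)
        for who in (cfg["owner"], cfg["controller"]):
            self.notifications.append((who, f"{firefighter} checked out {ff_id}: {reason}"))
            session.notified.append(who)
        self.active[ff_id] = session
        return session

    def record(self, ff_id, now, tcode, detail):
        """Log one activity; an expired session is closed and the activity refused."""
        session = self.active.get(ff_id)
        if session is None:
            raise PermissionError(f"{ff_id} is not checked out")
        if now >= session.expires:
            self.close(ff_id)
            raise PermissionError(f"{ff_id} expired at {session.expires:%H:%M}")
        session.log.append((now, tcode, detail))

    def close(self, ff_id):
        session = self.active.pop(ff_id)
        session.closed = True
        self.archive.append(session)
        return session

    def expire_sessions(self, now):
        """Housekeeping: auto-expire every session whose validity has lapsed."""
        return [self.close(fid) for fid, s in list(self.active.items()) if now >= s.expires]

    def audit_report(self, ff_id):
        """(firefighter, reason, number of logged activities) per archived session."""
        return [(s.firefighter, s.reason, len(s.log)) for s in self.archive if s.ff_id == ff_id]


def demo() -> dict:
    """Constructed scenario: one FF ID, one authorised firefighter, 60-minute validity."""
    svc = FirefighterService(
        {"FF_FI_01": {"owner": "fi.owner", "controller": "fi.controller", "firefighters": {"glen"}}},
        validity=timedelta(minutes=60))
    t0 = datetime(2024, 1, 15, 9, 0)
    try:
        svc.request("FF_FI_01", "mallory", "test", t0)
        rejected_unlisted = False
    except PermissionError:
        rejected_unlisted = True
    svc.request("FF_FI_01", "glen", "Work order 4711: repair failed month-end posting", t0)
    svc.record("FF_FI_01", t0 + timedelta(minutes=5), "FB02", "changed document 1900000042")
    svc.record("FF_FI_01", t0 + timedelta(minutes=20), "FB50", "posted correction document")
    try:
        svc.record("FF_FI_01", t0 + timedelta(minutes=61), "FB50", "late posting")
        late_blocked = False
    except PermissionError:
        late_blocked = True
    return {"rejected_unlisted": rejected_unlisted, "notifications": len(svc.notifications),
            "late_blocked": late_blocked, "active": len(svc.active),
            "archived_log_entries": svc.audit_report("FF_FI_01")[0][2]}


if __name__ == "__main__":
    print(demo())
```

Two details matter for the reviewer of such a log: the reason given at check-out is stored with the session, so every archived activity can be traced back to a work order, and expiry is enforced at the moment an activity is attempted rather than only by a periodic job, so a session cannot be used past its window even if housekeeping is late.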
CUP Functionalities
- Assessment of Business relationship
- Design Dynamic workflow service
- Automate User provisioning
- Reduce burden on IT
- Prevents Risks by proactive analysis
- Meets Regulatory compliance target
Workflow figure: User Access Request (HR, CRM, Legacy systems) -> Role Owner Approval -> Manager Approval -> Security Coordinator Approval
Multiple Approvers
- Different workflow paths for different request attributes
- Parallel Paths: different workflow paths based on role selection
- Detours and Forks: certain predefined conditions can trigger detours
- Escape Routes: forwarding to another approver; automated provisioning without security review
Automated Actions
- Create/Change User
- Change User Master record information (validity date, user group, etc.)
- Lock/Unlock user
- Delete Users
- Notifications
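The routing features listed above can be expressed as a small path builder. This is an added example, not CUP's own workflow engine: the manager and role-owner assignments, the set of roles that may be provisioned without a security review, the delegate table and the action names are constructed. It chooses the path from the request type, adds one parallel role-owner approval per selected role, detours through the security coordinator whenever a risk violation was found, lets pre-approved roles escape that stage, and forwards any stage whose approver is unavailable to a delegate.

```python
from dataclasses import dataclass, field

# Constructed master data: who approves what
MANAGERS = {"GLEN": "fi.manager", "MAYA": "pur.manager"}
ROLE_OWNERS = {"Z_GL_ACCOUNTANT": "gl.owner", "Z_GL_MASTER": "gl.owner", "Z_PURCHASER": "pur.owner"}
# Escape route: low-risk roles provisioned without a security review when no violation exists
AUTO_PROVISION_ROLES = {"Z_GL_ACCOUNTANT", "Z_DISPLAY_ONLY"}
# Escape route: forward to a delegate when the named approver is unavailable
DELEGATES = {"gl.owner": "gl.deputy", "fi.manager": "fi.deputy"}
SECURITY = "security.coordinator"


@dataclass
class Request:
    user: str
    request_type: str  # NEW, CHANGE, LOCK or DELETE
    system: str
    roles: list = field(default_factory=list)
    risk_violations: list = field(default_factory=list)  # result of risk analysis before routing


def build_path(req: Request, unavailable=frozenset()) -> list:
    """Ordered approval stages as (stage name, approvers).  Approvers listed in one
    stage act in parallel; the request waits for all of them before moving on."""
    path = [("Manager Approval", [MANAGERS[req.user]])]
    if req.request_type in ("NEW", "CHANGE"):
        # parallel path: one owner per selected role (de-duplicated, stable order)
        path.append(("Role Owner Approval", sorted({ROLE_OWNERS[r] for r in req.roles})))
        # detour: a risk violation always pulls the request through the security coordinator;
        # otherwise the escape route skips that stage when every role is pre-approved
        if req.risk_violations or not set(req.roles) <= AUTO_PROVISION_ROLES:
            path.append(("Security Coordinator Approval", [SECURITY]))
    # LOCK and DELETE requests carry no roles, so they take the shorter manager-only path.
    # Escape route: forward stages whose approver is unavailable to the delegate.
    return [(stage, [DELEGATES.get(a, a) if a in unavailable else a for a in approvers])
            for stage, approvers in path]


def automated_actions(req: Request) -> list:
    """Actions CUP runs in the target system once the last stage is approved."""
    return {
        "NEW": ["CREATE_USER", "ASSIGN_ROLES", "NOTIFY"],
        "CHANGE": ["CHANGE_USER_MASTER", "ASSIGN_ROLES", "NOTIFY"],
        "LOCK": ["LOCK_USER", "NOTIFY"],
        "DELETE": ["DELETE_USER", "NOTIFY"],
    }[req.request_type]


if __name__ == "__main__":
    req = Request("GLEN", "CHANGE", "ECC", ["Z_GL_ACCOUNTANT", "Z_GL_MASTER"], ["F001"])
    for stage, approvers in build_path(req, unavailable={"gl.owner"}):
        print(stage, "->", approvers)
    print(automated_actions(req))
```

Note that the escape route without security review is only taken when the risk analysis came back clean; a request that carries a violation cannot bypass the security coordinator regardless of which roles it asks for, which keeps the provisioning path consistent with the preventive check described under Risk Terminator.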
Password Self-Service: allows users to reset their password using challenge and response (if not authenticating against MS AD).
HR Triggers: ability to set up automatic workflow requests based on a function/action that occurs in an SAP HR system.
Maintain Roles
- Upload new roles on periodic basis
- Remove roles on periodic basis
Maintain Approvers
Maintain Workflow
Manage Requests
Figure: SAP GRC Access Control applies enterprise rules and an audit log across applications and their roles.

Figure: role management lifecycle across the ECC and CRM systems. Compliant User Provisioning, the Business Process Owner, Security and HR take part in the stages Definition, Authorization, Risk Analysis, Approval, Generation, Derive and Test, with Risk Analysis & Remediation supplying the risk analysis.
Case Study
Stakeholders: Performance, Conformance, Regulator

Date: 14/6/2554