SAP GRC Overview
Post on 22-Mar-2016
GRC Access Control Overview
Agenda
• Purpose & Target Audience
• GRC Solutions
• Why GRC Access Control
• GRC Access Control Basics
• GRC Access Control Architecture
• GRC Access Control Applications
  – Risk Analysis & Remediation
  – Compliant User Provisioning
  – Enterprise Role Management
  – Super User Privilege Management
• New features of Access Control 5.3
• GRC Access Control – Critical success factors to implement
• GRC Access Control benefits
• GRC Products and Vendors
• Appendix
Purpose
The purpose of this document is to provide an overview of the GRC AC system architecture and functionality.
Intended audience:
• Infrastructure, Security
• SAP Functional
• Internal Control / Internal Audit
• IT Security
• Security Compliance
GRC Solutions
Governance, Risk & Compliance (GRC) Solutions – Access Control comprises four components:
• Risk Analysis and Remediation
• Compliant User Provisioning
• Superuser Privilege Management
• Enterprise Role Management
Why GRC Access Control
Business Drivers / Common Challenges
Customers face a host of security challenges, including:
• Continued increase in compliance spend
• Requirement for continuous compliance monitoring
• Requirement for a centralized internal controls repository
• A recent fraud examiners' report estimated the average loss to existing fraud at 7% of revenue
• Disparate and complex application landscape with process inefficiencies and redundancies
• Existing segregation of duties violations and compliance issues
• Desire to automate user provisioning to support compliance requirements, operational efficiency goals and regulatory requirements
• Requests for emergency access (admin rights) are ad hoc and insufficiently monitored and controlled
• Poor communication between Business and IT results in "best-guess" approval of requests
GRC Access Control Goals
Compliance World-wide
GRC ensures compliance with regulatory mandates.
Integrated GRC
• Unified process, compliance and risk methodologies
• Alignment of risk and strategy management
• Increased visibility across the impact of risk
• Standardized risk and compliance methodologies
Necessity to Implement Access Control
Common approaches rely on periodic audits or manual evaluations and subsequent remediation of the findings. Despite the high effort, without a process in place to continuously monitor Segregation of Duties, the risks are not under control.
Maturity Model
Evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls.
GRC Access Control Basics
Terminology
Segregation of Duties (SoD): access controls ensuring that no single user has access to two or more incompatible duties. Some examples of incompatible duties are:
• Creating a vendor and initiating payment
• Creating and modifying invoices
• Processing inventory and posting payments
Role: a container that holds transactions/reports and an associated (generated) profile
Authorization: permission to access data or execute transactions
Authorization Object: a group of fields that allows for the management of authorizations
User: an end user given access to SAP applications
Risk: a potential risk existing in the system due to SoD, based on the standard business process
Risk Analysis: the process of analyzing roles, profiles and/or users for risks
Mitigation Control: the ability to associate controls with risks, so they can be applied to users and roles identified as violating SoD during risk analysis
Governance, Risk and Compliance
Corporate Governance:
• Ethical corporate behaviour by management, and the practices it follows, in creating value for all stakeholders
• Spells out the rules and procedures for making decisions about corporate affairs
IT Governance:
• Helps to ensure alignment of IT and enterprise objectives
• IT resources are used responsibly and their risks are managed properly
Risk Management:
• Identify, classify, document and reduce risks to an acceptable level
• Risk is the result of three parameters:
  • Existence of a threat to a business process
  • Likelihood of occurrence
  • Impact on the business process
Act accordingly:
• National and international legal requirements:
  • Sarbanes-Oxley Act (US)
  • Data Protection Law (Germany)
  • J-SOX (Japan)
• Corporate policies represent both corporate philosophy and strategic thinking at a high level
• Low-level policies focus on the operational layer
Policies need to be in sync with the overall business strategy and legal requirements.
Evolution of SAP GRC
• Virsa Systems founded in 1996
• Sarbanes-Oxley Act (SOX) passed in 2002, with the first Section 404 compliance deadlines in 2004
• SAP AG announced the acquisition of Virsa on 3 April 2006
• SAP AG renamed the SAP Virsa applications the SAP GRC suite
• SAP upgrades GRC
• SAP integrates GRC AC with Process Control (PC), EHS and Global Trade Services (GTS)
• SAP GRC + SAP BusinessObjects GRC = SAP BO GRC; SAP BO GRC + Risk Management (RM) + PC = SAP BO GRC
• SAP BO GRC + IDM components + dashboards
GRC AC Risk Remediation Strategy
Proactive, real-time compliance: preventing security and controls violations before they occur. GRC AC implements Access Control top to bottom.
GRC Access Control Processes
GRC RAR:
• SoD rules repository maintenance
• Mitigation plan maintenance
• Management reporting
• Continuous compliance monitoring
GRC CUP:
• Dynamic approval workflows, audit trails
• Authorization changes, role design changes, compliance repository changes
• Access and authorization changes, approvals, audit trails
• Emergency access requests
GRC SPM:
• Emergency change access management
• Emergency session log capture and storage
GRC ERM:
• SAP role management
• Compliant SAP role management
• Role management audit trails
Segregation of Duties
A segregation of duties issue exists in a business process when an individual can perform two or more of the following functions on a given transaction:
• Authorization: implied or explicit approval to perform a business transaction or activity
• Custody: activities assigned to personnel to safeguard an asset, including information
• Record Keeping: activities to record the transaction or event in the company's records
• Reconciliation: comparisons of recorded balances or volumes to actual between time intervals, to detect differences and take action on any differences
Authorization Concept
Job task: Glen, a G/L accountant, wants to execute a G/L posting.
SAP role: Glen's role lets him execute transaction FB50 (G/L account posting). When he does, the system checks the authorization objects and field values behind it:
• S_TCODE – Transaction code (may Glen start FB50 at all?)
• F_BKPF_BUK – Accounting document: authorization for company code
• F_BKPF_GSB – Accounting document: authorization for business area
• F_BKPF_KOA – Accounting document: authorization for account type
Authorization Concept (contd..)
In addition to this, if Glen also had access to FS00 (G/L account master record maintenance), with:
• F_SKA1_BES – G/L account: account authorization
• F_BKPF_BLA – Accounting document: authorization for document types
Risk! The combination gives one person the access to create a fictitious G/L account and generate journal activity, or to hide activity via posting entries:
• FS00 – G/L account master record maintenance
• FB50 – G/L account posting
GRC SOD Rules Approach
(figure: Evaluate → Analysis)
RAR Standard Rule Set (as of the 2008 Q2 update)
• SAP: 256 risks, 58,649 action combinations, covering the business processes below (risks / action combinations where stated):
  – HR and Payroll
  – Procure to Pay (70 / 11,104)
  – Order to Cash (32 / 6,101)
  – Finance (37 / 6,229): General Accounting, Project Systems, Fixed Assets
  – Basis, Security and System Administration (25 / 13,556)
  – Materials Management
  – APO/SCM
  – SRM
  – CRM
  – Consolidations
• Oracle: 162 risks, 13,183 action combinations
• PeopleSoft: 57 risks, 27,906 action combinations
• JD Edwards: 21 risks, 303 action combinations
• Non-RTA system analysis framework for legacy systems
Cross-Enterprise Rules Library delivered out of the box
GRC Access Control Architecture
Terminology
RTA (Real-Time Agent): the component installed in the backend system (e.g. ECC) that responds to events or signals as they happen and supplies the backend data that the analysis needs
JCo (SAP Java Connector): a programming interface (API) between a Java program and an ABAP back end such as ECC
IGS (Internet Graphics Service): used to generate graphical content and to provide enough information to incorporate such graphics into your own Web Dynpro applications
UME (User Management Engine): a Java-based user administration component providing central user administration, SSO and secure access to distributed applications
SLD (System Landscape Directory): describes the layout of the systems in an environment; the landscape is the highest node within the system landscape hierarchy
Standard GRC Architecture (figure)
GRC Architecture – Generic view (figure)
RTA: The Enterprise Software Real-Time Agent
RTA type and interface used:
• Prebuilt for SAP: BAPI programming interface
• Prebuilt for Oracle: stored procedure
• Prebuilt for PeopleSoft: web services
• Prebuilt for Hyperion: web services
• Custom-built for direct access to a legacy system database: query
• Custom-built for upload file extraction from a legacy system: flat file (delimited)
GRC Access Control Landscape – Basic
SAP GRC Access Control application system landscape for a typical installation (figure)
GRC Access Control Landscape – Authoritative User Sources
SAP GRC Access Control application system landscape with authoritative user sources (figure)
GRC Access Control Landscape – Central User Administration (CUA)
SAP GRC Access Control application system landscape with user provisioning with or without the CUA (figure)
GRC Access Control Applications
GRC Access Control Overview
GRC AC Applications
GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk and better business performance. It also provides an integrated framework for designing, enforcing and monitoring continuous compliance in SAP systems.
GRC Access Control consists of the following four applications:
• Risk Analysis & Remediation (RAR) and Risk Terminator – sustainable SoD definition, remediation, monitoring and reporting for continuous compliance
• Compliant User Provisioning (CUP) – proactive, compliant, automated and auditable access approval and provisioning
• Enterprise Role Management (ERM) – compliant role design, maintenance and auditability
• Superuser Privilege Management (SPM) – controlled and reviewable privileged user management
Risk Analysis and Remediation
Risk Analysis and Remediation enables monitoring of SAP user access and applies a library of Segregation of Duties (SoD) rules to detect potential irregularities and minimize the risk of fraudulent activity. It is a real-time and preventive compliance solution.
RAR Functionalities
• Audit & assessment of existing practice
• Risk identification and assessment
• Business SoD rules definition
• Mitigation controls definition
• Assessment of mitigation controls
• Remediation plans
• Progress monitoring
• Dynamic dashboards
RAR – features and benefits include:
• Facilitates discussion between Business and IT
• Centralized definition of risks related to user access
• Real-time and cross-system risk analysis
• Remediation of SoD violations
• Proactive detection of SoD issues by simulation
• Auditability of change documents
Former Virsa product names of the four applications: SAP GRC Superuser Privilege Management (Firefighter), SAP GRC Enterprise Role Management (Role Expert), SAP GRC Compliant User Provisioning (Access Enforcer), SAP GRC Risk Analysis and Remediation (Compliance Calibrator)
Risk Terminator
• Provides real-time SoD analysis during user and role maintenance and user-to-role assignment
• Risk Terminator can be configured to run a risk analysis when one of four tasks is performed:
  • When a role is generated using PFCG
  • When users are assigned to a role using PFCG
  • When a role or profile is assigned to a user using SU01
  • When a role or profile is assigned to users using SU10
• The risk analysis report showing the SoD violations is displayed to the user. The configuration setting "Stop generation if violation exists" determines whether this is an error or a warning. If it is a warning and the user continues to process the task, a message is displayed with two options:
  • Discard changes
  • Continue
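The following Python model is an added example, not code from SAP or from these slides. It implements what the Authorization Concept slides (Glen, FB50 and FS00), the RAR rule-set approach and the Risk Terminator description above all rely on: a risk is a pair of conflicting business functions, each function is a set of transaction codes plus the authorization-object field values needed to actually use them, and analysis can stop at action (transaction code) level or go down to permission (field value) level. A valid mitigation control turns a finding into a mitigated one, `simulate` runs the what-if that CUP and Risk Terminator need before an assignment is made, and `risk_terminator` reproduces the error-or-warning gate. The SAP object and field names (S_TCODE/TCD, F_BKPF_BUK, F_SKA1_BES, ACTVT with 01 = create, 02 = change, 03 = display) are real; the user, roles, function IDs, risk ID F001 and control ID MC_GL_01 are assumptions for the example, and a role is represented simply as a frozenset of granted values.

```python
"""SoD risk analysis at action and permission level, with mitigation controls,
a what-if simulation used before assignment, and a Risk Terminator-style gate.
Added example, not SAP code. Object and field names are real SAP names; users,
roles, function IDs, risk IDs and control IDs are constructed for this example."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Auth:
    obj: str    # authorization object, e.g. F_BKPF_BUK
    field: str  # field within the object, e.g. ACTVT
    value: str  # granted value; "*" grants every value


@dataclass(frozen=True)
class PermRule:
    obj: str
    field: str
    values: frozenset  # any one of these granted values satisfies the rule


@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset  # transaction codes that perform the business function
    perms: tuple        # PermRules that must all hold for a permission-level hit


@dataclass(frozen=True)
class Risk:
    rid: str
    functions: tuple  # two function IDs that must not be held together


@dataclass(frozen=True)
class Mitigation:
    control_id: str
    user: str
    risk: str
    valid_to: date


def matches(granted, required):
    return granted == "*" or granted == required


def has_action(auths, tcode):
    return any(a.obj == "S_TCODE" and a.field == "TCD" and matches(a.value, tcode)
               for a in auths)


def has_perm(auths, rule):
    return any(a.obj == rule.obj and a.field == rule.field
               and any(matches(a.value, v) for v in rule.values) for a in auths)


def function_level(auths, fn):
    """None (tcode not reachable), 'action' (tcode only) or 'permission' (tcode + values)."""
    if not any(has_action(auths, t) for t in fn.actions):
        return None
    return "permission" if all(has_perm(auths, p) for p in fn.perms) else "action"


def analyze(user, roles, functions, risks, mitigations=(), today=date(2016, 3, 22)):
    """One finding per risk the user can reach, with its level and any valid mitigation."""
    auths = set().union(*roles) if roles else set()
    findings = []
    for risk in risks:
        levels = [function_level(auths, functions[f]) for f in risk.functions]
        if None in levels:
            continue  # one side of the conflict is out of reach: no violation
        control = next((m.control_id for m in mitigations if m.user == user
                        and m.risk == risk.rid and m.valid_to >= today), None)
        level = "permission" if all(lv == "permission" for lv in levels) else "action"
        findings.append({"user": user, "risk": risk.rid, "level": level,
                         "mitigated_by": control})
    return findings


def simulate(user, roles, new_role, functions, risks, mitigations=()):
    """What-if run before approval or assignment: analyze as if new_role were held."""
    return analyze(user, list(roles) + [new_role], functions, risks, mitigations)


def risk_terminator(user, roles, new_role, functions, risks, stop_on_violation):
    """PFCG/SU01 hook: unmitigated violations block the task or only warn."""
    open_findings = [f for f in simulate(user, roles, new_role, functions, risks)
                     if not f["mitigated_by"]]
    if not open_findings:
        return "ok", []
    return ("error" if stop_on_violation else "warning"), open_findings


# Constructed sample: Glen's posting role and two candidate FS00 roles.
FUNCTIONS = {
    "GL01": Function("GL01", frozenset({"FS00"}),  # maintain G/L account master
                     (PermRule("F_SKA1_BES", "ACTVT", frozenset({"01", "02"})),)),
    "GL02": Function("GL02", frozenset({"FB50"}),  # post G/L document
                     (PermRule("F_BKPF_BUK", "ACTVT", frozenset({"01"})),)),
}
RISKS = [Risk("F001", ("GL01", "GL02"))]  # create a fictitious account and post to it
Z_GL_POST = frozenset({Auth("S_TCODE", "TCD", "FB50"), Auth("F_BKPF_BUK", "ACTVT", "01"),
                       Auth("F_BKPF_BUK", "BUKRS", "1000")})
Z_GL_DISPLAY = frozenset({Auth("S_TCODE", "TCD", "FS00"), Auth("F_SKA1_BES", "ACTVT", "03")})
Z_GL_MASTER = frozenset({Auth("S_TCODE", "TCD", "FS00"), Auth("F_SKA1_BES", "ACTVT", "*")})
MITIGATION_VALID = [Mitigation("MC_GL_01", "GLEN", "F001", date(2016, 12, 31))]
MITIGATION_EXPIRED = [Mitigation("MC_GL_01", "GLEN", "F001", date(2015, 12, 31))]
```

The two candidate roles show why permission-level analysis matters: adding the display-only FS00 role to Glen is an action-level hit (he can start FS00) but not a permission-level one (ACTVT 03 cannot create an account), whereas the maintenance role with ACTVT * is a real F001 violation. An expired mitigation control is treated as absent, which is the check a periodic mitigation reaffirmation exists to drive.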
Superuser Privileged User Access Management
The privileged user access management tool lets "superusers" perform emergency activities outside of their role in a controlled and auditable environment.
Current E-RFC process (figure), as a flow:
• Emergency situation; work order acceptance
• Is a Firefighter (FF) ID required? If no, the firefighter already has the required access and remediates the situation
• If yes, the pre-designated firefighter logs into CUP and requests a FF ID; a notification is sent to BTO
• The Firefighter ID owner logs into CUP and approves the FF ID for the firefighter, with an expiration date
• The firefighter logs into SAP using their own ID and executes a transaction code to check out the FF ID
• Audit logs and transactions are archived for future audits
• Access auto-expires after the pre-determined period
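The flow above, as an added Python example that is not SAP code and not part of the original slides. It models the controls that make a shared emergency ID auditable: a request is approved only by the FF ID's designated owner (never by the requester), the approval carries an expiry, the check-out happens under the firefighter's own user ID so every logged action is attributable to a person, the expiry is enforced on each action rather than only at check-out, and the log report is what the controller receives. The user names, FF ID, transaction codes and timestamps are constructed for the example; `notifications` stands in for the e-mail hook.

```python
"""Firefighter (SPM) check-out flow: owner approval with expiry, check-out under
the firefighter's own ID, per-action logging and automatic expiry.
Added example, not SAP code; users, FF IDs, transaction codes and times are
constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class FirefighterError(Exception):
    pass


@dataclass
class Assignment:
    ff_id: str
    firefighter: str
    approved_by: str
    valid_to: datetime


@dataclass
class Session:
    session_id: int
    ff_id: str
    firefighter: str  # the real person, never just the shared FF ID
    started: datetime
    actions: list = field(default_factory=list)  # (timestamp, tcode)
    closed: bool = False


class FirefighterService:
    def __init__(self, owners):
        self.owners = owners      # FF ID -> owner who may approve its use
        self.requests = {}        # (ff_id, firefighter) -> reason
        self.assignments = {}     # (ff_id, firefighter) -> Assignment
        self.sessions = []
        self.notifications = []   # (recipient, text) that a mail hook would send

    def request(self, firefighter, ff_id, reason):
        if ff_id not in self.owners:
            raise FirefighterError("unknown FF ID " + ff_id)
        self.requests[(ff_id, firefighter)] = reason
        self.notifications.append((self.owners[ff_id], f"{firefighter} requests {ff_id}: {reason}"))

    def approve(self, approver, firefighter, ff_id, valid_to):
        # Only the designated owner approves, and nobody approves their own request.
        if approver != self.owners.get(ff_id) or approver == firefighter:
            raise FirefighterError("approver is not the FF ID owner, or is the requester")
        if (ff_id, firefighter) not in self.requests:
            raise FirefighterError("no pending request")
        self.assignments[(ff_id, firefighter)] = Assignment(ff_id, firefighter, approver, valid_to)

    def checkout(self, firefighter, ff_id, now):
        a = self.assignments.get((ff_id, firefighter))
        if a is None or now > a.valid_to:
            raise FirefighterError("no valid assignment")  # never approved, or expired
        s = Session(len(self.sessions) + 1, ff_id, firefighter, now)
        self.sessions.append(s)
        self.notifications.append((self.owners[ff_id], f"{firefighter} checked out {ff_id}"))
        return s

    def record(self, session, tcode, now):
        # Expiry is enforced on every action, not only at check-out.
        a = self.assignments[(session.ff_id, session.firefighter)]
        if session.closed or now > a.valid_to:
            session.closed = True
            raise FirefighterError("assignment expired; action refused")
        session.actions.append((now, tcode))

    def log_report(self, ff_id):
        """What the controller and auditors see: who used the shared ID, when, doing what."""
        return [{"session": s.session_id, "firefighter": s.firefighter,
                 "started": s.started, "actions": list(s.actions)}
                for s in self.sessions if s.ff_id == ff_id]


def demo():
    """Run the constructed scenario and report what each control did."""
    svc = FirefighterService({"FF_FI_01": "OWNER_FI"})
    t0 = datetime(2016, 3, 22, 9, 0)
    out = {}
    svc.request("GLEN", "FF_FI_01", "month-end close: blocked posting")
    try:
        svc.approve("GLEN", "GLEN", "FF_FI_01", t0 + timedelta(hours=4))
        out["self_approval_blocked"] = False
    except FirefighterError:
        out["self_approval_blocked"] = True
    svc.approve("OWNER_FI", "GLEN", "FF_FI_01", t0 + timedelta(hours=4))
    session = svc.checkout("GLEN", "FF_FI_01", t0)
    svc.record(session, "FB50", t0 + timedelta(minutes=5))
    try:
        svc.record(session, "FS00", t0 + timedelta(hours=5))
        out["expired_action_refused"] = False
    except FirefighterError:
        out["expired_action_refused"] = True
    try:
        svc.checkout("GLEN", "FF_FI_01", t0 + timedelta(hours=6))
        out["late_checkout_refused"] = False
    except FirefighterError:
        out["late_checkout_refused"] = True
    out["report"] = svc.log_report("FF_FI_01")
    out["owner_notified"] = all(r == "OWNER_FI" for r, _ in svc.notifications)
    return out
```

The point the model makes about "FF user not equal to SAP_ALL user" is that the shared ID is only ever reachable through an owned, time-boxed assignment and leaves a per-person log; a plain SAP_ALL user satisfies none of those conditions.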
SPM – features and benefits include:
• Pre-approved emergency access
• Automatic email notification when Firefighter mode is activated
• Automatic sending of the log report to the controller
• Detailed audit trail of performed actions
• Auditability (a Firefighter user is not the same as a SAP_ALL user: use of the FF ID is owned, time-boxed and logged)
• Web-based log reports, including risk analysis
SPM – Process Overview (figure)
Compliant User Provisioning
Job functions change frequently and employees transition into new roles or inherit new responsibilities, but companies often overlook how these changes impact SoD requirements. By incorporating control activities into everyday business processes, companies avoid after-the-fact violation detection. SAP GRC Access Control creates visibility, enables fully compliant user provisioning throughout the employee life cycle, and prevents new SoD violations.
CUP Functionalities
• Assessment of business
• Assessment of business relationships
• Design of dynamic workflow services
• Automated user provisioning
• Reduced burden on IT
• Prevents risks by proactive analysis
• Meets regulatory compliance targets
CUP – features and benefits include:
• Homogenized access request process
• Automated approval management (workflow)
• Dynamic routing for approval
• Risk analysis before request approval
• Transparent view of the impact of the approval (in business language)
• Automated user provisioning to SAP
• Automated logging of request approvals and modifications
CUP – Functional Overview (figure)
CUP – Typical End Users
• Requestors – request access to systems and roles
• Approvers – approve user access requests; security, managers, data owners (role owners), process owners, etc.
• Administrators – administer requests, configure workflow, manage application security, manage other system settings/configuration
CUP – Provisioning Workflow (figure)
User access request → Role owner approval → Manager approval → Security coordinator approval → provisioning to the target systems (HR, CRM, Legacy, ECC)
CUP – Workflow features
• Flexible configuration of workflows
• Multiple approvers
• Different workflow paths for different request attributes
• Parallel paths – different workflow paths based on role selection
• Detours and forks – certain predefined conditions can trigger detours
• Escape routes
• Forwarding to another approver
• Automated provisioning without security review
• Automated actions:
  • Create/change user
  • Change user master record information (validity date, user group, etc.)
  • Lock/unlock user
  • Delete users
• Notifications
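A small Python router, added here as an example and not code from SAP or from the slides, shows how the workflow features listed above fit together for one access request: a parallel role-owner stage (one approval per distinct owner of the requested roles), a manager stage, a detour to a risk review that is only inserted when the risk analysis run before approval finds something, an escape route that sends roles without an owner to the security coordinator, forwarding to a delegate, and an append-only audit trail. Provisioning happens only when every stage has approved, and a requester is never allowed into their own approval chain. The users, roles, owner and manager tables are assumptions; `risk_check` is a constructed stand-in for the RAR simulation that only looks at the requested roles, not at roles the user already holds.

```python
"""CUP-style approval routing: parallel role-owner stage, manager stage, a detour
triggered by risk analysis before approval, an escape route for ownerless roles,
forwarding, and provisioning only when every stage approves.
Added example, not SAP code; users, roles, owners and the conflict check are
constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class Stage:
    name: str
    approvers: set                                 # parallel approvers, each must decide
    decisions: dict = field(default_factory=dict)  # approver -> "approve" | "reject"

    def complete(self):
        return set(self.decisions) == self.approvers

    def rejected(self):
        return "reject" in self.decisions.values()


@dataclass
class Request:
    req_id: int
    requester: str
    target_user: str
    roles: list
    stages: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # append-only trail of every event
    state: str = "open"


class ProvisioningWorkflow:
    def __init__(self, role_owners, managers, security_coordinator, risk_check):
        self.role_owners = role_owners  # role -> owner
        self.managers = managers        # user -> manager
        self.sec = security_coordinator
        self.risk_check = risk_check    # (target_user, roles) -> list of risk IDs
        self.provisioned = []           # (user, role) pairs a connector would push to ECC/CUA
        self._count = 0

    def submit(self, requester, target_user, roles):
        self._count += 1
        r = Request(self._count, requester, target_user, list(roles))
        # Parallel path: one approval per distinct role owner; the escape route sends
        # roles without an owner to the security coordinator.
        r.stages.append(Stage("role_owner", {self.role_owners.get(x, self.sec) for x in roles}))
        r.stages.append(Stage("manager", {self.managers[target_user]}))
        risks = self.risk_check(target_user, roles)
        if risks:  # detour: an extra review stage only when the simulation finds a violation
            r.stages.append(Stage("risk_review", {self.sec}))
        r.audit.append(("submitted", requester, {"roles": list(roles), "risks": risks}))
        for s in r.stages:  # a requester never sits in their own approval chain
            if requester in s.approvers:
                s.approvers = (s.approvers - {requester}) | {self.sec}
                r.audit.append(("self_approval_rerouted", s.name, self.sec))
        return r

    def current_stage(self, r):
        return next((s for s in r.stages if not s.complete()), None)

    def forward(self, r, approver, delegate):
        s = self.current_stage(r)
        if s is None or approver not in s.approvers or delegate == r.requester:
            raise ValueError("cannot forward")
        s.approvers = (s.approvers - {approver}) | {delegate}
        r.audit.append(("forwarded", approver, delegate))

    def decide(self, r, approver, decision):
        s = self.current_stage(r)
        if r.state != "open" or s is None or approver not in s.approvers:
            raise ValueError("not an approver for the current stage")
        s.decisions[approver] = decision
        r.audit.append((decision, approver, s.name))
        if s.rejected():
            r.state = "rejected"
        elif self.current_stage(r) is None:
            r.state = "provisioned"
            self.provisioned.extend((r.target_user, role) for role in r.roles)
        return r.state


def risk_check(target_user, roles):
    """Constructed stand-in for the RAR simulation: one known conflicting pair."""
    return ["F001"] if {"Z_GL_POST", "Z_GL_MASTER"} <= set(roles) else []


ROLE_OWNERS = {"Z_GL_POST": "OWN_FI", "Z_GL_MASTER": "OWN_FI", "Z_MM_DISPLAY": "OWN_MM"}
MANAGERS = {"GLEN": "MGR_FI"}
```

Stages are evaluated strictly in order, so a rejection at any parallel branch ends the request before anything is provisioned, and every routing decision (detour, escape route, forwarding, self-approval reroute) lands in the request's audit list rather than being silent.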
CUP – Other workflow types (non user access request)
• Risk Analysis and Remediation: risk change approvals; mitigation change approvals; SoD management by exception
• Superuser Privilege Management: automates the E-RFC process while providing an audit trail and maintaining compliance; superuser access assignment
• Enterprise Role Management: role maintenance approvals
• User Access Review: can facilitate the quarterly access review; reviews are sent to approvers to approve users' current access
• SoD Management by Exception: exception-based reporting and remediation via workflow
CUP – Additional capabilities
• Password self-service: allows users to reset their password using challenge and response (if not authenticating against MS AD)
• HR triggers: ability to set up automatic workflow requests based on a function/action that occurs in an SAP HR system
• BI integration for detailed custom reporting: a standard cube is available (as of 5.3)
• Integration with a training system: verification of user training status; requires web service integration configuration
CUP – Typical administration
• Maintain roles: upload new roles on a periodic basis; remove roles on a periodic basis
• Maintain approvers: upload new approvers; remove approver information as required
• Maintain workflow: maintain workflow paths; look for opportunities to streamline the workflow process
• Manage requests: on-hold or stale requests
CUP – Integration points and data sources
Possible points of integration:
• ECC, BI, BI-EP, Solution Manager
• Non-SAP systems (with custom RTA)
Supported data sources:
• Multiple SAP systems
• Multiple LDAP systems; out of the box: Active Directory, Sun ONE, Novell eDirectory, IBM Tivoli, and any LDAP system supported by SAP UME
• Non-SAP supported systems: Oracle, PeopleSoft, JD Edwards
Enterprise Role Management
Enterprise Role Management addresses the root of access control through standardized and centralized role design, testing and maintenance. It helps you eliminate manual errors and makes it easier to enforce best practices. The application puts role ownership in the hands of business process owners rather than IT staff, allowing them to document role definitions, perform automated risk assessments, track changes and conduct maintenance with ease, which increases consistency and lowers IT costs.
Centralized role management across applications (figure): SAP GRC Access Control holds the enterprise rules and the audit log and produces compliant enterprise roles.
ERM Functionalities
• Creation and maintenance of roles
• Integrates with RAR for SoD analysis
• Assignment of a role owner to roles
• Triggers dynamic approval workflow
• Dual environment: analysis & generation
• Option to open the SAP profile generator (PFCG) from ERM
ERM – features and benefits include:
• Central management of authorization roles
• Automatic notification on change of role owners
• Approval workflow for role changes
• Preventive risk analysis for roles
• Automatic role generation in the SAP system
• Audit trails and reporting of all role changes
ERM – Process Overview (figure): Definition → Authorization → Derive → Risk Analysis (via Risk Analysis & Remediation) → Approval (via Compliant User Provisioning) → Generation → Test, carried out by Security and the Business Process Owner against the target systems (HR, ECC, CRM)
New Features of Access Control 5.3
Risk Analysis and Remediation:
• Single launch pad for all four capabilities (multiple windows may be open)
• Performance improvements
• Enterprise Portal and UME integration (risk analysis and user provisioning)
• Import/export utilities (component, configuration, mitigation data)
• Enhanced reporting: many added reports, and more reports can be exported; BI integration for custom reporting
• Enhancements to the change management audit trail
• SoD management by exception: identifies unmitigated risks; provides mitigation reaffirm functionality
New Features of Access Control 5.3 (contd..)
Compliant User Provisioning:
• End user request form customization
• Integration with multiple data sources
• Password reset: supported for Oracle, PeopleSoft, JD Edwards; user password self-service with challenge response
• Cross-system risk analysis for access requests
• Compliant User Provisioning for Oracle, PeopleSoft, JD Edwards
• Utilize HR triggers for PeopleSoft
• Enhanced CUA support
• Integration with training systems
• Identity Management integration with major IDM vendors
New Features of Access Control 5.3 (contd..)
Enterprise Role Management:
• Enhanced role derivation (org. value maps)
• Enhanced risk analysis and simulation
• Ability to generate roles for multiple systems at one time
• Ability to copy a role
• Documentation of non-SAP roles and enterprise-wide roles
• Integration with SAP ERP's profile generator
Superuser Privilege Management:
• Enhanced log report
• Multiple owners for firefighter IDs
• Automatic archival of the log report
GRC Access Control Critical success factors
Access Control – Critical success factors to implement
• Engaging the Business and IT teams – in order to customize and fine-tune risk definitions and gather all requirements. Validate the rule set with Internal Audit.
• Management support – having support from the appropriate level of the organization will assist in addressing points of resistance.
• Resources – understanding the organization's key business initiatives will be critical, since multiple initiatives often compete for the same (business) resources.
• "Avoid the big bang" – building out the GRC Access Control solution component by component allows the organization to absorb all parts of a sustainable solution.
• Installation vs. integration – an operational installation of SAP Access Control is realistic in relatively little time; a successful integration, however, requires much more time, effort and expertise.
• Embed the solution in the organization – by defining the operational processes that sustain compliance (impact on new projects, new risks, new systems, changes in the organization).
SAP GRC Benefits
Reduced risk:
• Lower fraud-related loss
• Faster remediation
• Improved business processes and overall performance
Reduced cost of compliance:
• Automation/monitoring frees up resources for value tasks
• Shorter audit cycles
• Streamlined evaluations
• Lower TCO
Improved confidence:
• Visibility/real-time information
• Single version of the truth
• Reinforced accountability
SAP GRC Benefits (contd..)
Key area: Segregation of Duties
• Observation of "as is" process: security activities require 25% to 50% of security admin time; manual processes are inefficient and prone to error; annual audit time of several weeks to manually create and review SoD reports
• Benefits: automated monitoring and tracking; preventive and detective controls
Key area: Add/Change/Delete users
• Observation: manual data entry is inefficient, generates errors and creates risk; frequent add/change requests require manual effort; process delays create the risk of unauthorized access; deletion of users is not consistently and accurately implemented
• Benefits: automated user administration
Key area: Privileged user access
• Observation: access is granted for extended periods of time; activity is not verifiable; the question "what did they do when they had access?" cannot be answered
• Benefits: automated superuser access with tracking of all activities
Key area: Role design and management
• Observation: limited role reaffirm process; limited ability to validate current roles and proposed role changes; difficult to manage a large number of master roles and derived roles
• Benefits: compliant role design and management
Key area: Sensitive transactions management
• Observation: limited, manual tracking of access; current controls do not meet audit requirements well
• Benefits: automated alerting, tracking and logging
Key area: Reporting
• Observation: manual reporting process; manual analysis of differences between time periods; limited visibility for management
• Benefits: automated pre-built access controls reporting
Qualitative Benefits
Comparative study of GRC AC v. manual process (manual process → GRC AC process):
• Provides partial proactive SoD analysis → provides fully proactive SoD analysis
• SoD analysis restricted to transaction code level → SoD analysis extends to authorization object field values
• Captures the SoD implications at periodic internal audit control → captures the SoD implications at run time
• Captures potential risk with no solution → captures potential risks with a probable solution
• Prone to human error in provisioning roles to users → avoids human error in provisioning roles by defining pre-approved approval paths
• Manual log process for emergency access provisioning, leading to discrepancies and a missing audit trail → automatically captures the log for emergency access provisioning and limits access to a time period, producing an audit trail
• Manual definition of the role creation process, resulting in loss of control and audit trail → standard methodology defined for the role creation process, resulting in auditable roles
GRC Products and Vendors
GRC – Products and vendors
SAP – SAP is a German enterprise business software company that provides a comprehensive suite of GRC solutions. Some of the major GRC products are:
• GRC Access Control
• GRC Process Control
• Enterprise Risk Management
• Global Trade Services, and others
Oracle – Oracle is one of the giant companies providing GRC solutions. Oracle offers the "Oracle Governance, Risk and Compliance Manager" solution: an enterprise GRC platform that integrates business intelligence, process management and automated controls enforcement to enable sustainable risk and compliance management. Core capabilities include:
• GRC Insight
• GRC Process
• GRC Controls
Approva Corporation – Approva's Controls Intelligence Suite provides real-time insight and analysis about the state of controls across your business. Companies use the product to address a wide array of business challenges. Some of the GRC products from Approva are:
• User Access Controls & Security
• Financial & Operational Controls
• Master Data Integrity & Accuracy
• Fraud Identification & Prevention
• Controls Design & Optimization
• Compliance & Continuous Auditing
Archer Technologies – Archer's out-of-the-box solutions provide the foundation for a best-in-class enterprise governance, risk and compliance (GRC) program. They include Policy, Threat, Asset, Risk, Business Continuity, Incident, Vendor and Compliance Management. Enterprise Governance, Risk and Compliance Solutions: over 6 million licensed users.
Security Weaver – Security Weaver is a leading enterprise IT security solutions provider with solutions for customers of all sizes. Using Security Weaver's GRC solutions you get superior application performance with less hardware expense and minimal installation expense, while leveraging existing organizational competency. Security Weaver provides the following solutions:
• Separations Enforcer
• Emergency Repair
• Secure Provisioning
• Secure Audit
• Secure Enterprise
Trintech – Trintech provides a world-class solution to address SOX and other compliance initiatives, such as HIPAA, PCI-DSS, FERC/NERC, etc.
Appendix
Glossary
• Segregation of Duties: a primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.
• Personalization: applications may support community personalization to allow organizational groups to customize views for all users.
• SOX: Sarbanes-Oxley compliance, commonly called SOX; a controversial United States federal law passed in response to a number of major corporate and accounting scandals.
• GRC: Governance, Risk, Compliance
• Mitigation Controls: the controls defined for the identified risks in the system.
• Mitigation Objects: the conflicting roles and users that have mitigation controls defined.
• Risks: the potential risks existing in the system due to SoD, based on the standard business process.
• Rules: the collection of risks and functions that forms the core for analyzing SoD conflicts.
• Rule set: the facility in GRC to bucket specific rules for different business requirements.
• Role Provisioning: the process of assigning the authorization to the requested user in the system.
• Auto provisioning: carried out by SAP GRC internally from the CUP approval workflow.
• Firefighter: the emergency access provided to a user in the system, on request, for a limited duration, with its activities monitored.
• Firefighter ID: an ID pre-defined in the system to be used by the firefighter on an emergency basis.
• RAR: Risk Analysis and Remediation
• CUP: Compliant User Provisioning
• ERM: Enterprise Role Management
• SPM: Superuser Privilege Management