Benefits of Automating Compliance

Jun 02, 2018

gmishra098
Transcript
  • 8/10/2019 Benefits of Automating Compliance

    1/34

    Enterprise Application Compliance

    Simple Fast Efficient

    SECURITY WEAVER

    Benefits of Automating Compliance

    Stephen DuBravac

    Executive Vice President

  • 3/34

    SECURITY WEAVER, Enterprise Application Compliance Simplified

    Agenda

    1 Introduction

    2 Exploit all kinds of automation benefits

    3 Optimize ROI of automation

    4 Resources

  • 4/34

    Security Weaver: Trusted, Proven, Growing

    Security Weaver is a best-of-breed compliance application suite that integrates with any SAP environment to quickly and easily control enterprise cross-application compliance risk in real time.

    Headquarters: San Diego, California, USA
    Founded: 2004
    Solutions: Cross Platform Access Controls, Process Controls, License Management & Custom Solutions
    Clients: >100 customers globally; >300 installations globally; >1,000,000 SAP users
    Geography: North America, Latin America, India, and Europe
    Services: 24x7x365 Technical Support, Implementation Services, Training, Consulting and Remediation

  • 5/34

    Agenda

    2 Exploit all kinds of automation benefits

    3 Optimize ROI of automation

    4 Resources

  • 6/34

    Benefits of automated controls

    Tactical / Strategic

    Drive up
    Compliance: Breadth of control; Control effectiveness; Audit cadence; Adaptiveness
    Process effectiveness: Cycle time; Validation scope; Visibility; Better business decisions

    Drive down
    Cost efficiencies: Cost of controls; Cost of research; Cost of penalties & fines; Cost of audit
    Risks: Economic risk; Reputational risk; Operational risk; Audit shocks

  • 7/34

    Agenda

    Introduction

    Exploit all kinds of automation benefits

    3 Optimize ROI of automation

    4 Resources

  • 8/34

    Optimize ROI of automation

    1st things 1st

  • 9/34

    Compliance maturity levels

    Level 1: Auditor Driven
    Level 2: Auditor Anticipated
    Level 3: Process Optimized
    Level 4: Business Optimized
    Level 0: Chaos

  • 10/34

    Maturity informed investments

    Level 1: Auditor Driven
    Detective
    After the finding
    Penalty & theft avoidance
    Example: SOD rules matrix

    Level 2: Auditor Anticipated
    Collaborative
    After the fact
    Audit efficiency
    Example: RT process controls

    Level 3: Process Optimized
    Preventative
    Before the fact
    Process efficiencies and effectiveness
    Example: compliant automated user provisioning

    Level 4: Business Optimized
    Insightful
    Correlated with business and market data
    Business outcomes
    Example: consolidated reporting

  • 11/34

    Optimize ROI of automation

    1st things 1st

    Leverage

  • 12/34

    Leverage existing technology stack

    [Diagram: Cost + Complexity. Labels: Admin/Labor, Power/Space, Maint, Software, Acquire, Big Blocks, Processes & training, Maint & integrations, ETL, Sourcing]

  • 13/34

    Optimize ROI of automation

    1st things 1st

    Leverage

    Iterate

  • 14/34

    Iterate: Keep earning your budget

    1. Have a repeatable management process
    2. Think strategically and horizontally (have a roadmap)
    3. Act tactically (quick cadence of a string of wins)
    4. Balance multiple stakeholder objectives; anticipate competition for budget
    5. Iterate across increasing levels of clarity:
       Prove (quantify the business case)
       Prevent (when: cadence and signals)
       Correct (who and how)
       Detect (what and why)

    Reuse (Framework and technology stack)

  • 15/34

    Example Compliance Roadmap
    Unique to each enterprise (user centric)

    [Chart axes: ROIC, Maturity]

    Segregation of duties rule set with conflict tracking
    Process controls
    Automated user provisioning
    Self-service password reset
    Self-service temporary/emergency access
    User license management
    Transaction analytics
    Role design automation
    Common cockpit

  • 16/34

    Risk management lifecycle
    A sustainable management methodology

    1. Orient: Understand the internal and external landscape
    2. Assess: Frame risk management options and selection guidelines
    3. Plan: Determine the optimal response and specify requirements
    4. Design: Architect people, processes, data, and technology
    5. Build: Document, code, create training, and package releases
    6. Test: Validate assumptions, stakeholder alignment, and code
    7. Operate: Check, measure, and control operational outcomes
    8. Adjust: Make tactical, operational, or initiate strategic changes as appropriate

  • 17/34

    Implementation sequencing
    A sustainable management methodology

    Table columns: Risk weighting (1), ROI, Time to implement, Total costs, Audit criticality, Total
    Table rows: Option 1, Option 2, Option 3, Option 4, Option n

    (1) Risk weighting = (impact of risk) * (likelihood of risk)

  • 18/34

    Optimize ROI of automation

    1st things 1st

    Leverage

    Iterate

    Value People

  • 19/34

    Prove your team's value

    1. Use benchmark data (ISACA, ACFE, user groups)
    2. Model current processes (esp. inputs/outputs)
    3. Conduct time and labor baseline
    4. Let sunk costs stay sunk
    5. Keep it simple
    6. Conduct follow up studies after each phase
    7. Include non-quantitative benefits as well
    8. Track compliance data and data access gains

  • 20/34

    Always think about people

    1. Create a safe workplace
       Computers don't commit fraud, people do
    2. Use the skills you already have and already trust
    3. Design compliance to enable greater productivity
    4. Use compliance data for better processes and roles, not just for better control
    5. Get feedback and give it to your partners

  • 21/34

    What matters

    140K: the median loss from fraud, with 20% of losses at least $1M (1)
    >83% are first time offenders (3); 70% of all employees said they would if they could get away with it (4)
    >1/2 of victims recovered nothing (5)
    53%: ISACA survey respondents made segregation of duties last year's top issue (2)

    How can enterprises simultaneously:
    make compliance a non-event,
    drive operational efficiencies,
    elevate the value of risk management,
    increase profits

  • 22/34

    Optimize ROI of automation

    1st things 1st

    Leverage

    Iterate

    Value People

    Get continuous

  • 23/34

    Continuous management by exception

    1. Think in terms of episodes instead of periods
    2. Think in terms of audit systems, not just audit findings
    3. Share data and processes between audit and management
    4. Focus on providing useful risk information, not just compliance attestation data.

  • 24/34

    Optimize ROI of automation

    1st things 1st

    Leverage

    Iterate

    Value People

    Get continuous

    Business focused

  • 25/34

    Drive business outcomes

    Tactical / Strategic

    Drive up
    Compliance: Breadth of control; Control effectiveness; Audit cadence; Adaptiveness
    Process effectiveness: Cycle time; Validation scope; Visibility; Better business decisions

    Drive down
    Cost efficiencies: Cost of controls; Cost of research; Cost of penalties & fines; Cost of audit
    Risks: Economic risk; Reputational risk; Operational risk; Audit shocks

  • 26/34

    User Access and SOD Compliance

    Siemens is SAP's largest customer with more than 400,000 users spread across 500+ subsidiaries, in 160+ countries, on nearly 100 SAP PRD instances.

    Problem
    Global compliance issues and no automated solution
    Auditor required an automated process for management review of user access to SAP
    No structured way to provision new users
    Needed a fast scalable solution for their global complex SAP environment
    Already sunk significant cost into other SOD solutions.

    Solution
    Implemented Security Weaver
    Integrated automated SOD management and reporting to tighten user access controls worldwide.

    Result
    12,000 User system scan in less than 4 minutes
    Full SOD remediation in 8 weeks.
    Integrated with non-SAP applications

    "The implementation speed, intuitive user handling and the value of immediate usage of the product without major customizing led Siemens AG, amongst other key features like application handling, reporting efficiency and integration within SAP, to the purchase of Security Weaver," -- Michael Brauer, head of Siemens CIO CA/Program Manager for P2P Data Assurance.

  • 27/34

    Agenda

    Introduction

    Exploit all kinds of automation benefits

    Optimize ROI of automation

    4 Resources

  • 28/34

    Resources

    - SecurityWeaver.com
      Customized training
      Formal training
      Product and solution details
      Free SOD evaluations and product trials
    - ISS booth near Bordeaux A
    - ISACA.org
    - ERP Control Specialists* www.erpcontrol.com
    - Security Weaver User group

    * ERP Controls Specialists is a Security Weaver Platinum Level partner focusing on integrated compliance process design and optimization

  • 29/34

    Customers include

  • 30/34

    Why Security Weaver

    $0 cost of incremental hardware
    100 percent of our solutions are available as services
    days to install entire suite of tools for a fully automated user-centric compliance solution
    5
    months to payback typically for compliance solution

    How can enterprises simultaneously:
    make compliance a non-event,
    drive operational efficiencies,
    elevate the value of risk management,
    increase profits

  • 31/34

    Thank You

  • 32/34

    Leverage existing investments

    1. Exploit existing software
       Native monitoring, alerting, and enforcement
       Add ons, SAP transports,
    2. Avoid new hardware purchases
    3. Use controls that work inline
    4. Do small data first, big data later
    5. Use modular solutions and move at the speed of your business needs
    6. Avoid complex and foreign skill set requirements

  • 33/34

    Why Security Weaver

    100% Customer Satisfaction
    - no client has ever canceled support or left for a competitor

    Superior Performance:
    - accomplish compliance work in least time possible

    Exceptionally low costs:
    - typically do not need to purchase hardware
    - may be purchased as a service
    - typically is between 2 and 5 days per module
    - use the skills you have, no new technology stack to manage

    Proven:
    - leverage existing SAP Capabilities
    - POC in less than 5 days and receive a thorough findings report, ROI analysis, and project plan.

  • 34/34

    Security Weaver GRC Platform

    Critical Access Monitoring & Reporting
    Separations Enforcer (SE)
      Tool to manage Segregations of Duties (SOD)
      Delivered with a best practice SOD rule set
    Dash
      Management Reporting and Analytics
    Secure Enterprise
      Integration Layer for Non-SAP systems

    User Access Operations
    Secure Provisioning (SP)
      User provisioning with integrated SOD Analysis
      Supports full employee life cycle user administration
    Reset Password (RP)
      Integrated self-service password reset for SAP users
    Role Deriver (RD)
      Support tool for Derived Role Build (part of SE)
    Emergency Repair
      Providing emergency access in secure environment

    Business Process Controls
    Process Auditor (PA)
      Embedded, configurable rules engine capable of true, real-time continuous controls monitoring

    SAP License Utilization Optimization
    License Manager
      Delivers cost savings based on Role/User reclassifications

    [Platform diagram. Labels: Security Weaver; Modules; Enterprise Application Compliance]

    Enterprise Applications: ERP, Legacy, Other
    Dash: Management Reporting and Analytics
    Secure Enterprise (EN): Platform Independent Compliance Integration Layer
    Reset Password (RP): Enterprise Password Management
    License Manager (LM): Enterprise Software Asset Management
    Process Auditor (PA): Transaction monitoring and auditing
    Role Driver (RD): Role Administration
    Emergency Repair (ER): Emergency Access Mgmt.
    Separations Enforcer (SE): SOD & CA Reporting
    Secure Provisioning (SP): Full Life Cycle User Access Administration