8/10/2019 Benefits of Automating Compliance
Enterprise Application Compliance
Simple Fast Efficient
Security Weaver
Benefits of Automating Compliance
Stephen DuBravac
Executive Vice President
Agenda
1 Introduction
2 Exploit all kinds of automation benefits
3 Optimize ROI of automation
4 Resources
Security Weaver: Trusted, Proven, Growing
Security Weaver is a best-of-breed compliance application suite that integrates with any SAP environment to quickly and easily control enterprise cross-application compliance risk in real-time.
Headquarters: San Diego, California, USA
Founded: 2004
Solutions: Cross Platform Access Controls, Process Controls, License Management & Custom Solutions
Clients: >100 Customers globally; >300 Installations globally; >1,000,000 SAP users
Geography: North America, Latin America, India, and Europe
Services: 24x7x365 Technical Support, Implementation Services, Training, Consulting and Remediation
Benefits of automated controls
Tactical / Strategic
Drive up
- Compliance: Breadth of control, Control effectiveness, Audit cadence, Adaptiveness
- Process effectiveness: Cycle time, Validation scope, Visibility, Better business decisions
Drive down
- Cost efficiencies: Cost of controls, Cost of research, Cost of penalties & fines, Cost of audit
- Risks: Economic risk, Reputational risk, Operational risk, Audit shocks
Optimize ROI of automation
1st things 1st
Compliance maturity levels
Level 0: Chaos
Level 1: Auditor Driven
Level 2: Auditor Anticipated
Level 3: Process Optimized
Level 4: Business Optimized
Maturity informed investments
Level 1: Auditor Driven
- Detective
- After the finding
- Penalty & theft avoidance
- Example: SOD rules matrix
Level 2: Auditor Anticipated
- Collaborative
- After the fact
- Audit efficiency
- Example: RT process controls
Level 3: Process Optimized
- Preventative
- Before the fact
- Process efficiencies and effectiveness
- Example: compliant automated user provisioning
Level 4: Business Optimized
- Insightful
- Correlated with business and market data
- Business outcomes
- Example: consolidated reporting
Optimize ROI of automation
1st things 1st
Leverage
Leverage existing technology stack
[Figure: diagram with axes Cost and Complexity. Labels: Acquire, Admin/Labor, Power/Space, Maint, Software, Big Blocks, Processes & training, Maint & integrations, ETL, Sourcing]
Optimize ROI of automation
1st things 1st
Leverage
Iterate
Iterate: Keep earning your budget
1. Have a repeatable management process
2. Think strategically and horizontally (have a roadmap)
3. Act tactically (quick cadence of a string of wins)
4. Balance multiple stakeholder objectives; anticipate competition for budget
5. Iterate across increasing levels of clarity:
- Prove (quantify the business case)
- Prevent (when: cadence and signals)
- Correct (who and how)
- Detect (what and why)
Reuse (framework and technology stack)
Example Compliance Roadmap
Unique to each enterprise (user centric)
[Chart axes: ROIC and Maturity]
- Segregation of duties rule set with conflict tracking
- Process controls
- Automated user provisioning
- Self-service password reset
- Self-service temporary/emergency access
- User license management
- Transaction analytics
- Role design automation
- Common cockpit
Risk management lifecycle
A sustainable management methodology
1. Orient: Understand the internal and external landscape
2. Assess: Frame risk management options and selection guidelines
3. Plan: Determine the optimal response and specify requirements
4. Design: Architect people, processes, data, and technology
5. Build: Document, code, create training, and package releases
6. Test: Validate assumptions, stakeholder alignment, and code
7. Operate: Check, measure, and control operational outcomes
8. Adjust: Make tactical, operational, or initiate strategic changes as appropriate
Implementation sequencing
A sustainable management methodology
Scoring matrix columns: Risk weighting (1), ROI, Time to implement, Total costs, Audit criticality, Total
Scoring matrix rows: Option 1, Option 2, Option 3, Option 4, Option n
(1) Risk weighting = (impact of risk) * (likelihood of risk)
Optimize ROI of automation
1st things 1st
Leverage
Iterate
Value People
Prove your team's value
1. Use benchmark data (ISACA, ACFE, user groups)
2. Model current processes (esp. inputs/outputs)
3. Conduct time and labor baseline
4. Let sunk costs stay sunk
5. Keep it simple
6. Conduct follow up studies after each phase
7. Include non-quantitative benefits as well
8. Track compliance data and data access gains
Always think about people
1. Create a safe workplace
Computers don't commit fraud; people do
2. Use the skills you already have and already trust
3. Design compliance to enable greater productivity
4. Use compliance data for better processes and roles, not just for better control
5. Get feedback and give it to your partners
What matters
- 140K: the median loss from fraud, with 20% of losses at least $1M (1)
- 53%: ISACA survey respondents made segregation of duties last year's top issue (2)
- >83%: are first time offenders (3); 70% of all employees said they would if they could get away with it (4)
- >1/2 of victims recovered nothing (5)
How can enterprises simultaneously:
- make compliance a non-event,
- drive operational efficiencies,
- elevate the value of risk management
- increase profits
Optimize ROI of automation
1st things 1st
Leverage
Iterate
Value People
Get continuous
Continuous management by exception
1. Think in terms of episodes instead of periods
2. Think in terms of audit systems, not just audit findings
3. Share data and processes between audit and management
4. Focus on providing useful risk information, not just compliance attestation data.
Optimize ROI of automation
1st things 1st
Leverage
Iterate
Value People
Get continuous
Business focused
Drive business outcomes
Tactical / Strategic
Drive up
- Compliance: Breadth of control, Control effectiveness, Audit cadence, Adaptiveness
- Process effectiveness: Cycle time, Validation scope, Visibility, Better business decisions
Drive down
- Cost efficiencies: Cost of controls, Cost of research, Cost of penalties & fines, Cost of audit
- Risks: Economic risk, Reputational risk, Operational risk, Audit shocks
User Access and SOD Compliance
Siemens is SAP's largest customer with more than 400,000 users spread across 500+ subsidiaries, in 160+ countries, on nearly 100 SAP PRD instances.
Problem
- Global compliance issues and no automated solution
- Auditor required an automated process for management review of user access to SAP
- No structured way to provision new users
- Needed a fast scalable solution for their global complex SAP environment
- Already sunk significant cost into other SOD solutions.
Solution
- Implemented Security Weaver
- Integrated automated SOD management and reporting to tighten user access controls worldwide.
Result
- 12,000 User system scan in less than 4 minutes
- Full SOD remediation in 8 weeks.
- Integrated with non-SAP applications
"The implementation speed, intuitive user handling and the value of immediate usage of the product without major customizing led Siemens AG, amongst other key features like application handling, reporting efficiency and integration within SAP, to the purchase of Security Weaver," -- Michael Brauer, head of Siemens CIO CA/Program Manager for P2P Data Assurance.
Resources
- SecurityWeaver.com
  - Customized training
  - Formal training
  - Product and solution details
  - Free SOD evaluations and product trials
- ISS booth near Bordeaux A
- ISACA.org
- ERP Control Specialists* www.erpcontrol.com
- Security Weaver User group
* ERP Controls Specialists is a Security Weaver Platinum Level partner focusing on integrated compliance process design and optimization
Why Security Weaver
0$ cost of incremental hardware
100% percent of our solutions are available as services
days to install entire suite of tools for a fully automated user-centric compliance solution
5
months to payback typically for compliance solution
How can enterprises simultaneously:
- make compliance a non-event,
- drive operational efficiencies,
- elevate the value of risk management
- increase profits
Thank You
Leverage existing investments
1. Exploit existing software
  - Native monitoring, alerting, and enforcement
  - Add ons, SAP transports,
2. Avoid new hardware purchases
3. Use controls that work inline
4. Do small data first, big data later
5. Use modular solutions and move at the speed of your business needs
6. Avoid complex and foreign skill set requirements
Why Security Weaver
100% Customer Satisfaction
- no client has ever canceled support or left for a competitor
Superior Performance:
- accomplish compliance work in least time possible
Exceptionally low costs:
- typically do not need to purchase hardware
- may be purchased as a service
- typically is between 2 and 5 days per module
- use the skills you have, no new technology stack to manage
Proven:
- leverage existing SAP Capabilities
- POC in less than 5 days and receive a thorough findings report, ROI analysis, and project plan.
Security Weaver GRC Platform
Critical Access Monitoring & Reporting
- Separations Enforcer (SE): Tool to manage Segregations of Duties (SOD). Delivered with a best practice SOD rule set
- Dash: Management Reporting and Analytics
- Secure Enterprise: Integration Layer for Non-SAP systems
User Access Operations
- Secure Provisioning (SP): User provisioning with integrated SOD Analysis. Supports full employee life cycle user administration
- Reset Password (RP): Integrated self-service password reset for SAP users
- Role Deriver (RD): Support tool for Derived Role Build (part of SE)
- Emergency Repair: Providing emergency access in secure environment
Business Process Controls
- Process Auditor (PA): Embedded, configurable rules engine capable of true, real-time continuous controls monitoring
SAP License Utilization Optimization
- License Manager: Delivers cost savings based on Role/User reclassifications
[Diagram: Security Weaver Enterprise Application Compliance platform]
Enterprise Applications: ERP, Legacy, Other
Secure Enterprise (EN): Platform Independent Compliance Integration Layer
Dash: Management Reporting and Analytics
Modules:
- Reset Password (RP): Enterprise Password Management
- License Manager (LM): Enterprise Software Asset Management
- Process Auditor (PA): Transaction monitoring and auditing
- Role Driver (RD): Role Administration
- Emergency Repair (ER): Emergency Access Mgmt.
- Separations Enforcer (SE): SOD & CA Reporting
- Secure Provisioning (SP): Full Life Cycle User Access Administration