Implementing Process Controls and Risk Management with Novell® Compliance Management Platform extension for SAP Environments
Mark Worwetz, Senior Engineering Manager, Novell Inc.
Volker Scheuber, Consulting Engineer, Novell Inc.
Managing processes, automatically testing controls within processes, and proactively managing risk through key performance/risk indicators are significant challenges to establishing GRC/IT-GRC practices and an effective compliance framework. This session will focus on the current and future capabilities of Novell Compliance Management Platform that can assist organizations with implementing process controls and risk management throughout the enterprise. We will provide specific examples with SAP GRC Access Control, Process Control and Risk Management.
Transcript
Novell® Compliance Management Platform
• Integrated Identity and Security Management Platform
  – Software Components
    > Identity Vault
    > Novell® Identity Manager with Roles Based Provisioning Module (RBPM)
    > Novell® Sentinel™
    > Novell® Access Manager™
  – Tools
    > Designer for Novell Identity Manager
    > Analyzer for Novell Identity Manager
  – Solution Content
    > Integrated Provisioning and Access Control Policies and Workflows
    > Identity Tracking
    > Identity and Security Monitoring and Reporting
• Role Mapping Administrator
  – Tool for mapping SAP-specific authorizations to RBPM Business Roles
• SAP Drivers – New or Enhanced
  – SAP User Management Fanout Driver
  – SAP Business Logic Driver
  – SAP Portal (UME) Driver
  – SAP BusinessObjects Access Control Driver
• SAP Solution Pack
  – SAP-specific Sentinel Content
• Roles for all SAP systems are aggregated in Access Control
• Risk Analysis can be run for all SAP role assignment requests
• Risk Mitigation can be performed prior to approval of role assignments
• IDM exposes the results of SAP Risk Analysis in Provisioning Workflow
  – Provides critical risk information to Role Approver
  – Provides information to guide tuning of Enterprise Role Model and Process Controls
• Leaves the ultimate decision on SAP Provisioning Security in the domain
• Roles for non-SAP systems are imported to Access Control
• Risk Analysis Rules can be implemented for non-SAP systems
• Risk Mitigation can be performed prior to requesting provisioning of role assignments to non-SAP systems
• IDM can act as a Provisioning Agent to non-SAP systems
for(;;) {
  Are the Business Service Level Agreements being met?
  Are my Employees as Productive as Possible?
  Is My Infrastructure Compliant?
  Are my IT System and Application Administrators following established processes?
  Are my Controls Adequate and Efficient?
  Are my Control Policies Protected?
  Can I Verify all of this?
}
• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Workflows must be completed within 24 hours
• Business Problems:
  – How long do Workflows really take to complete?
  – Are there any Bottlenecks in Approval Chains?
  – What is the current state of my Workflows?
  – Are my current Policies optimal for the Business?
  – Are my current Policies meeting my Security Needs?
• Process Policies:
  – All Access Approvals are Processed via IDM Workflows
  – All Access Workflows must be completed within 24 hours
  – All Low Threat Access will have Automated Approval
  – All Medium Threat Access must have 1 Approval
  – All High Threat Access must have 2 Approvals
• Process Improvements:
  – All Access Approvals are completed faster!
  – Security Posture Improved!
  – Bottlenecks Removed!
• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Rights changes are performed via IDM Drivers after approval
• Business Problems:
  – Can I detect if these policies are violated?
  – Can I remediate violations at an IT level?
  – Can Process Owners receive notification of violations?
Novell® CMP receives event and begins IT and Process remediation
GRC Process control forwards the item to Glen to review the effect on SAP applications
Jim's Access is reset in the SAP CRM system
A notification is sent to Process administrators to remediate controls violation
Violating Policy, Natasha grants Jim SAP_ALL rights in the SAP CRM system.
Jim requests IT to Temporarily give him access rights to perform a task
“Rogue Administration” workflow is started to remediate IT security
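The process policies above (approval count per threat level, 24-hour completion, all access changes made by IDM drivers after approval) and the Jim/Natasha scenario are the kind of checks a monitoring platform evaluates. The following is an added illustration, not Novell CMP or Sentinel code; the record layout, field names and timestamps are constructed assumptions:

```python
"""Added example (not Novell's code): evaluate constructed IDM workflow records
and SAP access-change events against the deck's process policies."""
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not IDM/Sentinel schemas.
WORKFLOWS = [
    {"id": "wf-1", "user": "jim", "target": "SAP_CRM", "role": "CRM_VIEW",
     "threat": "low", "approvals": 0,
     "opened": "2009-03-01T09:00", "closed": "2009-03-01T09:01"},
    {"id": "wf-2", "user": "ann", "target": "SAP_CRM", "role": "CRM_POST",
     "threat": "high", "approvals": 1,          # policy requires 2
     "opened": "2009-03-01T09:00", "closed": "2009-03-02T12:00"},  # 27h
]
SAP_EVENTS = [
    {"user": "jim", "target": "SAP_CRM", "role": "CRM_VIEW",
     "actor": "IDM_DRIVER", "when": "2009-03-01T09:02"},
    {"user": "jim", "target": "SAP_CRM", "role": "SAP_ALL",   # Natasha's grant
     "actor": "natasha", "when": "2009-03-01T10:30"},
]
REQUIRED_APPROVALS = {"low": 0, "medium": 1, "high": 2}
SLA = timedelta(hours=24)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def workflow_findings(workflows):
    """Workflow-side checks: approvals per threat level and the 24h completion policy."""
    findings = []
    for wf in workflows:
        need = REQUIRED_APPROVALS[wf["threat"]]
        if wf["approvals"] < need:
            findings.append((wf["id"], f"needs {need} approval(s), has {wf['approvals']}"))
        if parse(wf["closed"]) - parse(wf["opened"]) > SLA:
            findings.append((wf["id"], "exceeded 24h completion policy"))
    return findings


def rogue_grants(events, workflows):
    """Every SAP access change must be made by the IDM driver and trace back to a
    sufficiently approved workflow that closed before the change; anything else
    is 'rogue administration' and would start the remediation workflow."""
    approved = {(w["user"], w["target"], w["role"]): parse(w["closed"])
                for w in workflows
                if w["approvals"] >= REQUIRED_APPROVALS[w["threat"]]}
    rogue = []
    for ev in events:
        key = (ev["user"], ev["target"], ev["role"])
        backed = key in approved and approved[key] <= parse(ev["when"])
        if ev["actor"] != "IDM_DRIVER" or not backed:
            rogue.append(ev)
    return rogue
```

On the constructed data, wf-2 trips both the approval-count and the 24-hour checks, and only the out-of-band SAP_ALL grant is flagged as rogue.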
Questions and Answers
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.