10.1. SAP BusinessObjects Access Control as a Sustainable Solution for Authorization Compliance


Upload: expertum-consulting-excellence

Post on 06-May-2015

TRANSCRIPT

Page 1: 10.1. sap business objects access control as a sustainable solution for authorization compliance

SAP WORLD TOUR LUXEMBOURG 2010, October 26, 2010 – Kikuoka Mercure Golf Club

SAP BusinessObjects Access Control

Chris Walravens, GRC Competence & Delivery Lead, Expertum

Koen Roaen, Business Development & GRC Competence Lead, Expertum

A Solution for Sustainable Authorization Compliance

For more info: www.expertum.net

Page 2

Agenda

1. Expertum introduction

2. GRC today

3. SAP BO GRC AC 5.3
• Benefits
• Stakeholder interests
• Issues encountered & solution approach

4. Get Clean – Stay Clean – Stay in Control
• RAR
• CUP
• SPM
• RAR

5. Conclusion

6. The next release

7. Questions

© SAP 2010 / Page 2

Page 3

Expertum Introduction

Founded in 2006. Team of 45+ SAP experts and project managers.

Our mission:
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth

SAP Service Partner, SAP Channel Partner, SAP Education Partner, SAP Lounge Partner, SAPience.be Partner

Our expertise:
• Knowledge Management - Product & Service Development
• Project Management (PM)
• Supply Chain Planning (SCP)
• Supply Chain Execution (SCE)
• SAP NetWeaver (NW)
• Governance, Risk, and Compliance (GRC)
• SAP Solution Manager (SolMan)
• Business Intelligence (BI)
• Finance (FI)
• Product Lifecycle Management (PLM)

Page 4

GRC today

Governance, Risk and Compliance comprises the following applications:

Access Control
• Enables compliant continuous control of access and authorization across the enterprise
• Proactively protects information and prevents fraud through automated risk analysis and remediation

Process Control
• Automated continuous control monitoring across policies and regulatory requirements
• Delivers cross-system visibility and a unified repository of compliance data for efficient multi-initiative management

Risk Management
• Formal integration of risk management with strategy
• Repeatable framework to analyze and mitigate risk
• Continuously monitor key risk indicators across strategic objectives

Sustainability Performance Management
• Manages processes and analytics to communicate and execute sustainability strategy
• Data gathering with automatic and repeatable collection from systems and people

Global Trade Services
• Automates import and export compliance, including ITAR
• Supports electronic customs filing and reporting
• Monitors and manages outbound NFe transactions
• Identify, manage and prioritize risk exposure across global supply chains

Environment, Health, and Safety Management
• Comprehensive platform for Environmental, Health and Safety Management
• Provides support across three pillars: Health and Safety; Product Safety and Stewardship; Emissions Management

Page 5

Benefits of SAP BO GRC AC 5.3

Control access
• Centralized access (and identity) management
• Out-of-the-box rule set automatically detects access and authorization risks so that they can be eliminated
• Enforce segregation of duties across applications and departments
• Prevents improper access to assets

Automate compliance
• Automate segregation of duties and access management
• Automated audit trails and documentation
• Automated analysis

Page 6

Benefits of SAP BO GRC AC 5.3

Real-time oversight and predictability
• Review and approval process
• Real-time detective controls and transaction monitoring
• Automated IT and line-of-business collaboration

Facilitates the road to compliance
• Obtain quick, effective, and comprehensive identification of risks
• Eliminate existing access and authorization risks

Page 7

Benefits of SAP BO GRC AC 5.3

Continuous access management
• Avoid business obstructions with faster emergency response
• Improve productivity of end users
• Mitigate risk through continuous monitoring

Effective management oversight
• Provide capabilities for management oversight
• Facilitate internal audit
• Minimize audit cost and time

Page 8

Stakeholder interests

CFO
• Better visibility of access risk
• Solid proof and reliability for financial data and regulatory reporting
• Reduce risk by analyzing issues and performing the necessary remediation

CIO
• Increase efficiency and collaboration with compliance embedded into business processes
• Faster resolution of issues with IT and line-of-business collaboration

Audit
• Transfer ownership of controls to the business
• Minimized audit time and audit-related costs
• Automated audit trails and documentation

Page 9

Issues encountered

Business Operations
• Lack of visibility due to technical complexity
• Overwhelmed by an ever-increasing number of global and local regulatory requirements
• Limited effectiveness of review and approval processes

Compliance and Audit
• Compliance analysis is mostly a manual process
• Managing numerous diverse regulatory requirements
• Lack of a governance framework to ensure compliant role management
• Role proliferation and excess privileges increase the audit challenge

IT Operations
• Manual, labor-intensive user provisioning and access management
• Fragmented approach to access management increases the possibility of errors and inconsistency
• Complex and technical security data models prevent collaboration between IT and business

End Users
• Productivity loss due to delay in getting access
• Fragmented access management process provides incomplete access
• Access not kept synchronized with a changing role, resulting in inadequate access (or potential unauthorized access)

Page 10

Solution approach

Business Operations
• Provides for business user accountability
• Collaborative role management process
• Business-friendly role definitions reflect the reality of the business

Compliance and Audit
• Preventive compliance of roles through integrated risk analysis
• Streamlines job functions with consistent business roles
• Visibility of role compliance and role exceptions
• Increases confidence with built-in audit trails

End Users
• Quick on-boarding, eliminating productivity loss
• Right access to the right systems at the right time
• Reduced risk of unauthorized access

IT Operations
• Reduction in administration costs
• Elimination of manual errors, resulting in increased user satisfaction
• Consistent, repeatable, streamlined processes to manage users across the enterprise
• Single toolset for a heterogeneous landscape, resulting in lower training costs

Customers / Partners
• Secure and compliant access to business services across organization boundaries

Page 11

SAP BO Access Control: sustainable prevention of segregation of duties violations

Minimal Time To Compliance (Get Clean)
• Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up

Continuous Access Management (Stay Clean)
• Compliant User Provisioning: prevent SoD violations at run time
• Enterprise Role Management: enforce SoD compliance at design time
• Superuser Privilege Management: close the #1 audit issue with temporary emergency access

Effective Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Page 12

SAP BO Access Control: Minimal time to compliance

Get Clean: Risk Analysis and Remediation

Page 13

(Framework diagram from page 11 repeated, highlighting Get Clean: Risk Analysis and Remediation, rapid, cost-effective and comprehensive initial clean-up, Minimal Time To Compliance)

Page 14

Get Clean – RAR demo

Page 15

Get clean (RAR)

• Cross-enterprise view on SoD violations
• Allows an effective road towards compliance
• Allows reviews per system, user group, organizational level or role
• Translates a technical subject (authorizations, rule sets, etc.) into business language
• Remediation actions can be: authorization removal, or mitigating control assignment

Side notes
• The authorization concept architecture impacts the ease of remediation
• Mitigating controls need to be in place and inventoried
• The default rule set needs to be made company specific (false positives)

Page 16

SAP BO Access Control: Continuous Access Management

Get Clean: Risk Analysis and Remediation
Stay Clean: Compliant User Provisioning, Enterprise Role Management, Superuser Privilege Management

Page 17

(Framework diagram from page 11 repeated, highlighting Stay Clean: Compliant User Provisioning, prevent SoD violations at run time, Continuous Access Management)

Page 18

Stay Clean – CUP demo

Page 19

Stay clean (CUP)

Request procedure is very structured
• Only a choice from existing business roles
• Forces requesters to work within the existing roles
• Sustainability of implemented roles

Approval procedure automated
• Automated workflow (efficiency)
• Preventive SoD checks (before approval)
• Automated user provisioning
• Sustainability of compliance of role assignments

Side note
• Role / authorization owners needed

Page 20

(Framework diagram from page 11 repeated, highlighting Stay Clean: Superuser Privilege Management, close the #1 audit issue with temporary emergency access)

Page 21

Stay Clean – SPM demo

Page 22

Stay clean (SPM)

Firefighter roles
• Classical firefighter activities (the truck is waiting and the issue needs to be solved)
• Critical system access (debugging)
• Support roles for IT people needing to perform business functionality on occasion

• Sustainability of regular access rights
• Sustainability of the audit trail for activities outside the regular
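The firefighter (emergency access) pattern this slide describes, as an added Python example written for this page and not code from the presentation or from SAP: a named user checks out a pre-assigned firefighter ID against a mandatory reason code and ticket reference, the session is time-boxed, every action (including the check-out and any attempt after expiry) goes into the log, and the controller for that ID pulls the log for review. The firefighter IDs, owners, controllers, reason codes, users and the sample session are constructed; a real deployment records actions from the target system's own logs rather than being called per action as execute() is here.

```python
"""Break-glass ("firefighter") access in the style of SAP GRC Access Control's
Superuser Privilege Management (SPM).

Added example for this page, not code from the presentation or from SAP.
Firefighter IDs, owners, controllers, reason codes, users and the sample
session are constructed. A real deployment would read the actions from the
target system's own logs instead of being called per action as execute() is.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# FFID -> (owner, controller who reviews the log, maximum session length)
FIREFIGHTER_IDS = {
    "FF_AP_EMERGENCY": ("AP_MANAGER", "AP_CONTROLLER", timedelta(hours=4)),
    "FF_BASIS_DEBUG":  ("BASIS_LEAD", "IT_AUDIT", timedelta(hours=2)),
}
# Named users pre-assigned to an FFID by its owner; nobody is added during an incident.
ASSIGNMENTS = {"JSMITH": {"FF_AP_EMERGENCY"}, "BADMIN": {"FF_BASIS_DEBUG"}}
REASON_CODES = {"INCIDENT", "MONTH_END", "AUDIT_REQUEST"}


@dataclass
class Session:
    ffid: str
    user: str
    reason: str
    ticket: str
    start: datetime
    end: datetime
    actions: list = field(default_factory=list)  # (timestamp, action, detail)

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


class FirefighterService:
    def __init__(self):
        self.sessions = []

    def check_out(self, user, ffid, reason, ticket, now):
        """Issue a time-boxed session; the check-out itself is the first log entry."""
        if ffid not in ASSIGNMENTS.get(user, set()):
            raise PermissionError(f"{user} is not assigned to {ffid}")
        if reason not in REASON_CODES or not ticket:
            raise ValueError("reason code and ticket reference are mandatory")
        max_len = FIREFIGHTER_IDS[ffid][2]
        session = Session(ffid, user, reason, ticket, now, now + max_len)
        session.actions.append((now, "CHECKOUT", f"{reason} {ticket}"))
        self.sessions.append(session)
        return session

    def execute(self, session, tcode, detail, now):
        """Record an action under the FFID; refuse and log anything outside the window."""
        if not session.active(now):
            session.actions.append((now, "DENIED", tcode))
            raise PermissionError(f"{session.ffid} session expired at {session.end:%H:%M}")
        session.actions.append((now, tcode, detail))

    def controller_report(self, controller):
        """Stay in Control: every logged action on the FFIDs this controller reviews."""
        rows = []
        for s in self.sessions:
            if FIREFIGHTER_IDS[s.ffid][1] != controller:
                continue
            for ts, action, detail in s.actions:
                rows.append((s.ffid, s.user, s.ticket, ts.isoformat(timespec="minutes"), action, detail))
        return rows


def demo():
    """Constructed sample session: a payment-run incident late in the evening."""
    svc = FirefighterService()
    t0 = datetime(2010, 10, 26, 22, 0)
    s = svc.check_out("JSMITH", "FF_AP_EMERGENCY", "INCIDENT", "INC0042", t0)
    svc.execute(s, "F110", "rerun payment proposal", t0 + timedelta(minutes=15))
    svc.execute(s, "FK02", "correct bank key on vendor 100123", t0 + timedelta(minutes=40))
    try:
        svc.execute(s, "F110", "late retry", t0 + timedelta(hours=5))  # after the 4 h window
        denied = False
    except PermissionError:
        denied = True
    return svc, denied


if __name__ == "__main__":
    service, was_denied = demo()
    for row in service.controller_report("AP_CONTROLLER"):
        print(*row)
    print("late retry denied:", was_denied)
```

The point of the design is that the privileged ID is never a standing entitlement: eligibility is decided in advance by the owner, each use is tied to a reason and ticket, the window closes by itself, and the denied attempt after expiry is as visible to the controller as the successful actions.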

Page 23

SAP BO Access Control: Effective Management Oversight and Audit

Get Clean: Risk Analysis and Remediation
Stay Clean: Compliant User Provisioning, Enterprise Role Management, Superuser Privilege Management
Stay in Control: Management Oversight, Internal Audit

Page 24

(Framework diagram from page 11 repeated in full: Get Clean, Stay Clean and Stay in Control)

Page 25

Stay in Control – RAR demo

Page 26

Stay in Control (RAR)

What-if analysis
• Check compliance before violations occur
• Sustainability of compliance of role assignments

Reaffirmation
• Reaffirm role assignments on a regular basis
• Sustainability of compliance of role assignments
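The risk analysis behind the RAR and CUP slides (Get clean (RAR), Stay clean (CUP) and the what-if analysis on this slide), as an added Python example written for this page and not code from the presentation or from SAP. A rule set defines a risk as a pair of conflicting functions and a function as a set of actions; a user holds a function as soon as any of their roles grants one of its actions, and a violation is a risk whose two functions are both held. Run over every user, the same analysis is the Get Clean report; run on the current roles plus a requested role, it is the preventive check in CUP or a what-if simulation; run with one role removed at a time, it lists the authorization-removal options. A mitigating control assigned to a (user, risk) pair keeps the violation visible but reports it as mitigated, and a delivered versus company-specific rule set shows the false positive the RAR side note warns about. All functions, risks, roles, users and the mitigating control are constructed; SAP transaction codes are used only as the action vocabulary.

```python
"""Segregation-of-duties (SoD) risk analysis in the style of SAP GRC Access
Control's Risk Analysis and Remediation (RAR), plus the what-if simulation that
Compliant User Provisioning (CUP) runs before a request is approved.

Added example for this page, not code from the presentation or from SAP. The
rule set, roles, users and mitigating control are constructed sample data
built around the classic procure-to-pay conflict (maintain vendor master vs.
run payments). Transaction codes are used only as the action vocabulary.
"""
from copy import deepcopy

# Delivered rule set: a function is a set of actions; a risk is a pair of
# conflicting functions. FK03 (display vendor) is placed in the vendor function
# here to model the kind of false positive a default rule set produces.
FUNCTIONS_DELIVERED = {
    "AP01_MAINTAIN_VENDOR": {"FK01", "FK02", "FK03", "XK01", "XK02"},
    "AP02_POST_INVOICE":    {"FB60", "MIRO"},
    "AP03_PAYMENT_RUN":     {"F110"},
}
RISKS = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP03_PAYMENT_RUN"),  # create a vendor and pay it
    "P002": ("AP02_POST_INVOICE", "AP03_PAYMENT_RUN"),     # post an invoice and pay it
}
# Company-specific rule set: display-only access is not a SoD exposure.
FUNCTIONS_TUNED = deepcopy(FUNCTIONS_DELIVERED)
FUNCTIONS_TUNED["AP01_MAINTAIN_VENDOR"].discard("FK03")

ROLES = {
    "Z_AP_CLERK":       {"FB60", "MIRO"},
    "Z_AP_PAYMENT":     {"F110"},
    "Z_VENDOR_MASTER":  {"XK01", "XK02"},
    "Z_VENDOR_DISPLAY": {"FK03"},
}
USERS = {
    "JSMITH": {"Z_VENDOR_MASTER", "Z_AP_PAYMENT"},
    "MJONES": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "RLEE":   {"Z_VENDOR_DISPLAY", "Z_AP_PAYMENT"},
}
# Mitigating controls keyed by (user, risk): the violation stays in the
# analysis but is reported as mitigated instead of open.
MITIGATIONS = {("MJONES", "P002"): "MC-AP-07: AP manager reviews each payment proposal"}


def analyze(roles, functions=FUNCTIONS_TUNED):
    """Return {risk_id: sorted conflicting actions} for a set of roles.
    A function counts as held as soon as the user has any one of its actions."""
    actions = set().union(*(ROLES[r] for r in roles)) if roles else set()
    held = {f for f, acts in functions.items() if acts & actions}
    return {
        rid: sorted((functions[f1] | functions[f2]) & actions)
        for rid, (f1, f2) in RISKS.items()
        if f1 in held and f2 in held
    }


def batch_report(users=USERS, mitigations=MITIGATIONS, functions=FUNCTIONS_TUNED):
    """Get Clean: analyze every user and tag each violation open or mitigated."""
    report = {}
    for user, roles in users.items():
        for rid, acts in analyze(roles, functions).items():
            status = "mitigated" if (user, rid) in mitigations else "open"
            report.setdefault(user, {})[rid] = {"actions": acts, "status": status}
    return report


def simulate_request(user, requested_role, functions=FUNCTIONS_TUNED):
    """Stay Clean / what-if: the risks that approving the request would add."""
    before = analyze(USERS[user], functions)
    after = analyze(USERS[user] | {requested_role}, functions)
    return {rid: acts for rid, acts in after.items() if rid not in before}


def removal_options(user, risk_id, functions=FUNCTIONS_TUNED):
    """Remediation by authorization removal: single roles whose removal clears the risk."""
    return {r for r in USERS[user] if risk_id not in analyze(USERS[user] - {r}, functions)}


if __name__ == "__main__":
    for user, risks in batch_report().items():
        for rid, info in risks.items():
            print(f"{user} {rid} {info['status']:9} {' '.join(info['actions'])}")
    print("delivered rule set flags RLEE with:", list(batch_report(functions=FUNCTIONS_DELIVERED).get("RLEE", {})))
    print("JSMITH + Z_AP_CLERK would add:", simulate_request("JSMITH", "Z_AP_CLERK"))
    print("clear JSMITH P001 by removing one of:", removal_options("JSMITH", "P001"))
```

With the tuned rule set RLEE is clean and only JSMITH (open) and MJONES (mitigated) appear in the report; with the delivered rule set RLEE is flagged on P001 purely because of display access, which is the false positive the side note on the RAR slide tells you to tune out before remediating. The request simulation is the same function applied to a hypothetical role set, which is why CUP can refuse a request before anyone approves it.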

Page 27

(Framework diagram from page 11 repeated, with two additional labels: "Cross-enterprise library of best practice segregation of duties rules" and "Risk analysis, remediation and prevention services")

Page 28

Conclusion

SAP BO GRC Access Control ensures sustainability of:
• Implemented roles, through a very structured request procedure
• Compliance of role assignments (regular access), through an automated approval procedure with preventive rule set check, what-if analysis and a reaffirmation procedure
• Audit trails (access outside the regular)

Page 29

SAP BO GRC AC: The next release

GRC2010 Barcelona
• Release 10.0 of AC, PC & RM will be presented
• One common technology platform (ABAP based)
• More integration between the three applications: mitigating controls in AC & PC, risks in PC & RM
• Functionality improvements

Page 30

Questions?

Page 31

Thank you!

For more info: www.expertum.net