10.1. sap business objects access control as a sustainable solution for authorization compliance
TRANSCRIPT
SAP WORLD TOUR LUXEMBOURG 2010
October 26, 2010 – Kikuoka Mercure Golf Club
SAP BusinessObjects Access Control
A Solution for Sustainable Authorization Compliance
Chris Walravens, GRC Competence & Delivery Lead, Expertum
Koen Roaen, Business Development & GRC Competence Lead, Expertum
For more info: www.expertum.net
Agenda
1. Expertum introduction
2. GRC today
3. SAP BO GRC AC 5.3
   • Benefits
   • Stakeholder interests
   • Issues encountered & solution approach
4. Get Clean – Stay Clean – Stay in control
   • RAR
   • CUP
   • SPM
   • RAR
5. Conclusion
6. The next release
7. Questions
© SAP 2010 / Page 2
Expertum Introduction
Founded in 2006
Team of +45 SAP Experts and Project Managers
Our Mission:
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
SAP Service Partner, SAP Channel Partner, SAP Education Partner, SAP Lounge Partner, SAPience.be Partner
Our Expertise:
• Knowledge Management
• Product & Service Development
• Project Management (PM)
• Supply Chain Planning (SCP)
• Supply Chain Execution (SCE)
• SAP NetWeaver (NW)
• Governance, Risk, and Compliance (GRC)
• SAP Solution Manager (SolMan)
• Business Intelligence (BI)
• Finance (FI)
• Product Lifecycle Management (PLM)
GRC today
Governance, Risk and Compliance comprises:
• Access Control
• Process Control
• Risk Management
• Sustainability Performance Management
• Global Trade Services
• Environment, Health, and Safety Management
Access Control
• Enables compliant continuous control of access and authorization across the enterprise
• Proactively protects information and prevents fraud through automated risk analysis and remediation
Process Control
• Automated continuous control monitoring across policies and regulatory requirements
• Delivers cross-system visibility and a unified repository of compliance data for efficient multi-initiative management
Risk Management
• Formal integration of risk management with strategy
• Repeatable framework to analyze and mitigate risk
• Continuously monitor key risk indicators across strategic objectives
Sustainability Performance Management
• Manages processes and analytics to communicate and execute sustainability strategy
• Data gathering with automatic and repeatable collection from systems and people
Global Trade Services
• Automates import and export compliance, including ITAR
• Supports electronic customs filing and reporting
• Monitors and manages outbound NFe transactions
• Identify, manage and prioritize risk exposure across global supply chains
Environment, Health, and Safety Management
• Comprehensive platform for Environmental, Health and Safety Management
• Provides support across three pillars: Health and Safety; Product Safety and Stewardship; Emissions Management
Benefits of SAP BO GRC AC 5.3
Control access
• Centralized access (and identity) management
• Out-of-the-box rules automatically eliminate access and authorization risks
• Enforce segregation of duties across applications and departments
• Prevents improper access to assets
Automate compliance
• Automate segregation of duties and access management
• Automated audit trails and documentation
• Automated analysis
Real-time oversight and predictability
• Review and approval process
• Real-time detective controls and transaction monitoring
• Automated IT and Line of Business collaboration
Facilitates the road to compliance
• Obtain quick, effective, and comprehensive identification of risks
• Eliminate existing access and authorization risks
Continuous access management
• Avoid business obstructions with faster emergency response
• Improve productivity of end users
• Mitigate risk through continuous monitoring
Effective management oversight
• Provide capabilities for management oversight
• Facilitate internal audit
• Minimizes audit cost & time
Stakeholder interests
CFO
• Better visibility of access risk
• Solid proof and reliability for financial data and regulatory reporting
• Reduce risk by analyzing issues and performing necessary remediation
CIO
• Increase efficiency and collaboration with compliance embedded into business processes
• Faster resolution of issues with IT and Line of Business collaboration
Audit
• Transfer ownership of controls to business
• Minimized audit time and audit-related costs
• Automated audit trails and documentation
Issues encountered
Business Operations
• Lack of visibility due to technical complexity
• Overwhelmed by ever-increasing number of global and local regulatory requirements
• Limited effectiveness with review and approval processes
Compliance and Audit
• Compliance analysis is mostly a manual process
• Manage numerous diverse regulatory requirements
• Lack of governance framework to ensure compliant role management
• Role proliferation and excess privileges increase audit challenge
IT Operations
• Manual, labor-intensive user provisioning and access management
• Fragmented approach to access management increases the possibility for errors and inconsistency
• Complex and technical security data models prevent collaboration between IT and business
End Users
• Productivity loss due to delay in getting access
• Fragmented access management process provides incomplete access
• Access not kept synchronized with changing role, resulting in inadequate access (or potential unauthorized access)
Solution approach
Business Operations
• Provides for business user accountability
• Collaborative role management process
• Business-friendly role definitions reflect the reality of business
Compliance and Audit
• Preventive compliance of roles through integrated risk analysis
• Streamlines job functions with consistent business roles
• Visibility of role compliance and role exceptions
• Increases confidence with built-in audit trails
End Users
• Quick on-boarding, eliminating productivity loss
• Right access to right systems at right time
• Reduce risk of unauthorized access
IT Operations
• Reduction in administration costs
• Elimination of manual errors, resulting in increased user satisfaction
• Consistent, repeatable, streamlined processes to manage users across the enterprise
• Single toolset for heterogeneous landscape, resulting in lower training costs
Customers / Partners
• Secure and compliant access to business services across organization boundaries
SAP BO Access Control: Sustainable prevention of segregation of duties violations
Minimal Time To Compliance
• Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up (Get Clean)
Continuous Access Management
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time (Stay Clean)
• Superuser Privilege Management: close #1 audit issue with temporary emergency access
Effective Management Oversight and Audit
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits (Stay in Control)
SAP BO Access Control: Minimal time to compliance
Get Clean: Risk Analysis and Remediation (rapid, cost-effective and comprehensive initial clean-up)
Get Clean – RAR demo
Get clean (RAR)
• Cross-enterprise view on SoD violations
• Allows an effective road towards compliance
• Allows reviews per system, user group, organizational level or role
• Translates a technical subject (authorizations, rule sets, etc.) into business language
• Remediation actions can be:
  - authorization removal
  - mitigating control assignment
Side notes
• Authorization concept architecture impacts ease of remediation
• Mitigating controls need to be in place and inventoried
• The default rule set needs to be made company-specific (false positives)
SAP BO Access Control: Continuous Access Management
Get Clean: Risk Analysis and Remediation
Stay Clean: Enterprise Role Management, Compliant User Provisioning, Superuser Privilege Management
Stay Clean – CUP demo
Stay clean (CUP)
Request procedure is very structured
• Only choice from existing business roles
• Forces users to work within the existing roles
• Sustainability of implemented roles
Approval procedure automated
• Automated workflow (efficiency)
• Preventive SoD checks (before approval)
• Automated user provisioning
• Sustainability of compliance of role assignments
Side note
• Role / authorization owners needed
SAP BO Access Control: Sustainable prevention of segregation of duties violations
Stay Clean: Superuser Privilege Management (close #1 audit issue with temporary emergency access)
Stay Clean – SPM demo
Stay clean (SPM)
Firefighter roles
• Classical firefighter activities (the truck is waiting and the issue needs to be solved)
• Critical system access (debugging)
• Support roles for IT people needing to perform business functionality on occasion
• Sustainability of regular access rights
• Sustainability of audit trail for activities out of the regular
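The SPM slide makes two promises: regular access rights stay as they are, and every activity done "out of the regular" leaves an audit trail. The following Python is an added illustration of that model, written for this transcript; it is not SAP's SPM code. A firefighter ID is checked out for a bounded window with a mandatory reason, actions are only accepted inside that window and are logged against the session, and a controller who is not the user must sign the log off. All IDs, users, transaction codes and incident references are constructed.

```python
"""Emergency (firefighter) access with its own audit trail.

Constructed illustration of the SPM idea on this slide, not SAP code: a user's
regular roles are never widened; instead a firefighter ID is checked out for a
bounded window with a stated reason, every action in that window is logged
against the session, and a controller must review the log afterwards.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class FirefighterSession:
    firefighter_id: str
    user: str                      # regular user who checked the ID out
    reason: str                    # incident reference (constructed)
    start: datetime
    end: datetime                  # hard expiry of the window
    activities: List[Tuple[datetime, str]] = field(default_factory=list)
    checked_in: Optional[datetime] = None
    reviewed_by: Optional[str] = None


class FirefighterRegistry:
    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.max_duration = max_duration
        self.sessions: List[FirefighterSession] = []
        self._active: Dict[str, FirefighterSession] = {}   # firefighter_id -> open session

    def check_out(self, ffid: str, user: str, reason: str, now: datetime) -> FirefighterSession:
        """Open a time-bounded session; a reason is mandatory and an ID is single-occupancy."""
        if not reason.strip():
            raise ValueError("a reason is required to check out a firefighter ID")
        if ffid in self._active:
            raise RuntimeError(f"{ffid} is already checked out by {self._active[ffid].user}")
        session = FirefighterSession(ffid, user, reason, now, now + self.max_duration)
        self.sessions.append(session)
        self._active[ffid] = session
        return session

    def log_activity(self, ffid: str, transaction: str, now: datetime) -> None:
        """Record an action; refused outside an open, unexpired session."""
        session = self._active.get(ffid)
        if session is None:
            raise PermissionError(f"{ffid} is not checked out")
        if now > session.end:
            self.check_in(ffid, now)   # window elapsed: close the session and refuse
            raise PermissionError(f"{ffid} window expired at {session.end:%H:%M}")
        session.activities.append((now, transaction))

    def check_in(self, ffid: str, now: datetime) -> FirefighterSession:
        session = self._active.pop(ffid, None)
        if session is None:
            raise PermissionError(f"{ffid} is not checked out")
        session.checked_in = now
        return session

    def pending_review(self) -> List[FirefighterSession]:
        """Closed sessions whose log the controller has not yet signed off."""
        return [s for s in self.sessions if s.checked_in is not None and s.reviewed_by is None]

    def review(self, session: FirefighterSession, controller: str) -> dict:
        """Sign off a closed session and return the audit record a reviewer would archive."""
        if session.checked_in is None:
            raise RuntimeError("session is still open")
        if controller == session.user:
            raise PermissionError("a firefighter session cannot be reviewed by its own user")
        session.reviewed_by = controller
        return {
            "firefighter_id": session.firefighter_id,
            "user": session.user,
            "reason": session.reason,
            "duration_min": int((session.checked_in - session.start).total_seconds() // 60),
            "transactions": [t for _, t in session.activities],
            "reviewed_by": controller,
        }


def demo() -> dict:
    """Constructed walk-through: one incident handled inside the window and signed off."""
    reg = FirefighterRegistry(max_duration=timedelta(hours=2))
    t0 = datetime(2010, 10, 26, 9, 0)
    reg.check_out("FF_FI_01", "jdoe", "INC-0042 payment run stuck", t0)
    reg.log_activity("FF_FI_01", "SM37", t0 + timedelta(minutes=5))
    reg.log_activity("FF_FI_01", "F110", t0 + timedelta(minutes=20))
    session = reg.check_in("FF_FI_01", t0 + timedelta(minutes=30))
    return reg.review(session, controller="fi.controller")


def expired_attempt_is_refused() -> bool:
    """Constructed check: an action after the window closes is refused and the session auto-closes."""
    reg = FirefighterRegistry(max_duration=timedelta(hours=1))
    t0 = datetime(2010, 10, 26, 9, 0)
    reg.check_out("FF_BASIS_01", "bkim", "INC-0043 dump analysis", t0)
    try:
        reg.log_activity("FF_BASIS_01", "ST22", t0 + timedelta(hours=3))
    except PermissionError:
        return len(reg.pending_review()) == 1 and reg.sessions[0].activities == []
    return False


if __name__ == "__main__":
    print(demo())
    print("expired attempt refused:", expired_attempt_is_refused())
```

The point of the design is that the regular user ID never gains the emergency authorizations: what the auditor later reads is one record per session with its reason, duration, transactions and the reviewer's name, which is exactly the "audit trail for activities out of the regular" the slide refers to.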
SAP BO Access Control: Effective Management Oversight and Audit
Get Clean: Risk Analysis and Remediation
Stay Clean: Enterprise Role Management, Compliant User Provisioning, Superuser Privilege Management
Stay in Control: Management Oversight, Internal Audit (Periodic Access Review and Audit)
Stay in Control – RAR demo
Stay in Control (RAR)
What-if analysis
• Check compliance before violations occur
• Sustainability of compliance of role assignments
Reaffirmation
• Reaffirm role assignments on a regular basis
• Sustainability of compliance of role assignments
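The RAR clean-up (Get Clean), the preventive SoD check CUP runs before approval (Stay Clean) and the what-if analysis and reaffirmation on this slide all rest on the same evaluation: a rule set of conflicting function pairs applied to the transactions a user's roles grant. The Python below is an added example written for this transcript, not SAP's code, that carries that evaluation through, including the two side notes from the RAR slide: a documented mitigating control closes a finding without removing access, and the default rule set is tailored by disabling a rule the company judged a false positive. The rule set, role names, transaction codes, users, control id and confirmation dates are all constructed.

```python
"""Rule-set based SoD analysis in the spirit of RAR / CUP / what-if.

Constructed example written for this transcript, not SAP code. A risk is a
pair of conflicting functions; a function is the set of transactions that
realise it; a user violates a risk when the roles they hold grant at least one
transaction from each side of the pair.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed rule set: risk id -> (description, function A, function B)
RULE_SET: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "P001": ("Maintain vendor master and run payments", {"XK01", "FK01"}, {"F110", "F-53"}),
    "S001": ("Create sales order and change delivery", {"VA01"}, {"VL02N"}),
    "B001": ("Maintain purchase order and post goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
}

# Constructed roles and the transactions they grant
ROLE_TRANSACTIONS: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "FK01"},
    "Z_SALES": {"VA01", "VA02"},
    "Z_SHIPPING": {"VL02N"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}

# Constructed user-to-role assignments
USER_ROLES: Dict[str, Set[str]] = {
    "jdoe": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "asmith": {"Z_SALES"},
    "bkim": {"Z_PURCHASER"},
}

# Company-specific tailoring of the default rule set (constructed): S001 was judged a
# false positive for this company; P001 for jdoe is covered by a documented control.
DISABLED_RULES: FrozenSet[str] = frozenset({"S001"})
MITIGATING_CONTROLS: Dict[Tuple[str, str], str] = {
    ("jdoe", "P001"): "MC-017 monthly payment-run review by AP manager",
}

# Constructed owner confirmation dates used by the reaffirmation check
LAST_CONFIRMED: Dict[Tuple[str, str], date] = {
    ("jdoe", "Z_AP_CLERK"): date(2010, 1, 5),
    ("jdoe", "Z_VENDOR_MASTER"): date(2010, 8, 15),
    ("bkim", "Z_PURCHASER"): date(2010, 9, 1),
}
REVIEW_DATE = date(2010, 10, 26)


@dataclass(frozen=True)
class Finding:
    user: str
    risk: str
    roles_a: FrozenSet[str]     # roles granting a transaction of function A
    roles_b: FrozenSet[str]     # roles granting a transaction of function B
    control: Optional[str]      # mitigating control, None if the violation is open


def granting_roles(roles, transactions, role_tx=ROLE_TRANSACTIONS) -> FrozenSet[str]:
    """Roles among `roles` that grant at least one of `transactions`."""
    return frozenset(r for r in roles if role_tx.get(r, set()) & transactions)


def analyze_user(user, roles, rule_set=RULE_SET, disabled=DISABLED_RULES,
                 controls=MITIGATING_CONTROLS, role_tx=ROLE_TRANSACTIONS) -> List[Finding]:
    """RAR-style analysis of one user: every enabled risk both of whose sides are reachable."""
    findings = []
    for risk in sorted(rule_set):
        if risk in disabled:            # company-specific rule set: rule switched off
            continue
        _, func_a, func_b = rule_set[risk]
        roles_a = granting_roles(roles, func_a, role_tx)
        roles_b = granting_roles(roles, func_b, role_tx)
        if roles_a and roles_b:
            findings.append(Finding(user, risk, roles_a, roles_b, controls.get((user, risk))))
    return findings


def open_violations(findings: List[Finding]) -> List[Finding]:
    """Findings still needing remediation: authorization removal or a mitigating control."""
    return [f for f in findings if f.control is None]


def analyze_all(user_roles=USER_ROLES, **kw) -> Dict[str, List[Finding]]:
    return {u: analyze_user(u, r, **kw) for u, r in user_roles.items()}


def what_if(user, requested_role, user_roles=USER_ROLES, **kw) -> List[Finding]:
    """CUP preventive check / what-if: risks that granting `requested_role` would newly introduce."""
    current = user_roles.get(user, set())
    before = {f.risk for f in analyze_user(user, current, **kw)}
    after = analyze_user(user, current | {requested_role}, **kw)
    return [f for f in after if f.risk not in before]


def due_for_reaffirmation(last_confirmed, today, period=timedelta(days=180)) -> List[Tuple[str, str]]:
    """Periodic review: (user, role) assignments whose owner confirmation is older than `period`."""
    return sorted(k for k, d in last_confirmed.items() if today - d > period)


if __name__ == "__main__":
    for user, findings in analyze_all().items():
        for f in findings:
            status = f"mitigated by {f.control}" if f.control else "OPEN"
            print(f"{user}: {f.risk} via {sorted(f.roles_a)} x {sorted(f.roles_b)} -> {status}")
    print("what-if bkim + Z_WAREHOUSE:", [f.risk for f in what_if("bkim", "Z_WAREHOUSE")])
    print("due for reaffirmation:", due_for_reaffirmation(LAST_CONFIRMED, REVIEW_DATE))
```

Run stand-alone, the report shows jdoe's P001 finding as mitigated rather than open, the what-if for bkim flags B001 before the role is granted, and the reaffirmation check lists only the assignment older than the review period. The same `analyze_user` call serves the clean-up, the approval-time check and the what-if; the difference is only whether it is run against current or proposed assignments.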
SAP BO Access Control: Sustainable prevention of segregation of duties violations
Cross-enterprise library of best practice segregation of duties rules
Risk analysis, remediation and prevention services
Minimal Time To Compliance (Get Clean)
• Risk Analysis and Remediation: rapid, cost-effective and comprehensive initial clean-up
Continuous Access Management (Stay Clean)
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time
• Superuser Privilege Management: close #1 audit issue with temporary emergency access
Effective Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits
Conclusion
SAP BO GRC Access Control ensures sustainability of:
• Implemented roles, through a very structured request procedure
• Compliance of role assignments (regular access), through:
  - Automated approval procedure with preventive rule set check
  - What-if analysis
  - Reaffirmation procedure
• Audit trails (access out of the regular)
SAP BO GRC AC: The next release
GRC2010 Barcelona
• Release 10.0 of AC, PC & RM will be presented
• One common technology platform (ABAP based)
• More integration between the three applications:
  - Mitigating controls in AC & PC
  - Risks in PC & RM
• Functionality improvements
Questions?