EMC Hybrid Cloud for SAP - Enhanced Security and Compliance

White Paper

EMC Solutions

Abstract

This White Paper details the integration between the RSA Archer® and SAP products by prototyping integration processes that help a customer understand how the two products can work together to provide a unified eGRC solution. This solution satisfies business and management priorities across IT, finance, operations, and legal domains, and helps achieve automated compliance with regulatory requirements.

August 2014

EMC HYBRID CLOUD FOR SAP: Enhanced Security and Compliance

Centralize compliance information into a single repository

Automate application control verification

Integrate RSA Archer with SAP


Copyright © 2014 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All trademarks used herein are the property of their respective owners.

Part Number H13328

Table of contents

Executive summary    5
    Business case    5
    Solution overview    5
    Key results/recommendations    6

Introduction    7
    Purpose    7
    Scope    7
    Audience    7
    Terminology    7

Solution overview    8
    Current situation    8
    Our solution    9
        Solution architecture    10
    Key components    11
        SAP Business Suite    11
        SAP GRC    11
        RSA Archer    12
    EHC overview    13

Use cases and verifications    15
    Overview    15
    Using an automated application to control verification    15
        Process    15
        Summary    15
    Monitoring client opening and closing for configuration    15
        Process    16
        Summary    16
    Assigning high-risk profiles    16
        Process    16
        Summary    16
    Identifying and deleting inactive SAP user accounts    17
        Process    17
        Summary    17
    Monitoring SoD user violation rates    17
        Process    18
        Summary    18
    Monitoring SoD role violation rates    18
        Process    18
        Summary    19
    Monitoring of opening/closing of financial and material periods for posting    19
        Process    19
        Summary    19

Conclusion    20
    Summary    20
    Findings    20
    Professional Services    20

References    22
    White papers    22
    Product documentation    22

Executive summary

Business case

Organizations recognize that their ability to compete in a global marketplace is increasingly tied to the efficiency and agility of their IT solutions and their ability to remain flexible as the business environment evolves. Enterprise Governance, Risk, and Compliance (eGRC) strategy is a key component to this evolution as it ensures effective risk management and organizational compliance, which are critical to the organization’s mission. The impact of unmanaged risk to this mission is highly visible and detrimental to the organization’s bottom line.

For the Chief Information Security Officer (CISO), and other executives performing similar duties, the increased focus on an organization’s compliance posture has led to increased focus on financial risks, operational risks, strategic risks and the close management of operationalizing security initiatives. For IT professionals, this requires translating IT risks into digestible terms for the business so that they can prioritize the risks appropriately at the enterprise level. Compliance should be embedded in core processes, not the afterthought following a significant event.

This compliance revolution is taking place as businesses are moving core applications into the cloud and facing the challenges of big data, explosive information growth, data mobility, and social media. The ability to manage risks and effectively meet compliance requirements in this networked and mobile world enables the enterprise to meet these challenges head on.

Alternatively, in some cases, the compliance landscape is fragmented with multiple applications housing GRC-related data. This GRC landscape has many disadvantages including the delayed processing of manual tasks, complex management of IT architecture, data inefficiency, and overburdened resources. This lack of consolidated data hinders the organization from achieving timely compliance and managing risk effectively.

Solution overview

As part of the EMC Hybrid Cloud for SAP solution, the EMC Solutions team in collaboration with the RSA Archer® team and EMC/RSA partner, S3, has created a solution that directly integrates the RSA Archer and SAP products. This will assist customers in addressing the challenges of centralizing and consolidating governance, risk, and controls information from SAP and non-SAP applications into a single repository to support ongoing compliance activities. Figure 1 represents the basic elements of this solution.

Figure 1. Unified eGRC solution

This solution builds and tests the integration between RSA Archer and SAP products by prototyping the processes that aid customers in understanding how the two products can work together. This combined, unified eGRC solution satisfies business and management priorities and facilitates the automated compliance with regulatory requirements.

Key results/recommendations

Organizations using both SAP and RSA Archer GRC will be able to:

Assess their current eGRC operations and identify processes that are resource intensive, time consuming, manual and repetitive.

Automate control and compliance data collection.

Receive direct data feeds from SAP into Archer to consolidate compliance results.

Use Archer’s advanced user interface, dashboard, analytics and reports to improve eGRC maturity.

Reduce manual effort spent on data collection, research, and analysis of GRC results from multiple sources.

Increase resource efficiency and the ability to evolve towards a predictive risk posture.

Eliminate manual action plan task assignment for compliance failures.

Immediately respond to both internal and external compliance inquiries with automated verification of detailed results.

Introduction

Purpose

The purpose of this document is to provide information about integration between RSA Archer GRC and SAP, which is provided as a service by RSA.

Scope

This White Paper focuses on the integration between RSA Archer GRC and SAP. The solution design, architecture and a sample of seven use cases are discussed in detail. The paper does not cover step-by-step configuration, infrastructure, or non-SAP application compliance management.

Audience

This document is intended for information security, risk, and controls (ISRC) leadership, Chief Information Security Officers, governance officers, internal audit, and SAP security managers. Readers should be familiar with Enterprise Compliance regulations and requirements, the RSA Archer GRC platform and its applications, SAP Business Suite, SAP GRC, and general IT functions requirements. Knowledge of EMC Hybrid Cloud is recommended but not mandatory.

Terminology

Table 1 lists terminology included in this white paper.

Table 1. Terminology

Term    Definition
CISO    Chief Information Security Officer
eGRC    Enterprise Governance, Risk, and Compliance
GRC     Governance, Risk, and Compliance
SoD     Segregation of Duties
SOX     Sarbanes-Oxley Act

Solution overview

Current situation

SAP Business Suite is the pre-eminent business software suite used by enterprises all over the world. All major business processes are covered by its components such as ERP, CRM, and SRM. SAP GRC or similar third-party tools are widely used by organizations to provide governance, risk and control to their SAP systems. The RSA Archer GRC solution is not only widely recognized as the eGRC market leader by Gartner and Forrester IT, but is in use in over 25 of the Fortune 100. This results in many of these organizations using both the SAP GRC (or similar third-party tools) and RSA Archer GRC. It also may result in the use of two separate GRC systems in many of these enterprises. Typically, SAP GRC manages compliance efforts within the SAP applications while Archer eGRC manages enterprise-wide non-SAP applications as well as infrastructure requirements.

Figure 2 shows how SAP applications communicate together but are separate from the Archer platform. The Archer application needs manual input for validation from non-SAP applications.

Figure 2. Current Archer/SAP environment

This scenario has several major disadvantages, including the effort required, the manual documentation needed, and the use of two separate but similar tools.

Significant effort required

Regulatory compliance within SAP is a resource-intensive activity that requires large amounts of time and distracts the focus of security team members who would be more productive focusing on more strategic preventative and predictive risk management activities.

Manual documentation

The current method of reporting compliance consists of manual testing followed by manually recording the results into Archer. This generates a huge amount of data to satisfy regulatory requirements. Furthermore, External Audit is far less comfortable with manually created documents than it is with trusted system-to-system interfaces or data transfers.

Separate tools

Having two separate GRC tools (Archer and SAP) both addressing “Compliance” and “Risk” objectives creates confusion about the purpose of each system. This confusion often leads to duplication of effort and overlapping resource responsibilities. In fact, these applications have quite different business objectives. The SAP GRC tool supports activities such as access management or compliant user provisioning (including segregation-of-duties reviews and mitigating controls), emergency access management, role management, and process controls. The Archer eGRC tool takes an enterprise focus that allows you to manage the complete lifecycle of corporate policies and report compliance with controls and regulatory requirements across the organization.

Our solution

The Archer/SAP integration approach eliminates the manual intervention required to report results and generate action plans. It addresses GRC from both a business and an IT perspective simultaneously. This enterprise-wide GRC strategy reduces risk with measurable and consistent metrics. It assists the company in becoming more cost-efficient in addressing risk and allows greater flexibility in adjusting its business model as the market demands without significantly increasing risk.

Figure 3 shows how SAP applications, non-SAP applications, and infrastructure integrate and feed into the Archer enterprise platform.

Figure 3. Archer/SAP integration

Compliance management and incident management

In this solution, the compliance management application directly communicates the adherence to or failure of the SAP applications to comply with client-specific settings and SOX regulations as identified within policy management. This results in tailored compliance solutions automatically distributing email notification of results related to your compliance levels. Compliance status is immediately visible within the dashboard reporting metrics and action can be taken based on automated workflow notification. This further advances the maturity of the organization and its ability to take action based on ongoing automated monitoring efforts rather than audit findings.


When Archer's incident management application identifies a non-compliant policy, it generates an incident which, in turn, creates a work task for the responsible party.

In this solution, not only will the Compliance Management dashboards display current compliance levels, but Incident Management will also track open items to achieve resolution for any temporary failures.

Each solution includes automated workflow notification functionality to communicate status. This is available to distribute updates to any interested or responsible parties.

Figure 4 illustrates an example of integrated compliance management, incident management and email notification.

Figure 4. Integrated compliance/incident management and email notification

Solution architecture

This solution consists of an SAP GRC system and an RSA Archer GRC system. To demonstrate the use cases of this solution, an SAP ERP IDES system was prepared as a source system to the SAP GRC system. A shared file repository is required and should be accessible from both the SAP GRC system and Archer GRC.

Note: While a standalone SAP GRC system was used in this solution, it is not mandatory. The tools can be integrated with an SAP system or an SAP GRC system.

Figure 5 shows the architecture of this solution.

Figure 5. Archer/SAP integration architecture

Table 2 lists the software components and their versions used in the solution lab.

Table 2. Solution software

Software          Version                Purpose
SAP GRC           10 SP13/NW 7.0 EhP2    SAP GRC system
SAP ERP           ECC 6.0 EhP6           SAP ERP IDES system
RSA Archer GRC    5.4 SP1 P2             RSA Archer GRC system

Key components

SAP Business Suite

SAP Business Suite is a collection of business applications that integrates enterprise-wide information and processes, collaboration, and functionality for specific industries. It consists of the following applications:

SAP ERP (Enterprise Resource Planning)

SAP CRM (Customer Relationship Management)

SAP SRM (Supplier Relationship Management)

SAP SCM (Supply Chain Management)

SAP PLM (Product Lifecycle Management)

The SAP ERP application provides the core of the SAP Business Suite. Augmented with the CRM, SRM, SCM, and PLM applications, it is used to manage all the key business processes involved in the daily business of companies all over the world. Manufacturing, inventory, sales, marketing, human resources, and accounting—there is hardly any aspect of modern business that SAP Business Suite does not handle.

SAP GRC

The SAP Business Suite includes multiple modules and products that cover all aspects of business operations (supply chain, finance, asset management, procurement, and so on). Each of these areas carries inherent compliance and risk components that need to be monitored by a centralized tool.


SAP-GRC is the tool used to ensure that SAP-related application, access, and process controls comply with standard regulatory statutes.

SAP GRC reviews access controls, process controls, and role management activities within the SAP applications to provide detailed feedback on internal control violations based on configured Segregation-of-Duties (SoD) matrices or process control violations based on defined policies. It is particularly effective in the monitoring of segregation-of-duties and process control capabilities within SAP applications, which are critical to assessing the overall GRC risk posture for the organization.

SAP GRC also supports firefighter or emergency access to SAP applications with tracking for audit purposes. These activities carry a compliance requirement to ensure that this special access is managed appropriately, reviewed in a timely manner, and is not used excessively.

RSA Archer

RSA Archer provides a technology architecture that integrates with EMC/VMware systems to provide a cohesive view into the organization’s eGRC operations. The integrated solution not only provides compliance data for configuration violations and vulnerabilities but also blends with risk analytics, loss events, logs, document and records retention data, and accounting information. This data is often scattered across multiple tools and systems. RSA Archer aggregates the data, putting risks, threats, incidents and compliance deficiencies into a business context and enabling managers to prioritize the response based on what is most significant to the organization.

Key characteristics

The key characteristics of the RSA Archer platform include:

Centralized views—A central view of risk and compliance activities provides a single lens through which stakeholders can identify threats early and prioritize issues, as well as improve efficiencies by applying a single process to multiple regulations. Archer’s dashboards provide easy-to-read information at executive and administrative levels. They include metrics on risk, compliance, incidents, and threat management, giving the organization valuable insight to drive its risk management processes. Figure 6 shows an example Archer dashboard.


Figure 6. Archer dashboard

Automation—Through automation, organizations achieve continuous risk and controls monitoring as opposed to the point-in-time spot checks of the past. Technological capabilities required include advanced risk analytics and modeling, automated controls tied to business rules engines, advanced content and process management capabilities, and embedded GRC control points.

Integration—Multiple point solutions that span different areas of the infrastructure are costly to manage, fail to deliver a holistic view of the enterprise, and cannot correlate analysis to provide reliable conclusions. Archer’s level of integration enables management and reporting across the enterprise.

Flexibility—The Archer platform is adaptable and can evolve as the business evolves. Furthermore, business is able to make changes and build out applications to solve business programs without relying on costly, time-intensive custom development.

EHC overview

The EMC Hybrid Cloud solution empowers IT organizations to accelerate implementation and adoption of an on-premises hybrid cloud that delivers infrastructure as a service (IaaS) to their business, while still enabling customer choice for the compute and networking infrastructure within the data center. It integrates the best of EMC and VMware products and services, and enables customers to build an enterprise-class, scalable, multitenant infrastructure that provides features and functionalities including:

Self-service and automation

Multitenancy and secure separation

Security and compliance

Monitoring and service assurance

Data protection, continuous availability, and disaster recovery

Metering

Particularly regarding security and compliance, this solution addresses the challenges of securing authentication and configuration management to aid in compliance with industry and regulatory standards through:

Securing the infrastructure by integrating with a public key infrastructure (PKI) to provide authenticity, nonrepudiation, and encryption

Converging the various authentication sources into a single directory to enable a centralized point of administration and policy enforcement

Using configuration management tools to audit the infrastructure and demonstrate compliance.

This solution seamlessly integrates with EMC Hybrid Cloud to provide enhanced security compliance on top of the previously mentioned security and compliance measures. In addition, it can be implemented as a standalone solution for those who would like to enjoy the benefit before transforming their existing IT infrastructure to EMC Hybrid Cloud.

Use cases and verifications

Overview

The following use cases provide a glimpse into the extensive automation possibilities between the SAP and Archer GRC applications. Each of the following SAP-related procedures has been created and tested. They can be implemented with the basic configuration framework to customize the solution based on the specific needs of an individual customer’s SAP landscape.

Note: These use cases are only a small representative sample of the many that are possible with SAP and Archer GRC integration.

Using an automated application to control verification

Automating the detailed confirmation of RSPARAM or IT application control settings enables customers to monitor specific application controls within SAP for regulatory compliance purposes. The existing parameters are identified and reported to Archer to note current settings (passed tests) and/or deviations from the configured requirements (failed tests).

Process

The following table describes the process of this use case.

Table 3. Using an automated application to control verification

Step    Description

1    Each test is executed based on scheduled batch job execution within the SAP system.

2    Results are written to a text file on a shared file server.

3    Archer selects the file and creates a Scan ID or Automated Configuration Check to provide evidence of the current settings for each target application.

4    Each parameter reviewed within every SAP client is reported as text within the automated configuration check or test execution and emailed to procedure owners for investigation based on any failures.

Summary

This automation eliminates the manual verification process that typically can take hundreds of hours of review (annually) across the SAP landscape. This results in a reduction in manual verification procedures and investigation time for internal resources.

Monitoring client opening and closing for configuration

Integration between Archer and SAP target systems documents the opening and closing of the SAP client for configuration. Each target system is monitored based on scheduled batch job execution within the SAP system, creating a text file on a shared file server. Archer selects the file and then creates a Scan ID or Automated Configuration Check to provide evidence of the current client configuration settings for each target application. These settings should be monitored to confirm that production and validated environments are set correctly. When a ticket is submitted to change the settings, opening the client for configuration should be extremely brief and monitored by system administrators. Automating this process to integrate into Archer for visibility, continuous monitoring, and awareness to confirm correctness will facilitate the communication of this high-risk activity.

Process

The following table describes the process of this use case.

Table 4. Monitor client opening and closing for configuration

Step Description

1 Data from each SAP client is reported as text within the automated configuration check or test execution.

2 The data is emailed to procedure owners for investigation of any failures.

3 Based on standard internal control reviews for SAP, production systems and validated environments are monitored to confirm adherence to general control settings.

Summary

This automation eliminates the manual client setting monitoring and verification process that typically occurs reactively after the identification of an incident. Our automated monitoring results in a reduction of manual verification procedures and investigation time for internal resources as well as providing more accurate and timely information on a high-risk SAP setting.
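The following Python is an added example, not code from the white paper or from RSA/S3, and it sketches the Archer-side pick-up step shared by the two use cases above (parameter verification and client open/close monitoring): it reads the text file that the scheduled SAP batch job is assumed to have written to the shared file server, classifies each parameter or client setting as a passed or failed test, and groups the failures by the procedure owner who would be emailed. The file layout, control names, expected values and owner addresses are all constructed for this example, since the paper does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export standing in for the text file the scheduled SAP
# batch job writes to the shared file server. The layout is an assumption
# (the white paper does not specify one): system|client|control|actual_value
SAMPLE_EXPORT = """\
PRD|100|login/min_password_lng|8
PRD|100|login/fails_to_user_lock|5
PRD|100|client_change_option|No changes allowed
PRD|200|login/min_password_lng|6
PRD|200|login/fails_to_user_lock|99
PRD|200|client_change_option|Changes allowed
QAS|100|login/min_password_lng|8
QAS|100|client_change_option|Changes allowed
"""

# Expected setting per control (constructed). "min"/"max" compare numerically
# against a lower/upper bound; "eq" requires a case-insensitive exact match.
EXPECTED = {
    "login/min_password_lng": ("min", "8"),
    "login/fails_to_user_lock": ("max", "5"),
    "client_change_option": ("eq", "No changes allowed"),
}

# Procedure owner emailed for each control family (constructed addresses).
OWNERS = {"login/": "basis-security@example.invalid",
          "client_": "change-management@example.invalid"}


@dataclass(frozen=True)
class CheckResult:
    system: str
    client: str
    control: str
    actual: str
    expected: str
    passed: bool
    detail: str

    def evidence(self):
        """One line of evidence text, as attached to the configuration check."""
        status = "PASS" if self.passed else "FAIL"
        return f"{self.system}/{self.client} {self.control}={self.actual} {status} ({self.detail})"


def parse_export(text):
    """Split the export into (system, client, control, actual) tuples. A malformed
    line aborts the run so a truncated file is never reported as a clean scan."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or not all(fields):
            raise ValueError(f"line {lineno}: expected 4 non-empty fields")
        records.append(tuple(fields))
    return records


def evaluate(record):
    """Classify one record as a passed or failed test. Fails closed: a control with
    no expected value, or a non-numeric value where a number is required, is a failure."""
    system, client, control, actual = record
    rule = EXPECTED.get(control)
    if rule is None:
        return CheckResult(system, client, control, actual, "", False,
                           "no expected value configured")
    kind, expected = rule
    if kind == "eq":
        passed = actual.casefold() == expected.casefold()
        detail = "matches" if passed else f"expected {expected!r}"
    else:
        try:
            a, e = int(actual), int(expected)
        except ValueError:
            return CheckResult(system, client, control, actual, expected, False,
                               "value is not numeric")
        bound = ">=" if kind == "min" else "<="
        passed = a >= e if kind == "min" else a <= e
        detail = "within limit" if passed else f"expected {bound} {expected}"
    return CheckResult(system, client, control, actual, expected, passed, detail)


def run_check(text):
    """Evaluate a whole export file; returns one CheckResult per record."""
    return [evaluate(r) for r in parse_export(text)]


def owner_for(control):
    """Map a control to its procedure owner by control-name prefix."""
    for prefix, owner in OWNERS.items():
        if control.startswith(prefix):
            return owner
    return "unassigned"


def failures_by_owner(results):
    """Group failed tests by the procedure owner who would be emailed."""
    grouped = defaultdict(list)
    for r in results:
        if not r.passed:
            grouped[owner_for(r.control)].append(r)
    return dict(grouped)
```

Run against the sample, client PRD/200 fails all three controls and QAS/100 fails the client change option, so each owner receives two items to investigate while PRD/100 produces only passed-test evidence.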

Integration between Archer and SAP target systems monitors the assignment of standard delivered SAP profiles to ensure that users are not assigned high-risk profiles directly. Each target system is monitored based on scheduled batch job execution within the SAP system creating a text file on a shared file server to identify any direct profile assignments. Archer will select the file and then create a Scan ID or Automated Configuration Check to provide evidence of the current profile assignment occurrences for each target application.

Process

The following table describes the process of this use case.

Table 5. Standard delivered SAP profiles

Step Description

1 Data from each SAP client is reported as text within the automated user to profile assignment report or test execution.

2 The data is emailed to procedure owners for investigation based on any user assignments.

3 Standard SAP security reporting programs are executed to identify any profile-related user assignments to relay to Archer.

Summary

Generating and automating reports eliminates the manual verification process across the SAP landscape and reduces investigation time for internal resources.
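The following is an added example, not code from the white paper, RSA, or SAP. It processes a user-to-profile assignment extract and reports only the direct assignments of watched standard profiles, which is the condition this use case is about. The extract layout and user names are constructed; SAP_ALL and SAP_NEW are real standard delivered profiles, but the watch list is an assumption that each customer sets for itself.

```python
"""Added example (not from the white paper or from RSA/SAP): flag users who hold
a standard delivered high-risk profile by direct assignment rather than through
a role. Extract layout and user names are constructed; the watch list is an
assumption (SAP_ALL and SAP_NEW are real standard profiles)."""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Assumed watch list of standard delivered profiles that must never be assigned directly.
HIGH_RISK_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample: one line per user/profile pair and how it was granted.
SAMPLE_EXTRACT = """\
system\tclient\tuser\tprofile\tassigned_via
PRD\t100\tJDOE\tSAP_ALL\tDIRECT
PRD\t100\tJDOE\tZ_FI_CLERK\tROLE
PRD\t100\tBATCH01\tSAP_NEW\tDIRECT
PRD\t100\tASMITH\tT_GENERATED_01\tROLE
QAS\t100\tTEST9\tsap_all\tdirect
"""


def parse_extract(text: str) -> list[dict[str, str]]:
    """Parse the tab-separated extract; upper-case every field so that a
    differently cased export does not hide a hit."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{k: v.strip().upper() for k, v in row.items()} for row in reader]


def direct_high_risk_assignments(rows, watch_list=HIGH_RISK_PROFILES):
    """Return {'SYSTEM/CLIENT/USER': [profiles]} for direct assignments of
    watched profiles. Profiles reached through a role are left out, because
    the control is specifically about bypassing role-based provisioning."""
    hits = defaultdict(list)
    for row in rows:
        if row["assigned_via"] == "DIRECT" and row["profile"] in watch_list:
            hits[f"{row['system']}/{row['client']}/{row['user']}"].append(row["profile"])
    return {key: sorted(profiles) for key, profiles in hits.items()}


def summarize(hits):
    """Count affected users per system/client, the figure a dashboard trends over time."""
    counts = defaultdict(int)
    for key in hits:
        system, client, _user = key.split("/")
        counts[f"{system}/{client}"] += 1
    return dict(counts)


def run_sample():
    hits = direct_high_risk_assignments(parse_extract(SAMPLE_EXTRACT))
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, counts = run_sample()
    for key, profiles in sorted(hits.items()):
        print(f"{key}: {', '.join(profiles)}")
    print(counts)
```

The per-user detail is what procedure owners need for investigation; the per-client count is what the Scan ID record should carry so that a trend towards zero is visible over successive runs.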


Identifying and deleting inactive SAP user accounts

Integration between Archer and SAP target systems monitors inactive user accounts to identify those that can be stripped of transactional access and eliminated. This use case is customized for each client based on internal Information Protection Protocols to migrate inactive user accounts into a retired user group or to dispose of them, as required. De-provision inactive accounts to remove any current access assignments, and modify user groups when necessary.

Each target system is monitored based on a scheduled batch job execution within the SAP system creating a text file on a shared file server to identify the inactive user accounts. Archer selects the file and then creates a Scan ID or Automated Configuration Check to provide evidence of the current profile assignment occurrences for each target application. Standard SAP security reporting and programs identify inactive user accounts based on last logon dates and the customer’s inactive account parameters; these accounts are then relayed to Archer.

Process

The following table describes the process of this use case.

Table 6. Identifying and deleting inactive SAP user accounts

Step Description

1 Data from each SAP client is reported as text within the automated last logon report or test execution.

2 Data is emailed to procedure owners for investigation of any accounts that should be retired.

3 Based on each client’s workflow needs, automatic GRC-Access Controls provisioning requests are created to eliminate role assignments identified during the review of stale user accounts.

4 Once accounts are identified based on the standard Last Logon report, an automatic deprovisioning request is submitted to retire the account.

Summary

Generating automated reports eliminates the manual verification process across the SAP landscape, reducing investigation time for internal resources.
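The following is an added example, not code from the white paper, RSA, or SAP. It classifies accounts from a last-logon extract against a customer-defined inactivity threshold and returns the list that would feed an automatic deprovisioning request. The extract layout, user names, and the 90-day threshold are constructed assumptions; the single-letter user types (A dialog, B system, C communication, S service, L reference) are SAP's standard user types. Two edge cases from the process above are handled: accounts that have never logged on are measured from their creation date, and stale technical accounts are routed to review rather than to automatic retirement, because deleting them can break interfaces.

```python
"""Added example (not from the white paper or from RSA/SAP): classify accounts
from a last-logon extract against an assumed inactivity threshold. Extract
layout, user names and the 90-day threshold are constructed; user-type letters
are SAP's standard user types."""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

INACTIVE_AFTER_DAYS = 90  # assumed customer parameter

# Constructed sample: an empty last_logon means the account has never logged on.
SAMPLE_EXTRACT = """\
system\tclient\tuser\tuser_type\tcreated\tlast_logon\tlocked
PRD\t100\tJDOE\tA\t2012-03-01\t2014-07-30\tN
PRD\t100\tMLEE\tA\t2012-03-01\t2014-02-11\tN
PRD\t100\tNEWHIRE\tA\t2014-01-15\t\tN
PRD\t100\tRFCUSER\tB\t2011-09-09\t2013-01-01\tN
PRD\t100\tOLDTEMP\tA\t2010-05-05\t2013-06-01\tY
"""


def parse_extract(text):
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [{k: v.strip() for k, v in row.items()} for row in reader]


def classify(rows, as_of: date, threshold_days=INACTIVE_AFTER_DAYS):
    """Return {'SYSTEM/CLIENT/USER': action} for every account in the extract.

    RETIRE             dialog user whose last logon is older than the threshold
    RETIRE_NEVER_USED  dialog user with no logon at all, created before the cutoff
    REVIEW_TECHNICAL   non-dialog account that is stale by date; deletion can
                       break interfaces, so it goes to manual review instead
    OK                 active within the threshold
    A locked account still receives its action: a lock is not de-provisioning,
    the role assignments remain and must be removed.
    """
    cutoff = as_of - timedelta(days=threshold_days)
    actions = {}
    for row in rows:
        key = f"{row['system']}/{row['client']}/{row['user']}"
        reference = row["last_logon"] or row["created"]
        stale = date.fromisoformat(reference) < cutoff
        if not stale:
            actions[key] = "OK"
        elif row["user_type"] != "A":
            actions[key] = "REVIEW_TECHNICAL"
        elif not row["last_logon"]:
            actions[key] = "RETIRE_NEVER_USED"
        else:
            actions[key] = "RETIRE"
    return actions


def deprovisioning_requests(actions):
    """Accounts that would be submitted as automatic deprovisioning requests."""
    return sorted(key for key, action in actions.items() if action.startswith("RETIRE"))


def run_sample():
    actions = classify(parse_extract(SAMPLE_EXTRACT), as_of=date(2014, 8, 1))
    return actions, deprovisioning_requests(actions)


if __name__ == "__main__":
    actions, requests = run_sample()
    for key, action in sorted(actions.items()):
        print(f"{key}: {action}")
    print("deprovision:", requests)
```

The as-of date is passed in rather than taken from the clock so that a run can be replayed against an archived extract and produce the same evidence.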

Monitoring SoD user violation rates

Integration between Archer and SAP target systems monitors users with unmitigated SoD violations to identify those that require further remediation. Outstanding user SoD violation rates should be below customer-defined tolerances and automatically monitored or remediated on an ongoing basis. When user violations occur, it is likely that role provisioning has occurred that is outside of the mitigation process. This increases the risks related to provisioning and potential misuse of the applications.

When users are identified after execution of the standard batch jobs within SAP-GRC, the scheduled batch job creates an aggregated SAP target system text file on a shared file server to identify users for mitigation. Archer selects the file and creates a Scan ID or Automated Configuration Check to provide evidence of the current open user SoD violations. This use case is supported based on standard SAP security reporting and programs to identify user accounts with unmitigated SoD violations to relay to Archer.

Process

The following table describes the process of this use case.

Table 7. Monitoring SoD user violation rates

Step Description

1 Data from each SAP client is reported as text within the GRC reports for unmitigated users.

2 Data is emailed to procedure owners for investigation and mitigation.

3 Standard SAP security reporting and programs identify users with unmitigated SoD violations.

4 These users are relayed to Archer for distribution.

5 Based on each client’s mitigation needs, automatic GRC-Access Controls provisioning requests can be created to request user mitigation during the review of SoD occurrences within existing active user accounts.

6 Once the accounts are identified, an automatic deprovisioning request can be submitted to retire the account.

Summary

Automating this process facilitates the visibility of the recertification process and aligns continuous monitoring to the overall organization risk profile. This results in a reduction in manual verification procedures and investigation time for internal resources while increasing the automation of the mitigation and evidence-gathering processes.

Monitoring SoD role violation rates

Integration between Archer and SAP target systems monitors open SoD role violation rates to identify single or composite roles that maintain unmitigated SoD violations. Outstanding role SoD violation rates should be zero and need to be automatically monitored or remediated on an ongoing basis. This information is aggregated in GRC for all target applications and provided in an attachment to Archer for notification and distribution on a periodic basis. This automation reduces the risk that violations exist but are not monitored by the appropriate business personnel. By integrating the remediation and continuous monitoring process into the Archer platform, the results are visible to management to ensure compliance and role recertification.

Process

The following table describes the process of this use case.


Table 8. Monitoring SoD role violation rates

Step Description

1 When roles with open SoD violations are identified after execution of the standard batch jobs within SAP-GRC, the scheduled batch job aggregating data from each SAP target system creates a text file on a shared file server to identify roles for mitigation.

2 Archer selects the file and creates a Scan ID or Automated Configuration Check with an attachment (or link) providing supporting evidence of the current open SoD role violations for each target application.

3 Standard SAP security reporting and programs identify roles with unmitigated SoD violations and relay them to Archer for distribution.

Summary

Automating this process improves the visibility of the recertification process and aligns continuous monitoring to the overall organization risk profile. This reduces manual verification procedures and investigation time for internal resources, while increasingly automating the mitigation and evidence gathering process.

Monitoring of opening/closing of financial and material periods for posting

Integration between Archer and SAP target systems uses scheduled batch job execution to identify the current setting and report the status of the opening and closing of the SAP financial and material posting periods. The risk to an organization is that the posting period for a prior (or future) period is open and posting is allowed into the wrong period, affecting revenue recognition.

Each target system is reported based on scheduled batch job execution within the SAP target system, which creates a text file on a shared file server. Archer selects the file and creates a Scan ID or Automated Configuration Check to provide documentation of the current posting period settings for each target application.

Process

The following table describes the process of this use case.

Table 9. Monitoring of opening/closing of financial and material periods for posting

Step Description

1 Data from each SAP client is reported as text within the automated configuration check or test execution.

2 The data is emailed to procedure owners for confirmation.

3 Based on standard internal control reviews for SAP, production systems and validated environments are monitored to confirm adherence to general control settings, and to confirm that the financial and material posting periods are aligned with the desired settings.

Summary

This automation eliminates the manual verification process and avoids uncertainty about the status of the application while reducing investigation time for internal resources.
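The following is an added example, not code from the white paper, RSA, or SAP. It checks a posting-period extract so that, for each company code and account type, the open range neither reaches back into a prior period nor forward into a future one, which is exactly the risk the use case describes. The extract layout, company codes, and the assumed current period are constructed; the single-letter account types loosely follow how SAP groups posting periods, but the format is not an SAP export.

```python
"""Added example (not from the white paper or from RSA/SAP): check a posting-period
extract so that only the intended fiscal period is open per company code and
account type. Extract layout, company codes and the current period are
constructed assumptions."""
from __future__ import annotations

import csv
import io

# Constructed sample: open period range per company code and account type.
# (from_year, from_period) .. (to_year, to_period) is a closed interval.
SAMPLE_EXTRACT = """\
company_code\taccount_type\tfrom_year\tfrom_period\tto_year\tto_period
1000\tS\t2014\t8\t2014\t8
1000\tD\t2014\t7\t2014\t8
2000\tS\t2014\t8\t2014\t9
2000\tM\t2013\t1\t2014\t8
3000\tS\t2014\t7\t2014\t7
"""


def parse_extract(text):
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        rows.append({
            "company_code": row["company_code"].strip(),
            "account_type": row["account_type"].strip(),
            # (year, period) tuples order correctly because year comes first
            "open_from": (int(row["from_year"]), int(row["from_period"])),
            "open_to": (int(row["to_year"]), int(row["to_period"])),
        })
    return rows


def check_periods(rows, current):
    """Return {'CC/ACCT': [issues]} for ranges that let postings into the wrong period.

    PRIOR_OPEN      range starts before the current period (backdated postings possible)
    FUTURE_OPEN     range ends after the current period (postings into a future period)
    CURRENT_CLOSED  the current period is not inside the open range at all
    """
    findings = {}
    for row in rows:
        issues = []
        if row["open_from"] < current:
            issues.append("PRIOR_OPEN")
        if row["open_to"] > current:
            issues.append("FUTURE_OPEN")
        if not (row["open_from"] <= current <= row["open_to"]):
            issues.append("CURRENT_CLOSED")
        if issues:
            findings[f"{row['company_code']}/{row['account_type']}"] = issues
    return findings


def run_sample():
    return check_periods(parse_extract(SAMPLE_EXTRACT), current=(2014, 8))


if __name__ == "__main__":
    for key, issues in sorted(run_sample().items()):
        print(f"{key}: {', '.join(issues)}")
```

During period-end close the prior period is legitimately open for a few days, so a production version of this check would take the customer's close window as a parameter and suppress PRIOR_OPEN for the immediately preceding period inside that window.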


Conclusion

Summary

The integration of RSA Archer and SAP provides a solution that enables customers to address the challenges posed by the disjointed nature of GRC as it currently exists in the SAP landscape. This solution centralizes and consolidates audit information from SAP and non-SAP applications in a single repository. This unified eGRC solution satisfies both business and IT priorities and enables automated compliance with regulatory requirements.

Archer’s Professional Services personnel can transform the fragmented and largely manual governance programs into automated analysis solutions. Their services can apply sophisticated dashboard reporting, integrated data connections, and real-time analysis to what is (in many cases) the biggest and most important business application used in the enterprise. The complete visibility afforded by this solution facilitates executive decision-making, supports current regulatory compliance needs, and meets the predictive risk and eGRC needs of tomorrow.

Findings

Customers who employ both RSA Archer and SAP should:

Assess their current eGRC practice and identify processes that are time-consuming, manual, and repetitive.

Automate to the greatest extent possible the collection of control and compliance data.

Implement direct data feeds from SAP to Archer to consolidate compliance results.

Use Archer’s advanced user interface, dashboard, analytics and reports to improve eGRC maturity.

Professional Services

These highly integrated solutions enable Professional Services personnel to transform your existing manual governance programs into fully automated predictive analysis solutions. Service experts inject technology efficiency and automation into your processes to drive immediate results.

With enhanced dashboard reporting, integrated data connections, and immediately available analysis of your largest and key applications, we provide a 360° view of your risk environment. This complete visibility facilitates executive decision-making, delivers immediate risk management results, and is the foundation for evolving your IT department to enable business operations.

A Professional Services team provides solutions that can immediately reduce your IT spend in the areas of regulatory compliance and support by:

Identifying client-specific SAP configuration for core Archer integration and automation

Providing recommendations and a roadmap for further automation and overall program enhancements

Providing a detailed assessment of your Archer, SAP, and eGRC landscape


Professional Services can transform your organization to meet the predictive risk and eGRC needs of tomorrow while smoothly supporting the regulatory compliance needs of today.

Additional services

A sample of additional professional services and technology solutions related to SAP/Security/IAM/eGRC include:

Complete SAP security deployments

Role redesign and/or remediation

GRC deployments, upgrades, assessments

IAM/IdM integration and deployment

Full life cycle identity, authorization, and authentication solutions

Further customizations of Archer, SAP, and IdM solutions

Automation of SAP continuous monitoring tasks, including

Identification of incomplete, manual, or changed authorizations

Identification and analysis of out-of-synch roles (mismatched parent-to-child or incorrect child role values)

Identification of roles with non-compliant technical names

Identification of non-compliant user group elements


References

White papers

For additional information, see the white papers listed below.

EMC Hybrid Cloud Solution with VMware: Foundation Infrastructure Reference Architecture 2.5

EMC Hybrid Cloud Solution with VMware: Foundation Infrastructure Solution Guide 2.5

EMC Hybrid Cloud Solution with VMware: Security Solution Guide 2.5

EMC Hybrid Cloud for SAP: VMware vCloud Automation Center, VMware vCloud Application Director, EMC ViPR, EMC ViPR SRM

Product documentation

For additional information, see the product documents listed below.

RSA Archer GRC Platform Administration Guide

RSA Archer GRC Platform 5.4 Solutions User Guide
