
Benefits of Automating Compliance
Stephen DuBravac, Executive Vice President

SECURITY WEAVER

Enterprise Application Compliance


Simple Fast Efficient

What matters

- 5% of revenue is lost to fraud & abuse (1)
- 1 million dollars: the fine for accidental submission of a wrongful SOX certification (2)
- 50K+: recurring cost of SOD analysis if there are no acceptable tools for compliance evidence (3)
- 2x: the amount costs will increase by 2014 without a formal enterprise risk program (4)

SECURITY WEAVER
Enterprise Application Compliance Simplified

How can enterprises simultaneously:
- make compliance a non-event,
- drive operational efficiencies,
- elevate the value of risk management,
- increase profits?

Agenda
1. Introduction
2. Exploit all kinds of automation benefits
3. Optimize ROI of automation
4. Resources

Security Weaver: Trusted, Proven, Growing

Security Weaver is a best-of-breed compliance application suite that integrates with any SAP environment to quickly and easily control enterprise cross-application compliance risk in real time.

Headquarters: San Diego, California, USA
Founded: 2004
Solutions: Cross-Platform Access Controls, Process Controls, License Management & Custom Solutions
Clients: >100 customers globally; >300 installations globally; >1,000,000 SAP users
Geography: North America, Latin America, India, and Europe
Services: 24x7x365 Technical Support, Implementation Services, Training, Consulting and Remediation

Agenda (section 2 of 4)
2. Exploit all kinds of automation benefits
3. Optimize ROI of automation
4. Resources

Benefits of automated controls

Drive up
- Compliance (tactical): breadth of control, control effectiveness, audit cadence, adaptiveness
- Process effectiveness (strategic): cycle time, validation scope, visibility, better business decisions

Drive down
- Cost efficiencies (tactical): cost of controls, cost of research, cost of penalties & fines, cost of audit
- Risks (strategic): economic risk, reputational risk, operational risk, audit shocks

Agenda (section 3 of 4)
1. Introduction
2. Exploit all kinds of automation benefits
3. Optimize ROI of automation
4. Resources

Optimize ROI of automation (step 1 of 6): 1st things 1st

Compliance maturity levels

- Level 0: Chaos
- Level 1: Auditor Driven
- Level 2: Auditor Anticipated
- Level 3: Process Optimized
- Level 4: Business Optimized

Maturity informed investments

- Level 1, Auditor Driven: detective controls, applied after the finding; value: penalty & theft avoidance; example: SOD rules matrix
- Level 2, Auditor Anticipated: collaborative controls, applied after the fact; value: audit efficiency; example: real-time (RT) process controls
- Level 3, Process Optimized: preventative controls, applied before the fact; value: process efficiencies and effectiveness; example: compliant automated user provisioning
- Level 4, Business Optimized: insightful controls, correlated with business and market data; value: business outcomes; example: consolidated reporting

Optimize ROI of automation (step 2 of 6): Leverage
(after 1st things 1st)

Leverage existing technology stack

(Chart: cost versus complexity of the "big blocks" that come with a new technology stack. Cost blocks: Admin/Labor, Power/Space, Processes & training, Maintenance, Software, Acquisition. Complexity blocks: Maintenance & integrations, ETL, Sourcing.)

Optimize ROI of automation (step 3 of 6): Iterate
(after 1st things 1st, Leverage)

Iterate: Keep earning your budget

1. Have a repeatable management process
2. Think strategically and horizontally (have a roadmap)
3. Act tactically (quick cadence of a string of wins)
4. Balance multiple stakeholder objectives; anticipate competition for budget
5. Iterate across increasing levels of clarity:
   - Detect (what and why)
   - Correct (who and how)
   - Prevent (when: cadence and signals)
   - Prove (quantify the business case)
   - Reuse (framework and technology stack)

Example Compliance Roadmap

Unique to each enterprise (user centric); capabilities in order of increasing maturity:
1. Segregation of duties rule set with conflict tracking
2. Role design automation
3. Self-service temporary/emergency access
4. Self-service password reset
5. Automated user provisioning
6. Process controls
7. User license management
8. ROIC
9. Transaction analytics
10. Common cockpit

Risk management lifecycle
A sustainable management methodology

1. Orient: Understand the internal and external landscape
2. Assess: Frame risk management options and selection guidelines
3. Plan: Determine the optimal response and specify requirements
4. Design: Architect people, processes, data, and technology
5. Build: Document, code, create training, and package releases
6. Test: Validate assumptions, stakeholder alignment, and code
7. Operate: Check, measure, and control operational outcomes
8. Adjust: Make tactical or operational changes, or initiate strategic changes, as appropriate

Implementation sequencing
A sustainable management methodology

Score each candidate option against the same columns and rank by total:

Option   | Risk weighting (1) | ROI | Time to implement | Total costs | Audit criticality | Total
Option 1 |                    |     |                   |             |                   |
Option 2 |                    |     |                   |             |                   |
Option 3 |                    |     |                   |             |                   |
Option 4 |                    |     |                   |             |                   |
Option n |                    |     |                   |             |                   |

(1) Risk weighting = (impact of risk) * (likelihood of risk)

Optimize ROI of automation (step 4 of 6): Value People
(after 1st things 1st, Leverage, Iterate)

Prove your team's value

1. Use benchmark data (ISACA, ACFE, user groups)
2. Model current processes (especially inputs/outputs)
3. Conduct a time and labor baseline
4. Let sunk costs stay sunk
5. Keep it simple
6. Conduct follow-up studies after each phase
7. Include non-quantitative benefits as well
8. Track compliance data and data access gains

Always think about people

1. Create a safe workplace: computers don't commit fraud; people do
2. Use the skills you already have and already trust
3. Design compliance to enable greater productivity
4. Use compliance data for better processes and roles, not just for better control
5. Get feedback and give it to your partners

What matters

- $140K: the median loss from fraud, with 20% of losses at least $1M (1)
- 53% of ISACA survey respondents made segregation of duties last year's top issue (2)
- >83% are first-time offenders (3); 70% of all employees said they would if they could get away with it (4)
- >1/2 of victims recovered nothing (5)

Optimize ROI of automation (step 5 of 6): Get continuous
(after 1st things 1st, Leverage, Iterate, Value People)

Continuous management by exception

1. Think in terms of episodes instead of periods
2. Think in terms of audit systems, not just audit findings
3. Share data and processes between audit and management
4. Focus on providing useful risk information, not just compliance attestation data

Optimize ROI of automation (step 6 of 6): Business focused
(after 1st things 1st, Leverage, Iterate, Value People, Get continuous)

Drive business outcomes

The same matrix as "Benefits of automated controls": drive up compliance (tactical) and process effectiveness (strategic); drive down cost (tactical) and risk (strategic).

Siemens is SAP's largest customer, with more than 400,000 users spread across 500+ subsidiaries in 160+ countries, on nearly 100 SAP PRD instances.

Problem: global compliance issues and no automated solution
- The auditor required an automated process for management review of user access to SAP
- No structured way to provision new users
- Needed a fast, scalable solution for their global, complex SAP environment
- Had already sunk significant cost into other SOD solutions

Solution: implemented Security Weaver
- Integrated automated SOD management and reporting to tighten user access controls worldwide
- 12,000-user system scan in less than 4 minutes
- Full SOD remediation in 8 weeks
- Integrated with non-SAP applications

Result: user access and SOD compliance
"The implementation speed, intuitive user handling and the value of immediate usage of the product without major customizing led Siemens AG, amongst other key features like application handling, reporting efficiency and integration within SAP, to the purchase of Security Weaver." -- Michael Brauer, head of Siemens CIO CA / Program Manager for P2P Data Assurance

Agenda (section 4 of 4)
1. Introduction
2. Exploit all kinds of automation benefits
3. Optimize ROI of automation
4. Resources

Resources
- SecurityWeaver.com: customized training, formal training, product and solution details, free SOD evaluations and product trials
- ISS booth near Bordeaux A
- ISACA.org
- ERP Control Specialists*: www.erpcontrol.com
- Security Weaver User Group

* ERP Control Specialists is a Security Weaver Platinum Level partner focusing on integrated compliance process design and optimization

Customers include (customer logos)

Why Security Weaver

- $0: cost of incremental hardware
- <6: months to payback, typically, for a compliance solution
- days to install the entire suite of tools for a fully automated, user-centric compliance solution
- 100% of our solutions are available as services

Thank You

Leverage existing investments

1. Exploit existing software: native monitoring, alerting, and enforcement; add-ons; SAP transports
2. Avoid new hardware purchases
3. Use controls that work inline
4. Do small data first, big data later
5. Use modular solutions and move at the speed of your business needs
6. Avoid complex and foreign skill set requirements

Why Security Weaver

100% customer satisfaction
- no client has ever canceled support or left for a competitor

Superior performance
- accomplish compliance work in the least time possible

Exceptionally low costs
- typically no need to purchase hardware
- may be purchased as a service
- implementation typically takes between 2 and 5 days per module
- use the skills you have; no new technology stack to manage

Proven
- leverages existing SAP capabilities
- POC in less than 5 days, with a thorough findings report, ROI analysis, and project plan

Modules

Module tiles: Secure Provisioning (SP, full life cycle user access administration); Process Auditor (PA, transaction monitoring and auditing); Emergency Repair (ER, emergency access management); Role Deriver (RD, role administration)

Critical Access Monitoring & Reporting
- Separations Enforcer (SE): tool to manage segregation of duties (SOD), delivered with a best-practice SOD rule set
- Dash: management reporting and analytics
- Secure Enterprise: integration layer for non-SAP systems

User Access Operations
- Secure Provisioning (SP): user provisioning with integrated SOD analysis; supports full employee life cycle user administration
- Reset Password (RP): integrated self-service password reset for SAP users
- Role Deriver (RD): support tool for derived role build (part of SE)
- Emergency Repair (ER): provides emergency access in a secure environment
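The Separations Enforcer and Secure Provisioning entries above describe three pieces: an SOD rule set, conflicts tracked back to the access that causes them, and an SOD analysis integrated into provisioning. As an added illustration (not Security Weaver's code, and not its delivered rule set), the Python below implements those pieces at transaction-code level: a constructed map of business functions to SAP transaction codes, a constructed four-rule SOD matrix, a detective scan that attributes each conflict to the two roles and transactions responsible, and a preventive pre-check that reports only the conflicts a requested role would add. The role catalog and user assignments are sample data made up for the example.

```python
"""Segregation-of-duties (SOD) analysis over SAP-style role assignments.

Added illustration only: the function map, rule set, role catalog and
users below are constructed for the example and are not a vendor's
delivered rule set. Access is modelled at transaction-code level; a
production check must also evaluate authorization objects.
"""
from dataclasses import dataclass
from itertools import product

# Business functions and the transaction codes that grant them (constructed).
FUNCTIONS = {
    "vendor_master_maintain": {"XK01", "XK02", "FK01", "FK02"},
    "vendor_invoice_post": {"FB60", "MIRO"},
    "payment_run": {"F110"},
    "purchase_order_create": {"ME21N", "ME22N"},
    "goods_receipt": {"MIGO"},
    "user_admin": {"SU01", "SU10"},
    "role_admin": {"PFCG"},
}

# SOD rule set: pairs of functions one person must not hold together (constructed).
RULES = {
    "P2P-01": ("vendor_master_maintain", "payment_run"),
    "P2P-02": ("vendor_master_maintain", "vendor_invoice_post"),
    "P2P-03": ("purchase_order_create", "goods_receipt"),
    "BASIS-01": ("user_admin", "role_admin"),
}

# Role catalog and user assignments (constructed sample data).
ROLE_CATALOG = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_TREASURY_PAY": {"F110"},
    "Z_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_ALL": {"SU01", "PFCG"},  # conflicts with itself: a role-design defect
}
ASSIGNMENTS = {
    "jdoe": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "asmith": ["Z_BUYER"],
    "basis1": ["Z_BASIS_ALL"],
}


@dataclass(frozen=True, order=True)
class Conflict:
    """One rule violation, attributed to the (function, role, tcode) grant on
    each side so remediation knows exactly which assignment to remove."""
    rule: str
    user: str
    left: tuple
    right: tuple


def grants_of(roles, role_catalog):
    """Expand roles into (function, role, tcode) grants; the tcode kept is the
    evidence an auditor would ask for."""
    grants = []
    for role in roles:
        for fn, tcodes in FUNCTIONS.items():
            hit = sorted(role_catalog[role] & tcodes)
            if hit:
                grants.append((fn, role, hit[0]))
    return grants


def analyze_user(user, roles, role_catalog):
    """Detective control: every SOD conflict in the user's current access."""
    grants = grants_of(roles, role_catalog)
    found = set()
    for rule, (fn_a, fn_b) in RULES.items():
        side_a = [g for g in grants if g[0] == fn_a]
        side_b = [g for g in grants if g[0] == fn_b]
        for a, b in product(side_a, side_b):
            found.add(Conflict(rule, user, a, b))
    return sorted(found)


def analyze_all(assignments, role_catalog):
    """Scan every user; returns {user: [Conflict, ...]}."""
    return {u: analyze_user(u, r, role_catalog) for u, r in assignments.items()}


def provisioning_precheck(user, current_roles, new_role, role_catalog):
    """Preventive control: only the conflicts that adding `new_role` would
    introduce on top of those the user already carries."""
    before = set(analyze_user(user, current_roles, role_catalog))
    after = set(analyze_user(user, list(current_roles) + [new_role], role_catalog))
    return sorted(after - before)


if __name__ == "__main__":
    for user, conflicts in analyze_all(ASSIGNMENTS, ROLE_CATALOG).items():
        for c in conflicts:
            print(f"{user}: {c.rule} via {c.left[1]}/{c.left[2]} and {c.right[1]}/{c.right[2]}")
    blocked = provisioning_precheck("jdoe", ASSIGNMENTS["jdoe"], "Z_TREASURY_PAY", ROLE_CATALOG)
    print("request jdoe -> Z_TREASURY_PAY:", "BLOCKED" if blocked else "OK", [c.rule for c in blocked])
```

The pre-check is the "before the fact" control of maturity level 3 and the full scan is the level-1 detective one; both read the same rule set, so remediation and provisioning cannot drift apart. Two caveats before running anything like this against a real system: SAP grants access through authorization objects, not only S_TCODE, so a check that looks at transaction codes alone will miss access reached via RFC, Fiori apps or custom and parameter transactions; and a conflict inside a single role (the Z_BASIS_ALL case) has to be fixed in role design, since no user-level remediation removes it.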

Security Weaver GRC Platform (Enterprise Application Compliance)

Enterprise Password Management
- Reset Password (RP)

Business Process Controls
- Process Auditor (PA): embedded, configurable rules engine capable of true, real-time continuous controls monitoring

SAP License Utilization Optimization
- License Manager (LM): enterprise software asset management; delivers cost savings based on role/user reclassifications

Integration
- Secure Enterprise (EN): platform-independent compliance integration layer to enterprise applications (ERP, legacy, other)