
Business Analytics the way we do it

Access Controls

Providing end-to-end user access management, eliminating segregation of duties (SOD) risks

The Opportunity
Access management with segregation of duties is a critical requirement for every
organization today. By maintaining appropriate roles and authorizations in the
organization, we can prevent fraud and control user access.
Despite the importance of access, some of the key challenges that organizations are
facing today are:




Delays in providing access to users


No uniform roles and tasks definition
No information and analytics on quantum of risks
High audit time and cost
No active management and visibility of sensitive access

Business and IT - Ongoing Dilemma

[Figure: speech bubbles from Business, IT (Security/Controls Team), Auditors/Compliance Teams and Senior Management: "I need ALL access, I'm a Super User"; "Why don't you let me do my job?"; "I hired Bill today. He needs access to close books by tomorrow!!!"; "Violating so many controls? This is ugly..."; "Why can't you ever get your act together?"]

The figure above depicts the ever-growing access demands of the business and stringent
audit requirements.

Capgemini Solution
Standard roles and associated tasks based on the Capgemini Global Process Model
will ensure conflict-free roles while ensuring adequate access for the
operating team for seamless performance of various processes.

Deliver Centralized Preventive Control Around Segregation of Duties


This would mean a common Segregation of Duties (SOD) matrix being followed
across the organization. A common SOD matrix across different business processes
and entities will provide visibility of cross-organization risks which would otherwise not be visible.
All roles created within the organization should be compliant with this central SOD
matrix. Users, when assigned to roles, would need to be checked for any SOD
conflicts before the actual assignment.

Drive Automation in User Access Management


This would ensure faster access for users. Automation will also enable approvals from
various stakeholders, such as role owners and line managers, to be taken through a
web-enabled workflow. An audit trail for the entire access provisioning process will also be captured.

Reduce Audit Time and Cost


Cost will come down if centralized access control processes, based on Capgemini-defined
Global Process Models, are followed. The Global Process Model for access
control provides best practice for various access processes such as role creation,
role deletion, user role assignment workflows, periodic reviews for movers, leavers
and joiners, and many more. These processes capture all audit requirements, thereby
reducing audit time and cost.
Analytics and reporting around sensitive access drive better decision making.
A pre-delivered set of analytics and reporting is available from Capgemini around the
following areas to drive greater visibility and predictability of risks.

How It Works
A step-by-step approach for conceptualization, analysis and remediation around
Access Controls.

Case Study
Capgemini is currently providing a complete access control service, including global reporting and analytics, across more than 50 countries for a leading Fast Moving Consumer Goods (FMCG) company. The scope includes role management, user access management, and monitoring of critical access and super user access. Role management includes evaluation of the effectiveness of mitigation controls. Capgemini has provided the list of global mitigation controls which are part of the Global Process Model.
Capgemini has increased visibility with global reporting along with recommendations on remediation for identified risks. The global reporting offers a summarized as well as a drill-down view of the risk areas by country or business process. Analytics around the top 5 sensitive access risks, unmitigated SOD risks, usage for fire fighter Single Platform Module (SPM) and more help drive the organization's focus towards key risk areas and address them quickly.

[Figure: the six steps, Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation and Continuous Compliance, grouped into Phase One, Phase Two and Phase Three]

(1) Risk Recognition
Identify or approve conflicts and exceptions
Classify risks as Critical, High, Medium, or Low
Identify new risks and conditions that should be monitored

(2) Rule Building and Validation
Establish technical rules to monitor risk
Verify rules against test cases (Users/Roles)

(3) Analysis
Run reports for risk analysis
Explore alternatives to eliminating risk
Size cleanup efforts
Modify rules based on analysis

(4) Remediation
Determine alternatives for eliminating risks
Present analysis and select corrective actions
Document approval of corrective actions
Modify/create roles or user assignment

(5) Mitigation
Design alternative controls to mitigate risk
Educate management on conflicts approval and monitoring
Document a process for monitoring mitigation controls
Implement controls

(6) Continuous Compliance
Communicate changes in roles and user assignment
Simulate changes to roles and users
Implement alerts; they will:
- Aid in monitoring new access risks
- Assist in testing mitigation controls

Capgemini will deliver the Access Control service on a run-service basis
and will ensure that segregation of duties challenges are avoided at the stage of
providing access.

Key Analytics We Provide on Access Control:


Access Control Reporting and Analytics: Visibility and Outcome

Movers, Leavers and Joiners: The number of people in ERP changing positions, leaving or joining the organization

Sensitive Access: People having access to sensitive IT transactions or sensitive business transactions

Segregation of Duties: Reporting specific to divisions & clusters in the organization for SOD and follow up for resolution

Super User Access and Usage: Fire fighter IDs assigned to users with validity and type of usage

Usage Analysis and Role Mining: From within the roles available with the users, reviewing the transactions used

Benefits of Access Controls

Protect Information and Prevent Fraud
Eliminate access and authorization risks with out-of-the-box rules
Enforce segregation of duties across applications and departments
Prevent improper access instead of reacting to problems

Optimize Operations
Automate segregation of duties management
Automate access management
Promote IT and Line of Business collaboration
Enforce accountability with review and approval processes
Ease compliance and avoid authorization risk

Minimize Time and Cost of Financial Compliance
Provide proof and reliability with control tests and audit trail for SOD controls
Report and review key risk indicators for system access

For more details contact:
Terry Sandiford
terence.sandiford@capgemini.com
Capgemini Differentiators
Differentiator: Purpose

SPRInT: Strategy for Provisioning Roles in Transparency, a brainchild of Capgemini for accelerated SOD health check.

GRC Business Value Workshops: A day/s workshop at the client premises which is a good starting point of the engagement depending on the GRC maturity of the customer.

GRC CoE Infrastructure: Sandbox and Demo environment for GRC suite of products which can be used by Capgemini Consultants to conceptualize client scenarios and test.

Ready to Run Training Scenarios: Standard Training scripts and recordings to accelerate transition and transformation around Access Controls.

GPM: Global Process Models for SAP GRC Access Controls and Process Controls activities.

Risk and Control Library: Capgemini has a detailed risk and controls library with over 400+ controls defined for various business processes across sectors.

CG GRC Global Community: A global community of Access Control and Risk management consultants across the world with knowledge of business processes.

About Capgemini
With more than 125,000 people in 44 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2012 global revenues of EUR 10.3 billion.
Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want.
A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience, and draws on Rightshore, its worldwide delivery model.
Learn more about us at www.capgemini.com

The information contained in this document is proprietary. © 2013 Capgemini.
All rights reserved. Rightshore is a trademark belonging to Capgemini.
