
SAP GRC - ACCESS CONTROL

Submitted by:
• Manas Choudhary (12030241142) – C – Group Leader – 9665372521
• Shankar Kendre (12030241159) – C – 9960899626
• Raghavendra Aarole (Roll No) – C – 7709998886
• Ishan Mishra (12030241073) – A – 7276899981
• Rahul Vardhan Dinesh (12030241210) – D – 9420290268
Batch 2012-14

Agenda
• Fragmentation – 01
• Integrated GRC – 02
• SAP Solutions for GRC – 03
• Segregation of Duties Violations – 04
• Risk Analysis and Remediation – 05-06
• Access Management – 07
• Compliant Provisioning – 08-09
• Benefits of SAP GRC – 10-11

Fragmentation
Managing with confidence is difficult in an increasingly complex world

[Slide diagram: regulatory drivers (ASX Principle 7, CLERP 9, SOX, ROHS, WEEE) and risk areas (segregation of duties, credit risk, human capital risk, project risk) across regions (Australia, U.S.A., Japan, U.K., France, China, Germany, India) and business functions (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Audit & Compliance, Treasury), each running its own separate governance, risk management and compliance activities on top of a fragmented application landscape: Security, Project Mgmt., Document Mgmt., Contracts, Planning, Customers, ERP, Production, Billing.]

Integrated GRC
Forward looking organizations are seeking a unified approach to GRC

[Slide diagram: the same regulatory drivers, risk areas, regions, business functions and applications as on the Fragmentation slide, shown as the scope that a single unified GRC approach must cover.]

SAP Solutions for GRC
A unified solution for GRC management

[Slide diagram, layered from top to bottom:
• Business Process
• Industry-Specific GRC: Life Sciences, Chemicals, Oil & Gas, High Tech, Banking
• Cross-Industry GRC: Risk Management; Compliance (Access Control, Process Control, Global Trade, Environment & Controls)
• GRC Repository
• Business Process Platform
• Business Applications]

• Transparency to balanced global risk profile
• Standardization on common GRC content and rules
• Automates and embeds GRC into business processes

Segregation of Duties Violations

[Slide table: three phases and the Access Control capability that serves each]
Minimal Time To Compliance (Get Clean)
• Risk Identification and Remediation – rapid, cost-effective and comprehensive initial clean-up
Effective Continuous Access Management (Stay Clean)
• Enterprise Role Management – enforce SoD compliance at design time
• Compliant User Provisioning – prevent SoD violations at run time
• Superuser Privilege Management – close the #1 audit issue with temporary emergency access
Management Oversight and Audit (Stay in Control)
• Periodic Access Review and Audit – focus on remaining challenges during recurring audits

Underpinning all five capabilities: risk analysis, remediation and prevention services, and a cross-enterprise library of best practice segregation of duties rules.

Risk Analysis and Remediation

Access Risks Services
• Risk Identification: Real-time SoD Risk Analysis; Critical Transaction Monitoring; Cross-Application Integration
• Elimination: Remediation Management; Mitigation Management
• Reporting: Alerts Framework; Reporting
• Prevention: Real-time Simulation; Mandatory Prevention
• Access Risks Library: Cross-Enterprise Rules Database; Cross-Enterprise Rules Architect

• Common services across all SAP GRC Access Control capabilities
• Prevention services deliver 24/7, real-time compliance by stopping security and controls violations before they occur

“SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate.” – Synopsys Inc.

Risk Analysis and Remediation (contd.)
Getting clean: Initial Risk Analysis and Remediation

[Slide diagram: Risk Identification → Risk Elimination → Reporting → Prevention, with end-to-end automation across all four steps]
• Facilitates collaboration between Business and IT to clean up access risks

“The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations.” – Synopsys Inc.

Access Management
The only compliance-focused emergency access solution

Key Functionality
• ID Administration
• Date Restrictions
• Log-in Restrictions
• Single User per ID
• Specific Authorization Access
• Notification
• Alert Framework
• Reporting
• Audit Logs

Compliant Superuser Access
[Slide diagram: a superuser requests privileged security access; each emergency session checks out a pre-assigned firecall ID scoped to a module (SD, MM, FICO, ...), and every session writes a log]
• Pre-assigned firecall IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log
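The restrictions listed above (pre-assigned IDs, validity dates, a single user per ID, access limited to specific authorizations, notification of the ID owner and a field-level audit log) are easiest to reason about as one small broker that sits in front of the emergency ID. The Python below is an added example written for this page, not SAP's code; the firecall ID name, its owner, the permitted transaction codes, the session lifetime and the incident reference are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FirecallId:
    """A pre-assigned emergency ('firecall') ID and the restrictions placed on it."""
    name: str
    owner: str                          # controller notified on every check-out
    allowed_tcodes: Set[str]            # specific authorization access for this ID
    valid_from: datetime                # validity dates
    valid_to: datetime
    active_user: Optional[str] = None   # single user per ID at any one time
    session_expires: Optional[datetime] = None


@dataclass
class LogEntry:
    when: datetime
    firecall_id: str
    user: str
    event: str                          # CHECKOUT / CHANGE / BLOCKED / DENIED / CHECKIN
    details: Dict[str, str] = field(default_factory=dict)


class FirecallBroker:
    """Constructed broker: enforces the restrictions and keeps the audit log."""

    def __init__(self, ids: List[FirecallId], session_ttl: timedelta = timedelta(hours=4)):
        self.ids = {f.name: f for f in ids}
        self.session_ttl = session_ttl          # assumed maximum emergency session length
        self.log: List[LogEntry] = []
        self.notifications: List[Tuple[str, str]] = []   # (recipient, message)

    def _log(self, when, fid, user, event, **details):
        self.log.append(LogEntry(when, fid, user, event, dict(details)))

    def _deny(self, when, fid, user, reason) -> bool:
        # Denied attempts are logged too: the reviewer wants to see them.
        self._log(when, fid, user, "DENIED", reason=reason)
        return False

    def _session_valid(self, f: FirecallId, user: str, now: datetime) -> bool:
        return f.active_user == user and f.session_expires is not None and now < f.session_expires

    def checkout(self, fid: str, user: str, reason: str, now: datetime) -> bool:
        """Check the ID out to a user: validity dates, one user per ID, reason required."""
        f = self.ids[fid]
        if not (f.valid_from <= now <= f.valid_to):
            return self._deny(now, fid, user, "outside validity dates")
        if f.active_user and f.active_user != user and now < f.session_expires:
            return self._deny(now, fid, user, f"already checked out by {f.active_user}")
        if not reason.strip():
            return self._deny(now, fid, user, "business reason required")
        f.active_user, f.session_expires = user, now + self.session_ttl
        self._log(now, fid, user, "CHECKOUT", reason=reason, expires=f.session_expires.isoformat())
        self.notifications.append((f.owner, f"{user} checked out {fid}: {reason}"))
        return True

    def record_change(self, fid: str, user: str, now: datetime, tcode: str,
                      changes: Dict[str, Tuple[str, str]]) -> bool:
        """Log a transaction run under the ID, one entry per changed field (old -> new)."""
        f = self.ids[fid]
        if not self._session_valid(f, user, now):
            return self._deny(now, fid, user, "no active session")
        if tcode not in f.allowed_tcodes:
            self._log(now, fid, user, "BLOCKED", tcode=tcode)
            return False
        for fld, (old, new) in changes.items():
            self._log(now, fid, user, "CHANGE", tcode=tcode, field=fld, old=old, new=new)
        return True

    def checkin(self, fid: str, user: str, now: datetime) -> bool:
        f = self.ids[fid]
        if f.active_user != user:
            return self._deny(now, fid, user, "not the session holder")
        f.active_user, f.session_expires = None, None
        self._log(now, fid, user, "CHECKIN")
        return True

    def review(self, fid: str) -> List[LogEntry]:
        """Everything done (or attempted) under the ID, for the owner's post-incident review."""
        return [e for e in self.log if e.firecall_id == fid]


if __name__ == "__main__":
    # Constructed firecall ID for the FI/CO module and a constructed incident.
    ff = FirecallId("FF_FICO_01", "fico.controller", {"FB01", "FB02"},
                    datetime(2024, 3, 1), datetime(2024, 3, 31))
    broker = FirecallBroker([ff])
    t0 = datetime(2024, 3, 1, 9, 0)
    broker.checkout("FF_FICO_01", "alice", "INC-0001: stuck posting", t0)
    broker.record_change("FF_FICO_01", "alice", t0 + timedelta(minutes=10), "FB02",
                         {"BLDAT": ("2024-02-28", "2024-03-01")})
    broker.checkin("FF_FICO_01", "alice", t0 + timedelta(minutes=30))
    for entry in broker.review("FF_FICO_01"):
        print(entry.when.time(), entry.event, entry.details)
```

The point of the design is that every decision the slide's bullets describe (date window, single holder, permitted transactions) produces a log entry whether it is allowed or denied, so the owner's review shows attempts as well as changes.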
Compliant Provisioning
Current Approach—Inefficient, Not Compliant
[Slide diagram: Access Request (email) → Manager Approval (email) → Role Owner (spreadsheets, paper forms) → IT Security (spreadsheets, paper forms) → Manual Provisioning]
Enables Compliant End-to-End Provisioning, “hire to retire”
Compliant Provisioning (contd.)
Compliant Provisioning with Dynamic Workflow
[Slide diagram:
• Request – 100% automated, HR event generated (employee hired/retired); manager approval via e-mail; escalation workflow; exception workflow
• Path – workflow based on request type and user attributes
• Risk Analysis – 1 “click” preventive simulation
• Automated Provisioning – 100% automated]
• Embed cross-enterprise preventive compliance into business process
• Reduce cost of user administration
• Improve productivity of end users
• Auditable tracking for auditors
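The Risk Analysis and Remediation slides describe real-time SoD risk analysis against a rule library, mitigation management and batch clean-up, and the provisioning workflow above adds a preventive simulation of a request before anything is provisioned. All four are the same computation over the same rule data, so the following Python is one added example covering both slides. It is written for this page, not SAP's code or SAP's delivered rule set: the business functions, risk ids, roles and user assignments are a constructed toy subset, and the transaction codes are only used as labels for that subset.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed, simplified SoD rule set (assumed; not SAP's delivered content).
# A business function is the set of transaction codes that let a user perform it.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01_MAINTAIN_VENDOR": {"FK01", "FK02", "XK01", "XK02"},
    "AP02_PROCESS_PAYMENTS": {"F110", "F-53"},
    "PR01_CREATE_PO": {"ME21N", "ME22N"},
    "PR02_GOODS_RECEIPT": {"MIGO", "MB01"},
}

# An access risk is a pair of functions that must not be executed by the same person.
RISKS: Dict[str, Tuple[str, str, str]] = {
    "P001": ("AP01_MAINTAIN_VENDOR", "AP02_PROCESS_PAYMENTS",
             "Create a fictitious vendor and pay it"),
    "P002": ("PR01_CREATE_PO", "PR02_GOODS_RECEIPT",
             "Order goods and confirm their receipt without a second party"),
}

# Constructed sample roles: role name -> transaction codes the role grants.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_DISPLAY_ONLY": {"FK03", "ME23N"},
}


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    description: str
    # (function, transaction codes the user actually holds for it), for remediation
    evidence: Tuple[Tuple[str, Tuple[str, ...]], ...]


def tcodes_for(roles: Iterable[str]) -> Set[str]:
    """Flatten a user's roles into the transaction codes they grant."""
    codes: Set[str] = set()
    for role in roles:
        codes |= ROLES.get(role, set())
    return codes


def analyze_user(user: str, roles: Iterable[str],
                 mitigated: Iterable[str] = ()) -> List[Violation]:
    """Risk identification: every SoD risk the user's combined roles make possible.

    Risk ids in `mitigated` have a mitigating control assigned for this user
    (for example an independent review of the payment run); they are accepted
    rather than reported, which is the mitigation-management path.
    """
    codes = tcodes_for(roles)
    held = {f for f, fcodes in FUNCTIONS.items() if fcodes & codes}
    accepted = set(mitigated)
    found: List[Violation] = []
    for risk_id, (fa, fb, desc) in sorted(RISKS.items()):
        if fa in held and fb in held and risk_id not in accepted:
            evidence = tuple((f, tuple(sorted(FUNCTIONS[f] & codes))) for f in (fa, fb))
            found.append(Violation(user, risk_id, desc, evidence))
    return found


def simulate_request(user: str, current_roles: Iterable[str],
                     requested_roles: Iterable[str],
                     mitigated: Iterable[str] = ()) -> List[Violation]:
    """Preventive simulation at request time: risks that would be newly introduced
    if the requested roles were added to the current ones. An empty result means
    approving the request creates no new SoD violation."""
    before = {v.risk_id for v in analyze_user(user, current_roles, mitigated)}
    after = analyze_user(user, set(current_roles) | set(requested_roles), mitigated)
    return [v for v in after if v.risk_id not in before]


def batch_analysis(assignments: Dict[str, Set[str]],
                   mitigations: Optional[Dict[str, Set[str]]] = None) -> Dict[str, List[str]]:
    """Initial clean-up view over all users: user -> unmitigated risk ids."""
    mitigations = mitigations or {}
    report: Dict[str, List[str]] = {}
    for user, roles in sorted(assignments.items()):
        hits = analyze_user(user, roles, mitigations.get(user, set()))
        if hits:
            report[user] = [v.risk_id for v in hits]
    return report


if __name__ == "__main__":
    # Constructed user-role assignments.
    users = {
        "jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # holds both sides of P001
        "asmith": {"Z_BUYER"},
        "rlee": {"Z_DISPLAY_ONLY"},
    }
    print("Clean-up report:", batch_analysis(users))
    new = simulate_request("asmith", users["asmith"], {"Z_WAREHOUSE"})
    print("Request Z_WAREHOUSE for asmith would add:", [v.risk_id for v in new])
```

The simulation deliberately reports only risks the request would introduce; a user who already carries a known, tracked violation is not blocked from an unrelated display-only role, which keeps the workflow focused on the approval decision in front of the manager.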
Benefits of SAP GRC
• Key Solution Capabilities and Benefits
– Identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control
– Provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk across the enterprise
– Allows for true cross-enterprise SoD risk mitigation by integrating into SAP and non-SAP systems
• Common Customer Challenges Addressed
– Need to comply with SOX regulations for section 404, or similar regulations
– Weak support for the audit process to ensure the right measures are in place to prevent fraud
– Manual or people-intensive compliance processes involving emails, spreadsheets and/or paper
– Costly, manual remediation
– Uncontrolled role management
– Excessive super-user access
– Inefficient and un-auditable user provisioning
– Reactive vs. preventative
• Establish approach and process to manage risk rules
• Gain alerts on potential violations
• Identify business functions which produce risks when executed by the same individual
• Focus on prevention vs. “a point in time” detection
• Simplify compliant enterprise level role administration
• Enforce compliant security for Privileged Access
• Increase visibility through timely notification
• Deliver audit ready, detailed reporting
• Lower risk and save money through proactive compliance

Thank You