Slide 1
How to implement SAP GRC Access Control 10.0 successfully
The National Lottery Belgium case
Gert De Pauw, The National Lottery
Chris Walravens, Expertum
SAPience.be Tech Day 2012
Slide 2
Agenda
Key Facts about the National Lottery
Project challenges / major reasons
Key Facts about Delaware / Expertum
Project Approach / solutions
Benefits for business & IT
Success Factors
Lessons learned / pitfalls
Next steps
Slide 3
The National Lottery
Law of 19 April 2002 + the management contract between the Belgian State and the National Lottery: “socially responsible and professional provider of gaming entertainment” with two essential objectives:
• channel gambling behaviour and thus offer an alternative to private and/or illegal games
• attract the existing users of lotteries and games of chance with a modern and attractive offering, without however expanding the size of the market
Financial support to organisations and events of public interest:
• 225.3 million euro in subsidies around the themes of social affairs, sport, culture, family, science and national prestige are approved by the Council of Ministers. Since 2002 the National Lottery has paid 27.44% of the total annual subsidy amount directly to the three (Flemish, French and German-speaking) Communities.
• Social or name sponsorship of initiatives for the integration and well-being of less well-off population groups (e.g. Restos du Coeur, end-of-year dinners, visits to events and exhibitions at reduced rates)
In a responsible manner
Belgium's biggest patron
Channelling
Actively and autonomously contribute to the prevention and treatment of gambling addiction through support for initiatives in that direction
Slide 4
The National Lottery
Some key figures

RK (regional office)    FTE ops/log   FTE sales
RK Brussel (Jette)            3            6
RK Antwerpen                  4            8
RK Brugge                     3            6
RK Tienen                     3            7
RK Gent                       5            7
RK Namen                      3            7
RK Mons                       4            6
RK Liège                      4            6
Total decentralised          29           53

• One of the largest retail networks in Belgium
• 5240 points of sale: self-employed retailers work on commission and sell our products
Slide 5
The Project Challenges
Business
• Access too broad, with impact on performance / fraud / errors
• No transparency regarding content of authorizations
IT
• Mainly manual processes
• No prevention of access risk possible
SOD (Segregation of Duties)
• Hardly any segregation of duties enforced
• No clear responsibilities defined
• Difficult overview for Internal and External Audit
Slide 6
The Project Challenges
Business
• Reduce the accesses on a need-to-have basis
• Enhance transparency to enhance understanding
• Introduce role / risk ownership to allow a clear approval process
IT
• Automate user provisioning processes
• Enforce preventive SOD checks
Audit
• Enforce segregation of duties
• Obtain audit trail for user provisioning processes
• Monitoring & Reporting tool for Internal and External Audit
Slide 7
Delaware
History
• Founded in 1981; has been part of Bekaert, Andersen and Deloitte
• Independent partnership since 2003
Today
• 750 professionals
• Belgium, China, Singapore, France, Luxembourg, The Netherlands & US
Recipe
• Aligning business and technology
• Combining strengths, delivering solutions
Philosophy
• Entrepreneurship, Care, Respect, Team spirit, Commitment
Slide 8
Expertum
History
• Founded in April 2006 by 2 ex-SAP Belux employees
• Partnerships
Today
• Team of 50+ SAP Experts and Project Managers
Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with a wide industry knowledge in several domains
Slide 9
The Project Approach
Transition plan
• SAP GRC Access Control 10.0
  • AMR (Analyse & Manage Risk)
  • EAM (Emergency Access Management)
  • PMU (Provision & Manage Users)
• Monitoring / Reporting
• Business Role
Timeline (diagram; the milestone dates as labelled on the slide): 01/11/2011, 01/05/2012, 08/11/2012, 01/05/2013. Phases shown: SAP GRC Access Control 10.0, Monitoring / Reporting, Business Roles (marked TO BE).
Slide 10
The Project Approach
Diagram (recovered labels): the GRC AC 10.0 modules and the phase each supports.
• Analyze & Manage Risk (AMR): customizing, master data, rule set vs used functionality (Get Clean): minimal time to compliance
• Provision & Manage Users (PMU): provisioning, approval procedures, workflow (Stay Clean): continuous access management
• Business Role Management (BRM): “PFCG” (existing authorization concept remains)
• Emergency Access Management (EAM): fire fighters: who? Approval: who? Access: what?
• Periodic access review and audit: focus on remaining challenges during periodic audits (Stay in Control): effective management oversight and audit
• GRC AC 10.0 authorizations
Slide 11
The Project Approach - AMR
Create understanding & ownership of the rule set
Validation workshops for the rule set:
• Business processes (department / ECC module / owners)
• Risks (classification / owners)
• Segregation of Duties conflicts
• Critical functionality
• Integration of own developed transaction codes
Input from key users was crucial
Validation of the rule set from internal audit
Slide 12
The Project Approach - AMR
Results of the workshops:
• Review user lists with rule set violations
• Indicate remove / keep
• Parts of the Segregation of Duties conflicts
• Critical functionality
• Detailed testing of the rule set
• Preparation for the remediation activities
Remediation activities
• Remove / update roles
• Assign a mitigating control (« access accepted »)
• Split roles postponed until the business roles setup
Slide 13
The Project Approach - EAM
Workshops for identifying:
• What Firefighter IDs are needed
• What specific authorizations are needed per firefighter
• Which users can use which firefighter
• Who the Firefighter owners & controllers are
• What the allowed Reason Codes are
Input from key users was crucial
Slide 14
The Project Approach - EAM
Diagram (recovered labels): an end user opens firefighter sessions (FF session 1, 2, 3) from the central GRC dashboard; each session runs under a firefighter user-ID (FF user-ID 1, 2, 3) on the Firefighter ECC system, where logging & reporting produces Report 1, 2, 3, which go to the owner for approval.
Slide 15
The Project Approach - PMU
Automatic workflow provisioning
• New user triggered by HR department
• Role assignments / removals approved by role owner(s)
• Requests / approvals / changes automatically logged
Preventive risk analysis
• Role assignment requests include risk analysis
• Risk violations approved / mitigated / rejected by risk owner(s)
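The deck describes two uses of one rule set: the AMR workshops reviewed user lists with rule-set violations (slide 12), and PMU runs a preventive risk analysis on every role assignment request before the risk owner decides to approve, mitigate or reject. The toy below, added here as an illustration and not code from the presentation or from SAP GRC Access Control, models both steps on transaction-code level only. The function catalogue, rule set, `Z_*` PFCG roles, users and mitigations are constructed sample data; the real product also evaluates authorization objects and field values, which is why the deck stresses validating and testing the rule set.

```python
"""Toy SoD rule-set analysis modelled on the AMR and PMU steps in the deck.

All data below (functions, rule set, roles, users, mitigations) is constructed
for illustration; it is not the National Lottery's rule set or SAP content.
"""
from dataclasses import dataclass

# A function bundles the transaction codes that grant one business capability.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},
    "VENDOR_PAY": {"F110", "F-53"},
    "PO_CREATE": {"ME21N"},
    "GR_POST": {"MIGO"},
    "USER_ADMIN": {"SU01", "PFCG"},
}


@dataclass(frozen=True)
class Risk:
    """One rule-set entry: an SoD risk names two conflicting functions,
    a critical-functionality risk names a single function."""
    risk_id: str
    description: str
    functions: frozenset
    owner: str  # risk owner who approves, mitigates or rejects violations


RULE_SET = [
    Risk("P001", "Maintain vendor master and pay vendors",
         frozenset({"VENDOR_MAINT", "VENDOR_PAY"}), "finance_director"),
    Risk("P002", "Create purchase order and post goods receipt",
         frozenset({"PO_CREATE", "GR_POST"}), "purchasing_manager"),
    Risk("B001", "User and role administration (critical functionality)",
         frozenset({"USER_ADMIN"}), "security_lead"),
]

# Hypothetical PFCG roles and the transaction codes they grant (constructed).
ROLES = {
    "Z_AP_CLERK": {"XK01", "XK02", "FB60"},
    "Z_AP_PAYMENT": {"F110"},
    "Z_PURCHASER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS": {"SU01", "PFCG"},
}

# Current role assignments (constructed).
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "BOB": {"Z_PURCHASER"},
    "CAROL": {"Z_BASIS"},
}

# Risks a risk owner has accepted for a user with a mitigating control
# (the deck's "access accepted"), keyed by (user, risk_id).
MITIGATIONS = {("BOB", "P002")}


def functions_of(roles):
    """Map a set of role names to the functions their transaction codes enable."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES[role]
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def analyze(user, roles):
    """Rule-set check for one user: list of (risk_id, owner, status),
    where status is 'violation' or 'mitigated'."""
    enabled = functions_of(roles)
    hits = []
    for risk in RULE_SET:
        if risk.functions <= enabled:
            status = "mitigated" if (user, risk.risk_id) in MITIGATIONS else "violation"
            hits.append((risk.risk_id, risk.owner, status))
    return hits


def violation_report(users):
    """AMR step: per-user list of open rule-set violations for the review workshops."""
    return {u: [h for h in analyze(u, r) if h[2] == "violation"]
            for u, r in users.items()}


def simulate_request(user, requested_role):
    """PMU step: preventive risk analysis of a role assignment request.
    Reports only the risks the new role would introduce, so the risk owner
    sees what the request changes rather than the user's existing findings."""
    current = USERS.get(user, set())
    before = {h[0] for h in analyze(user, current)}
    after = analyze(user, current | {requested_role})
    return [h for h in after if h[0] not in before]


if __name__ == "__main__":
    for user, hits in violation_report(USERS).items():
        print(user, hits or "clean")
    print("BOB + Z_WAREHOUSE:", simulate_request("BOB", "Z_WAREHOUSE"))
    print("ALICE + Z_PURCHASER:", simulate_request("ALICE", "Z_PURCHASER"))
```

The mitigation table is keyed by user and risk, so a request that would create risk P002 for BOB comes back as "mitigated" rather than "violation", which is the workflow outcome the deck describes for an accepted risk with a mitigating control; the same request for a user without a control would go to the risk owner as an open violation.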
Slide 16
Benefits
Business
• Understanding
• Transparency
• Ownership
• Approvals with (more) knowledge
IT
• Automation
• Process is business driven
• Ownership lies with business
Slide 17
Success Factors
Key user / business involvement from the start
Technical knowledge of the software
Knowledge of user and role administration processes
Combining technical and process knowledge into optimal solution and application setup
Slide 18
Lessons Learned / Pitfalls
Usually existing authorization concepts are not fully suited to allow:
• Advanced remediation activities
• Full transparency, so that ownership and understanding are fully possible
Don’t overestimate the possibilities
• The Firefighter log only logs what is in the CDHDR & CDPOS tables
• Web Dynpros are customizable, but only to a point
• Portal integration (UWL) is not fully possible
Slide 19
The Next Steps
Business Roles
• Redesign technical roles
• Define business roles corresponding to positions
• Set up the BRM module
Automate HR trigger
• Currently user creation is triggered by a manual request
• An automated request will be implemented
Approval Delegation
Slide 20
Gert De Pauw, Senior SAP Manager
T. +32 475 22 49 56, E. [email protected]
Chris Walravens, GRC Competence Lead
T. +32 474 47 59 83, E. [email protected]
www.expertum.net
Contact Details
Thank you!