Basics for GRC


7/29/2019 Basics for GRC

SAP GRC (Basic)

Biju (jays)

http://sapsecurity.info


Contents

Introduction: Welcome; SAP Security Overview; SOX Overview

Access Control Solution Overview

Compliance Calibrator Overview: Rules Architect; Mitigation Controls; Alerts; Compliance Configuration

Firefighter Overview

Access Enforcer Overview: Module Breakdown; Process Walkthrough

Role Expert Overview: Module Breakdown


Security Design: example R/3 role design model

Process side: Business Processes are broken down into Processes, Sub-Processes, Activities and Worksteps. A Transaction is the SAP workstep; an Activity is made up of one or more worksteps (transactions).

Organisation side: an Org Unit (division) contains Jobs (the general category a position belongs to); a Position performs one or more Roles; an Employee holds a position.

Role mapping: a Role performs one or more activities; Composite Roles group single Roles, and the composite role is what is assigned to the user.


SAP Security: the major elements of the SAP authorization concept

Users
User profile
Composite profiles
Simple profiles
Authorization objects
Authorizations
Fields
Values (activities, organizational elements)
Transactions

A user holds a user profile made up of composite profiles; composite profiles group simple profiles; simple profiles contain authorizations; each authorization is an instance of an authorization object whose fields and values define object access and restrictions; transactions are executed under those authorizations. Roles bundle transactions and authorizations and generate the profiles.

To address this complexity and flexibility, SAP has developed a solution called the SAP GRC Access Controls Suite. The following sections walk through how Compliance Calibrator (CC) addresses some of these issues.


Securing financial application systems for SOX compliance

SOX

The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly known as SOX or Sarbox, was passed in response to major corporate scandals such as Enron.

Enron Corporation was an American energy company based in Houston, Texas.

Enron figures in late 2001:

Enron employed around 22,000 people (McLean & Elkind, 2003)

Claimed revenues of $111 billion in 2000

Fortune named Enron "America's Most Innovative Company" for six consecutive years

At the end of 2001 it was revealed that its reported financial condition was sustained substantially by institutionalized, systematic, and creatively planned accounting fraud. Enron filed for bankruptcy protection in the Southern District of New York.


    Some interesting facts


Present access and authorizations approach

IT does not own the responsibility for proper segregation of duties. IT cannot understand the hurdles on the business side, as it lacks the collaboration tools and language to work efficiently with the business owners.

Line-of-business managers are responsible for SoD, but they lack the technical depth to manage user access, so they rely on IT.

Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners and so on, they can only perform a very limited audit at a very high cost.


Sarbanes-Oxley and SAP: top 7 control deficiencies in SAP

1. Segregation of Duties: segregation of duties is the most important point of control focus, and the most common deficiency.

2. Inconsistent Business Process Procedures: documented business procedures not matching the actual process is another problem area in many SAP implementations.

3. Unsecured Customized Programs: many customized 'Z' or 'Y' transactions are built to suit the business process, typically without the authority checks built into the standard transactions they replace.

4. Unauthorized Access to SAP BASIS: many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. Such unrestricted access can lead to a potential control deficiency under Sarbanes-Oxley.

5. Unrestricted Posting Periods: allowing unrestricted access to open posting periods in SAP can result in unauthorized entries in previous open periods. This can become a severe control deficiency under SOX.

6. SAP Access for Terminated Employees: SAP access had not been revoked for employees who had been terminated. This can potentially lead to a control deficiency.

7. Database and OS Hardening: the data in SAP sits in a database such as Oracle, and SAP itself runs on an operating system. If the database and operating system are not hardened, the whole SAP environment is put at risk.


GRC: Governance, Risk, Compliance

SAP Compliance Calibrator

Business challenges

- Identifying risks arising through user access privileges.

- Knowing when users have executed transactions that constitute a risk.

- Developing solutions for risk management and control.

IT / security challenges

- Stopping risk from being introduced into the production system through change updates.

- Prohibiting and controlling access to critical Basis, developer and sensitive business transactions.

- Ensuring that mitigating controls exist for user access risks and are executed.


Segregation of duties in applications (SoD)

The basic premise of segregation of duties is that users should not be in a position to initiate and authorize their own transactions.

Modern ERP applications like SAP, Oracle Apps, JD Edwards and PeopleSoft can be configured based on roles. Access to specific transactions in the system can be restricted based on user roles and profiles.

Segregation of duties in applications can act as a major antifraud control and lead to better SOX compliance.

IT-based antifraud controls: SoD and SAT

SAT (sensitive access to transactions) controls coupled with SoD controls can act as the foundation for IT-based antifraud controls.

The other important antifraud control is restricting user access to sensitive transactions in the system. From an IT perspective users have access to a lot of information such as payroll data, balance sheet, profit and loss account etc. This sensitive information can be misused. It is therefore important to restrict user access to this sensitive information in applications.


MM SoD conflicts (sample data)

SoD control (functions that should be segregated) | Risk | Risk level

Post Goods Receipt and Post Payments | A user could post or change a fictitious or incorrect goods receipt and set up a fraudulent automatic payment or create a fraudulent check. | H

Post Goods Receipt and Process Outgoing Payments | A user could post or change a fictitious or incorrect goods receipt and post a fraudulent payment or clear the invoice to hide the deception. | H

Post Goods Receipt and Process Inventory | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. | H

Post Goods Receipt and Process Inventory Documents | A user could post or change a fictitious or incorrect goods receipt and create/change an inventory document/count to hide the deception or clear the inventory count to hide the deception. | H

Post Goods Receipt and Goods Issue | A user could post or change a fictitious or incorrect goods receipt and then use a goods issue to hide the deception. The vendor would be paid for the excess recorded receipt. | H

Post Goods Receipt and Process Materials | A user could create or change a fictitious receipt and create/change a material document to hide the deception. | H


Compliance Calibrator key terms

Business Process: used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all business processes. All risks and functions are assigned to a business process.

Function: identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.

Action: known as a transaction in SAP. To perform a function, more than one action may need to be performed.

Permission: an authorization object (with its field values) in SAP; permissions form part of actions.

Risk: identifies a potential problem your enterprise may encounter, which could cause errors or irregularities within the system.

Rule Set: categorizes and aggregates the rules generated from risks. When you define a risk, you attribute one or more rule sets to that risk. Similar to a business process.

SoD (Segregation of Duties): primary internal controls intended to prevent, or decrease the risk of, errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by assuring no single individual has control over separate phases of a business transaction.


Definitions: Function, Business Process, Action, Permissions and Activities

1. Function

2. Business process

3. Action

4. Permissions

5. Activities


SAP Compliance Calibrator: process overview

Role maintenance (preventative): Request role change > Analyse and approve role change > Build change > Risk analysis > Approve change > Deploy change

SAP CC is used to identify SoD conflicts before the change enters production. This allows control leads to reject the introduction of risk, or to assign / implement a mitigating control before the risk is present. Note: rules have to be pre-defined before risk analysis is performed.

User provisioning (preventative): Request access > Identify risks > Business approval > Update user > Execute controls

A deeper understanding of the risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SoD risk or a critical transaction.

Security controls (detective): Analyse SoD conflicts; Analyse critical transactions; Alert on SoD violations; Alert on critical transaction usage

SAP CC is used to execute security controls for periodic review and approval of SoD conflict and critical transaction risks. Alert monitoring can also be used to notify business or control leads when an SoD violation occurs or a critical transaction is used.


Rules Architect: SoD risk

SAP Compliance Calibrator

Rules are created in Compliance Calibrator based on the risks you define.

Rules are logical constructions composed of a circumstance or condition, and the appropriate response to that condition. This is commonly represented as an If-Then statement:

IF Employee X can Create a Vendor AND Employee X can Authorize Payment to a Vendor

THEN Employee X has been granted High Risk conflicting roles

This is an example of an SoD risk. Risks defined in Compliance Calibrator generate the rules.


Rules Architect: the Rules Library

The core engine of SAP CC contains a rules library that maintains the risks for SoD conflicts. This library contains the conflicting transactions, grouped into functions, including the authorization object and activity settings, and runs to thousands of records.

For each identified risk the rules need to be configured so that the risk is properly recorded; in essence this means the removal of false positives. A false positive is a rule that matches at the transaction level but where, at the authorization object level, the potential risk is not realized, e.g. the only activity granted is display (read only).

Building rule sets (SAP Compliance Calibrator)

1. Set up functions (groups of activities that users perform to carry out their job responsibilities).

2. Map two or more functions together to define a risk.

3. SAP CC creates rules based on the risks, which are used for risk analysis reporting and alert monitoring.

4. Business processes can also be defined and mapped to risks for ease of reporting, e.g. Finance Accounting.

5. Multiple rule sets can also be set up to act as reporting filters, for version control and other uses.


Rules Architect: key drivers

Building rule sets can be complex and time consuming. Typically three distinct roles and skills are involved.

Internal Controls Expert: provides information on SoD risks and criticality, and represents business (process) owners in decisions to mitigate or remove risks.

SAP Functional Expert: provides expertise on the business transactions, on authorization objects and activity values. Helps to set the configuration data for the rule set library. Helps identify false positives.

SAP CC Expert: provides knowledge on rule setting in SAP CC, performing mass upload changes and risk analysis.

Together these three drive rules generation in SAP Compliance Calibrator.


Risk Analysis (SAP Compliance Calibrator)

Once the rule set has been defined and implemented, risk analysis can be performed to identify the SoD conflict and critical transaction risks in the staging and production systems.

Risk analysis can be performed at the user or role level. Risk analysis and remediation is most efficient when a structured authorization concept is implemented that maps roles to jobs and people. In these circumstances remedial efforts correct risks for large groups of users at once.

When to run risk analysis:

1. During the project lifecycle, before users are allowed into the production system.

2. Before each change request for role maintenance is deployed to production.

3. Before provisioning exceptional roles to individual users.

4. To execute periodic security controls.


Risk Analysis: types of risks

Segregation of Duties (SoD) risk: a combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. That is to say, in the case of two conflicting actions an employee may have permission to perform one of these actions, but not both.

Critical Action risk: certain actions are, by their nature, inherently risky. Any employee who has permission to perform one of these actions automatically poses a risk. Defining a critical action risk ensures that an employee assigned this permission is identified by the risk analysis process.

Critical Permission risk: just as some individual actions can be critical, the same is true for some permissions. Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned an action that includes a potentially risky permission.

The severity of a risk can be categorized as one of: Low, Medium, High, Critical.

You use the Risk Level to categorize risks, and the rules they generate, by severity. What determines a critical risk, for example, is a matter of your company policies.
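The rule machinery described in the Rules Architect, Rules Library and Risk Analysis sections above, as an added worked example (illustrative code written for this page, not Compliance Calibrator's own engine or its shipped rule set): functions group actions, each action optionally carries the authorization object values that actually realise the risk, risks combine one or more functions, and analysis runs over the merged grants of a user or of a single role. Every role name, user, transaction code, authorization object and field value here (F_LFA1_APP, F_REGU_BUK, F_BKPF_KOA, S_DEVELOP and their activities) is constructed sample data; treat the object/value pairings as assumptions to be validated against your own rule set. The permission_level=False comparison reproduces the action-only analysis that yields the false positives the Rules Library section warns about.

```python
"""Toy SoD rule engine: functions -> actions -> permissions, risks over functions,
risk analysis at user or role level. Illustrative only; not SAP GRC code."""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Permission:
    obj: str     # authorization object, e.g. F_LFA1_APP
    field: str   # field, e.g. ACTVT
    value: str   # value, e.g. "01" (create) or "03" (display)


@dataclass(frozen=True)
class Action:
    tcode: Optional[str]              # transaction; None = any transaction carrying the permissions
    needs: frozenset = frozenset()    # permissions that make the action risky (beyond starting it)


@dataclass(frozen=True)
class Function:
    fid: str
    actions: tuple                    # any one enabled action enables the function


@dataclass(frozen=True)
class Risk:
    rid: str
    level: str                        # Low / Medium / High / Critical
    functions: tuple                  # 2+ functions = SoD risk; 1 = critical action or permission
    process: str                      # business process, used for reporting


@dataclass(frozen=True)
class Grants:
    tcodes: frozenset                 # transactions a role/user may start
    perms: frozenset                  # authorization field values held


P = Permission
# Constructed rule set: object/field/value pairings are assumptions for this example.
FUNCTIONS = {
    "VENDOR_CREATE": Function("VENDOR_CREATE", (
        Action("XK01", frozenset({P("F_LFA1_APP", "ACTVT", "01")})),
        Action("FK01", frozenset({P("F_LFA1_APP", "ACTVT", "01")})))),
    "PAY_VENDOR": Function("PAY_VENDOR", (
        Action("F110", frozenset({P("F_REGU_BUK", "FBTCH", "21")})),
        Action("F-53", frozenset({P("F_BKPF_KOA", "ACTVT", "01")})))),
    "MAINTAIN_RFC": Function("MAINTAIN_RFC", (Action("SM59"),)),
    "DEBUG_REPLACE": Function("DEBUG_REPLACE", (
        Action(None, frozenset({P("S_DEVELOP", "OBJTYPE", "DEBUG"), P("S_DEVELOP", "ACTVT", "02")})),)),
}
RISKS = (
    Risk("R01", "High", ("VENDOR_CREATE", "PAY_VENDOR"), "Purchase to Pay"),
    Risk("R02", "Critical", ("MAINTAIN_RFC",), "Basis"),
    Risk("R03", "High", ("DEBUG_REPLACE",), "Basis"),
)
# Constructed roles and users.
ROLES = {
    "Z_AP_CLERK": Grants(frozenset({"XK01", "FB60"}), frozenset({P("F_LFA1_APP", "ACTVT", "01")})),
    "Z_AP_PAYMENTS": Grants(frozenset({"F110"}), frozenset({P("F_REGU_BUK", "FBTCH", "21")})),
    # XK01 is startable but F_LFA1_APP is display only: a transaction-level false positive
    "Z_VENDOR_DISPLAY": Grants(frozenset({"XK01", "XK03"}), frozenset({P("F_LFA1_APP", "ACTVT", "03")})),
    "Z_BASIS_RFC": Grants(frozenset({"SM59"}), frozenset()),
    "Z_DEV_DEBUG": Grants(frozenset({"SE80"}),
                          frozenset({P("S_DEVELOP", "OBJTYPE", "DEBUG"), P("S_DEVELOP", "ACTVT", "02")})),
}
USERS = {
    "ALICE": ("Z_AP_CLERK", "Z_AP_PAYMENTS"),
    "BOB": ("Z_VENDOR_DISPLAY", "Z_AP_PAYMENTS"),
    "CAROL": ("Z_BASIS_RFC",),
    "DAVE": ("Z_DEV_DEBUG",),
}


def generate_action_rules(risk):
    """Rules-library entries for a risk: one transaction from each conflicting function."""
    return set(product(*([a.tcode for a in FUNCTIONS[f].actions] for f in risk.functions)))


def merge(role_names):
    """Union of the grants of several roles (a user's effective access)."""
    roles = [ROLES[r] for r in role_names]
    return Grants(frozenset().union(*(r.tcodes for r in roles)),
                  frozenset().union(*(r.perms for r in roles)))


def enabled(action, grants, permission_level):
    if action.tcode is None:                  # permission-only action: always check the permission
        return action.needs <= grants.perms
    if action.tcode not in grants.tcodes:
        return False
    return (not permission_level) or action.needs <= grants.perms


def analyse(grants, permission_level=True):
    """(risk id, kind, level) for every risk whose functions are all enabled by `grants`.
    permission_level=False stops at the transaction level and so reports false positives."""
    findings = []
    for risk in RISKS:
        hits = {}
        for fid in risk.functions:
            acts = [a for a in FUNCTIONS[fid].actions if enabled(a, grants, permission_level)]
            if not acts:
                break
            hits[fid] = acts
        else:
            if len(risk.functions) > 1:
                kind = "SoD"
            elif any(a.tcode is None for a in next(iter(hits.values()))):
                kind = "critical permission"
            else:
                kind = "critical action"
            findings.append((risk.rid, kind, risk.level))
    return findings


def analyse_user(user, permission_level=True):
    return analyse(merge(USERS[user]), permission_level)


def analyse_role(role, permission_level=True):
    return analyse(merge([role]), permission_level)


if __name__ == "__main__":
    for u in USERS:
        print(u, analyse_user(u), "| transaction level only:", analyse_user(u, False))
```

BOB is the case the slides call a false positive: his menu contains XK01, so a transaction-only analysis pairs it with F110 and reports R01, while the permission-level analysis sees only display activity on F_LFA1_APP and stays silent. Running the same analysis per role (analyse_role) is how the role-maintenance flow catches a conflict before the role is deployed.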


Informer

Informer allows an appropriate user to access specific reports. In addition to the default report formats, there are specific user-selected focus areas available on many of the reports.

Informer tab report types include:

Management View: reports of the following types: Risk Violations, User Analysis, Role Analysis, Comparisons, Alerts, Rules Library, Controls Library.

Risk Analysis: performed to see if any User, Role, HR Object or Organization has access to two or more conflicting actions.

Audit Reports: report headings covering different aspects of the enterprise. Each Audit Report menu item contains links to reports that may be modified by the user to fit the needs requested.

Security Reports: an access point for reports on every aspect of product and enterprise security compliance issues.

Background Job: allows SoD conflicts to be analyzed for a large number of Users, Roles, HR Objects or Organizations.


Informer

Compliance Calibrator provides interactive visual analysis in the form of bar charts, pie charts and line charts. By clicking on a certain chart area, detailed statistics are accessed.


Informer (SAP Compliance Calibrator)

You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.


Mitigation Control

Mitigation controls: rather than remove the cause of the risk, you may want to control certain risk violations that you want to remain available to specific users, roles or profiles.

Monitor ID: the ID of the user who is assigned as Monitor for the specific controls.

Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign-off.

SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor, the tool can be used to track execution of the control, or non-compliance.

Many clients will have separate cross-enterprise process controls software, and we suggest three options for implementation:

1) Simplest option: identify the risk as controlled. The risk is removed from risk reporting (note that this captures no evidence that the control is actually executed).

2) Associate the risk with a mitigating control in an alternate repository, e.g. process control software.

3) Fully document the mitigating control within Compliance Calibrator.

A choice also exists on who to give responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls, or fully distributed to the business.

The Controls Library option lists all the existing mitigation controls (active/inactive). The Controls Library displays the controls by risk level and can be sorted by: Risk; Risk Level (Low, Medium, High); Business Unit; Monitor; User, Role, Profile or HR Object.


Alerts Monitor

Compliance Calibrator includes functionality which can alert business and controls leads by email when a critical or conflicting action is executed.

Alerts are available within the following risk areas:

Conflicting and critical actions: when a user performs both transactions in an SoD rule, or uses a critical transaction.

Mitigation monitoring: if a Monitor does not execute a control at the specified frequency, an alert is generated which is sent to the Monitor and visible to the control leads.

Cleared alerts: when an alert message has been delivered and cleared, the alert remains as an archived record and can still be tracked and monitored.
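The detective side of the alert monitor, as an added example that is not part of the original deck (illustrative Python, not Compliance Calibrator's alert engine): a constructed transaction-execution log is scanned for users who ran both halves of an SoD rule inside a 30-day window or ran a critical transaction at all, mitigating controls are checked against their execution frequency, and cleared alerts stay in the list as an archive. The rule pairs, transaction codes, control definitions, users, the window length and the log format are all assumptions made for this example.

```python
"""Detective alerting over a transaction-execution log plus mitigation-monitor checks.
Illustrative only; not SAP GRC code."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Hypothetical rule set: SoD rules as pairs of conflicting transactions, and critical transactions.
SOD_RULES = {"R01": ("XK01", "F110")}      # create vendor + run payment program
CRITICAL_TCODES = {"SM59": "R02"}          # maintain RFC destinations

# Constructed sample log (not real SAP output): "date time user tcode"
SAMPLE_LOG = """\
2019-07-01 09:15:00 ALICE XK01
2019-07-03 14:20:00 ALICE F110
2019-07-02 10:00:00 BOB XK03
2019-07-02 10:05:00 BOB F110
2019-07-04 16:45:00 CAROL SM59
2019-05-01 08:00:00 DAVE XK01
2019-07-05 08:00:00 DAVE F110
"""
TODAY = date(2019, 7, 29)   # "now" for the mitigation check


@dataclass
class Control:
    cid: str
    description: str
    monitor: str          # user responsible for executing the control
    frequency_days: int   # how often the control must be executed
    last_executed: date


# Constructed mitigating controls.
CONTROLS = [
    Control("MC01", "Supervisory review of payment runs", "FRANK", 7, date(2019, 7, 10)),
    Control("MC02", "Quarterly review of RFC destinations", "GRACE", 90, date(2019, 6, 1)),
]


@dataclass
class Alert:
    kind: str             # "SoD", "critical action" or "mitigation overdue"
    subject: str          # user or control the alert is about
    detail: str
    notify: str           # who receives the alert
    status: str = "open"  # cleared alerts stay in the list as an archived record


def parse_log(text):
    """Yield (timestamp, user, tcode) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, user, tcode = line.split()
        yield datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), user, tcode


def conflicting_action_alerts(records, window=timedelta(days=30)):
    """Alert when one user executes both halves of an SoD rule within `window`,
    or executes a critical transaction."""
    by_user = {}
    for ts, user, tcode in records:
        by_user.setdefault(user, {}).setdefault(tcode, []).append(ts)
    alerts = []
    for user in sorted(by_user):
        runs = by_user[user]
        for rid, (a, b) in SOD_RULES.items():
            close = [(ta, tb) for ta in runs.get(a, []) for tb in runs.get(b, [])
                     if abs(ta - tb) <= window]
            if close:
                alerts.append(Alert("SoD", user,
                                    f"{rid}: executed {a} and {b} within {window.days} days",
                                    "CONTROL_LEAD"))
        for tcode, rid in CRITICAL_TCODES.items():
            for ts in runs.get(tcode, []):
                alerts.append(Alert("critical action", user,
                                    f"{rid}: executed {tcode} at {ts:%Y-%m-%d %H:%M}",
                                    "CONTROL_LEAD"))
    return alerts


def mitigation_alerts(controls, today):
    """Alert the Monitor when a control has not been executed within its frequency."""
    return [Alert("mitigation overdue", c.cid,
                  f"last executed {c.last_executed}, due every {c.frequency_days} days", c.monitor)
            for c in controls if (today - c.last_executed).days > c.frequency_days]


def run_alerts(log_text, controls, today):
    return conflicting_action_alerts(parse_log(log_text)) + mitigation_alerts(controls, today)


def clear_alert(alert):
    alert.status = "cleared"   # archived, still trackable


def open_alerts(alerts):
    return [a for a in alerts if a.status == "open"]


if __name__ == "__main__":
    for a in run_alerts(SAMPLE_LOG, CONTROLS, TODAY):
        print(f"[{a.kind}] {a.subject}: {a.detail} -> notify {a.notify}")
```

DAVE ran both XK01 and F110, but 65 days apart, so the 30-day window suppresses the alert; how wide that window should be is a policy decision, and a narrow window trades missed slow fraud for fewer alerts. BOB ran XK03 (display) and F110, which is why the rule pairs XK01, not XK03, with F110.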


SAP Compliance Configuration

The Configuration tab is the main starting point for post-installation setup.

NOTE: only a user with administrative authority can access and use this part of Compliance Calibrator.

The Java Connector (JCo) acts as the integration point between the Java application and the SAP system to be monitored / analyzed.

The User Management Engine (UME) provides out-of-the-box J2EE administrator profiles to be defined or activated.

The rule set upload function is used to load the standard rules or a customized rule set, e.g. critical transaction codes, critical objects etc. These characteristics are the foundations of the SoD rules.

The Workflow component is used to trigger email alerts to named process owners within user provisioning. It is an integrated part of the Access Enforcer solution.

Background job scheduling is used for activating monitoring, e.g. the frequency of SoD analysis and risk violation reporting.


SAP Compliance Configuration (screenshots): standard GRC rule set; scheduling risk analysis.


Major Activities Walkthrough (SAP Compliance Calibrator)

Activity | Description

Install and set up SAP CC | Technical installation: core ECC, RFC connections to modules, assembly test.

Agree security design principles and dependencies with SAP CC | Establish design concepts and principles for mapping roles to jobs and users, e.g. one composite role per user.

Confirm project governance and high-level processes | Agree business owners, business approvers, control approvers, role maintenance and user provisioning processes. Define security controls.

Master data and functional set-up; test functionality | Agree master data definitions: organization, business process, risk descriptions, monitors and control approvers.

Define risks and configure the risk rule set | Agree SoD conflicts and critical transactions. Categorise risks (H/M/L). Update the risk rule set. Test risks.

Run risk analysis | Run risk analysis in the staging environment. Run risk analysis in the production environment. Export reports and update risk logs.

Remedial actions | Identify and remove false positives. Agree whether to accept or reject risks. Plan authorization changes, update security design templates and raise change requests to security maintenance. Re-run risk analysis.

Mitigate accepted risks | Agree mitigating controls for each risk. Agree control owners and business approvers (execution). Update mitigating controls in the tool.

Update procedures and security controls | Update procedures to introduce SAP CC as a preventative control and reflect governance for business ownership.

Transition to live | Train and enable operations staff, business approvers and control owners. Deploy new procedures. Stabilization support.


Fire-fighter

The Firefighter application allows a user to take responsibility for tasks outside their normal job function in an emergency situation.

It enables users to perform duties not included in the roles or profiles assigned to their user IDs.

It provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage, providing the capability to review the activities used during an emergency situation.

Before users can access Firefighter, they must be assigned a Firefighter ID. A Firefighter ID is a separate user ID carrying the emergency roles (Role 1, Role 2, Role 3 in the diagram) and is assigned to a named user. For each Firefighter ID you define the following roles:

Owner: owners can assign Firefighter IDs to Firefighters.

Controller: receives email notification and reviews the Firefighter Log report.

In addition, the Administrator creates the Firefighter IDs and assigns the authorization roles to them.


SAP Firefighter: process overview

Request access to production > Approve request > Assign Firefighter account > Update production > Review control log

Firefighter enables users to perform duties not included in the roles or profiles assigned to their user IDs. Firefighter provides this extended capability to users while creating an auditing layer to monitor and record Firefighter usage.

Through automated emergency access administration, Firefighter tracks, monitors and logs all emergency access activities.

Example

If the employee who normally works with vendor accounting is on vacation or sick leave, another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily. Note that this temporary assignment is exactly the kind of SoD conflict the rule set exists to detect; the Controller's review of the Firefighter log is the compensating control that makes it acceptable.

Benefits of Firefighter are:

Avoid business obstructions with faster emergency response

Reduce audit time

Reduce time to perform critical tasks


Fire-fighter (screenshots): Firefighter dashboard; Firefighter Log Report.


Access Enforcer

Access Enforcer is a web-based application running in J2EE and NetWeaver environments. It is connected to multiple data sources such as an LDAP directory and SAP backend systems.

Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow.

When a user requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow.

Roles and permissions are automatically applied to the enterprise directories when the access request is approved.

Access Enforcer automates the role provisioning process within the identity management environment. It supports corporate accountability and compliance with Sarbanes-Oxley along with other laws and regulations.


Access Enforcer

Access Enforcer has four task modules for specific usage:

Requestors: the Requestors module is for end users who are requesting access to SAP and non-SAP backend systems.

Approvers: the Approvers module is for approvers who approve access requests. Approvers can also request access for other end users. Approvers include line managers and IT security.

Informer: the Informer module is a reporting tool that provides graphical and analytical reports for managers.

Configuration: the Configuration module is for Access Enforcer administrators who define defaults, workflow and other attributes based on their corporate business processes and policies.


Access Enforcer Module Breakdown

Approver

Access Enforcer provides three standard Approver types. Depending on your organizational hierarchy and process, there may be other Approver types that can be added to Access Enforcer. The standard Approver types are:

Manager Approver: usually the requestor's manager. Managers review and approve the requests routed to them.

Role Owner Approver: has the authority to approve or reject a request. The Approver can put a request on hold and add additional roles to the request, if necessary. An Approver can only approve or reject requests that they own and cannot approve requests for other approvers unless they are assigned as an alternate approver.

Security Approver: usually the last approver in a typical workflow. The Security Approver can provision the requested access to the target system.

Requestor

As a Requestor, you use the Requestor module to create various access requests for an SAP backend system, non-SAP system, or other application (server). There are three types of Requestors:

Users: create requests for access permissions or roles, for themselves or for their team members.

Managers: create requests for roles for their subordinates.

Approvers: other managers can also create requests.

Informer

Access Enforcer provides the ability to generate various reports for the purpose of viewing and analyzing request approval activities. Reports are divided into two categories:

Analytical: lets you drill down to permission requests.

Chart: generates a graphical view of the request approval information, which can be used to analyze various activities.


Access Enforcer screenshots: Request for Approval list (displays pending requests assigned to you); Request Approver page for a submitted request.


Access Enforcer Walkthrough

Requestor

1. Makes an access request for a specific application for which they do not have the necessary roles.

SAP Access Enforcer

2. Provides the Access Request page, which can be set to specific or multiple data sources (e.g. an SAP HR system or non-SAP systems) to complete the request process.

3. The completed Access Request page is submitted. This triggers a workflow process, which is made up of several pre-defined approval stages and is customized to reflect the business and security policies and procedures.

Approver

4. Receives email notification of the access request at each approval stage. Performs risk analysis and SoD assessment. When a conflict arises, the approver can mitigate the problem or reject the request.

5. Upon approval, the access request is routed to the next stage, which could involve the IT security team for entry into the SAP backend system or application server. Automatic provisioning to the target system can take place.
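The five-step walkthrough above, as an added example of the gating it implies (illustrative Python written for this page, not Access Enforcer's workflow engine): a request moves through manager, role owner and security stages; each approval re-runs a risk analysis on the roles the user would hold after provisioning; an unmitigated conflict blocks the stage until the approver either mitigates (records a control against the risk) or rejects; a wrong approver is refused; and the final stage provisions the roles automatically. The stage names, approver lists, the conflict table standing in for a rule set, the role names, the control ID and the user are all constructed for this example.

```python
"""Toy staged approval workflow with risk analysis at every stage. Illustrative only."""
from dataclasses import dataclass, field

STAGES = ("MANAGER", "ROLE_OWNER", "SECURITY")

# Constructed data: who may approve at each stage (alternates included), current assignments,
# and a tiny conflict table that stands in for the rule set.
APPROVERS = {"MANAGER": {"MGR_BOB", "MGR_ALT"}, "ROLE_OWNER": {"OWNER_AP"}, "SECURITY": {"SEC_ADMIN"}}
USER_ROLES = {"BOB": {"Z_AP_CLERK"}}
CONFLICTS = {"R01": frozenset({"Z_AP_CLERK", "Z_AP_PAYMENTS"})}   # hypothetical SoD risk


@dataclass
class Request:
    requestor: str
    user: str                                          # who the access is for
    roles: set                                         # roles requested
    stage: str = "MANAGER"                             # or "PROVISIONED" / "REJECTED"
    mitigations: dict = field(default_factory=dict)    # risk id -> mitigating control id
    history: list = field(default_factory=list)        # (stage, actor, event) audit trail


def risk_analysis(req):
    """Risks the user would hold after provisioning (existing + requested roles)."""
    would_hold = USER_ROLES.get(req.user, set()) | req.roles
    return {rid for rid, combo in CONFLICTS.items() if combo <= would_hold}


def _check_approver(req, approver):
    if req.stage not in STAGES:
        raise ValueError(f"request already {req.stage}")
    if approver not in APPROVERS[req.stage]:
        raise PermissionError(f"{approver} cannot act at stage {req.stage}")


def mitigate(req, approver, risk_id, control_id):
    """Approver accepts the risk by assigning a mitigating control to it."""
    _check_approver(req, approver)
    req.mitigations[risk_id] = control_id
    req.history.append((req.stage, approver, f"mitigated {risk_id} with {control_id}"))


def approve(req, approver):
    """Advance one stage. Refused while an unmitigated risk exists; returns the blocking risks."""
    _check_approver(req, approver)
    open_risks = risk_analysis(req) - set(req.mitigations)
    if open_risks:
        req.history.append((req.stage, approver, f"blocked: {sorted(open_risks)}"))
        return open_risks
    req.history.append((req.stage, approver, "approved"))
    idx = STAGES.index(req.stage)
    if idx + 1 < len(STAGES):
        req.stage = STAGES[idx + 1]
    else:
        USER_ROLES.setdefault(req.user, set()).update(req.roles)   # automatic provisioning
        req.stage = "PROVISIONED"
    return set()


def reject(req, approver, reason):
    _check_approver(req, approver)
    req.history.append((req.stage, approver, f"rejected: {reason}"))
    req.stage = "REJECTED"


def walkthrough():
    """Steps 1-5 of the slide for a constructed request; returns the request and what first blocked it."""
    req = Request("BOB", "BOB", {"Z_AP_PAYMENTS"})      # step 1: request a role BOB lacks
    blocked = approve(req, "MGR_BOB")                   # step 4: risk analysis finds R01
    mitigate(req, "MGR_BOB", "R01", "MC01")             # approver mitigates rather than rejects
    approve(req, "MGR_BOB")                             # stage passes once R01 is mitigated
    approve(req, "OWNER_AP")                            # role owner stage
    approve(req, "SEC_ADMIN")                           # step 5: security stage provisions
    return req, blocked


if __name__ == "__main__":
    req, blocked = walkthrough()
    print("first blocked by:", blocked)
    for entry in req.history:
        print(entry)
    print(req.stage, USER_ROLES["BOB"])
```

The check runs on the roles the user would hold after provisioning, not just on the roles in the request: that is what makes the analysis preventative, since a request for one harmless role can still complete a conflict with a role the user already has. The history list is the audit trail an approver or auditor would later want for the "mitigate or reject" decision.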


    Access Enforcer - Benefits


Role Expert

Role Expert is a solution for compliant enterprise role management, allowing role owners to define, document and manage roles across multiple enterprise applications, and enforces best practices, resulting in lower ongoing maintenance and easier knowledge transfer.

It automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes and facilitates approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT.

Role Expert provides a complete audit trail covering role definition, detailed change history and control test results, and allows SAP security administrators and role owners to document important role information that is of great value for better role management, such as:

Tracking progress during role implementation

Monitoring the overall quality of the implementation

Performing risk analysis at role design time

Setting up a workflow for role approval

Providing an audit trail for all role modifications

Maintaining roles after they are generated to keep role information current


Role Expert

Role Library: dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles broken down by system landscape, role owner or business process. It also shows the number of roles with violations and the roles belonging to different role types.

Role Designer: provides you with a step-by-step guide for designing roles across your enterprise. Role Designer allows you to define: role building methodology; naming conventions; role attributes; org. value mapping; approval criteria.

Org Level: maps the hierarchical structuring of the organization, enabling you to manage roles effectively.

Change History: provides you with an audit trail for all the changes made to roles within Role Expert or your SAP system.

Mass Maintenance: allows you to synchronize the SAP back-end systems with Role Expert by importing roles that already exist in the SAP system.


Please let me know if any concerns.

Thanks,
Biju
