SAP GRC AC ARA: Access Risk Analysis Requirements Gathering Workshop
Fahri Batur, October 2013

Page 1: SAP GRC AC ARA: Access Risk Analysis Requirements Gathering Workshop

Fahri Batur, October 2013

Page 2: About This Session: Introduction

Today is all about exploring how you will use Access Control, bringing your business knowledge and our product knowledge together to arrive at the design decisions that will let us write the Blueprint and configure the system.

It is important that the people in this session can provide (with our help) direction on how you will use Access Control.

So let's start with introductions around the room, including each person's area of interest in relation to Access Control.

Page 3: Agenda: Running Order

Requirements gathering for Segregation of Duties management via the Access Risk Analysis (ARA) module

Page 4: How We're Going to Do This: A Little Insight Into What's in Store

Integrc's role today:

Ask you lots of questions about how you will use Access Control

Provide context for what we're discussing and explain how our questions relate to your future use of Access Control

Help you understand how Access Control will need to be set up in order to meet your business requirements

Tease out all the detail we will need to write the Blueprint and configure your solution

Your role today:

Answer lots of questions!

Provide business context

Between us, we will establish all the facts we need to proceed

Page 5: How We're Going to Do This: Method

Good old-fashioned talking, where your business knowledge and our product knowledge come together

We have various techniques and aids to help us identify how Access Control will need to be configured:

A structured questionnaire that ensures we capture all the information we need

Access to the Integrc GRC lab, where we can demo scenarios through the day for context if necessary

Page 6: Let's Start at the Very Beginning: Overview of SAP GRC Access Control

Gavin Campbell - [email protected] +44 7828 658812

The original slide shows the four Access Control modules as a diagram, grouped under Risk Identification & Remediation and Prevention, and along a timeline of Sprint Phase (Get Clean) and Marathon Phase (Stay Clean), with Privileged User Access and Role Management as further labels. The modules are:

Access Risk Analysis: risk analysis, detection, and remediation solution for access and authorisation controls

Business Role Management: role definition and management

Emergency Access Management: privileged user access control solution

Access Request Management: compliant provisioning solution

Page 7: Access Risk Analysis (ARA): Segregation of Duties Management

The rules engine that enables your Segregation of Duties reporting

Interfaces with the other Access Control modules to enable compliant processes for provisioning and role management

Holds your definition of Segregation of Duties risks

Analyses roles and users in real time against the defined SoD risks, giving visibility of where the risks are

Page 8: Just Before We Start: An Insight Into the Variables We Need to Capture

For each Access Control module, we will need to capture the following variables:

System settings and parameters: dictate how your system behaves and which default settings it uses

Configuration settings: dictate how you will use the solution and how your GRC processes will work

Master data

Cross Application: Configuration and Settings

Page 9: Target Systems: Identify Systems to be Connected to Access Control

A target system is a backend system that will be connected to Access Control for the purposes of risk analysis, provisioning, super user management or role management.

Data capture sheet: Target Systems (embedded Excel worksheet, not reproduced here)

Page 10: Connectors: Communication Channels Between GRC and Target Systems

A connector is created in GRC for each target system that Access Control will connect to. Your consultant will capture the connector details for each in-scope system.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 11: Connector Definition: Technical Connector Settings

A connector definition is required for each defined connector/target system. Your consultant will capture these technical settings in order to document them in the Blueprint.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 12: Connector Groups: Logical Groupings of Physical Connections

Your consultant will discuss with you the different types of connector group, the advantages of each type, and which are best for you.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 13: Connector Integration Scenarios

Integration scenarios define the flow of information between the different application components. Your consultant will help work out which scenarios are relevant to you.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 14: Cross Application: Generic System Settings

These parameters influence how the system operates but are not tied to any one module. They are central to the system, much like the Basis layer of any SAP system.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 15: Access Control Owners: Important Users Who Are Assigned Specific Responsibilities

Users who will be involved in your Access Control processes need to have their responsibilities assigned in the Access Control owners table, in addition to their ABAP roles.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 16: Organisational Structure: Shared Structure for Assigning Mitigating Controls

The organisational structure is shared between Access Control and Process Control and is used to assign controls in a structured way.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 17: ARA Configuration Parameters: System Settings for ARA

These parameters influence how ARA operates. System default values are defined here.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 18: SoD and Critical Risk Ruleset: Defining the Risk Library

The ruleset defines the risks that matter to your organisation and ultimately specifies which transactions should not be allocated to users in combination. Critical risks cover single transactions that are sensitive on their own rather than in combination.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 19: Mitigating Controls: Define Controls and Map Them to Risks

Mitigating controls are documented in Access Control as a way of mitigating the risk of assigning conflicting access to users. Whilst Access Control does not manage the execution of the control, it provides reporting that gives visibility of mitigated and unmitigated risks.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 20: Mitigating Control Assignment: Mapping Users to Controls

This step defines the mitigating controls that need to be mapped to users, based on the SoD risks they will hold at go-live.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)
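The three preceding items (the risk library, the mitigating controls and their assignment to users) together describe what the ARA rules engine does at reporting time, and page 7 notes that the same engine is consulted when access is provisioned. The following is an added illustrative model of that logic, written for this page; it is not SAP code and not the delivered SAP ruleset. Every function ID, transaction code, role, user and control name in it is constructed for the example. It performs an action-level (transaction-code) check only; the real product additionally evaluates permission-level rules on authorisation objects, which this model does not attempt.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Risk library. All IDs, transaction codes, roles, users and controls below are
# constructed for this example; they are not SAP's delivered ruleset.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01": {"FK01", "FK02"},    # maintain vendor master data
    "AP02": {"F-53", "F110"},    # post / run vendor payments
    "BS01": {"SU01", "PFCG"},    # user and role administration
}
SOD_RISKS: Dict[str, tuple] = {"P001": ("AP01", "AP02")}  # two functions in conflict
CRITICAL_RISKS: Dict[str, str] = {"B001": "BS01"}          # one sensitive function

ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FK01"},
    "Z_AP_PAY": {"F-53"},
    "Z_BASIS": {"SU01"},
}
USERS: Dict[str, List[str]] = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAY"],
    "bob": ["Z_AP_PAY"],
    "carol": ["Z_BASIS"],
}
# Mitigating control assignment: (user, risk id) -> control id.
MITIGATIONS: Dict[tuple, str] = {("alice", "P001"): "MC_AP_PAYMENT_REVIEW"}


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    actions: FrozenSet[str]     # the user's actions that triggered the risk
    control: Optional[str]      # assigned mitigating control, None if unmitigated


def actions_for(roles: List[str]) -> Set[str]:
    """Flatten a list of roles into the set of transactions they grant."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def analyse(user: str, roles: Optional[List[str]] = None) -> List[Violation]:
    """Action-level risk analysis of one user (or of a hypothetical role set)."""
    granted = actions_for(USERS[user] if roles is None else roles)
    # A function is 'hit' when the user holds at least one of its actions.
    hit = {f: granted & acts for f, acts in FUNCTIONS.items() if granted & acts}
    found: List[Violation] = []
    for risk_id, (f1, f2) in SOD_RISKS.items():
        if f1 in hit and f2 in hit:
            found.append(Violation(user, risk_id, frozenset(hit[f1] | hit[f2]),
                                   MITIGATIONS.get((user, risk_id))))
    for risk_id, f in CRITICAL_RISKS.items():
        if f in hit:
            found.append(Violation(user, risk_id, frozenset(hit[f]),
                                   MITIGATIONS.get((user, risk_id))))
    return sorted(found, key=lambda v: v.risk_id)


def simulate_role_add(user: str, role: str) -> List[str]:
    """Risks a provisioning request would introduce (the page-7 integration point)."""
    before = {v.risk_id for v in analyse(user)}
    after = {v.risk_id for v in analyse(user, USERS[user] + [role])}
    return sorted(after - before)


def summary() -> Dict[str, int]:
    """Mitigated vs unmitigated counts across all users, as an ARA report shows them."""
    all_v = [v for u in USERS for v in analyse(u)]
    mitigated = sum(v.control is not None for v in all_v)
    return {"total": len(all_v), "mitigated": mitigated,
            "unmitigated": len(all_v) - mitigated}


if __name__ == "__main__":
    for u in USERS:
        for v in analyse(u):
            print(f"{v.user}: {v.risk_id} via {sorted(v.actions)} "
                  f"-> {v.control or 'UNMITIGATED'}")
    print(summary())
```

With the constructed data, alice triggers the SoD risk P001 (vendor master plus vendor payments) but it is mitigated by the assigned control; carol triggers the critical risk B001 with no control assigned, so it reports as unmitigated; and simulating the addition of Z_AP_CLERK to bob shows that the request would introduce P001, which is the kind of result a compliant provisioning workflow would surface before approval.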

Page 21: Business Processes and Sub-Processes

Part of the mitigating control master data, used to categorise controls.

Data capture sheet: Generic System Settings (embedded Excel worksheet, not reproduced here)

Page 22: Next Steps: What Happens Next

Feed design decisions into the Blueprint document

Collate outstanding items as soon as possible and feed them into the Blueprint

Approve the Blueprint

Integrc prepares for configuration

Configuration and master data are loaded into GRC development

Test

Page 23: Thank You

On behalf of Integrc, thank you for your invaluable contribution. Your input during requirements gathering will influence the success of the Access Control implementation.