7/28/2019 Gr c 2009 Segregation Access Control
http://slidepdf.com/reader/full/gr-c-2009-segregation-access-control 1/6
Are you worried about unauthorised access to critical systems and confidential information?
Are you able to identify and address segregation of duties (SoD) conflicts effectively?
Is access control technology really beneficial and necessary?
Why segregation of duties and access control?
With the heightened focus on corporate governance and internal controls in today’s business environment, organisations need to implement effective measures for achieving regulatory compliance and meeting a variety of stakeholder demands – among them the demands for a better and effective Governance, Risk management and Compliance (GRC) programme.
Implementing effective and efficient internal controls is an important aspect of a GRC programme. Internal controls are mechanisms to help organisations achieve their business objectives while containing risks, which may lead to financial, operational and reputational losses. Effective and efficient internal controls are directly correlated to an organisation’s ability to execute business transactions, ensure productivity, profitability and sustainability.
Internal controls in a business environment are often enforced through segregation of duties in business processes. Different roles and responsibilities are assigned to each individual to provide a check-and-balance environment appropriate to the risk level of the business. Segregation of duties is naturally embedded into the hierarchical and compartmentalised structure of any business organisation.
However, there is often a blind-spot – access to computer systems. With the advent of computer systems in almost every aspect of business, organisations are increasingly reliant on technology-based access control to enforce segregation of duties. Without proper and adequate access control, organisations may find out the hard way that segregation of duties is bypassed and controls no longer work.
Addressing the key issues
Many organisations do have difficulties managing segregation of duties and access controls. These realisations often arise through inspections and audits, or in some cases, fraud investigations. The three common issues are:
• How to identify SoD conflicts and what is adequate
• How to balance the inconvenience of access controls and productivity
• How to monitor the use of powerful system functions and unauthorised access to confidential information on a continuous basis
These three issues cannot be addressed effectively without the support of access control technology.
SAP GRC Access Control enables you to achieve:
• Minimal time for compliance – by setting up the right access controls using a comprehensive library of SoD rules which allows you to go live quickly and achieve a cost-effective clean-up of initial controls to stop future violations.
• Continuous access management – by enforcing SoD compliance from the start with enterprise-wide role design, documentation, and maintenance that eliminate manual errors and enforce best practices. This prevents the reintroduction of SoD violations and allows business users to perform emergency activities using superuser privilege in a controlled manner.
• Effective management oversight and audit – by giving managers effective and comprehensive oversight through user access reaffirmations and reviews of access-risk, SoD rules, mitigating controls and roles. There are also audit trails for role provisioning, user provisioning, emergency access, and more. Auditors can comprehensively and more easily validate proper management oversight to ensure the business complies with all policies by making sure all access is properly authorised and by ensuring that SoD risks are appropriately mitigated.
The importance of a holistic GRC approach
Building and implementing segregation of duties and access control requires a holistic approach that is woven into the fabric of the organisation, often viewed as part of a larger GRC programme. Under this view, an effective governance structure is put in place, and roles and responsibilities are clearly defined. Risk identification, assessment and mitigation are closely tied to the achievement of the organisation’s business objectives. Executives and management have ready access to timely, accurate, relevant information about controls, and their impact on risk exposure. In other words, segregation of duties and access control are not the responsibility of one or two departments; it is a concerted effort of everyone in the organisation, from the Board right down to the staff on the ground.
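As an added illustration of what an SoD rule library does when it is run against user access (identifying conflicts, recording mitigating controls, and measuring transaction codes per user as in the clean-up exercise described later), here is example code that is not part of this brochure and not PwC's or SAP's software; the functions, rules, role names, user assignments and mitigations are constructed for the demonstration, and the rule set is not SAP's shipped library.

```python
# Constructed SoD rule library (illustrative, not SAP's shipped rule set):
# a "function" is the set of transaction codes that let a user perform it,
# and a rule names two functions one person must not hold together.
FUNCTIONS = {
    "vendor_master_maintain": {"XK01", "XK02", "FK01", "FK02"},
    "vendor_invoice_post": {"FB60", "MIRO"},
    "vendor_payment_run": {"F110"},
    "purchase_order_create": {"ME21N", "ME22N"},
    "goods_receipt_post": {"MIGO"},
}
SOD_RULES = [  # (rule id, function A, function B, risk level)
    ("P001", "vendor_master_maintain", "vendor_payment_run", "high"),
    ("P002", "vendor_invoice_post", "vendor_payment_run", "high"),
    ("P003", "purchase_order_create", "goods_receipt_post", "medium"),
]

def user_tcodes(user_roles, role_tcodes):
    """Resolve each user's effective transaction codes through assigned roles."""
    return {u: set().union(*(role_tcodes[r] for r in roles))
            for u, roles in user_roles.items()}

def sod_conflicts(tcodes_by_user, mitigations=frozenset()):
    """List (user, rule id, risk, mitigated) for every rule a user violates.
    A violation needs at least one tcode from BOTH functions of the rule."""
    hits = []
    for user, codes in sorted(tcodes_by_user.items()):
        for rule_id, fa, fb, risk in SOD_RULES:
            if codes & FUNCTIONS[fa] and codes & FUNCTIONS[fb]:
                hits.append((user, rule_id, risk, (user, rule_id) in mitigations))
    return hits

def tcode_distribution(tcodes_by_user):
    """Percentage of users per tcode-count bucket, as in the brochure's chart."""
    buckets = {"<100": 0, "100-300": 0, "300-500": 0, ">500": 0}
    for codes in tcodes_by_user.values():
        n = len(codes)
        key = "<100" if n < 100 else "100-300" if n <= 300 else "300-500" if n <= 500 else ">500"
        buckets[key] += 1
    return {k: round(100 * v / max(len(tcodes_by_user), 1)) for k, v in buckets.items()}
# Constructed role and user assignments for the demonstration.
ROLE_TCODES = {"AP_CLERK": {"FB60", "MIRO", "FK03"}, "AP_MANAGER": {"F110", "FK03"},
               "BUYER": {"ME21N", "ME22N", "ME23N"}, "WAREHOUSE": {"MIGO"}}
USER_ROLES = {"alice": ["AP_CLERK", "AP_MANAGER"],  # invoice post + payment run: P002
              "bob": ["BUYER", "WAREHOUSE"],        # PO create + goods receipt: P003
              "carol": ["AP_CLERK"]}                # no conflict
MITIGATED = frozenset({("bob", "P003")})  # compensating control is documented

if __name__ == "__main__":
    eff = user_tcodes(USER_ROLES, ROLE_TCODES)
    print(sod_conflicts(eff, MITIGATED), tcode_distribution(eff))
```

Unmitigated high-risk hits are the remediation backlog; mitigated ones still need the compensating control reviewed at each periodic access review.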
PwC is the specialist in SoD and access control
As one of the largest and most experienced global providers of GRC services, PwC has been working closely with technology providers such as SAP to help organisations create integrated, sustainable GRC programmes.
PwC’s proven methodology and approach ensure that organisations implement and operate SAP GRC Access Control using proper Strategy, Structure, Process, People and Technology.
Our approach recognises that technology is not a solution but an enabler, a tool to efficiently gather and analyse data and support people and processes. With one of the largest available global resource pools of SAP GRC technologies, we work with organisations to address a wide range of GRC issues. We can help you:
• Define the strategic vision for an integrated GRC programme at the most appropriate level – enterprise, regional or divisional to ensure you remain within your risk tolerance
• Conduct a current state assessment of GRC capabilities and identify gaps and requirements for key risks and controls, probably in areas such as training, monitoring and project risk reviews
• Implement and integrate the solution in accordance with the strategic vision
• Customise SAP GRC solution to specific organisation needs and requirements
• Leverage templates, tools and standard industry practices to “fast track” implementation
• Support solution implementation with knowledge and experience in key GRC-related areas, such as information security, data management, and sourcing
• Design and configure reporting to help meet client regulatory, compliance and risk management needs
• Conduct testing, remediation and training activities to maintain the effectiveness of the GRC programme, personnel, and policies
PwC GRC Programme (diagram of its five elements):
• Strategy – Adopt a holistic GRC approach that involves all key stakeholders
• Structure – Align to strategy with a control framework, clear governance structure, and well defined security roles, responsibilities and procedures
• Process – Implement effective and efficient processes to ensure continuity of controls
• People – Align the human elements of the business with proper skills, competency, training, and clearly defined performance measures
• Technology – Provide a consistent platform to achieve sustainability, consistency, transparency and efficiency
The effect of tightening SoD and access controls
Organisations that have gone through this exercise typically experience the following:
• Clearer defined set of SoD rules
• Significantly fewer transaction codes assigned to each user. In the example below, originally 45% of users had more than 500 transaction codes each. After the exercise, 90% of users had less than 300 codes each.
• Workflow for user provisioning
• Remediation of SoD conflicts
Chart: Number of transaction codes per user, before and after (sample size: 220 users). Buckets: < 100, 100-300, 300-500, > 500. Vertical axis: percentage (%) of users, 0 to 50.
Segregation of duties and access control management: overcome fragmentation, gain comprehensive access control (diagram of stakeholder benefits)
• Board, Audit Committee – Preventive approach
• Internal Audit – Lower cost of audit and audit-related fees
• IT Operations – Improve efficiency by automating core compliance/security tasks
• Information Security – Sensitive transaction monitoring
• Supply Chain, Customers & Channel, Operations – Compliant, role-based access control
• Human Resources – Efficient and compliant user provisioning
• Finance – Vulnerability to unwanted financial activity fixed
• Executives & Managers – Manage compliance with confidence
PwC’s GRC Access Control implementation approach (diagram)
Phases: Get clean (Minimal Time To Compliance); Stay clean (Continuous Access Management); Stay in control (Effective Management Oversight and Audit).
Underpinned by risk analysis, remediation and prevention services and a cross-enterprise library of best practice segregation of duties rules.
SAP GRC Access Control components (SAP layer), with PwC services alongside:
• Risk Analysis and Remediation – Rapid, cost-effective and comprehensive initial clean-up
• Enterprise Role Management – Enforce SoD compliance at design time
• Compliant User Provisioning – Prevent SoD violations at run time
• Superuser Privilege Management – Close #1 audit issue with temporary emergency access
• Periodic Access Review and Audit – Focus on remaining challenges during recurring audits
SAP GRC Access Framework
Advise and facilitate setting up of GRC Access Framework and implement both SAP GRC Compliant User Provisioning (CUP) and Superuser Privilege Management (SPM) to sustain the SAP access compliance
Outcome and benefits
• Structured SAP GRC Framework is set up
• Controlled and secured user provisioning is put in place with Compliant User Provisioning and Superuser Privilege Management
• Sustainability is achieved
Role Remediation
Facilitate role remediation workshops to ‘clean up’ roles with two best in class offerings working together:
• PwC’s SAP Role Redesign Methodology and Risks Library
• SAP GRC Enterprise Role Management (ERM)
Outcome and benefits
• SAP authorisation is standardised and roles are clearly designed using Enterprise Role Management
Risk Analysis
Prepare, plan and facilitate risk workshops to identify SoD and access control rules, and implement SAP GRC Risk Analysis and Remediation (RAR)
Outcome and benefits
• SoD and access control rules are identified with clearly documented remediation and mitigating controls
Contacts:
Chan Hiang Tiak
+65 6236 3338
Tan Shong Ye
+65 6236 3262
Charles Loh
+65 6236 4479
Keith Stephenson
+65 6236 3358
For general enquiries, please email to [email protected]
The information contained in this brochure is of a general nature only. It is not meant to be comprehensive and does not constitute the rendering of legal, accounting, tax or other professional advice or service by PricewaterhouseCoopers. Before taking any action, please ensure that you obtain advice specific to your circumstances.
pwc.com/sg
© 2009 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers LLP” is part of the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.