Page 1: Sap Grc Access Control 12030241142

SAP GRC- ACCESS CONTROL

Submitted by:
• Manas Choudhary (12030241142) – C – Group Leader – 9665372521
• Shankar Kendre (12030241159) – C – 9960899626
• Raghavendra Aarole (Roll No) – C – 7709998886
• Ishan Mishra (12030241073) – A – 7276899981
• Rahul Vardhan Dinesh (12030241210) – D – 9420290268

Batch 2012-14

Page 2: Sap Grc Access Control 12030241142

Agenda

• Fragmentation 01
• Integrated GRC 02
• SAP Solutions for GRC 03
• Segregation of Duties Violations 04
• Risk Analysis and Remediation 05-06
• Access Management 07
• Compliant Provisioning 08-09
• Benefits of SAP GRC 10-11

Page 3: Sap Grc Access Control 12030241142

Fragmentation
Managing with confidence is difficult in an increasingly complex world

[Figure: a fragmented GRC landscape. Separate compliance, governance and risk-management activities are scattered across organizational units (Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury), processes (Security, Proj. Mgmt., Doc. Mgmt., Contracts, Planning, Customers, ERP, Production, Billing), regulations and risk types (ASX Principle 7, CLERP 9, SOX, RoHS, WEEE, Credit Risk, Human Capital Risk, Project Risk, Segregation of Duties) and countries (Australia, U.S.A., Japan, U.K., France, China, Germany, India).]

Page 4: Sap Grc Access Control 12030241142

Integrated GRC
Forward looking organizations are seeking a unified approach to GRC

[Figure: the same fragmented landscape of compliance, governance and risk-management activities across organizational units, processes, regulations (ASX Principle 7, CLERP 9, SOX, RoHS, WEEE, Credit Risk, Human Capital Risk, Project Risk, Segregation of Duties) and countries (Australia, U.S.A., Japan, U.K., France, China, Germany, India), shown as the starting point for a unified GRC approach.]

Page 5: Sap Grc Access Control 12030241142

SAP Solutions for GRC
A unified solution for GRC management

• Transparency to balanced global risk profile
• Standardization on common GRC content and rules
• Automates and embeds GRC into business processes

[Figure: SAP GRC solution architecture built on the Business Process Platform with a GRC Repository: cross-industry GRC applications (Risk Management, Access Control, Global Trade, Process Control, Environment, Compliance & Controls), industry-specific GRC (Life Sciences, High Tech, Chemicals, Oil & Gas, Banking), and the Business Applications and Business Processes they cover.]

Page 6: Sap Grc Access Control 12030241142

Segregation of Duties Violations

Cross-enterprise library of best practice segregation of duties rules; risk analysis, remediation and prevention services.

Get Clean
• Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up

Stay Clean
• Enterprise Role Management: enforce SoD compliance at design time
• Compliant User Provisioning: prevent SoD violations at run time

Stay in Control
• Superuser Privilege Management: close the #1 audit issue with temporary emergency access
• Periodic Access Review and Audit: focus on remaining challenges during recurring audits

Outcomes: Minimal Time To Compliance, Continuous Access Management, Effective Management Oversight and Audit

Page 7: Sap Grc Access Control 12030241142

Risk Analysis and Remediation

[Figure: Risk Analysis and Remediation capabilities grouped into Risk Identification, Elimination and Prevention: Real-time SoD Risk Analysis, Critical Transaction Monitoring, Real-time Simulation, Remediation Management, Mitigation Management, Mandatory Prevention, Alerts Framework, Reporting and Cross-Application Integration. Rules layer: Access Risks Library, Cross-Enterprise Rules Database, Cross-Enterprise Rules Architect. Underlying Access Risks Services.]

• Common services across all SAP GRC Access Control capabilities
• Prevention Services: delivers 24/7, real-time compliance by stopping security and controls violations before they occur

“SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate.” (Synopsys Inc.)

Page 8: Sap Grc Access Control 12030241142

Risk Analysis and Remediation Contd.

Getting clean

[Figure: end-to-end automation of the initial clean-up: Risk Identification, Risk Elimination, Prevention and Reporting.]

Initial Risk Analysis and Remediation
• Facilitates collaboration between Business and IT to clean up access risks

“The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations.” (Synopsys Inc.)

Page 9: Sap Grc Access Control 12030241142

Access Management

Compliant Superuser Access: the only compliance-focused emergency access solution

Key Functionality
• Alert Framework
• Date Restrictions
• ID Administration
• Audit Logs
• Security Notification
• Reporting
• Log-in Restrictions
• Single User per ID
• Specific Authorization Access

[Figure: privileged access through firecall IDs. A superuser is given pre-assigned firecall IDs per area (SD, MM, FICO, ...); each use of a firecall ID opens a new session, and every session is written to a log.]

• Pre-assigned firecall IDs
• Access restrictions
• Validity dates
• Field-level changes tracked in audit log

Page 10: Sap Grc Access Control 12030241142

Compliant Provisioning
Enables compliant end-to-end provisioning, “hire to retire”

Current Approach: Inefficient, Not Compliant

[Figure: manual provisioning chain: Access Request → Manager Approval → Role Owner → IT Security → Manual Provisioning, with each hand-off done by email, spreadsheets and paper forms.]

Page 11: Sap Grc Access Control 12030241142

Compliant Provisioning contd.
Compliant Provisioning with Dynamic Workflow

[Figure: automated provisioning workflow. An HR event (employee hired/retired, 100% automated) or a request via e-mail generates a request; Manager Approval is followed by Risk Analysis with a 1-“click” preventive simulation; the Path Workflow is chosen based on request type and user attributes, with Escalation Workflow and Exception Workflow branches; Automated Provisioning completes the process, 100% automated.]

• Embed cross-enterprise preventive compliance into business process
• Reduce cost of user administration
• Improve productivity of end users
• Auditable tracking for auditors
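The Risk Analysis step of the workflow above, as an added example that is not part of the presentation or SAP's own code: a simplified SoD check that simulates a user's access as it would look after provisioning, drops risks covered by an assigned mitigating control, and picks the workflow path. All function ids, rule ids, role names and mitigations are constructed sample data, not an SAP-delivered rule set.

```python
"""Added example: simplified SoD risk analysis as a preventive simulation (constructed data)."""
from dataclasses import dataclass

# Business functions, each defined by the actions (transaction codes) that perform it.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},            # maintain vendor master data
    "AP02": {"F-53", "F110"},            # post / run vendor payments
    "PR01": {"ME21N", "ME22N"},          # create / change purchase orders
    "PR02": {"MIGO"},                    # post goods receipts
}
# SoD rules: two functions that must not be executed by the same individual.
RULES = {
    "P001": ("AP01", "AP02", "high"),    # vendor maintenance + payment run
    "P002": ("PR01", "PR02", "medium"),  # purchasing + goods receipt
}
# Roles as provisioned to users; each grants a set of actions (constructed).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F-53", "F110"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}

@dataclass(frozen=True)
class Violation:
    risk_id: str
    level: str
    functions: tuple
    actions: frozenset   # the user's actions that make both conflicting functions executable

def analyze(actions):
    """Real-time SoD analysis: a function is 'held' when any of its actions is granted."""
    held = {f for f, acts in FUNCTIONS.items() if acts & actions}
    return [Violation(rid, lvl, (a, b), frozenset((FUNCTIONS[a] | FUNCTIONS[b]) & actions))
            for rid, (a, b, lvl) in RULES.items() if a in held and b in held]

def simulate_request(current_roles, requested_roles, mitigations=()):
    """Preventive simulation: analyze access as it WOULD look after provisioning,
    dropping risks already covered by an assigned mitigating control."""
    actions = set().union(*(ROLES[r] for r in set(current_roles) | set(requested_roles)))
    return [v for v in analyze(actions) if v.risk_id not in set(mitigations)]

def route(current_roles, requested_roles, mitigations=()):
    """Workflow path after manager approval: clean requests are provisioned
    automatically, requests with open violations go to the exception workflow."""
    open_risks = simulate_request(current_roles, requested_roles, mitigations)
    return "automated-provisioning" if not open_risks else "exception-workflow"
```

An existing AP clerk requesting the payments role trips P001 and is routed to the exception workflow; the same request with mitigation P001 on file, or a buyer requesting the payments role, is provisioned automatically.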

Page 12: Sap Grc Access Control 12030241142

Benefits of SAP GRC

• Key Solution Capabilities and Benefits
– Identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control
– Provides end-to-end automation for detecting, remediating, mitigating, and preventing access and authorization risk across the enterprise
– Allows for true cross-enterprise SoD risk mitigation by integrating into SAP and non-SAP systems

• Common Customer Challenges Addressed
– Need to comply with SOX regulations for section 404, or similar regulations
– Weak support for the audit process to ensure the right measures are in place to prevent fraud
– Manual or people-intensive compliance processes involving emails, spreadsheets and/or paper
– Costly, manual remediation
– Uncontrolled role management
– Excessive super-user access
– Inefficient and un-auditable user provisioning
– Reactive vs. preventative

Page 13: Sap Grc Access Control 12030241142

• Establish approach and process to manage risk rules
• Gain alerts on potential violations
• Identify business functions which produce risks when executed by the same individual
• Focus on prevention vs. “a point in time” detection
• Simplify compliant enterprise level role administration
• Enforce compliant security for Privileged Access
• Increase visibility through timely notification
• Deliver audit ready, detailed reporting
• Lower risk and save money through proactive compliance

Page 14: Sap Grc Access Control 12030241142

Thank You
