• Home

  • Documents

  • SAP Security Services - Winterhawk Consulting · PDF fileSAP Security Audit SAP Audit...
3
SAP Role Design Review and Redesign - Page 1 of 3 Simplify | Optimise | Standardise W INTERHAWK C ONSULTING Email: [email protected] Website: http://www.winterhawkconsulting.com SAP Security Services The regulatory and compliance landscape of today requires companies to ensure critical business applications such as SAP are properly secured and adhere to stringent guidelines related to privacy and regulatory requirements. In addition, businesses must have proper segregation of duties to avoid fraud, and limited access to critical system transactions to avoid operational interruptions. Within any SAP environment the challenge of meeting these and other rigorous standards is compounded by the complex SAP Security model as well as the constant changes brought on by a dynamic thriving business. SAP Role Design Review and Redesign 1. SAP Role Design Review Winterhawk’s SAP Security Services target customers that know there are problems with their current SAP Role Design, but are unsure of the best approach to resolve them. We identify the specific issues in the current design, prioritise each based on the level of risk and create a road map for resolution. Our review service is designed to evaluate a customer’s existing SAP Role Design and provide actionable recommendations for the customer to address the findings from our review. Specifically, we identify issues with: Assignment of sensitive business transactions Assignment of sensitive system administration transactions Assignment of sensitive authorisation objects Manual insertion of authorisation object S_TCODE for transaction access Quality of the design based on a user’s usage compared to a user’s access Adequacy of naming conventions Assignment of organisational access Usage of manual authorisation changes in Roles Table USOBT_C maintenance through transaction code SU24 Direct role or profile assignments to end users Unassigned roles in Production Create and/or change activities assigned in display only roles 2. SAP Security Role Redesign Identification of issues may begin with an audit, the implementation of compliance software such as SAP GRC, the discovery of fraudulent activities or even a major system outage due to inappropriate privileged access. Whatever the reason, we are here to work with you. For role redesigns our team can quickly determine the most effective and efficient approach to fixing the existing Role Design.

SAP Security Services - Winterhawk Consulting · PDF fileSAP Security Audit SAP Audit Outsourcing/Co-Sourcing. Control Rationalisation. Control Optimisation. SAP GRC Services SAP GRC

Embed Size (px)

Citation preview

Page 1: SAP Security Services - Winterhawk Consulting · PDF fileSAP Security Audit SAP Audit Outsourcing/Co-Sourcing. Control Rationalisation. Control Optimisation. SAP GRC Services SAP GRC

S A P R o l e D e s i g n R e v i e w a n d R e d e s i g n - P a g e 1 o f 3

S i m p l i f y | O p t i m i s e | S t a n d a r d i s e

W I N T E R H A W K C O N S U L T I N G

Email: [email protected]

Website: http://www.winterhawkconsulting.com

SAP Security Services

The regulatory and compliance landscape of today requires companies to ensure critical business applications such as SAP are properly secured and adhere to stringent guidelines related to privacy and regulatory requirements. In addition, businesses must have proper segregation of duties to avoid fraud, and limited access to critical system transactions to avoid operational interruptions.

Within any SAP environment the challenge of meeting these and other rigorous standards is compounded by the complex SAP Security model as well as the constant changes brought on by a dynamic thriving business.

SAP Role Design Review and Redesign

1. SAP Role Design Review

Winterhawk’s SAP Security Services target customers that know there are problems with their current SAP Role Design, but are unsure of the best approach to resolve them. We identify the specific issues in the current design, prioritise each based on the level of risk and create a road map for resolution.

Our review service is designed to evaluate a customer’s existing SAP Role Design and provide actionable recommendations for the customer to address the findings from our review. Specifically, we identify issues with:

Assignment of sensitive business transactions

Assignment of sensitive system administration transactions

Assignment of sensitive authorisation objects

Manual insertion of authorisation object S_TCODE for transaction access

Quality of the design based on a user’s usage compared to a user’s access

Adequacy of naming conventions

Assignment of organisational access

Usage of manual authorisation changes in Roles

Table USOBT_C maintenance through transaction code SU24

Direct role or profile assignments to end users

Unassigned roles in Production

Create and/or change activities assigned in display only roles

2. SAP Security Role Redesign

Identification of issues may begin with an audit, the implementation of compliance software such as SAP GRC, the discovery of fraudulent activities or even a major system outage due to inappropriate privileged access. Whatever the reason, we are here to work with you.

For role redesigns our team can quickly determine the most effective and efficient approach to fixing the existing Role Design.

http://www.winterhawkconsulting.com/
Page 2: SAP Security Services - Winterhawk Consulting · PDF fileSAP Security Audit SAP Audit Outsourcing/Co-Sourcing. Control Rationalisation. Control Optimisation. SAP GRC Services SAP GRC

S A P R o l e D e s i g n R e v i e w a n d R e d e s i g n - P a g e 2 o f 3

S i m p l i f y | O p t i m i s e | S t a n d a r d i s e

W I N T E R H A W K C O N S U L T I N G

Email: [email protected]

Website: http://www.winterhawkconsulting.com

3. Winterhawk Toolkits

Customisable Project Related

Project Plan - SAP New Role Design

Project Plan - SAP Role Redesign and/or Remediation

Project Plan - SAP GRC Implementation

Project Plan - SAP GRC Upgrade

Project Charters

Project Risk Assessments / RAID Logs

Project Communication Plans

Technical Accelerators

Requirements Analysis

Blueprinting Accelerator

SAP Role Design Review Database

SAP Role User & Job Mapping Database

Functional & Technical Design Specifications

Best Practice Accelerators

System Parameters & Client Settings

Sensitive Transactions / Single Sided Risks

SAP Role Design

SAP Security Principles and Standards

Exceptions Reporting

Compliance Monitoring

Case Study Extract

SAP Role Redesign Project across Europe with large Global Beverage Organisation.

Situation

In early Q3 2014, an Audit raised significant concerns over Segregation of Duties, Sensitive Access, Role Mapping of User Entitlements and a lack of Standards and Policies across the SAP Security landscape. Auditors gave 90 days to reduce issues.

Approach

Winterhawk leveraged experienced resources with access to proven accelerators and industry best practices to execute a project plan that enabled a rapid replacement of old roles to new task based roles.

This was accomplished by re-mapping users based on transactions they used rather than the transactions they had assigned. The re-mapping of users and embedding of new standards was successfully completed across multiple countries.

Impact and Advantage

The use of Winterhawk’s databases allowed large amounts of data to be quickly analysed and summarised, leading to faster delivery to the business. The project successfully met deadlines and resulted in the remediation of the audit deficiency; work completed with little or no interruption to users, and new standards and policies were successfully implemented.

http://www.winterhawkconsulting.com/
Page 3: SAP Security Services - Winterhawk Consulting · PDF fileSAP Security Audit SAP Audit Outsourcing/Co-Sourcing. Control Rationalisation. Control Optimisation. SAP GRC Services SAP GRC

S A P R o l e D e s i g n R e v i e w a n d R e d e s i g n - P a g e 3 o f 3

S i m p l i f y | O p t i m i s e | S t a n d a r d i s e

W I N T E R H A W K C O N S U L T I N G

Email: [email protected]

Website: http://www.winterhawkconsulting.com

SAP Security Build

Companies frequently require external assistance for initial SAP implementations, addressing issues with an existing inadequate security design, or with remediating risks identified by auditors. In order to address these requirements, Winterhawk developed service lines to specifically address these common issues.

SAP Security New Role Design

Our SAP Security Role Design services target SAP customers:

Implementing SAP for the first time

Integrating an acquisition onto SAP

Rolling out new business functionality

Incorporating new organisations or territories onto SAP.

Winterhawk resources have significant experience with SAP Role Designs for new SAP implementations. For new designs we follow a structured methodology, accelerating project time lines by leveraging the SAP Security Role Design components of the Winterhawk Tool Set.

Our pre-configured SAP Role Design was developed to achieve the following objectives:

Significantly reduce the level of effort in the blueprinting phase,

Significantly reduce the level of effort in the testing phase,

Provide a logical naming convention to reduce the complexity of user provisioning,

Built-in compliance for Segregation of Duties,

Well structured, consistent and logical design providing the foundation to simplify maintenance over the life of the design,

Reusable model to make it easy to integrate future acquisition or business units, and

Consideration of risk when defining roles.

Map Business Processes to SAP Security Authorisation

Winterhawk Services

SAP Security & Role Design Services

SAP Role Design Review

SAP Security Role Design

SAP Security Role Re-Design

SAP SoD Remediation

SAP Audit Services

SAP Pre-Implementation Review

SAP Application Control Assessment, Design & Testing

SAP General Computer Control Review & Testing

SAP Security Audit

SAP Audit Outsourcing/Co-Sourcing.

Control Rationalisation.

Control Optimisation.

SAP GRC Services

SAP GRC Planning and Preparation

SAP GRC Implementations

SAP GRC Enhancements and Optimisation

SAP GRC Upgrades

SAP GRC Post Implementation Managed Services

SAP GRC Independent Verification and Validation

Risks

Business Functions

System Actions & Permissions

SAP Security Role Designs

http://www.winterhawkconsulting.com/
http://winterhawkconsulting.com/services/sap-audit-services/sap-pre-implementation-reviews/
http://winterhawkconsulting.com/services/sap-audit-services/sap-application-controls/
http://winterhawkconsulting.com/services/sap-audit-services/sap-application-controls/
http://winterhawkconsulting.com/services/sap-audit-services/sap-general-computer-controls/
http://winterhawkconsulting.com/services/sap-audit-services/sap-security-audit/
http://winterhawkconsulting.com/services/sap-audit-services/sap-audit-outsourcing-cosourcing/
http://winterhawkconsulting.com/services/sap-audit-services/sap-control-rationalization/
http://winterhawkconsulting.com/services/sap-audit-services/sap-control-optimization/

SAP GRC Overview

SAP GRC Overview

Documents
SAP GRC Access Control(1)

SAP GRC Access Control(1)

Documents
COKE SAP GRC Access Controls

COKE SAP GRC Access Controls

Documents
SAP GRC AC5.3 - Installation Guide

SAP GRC AC5.3 - Installation Guide

Documents
SAP GRC AC 10 - ASUG Argentinaasug.org.ar/wp-content/uploads/2016/08/SAP-GRC-10.1-PwC-y-SAP.pdf · SAP Región Sur Agenda SAP GRC: Functionalities SAP GRC AC 10.1: Functionalities

SAP GRC AC 10 - ASUG Argentinaasug.org.ar/wp-content/uploads/2016/08/SAP-GRC-10.1-PwC-y-SAP.pdf · SAP Región Sur Agenda SAP GRC: Functionalities SAP GRC AC 10.1: Functionalities

Documents
Coke - Auditing Sap Grc

Coke - Auditing Sap Grc

Documents
SAP BPC Authorizations via the SAP GRC

SAP BPC Authorizations via the SAP GRC

Documents
SAP GRC RM_PwC Implementation Approach_v2.0

SAP GRC RM_PwC Implementation Approach_v2.0

Documents
SAP GRC (Basic), - dbmanagement.infodbmanagement.info/Books/MIX/GRC_Basic-1.pdf · SAP GRC (Basic), Biju (jays) ... SAP worksteps 3 GRC Basic. ... SAP Security – The major elements

SAP GRC (Basic), - dbmanagement.infodbmanagement.info/Books/MIX/GRC_Basic-1.pdf · SAP GRC (Basic), Biju (jays) ... SAP worksteps 3 GRC Basic. ... SAP Security – The major elements

Documents
SAP GRC GOVERNANCE, RISK & COMPLIANCE · 2018-09-20 · Aspectos que caracterizan SAP GRC La principal ventaja de utilizar SAP GRC es la sincronía que consigue entre los departamentos

SAP GRC GOVERNANCE, RISK & COMPLIANCE · 2018-09-20 · Aspectos que caracterizan SAP GRC La principal ventaja de utilizar SAP GRC es la sincronía que consigue entre los departamentos

Documents
SAP GRC 99411GRCAC_Installations

SAP GRC 99411GRCAC_Installations

Documents
sap GRC Basics

sap GRC Basics

Documents
SAP GRC Access Control Document

SAP GRC Access Control Document

Documents
Helping enhance the real value of SAP GRC through … enhance the real value of SAP GRC through RouteONE Managed Services | 3 ... This service area uses SAP GRC technology and dashboards

Helping enhance the real value of SAP GRC through … enhance the real value of SAP GRC through RouteONE Managed Services | 3 ... This service area uses SAP GRC technology and dashboards

Documents
Sap grc nfe 1

Sap grc nfe 1

Technology
Helping enhance the real value of SAP GRC through RouteONE ... · 6 elping enhance the real value o SAP GRC through RouteONE anaged Services RouteONE Managed Services for SAP GRC

Helping enhance the real value of SAP GRC through RouteONE ... · 6 elping enhance the real value o SAP GRC through RouteONE anaged Services RouteONE Managed Services for SAP GRC

Documents
Auditing SAP GRC

Auditing SAP GRC

Documents
SAP GRC Access & Process Control

SAP GRC Access & Process Control

Documents
SAP GRC 10 Installation Guide

SAP GRC 10 Installation Guide

Documents
Implementation of SAP-GRC with the Pictet · PDF fileImplementation of SAP-GRC with the Pictet Group Pictet & Cie | Implementation of SAP-GRC with the Pictet Group Olivier VERDAN,

Implementation of SAP-GRC with the Pictet · PDF fileImplementation of SAP-GRC with the Pictet Group Pictet & Cie | Implementation of SAP-GRC with the Pictet Group Olivier VERDAN,

Documents
SAP GRC AC - SAP Finance Day

SAP GRC AC - SAP Finance Day

Economy & Finance
Download SAP GRC Tutorial

Download SAP GRC Tutorial

Documents
SAP GRC FOR FINANCIAL INSTITUTIONS.pdf

SAP GRC FOR FINANCIAL INSTITUTIONS.pdf

Documents
SAP Security & GRC Framework

SAP Security & GRC Framework

Documents
SAP GRC SOD

SAP GRC SOD

Documents
SAP GRC Audit for Call

SAP GRC Audit for Call

Documents
SAP GRC access control @ ULg

SAP GRC access control @ ULg

Documents
GRC Nordic SAP User Management · 2020. 9. 16. · GRC Nordic SAP User Management webinar. SAP Authorisation management ... •Financial reporting reliability •Internal control

GRC Nordic SAP User Management · 2020. 9. 16. · GRC Nordic SAP User Management webinar. SAP Authorisation management ... •Financial reporting reliability •Internal control

Documents
Auditing SAP GRC - ISACA - Information Security · PDF fileAuditing SAP GRC - Audit Risk Analysis (ARA) Security ARA is the web front end interface into SAP GRC

Auditing SAP GRC - ISACA - Information Security · PDF fileAuditing SAP GRC - Audit Risk Analysis (ARA) Security ARA is the web front end interface into SAP GRC

Documents
SAP GRC - UKISUG · PDF fileSAP GRC LATEST DEVELOPMENTS AND FUTURE PLANS. Reporting and Analytics SAP Risk Management SAP Process Control SAP Access Control SAP

SAP GRC - UKISUG · PDF fileSAP GRC LATEST DEVELOPMENTS AND FUTURE PLANS. Reporting and Analytics SAP Risk Management SAP Process Control SAP Access Control SAP

Documents