User's Manual RAR (source: http://slidepdf.com/reader/full/users-manual-rar)

User Manual Risk Analysis & Remediation

Risk Analysis & Remediation (RAR) is the component of SAP GRC that provides risk analysis, detection and remediation for access and authorization control.

The home page screenshot of SAP GRC RAR shows seven tabs, one for each type of activity. End users do most of their work in the Mitigation and Informer tabs.

Major Functions Of RAR:
RAR provides the ability to perform several major functions:
- Determine and report whether any risks are associated with a group of actions or permissions and a User, Role, or Profile.
- Determine and report whether any risks would be introduced by simulating the addition of actions, Roles, or Profiles to a User ID. Run before the assignment is made, this catches new risks before they reach your production environment.
- Create, maintain, and manage the Risks from which Rules are generated.
- Apply Controls to mitigate any Risk associated with a User, Role, or Profile.
- Alert the appropriate monitor when conflicting or critical actions are used, or when a control is assigned to mitigate a risk.
- Alert the appropriate manager when activity monitoring is not performed.

SAP Security Check Sequence:
1. The R/3 user logs in to SAP.
2. The user executes a transaction.
3. SAP programs are called.
4. Security routines in the program identify the authorization objects to check and the field values required.
5. The values required by the program are matched against the values in the user's security authorizations.

6. Access is granted if every check succeeds.

Risk Analysis:
A Risk is defined as two or more actions that, when available to a single user, role, profile, or HR Object, create the possibility of error or irregularity. Thousands of action combinations can be categorized as Risks. Risks can also be defined by combinations of the permissions (authorization object values) associated with specific actions, rather than by the actions alone.

Purpose:
When you run a Risk Analysis or a Simulation, you generate reports presenting different types of information: the risks or conflicts found, or the use of critical actions by the Users, Roles, Profiles, or HR Objects included in the analysis.
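The check sequence above, together with the remark that Risks can be defined on permissions and not only on actions, as an added example: a Python model (written for this page, not SAP or RAR code) of how steps 4 and 5 match a program's required authorization field values against the authorizations in a user's profile. S_TCODE, F_BKPF_BUK, FB01, FB03 and FB60 are real SAP object and transaction names used for illustration; the profile contents, the checks attributed to each program and the prefix-wildcard matching are simplified assumptions of the example.

```python
"""Added example (not SAP code): a model of the authorization check that runs
when a user executes a transaction, following the security check sequence."""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization from a user's profile: an authorization object plus
    the permitted value patterns for each of its fields."""
    obj: str
    fields: dict  # field name -> tuple of allowed value patterns


def value_matches(pattern: str, value: str) -> bool:
    """Single-value match: '*' allows everything, a trailing '*' is a prefix
    wildcard, anything else must be identical. Value intervals (FROM:TO) that
    SAP also supports are not modelled here (assumption of the example)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, obj: str, required: dict) -> bool:
    """Model of ABAP 'AUTHORITY-CHECK OBJECT obj ID f1 FIELD v1 ...': succeeds
    if ONE authorization for `obj` satisfies EVERY required field. Values from
    two different authorizations are never combined."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(
            any(value_matches(p, value) for p in auth.fields.get(field, ()))
            for field, value in required.items()
        ):
            return True
    return False


def run_transaction(auths, tcode: str, program_checks) -> bool:
    """Security check sequence: the transaction start is gated by S_TCODE,
    then every authorization object the program checks must pass."""
    if not authority_check(auths, "S_TCODE", {"TCD": tcode}):
        return False
    return all(authority_check(auths, obj, req) for obj, req in program_checks)


# Constructed sample profile: an AP clerk who may post (ACTVT 01) in company
# code 1000 but only display (ACTVT 03) documents of company code 2000.
CLERK_AUTHS = (
    Authorization("S_TCODE", {"TCD": ("FB01", "FB03", "FK*")}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("1000",), "ACTVT": ("01", "02", "03")}),
    Authorization("F_BKPF_BUK", {"BUKRS": ("2000",), "ACTVT": ("03",)}),
)


# Constructed check lists (assumption): what the posting program behind FB01
# and the display program behind FB03 check for a document in `bukrs`.
def post_document_checks(bukrs):
    return (("F_BKPF_BUK", {"BUKRS": bukrs, "ACTVT": "01"}),)


def display_document_checks(bukrs):
    return (("F_BKPF_BUK", {"BUKRS": bukrs, "ACTVT": "03"}),)


if __name__ == "__main__":
    print(run_transaction(CLERK_AUTHS, "FB01", post_document_checks("1000")))     # True
    print(run_transaction(CLERK_AUTHS, "FB01", post_document_checks("2000")))     # False: ACTVT 01 only for 1000
    print(run_transaction(CLERK_AUTHS, "FB03", display_document_checks("2000")))  # True
    print(run_transaction(CLERK_AUTHS, "FB60", post_document_checks("1000")))     # False: no S_TCODE for FB60
```

Two properties of the check matter for permission-level analysis: a field value is matched only within one authorization, so BUKRS=2000 from the second authorization and ACTVT=01 from the first never combine; and the S_TCODE gate alone says nothing about what the user can actually post, which is why an action-level and a permission-level report for the same user can differ.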

From these reports you identify each Risk and either remove it or apply a Control.

Mitigation:

Purpose
Once a Risk Analysis has identified Risks associated with a User or Role, you may want to limit or monitor the Risk rather than remove its cause. Mitigation Controls let you associate controls with Risks so that they can be applied to the Users and Roles that Risk Analysis found to violate SoD rules. You also define Monitors and Approvers, assign them to specific controls, and create Business Units to categorize your Mitigation Controls.

The Mitigation tab lets you accept specific risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control.

A Mitigation Control performs the following functions:
- Identifies the Segregation of Duties (SoD) conflict as a known Risk.
- Establishes a period of time during which the Risk may exist and is monitored.
- Associates a list of Monitors with the Control. Only Monitors associated with a Control definition may be selected when mitigating a Risk.
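As an added example tying together the Risk Analysis, Simulation and Mitigation Control passages above (Python written for this page, not RAR or SAP code): a minimal action-level rule set, an analysis that reports each conflicting action combination, a simulation that reports only the risks a new role assignment would introduce, and a Mitigation Control with associated Risk IDs, Monitors and a validity period. Function IDs, Risk IDs, role names and the user ID are constructed sample data; the transaction codes are real SAP codes used only as labels, and FBD_M004 is the Monitor maintained in this manual.

```python
"""Added example (not RAR or SAP code): action-level SoD rule set, risk
analysis, what-if simulation and mitigation control handling."""
from dataclasses import dataclass
from datetime import date
from itertools import product

# Constructed rule set. A Function groups the actions (transaction codes) that
# perform one business task; a Risk names the functions that conflict when a
# single user, role or profile holds all of them.
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},      # maintain vendor master data
    "AP02": {"F-53", "F110"},      # pay vendor invoices
    "PR01": {"ME21N", "ME22N"},    # create or change purchase orders
    "PR02": {"MIGO"},              # post goods receipts
}
RISKS = {                          # risk ID -> (risk level, conflicting functions)
    "P001": ("High", ("AP01", "AP02")),
    "P002": ("Medium", ("PR01", "PR02")),
}
# Constructed roles: the actions each role grants (permission values omitted).
ROLE_ACTIONS = {
    "Z_AP_CLERK": {"FK01", "F-53"},
    "Z_AP_PAYRUN": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    level: str
    actions: tuple   # one conflicting action per function of the risk


def actions_for(roles):
    """All actions held through the given roles."""
    return set().union(*(ROLE_ACTIONS[r] for r in roles))


def risk_analysis(actions):
    """Action-level analysis: a risk fires when the analysed actions include at
    least one action of EVERY function in the risk. Every combination of
    conflicting actions becomes one violation line."""
    found = []
    for risk_id, (level, funcs) in RISKS.items():
        per_function = [sorted(FUNCTIONS[f] & set(actions)) for f in funcs]
        if all(per_function):
            for combo in product(*per_function):
                found.append(Violation(risk_id, level, combo))
    return found


def simulate(current_roles, added_roles):
    """Simulation: risk IDs that assigning added_roles would NEWLY introduce;
    risks the user already carries are not reported again."""
    before = {v.risk_id for v in risk_analysis(actions_for(current_roles))}
    after = {v.risk_id for v in risk_analysis(actions_for(set(current_roles) | set(added_roles)))}
    return sorted(after - before)


@dataclass
class MitigationControl:
    control_id: str
    risk_ids: set      # only these associated Risk IDs can be mitigated by it
    monitors: set      # Monitors associated in the control definition
    valid_from: date
    valid_to: date
    assigned_to: set   # user IDs or role names the control is applied to


def unmitigated(subject, violations, controls, on):
    """Violations that remain after applying the controls valid on date `on`."""
    covered = set()
    for c in controls:
        if subject in c.assigned_to and c.valid_from <= on <= c.valid_to:
            covered |= c.risk_ids
    return [v for v in violations if v.risk_id not in covered]


# Constructed user and control; FBD_M004 is the Monitor from the manual.
USER_ROLES = {"APCLERK1": ["Z_AP_CLERK", "Z_AP_PAYRUN"]}
CONTROLS = [
    MitigationControl("AP_MC_001", {"P001"}, {"FBD_M004"},
                      date(2019, 1, 1), date(2019, 12, 31), {"APCLERK1"}),
]


def user_report(user_id, on_iso):
    """User-level report: violation lines, risks found, and risks still open
    on the given ISO date after mitigation controls are applied."""
    violations = risk_analysis(actions_for(USER_ROLES[user_id]))
    still_open = unmitigated(user_id, violations, CONTROLS, date.fromisoformat(on_iso))
    return {
        "violations": len(violations),
        "risks": sorted({v.risk_id for v in violations}),
        "open": sorted({v.risk_id for v in still_open}),
    }


if __name__ == "__main__":
    print(user_report("APCLERK1", "2019-07-21"))    # {'violations': 2, 'risks': ['P001'], 'open': []}
    print(user_report("APCLERK1", "2020-01-01"))    # control expired, so 'open': ['P001']
    print(simulate(["Z_BUYER"], ["Z_WAREHOUSE"]))   # ['P002']
    print(simulate(["Z_AP_CLERK"], ["Z_AP_PAYRUN"]))  # []: P001 already existed before
```

Note what the two dates show: once the control's Valid To date has passed the same violations reappear as open, so expiring controls need a re-run of the analysis, and a control never hides a risk that is not among its associated Risk IDs.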

Prerequisites to configure Mitigation: Administrator and Business Units.

Administrator:
The Administrator option is used to create and maintain Approvers, Monitors and Risk Owners. Users who perform these functions must be maintained in the Administrator screen before they can be selected in later screens. Example entry:

Administrator ID: FBD_M004
Full Name: Supratip Narayan Roy
Email: [email protected]
Role: Monitor

Search Administrator:
Menu Path: Mitigation tab → Administrator → select the role you want to search → Search. Select an Administrator in the result list and click Change to view or edit the entry.

Business Unit:
Business Units let you categorize your Mitigation Controls. When you define a Mitigation Control you assign it to a specific Business Unit, which limits the Controls available to the Business Units specified in a RAR Role definition.

Creation of Business Unit:
1. The Business Units option expands to Create and Search. Click Create and the Define Business Unit page appears.
2. In the Business Unit ID field, enter a unique alphanumeric identifier for the business unit.
3. In the Description field, enter a short description of the business unit.
4. In the Approver tab, click the Plus icon to add a new Approver ID and full name.
5. In the Monitor tab, click the Plus icon to add a new Monitor ID and full name.
   Note: Approvers and Monitors must be set up in the Administrator pane before they can be assigned to Business Units.
6. Click Create.

After creation you can search for the business unit and amend it if required. Click Search; the result page offers Change and Delete options.

Mitigating Controls:
When you define a Mitigation Control you create a Mitigation Control ID. This Control ID appears in the various Risk Analysis reports. Defining a Mitigation Control includes associating the Risk IDs that the control mitigates; a role can only be mitigated for the Risk IDs associated in the Control definition.

Create a Mitigating Control:
1. Menu Path: Mitigation tab → Mitigating Controls → Create.
2. In the Mitigating Control ID field, enter a unique alphanumeric ID of at most 10 characters.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit drop-down menu, select the desired business unit. The drop-down lists the business units created with the Business Units option.
5. In the Management Approver drop-down menu, select the desired approver. The drop-down lists the approvers associated with the Business Unit chosen in step 4.
6. In the Associated Risks tab, click the Plus icon to add Risk IDs to the mitigating control; enter each risk ID followed by * (as in the screenshot). The Associated Risks tab associates Risk IDs with the Mitigation Control, and only Risk IDs associated with a Control can be mitigated by it.
7. In the Monitors tab, click the Plus icon to add Monitors to the mitigating control. Note: Approvers and Monitors must be set up in the Administrator pane before they can be assigned.
8. Click Save.

Search a Mitigating Control:
1. The Mitigating Controls option expands to Create and Search. Click Search and the Search Mitigating Controls page appears.

   Note: Any of the fields on the Search Mitigating Controls page can be used as search criteria. Fill in one or more fields, then click Search.
2. In the Mitigating Control ID field, click the Search icon to search for a mitigating control ID.
3. In the Description field, enter a short description of the mitigating control.
4. In the Business Unit field, click the Search icon to search for a business unit.
5. In the Management Approver field, enter the user ID of the approver of the mitigating control you want to find.
6. In the User ID field, click the Search icon to search for a user ID.
7. In the Role field, click the Search icon to search for a role.
8. In the Monitor drop-down menu, select the desired monitor.
9. In the Risk ID field, click the Search icon to search for a risk ID.
10. In the Valid From and Valid To fields, click the Calendar icon to define the time range during which the mitigation control mitigates a user or role.
11. In the Status drop-down menu, select the desired status (All, Enable, Disable).
12. Click Search.

Mitigation of Roles:
Search for the mitigation control containing the Risk ID for which you want to mitigate specific roles, select the control ID and click Change.

Select the risk under which you want to place the mitigated roles and click the Mitigate Roles button. On the page that opens, click Add to add the roles you want to mitigate. On the next page, search for the role:

Click Role name → select the system → paste the role name → click Search → the role is listed → click Select → enter the risk ID followed by * → select the monitor ID → save the data.

The role is now mitigated for that risk.

Informer:
RAR provides detailed compliance analysis for enterprises. It lets an enterprise examine every aspect of access in its Enterprise Resource Planning (ERP) system and implement internal controls. The data gathered in each analysis is available for immediate viewing in a wide range of predefined and user-modified reports, which are accessible through the Informer tab.

Informer tab report types include:
- Management View
- Risk Analysis
- Audit Reports
- Security Reports
- Background Job

You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels.

Management View
The following reports are accessed from the Management View menu:
- Risk Violations
- Users Analysis
- Role Analysis
- Comparisons
- Alerts
- Rules Library
- Controls Library

Each item in the Management View category includes at least one of the following interactive, graphical displays:
- Pie Chart
- Bar Chart

After selecting report parameters for any Management View report type, click Go to show the selected information in the graphical display. Drill down by clicking anywhere on the pie chart or on the chart labels of a bar or line chart. Drilling down lets you view:
- Risk IDs and descriptions for each severity level (critical, high, medium, low).
- Detailed information for each Risk Description.
- Change History for each Risk.
- Conflicting functions that are causing the Risk.
- Detailed information for each conflicting function.
- Change History for each function.

Risk Violations report under Management View:

The screenshot shows all risk violations by process, for example ITC Order to Cash and ITC Financial Accounting. On the right is the bar chart; clicking on it opens the further report of risk violations for each Risk. To see an individual risk violation, click its Risk ID; the detailed violation is then shown.

Role Analysis under Management View:
Role Analysis identifies SoD violations among the roles and profiles that have been assigned to users. These roles and profiles cover typical responsibilities such as payroll, accounts payable, and finance.

Menu Path: Informer → Management View → Role Analysis
1. From the Cal. Month/Year drop-down menu, select a date. This is the date range set in SAP.
2. From the System drop-down menu, select the system for which you want to collect SoD data.
3. From the Analysis Type drop-down menu, select an analysis type.
4. In the Violation Count By field, select either Risk or Permission.
5. Press Go.
   Note: Most management reports should count at the Risk level, which shows the number of conflicts at the highest level. If Risk is selected, a user is counted only once against a risk regardless of how many occurrences the user has. If Permission is selected, a user may count for multiple violations within a risk, because several actions may each allow them to perform the same function.

The result screenshot shows the number and percentage of roles with no violations and of roles with violations. At the bottom right is the bar chart of Roles and Users. Clicking Roles opens the detailed report of process, Risk Level and number of violations for each risk. Clicking any risk opens the detail report, including the relevant functions and other parameters. The Change History button shows the Risk change history report.

Risk Analysis
Risk Analyses are run to see whether any User, Role or Organization has access to two or more conflicting actions. When two or more actions are determined to be conflicting, the combination of those actions is defined as a Risk. Risks define Rules, also known as SoD rules. When you run a Risk Analysis, any existing SoD violations are reported for each User, Role or Organization included in the analysis.

Menu Path: Informer → Risk Analysis → Role Level

For a role-level risk analysis you select the following parameters (see screenshot):

System: the system for which you want to run the role-level risk analysis, for example the ECC quality system.
Role: to restrict the report to one role, enter the role name and run the job.
Risk by Process: risks are defined under processes. Choose the process for which you want the role-level analysis, for example ITC Order to Cash.
Risk ID: to restrict the report to one risk, enter the Risk ID and run the job.
Risk Level: there are four risk levels, Critical, High, Medium and Low, chosen when a risk is defined. To analyse only one level, select it before running the analysis.
Rule Set: every risk is assigned to a rule set. Select the rule set for which you want to run the role-level analysis.

Report Type

There are six report types, each of which can be formatted in several ways.
- Action Level SoD reports: produce a list of SoD conflicts at the action (transaction) level.
- Permission Level SoD reports: produce a list of SoD conflicts at the permission (authorization object value) level.
- Critical Actions reports: limit the list to the critical actions available. Critical actions are defined under the Rule Architect tab.
- Critical Permissions reports
- Critical Roles/Profiles reports: list only the critical Roles and Profiles associated with the User, Role or Organization. This report does not list any risks.
- Mitigation Control reports: list the valid Mitigation Controls assigned to the User, Role or Organization included in the analysis.

Choosing a Report Format:
You can choose one of four report formats for the six report types described above:
1. Summary: lists the combination of conflicting actions that produce the risk as one line item.
2. Detail: lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down by clicking the risk to view more detailed information, including the conflicting functions.
3. Management Summary: lists each Risk as a single line item, displays the Risk severity level and provides a link to the Risk Resolution page, where options are available for resolving the risk. Drill down by clicking the risk to view more detailed information, including the conflicting functions.
4. Executive Summary: lists each risk as a single line item and displays the total number of conflicting actions producing the Risk.

After selecting all the required parameters, run the analysis as a background job (see screenshot):

- Give the Background Job a name.
- Select an Immediate start or schedule a Delayed start for the Background Job. If you choose a delayed start, set the date and time for the job to begin.
- If you want to run the Background Job more than once, tick the Schedule Periodically check box and set the schedule parameters.
- Click Schedule. If the Background Job was scheduled successfully, a message containing the Job ID number appears at the bottom of the page.

Search Background Job:
Menu Path: Informer → Background Job → Search → enter the Job ID and click Search.

The search takes you to the result screen, where the details of the job are listed. Select the job whose detail report you want and use the buttons below the list:
- Show Job History: shows the history of the job.
- View Log: shows each step of the job. If an error occurred while the job was executing, it can be analysed from this log.