SAP GRC EAM Client case www.pwc.be April 2016


Page 1: SAP GRC EAM Client case (source: sapience.be/wp-content/uploads/2017/01/sapience-pwc...)

SAP GRC EAM Client case

www.pwc.be

April 2016

Page 2: Agenda

SAP GRC client context

Emergency Access Management deep-dive

Question & answer

Page 3: SAP GRC client context

Page 4: Common SAP authorisation challenges and how these relate to our client

The slide diagram places Effective SAP Security Design at the centre of three dimensions: SAP Role Architecture, Security & Provisioning Processes, and Org Structure & Governance. The challenges listed around it:

Misalignment of IT vs Business Objectives

Lack of Strategic Security Design Decisions

No Role or Security Design Ownership

User provisioning process with insufficient automation & information

Role Change Mgmt lacks risk and quality controls

Inefficient emergency support process

Overly Complex Security Design

Lacks flexibility to respond to ongoing changes

Lacks scalability to grow with organization

Inefficient Role Build Approach

No Documentation of Security Control Points

Inherent Segregation of Duties Risk

Management KPIs for Security Design are not established

Lack of automation for ongoing monitoring & recertification procedures

Insufficient SoD and/or Mitigating control frameworks

Page 5: Working together: PwC expertise & SAP GRC tools. A value accelerator in our client’s SAP security journey

Inputs shown in the slide diagram: SAP GRC Access Control technology, combined with PwC internal control, business process and SAP security & GRC technical expertise.

Client benefits:

Controlled emergency access

Monitored access risks

SOx compliant solution

IT process efficiency

Page 6: SAP GRC project timeline. Eight-week roll-out plan to SOx compliance!

Elements on the timeline: Project kick-off, Installation, EAM + ARM, ARA, Go-live, Post go-live support, Knowledge transfer, GRC roadmap.

Dates marked on the timeline: 05/05, 02/06, 30/06.

Page 7: Emergency Access Management deep-dive

Page 8: Introduction. Specific scope of the EAM work

The intention of AME LP was to integrate the existing ticketing system (SAP Solution Manager ChaRM) with the GRC EAM module.

Page 9: The process starts with a Solution Manager ticket for which a power user intervention is necessary

Page 10: The user starts the SAP GRC EAM session by clicking a custom button in Solution Manager

The button is custom developed.

Page 11: The user accesses his Emergency Access Management dashboard

The user only has access to the firefighters he has been pre-approved for.

SOx control: Access to firefighters must be (pre-)authorised by appropriate personnel

Page 12: The user logs into a firefighter

Only 1 user can log into a firefighter at the same time.

Controller notification

SOx control: Authorisation to access firefighter IDs is reviewed/renewed periodically

Page 13: Upon logging in, the user is required to enter his reason code and intervention plan

The ticket number is automatically added to the “Firefighter” log (non-modifiable).

The user must select a reason code from the drop-down list and enter the anticipated detailed actions of his intervention (to facilitate the log review).

Each Firefighter session will always be linked to one ticket number. A ticket number could be linked to multiple Firefighter sessions.

SOx control: Firefighter usage must be linked to a SolMan ticket, justifying usage

Page 14: The user is then logged in to the productive system as the firefighter

SOx control: IT users do not have “maintain” access in production

Page 15: During its usage, the firefighter cannot be used by another user

Once the user has logged off from the firefighter, it immediately becomes available again.

Controller notification

Page 16: After the session ends, the FF session number and log file are automatically attached to the ChaRM ticket

Page 17: The controller receives a notification that a log is pending review in SAP GRC

Page 18: The log is reviewed by the firefighter controller

SOx control: Firefighter log must be reviewed by appropriate personnel
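Pages 9 to 18 describe one firefighter session from ticket to log review, with a SOx control attached to most steps. The Python below is an added model of that control flow written for this page; it is not code from the presentation, from PwC or from SAP GRC EAM, and every name in it (FirefighterPool, open_session, close_session, review_log) and every sample value (users, firefighter IDs, the ticket number CHG-1001, reason codes, approval dates) is constructed for illustration. It goes a little beyond the slides in two places, both marked as assumptions: each pre-approval carries an expiry date so that the periodic renewal control on page 12 has a checkable effect, and the session's own user is refused as reviewer as one reading of "appropriate personnel" on page 18.

```python
"""Toy model of the firefighter session lifecycle on slides 9-18 (added example,
not code from the presentation or from SAP GRC EAM; all names and values are
constructed for illustration)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


class ControlViolation(Exception):
    """A step that would break one of the SOx controls listed on the slides."""


@dataclass(frozen=True)  # frozen: the log, ticket number included, is non-modifiable (slide 13)
class SessionLog:
    session_no: int
    firefighter: str
    user: str
    ticket: str
    reason_code: str
    plan: str
    actions: tuple
    reviewed_by: Optional[str] = None


class FirefighterPool:
    def __init__(self, approvals, controllers, reason_codes, open_tickets, today):
        # approvals: {firefighter_id: {user: valid_until}}; the expiry date is an
        # assumption that gives the periodic renewal control (slide 12) an effect
        self.approvals = approvals
        self.controllers = set(controllers)
        self.reason_codes = set(reason_codes)     # the drop-down list (slide 13)
        self.open_tickets = set(open_tickets)     # SolMan/ChaRM tickets (slide 9)
        self.today = today
        self.in_use = {}              # firefighter_id -> user holding it (slides 12, 15)
        self.active = {}              # session_no -> [ff, user, ticket, reason, plan, actions]
        self.pending_review = {}      # session_no -> SessionLog awaiting the controller
        self.ticket_attachments = {}  # ticket -> [SessionLog] (slide 16)
        self.notifications = []       # what the controller would be sent
        self._next_no = 1

    def dashboard(self, user):
        """Slide 11: only the firefighters the user is currently pre-approved for."""
        return sorted(ff for ff, users in self.approvals.items()
                      if user in users and users[user] >= self.today)

    def open_session(self, user, ff, ticket, reason_code, plan):
        """Slides 12-14: check a firefighter out against a ticket, reason and plan."""
        if ff not in self.dashboard(user):
            raise ControlViolation(f"{user} is not pre-approved for {ff}")
        if ticket not in self.open_tickets:
            raise ControlViolation("usage must be linked to an open SolMan ticket")
        if reason_code not in self.reason_codes:
            raise ControlViolation("reason code must come from the drop-down list")
        if not plan.strip():
            raise ControlViolation("an intervention plan is required")
        if ff in self.in_use:
            raise ControlViolation(f"{ff} is already in use by {self.in_use[ff]}")
        no, self._next_no = self._next_no, self._next_no + 1
        self.in_use[ff] = user
        self.active[no] = [ff, user, ticket, reason_code, plan, []]
        self.notifications.append(f"{user} logged into {ff} for {ticket} (session {no})")
        return no

    def record_action(self, session_no, action):
        """Everything done as the firefighter ends up in the session log."""
        self.active[session_no][5].append(action)

    def close_session(self, session_no):
        """Slides 15-17: free the firefighter, attach the log to the ticket, queue review."""
        ff, user, ticket, reason, plan, actions = self.active.pop(session_no)
        del self.in_use[ff]  # immediately available again
        log = SessionLog(session_no, ff, user, ticket, reason, plan, tuple(actions))
        self.ticket_attachments.setdefault(ticket, []).append(log)
        self.pending_review[session_no] = log
        self.notifications.append(f"log of session {session_no} pending review")
        return log

    def review_log(self, session_no, controller):
        """Slide 18: a designated controller, and not the user himself (assumption)."""
        log = self.pending_review[session_no]
        if controller not in self.controllers or controller == log.user:
            raise ControlViolation("log must be reviewed by appropriate personnel")
        del self.pending_review[session_no]
        return replace(log, reviewed_by=controller)


def demo():
    """Walk one intervention through the flow; returns the observations."""
    pool = FirefighterPool(  # all values below are constructed sample data
        approvals={"FF_BASIS_01": {"jdoe": date(2016, 12, 31), "asmith": date(2016, 12, 31)},
                   "FF_FI_01": {"jdoe": date(2016, 3, 31)}},   # jdoe's FI approval has lapsed
        controllers={"ctrl_basis"},
        reason_codes={"INCIDENT", "CHANGE"},
        open_tickets={"CHG-1001"},
        today=date(2016, 4, 28),
    )
    out = {"dashboard": pool.dashboard("jdoe")}
    s = pool.open_session("jdoe", "FF_BASIS_01", "CHG-1001", "INCIDENT", "restart stuck batch job")
    try:  # slides 12 and 15: a second user cannot take the same firefighter meanwhile
        pool.open_session("asmith", "FF_BASIS_01", "CHG-1001", "INCIDENT", "same fix")
        out["second_login"] = "allowed"
    except ControlViolation:
        out["second_login"] = "blocked"
    pool.record_action(s, "SM37: restart job ZBATCH_01")
    pool.close_session(s)
    out["attached"] = [log.session_no for log in pool.ticket_attachments["CHG-1001"]]
    out["free_again"] = "FF_BASIS_01" not in pool.in_use
    try:  # the user cannot sign off his own log
        pool.review_log(s, "jdoe")
        out["self_review"] = "allowed"
    except ControlViolation:
        out["self_review"] = "blocked"
    out["reviewed_by"] = pool.review_log(s, "ctrl_basis").reviewed_by
    return out
```

Calling demo() runs the whole flow: the lapsed FI approval is absent from the dashboard, the second login is refused while the firefighter is checked out, the log is attached to CHG-1001 and the firefighter is free again as soon as the session closes, and only the designated controller can close the review. The point worth taking from the model is that each SOx control on the slides becomes a concrete check at a single step, and that the log record is created frozen so the ticket linkage cannot be edited afterwards.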

Page 19: Conclusion

Page 20: A view for the future

Expansion across the global client organisation

Process optimisation through data analytics and KPI & KRI monitoring

SAP GRC PC for client’s business units

SAP GRC Risk Management

Link with Identity Management solution

SAP GRC Fraud Management and Audit Management

SAP GRC Global Trade Services

Page 21: Question & answer. PwC’s upcoming SAP GRC & security events

http://www.pwc.be/en/events-courses.html

Webinar: SAP HANA security - Prepare for what’s next
Date & time: 28 April 2016, 16:00h – 17:00h
• Obtain a clear and detailed view on the security set-up in a SAP HANA based environment
• Watch the theory come alive through a live SAP HANA security demo
• Gain first-hand insight on security good practices in a SAP HANA context through experience sharing by PwC experts
• Learn about the security skills, processes & controls required to continue safeguarding your sensitive data in a SAP HANA context

Increasing quality & profitability with SAP GRC Access Control
Date & time: 18 May 2016, 10:30h – 16:00h, PwC Brussels
• Live demo & good practice sharing
• Gain insights from an SAP GRC AC client use case
• Obtain first-hand views on SAP GRC’s roadmap for the future
• Explore how to generate value-add from your SAP GRC system by quantifying potential risk violations using data analytics techniques, combining PwC process mining expertise with SAP Access Violation Management technology

Page 22: For more information on the subject, please contact ...

Wim Rymen, Director, +32 473 269 [email protected]

Kris Wauters, Senior manager, +32 499 558 [email protected]

Romain Prudhomme, Senior consultant, +32 485 175 [email protected]

© 2016 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.