WHITE PAPER

SAP GRC Access Control Solution - White paper on Implementation Methodology

HCL SAP GRC Practice, January 2008

Table of Contents

Executive Summary 3
Introduction 4
SOX, SoD and SAP 4
Functions of SAP GRC Access Control 6
Implementation Methodology 7
ANNEXURE 1: Various Aspects 10
ANNEXURE 2: Roles and Responsibilities 11
ANNEXURE 3: Time Lines 12
ANNEXURE 4: Challenges 12
ANNEXURE 5: SAP GRC Business Benefits 13

Executive Summary

In the era of stringent corporate governance, new regulatory requirements have made tighter internal control a standard compliance expectation across the globe.

All organizations, irrespective of size, are struggling to comply with these regulations and to manage the associated risk. The cost and effort to establish, maintain and prove compliance demand both money and time that could otherwise be invested in value addition rather than value protection.

For many organizations the technology solution is to attempt automation using standard office tools such as spreadsheets, which, in spite of their low cost, may become part of the problem rather than a compliance solution.

Fortunately, a newly available class of software platform, which has become known as GRC technology, can help streamline this automation. This white paper pertains to one of the most accountable control automation tools, SAP GRC Access Control, and details its implementation methodology.

"He who cannot obey himself will be commanded. That is the nature of living creatures."
- Friedrich Wilhelm Nietzsche

• Barings Bank: Nick Leeson's $1.2 billion loss; Barings forced into bankruptcy.
  - Improper supervision and SoD violations delayed detection.
• Daiwa Bank: Toshihide Iguchi's $1.1 billion loss and $340 million fine for unauthorized trades.
  - Management tried to conceal losses by overriding controls and SoD violations.
• Sumitomo Bank: Yasuo Hamanaka's $1.8 billion copper position losses.
  - Maintained two sets of books for over a decade.
• NatWest U.K.: Kyriacos Papouis concealed over $100 million in option losses.
  - Manipulated the books.
• Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom ... Société Générale ...

SAP GRC Access Control

Integrated GRC is an offshoot of SOX and of the other such compliance regimes that exist across industries worldwide.

Evolution of Integrated GRC:

In itself GRC is not new. Corporate governance, risk management and compliance, as individual issues, were always the most fundamental concerns of a business and its top leaders. What is new is Integrated GRC.

It is an approach covering the practices of the organization and the various roles that the board, senior management, line management and the rest of the organization play in relation to oversight, strategy, risk management and strategy execution regarding compliance with laws, regulations, and internal policies and procedures.

Introduction

Sarbanes-Oxley compliance was a result of such scandals. Also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called SOX, it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals.

Signed by Congress on July 30, 2002, its overall purpose is to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

To be SOX (Sarbanes-Oxley Act) compliant, the main issue arises in SoD (Segregation of Duties) management, i.e. access-related problems in organizations. For this purpose an automated approach is needed to implement the rules and policies of SOX compliance.

SAP is in the process of addressing the various compliance and risk management issues across industry verticals with the development of automated solutions.

One of the solutions it has developed is GRC Access Control, an application that handles sustainable prevention of segregation-of-duties violations. Implementing the automated Access Control solution enables the organization to fulfill the requirements of SOX compliance without SoD violations of any severity.

SOX, SoD and SAP

Segregation of Duties (SoD)

SAP definition of SoD: "A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel."

Across an enterprise there are various functions, and these functions are performed together by a set of roles/responsibilities.

SoD says that this set of roles/responsibilities should be assigned in such a way that, across the enterprise, no individual has end-to-end access rights over any function.

[Figure: End-to-end access and SoD]

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Under the concept of SoD, business-critical duties can be categorized into four types of function: authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.

The roles and responsibilities for a function should be divided in such a way that no one person has full rights over the function, so that the risk of malicious activity or manipulation of the function is reduced. The more critical the function, the greater and clearer the segregation of duties should be.

Some examples of incompatible duties are:

• Creating a vendor and initiating payment to it.
• Creating invoices and modifying them.
• Processing inventory and posting payment.
• Receiving checks and writing pay-offs.

Ideally, a single individual must not have authority for creation, modification, review and deletion of any transaction, task or resource.

If an individual has access rights for creation and modification, he can create a record and, after getting it reviewed, modify it to carry out fraudulent activity. Similarly, if an individual has creation and deletion rights, he can create a transaction, initiate payment and later delete any transaction logs that could track his activity.

Segregation of Duties deals with access controls. Access control ensures that one individual does not have access to two or more incompatible duties.

Segregation of Duties ensures that:

• Errors are detected, as SoD ensures a cross-check of roles/responsibilities
• The risk of fraud is reduced, as fraud would require two or more individuals to collude
• There is a clear separation of roles/responsibilities across the various functions of the organization
• The risk associated with a function or process being manipulated for fraudulent purposes is reduced

If proper SoD does not exist in an organization, then:

• Internal access controls are ineffective
• Materials, money, financial assets and resources may be used improperly
• The estimate of the financial condition may be wrong
• Financial documents produced for audits and review may be incorrect
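The following is an added example, not code from the HCL paper or from any SAP product, showing how the SoD concepts above are operationalized in an access risk analysis: functions group actions, a risk is a pair of conflicting functions, a user is in violation when his roles give him actions on both sides of a risk, a mitigating control documents an accepted exception with an expiry date, and a what-if simulation checks a proposed role assignment before it is provisioned. All function names, transaction codes, roles, users and controls are constructed for illustration.

```python
"""Added example (not from the HCL paper): a minimal segregation-of-duties
risk analysis. Functions group actions (SAP transaction codes); a risk is a
pair of functions no single user should hold; a mitigating control is a
documented, time-limited exception. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import date

# Function -> actions (transaction codes). Constructed sample data.
FUNCTIONS = {
    "VENDOR_MAINT":   {"XK01", "XK02"},   # create / change vendor master
    "VENDOR_PAY":     {"F110", "F-53"},   # run payment program / post payment
    "INVOICE_ENTRY":  {"FB60", "MIRO"},   # enter vendor invoice
    "INVOICE_CHANGE": {"FB02"},           # change a posted document
}

# Risk id -> conflicting function pair (the paper's "incompatible duties").
RISKS = {
    "P001": ("VENDOR_MAINT", "VENDOR_PAY"),      # create vendor and pay it
    "P002": ("INVOICE_ENTRY", "INVOICE_CHANGE"),  # create invoice and modify it
}

# Role -> actions it grants. Constructed sample roles.
ROLES = {
    "Z_AP_CLERK":      {"FB60", "MIRO", "XK01"},
    "Z_AP_PAYMENT":    {"F110"},
    "Z_AP_SUPERVISOR": {"FB02"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Mitigation:
    risk_id: str
    user: str
    control: str      # e.g. "monthly review of payment runs by AP manager"
    valid_to: date    # a control that has expired no longer covers the risk


def user_actions(user, roles=ROLES):
    """All actions reachable through the user's roles."""
    return set().union(*(roles[r] for r in user.roles))


def violations(user, roles=ROLES):
    """{risk_id: (function_a, function_b)} for every risk where the user
    can perform at least one action of BOTH conflicting functions."""
    acts = user_actions(user, roles)
    return {rid: (fa, fb) for rid, (fa, fb) in RISKS.items()
            if acts & FUNCTIONS[fa] and acts & FUNCTIONS[fb]}


def unmitigated(user, mitigations, today, roles=ROLES):
    """Violations not covered by a mitigating control still valid on `today`."""
    covered = {m.risk_id for m in mitigations
               if m.user == user.name and m.valid_to >= today}
    return {rid: v for rid, v in violations(user, roles).items()
            if rid not in covered}


def simulate_assignment(user, new_role, mitigations, today, roles=ROLES):
    """What-if check before provisioning: the NEW unmitigated risk ids a role
    assignment would introduce. Empty set means the request is clean."""
    before = set(unmitigated(user, mitigations, today, roles))
    trial = User(user.name, user.roles | {new_role})
    after = set(unmitigated(trial, mitigations, today, roles))
    return after - before


def risk_report(users, mitigations, today, roles=ROLES):
    """Summary report: one row per user listing open (unmitigated) risks."""
    return [{"user": u.name,
             "open_risks": sorted(unmitigated(u, mitigations, today, roles))}
            for u in users]


if __name__ == "__main__":
    today = date(2008, 1, 15)
    alice = User("alice", {"Z_AP_CLERK", "Z_AP_PAYMENT"})
    bob = User("bob", {"Z_AP_CLERK"})
    ctrl = [Mitigation("P001", "alice", "AP manager reviews payment runs monthly",
                       date(2008, 12, 31))]
    print(risk_report([alice, bob], ctrl, today))
    print("bob + Z_AP_PAYMENT would add:", simulate_assignment(bob, "Z_AP_PAYMENT", ctrl, today))
```

The check compares actions, not role names, so a conflict created across two separately harmless roles is still found; the simulation is what makes the preventive ("stay clean") use possible, because a request can be rejected or routed for a mitigating control before the role reaches production.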

Manual Approach to SoD

Traditional approaches for identifying and preventing SoD issues are costly, time-consuming and exhaustive, with scope for error. In today's increased regulatory environment, companies cannot afford to waste time and money hoping that a manual approach will satisfy their audit requirements. Companies now seek a comprehensive, automated approach to help them quickly resolve SoD challenges without disrupting their business.

SAP Access Control

SAP GRC Access Control delivers a comprehensive, cross-enterprise set of access controls that enables all corporate compliance stakeholders, including business managers, auditors and IT security managers, to collaboratively define and oversee proper SoD enforcement, enterprise role management, compliant provisioning and superuser privilege management.

Functions of SAP GRC Access Control

SAP GRC Access Control includes the Virsa Compliance Calibrator application for SAP, the Virsa Role Expert application for SAP, the Virsa Firefighter application for SAP, and the Virsa Access Enforcer application for SAP. When deployed together, they provide an end-to-end access control solution that addresses the following areas:

• Risk detection: SAP applications for Access Control detect even the most obscure access and authorization risks across SAP and non-SAP applications, providing protection against every potential source of risk, including segregation of duties and transaction monitoring.
• Risk remediation and mitigation: These applications for access and authorization control enable fast, efficient remediation and mitigation of access and authorization risks by automating workflows and enabling collaboration among business and technical users.
• Reporting: The applications deliver the comprehensive reports and role-based dashboards that businesses need to monitor the performance of compliance initiatives and to take action as needed.
• Risk prevention: Once access and authorization risks have been remediated, only SAP applications for Access Control can prevent new risks from entering a production system. By empowering business users to check for risks in real time and by automating user administration, the applications make risk prevention a continuous, proactive process.

Implementation Methodology based on SAP Best Practice

HCL has developed an approach and methodology for implementation of the SAP GRC Access Control Suite. The Suite embraces four tools:

• Access risk analysis and remediation
• Compliant user provisioning
• Role management
• Privileged user access management

This implementation methodology, when followed step by step, makes access and authorization risk management, and subsequently compliance adherence, an integral part of customary organizational activities. The implementation process is based on best practices provided by SAP and extends from the GET CLEAN phase (identify and resolve the access risk issues) to the STAY CLEAN phase (the compliant user provisioning process is channelled into an automated structure).

The implementation process starts with installation and configuration of Compliance Calibrator. In line with the SoD management process, business process owners identify any fraudulent or accidental corruption activity that is subject to access and authorization or SoD risks, and then implement the necessary mitigating controls. Next, during implementation of Role Expert, the role designation methodology of the organization is designed through Role Designer. In the Access Enforcer implementation, workflows are defined; workflows channel the different work processes into a structured, transparent and automated form.

Finally, Firefighter is implemented, which endows selected users with exceptional rights. So that any risk occurrence can be traced, all activities of users with firefighter rights are logged and documented.

The proposed methodology for implementing SAP GRC Access Control projects has six phases:

• Implementation Readiness
• Deploy & Install GRC Access Control Tool Suite
• Risk Analysis and Remediation
• Super User Privilege Management
• Compliant User Provisioning
• Enterprise Role Management

Preparation of Implementation

We recommend that the implementation life-cycle of the GRC Access Control tools includes everything from installation and configuration of all four applications to their integration and validation.

Preparation includes:

• NetWeaver installation configured and validated, i.e. ready for application installation
• Resource identification
• Requirement validation: this includes review and validation of the customer's requirements against product functionality. There should be a brief analysis of the customer's business environment, including an organizational scan and a study of their business processes. The BPX, along with the implementation consultant and the BPO, will architect solutions to address requirement gaps.

Deploy & Install GRC Access Control Tool Suite

Once the preparations for implementation are done, we proceed to installation and configuration of the Access Control tools.

The Access Control Tool Suite can be downloaded from the SAP Support Portal at SAP Service Marketplace (service.sap.com). You need to log in with your Service Marketplace ID, and you will be asked for your Customer Number or Installation Number.

The SAP GRC Access Control Tool Suite includes the following tools:

• Virsa Compliance Calibrator
• Virsa Access Enforcer
• Virsa Role Expert
• Virsa Firefighter for SAP

Risk Analysis and Remediation

Risk Analysis and Remediation is done by Compliance Calibrator.

Risk Analysis and Remediation provides real-time compliance around the clock and prevents security and control violations before they occur. Once deployed, business managers can analyze real-time data, find hidden issues and help ensure the effectiveness of access and authorization controls across the enterprise.

The scope of the process includes the following key areas:

• Identification of critical access and segregation of duties
• Real-time risk assessment
• Simulation and remediation
• Documentation of mitigating controls
• Summary and drill-down reports

Superuser Privilege Management

Superuser Privilege Management is done using Firefighter.

Superuser Privilege Management is a solution used for emergency situations, for extensive and/or special access, and for when there is no time to obtain logins and passwords. Features provided by it:

• Superuser access control
• Compliant controls for emergency access
  - Users are assigned to specific firefighting IDs with defined authorizations and validity dates
  - A separate login is required, as well as documentation of the reason for use
  - A firefighter ID can only be used by one user at a time
  - Auditable reporting
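As an added example, not code from the HCL paper or from the Firefighter product, the following models the emergency-access controls listed above: a firefighter ID carries an owner, a controller, a validity window and a list of users allowed to use it; check-out requires a documented reason, fails outside the validity period, and is refused while another user holds the ID; every action taken in the session is logged, and the controller pulls a report of the sessions he must review. The ID names, users, dates and transaction codes are constructed for illustration.

```python
"""Added example (not from the HCL paper): emergency ("firefighter") access
with check-out semantics and an audit trail. All names and data are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional


@dataclass
class FirefighterID:
    ffid: str
    owner: str                 # approves who may be assigned to the ID
    controller: str            # reviews the session log afterwards
    authorized_users: set      # users assigned to this ID
    valid_from: date
    valid_to: date
    checked_out_by: Optional[str] = None   # enforces one user at a time


@dataclass
class Session:
    ffid: str
    user: str
    reason: str                # mandatory documentation of the reason for use
    started: datetime
    actions: list = field(default_factory=list)
    ended: Optional[datetime] = None


class FirefighterService:
    def __init__(self, ids):
        self.ids = {f.ffid: f for f in ids}
        self.log = []          # every session ever opened (the audit trail)

    def check_out(self, ffid, user, reason, now):
        """Separate login step: all controls are checked before access."""
        ff = self.ids[ffid]
        if user not in ff.authorized_users:
            raise PermissionError(f"{user} is not assigned to {ffid}")
        if not (ff.valid_from <= now.date() <= ff.valid_to):
            raise PermissionError(f"{ffid} is outside its validity period")
        if not reason.strip():
            raise ValueError("a reason for use is mandatory")
        if ff.checked_out_by is not None:
            raise RuntimeError(f"{ffid} is already in use by {ff.checked_out_by}")
        ff.checked_out_by = user
        session = Session(ffid, user, reason, now)
        self.log.append(session)
        return session

    def record(self, session, action):
        """Log a transaction executed under the firefighter ID."""
        if session.ended is not None:
            raise RuntimeError("session already closed")
        session.actions.append(action)

    def check_in(self, session, now):
        """Close the session and release the ID for the next user."""
        session.ended = now
        self.ids[session.ffid].checked_out_by = None

    def controller_report(self, controller):
        """Sessions a controller must review: who, why, when and what was done."""
        return [{"ffid": s.ffid, "user": s.user, "reason": s.reason,
                 "started": s.started.isoformat(), "actions": list(s.actions)}
                for s in self.log if self.ids[s.ffid].controller == controller]


if __name__ == "__main__":
    ff = FirefighterID("FF_FI_01", "owner1", "ctrl1", {"alice", "bob"},
                       date(2008, 1, 1), date(2008, 12, 31))
    svc = FirefighterService([ff])
    s = svc.check_out("FF_FI_01", "alice", "Period-end close: reopen posting period",
                      datetime(2008, 3, 1, 9, 0))
    svc.record(s, "OB52")
    svc.check_in(s, datetime(2008, 3, 1, 9, 30))
    print(svc.controller_report("ctrl1"))
```

The log is kept by the service rather than by the session owner, so a firefighter cannot edit the record of his own session; in the product this corresponds to logging that does not depend on the target system's own audit settings being switched on.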

Compliant User Provisioning

Compliant User Provisioning is done by Access Enforcer.

Access Enforcer enables fully compliant user provisioning throughout the employee life cycle and prevents new SoD violations. Businesses can automate provisioning, test for SoD issues, streamline approvals, and reduce the workload of IT staff. The solution performs the following activities:

• Automates the provisioning workflow
• Provides compliant user provisioning across the enterprise
• Logs actions without turning on SAP logging
• Identifies SoD issues in real time
• Streamlines approvals

Enterprise Role Management

Introduction to Role Expert

Role Expert is a role creation and management tool. This SAP GRC Access Control tool is web-enabled and eases the overhead of creating and managing roles in an organization.

Apart from creation and management of roles, it also takes care of the risks associated with different roles, segregation of duties, generation of the types of reports useful to management and auditors, and mitigation of risks.

Purpose of Role Expert

Role Expert implementation serves the following purposes in an organization:

• Helps implement best practices for role naming conventions.
• Automates the creation and maintenance of roles.
• Implements best practices for approval workflow automation for roles in the organization.
• Automates the generation of reports of various types to serve management and auditors.
• Performs automatic risk analysis at all levels, and mitigation of risks, before approving or creating the requested role.
• Provides transparency, tracking and monitoring of the creation and implementation of roles.

ANNEXURE 1: Various Aspects

| Steps | Activities Involved | Person Involved | Duration/Days |
| --- | --- | --- | --- |
| Implementation Readiness | Hardware/software requirement analysis; software installation; NetWeaver environment validation | Basis/Security Consultant; GRC AC Tool Consultant | 17 |
| Deploy & Install GRC Access Control Tool Suite | Software installation as well as certain one-time initial configuration activities | GRC AC Tool Consultant | 15 |
| Risk Analysis and Remediation | Identification of critical access and segregation of duties; real-time risk assessment; simulation and remediation; documentation of mitigation controls; summary and drill-down reports | GRC AC Tool Consultant; GRC Business Process Analyst; SOX Domain Consultant | 26 |
| Super User Privilege Management | The application tracks, monitors and logs every activity a superuser performs with a privileged user ID. Creation of Firefighter IDs; assignment of Firefighter roles to applicable user IDs; mapping Firefighter IDs to Owner, Firefighter and Controller | GRC AC Tool Consultant; GRC Business Process Analyst | 4 |
| Compliance User Provisioning | Learn about Access Enforcer workflows and their components; define process stages and approvals; create test initiators, stages and paths; define test users and request types; test initial workflows; define escalations and detours; complete workflow configuration | GRC AC Tool Consultant; GRC Business Process Analyst | 20 |
| Enterprise Role Management | Creation of role attributes required for any role; creation of role generation methodology; creation of naming conventions for roles; creation of roles in Role Expert; reports in Role Expert | GRC AC Tool Consultant; GRC Business Process Analyst | 15 |

ANNEXURE 2: Roles and Responsibilities

| Role | Number | Group | Responsibility |
| --- | --- | --- | --- |
| Basis/Security Consultant | 1 | HCL GRC | Hardware/software requirement analysis; software installation; NetWeaver environment validation |
| GRC AC Tool Consultant | 2 | HCL GRC | Master data creation; configuration of all 4 tools; integration of all 4 tools; risk recognition, remediation and mitigation; rule building and maintenance; configuration of workflows; configuration of role attributes; configuration of role generation methodology; configuration of naming conventions; report generation |
| SOX Domain Consultant | 1 | HCL GRC | Risk identification; creation of mitigation controls; approve or reject already created risks and mitigation controls; scenario analysis and identification of format and content of reports |
| GRC Business Process Analyst | 1 | HCL GRC | Risk analysis and validation; designing alternative controls to mitigate SoD issues; designing workflows for user and role provisioning; identification of role attributes; identification of role generation methodology; identification of naming conventions; identification of risk and role owners and approvers |
| Client Technical Team | To be decided | Client | Hardware/software requirement analysis; software installation; NetWeaver environment validation |
| Client Business Team | To be decided | Client | Identifying risk and/or approving controls for monitoring risks; approving remediation to address user access issues; approve or reject risks between business areas and approve mitigating controls for risks |
| Client Project Manager / Coordinator | To be decided | Client | Managing the implementation project |
| Client Audit / Internal Control Team | To be decided | Client | Perform risk assessments on a regular basis to identify new risks; perform periodic testing of rules and mitigating controls; act as a liaison with external auditors |

ANNEXURE 3: Time Lines

| Implementation Activity | Duration/Days |
| --- | --- |
| Formation of project team* | 2 |
| Software Installation and Validation* | 5 |
| Requirement Validation / System and User Landscape Study / Master Data Creation* | 10 |
| Implementation Readiness | 17 |
| Compliance Calibrator Configuration and Implementation | 26 |
| Firefighter Configuration and Implementation | 4 |
| Role Expert Configuration and Implementation | 15 |
| Access Enforcer Configuration and Implementation | 20 |
| Roll-Out/Deployment/Go-Live | 10 |

Note: * These activities are performed simultaneously. The total implementation time is 56 calendar days.

ANNEXURE 4: Challenges

| Challenges | Solution |
| --- | --- |
| Real-time alert generation and notification through mail | Alert generation and its notification through e-mail was configured not only for mitigating controls but also for risk execution and critical transaction execution. |
| Setting up organizational rules and running risk analysis based on these rules | Compliance Calibrator provides a supplemental table to address organizational restrictions without having to change and maintain the entire rules database. These restrictions were configured as organizational rules. |
| Integrating workflows in Compliance Calibrator for various processes | Various processes of Compliance Calibrator can be automated and structured through workflows, which are created and executed through Access Enforcer. The path for connecting Compliance Calibrator to the workflows is entered in the Workflow service URL. |
| Efficient handling of false positives | Rule building is done at the authorization object level to prevent false positives of SoD violations. |
| Designing user-provisioning workflows and proper initiators to trigger them | User provisioning workflows are created and configured through Access Enforcer. |
| Cross-application implementation | The system includes rules at both the transaction and object level that address the SAP applications for APO, Basis, CRM, EBP, SRM, FI/CO, HR/Payroll, Procure to Pay, MM/QM, Order to Cash, and Portals. |
| Cross-system implementation | The Virsa Compliance Calibrator "out-of-the-box" rule set includes transaction objects and value combinations, analyzing some 120,000 possible combinations of potential risk for access rights. These cover SAP: 20,000; Oracle: 20,000; PeopleSoft: 3,800; JDE: 151. |
| Cross-geo implementation | A centralized monitoring system is provided by connecting the various systems across geographies. |
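The "false positives" row above is worth a concrete illustration. The following is an added example, not code from the HCL paper or from Compliance Calibrator: it evaluates the same vendor-payment conflict with a transaction-level rule and with an authorization-object-level rule. In SAP, being able to start a transaction (object S_TCODE, field TCD) is not enough to act; the program also checks a business authorization object with an activity value, so a user who can open the vendor master transaction but holds only display activity cannot actually change a vendor. The object and field names follow the SAP pattern, but the rule, the field values and the user authorizations are constructed for illustration and should be treated as assumptions.

```python
"""Added example (not from the HCL paper): transaction-level versus
authorization-object-level SoD rules. Object and field names follow the SAP
pattern; the rule, values and users are constructed (assumption)."""

# Transaction-level rule: flag if the user can start BOTH transactions.
TCODE_RULE = ("F110", "XK02")   # run payment program vs. change vendor master

# Object-level rule: each side needs the tcode AND a specific field value.
# (tcode, authorization object, field, values that make the action possible)
OBJECT_RULE = (
    ("F110", "F_REGU_BUK", "FBTCH", {"21"}),   # payment run: execute (assumed value)
    ("XK02", "F_LFA1_APP", "ACTVT", {"02"}),   # vendor master: change (02)
)

# A user's authorizations as (object, field, value) triples. Constructed.
USERS = {
    # can start both tcodes and really perform both actions
    "alice": {("S_TCODE", "TCD", "F110"), ("S_TCODE", "TCD", "XK02"),
              ("F_REGU_BUK", "FBTCH", "21"), ("F_LFA1_APP", "ACTVT", "02")},
    # can start both tcodes but only DISPLAY vendors (ACTVT 03)
    "bob":   {("S_TCODE", "TCD", "F110"), ("S_TCODE", "TCD", "XK02"),
              ("F_REGU_BUK", "FBTCH", "21"), ("F_LFA1_APP", "ACTVT", "03")},
    # only one side of the conflict
    "carol": {("S_TCODE", "TCD", "F110"), ("F_REGU_BUK", "FBTCH", "21")},
    # full wildcards, as often found on powerful roles
    "dave":  {("S_TCODE", "TCD", "*"), ("F_REGU_BUK", "FBTCH", "*"),
              ("F_LFA1_APP", "ACTVT", "*")},
}


def holds(auths, obj, fld, value):
    """True if the user holds the exact value or a full wildcard ('*')."""
    return (obj, fld, value) in auths or (obj, fld, "*") in auths


def can_perform(auths, step):
    """The tcode alone is not enough: the business object value is needed too."""
    tcode, obj, fld, values = step
    return holds(auths, "S_TCODE", "TCD", tcode) and any(
        holds(auths, obj, fld, v) for v in values)


def tcode_level_hit(auths):
    return all(holds(auths, "S_TCODE", "TCD", t) for t in TCODE_RULE)


def object_level_hit(auths):
    return all(can_perform(auths, step) for step in OBJECT_RULE)


def classify(auths):
    """Compare both rule levels for one user."""
    tcode_hit, object_hit = tcode_level_hit(auths), object_level_hit(auths)
    if tcode_hit and object_hit:
        return "true positive"
    if tcode_hit:
        return "false positive"   # tcode rule fires, but the user cannot really act
    return "no risk"


def analyze(users):
    """Map each user name to the verdict of the two rule levels."""
    return {name: classify(auths) for name, auths in users.items()}


if __name__ == "__main__":
    for name, verdict in analyze(USERS).items():
        print(f"{name}: {verdict}")
```

The wildcard handling matters in practice: a rule that only compares literal values would miss a user whose role grants `*`, while a rule built purely on transaction codes would keep reporting users like "bob" who cannot change a vendor at all, and the remediation effort would be spent on non-issues.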

ANNEXURE 5: SAP GRC Business Benefits

SAP helps organizations build an integrated GRC approach step by step. SAP solutions for governance, risk, and compliance help you leverage your SAP and non-SAP IT investments, and deliver the following business benefits:

• Increased shareholder value: good corporate governance is reflected in many intangibles, including brand and reputation, and it translates directly into share price premiums.
• Optimized risk/return portfolios: greater transparency and insight enable your decision makers to select or reject projects based on risk impact and probability relative to potential return.
• Reduced GRC costs: integrated corporate governance significantly reduces the number of people, and the time, required to ensure and manage compliance and risk management.
• Improved business performance and predictability: SAP solutions for governance, risk, and compliance deliver enterprise-wide transparency, a systematic process for anticipating risks, and the tools to proactively determine proper actions.
• Business sustainability: using solutions delivered through automation, analytics and alerts, businesses can more effectively mitigate risks stemming from myriad pieces of legislation.

Assumptions for the Duration/Days in the Annexures:

1. The minimum NetWeaver support pack is already installed and validated on the identified systems.
2. All database and memory requirements for installation of the Access Control tools are met.
3. Hardware and memory sizing has already been performed.
4. The organization already possesses licenses for all required Access Control tools.
5. Person effort and time will reduce in subsequent implementations in different geographies.
6. The company will subsequently address compliance management issues across different locations.