SAP GRC Overview

GRC Access Control Overview

Uploaded by uma-sankar-tekumudi; posted on 22-Mar-2016 (70 pages)

Page 1: SAP GRC Overview

GRC Access Control Overview

Page 2: SAP GRC Overview

Agenda

• Purpose & Target Audience
• GRC Solutions
• Why GRC Access Control
• GRC Access Control Basics
• GRC Access Control Architecture
• GRC Access Control Applications
  – Risk Analysis & Remediation
  – Compliant User Provisioning
  – Enterprise Role Management
  – Super User Privilege Management
• New features of Access Control 5.3
• GRC Access Control – Critical success factors to implement
• GRC Access Control benefits
• GRC Products and Vendors
• Appendix

Page 3: SAP GRC Overview

Purpose

The purpose of this document is to provide an overview of GRC AC system architecture and functionality.

Intended audience:

• Infrastructure, Security
• SAP Functional
• Internal Control / Internal Audit
• IT Security
• Security Compliance

Page 4: SAP GRC Overview


GRC Solutions

Page 5: SAP GRC Overview

Governance, Risk & Compliance (GRC) Solutions

Access Control comprises:

• Risk Analysis and Remediation
• Compliant User Provisioning
• Superuser Privilege Management
• Enterprise Role Management

Page 6: SAP GRC Overview


Why GRC Access Control

Page 7: SAP GRC Overview

Business Drivers / Common Challenges

Customers face a host of security challenges, including:

• Continued increase in compliance spend
• Requirement for continuous compliance monitoring
• Requirement for a centralized internal controls repository
• A Fraud Examiner report recently estimated the average loss from existing fraud at 7% of revenue
• Disparate and complex application landscape with process inefficiencies and redundancies
• Existing segregation of duties violations and compliance issues
• Desire to automate user provisioning to support compliance requirements, operational efficiency goals, and regulatory requirements
• Requests for emergency access (admin rights) are ad hoc and insufficiently monitored and controlled
• Poor communication between Business and IT results in "best-guess" approval of requests

Page 8: SAP GRC Overview


GRC Access Control Goals

Page 9: SAP GRC Overview


Compliance World-wide

GRC to ensure Compliance with regulatory mandates

Page 10: SAP GRC Overview

Integrated GRC

• Unified process, compliance and risk methodologies
• Alignment of risk and strategy management
• Increased visibility across impact of risk
• Standardized risk and compliance methodologies

Page 11: SAP GRC Overview

Necessity to Implement Access Control

Common approaches rely on periodic audits or manual evaluations and subsequent remediation of the findings.

Despite the high effort, without a process in place to continuously monitor Segregation of Duties, risks are not under control.

Page 12: SAP GRC Overview

Maturity Model

Evolve from manual, unreliable and inefficient controls to technology-based, cost-effective, reliable controls.

Page 13: SAP GRC Overview


GRC Access Control Basics

Page 14: SAP GRC Overview

Terminology

Segregation of Duties (SoD): Access controls ensuring that no single user has access to two or more incompatible duties. Some examples of incompatible duties are:

• Creating a vendor and initiating payment
• Creating and modifying invoices
• Processing inventory and posting payments

Roles: A role is a container that holds transactions/reports and an associated profile.
Authorization: Permission to access data or execute transactions.
Authorization Object: A group of fields that allow for management of authorizations.
User: End users given access to SAP applications.
Risk: Defines the potential risks existing in the system due to SoD and is based on the standard business process.
Risk Analysis: The process of analyzing roles, profiles and/or users for risks.
Mitigation Control: Gives the ability to associate controls with risks, so they can be applied to users and roles identified as violating SoD during risk analysis.

Page 15: SAP GRC Overview

Governance, Risk and Compliance

Corporate Governance:
• Ethical corporate behavior together with management and practices in the creation of all stakeholders
• Spells out the rules and procedures for making decisions about corporate affairs

IT Governance:
• Helps to ensure alignment of IT and enterprise objectives
• IT resources are used responsibly and their risks are managed properly

Risk Management:
• Identify, classify, document, and reduce risks to an acceptable level
• Risk is a result of three different parameters:
  – Existence of a threat to a business process
  – Likelihood of occurrence
  – Impact on the business process

Act accordingly:
• National and international legal requirements:
  – Sarbanes-Oxley Act (US)
  – Data Protection Law (Germany)
  – J-SOX (Japan)
• Corporate policies represent both corporate philosophy and strategic thinking at a high level
• Low-level policies focus on the operational layer

Policies need to be in sync with the overall business strategy and legal requirements.

Page 16: SAP GRC Overview

Evolution of SAP GRC

• Virsa Systems founded in 1996
• Sarbanes-Oxley Act (SOX) 2004
• SAP AG announced acquisition of Virsa on 3rd April 2006
• SAP AG renamed SAP Virsa Application to SAP GRC suite
• SAP upgrades GRC
• SAP integrates GRC AC with PC, EHS & GTS
• SAP GRC + SAP BO GRC = SAP BO GRC
• SAP BO GRC + RM + PC = SAP BO GRC
• SAP BO GRC + IDM components + Dashboards

Page 17: SAP GRC Overview

GRC AC Risk Remediation Strategy

Proactive, real-time compliance by preventing security and control violations before they occur. GRC AC implements Access Control top-down.

Page 18: SAP GRC Overview

GRC Access Control Processes

GRC RAR:
• SoD rules repository maintenance
• Mitigation plan maintenance
• Management reporting
• Continuous compliance monitoring

GRC CUP:
• Dynamic approval workflows and audit trails for authorization changes, role design changes and compliance repository changes
• Access and authorization changes, approvals, audit trails
• Emergency access requests

GRC SPM:
• Emergency change access management
• Emergency session log capture and storage

GRC ERM:
• SAP role management
• Compliant SAP role management
• Role management audit trails

Page 19: SAP GRC Overview

Segregation of Duties

A segregation of duties issue exists for a business process when an individual can perform two or more of the following functions on a given transaction:

Authorization: Implied or explicit approval to perform a business transaction or activity
Custody: Activities assigned to personnel to safeguard an asset, including information
Record Keeping: Activities to record the transaction or event in the company's records
Reconciliation: Comparisons of recorded balances or volumes to actual between time intervals to detect differences and take action on any differences

Page 20: SAP GRC Overview

Authorization Concept

Job task: Glen, a G/L Accountant, wants to execute a G/L posting.

SAP role: Execute transaction code FB50
• Check authorization object S_TCODE (Transaction Code)

Authorization objects and field values:
• Check authorization object F_BKPF_BUK – Accounting document: Authorization for Company Code
• Check authorization object F_BKPF_GSB – Accounting document: Authorization for Business Area
• Check authorization object F_BKPF_KOA – Accounting document: Authorization for Account Type

In addition to this, if Glen had access to:
• FS00 – G/L Account Master record maintenance
  – F_SKA1_BES: G/L Account: Account Authorization
  – F_BKPF_BLA: Accounting Document: Authorization for Document Types

Page 21: SAP GRC Overview

Authorization Concept (contd..)

Risk! Gives someone the access to create a fictitious G/L account and generate journal activity or hide activity via posting entries:
• FS00 – G/L Account Master record maintenance
• FB50 – G/L Account posting

Page 22: SAP GRC Overview

GRC SoD Rules Approach

(Diagram: Evaluate; Analysis)

Page 23: SAP GRC Overview

RAR Standard Rule Set (as of the 2008 Q2 update)

• SAP – 256 risks, 58,649 action combinations, for the business processes below
• Oracle – 162 risks, 13,183 action combinations
• PeopleSoft – 57 risks, 27,906 action combinations
• JD Edwards – 21 risks, 303 action combinations
• Non-RTA system analysis framework for legacy systems

SAP business processes covered (figures in parentheses: risks/action combinations):
– HR and Payroll
– Procure to Pay (70/11104)
– Order to Cash (32/6101)
– Finance (37/6229)
  • General Accounting
  • Project Systems
  • Fixed Assets
– Basis, Security and System Administration (25/13556)
– Materials Management
– APO/SCM
– SRM
– CRM
– Consolidations

Page 24: SAP GRC Overview


Cross-Enterprise Rules Library Delivered out of the box

Page 25: SAP GRC Overview


GRC Access Control Architecture

Page 26: SAP GRC Overview

Terminology

RTA (Real-Time Agent): Responds to events or signals as fast as possible, or as they happen, and sits in the backend system.
JCo (SAP Java Connector): A programming interface (API) that provides an interface between a Java program and a legacy application such as CICS or ECC.
IGS (Internet Graphics Service): Used to generate graphical content, and to give you enough information to incorporate such graphics into your own Web Dynpro applications.
UME (User Management Engine): A Java-based user administration component with central user administration, SSO, and secure access to distributed applications.
SLD (System Landscape Directory): Describes the layout of the systems in an environment; the landscape is the highest node within the system landscape hierarchy.

Page 27: SAP GRC Overview


Standard GRC Architecture

Page 28: SAP GRC Overview


GRC Architecture-Generic view

Page 29: SAP GRC Overview

RTA: The Enterprise Software Real-Time Agent

RTA                                                        Usage                        Type
Prebuilt for SAP                                           BAPI® programming interface
Prebuilt for Oracle                                        Stored procedure             Stored procedure
Prebuilt for PeopleSoft                                    Web services                 Web services
Prebuilt for Hyperion                                      Web services                 Web services
Custom-built for direct access to legacy system database   Query                        Query
Custom-built for upload file extraction to legacy system   Flat file (delimited)

Page 30: SAP GRC Overview


GRC Access Control Landscape - Basic

SAP GRC Access Control Application System Landscape for a Typical Installation

Page 31: SAP GRC Overview


GRC Access Control Landscape – Authoritative User Sources

SAP GRC Access Control Application System Landscape with Authoritative-User Sources

Page 32: SAP GRC Overview


GRC Access Control Landscape – Central User Administrator

SAP GRC Access Control Application System Landscape with User Provisioning with or Without the CUA

Page 33: SAP GRC Overview


GRC Access Control Applications

Page 34: SAP GRC Overview


GRC Access Control Overview

Page 35: SAP GRC Overview

GRC AC Applications

GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise-wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance. It also provides an integrated framework for designing, enforcing and monitoring continuous compliance in SAP systems.

GRC Access Control consists of the following four applications:

• Risk Analysis & Remediation (RAR) and Risk Terminator – Sustainable SoD definition, remediation, monitoring and reporting for continuous compliance
• Compliant User Provisioning (CUP) – Proactive, compliant, automated, auditable access approval and provisioning
• Enterprise Role Management (ERM) – Compliant role design, maintenance and auditability
• Superuser Privilege Management (SPM) – Controlled and reviewable privileged user management

Page 36: SAP GRC Overview

Risk Analysis and Remediation

Risk Analysis and Remediation enables monitoring of SAP user access and applies a library of Segregation of Duties (SoD) rules to detect potential irregularities and minimize risks of fraudulent activity. It is a real-time and preventive compliance solution.

RAR Functionalities:
• Audit & assessment of existing practice
• Risk identification and assessment
• Business SoD rules definition
• Mitigation controls definition
• Assessment of mitigation controls
• Remediation plans
• Progress monitoring
• Dynamic dashboards

Page 37: SAP GRC Overview

RAR – features and benefits include:
• Facilitate discussion between Business and IT
• Centralized definition of risks related to user access
• Real-time and cross-system risk analysis
• Remediation of SoD violations
• Proactive detection of SoD issues by simulation
• Auditability of change documents

(Module map: SAP GRC Superuser Privilege Management (Firefighter); SAP GRC Enterprise Role Management (Role Expert); SAP GRC Compliant User Provisioning (Access Enforcer); SAP GRC Risk Analysis and Remediation (Compliance Calibrator))

Page 38: SAP GRC Overview

Risk Terminator

• Provides real-time SoD analysis during user and role maintenance and user-to-role assignment
• Risk Terminator can be configured to run a risk analysis when one of four tasks is performed:
  – When a role is generated using PFCG
  – When users are assigned to a role using PFCG
  – When a role or profile is assigned to a user using SU01
  – When a role or profile is assigned to users using SU10
• The risk analysis report is displayed to the user, showing the SoD violations
• The configuration setting "Stop generation if violation exists" determines whether this is an error or a warning
• If the user continues to process the task, a warning message is displayed with two options:
  – Discard changes
  – Continue
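To make the Terminology, Authorization Concept and Risk Terminator slides concrete, here is an added example (not code from the deck or from SAP) of a toy rule set and risk analysis over the Glen / FB50 / FS00 scenario: functions, a risk, roles with authorization field values, action- versus permission-level analysis, mitigation controls, and a Risk Terminator-style pre-check of a role assignment. The function IDs, risk ID, role names, mitigation control ID and field values are constructed.

```python
"""Toy SoD risk analysis in the style of GRC AC's RAR and Risk Terminator.
Added example, not code from the deck or from SAP: it models the Glen / FB50 /
FS00 scenario from the Authorization Concept slides. Function IDs, risk ID,
role names, the mitigation control ID and the field values are constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset      # tcodes that perform this duty
    permissions: frozenset  # (auth object, field, value) triples the action needs

@dataclass(frozen=True)
class Risk:
    rid: str
    functions: frozenset    # conflicting function IDs; holding all of them = violation

@dataclass
class Role:
    actions: set
    permissions: set

@dataclass
class User:
    uid: str
    roles: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)  # risk ID -> mitigation control ID

# Constructed rule set: the two incompatible duties from the Glen example.
FUNCTIONS = {
    "GL01": Function("GL01", frozenset({"FS00"}), frozenset({("F_SKA1_BES", "ACTVT", "01")})),  # maintain G/L master
    "GL02": Function("GL02", frozenset({"FB50"}), frozenset({("F_BKPF_BUK", "ACTVT", "01")})),  # post G/L document
}
RISKS = {"F001": Risk("F001", frozenset({"GL01", "GL02"}))}

# Constructed roles; Z_GL_MASTER_DISPLAY holds FS00 but only display rights (ACTVT 03).
ROLES = {
    "Z_GL_POSTING": Role({"FB50"}, {("S_TCODE", "TCD", "FB50"), ("F_BKPF_BUK", "ACTVT", "01")}),
    "Z_GL_MASTER": Role({"FS00"}, {("S_TCODE", "TCD", "FS00"), ("F_SKA1_BES", "ACTVT", "01")}),
    "Z_GL_MASTER_DISPLAY": Role({"FS00"}, {("S_TCODE", "TCD", "FS00"), ("F_SKA1_BES", "ACTVT", "03")}),
}

def effective_access(user):
    """Union of actions and permissions over every role assigned to the user."""
    actions, perms = set(), set()
    for name in user.roles:
        actions |= ROLES[name].actions
        perms |= ROLES[name].permissions
    return actions, perms

def holds_function(fn, actions, perms, level):
    """Action level: any tcode of the function suffices. Permission level: the
    tcode must also come with every field value the function requires."""
    if not fn.actions & actions:
        return False
    return level == "action" or fn.permissions <= perms

def analyze(user, level="permission"):
    """Sorted (risk ID, status) pairs; status is 'violation' or 'mitigated'."""
    actions, perms = effective_access(user)
    findings = []
    for risk in RISKS.values():
        if all(holds_function(FUNCTIONS[f], actions, perms, level)
               for f in risk.functions):
            status = "mitigated" if risk.rid in user.mitigations else "violation"
            findings.append((risk.rid, status))
    return sorted(findings)

def simulate_assignment(user, new_role, level="permission"):
    """Risk Terminator / CUP-style pre-check: the NEW unmitigated violations
    that assigning new_role would introduce, without changing the user."""
    before = {r for r, s in analyze(user, level) if s == "violation"}
    trial = User(user.uid, set(user.roles) | {new_role}, dict(user.mitigations))
    after = {r for r, s in analyze(trial, level) if s == "violation"}
    return sorted(after - before)

def assign_role(user, new_role, stop_on_violation=True):
    """Apply the assignment unless it adds violations and the setting
    'Stop generation if violation exists' is on. Returns (applied, new_risks)."""
    new_risks = simulate_assignment(user, new_role)
    if new_risks and stop_on_violation:
        return False, new_risks       # error: change discarded
    user.roles.add(new_role)           # clean, or warning only: continue
    return True, new_risks

if __name__ == "__main__":
    glen = User("GLEN", {"Z_GL_POSTING"})
    print("Z_GL_MASTER would add:", simulate_assignment(glen, "Z_GL_MASTER"))
    print("display-only FS00 role, action vs permission level:",
          simulate_assignment(glen, "Z_GL_MASTER_DISPLAY", "action"),
          simulate_assignment(glen, "Z_GL_MASTER_DISPLAY"))
    glen.mitigations["F001"] = "MC-GL-01"   # constructed mitigation control
    print("with mitigation control:", assign_role(glen, "Z_GL_MASTER"), analyze(glen))
```

The display-only case is the deck's point about analysis at authorization-object field level rather than transaction-code level: FS00 with ACTVT 03 is flagged at action level but not at permission level.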

Page 39: SAP GRC Overview

Superuser Privileged User Access Management

The Privileged User Access Management Tool lets "superusers" perform emergency activities outside of their role under a controlled and auditable environment.

Current E-RFC process (flow diagram):
1. Emergency situation: work order acceptance; is a FF ID required? (Yes / No)
2. Pre-designated firefighter logs into CUP and requests a FF ID; notification sent to BTO
3. Firefighter ID owner logs into CUP and approves the FF ID to the firefighter with an expiration date
4. Firefighter logs into SAP using their ID and executes a tcode to check out the FF ID
5. Firefighter has the required access to remediate the situation
6. Access auto-expires after the pre-determined period
7. Audit logs / transactions are archived for future audits

Page 40: SAP GRC Overview

SPM – features and benefits include:
• Pre-approved emergency access
• Automatic email notification when Firefighter mode is activated
• Automatic sending of log report to controller
• Detailed audit trail of performed actions
• Auditability (FF user not equal to SAP_ALL user)
• Web-based log reports, including risk analysis
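The firefighter flow on the two SPM slides, as an added example (not code from the deck or from SAP): owner approval with an expiry date, check-out, per-transaction session logging, automatic expiry, and the activation email and log report sent to the controller. The FF ID, user names, tcodes and timestamps are constructed.

```python
"""Toy Firefighter ID (SPM) check-out lifecycle: owner approval with an expiry
date, check-out, session log, auto-expiry and log report to the controller.
Added example, not code from the deck or from SAP; the FF ID, user names,
tcodes and timestamps are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2016, 3, 22, 9, 0)   # constructed reference time

def at(minutes):
    """Constructed clock: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)

class FirefighterError(Exception):
    """A step attempted out of order, by the wrong person, or after expiry."""

@dataclass
class FirefighterID:
    ffid: str
    owner: str            # approves requests (step 3 of the flow)
    controller: str       # gets the activation email and the log report
    approvals: dict = field(default_factory=dict)    # firefighter -> expiry datetime
    checked_out_by: Optional[str] = None
    audit_log: list = field(default_factory=list)    # (when, event, who, detail)
    outbox: list = field(default_factory=list)       # (recipient, message) to be emailed

def _log(ff, when, event, who, detail=""):
    ff.audit_log.append((when, event, who, detail))

def approve(ff, approver, firefighter, expires_at, now):
    """Only the FF ID owner may grant the ID, and only with a future expiry."""
    if approver != ff.owner:
        raise FirefighterError("only the FF ID owner may approve")
    if expires_at <= now:
        raise FirefighterError("expiry must lie in the future")
    ff.approvals[firefighter] = expires_at
    _log(ff, now, "APPROVE", approver, f"{firefighter} until {expires_at.isoformat()}")

def check_out(ff, firefighter, now):
    """Refused without an approval, after expiry, or while someone else holds the ID."""
    expiry = ff.approvals.get(firefighter)
    if expiry is None:
        raise FirefighterError("no approval on file")
    if now >= expiry:
        del ff.approvals[firefighter]
        _log(ff, now, "EXPIRED", firefighter)
        raise FirefighterError("approval has expired")
    if ff.checked_out_by is not None:
        raise FirefighterError(f"already checked out by {ff.checked_out_by}")
    ff.checked_out_by = firefighter
    _log(ff, now, "CHECKOUT", firefighter)
    # Automatic email when Firefighter mode is activated.
    ff.outbox.append((ff.controller, f"{ff.ffid} activated by {firefighter}"))

def run_tcode(ff, firefighter, tcode, now):
    """Every transaction in FF mode is logged; once the expiry passes the
    session is closed automatically and the action is refused."""
    if ff.checked_out_by != firefighter:
        raise FirefighterError("FF ID is not checked out by this user")
    if now >= ff.approvals[firefighter]:
        check_in(ff, firefighter, now, reason="auto-expired")
        raise FirefighterError("access expired; session closed")
    _log(ff, now, "TCODE", firefighter, tcode)
    return True

def check_in(ff, firefighter, now, reason="manual"):
    """Close the session and send the log report to the controller."""
    if ff.checked_out_by != firefighter:
        raise FirefighterError("nothing to check in")
    ff.checked_out_by = None
    _log(ff, now, "CHECKIN", firefighter, reason)
    report = session_report(ff, firefighter)
    ff.outbox.append((ff.controller, report))
    return report

def session_report(ff, firefighter):
    """Log report for the controller: every tcode the firefighter ran, in order."""
    return [(when, detail) for when, event, who, detail in ff.audit_log
            if event == "TCODE" and who == firefighter]

if __name__ == "__main__":
    ff = FirefighterID("FF_FI_01", owner="OWNER1", controller="CTRL1")
    approve(ff, "OWNER1", "GLEN", at(240), at(0))     # valid for four hours
    check_out(ff, "GLEN", at(5))
    run_tcode(ff, "GLEN", "FB50", at(10))
    try:
        run_tcode(ff, "GLEN", "FS00", at(300))        # past expiry
    except FirefighterError as err:
        print("refused:", err)
    for entry in ff.audit_log:
        print(entry)
```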

Page 41: SAP GRC Overview


SPM – Process Overview

Page 42: SAP GRC Overview

Compliant User Provisioning

Job functions change frequently and employees transition into new roles or inherit new responsibilities, but companies often overlook how these changes impact SoD requirements. By incorporating control activities into everyday business processes, companies avoid after-the-fact violation detection. SAP GRC Access Control creates visibility, enables fully compliant user provisioning throughout the employee life cycle, and prevents new SoD violations.

CUP Functionalities:
• Assessment of business
• Assessment of business relationship
• Design dynamic workflow service
• Automate user provisioning
• Reduce burden on IT
• Prevents risks by proactive analysis
• Meets regulatory compliance target

Page 43: SAP GRC Overview

CUP – features and benefits include:
• Homogenized access request process
• Automated approval management (workflow)
• Dynamic routing for approval
• Risk analysis before request approval
• Transparent view on impact of the approval (in business language)
• Automated user provisioning to SAP
• Automated logging of request approvals and modifications

Page 44: SAP GRC Overview


CUP – Functional Overview

Page 45: SAP GRC Overview

CUP – Typical End Users

Requestors – request access to systems and roles
Approvers – approve user access requests; security, managers, data owners (role owners), process owners, etc.
Administrators – administer requests, configure workflow, manage application security, manage other system settings/configuration

Page 46: SAP GRC Overview

CUP – Provisioning Workflow

(Diagram) User Access Request → Role Owner Approval → Manager Approval → Security Coordinator Approval → provisioning to the target systems (HR, CRM, Legacy, ECC)

Page 47: SAP GRC Overview

CUP – Workflow features

Flexible configuration of workflows:
• Multiple approvers
• Different workflow paths for different request attributes
• Parallel paths – different workflow paths based on role selection
• Detours and forks – certain predefined conditions can trigger detours
• Escape routes
• Forwarding to another approver
• Automated provisioning without security review

Automated actions:
• Create/change user
• Change user master record information (validity date, user group, etc.)
• Lock/unlock user
• Delete users
• Notifications
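The provisioning workflow and workflow features of the last two slides, as an added example (not code from the deck or from SAP): the approval path is built from the request's attributes, role-owner approvals run in parallel, a risk finding from the pre-approval analysis detours the request to the security coordinator, forwarding and an escape route are supported, and the final approval triggers the automated provisioning action. Approver IDs, roles and the role-owner catalogue are constructed.

```python
"""Toy CUP-style approval routing for a user access request.
Added example, not code from the deck or from SAP. The path is built from the
request: a manager stage, parallel role-owner approvals (one per owner of the
requested roles), a detour to the security coordinator when the pre-approval
risk analysis found violations, and automated provisioning at the end.
Approver IDs, roles and the role-owner catalogue are constructed."""
from dataclasses import dataclass, field

# Constructed catalogue: which role owner approves which role.
ROLE_OWNERS = {"Z_GL_POSTING": "OWNER_FI", "Z_GL_MASTER": "OWNER_FI",
               "Z_MM_DISPLAY": "OWNER_MM"}
SECURITY_COORDINATOR = "SEC_COORD"

@dataclass
class Request:
    requester: str
    manager: str
    roles: list
    target_system: str
    risk_violations: list = field(default_factory=list)  # from the risk analysis before approval

def build_path(req):
    """Ordered stages; each stage is the set of approvers who act in parallel."""
    stages = [("Manager Approval", {req.manager})]
    stages.append(("Role Owner Approval", {ROLE_OWNERS[r] for r in req.roles}))
    if req.risk_violations:                  # detour triggered by a predefined condition
        stages.append(("Security Coordinator Approval", {SECURITY_COORDINATOR}))
    return stages                            # no violations: provisioning without security review

def provision(req):
    """Automated action after the final approval: create/change the user in the target system."""
    return {"system": req.target_system, "action": "CREATE/CHANGE USER",
            "user": req.requester, "roles": sorted(req.roles)}

class Workflow:
    def __init__(self, req):
        self.req = req
        self.stages = build_path(req)
        self.index = 0
        self.pending = set(self.stages[0][1])   # approvers still to act at this stage
        self.history = []                        # audit trail of approvals, forwards, escapes
        self.result = None                       # provisioning result once complete

    def stage(self):
        return "Provisioned" if self.result is not None else self.stages[self.index][0]

    def approve(self, approver):
        """Record an approval; the stage completes when every parallel approver has acted."""
        if self.result is not None or approver not in self.pending:
            raise PermissionError(f"{approver} has no open item at stage '{self.stage()}'")
        self.pending.remove(approver)
        self.history.append(("APPROVE", approver, self.stage()))
        if not self.pending:
            self._advance()
        return self.stage()

    def forward(self, approver, delegate):
        """Forwarding: an approver hands their open item to another approver."""
        if approver not in self.pending:
            raise PermissionError(f"{approver} has no open item to forward")
        self.pending.remove(approver)
        self.pending.add(delegate)
        self.history.append(("FORWARD", approver, delegate))

    def escape(self, administrator):
        """Escape route: an administrator clears a stalled stage for all remaining approvers."""
        if self.result is not None:
            raise PermissionError("request already provisioned")
        self.history.append(("ESCAPE", administrator, self.stage()))
        self.pending.clear()
        self._advance()
        return self.stage()

    def _advance(self):
        self.index += 1
        if self.index < len(self.stages):
            self.pending = set(self.stages[self.index][1])
        else:
            self.result = provision(self.req)

if __name__ == "__main__":
    req = Request("GLEN", "MGR1", ["Z_GL_POSTING", "Z_GL_MASTER"], "ECC",
                  risk_violations=["F001"])          # constructed finding
    wf = Workflow(req)
    print([name for name, _ in wf.stages])
    wf.approve("MGR1")
    wf.forward("OWNER_FI", "OWNER_FI_DEPUTY")
    wf.approve("OWNER_FI_DEPUTY")
    print(wf.stage(), wf.escape("ADMIN"), wf.result, sep="\n")
```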

Page 48: SAP GRC Overview

CUP – Other workflow types (non user access request)

Risk Analysis and Remediation:
• Risk change approvals
• Mitigation change approvals
• SoD management by exception

Superuser Privilege Management – automates the E-RFC process while providing an audit trail and maintaining compliance:
• Superuser access assignment

Enterprise Role Management:
• Role maintenance approvals

User Access Review – can facilitate quarterly access review:
• Reviews sent to approvers to approve users' current access

SoD Management by Exception:
• Exception-based reporting and remediation via workflow

Page 49: SAP GRC Overview

CUP – Additional Capabilities

Password Self-Service: allows users to reset their password using challenge and response (if not authenticating against MS AD)
HR Triggers: ability to set up automatic workflow requests based on a function/action that occurs in an SAP HR system
BI Integration: for detailed custom reporting; a standard cube is available (as of 5.3)
Integration with Training System: verification of user training status; will need web service integration configuration

Page 50: SAP GRC Overview

CUP – Typical Administration

Maintain Roles:
• Upload new roles on a periodic basis
• Remove roles on a periodic basis

Maintain Approvers:
• Upload new approvers
• Remove approver information as required

Maintain Workflow:
• Maintain workflow paths
• Opportunities to streamline the workflow process

Manage Requests:
• On-hold or stale requests

Page 51: SAP GRC Overview

CUP – Integration Points and Data Sources

Possible points of integration:
• ECC, BI, BI-EP, Solution Manager
• Non-SAP systems (with custom RTA)

Supported data sources:
• Multiple SAP systems
• Multiple LDAP systems, out of the box:
  – Active Directory
  – Sun ONE
  – Novell eDirectory
  – IBM Tivoli
  – Any LDAP system supported by SAP UME

Non-SAP supported systems: Oracle, PeopleSoft, JD Edwards

Page 52: SAP GRC Overview

Enterprise Role Management

Enterprise Role Management addresses the root of access control through standardized and centralized role design, testing, and maintenance. It helps you eliminate manual errors and makes it easier to enforce best practices. The application puts role ownership in the hands of business process owners rather than IT staff, allowing them to document role definitions, perform automated risk assessments, track changes, and conduct maintenance with ease, which increases consistency and lowers IT costs.

(Diagram: centralized role management across applications; SAP GRC Access Control applies enterprise rules and an audit log to roles, producing compliant enterprise roles)

ERM Functionalities:
• Creation and maintenance of roles
• Integrates with RAR for SoD analysis
• Assignment of role owner to roles
• Triggers dynamic approval workflow
• Dual environment: analysis & generation
• Provision for opening the SAP profile generator

Page 53: SAP GRC Overview

ERM – features and benefits include:
• Central management of authorization roles
• Automatic notification of changes to role owners
• Approval workflow for role changes
• Preventive risk analysis for roles
• Automatic role generation in the SAP system
• Audit trails and reporting of all role changes

Page 54: SAP GRC Overview

ERM – Process Overview

(Diagram) Role lifecycle stages: Definition, Authorization, Derive, Generation, Approval, Risk Analysis, Test; involving Security and the Business Process Owner; integrated with Risk Analysis & Remediation and Compliant User Provisioning; target systems HR, ECC and CRM.

Page 55: SAP GRC Overview


New Features of Access Control 5.3

Page 56: SAP GRC Overview

New Features of Access Control 5.3

Risk Analysis and Remediation:
• Single launch pad for all four capabilities (multiple windows may be open)
• Performance improvements
• Enterprise portal and UME integration (risk analysis and user provisioning)
• Import/export utilities (component, configuration, mitigation data)
• Enhanced reporting: many added reports, and more reports can be exported; BI integration for custom reporting
• Enhancements of the change management audit trail
• SoD management by exception: identifies unmitigated risks; provides mitigation reaffirm functionality

Page 57: SAP GRC Overview

New Features of Access Control 5.3 (contd..)

Compliant User Provisioning:
• End user request form customization
• Integration with multiple data sources
• Password reset: supported for Oracle, PeopleSoft, JD Edwards; user password self-service with a challenge response
• Cross-system risk analysis for access requests
• Compliant User Provisioning for Oracle, PeopleSoft, JD Edwards
• Utilize HR triggers for PeopleSoft
• Enhanced CUA support
• Integration with training systems
• Identity Management integration with major IDM vendors

Page 58: SAP GRC Overview

New Features of Access Control 5.3 (contd..)

Enterprise Role Management:
• Enhanced role derivation (org. value maps)
• Enhanced risk analysis and simulation
• Ability to generate roles for multiple systems at one time
• Ability to copy a role
• Documentation of non-SAP roles and enterprise-wide roles
• Integration with SAP ERP's profile generator

Superuser Privilege Management:
• Enhanced log report
• Multiple owners for firefighter IDs
• Automatic archival of log report

Page 59: SAP GRC Overview


GRC Access Control Critical success factors

Page 60: SAP GRC Overview

Access Control – Critical success factors to implement

Engaging the Business and IT teams – in order to customize and fine-tune risk definitions and gather all requirements. Validate the rule set with Internal Audit.

Management support – having support from the appropriate level of the organization will assist in addressing points of resistance.

Resources – understanding the organization's key business initiatives will be critical, since multiple initiatives often compete for the same (business) resources.

"Avoid the big bang" – building out the GRC Access Control solution component by component allows the organization to absorb all parts of a sustainable solution.

Installation vs. integration – an operational installation of SAP Access Control is realistic in relatively little time; however, a successful integration requires much more time, effort and expertise.

Embed the solution in the organization – by defining the operational processes to sustain compliance (impact on new projects, new risks, new systems, changes in organization).

Page 61: SAP GRC Overview


SAP GRC Benefits

Page 62: SAP GRC Overview

SAP GRC Benefits

Reduced risk:
• Lower fraud-related loss
• Faster remediation
• Improved business processes and overall performance

Reduced cost of compliance:
• Automation / monitoring frees up resources for value tasks
• Shorter audit cycles
• Streamlined evaluations
• Lower TCO

Improved confidence:
• Visibility / real-time information
• Single version of the truth
• Reinforced accountability

Page 63: SAP GRC Overview

SAP GRC Benefits (contd..)

Key area / Observation of "AS IS" process / Benefits

Segregation of Duties
  AS IS: Security activities require 25% to 50% of security admin time; manual processes are inefficient and prone to error; annual audit time of several weeks to manually create SoD reports and to review
  Benefits: Automated monitoring and tracking; preventive and detective controls

Add/Change/Delete Users
  AS IS: Manual data entry is inefficient, generates errors, and creates risk; frequent add/change requests requiring manual effort; process delays create risk of unauthorized access; deletion of users is not consistently and accurately implemented
  Benefits: Automated user administration

Privileged User Access
  AS IS: Access is granted for extended periods of time; activity is not verifiable; question of "What did they do when they had access?"
  Benefits: Automated superuser access with tracking of all activities

Role Design and Management
  AS IS: Limited role reaffirm process; limited ability for validation of current roles and proposed changes of roles; difficult to manage a large number of master roles and derived roles
  Benefits: Compliant role design and management

Sensitive Transactions Management
  AS IS: Limited, manual tracking of access; current control does not meet audit requirements well
  Benefits: Automated alerting, tracking, and logging

Reporting
  AS IS: Manual reporting process; manual analysis of differences between time periods; limited visibility for management
  Benefits: Automated pre-built access controls reporting

Page 64: SAP GRC Overview

Qualitative Benefits

Comparative study of GRC AC vs. manual process (manual process → GRC AC process):

• Provides partial proactive SoD analysis → Provides fully proactive SoD analysis
• SoD analysis level restricted to transaction code level → SoD analysis extends to authorization object field values
• Captures the SoD implications at periodic internal audit control → Captures the SoD implications at run time
• Captures potential risk with no solution → Captures potential risks with a probable solution
• Prone to human error in provisioning roles to users → Avoids human error in provisioning roles by defining pre-approved approval paths
• Manual log process for emergency access provisioning, leading to discrepancy and missing audit trail → Automatically captures the log for emergency access provisioning and limits access to a time period, producing an audit trail
• Manual definition of role creation process, resulting in loss of control and audit trail → Standard methodology defined for the role creation process, resulting in auditable roles

Page 65: SAP GRC Overview


GRC Products and Vendors

Page 66: SAP GRC Overview

GRC – Products and vendors

SAP – SAP is a German enterprise business software company that provides a comprehensive suite of GRC solutions. Some of the major GRC products are:
• GRC Access Controls
• GRC Process Controls
• Enterprise Risk Management
• Global Trade Services and others

Oracle – Oracle is one of the giant companies providing GRC solutions. Oracle offers the "Oracle Governance, Risk and Compliance Manager" solution. Oracle provides an enterprise GRC platform that integrates business intelligence, process management, and automated controls enforcement to enable sustainable risk and compliance management. Core capabilities include:
• GRC Insight
• GRC Process
• GRC Controls

Approva Corporation – Approva's Controls Intelligence Suite provides real-time insight and analysis about the state of controls across your business. Companies are using the product to address a wide array of business challenges. Some of the GRC products from Approva are:
• User Access Controls & Security
• Financial & Operational Controls

Page 67: SAP GRC Overview

• Master Data Integrity & Accuracy
• Fraud Identification & Prevention
• Controls Design & Optimization
• Compliance & Continuous Auditing

Archer Technologies – Archer's out-of-the-box solutions provide the foundation for a best-in-class enterprise governance, risk and compliance (GRC) program. They include Policy, Threat, Asset, Risk, Business Continuity, Incident, Vendor and Compliance Management. Enterprise Governance, Risk and Compliance Solutions: over 6 million licensed users.

Security Weaver – Security Weaver is a leading enterprise IT security solutions provider with world-class solutions for customers of all sizes. Using Security Weaver's GRC solutions you get superior application performance with less hardware expense and minimal installation expense, yet leverage existing organizational competency. Security Weaver provides the following solutions:
• Separations Enforcer
• Emergency Repair
• Secure Provisioning
• Secure Audit
• Secure Enterprise

Trintech – Trintech provides a world-class solution to address SOX and other compliance initiatives, such as HIPAA, PCI-DSS, FERC/NERC, etc.


Page 69: SAP GRC Overview


Appendix

Page 70: SAP GRC Overview

Glossary

Segregation of Duties: A primary internal control intended to prevent or decrease the risk of errors or irregularities by assigning conflicting duties to different personnel.
Personalization: Applications may support community personalization to allow organizational groups to customize views for all users.
SOX: Sarbanes-Oxley compliance, commonly called SOX; it is a controversial United States federal law passed in response to a number of major corporate and accounting scandals.
GRC: Governance, Risks, Compliance
Mitigation Controls: The controls defined for the identified risks in the system.
Mitigation Objects: The conflicting roles and users which have mitigation controls defined.
Risks: Defines the potential risks existing in the system due to SoD and is based on the standard business process.
Rules: The collection of risks and functions that forms the core for analyzing SoD conflicts.
Rule set: The facility in GRC to bucket specific rules for different business requirements.
Role Provisioning: The process of assigning the authorization to the requested user in the system.
Auto provisioning: Handled by SAP GRC internally from the CUP approval workflow.
Firefighter: The emergency access provided to a user in the system, based on a request, for a limited duration, and monitored for its activities.
Firefighter ID: The ID pre-defined in the system to be used by the firefighter on an emergency basis.
RAR: Risk Analysis and Remediation
CUP: Compliant User Provisioning
ERM: Enterprise Role Management
SPM: Superuser Privilege Management