Contents:
- Mitigation Controls
- Alerts
- Compliance Configuration
- Firefighter Overview
- Access Enforcer Overview
- Module Breakdown
- Process Walkthrough
- Module Breakdown
Example R/3 Role Design model (diagram: Activity, Transaction, SAP worksteps; not reproduced here)
SAP Security – The major elements of the SAP authorization concept
- Users
- Composite profiles
- Simple profiles
- Authorization objects
- Authorizations
- Fields
SOX
The Sarbanes-Oxley Act of 2002, also called the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly referred to as SOX or Sarbox, was passed in response to major corporate scandals such as Enron.
- IT does not own responsibility for proper segregation of duties. IT cannot understand the hurdles on the business side, as it lacks the collaboration tools and the language to collaborate efficiently with the business owners.
- Line-of-business managers are responsible for SoD, but they lack the technical depth to manage user access, so they rely on IT.
- Internal auditors are trying desperately to stay on top of the SoD issue. However, with manually maintained spreadsheets listing the access and authorizations of all employees, contractors, partners and so on, they can only perform a very limited audit at a very high cost.
Sarbanes-Oxley and SAP - Top 7 Control Deficiencies in SAP
1. Segregation of Duties - Segregation of duties is the most important point of control focus, and the most significant deficiency.
2. Inconsistent Business Process Procedures - Documented business procedures not matching the actual process is another problem area in many SAP implementations.
3. Unsecured Customized Programs - Many customized 'Z' or 'Y' transactions are built to suit the business process, and these custom programs are frequently left unsecured.
4. Unauthorized Access to SAP BASIS - Many companies make the mistake of giving access to sensitive BASIS transactions like SE13, SE38, SM49, SU10, SU12, SM13, SC38, SM59, KE54 etc. to users in production. Such unrestricted access can constitute a control deficiency under Sarbanes-Oxley.
5. Unrestricted Posting Periods - Allowing unrestricted access to open posting periods in SAP can result in unauthorized entries in previously open periods. This can become a severe control deficiency under SOX.
6. SAP Access for Terminated Employees - SAP access is not revoked for employees who have been terminated. This can potentially lead to a control deficiency.
7. Database and OS Hardening - The data in SAP sits in databases such as Oracle, and SAP components such as the Portal run on an operating system. If the databases and operating systems are not hardened, the whole SAP environment is put at risk.
GRC – Governance, Risk and Compliance
Business Challenges
- Identifying risks arising through user access privileges.
- Knowing when users have executed transactions that constitute a risk.
- Developing solutions for risk management and control.
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical BASIS, developer and sensitive business transactions.
- Ensuring that mitigating controls exist for user access risks and are executed.
IT / Security Challenges
- Stopping risk from being introduced into the production system through change updates.
- Prohibiting and controlling access to critical BASIS, developer and sensitive business transactions.
IT-Based Antifraud Controls - SoD & SAT
Modern ERP applications such as SAP, Oracle Apps, JD Edwards and PeopleSoft can be configured based on roles.
Access to specific transactions in the system can be restricted based on user roles and profiles.
Segregation of duties within the application can act as a major antifraud control and lead to better SOX compliance.
Sensitive Access Controls (SAT)
The other important antifraud control is restricting user access to sensitive transactions in the system.
From an IT perspective, users have access to a lot of information such as payroll data, the balance sheet, the profit and loss account, etc. This sensitive information can be misused. It is therefore important to restrict users' access to this sensitive information in applications.
SATs coupled with SoDs act as the foundation for IT-based antifraud controls.
MM SoD Conflicts – Sample data (table: SoD controls, i.e. the functions that should be segregated, with their risks and risk level; the sample rows did not survive extraction)
Business Process – Used to classify risks, rules and rule sets by business function, e.g. Order to Cash, Purchase to Pay and Record to Report are all types of business process. All risks and functions are assigned to a business process.
Function - Identifies the tasks an employee performs to accomplish a specific portion of their job responsibilities. This can be analogous to a role, but more often a role comprises multiple functions.
Action - Known as a transaction in SAP. To perform a function, more than one action may need to be performed.
Permission – An authorization object in SAP, which forms part of an action.
Risks – Identify potential problems your enterprise may encounter, which could cause errors or irregularities within the system.
Rule Sets – Categorize and aggregate the rules generated from a risk. When you define a risk, you attribute one or more rule sets to that risk, similar to a business process.
SoD – Segregation of Duties: primary internal controls intended to prevent, or decrease the risk of, errors or regulatory irregularities, identify problems, and ensure corrective action is taken. This is achieved by ensuring that no single individual has control over separate phases of a business transaction.
Definitions – Function, Business Process, Action, Permissions & Activities
(diagram: 1. Function, 2. Business process, 3. Action, 4. Permissions, 5. Activities)
Process Overview
SAP Compliance Calibrator
SAP CC is used to identify SoD conflicts before a change enters production. This allows control leads to reject the introduction of risk, or to assign and implement a mitigating control before the risk materializes.
Note: Rules have to be pre-defined before risk analysis is performed.
A deeper understanding of the risks inherent in the security design allows business approvers to make a proactive choice as to whether they allow a user to have an SoD risk or a critical transaction.
Rules are created in Compliance Calibrator based on the "risks" you define.
Rules are logical constructions composed of a circumstance or condition and the appropriate response to that condition. This is commonly represented as an IF-THEN statement:
IF
Employee X can Create a Vendor &
Employee X can Authorize Pay vendor
Then
Employee X has been granted High Risk Conflicting Roles
Rules Architect – The Rules Library
Building rule sets can be complex and time consuming. Typically three distinct roles and skills are involved.
Internal Controls Expert - Provides information on SoD risks and their criticality, and represents business (process) owners in decisions to mitigate or remove risks.
SAP Functional Expert - Provides expertise on the business process configuration in SAP and knowledge of authorization objects and activity values. Helps to set the configuration data for the rule set library and to identify false positives.
SAP CC Expert - Provides knowledge of rule setting in SAP CC, performs mass upload changes and runs risk analysis.
(diagram: the three experts feeding rules generation)
Risk Analysis
SAP Compliance Calibrator
Once the rule set has been defined and implemented, risk analysis can be performed to identify SoD conflicts and critical transaction risks in the staging and production systems.
Risk analysis can be performed at the user or role level. Risk analysis and remediation are most efficient when a structured authorization concept is implemented that maps roles to jobs and people; in these circumstances remedial efforts correct risks for large groups of users at once.
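As an added example (not Compliance Calibrator code, and not from the original deck), the following Python models the IF-THEN rule shown earlier and runs the user-level and role-level risk analysis described in this section. The functions, risks, transaction codes, roles, users and the mitigated pair are constructed sample data; a real rule library also ties each action to permissions (authorization object and field values), which is omitted here.

```python
"""SoD rule evaluation in the style of the IF-THEN rules of the deck.

Added example, not Compliance Calibrator code. All business processes,
functions, transaction codes, risk IDs, roles and users below are
constructed sample data chosen to illustrate the mechanics.
"""
from dataclasses import dataclass
from itertools import combinations

# Function -> the actions (transaction codes) that perform it. Constructed;
# a real rule library also ties each action to permissions, omitted here.
FUNCTIONS = {
    "PR01": {"name": "Vendor master maintenance", "actions": {"XK01", "XK02", "FK01", "FK02"}},
    "PR02": {"name": "Purchase order entry", "actions": {"ME21N", "ME22N"}},
    "AP01": {"name": "Vendor invoice entry", "actions": {"MIRO", "FB60"}},
    "AP02": {"name": "Vendor payment run", "actions": {"F110"}},
}

# Risk -> the functions that conflict, plus risk level and business process.
# A rule fires when one subject holds at least one action of EVERY function.
RISKS = {
    "P001": {"functions": ("PR01", "AP02"), "level": "High", "process": "Purchase to Pay",
             "desc": "Create a fictitious vendor and pay it"},
    "P002": {"functions": ("PR02", "AP01"), "level": "Medium", "process": "Purchase to Pay",
             "desc": "Raise a purchase order and post its invoice"},
}

# Roles -> actions granted, users -> roles assigned (constructed).
ROLES = {
    "Z_MM_BUYER": {"ME21N", "ME22N", "ME23N"},
    "Z_AP_CLERK": {"MIRO", "FB60", "FB03"},
    "Z_AP_PAYMENTS": {"F110", "FBL1N"},
    "Z_MM_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_AP_SUPERUSER": {"ME21N", "MIRO", "F110"},  # conflict built into one role
}
USERS = {
    "JSMITH": {"Z_MM_BUYER", "Z_AP_CLERK"},             # conflict across two roles
    "AJONES": {"Z_MM_VENDOR_MASTER", "Z_AP_PAYMENTS"},  # conflict, but mitigated below
    "BLEE": {"Z_AP_PAYMENTS"},
}
# (user, risk) pairs accepted with a documented mitigating control.
MITIGATED = {("AJONES", "P001")}


@dataclass(frozen=True)
class Violation:
    subject: str
    risk_id: str
    level: str
    matched: tuple  # ((function, actions that matched), ...)


def analyze(subject, actions):
    """Evaluate every risk rule against one subject's set of actions."""
    hits = []
    for rid, risk in RISKS.items():
        matched = []
        for fid in risk["functions"]:
            overlap = actions & FUNCTIONS[fid]["actions"]
            if not overlap:
                break  # this function is not reachable: the rule does not fire
            matched.append((fid, tuple(sorted(overlap))))
        else:  # no break: the subject can perform every function in the risk
            hits.append(Violation(subject, rid, risk["level"], tuple(matched)))
    return hits


def analyze_roles():
    """Role-level analysis: roles that carry a conflict on their own."""
    return {role: analyze(role, acts) for role, acts in ROLES.items()}


def analyze_users(apply_mitigation=True):
    """User-level analysis over the union of a user's roles. Mitigated
    (user, risk) pairs are dropped from the report, as in the simplest
    mitigation option where a controlled risk leaves risk reporting."""
    report = {}
    for user, roles in USERS.items():
        actions = set().union(*(ROLES[r] for r in roles))
        hits = analyze(user, actions)
        if apply_mitigation:
            hits = [h for h in hits if (user, h.risk_id) not in MITIGATED]
        report[user] = hits
    return report


def conflicting_role_pairs():
    """Design-time view: pairs of individually clean roles that must not be
    assigned together, because their combined actions trip a rule."""
    clean = [r for r, hits in analyze_roles().items() if not hits]
    pairs = set()
    for (r1, a1), (r2, a2) in combinations(((r, ROLES[r]) for r in clean), 2):
        if analyze(f"{r1}+{r2}", a1 | a2):
            pairs.add(frozenset((r1, r2)))
    return pairs


if __name__ == "__main__":
    for user, hits in analyze_users().items():
        for h in hits:
            print(f"{user}: {h.risk_id} ({h.level}) via {h.matched}")
```

Role-level analysis catches the conflict built into a single role (Z_AP_SUPERUSER); user-level analysis catches the conflict that only appears when two clean roles are combined (JSMITH). The pair check gives the design-time view that the structured authorization concept above makes possible: fixing one role pair corrects the risk for every user who holds both.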
Compliance Calibrator provides interactive visual analysis in the form of bar charts, pie charts and line charts. By clicking on a chart area, detailed statistics are accessed.
Informer
SAP Compliance Calibrator
You can generate reports for Users, User Groups, Roles, Profiles, HR Objects and Organizational Levels
Mitigation Control
Mitigation Controls - Rather than remove the cause of the risk, you may want to control certain risk violations that you want to remain available to specific users, roles or profiles.
Monitor ID - The ID of the user who is assigned as a Monitor, i.e. who is responsible for the specific controls.
Where risks are accepted in the system, a mitigating control should be implemented and executed. An example is a supervisory review and sign-off.
SAP CC gives you the functionality to document the mitigating controls for each risk. Once documented and assigned to a Monitor, the tool can be used to track execution of the control, or non-compliance.
Many clients will have separate cross-enterprise process control software, and three options exist for implementation:
1) Simplest option: identify the risk as controlled. The risk is removed from risk reporting (the tool then holds no evidence that the control is actually executed).
2) Associate the risk with a mitigating control held in an alternate repository, e.g. the process control software.
3) Fully document the mitigating control within SAP Compliance Calibrator.
A choice also exists on who is given responsibility for maintaining data in the SAP CC tool. This can be centralized in IT or Controls, or fully distributed to the business.
Compliance Calibrator includes functionality that can alert business and control leads by email when a critical or conflicting action is executed.
Conflicting and Critical Actions – Raised when a user performs both transactions in an SoD rule, or uses a critical transaction.
Mitigation monitoring – If a Monitor does not execute a control at the specified frequency, an alert is generated which is sent to the Monitor and is visible to the control leads.
Cleared alerts - When an alert message has been delivered and cleared, the alert remains as an archived record and can still be tracked and monitored.
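The three alert types above, as an added Python example that is not Compliance Calibrator code. The rules, the transaction execution records, the controls and the dates are constructed; the optional time window on conflicting-action alerts is an added assumption, since the page only says that both transactions were performed.

```python
"""Alert generation over transaction execution records, plus mitigation
monitoring and the cleared-alert archive described in the Alerts section.

Added example, not Compliance Calibrator code. The log records, rules,
controls and dates are constructed sample data; a real deployment reads the
execution data from the monitored SAP system (e.g. via a background job).
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Conflicting-action rules as (risk id, action A, action B). Constructed.
SOD_RULES = [
    ("P001", "XK01", "F110"),   # create vendor / run payment
    ("P002", "ME21N", "MIRO"),  # create purchase order / post invoice
]
# Critical BASIS transactions, taken from the deficiencies list above.
CRITICAL_ACTIONS = {"SE38", "SM59", "SU10"}

# Constructed execution records: (user, transaction, timestamp).
EXECUTION_LOG = [
    ("JSMITH", "ME21N", "2024-03-04T09:12:00"),
    ("JSMITH", "MIRO",  "2024-03-04T15:40:00"),
    ("AJONES", "XK01",  "2024-03-04T10:00:00"),
    ("BLEE",   "F110",  "2024-03-04T11:30:00"),
    ("TADMIN", "SE38",  "2024-03-04T08:05:00"),
    ("AJONES", "F110",  "2024-03-06T16:00:00"),
]

# Mitigating controls: id -> Monitor, required frequency, last execution. Constructed.
CONTROLS = {
    "MC-017": {"monitor": "CFOOFFICE", "frequency_days": 7, "last_executed": "2024-02-20"},
    "MC-022": {"monitor": "APMANAGER", "frequency_days": 30, "last_executed": "2024-02-28"},
}


def conflicting_action_alerts(log, rules=SOD_RULES, window_days=None):
    """A user executed BOTH actions of an SoD rule. The deck says only
    'performs both transactions'; the optional time window is an added
    assumption that keeps alerts actionable on long execution histories."""
    executions = defaultdict(lambda: defaultdict(list))
    for user, tcode, ts in log:
        executions[user][tcode].append(datetime.fromisoformat(ts))
    alerts = []
    for user, by_tcode in executions.items():
        for risk_id, a, b in rules:
            for ta in by_tcode.get(a, []):
                for tb in by_tcode.get(b, []):
                    if window_days is None or abs(ta - tb) <= timedelta(days=window_days):
                        alerts.append({"type": "conflicting_action", "user": user,
                                       "risk": risk_id, "actions": (a, b),
                                       "when": max(ta, tb).isoformat()})
    return alerts


def critical_action_alerts(log, critical=CRITICAL_ACTIONS):
    """A user executed a transaction on the critical list."""
    return [{"type": "critical_action", "user": u, "action": t, "when": ts}
            for u, t, ts in log if t in critical]


def mitigation_monitoring_alerts(controls, today_iso):
    """The Monitor has not executed a control within its specified frequency."""
    today = date.fromisoformat(today_iso)
    alerts = []
    for cid, c in controls.items():
        due = date.fromisoformat(c["last_executed"]) + timedelta(days=c["frequency_days"])
        if today > due:
            alerts.append({"type": "mitigation_overdue", "control": cid,
                           "monitor": c["monitor"], "days_overdue": (today - due).days})
    return alerts


class AlertStore:
    """Alerts are cleared, never deleted: a cleared alert moves to the archive,
    where it can still be tracked, as the Cleared alerts paragraph describes."""

    def __init__(self):
        self.open = []
        self.archived = []

    def raise_alerts(self, alerts):
        self.open.extend(alerts)
        return len(self.open)

    def clear(self, index, cleared_by):
        alert = self.open.pop(index)
        alert["cleared_by"] = cleared_by
        self.archived.append(alert)
        return alert


if __name__ == "__main__":
    store = AlertStore()
    store.raise_alerts(conflicting_action_alerts(EXECUTION_LOG, window_days=7))
    store.raise_alerts(critical_action_alerts(EXECUTION_LOG))
    store.raise_alerts(mitigation_monitoring_alerts(CONTROLS, "2024-03-06"))
    for a in store.open:
        print(a)
```

Note the difference between this detective control and the authorization analysis earlier: BLEE ran F110 but never XK01, so no conflicting-action alert is raised even though the two transactions form a rule; the alert fires on actual execution of both, not on the ability to execute them.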
SAP Compliance Configuration
The Configuration tab is the main starting point for post-installation setup.
NOTE: Only a user with administrative authority can access and use this part of Compliance Calibrator.
The Java Connector (JCo) acts as the integration point between the Java application and the SAP system to be monitored/analyzed.
The User Management Engine (UME) provides out-of-the-box J2EE administrator profiles that can be defined or activated.
The rule set upload function is used to load the standard rule set or a customized rule set, e.g. critical transaction codes, critical objects, etc. These characteristics are the foundations of the SoD rules.
The Workflow component is used to trigger email alerts to named process owners within user provisioning. It is an integrated part of the Access Enforcer solution.
Background job scheduling is used to activate monitoring, e.g. the frequency of SoD analysis and risk violation checks.
SAP Compliance Configuration
1. Agree security design principles and dependencies with SAP CC - Establish design concepts and principles for mapping roles to jobs and users, e.g. one composite role per user.
2. Confirm project governance and high-level processes - Agree business owners, business approvers, control approvers, role maintenance and UP processes. Define security controls.
3. Master data and functional set-up; test functionality - Agree master data definitions: organization, business process, risk descriptions, monitors and control approvers.
4. Define risks and configure the risk rule set - Agree SoD conflicts and critical transactions. Categorise risks (H/M/L). Update the risk rule set. Test risks.
5. Run risk analysis - Run risk analysis in the staging environment, then in the production environment. Export reports and update risk logs.
6. Remedial actions - Identify and remove false positives. Agree whether to accept or reject risks. Plan authorization changes, update security design templates and raise change requests to security maintenance. Re-run risk analysis.
7. Mitigate accepted risks - Agree mitigating controls for each risk. Agree control owners and business approvers (execution). Update mitigating controls in the tool.
8. Update procedures and security controls - Update procedures to introduce SAP CC as a preventative control and to reflect governance for business ownership.
9. Transition to live - Train and enable operations staff, business approvers and control owners. Deploy the new procedures. Stabilization support.
Fire-fighter
The Firefighter application allows a user to take responsibility for tasks outside their normal job function in an emergency situation.
It enables users to perform duties not included in the roles or profiles assigned to their user IDs, and provides this extended capability while creating an auditing layer to monitor and record Firefighter usage, so that the activities performed during an emergency can be reviewed afterwards.
(diagram: Role 1, Role 2 and Role 3 are assigned to Firefighter ID 1, which is assigned to User 1)
Before users can access Firefighter, they must be assigned a Firefighter ID. For each Firefighter ID the following roles are defined:
Owner - Owners can assign Firefighter IDs to Firefighters.
Controller - Receives email notification and reviews the Firefighter log report.
In addition, the Administrator creates the Firefighter IDs and assigns the authorization roles to them.
Process Overview
SAP Firefighter
Through automated emergency access administration, Firefighter tracks, monitors and logs all emergency access activities.
Example
If the employee who normally works with vendor accounting is on vacation or sick leave, another employee who usually verifies invoices may be assigned a Firefighter ID to perform this task temporarily. Note that this combination (invoice verification plus vendor accounting) is the kind of conflict the SoD rules are designed to flag, which is why the Controller's review of the Firefighter log is the compensating control here.
Benefits of Firefighter are:
- Avoid business obstructions through faster emergency response
- Reduce audit time
- Reduce the time needed to perform critical tasks
Fire-fighter – Firefighter dashboard (screenshot not reproduced)
Access Enforcer automates the end-to-end access provisioning approval process by combining roles and permissions with workflow.
When a user requests access to resources for which they do not have permission, Access Enforcer automatically forwards the access request to designated managers and approvers within a pre-defined workflow. This workflow is customized to reflect your company policy.
Roles and permissions are automatically applied to the enterprise directories when the access request is approved.
Access Enforcer automates the role provisioning process within the identity management environment. It supports corporate accountability and compliance with Sarbanes-Oxley and other laws and regulations.
Access Enforcer
Access Enforcer has four task modules for specific usage:
Requestors - The Requestors module is for end users who are requesting access to SAP and non-SAP backend systems.
Approvers - The Approvers module is for approvers who approve access requests. Approvers can also request access for other end users. Approvers include line managers and IT security.
Informer - The Informer module is a reporting tool that provides graphical and analytical reports for managers.
Configuration - The Configuration module is for Access Enforcer administrators who define defaults, workflow and other attributes based on their corporate business processes and policies.
Access Enforcer Module Breakdown
(diagram of the request flow between the user, Access Enforcer and SAP; only steps 2 and 5 survived extraction)
2. Provides the Access Request page, which can be set to specific or multiple data sources (e.g. the SAP HR system or non-SAP systems) to complete the request process.
5. Upon approval, the access request is routed to the next stage, which could involve the IT security team for entry to the SAP backend system or application server. Automatic provisioning to the target system could take place.
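An added example, not Access Enforcer code, of the approval workflow described above: a request is routed through pre-defined stages, only the current stage's approver may act, self-approval is refused, a rejection at any stage ends the request, and provisioning to the target system happens only after the final approval. The stage order (line manager, role owner, IT security), the approver IDs and the role owners are constructed assumptions.

```python
"""Multi-stage access request workflow of the kind Access Enforcer automates.

Added example, not Access Enforcer code. Stage names, approver IDs, role
owners and the provisioning stand-in are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    PROVISIONED = "provisioned"


# Who owns each role (constructed). The role owner is one of the approvers.
ROLE_OWNERS = {"Z_AP_PAYMENTS": "APMANAGER", "Z_MM_BUYER": "PURCHMGR"}

# Workflow stages in order, each resolving the approver for a request.
# Constructed policy: line manager, then role owner, then IT security.
STAGES = [
    ("manager", lambda req: req.manager),
    ("role_owner", lambda req: ROLE_OWNERS[req.role]),
    ("it_security", lambda req: "SECADMIN"),
]


@dataclass
class Request:
    request_id: str
    requester: str   # who raised it (approvers may request for others)
    user: str        # whose access is being requested
    role: str
    manager: str
    stage: int = 0
    state: State = State.PENDING
    history: list = field(default_factory=list)  # audit trail of decisions

    def current_approver(self):
        if self.state is not State.PENDING:
            return None
        return STAGES[self.stage][1](self)


def decide(req, approver, approve, comment=""):
    """Record one decision. Only the current stage's approver may act, nobody
    may approve access for themselves, and a rejection ends the workflow."""
    if req.state is not State.PENDING:
        raise ValueError(f"{req.request_id} is already {req.state.value}")
    expected = req.current_approver()
    if approver != expected:
        raise PermissionError(
            f"{approver} is not the {STAGES[req.stage][0]} approver (expected {expected})")
    if approver == req.user:
        raise PermissionError("a user may not approve their own access")
    stage_name = STAGES[req.stage][0]
    req.history.append((stage_name, approver, "approve" if approve else "reject", comment))
    if not approve:
        req.state = State.REJECTED
    else:
        req.stage += 1
        if req.stage == len(STAGES):
            req.state = State.APPROVED
    return req.state


PROVISIONED = []  # stand-in for the target system's user-role assignments


def provision(req):
    """Apply the role to the target system. Only a fully approved request gets here."""
    if req.state is not State.APPROVED:
        raise ValueError(f"cannot provision {req.request_id}: state is {req.state.value}")
    PROVISIONED.append((req.user, req.role))
    req.state = State.PROVISIONED
    return req.state


if __name__ == "__main__":
    req = Request("REQ-1", "JSMITH", "JSMITH", "Z_AP_PAYMENTS", manager="MGR1")
    for approver in ("MGR1", "APMANAGER", "SECADMIN"):
        decide(req, approver, True)
    provision(req)
    print(req.state, req.history, PROVISIONED)
```

The history list is the audit trail an auditor asks for: which stage, who decided, what they decided and when in the sequence. The self-approval check matters because approvers may raise requests for others, so a manager requesting a role for themselves would otherwise be their own first approver.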
Access Enforcer - Benefits
Role Expert
Role Expert is a solution for compliant enterprise role management, allowing role owners to define, document and manage roles across multiple enterprise applications. It enforces best practices, resulting in lower ongoing maintenance and easier knowledge transfer.
It automatically analyzes roles for potential security risks (audit and SoD issues), tracks changes and facilitates an approval workflow, eliminating the inefficient back-and-forth exchanges between business managers and IT.
Role Expert provides a complete audit trail covering role definition, detailed change history and control test results, and allows SAP security administrators and role owners to document important role information that is of value for better role management, such as:
- Tracking progress during role implementation
- Monitoring the overall quality of the implementation
- Performing risk analysis at role design time
- Setting up a workflow for role approval
- Providing an audit trail for all role modifications
- Maintaining roles after they are generated to keep role information current
Role Expert
Role Library - Dashboard of all the roles in Role Expert. Displays an interactive graphical interface of the roles broken down by system landscape, role owner or business process. It also shows the number of roles with violations and the roles belonging to different role types.
Role Designer - Provides a step-by-step guide for designing roles across your enterprise. Role Designer allows you to define:
- Role building methodology
- Naming conventions
- Role attributes
- Org. value mapping
- Approval criteria