
SAP GRC- ACCESS CONTROL

Submitted by (Batch 2012-14):
- Manas Choudhary (12030241142), Group C, Group Leader, 9665372521
- Shankar Kendre (12030241159), Group C, 9960899626
- Raghavendra Aarole (Roll No), Group C, 7709998886
- Ishan Mishra (12030241073), Group A, 7276899981
- Rahul Vardhan Dinesh (12030241210), Group D, 9420290268

Agenda
1. Fragmentation
2. Integrated GRC
3. SAP Solutions for GRC
4. Segregation of Duties Violations
5. Risk Analysis and Remediation
6. Access Management
7. Compliant Provisioning
8. Benefits of SAP GRC

Fragmentation
Managing with confidence is difficult in an increasingly complex world
[Figure: governance, risk management and compliance activities scattered across the organization, each function running its own, with no common owner, content or repository]
Regulations and standards shown: ASX Principle 7, CLERP 9, SOX, RoHS, WEEE
Risk areas shown: segregation of duties, credit risk, human capital risk, project risk
Jurisdictions shown: Australia, U.S.A., Japan, U.K., France, China, Germany, India
Functions shown, each with its own governance, risk management and compliance activities: Board of Directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy Mgmt., Audit & Compliance, Treasury, Security, Proj. Mgmt., Doc. Mgmt., Planning, Customers, ERP, Production, Billing

Integrated GRC
Forward looking organizations are seeking a unified approach to GRC
[Figure: the same regulations (ASX Principle 7, CLERP 9, SOX, RoHS, WEEE), risk areas (segregation of duties, credit risk, human capital risk, project risk), jurisdictions (Australia, U.S.A., Japan, U.K., France, China, Germany, India) and business functions as on the previous slide, now connected through one unified approach to governance, risk management and compliance]

SAP Solutions for GRC
A unified solution for GRC management

[Figure: layered architecture of the SAP GRC solution, from business applications up to industry content]
- Industry-Specific GRC: Life Sciences, High Tech, Chemicals, Oil & Gas, Banking
- Cross-Industry GRC: Risk Management; Compliance & Controls, consisting of Access Control, Process Control, Global Trade and Environment
- GRC Repository
- Business Process Platform
- Business Applications

The unified solution gives transparency into a balanced global risk profile, standardizes on common GRC content and rules, and automates and embeds GRC into business processes.

Segregation of Duties Violations

SAP GRC Access Control addresses SoD violations in three phases. All three build on common risk analysis, remediation and prevention services and on a cross-enterprise library of best-practice segregation-of-duties rules.

Get Clean (minimal time to compliance)
- Risk Identification and Remediation: rapid, cost-effective and comprehensive initial clean-up
- Enterprise Role Management: enforce SoD compliance at design time, when roles are built

Stay Clean (continuous access management)
- Compliant User Provisioning: prevent SoD violations at run time, when access is requested
- Superuser Privilege Management: close the number-one audit issue, uncontrolled emergency access, with temporary, logged emergency access

Stay in Control (effective management oversight and audit)
- Periodic Access Review and Audit: focus recurring audits on the remaining challenges

Risk Analysis and Remediation

Common services across all SAP GRC Access Control capabilities:

Access Risk Services
- Risk Identification: real-time SoD risk analysis, critical transaction monitoring, cross-application integration
- Remediation Management: mitigation management, alerts framework, reporting
- Prevention Services: real-time simulation and mandatory prevention; delivers 24/7, real-time compliance by stopping security and controls violations before they occur
- Reporting

Access Risks Library (rules and risk elimination)
- Cross-Enterprise Rules Database
- Cross-Enterprise Rules Architect

"SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate." (Synopsys Inc.)

Risk Analysis and Remediation contd.

Getting clean: the initial risk analysis and remediation cycle facilitates collaboration between Business and IT to clean up access risks, with end-to-end automation across four steps:
1. Risk Identification
2. Risk Elimination
3. Reporting
4. Prevention

"The clean-up process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations." (Synopsys Inc.)

Access Management
The only compliance-focused emergency access solution (Superuser Privilege Management)

Key functionality for compliant superuser access:
- ID administration: pre-assigned firecall IDs, one user per ID at a time
- Security: log-in restrictions, validity dates and date restrictions, specific authorization access limited to what the emergency requires
- Privileged access: each use opens a new session under a firecall ID (separate IDs per module, e.g. SD, MM, FI/CO), and every session is logged
- Notification and alert framework: the ID owner is notified of each use
- Reporting: audit logs, with field-level changes tracked

[Figure: firecall sessions per module (SD, MM, FICO), each producing a log that feeds the alert framework and reporting]
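The checkout controls listed above, as an added example that is not part of the original presentation and is not SAP's product code: a small Python ledger that enforces pre-assigned firecall IDs, validity dates, one user per ID at a time and a mandatory reason, tracks field-level changes in an append-only audit log, and produces the owner notification at check-in. The firecall ID, users, owner and the BKPF/BLDAT change are constructed sample data.

```python
"""Constructed example (not SAP's code): an emergency-access ledger that enforces
pre-assigned firecall IDs, validity dates, one user per ID at a time, a mandatory
reason, and a field-level audit log reported to the ID owner at check-in."""
from datetime import datetime


def ts(iso):
    """Parse an ISO-8601 timestamp, e.g. ts('2024-03-01T10:00:00')."""
    return datetime.fromisoformat(iso)


class FirecallError(Exception):
    pass


class FirecallLedger:
    def __init__(self):
        self.ids = {}        # firecall ID -> registration record
        self.audit_log = []  # append-only list of events (CHECKOUT, CHANGE, CHECKIN)

    def register(self, fc_id, owner, valid_from, valid_to):
        """Pre-assign a firecall ID to an owner, who reviews every use of it."""
        self.ids[fc_id] = {"owner": owner, "valid_from": valid_from,
                           "valid_to": valid_to, "session": None}

    def _log(self, event, fc_id, user, at, **fields):
        entry = {"event": event, "fc_id": fc_id, "user": user,
                 "at": at.isoformat(), **fields}
        self.audit_log.append(entry)
        return entry

    def checkout(self, fc_id, user, reason, now):
        """Hand the ID to one user for a new session, or refuse with a reason."""
        rec = self.ids.get(fc_id)
        if rec is None:
            raise FirecallError(f"{fc_id} is not a registered firecall ID")
        if not rec["valid_from"] <= now <= rec["valid_to"]:
            raise FirecallError(f"{fc_id} is outside its validity dates")
        if rec["session"] is not None:  # single user per ID
            raise FirecallError(f"{fc_id} already checked out by {rec['session']['user']}")
        if not reason.strip():
            raise FirecallError("a reason is mandatory for emergency access")
        rec["session"] = {"user": user, "since": now, "changes": []}
        self._log("CHECKOUT", fc_id, user, now, reason=reason)
        return True

    def record_change(self, fc_id, table, key, field, old, new, now):
        """Track one field-level change made under the active firecall session."""
        rec = self.ids[fc_id]
        if rec["session"] is None:
            raise FirecallError(f"{fc_id} has no active session")
        change = {"table": table, "key": key, "field": field, "old": old, "new": new}
        rec["session"]["changes"].append(change)
        self._log("CHANGE", fc_id, rec["session"]["user"], now, **change)

    def checkin(self, fc_id, now):
        """End the session and return the notification sent to the ID owner."""
        rec = self.ids[fc_id]
        session = rec["session"]
        if session is None:
            raise FirecallError(f"{fc_id} has no active session")
        rec["session"] = None
        self._log("CHECKIN", fc_id, session["user"], now)
        return {
            "to": rec["owner"],
            "fc_id": fc_id,
            "user": session["user"],
            "minutes": int((now - session["since"]).total_seconds() // 60),
            "changes": session["changes"],
        }


if __name__ == "__main__":
    led = FirecallLedger()
    led.register("FF_FICO_01", "controller.jane",
                 ts("2024-03-01T00:00:00"), ts("2024-03-31T23:59:59"))
    led.checkout("FF_FICO_01", "alice", "month-end posting blocked", ts("2024-03-10T09:00:00"))
    led.record_change("FF_FICO_01", "BKPF", "1000/1900000123/2024", "BLDAT",
                      "2024-02-29", "2024-03-01", ts("2024-03-10T09:20:00"))
    print(led.checkin("FF_FICO_01", ts("2024-03-10T09:45:00")))
```

The owner notification is the review artifact: it names the user, the duration and every field changed, so the reviewer can compare what was done against the stated reason. In a real deployment the session's actions would come from the target system's own change logs rather than from explicit `record_change` calls.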

Compliant Provisioning

Current approach (inefficient, not compliant): an access request goes by e-mail to the manager for approval, then by e-mail to the role owner, and on to IT Security through spreadsheets and paper forms, ending in manual provisioning. The chain is slow, depends on e-mail, spreadsheets and paper, and leaves no auditable record.

SAP GRC Access Control instead enables compliant end-to-end provisioning, hire to retire.

Compliant Provisioning contd.

Compliant Provisioning with Dynamic Workflow (100% automated):
1. An HR event (employee hired or retired) generates the request.
2. The workflow path is chosen dynamically, based on request type and user attributes.
3. Manager approval is requested via e-mail, with an escalation workflow.
4. Risk analysis with one-click preventive simulation checks the requested access for SoD risk before it is granted; violations go to an exception workflow.
5. Automated provisioning applies the approved access.

Every step is tracked, giving auditable records for auditors. Embedding cross-enterprise preventive compliance into the business process reduces the cost of user administration and improves end-user productivity.
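To make the risk analysis and the one-click preventive simulation concrete, an added example written for this page (not code from SAP GRC Access Control), serving both the Risk Analysis and Remediation section and the provisioning workflow above: a minimal SoD engine in Python. The business functions, the transaction codes behind them, the risk IDs P001 to P003, the Z_* roles and the mitigation are a constructed rule set for illustration, not SAP's delivered rules; a real analysis also evaluates authorization objects, not transaction codes alone.

```python
"""Constructed example (not SAP's rule set): segregation-of-duties risk analysis
over a user's roles, plus the preventive simulation an access request goes
through before provisioning."""

# Business functions, each defined by the transaction codes that enable it.
# Illustrative mapping; SAP's delivered rules also check authorization objects.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01"},
    "VENDOR_INVOICE": {"FB60", "MIRO"},
    "VENDOR_PAYMENT": {"F110", "F-53"},
    "PO_CREATE": {"ME21N"},
    "GOODS_RECEIPT": {"MIGO"},
}

# SoD risks: pairs of functions that must not sit with the same individual.
RISKS = {
    "P001": ("VENDOR_MAINTAIN", "VENDOR_INVOICE"),  # create a fictitious vendor and bill it
    "P002": ("VENDOR_INVOICE", "VENDOR_PAYMENT"),   # post an invoice and pay it
    "P003": ("PO_CREATE", "GOODS_RECEIPT"),         # order goods and confirm their receipt
}

# Roles as sets of transaction codes (constructed).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_MASTER_DATA": {"XK01", "XK02"},
    "Z_PAYMENT_RUN": {"F110"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
}


def user_tcodes(roles):
    """Union of the transaction codes granted by a set of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES[role]
    return tcodes


def functions_enabled(tcodes):
    """A function is enabled if the user holds any transaction that performs it."""
    return {f for f, needed in FUNCTIONS.items() if tcodes & needed}


def analyze(roles, mitigations=frozenset()):
    """Risk identification: sorted risk IDs violated by this role set.
    Risks covered by an assigned mitigating control are excluded."""
    enabled = functions_enabled(user_tcodes(roles))
    hits = {rid for rid, (a, b) in RISKS.items() if a in enabled and b in enabled}
    return sorted(hits - set(mitigations))


def simulate_request(current_roles, requested_roles, mitigations=frozenset()):
    """Preventive simulation: only the risks the request would newly introduce."""
    before = set(analyze(current_roles, mitigations))
    after = set(analyze(list(current_roles) + list(requested_roles), mitigations))
    return sorted(after - before)


def decide(current_roles, requested_roles, mitigations=frozenset()):
    """Workflow decision: clean requests proceed, risky ones go to exception handling."""
    new_risks = simulate_request(current_roles, requested_roles, mitigations)
    return ("APPROVE" if not new_risks else "ROUTE_TO_EXCEPTION_WORKFLOW", new_risks)


if __name__ == "__main__":
    print(analyze(["Z_AP_CLERK", "Z_MASTER_DATA"]))        # existing violation P001
    print(decide(["Z_AP_CLERK"], ["Z_PAYMENT_RUN"]))        # request would add P002
    print(decide(["Z_BUYER"], ["Z_WAREHOUSE"], {"P003"}))   # mitigated, so approved
```

The simulation deliberately reports only risks that the request adds; violations the user already carries are the job of the initial clean-up and the periodic access review, not of the approver of this request. A mitigating control removes a risk from the result only for the users it is assigned to, which is what mitigation management tracks.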

Benefits of SAP GRC

Key solution capabilities and benefits
- Identifies and prevents access and authorization risks in cross-enterprise IT systems, to prevent fraud and reduce the cost of continuous compliance and control
- Provides end-to-end automation for detecting, remediating, mitigating and preventing access and authorization risk across the enterprise
- Allows true cross-enterprise SoD risk mitigation by integrating with SAP and non-SAP systems

Common customer challenges addressed
- Need to comply with SOX section 404 or similar regulations
- Weak support for the audit process, which must ensure the right measures are in place to prevent fraud
- Manual or people-intensive compliance processes involving e-mails, spreadsheets and/or paper
- Costly, manual remediation
- Uncontrolled role management
- Excessive super-user access
- Inefficient and un-auditable user provisioning
- Reactive rather than preventative controls

- Establishes an approach and process to manage risk rules
- Alerts on potential violations
- Identifies business functions that produce risk when executed by the same individual
- Focuses on prevention rather than point-in-time detection
- Simplifies compliant enterprise-level role administration
- Enforces compliant security for privileged access
- Increases visibility through timely notification
- Delivers audit-ready, detailed reporting
- Lowers risk and saves money through proactive compliance
