access controls - capgemini.com · access management with segregation of duties is critical...


Upload: hoangque

Post on 08-Sep-2018


Page 1: Access Controls - capgemini.com · Access management with segregation of duties is critical requirement of every ... Case Study Capgemini is currently ... Global Process Models for

the way we do it

Business Analytics

Access Controls

The Opportunity

Access management with segregation of duties is a critical requirement of every organization today. By maintaining appropriate roles and authorizations in the organization, we can prevent fraud and control user access.

Despite the importance of access, some of the key challenges that organizations are facing today are:

• Delays in providing access to users
• No uniform roles and tasks definition
• No information and analytics on quantum of risks
• High audit time and cost
• No active management and visibility of sensitive access

Providing end to end user access management eliminating segregation of duties (SOD) risks


Business and IT - Ongoing Dilemma

The figure above depicts the ever-growing access demand of business and stringent audit requirements.

Capgemini Solution

Standard roles and associated tasks based on the Capgemini Global Process Model will ensure conflict-free roles while ensuring adequate access for the operating team for seamless performance of various processes.

Deliver Centralized Preventive Control Around Segregation of Duties

This would mean a common Segregation of Duties (SOD) matrix being followed across the organization. A common SOD matrix across different business processes and entities will expose cross-organization risks that would otherwise not be visible. All roles created within the organization should be compliant with this central SOD matrix. Users, when assigned to roles, would need to be checked for any SOD conflicts before the actual assignment.

Drive Automation in User Access Management

This would ensure faster access for users. Automation will also enable approvals from various stakeholders, such as role owners and line managers, to be taken through a web-enabled workflow. An audit trail for the entire access provisioning process will also be captured.

Reduce Audit Time and Cost

Cost will come down if centralized access control processes, based on Capgemini-defined Global Process Models, are followed. The Global Process Model for access control provides the best practice for various access processes such as role creation, role deletion, user role assignment workflows, periodic reviews for movers, leavers and joiners, and many more. These processes capture all audit requirements, thereby reducing audit time and cost.

Analytics and reporting around sensitive access drives better decision making.

A pre-delivered set of analytics and reporting is available from Capgemini in the following areas to drive greater visibility and predictability of risks.

How It Works

Step by step approach for conceptualization, analysis and remediation around Access Controls.

[Figure: Business and IT - Ongoing Dilemma. Parties shown: IT (Security/Controls Team), Auditors/Compliance Teams, Senior Management, Business. Speech bubbles: “I need ALL access, I’m a Super User”; “Why don’t you let me do my job?”; “I hired Bill today. He needs access to close books by tomorrow!!!”; “Violating so many controls? This is ugly...”; “Why can’t you ever get your act together?”]


Capgemini will deliver the Access Control service on a run-service basis and will ensure that segregation of duty challenges are avoided at the stage of providing access.

Key Analytics We Provide on Access Control:

Benefits of Access Controls

Protect Information and Prevent Fraud

• Eliminate access and authorization risks with out-of-the-box rules
• Enforce segregation of duties across applications and departments
• Prevent improper access instead of reacting to problems

Case Study

Capgemini is currently providing a complete access control service, including global reporting and analytics, across more than 50 countries for a leading Fast Moving Consumer Goods (FMCG) company. The scope includes role management, user access management, and monitoring of critical access and super user access. Role management includes evaluation of the effectiveness of mitigation controls. Capgemini has provided the list of global mitigation controls which are part of the Global Process Model.

Capgemini has increased visibility with global reporting along with recommendations on remediation for identified risks. The global reporting offers summarized as well as drill-down views of the risk areas by country or business process. Analytics around the top 5 sensitive access risks, unmitigated SOD risks, usage for fire fighter Single Platform Module (SPM) and more help drive the organization's focus towards key risk areas and address them quickly.

(1) Risk Recognition

• Identify or approve conflicts and exceptions
• Classify risks as Critical, High, Medium, or Low
• Identify new risks and conditions that should be monitored

(2) Rule Building and Validation

• Establish technical rules to monitor risk
• Verify rules against test cases (Users/Roles)

(3) Analysis

• Run reports for risk analysis
• Explore alternatives to eliminating risk
• Size cleanup efforts
• Modify rules based on analysis

(4) Remediation

• Determine alternatives for eliminating risks
• Present analysis and select corrective actions
• Document approval of corrective actions
• Modify/create roles or user assignment

(5) Mitigation

• Design alternative controls to mitigate risk
• Educate management on conflicts approval and monitoring
• Document a process for monitoring mitigation controls
• Implement controls

(6) Continuous Compliance

• Communicate changes in roles and user assignment
• Simulate changes to roles and users
• Implement alerts; they will:
  - Aid in monitoring new access risks
  - Assist in testing mitigation controls

[Figure: the six steps (Risk Recognition, Rule Building and Validation, Analysis, Remediation, Mitigation, Continuous Compliance) numbered 1 to 6 and grouped into Phase One, Phase Two and Phase Three]

Access Control Reporting and Analytics: Visibility and Outcome

• Movers, Leavers and Joiners: The number of people in ERP changing positions, leaving or joining the organization
• Sensitive Access: People having access to sensitive IT transactions or sensitive business transactions
• Segregation of Duties: Reporting specific to divisions & clusters in the organization for SOD and follow up for resolution
• Super User Access and Usage: Fire fighter IDs assigned to users with validity and type of usage
• Usage Analysis and Role Mining: From within the roles available with the users, reviewing the transactions used


About Capgemini

With more than 125,000 people in 44 countries, Capgemini is one of the world’s foremost providers of consulting, technology and outsourcing services. The Group reported 2012 global revenues of EUR 10.3 billion.

Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want.

A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.

Learn more about us at

www.capgemini.com


The information contained in this document is proprietary. ©2013 Capgemini. All rights reserved. Rightshore® is a trademark belonging to Capgemini.

Optimize Operations

• Automate segregation of duties management
• Automate access management
• Promote IT and Line of Business collaboration
• Enforce accountability with review and approval processes
• Ease compliance and avoid authorization risk

Minimize Time and Cost of Financial Compliance

• Provide proof and reliability with control tests and audit trail for SOD controls
• Report and review key risk indicators for system access

Capgemini Differentiators

Differentiator: Purpose

• SPRInT: Strategy for Provisioning Roles in Transparency – a brain child of Capgemini for accelerated SOD health check.
• GRC Business Value Workshops: A day/s workshop at the client premises which is a good starting point of the engagement depending on the GRC maturity of the customer.
• GRC CoE Infrastructure: Sandbox and Demo environment for GRC suite of products which can be used by Capgemini Consultants to conceptualize client scenarios and test.
• Ready to Run Training Scenarios: Standard Training scripts and recordings to accelerate transition and transformation around Access Controls.
• GPM: Global Process Models for SAP GRC Access Controls and Process Controls activities.
• Risk and Control Library: Capgemini has a detailed risk and controls library with over 400+ controls defined for various business processes across sectors.
• CG GRC Global Community: A global community of Access Control and Risk management consultants across the world with knowledge of business processes.

For more details contact: Terry [email protected]