SAP GRC Access Control: Emergency Access Management
PwC
PwC provides end-to-end SAP consulting services
Value through SAP strategy, design, implementation & QA
PwC SAP Consulting service areas: Human Capital, Value chain, Technology & Security, Enterprise Assets, Finance & Treasury, Governance Risk & Compliance
April 2016, Slide 2
PwC’s SAP security & GRC services
Increase quality & profitability with PwC services & SAP technology
Agenda
SAP security: What & why?
SAP GRC Access Control overview
Emergency Access Management deep-dive
Live demo
Implementation good practices
Question & answer
SAP authorisations
PwC’s five guiding principles for an effective design
Five principles leading to effective SAP security: task based methodology, smart technical design, know your control points, quality technical build, SoD free
PwC’s holistic view on SAP security
SAP GRC as an enabler for a sustainable authorisation model
Effective SAP security design rests on three pillars: SAP role architecture, security & provisioning processes, and org structure & governance
“Get clean, stay clean”: use the right tools and processes to support your SAP authorisation concept
SAP GRC Access Control
Four modules which enable controlled SAP authorisations
GRC access management technology consists of four modules:
1. Access Risk Analysis
2. Business Role Management
3. Access Request Management
4. Emergency Access Management
Your challenges
How to handle those midnight emergency calls… without opening security gates permanently?
• Recent audits demonstrated that your SAP users in IT and Business had access to sensitive SAP transactions or tables on a permanent basis whilst the access was not required to support the user’s day-to-day job activities. This sensitive access was granted to these users to allow them to support the business in case of incidents and/or emergency requests, but resulted in an uncontrolled usage of sensitive SAP access.
Access to sensitive transactions is not controlled
Your desired response
You want to address the above challenges by implementing appropriate controls on the usage of sensitive SAP access in support of incidents and emergency requests, and by installing regular risk-based SAP access reviews. SAP GRC Access Control technology has been identified as an important enabler for these controls.
SAP GRC to meet IT, business and internal control requirements
SAP GRC Emergency Access Management
An enabler for controlled management of elevated access!
Key Functionality
• Pre-define emergency access for approved users
• Activity monitoring for all emergency users
• Enables compliance-focused emergency access for SAP
• Pre-assigned firefighter IDs
• Access restrictions
• Validity dates and expiry
• Field-level changes tracked in audit log
• Workflow based log review
Key Benefits
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform
• Workflow based log review
• Compliant emergency access management process
Diagram: instead of one super user holding SAP_ALL, process-specific Firecall IDs (SD, MM, FICO, …) are used; each check-out opens a new session and produces its own log.
SAP GRC EAM key terminology
To assist you in not getting lost in translation
EAM: Emergency Access Management, SAP’s tool for providing elevated security authorisations through a controlled process ensuring usage is appropriate.
SPM / Virsa FireFighter: Legacy names for EAM from GRC versions 5.3 and earlier.
Firefighter ID (also called EAM ID, SPM ID, FFID, FireFight ID): A separate SAP user account typically assigned to a specific process area. When needed, an end user logs into GRC and opens an emergency access session. At that point, a new SAP session is opened and all actions performed are logged in EAM.
Firefighter: An end user who logs into EAM and checks out a Firefighter ID to perform emergency actions.
Owner: Responsible for approving and periodically reviewing access granted to an individual Firefighter ID. Owners are also responsible for authorizing the security authorizations assigned to the Firefighter ID.
Controller: Responsible for monitoring and assessing the appropriateness of activity performed by a user using an individual Firefighter ID.
A typical SAP GRC EAM process flow
All actors need to take up responsibility to generate benefit!
Determine your SAP GRC AC business case
How to build a solid and compelling one?
• Embed ownership of user provisioning to business process owners
• Improved harmony between the goals of IT and the needs of business
• Encourage consistent execution of business processes
• Reduce access risks and therefore avoid fraud and errors
• Simplify the access request process for business users
• Reduce time spent for user provisioning
• Get rid of recurring audit and compliance remarks
SAP’s GRC value calculator tool: http://www.pulse-iq.com/SAP/AccessControlValueCalc/dashboard.html
GRC implementation roadmap
Working smart towards your goals
Roadmap milestones shown: Access Risk Analysis Integration; Continuous Compliant Access Management
EAM & ARA implementation trajectory
Keep your objectives in mind and involve the right stakeholders
Assess
• SAP GRC technical installation
• EAM: Define emergency access management (EAM) needs
• ARA: Define access risk analysis (ARA) usage needs
Design
• EAM: Design “firefighter” accounts & access and supporting governance structure & processes
• ARA: Define access risks to be monitored for in-scope processes
• ARA: Define ARA governance structure & processes
Construct
• EAM: Build firefighter IDs, assign their access
• EAM: Configure EAM in SAP GRC back-end
• EAM: Set up EAM reporting
• ARA: Construct ARA risk ruleset
• ARA: Configure ARA in SAP GRC back-end
• ARA: Set up ARA reporting
Implement
• EAM: Perform EAM unit, integration and user acceptance testing
• EAM: Train EAM end-users
• ARA: Perform ARA unit, integration and user acceptance testing
• ARA: Train ARA end-users
Operate & Review
• EAM: Go-live of the tested EAM solution
• EAM: Provide ad-hoc support to EAM administrators and end-users
• ARA: Go-live of the tested ARA
• ARA: Provide ad-hoc support to EAM administrators and end-users
Across all phases: ongoing training & knowledge transfer (SAP GRC EAM and SAP GRC ARA tracks)
Determine your EAM relevant usage
Involve the right stakeholders to identify this usage
Appropriate usage includes
• Emergency changes required in production
• Sensitive transactions not available via end user security roles
• SOx-sensitive, restricted transactions
• Infrequent, sensitive tasks (opening/closing posting period)
• Cutover tasks
Inappropriate usage includes
• Daily business tasks by support users (creating purchase orders, etc.)
• Non-sensitive tasks available via security roles
• Using EAM as a crutch to support a bad security design
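The usage criteria above, together with the roles and controls on the terminology and key functionality slides (Firefighter, Controller, validity dates, workflow-based log review), can be checked mechanically once session and audit-log records are exported. The following is an added example, not PwC's or SAP's code: every Firefighter ID, user name, timestamp and transaction code is constructed sample data, and the transaction codes are assumed illustrations of "routine" versus "emergency" work.

```python
"""Added example (not PwC's or SAP's code): a controller-side review of
constructed EAM-style firefighter session and audit-log records against the
appropriate/inappropriate usage criteria above. Every ID, user name,
timestamp and transaction code below is constructed sample data."""
from datetime import datetime

# Firefighter ID master data (constructed): owner, controller, validity end.
FFIDS = {"FF_MM": {"owner": "owner.mm", "controller": "ctrl.mm",
                   "valid_to": datetime(2016, 12, 31)}}
# Routine tasks that belong in end-user roles, not in EAM (assumed codes).
ROUTINE_TCODES = {"ME21N"}  # purchase order creation

SESSIONS = [  # constructed check-out records: who used which FFID, and when
    {"id": 1, "ffid": "FF_MM", "firefighter": "jdoe", "reviewed_by": "ctrl.mm",
     "start": datetime(2016, 4, 28, 23, 10), "end": datetime(2016, 4, 28, 23, 50),
     "reason": "INC0001 stuck IDoc"},
    {"id": 2, "ffid": "FF_MM", "firefighter": "jdoe", "reviewed_by": None,
     "start": datetime(2016, 4, 29, 9, 0), "end": datetime(2016, 4, 29, 9, 30),
     "reason": ""},
    {"id": 3, "ffid": "FF_MM", "firefighter": "asmith", "reviewed_by": "asmith",
     "start": datetime(2017, 1, 2, 8, 0), "end": datetime(2017, 1, 2, 8, 15),
     "reason": "INC0002 period close"},
]
ACTIONS = [  # constructed audit-log lines: FFID, timestamp, transaction code
    {"ffid": "FF_MM", "at": datetime(2016, 4, 28, 23, 20), "tcode": "WE19"},
    {"ffid": "FF_MM", "at": datetime(2016, 4, 29, 9, 5), "tcode": "ME21N"},
    {"ffid": "FF_MM", "at": datetime(2016, 4, 29, 12, 0), "tcode": "SE16"},
]

def review(sessions, actions, ffids, routine):
    """Return (finding, reference) pairs a controller should follow up."""
    findings = []
    for s in sessions:
        if not s["reason"]:                      # every check-out needs a reason
            findings.append(("NO_REASON", s["id"]))
        if s["reviewed_by"] is None:             # workflow-based log review missing
            findings.append(("UNREVIEWED", s["id"]))
        elif s["reviewed_by"] == s["firefighter"]:  # controller must differ from user
            findings.append(("SELF_REVIEW", s["id"]))
        if s["end"] > ffids[s["ffid"]]["valid_to"]:  # used past validity date
            findings.append(("EXPIRED_FFID", s["id"]))
    for a in actions:
        covered = any(s["ffid"] == a["ffid"] and s["start"] <= a["at"] <= s["end"]
                      for s in sessions)
        if not covered:                          # FFID activity with no check-out
            findings.append(("ACTIVITY_OUTSIDE_SESSION", a["tcode"]))
        if a["tcode"] in routine:                # daily business task via EAM
            findings.append(("ROUTINE_TASK_VIA_EAM", a["tcode"]))
    return findings
```

Calling review(SESSIONS, ACTIONS, FFIDS, ROUTINE_TCODES) on the constructed data flags the unreasoned and unreviewed session, the self-reviewed and expired session, the purchase-order transaction run under a firefighter ID, and the activity with no matching check-out.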
Make smart design decisions
These will drive actual & perceived value-add of your EAM
01 Design Firefighter users per business process
02 Think of available notifications and workflow functionality
03 Centralised vs. decentralised approach?
04 “Pre-approved” Firefighter strategy vs. “ad hoc” approval required
05 What about ID vs. role-based firefighting?
SAP GRC governance structure
Even SAP GRC needs governance to ensure its sustainability!
Governance covers functional use, GRC tool maintenance, GRC process flows, structure, and roles & responsibilities
Key takeaways
For you to consider during our SAP GRC EAM journey!
• SAP GRC EAM delivers great return on investment for your organization from an internal control and efficiency perspective, when implemented right
• Determine a clear and realistic scope, with all the right stakeholders involved; don’t forget about your (external) auditor
• Smart design decisions are key: Garbage in = Garbage out
• Your SAP GRC tool also needs governance to deliver value
Question & answer
PwC’s upcoming SAP GRC & security events
http://www.pwc.be/en/events-courses.html
Date & time: 28 April 2016, 16:00h – 17:00h
Webinar: SAP HANA security - Prepare for what’s next
• Obtain a clear and detailed view on the security set-up in a SAP HANA based environment
• Watch the theory come alive through a live SAP HANA security demo
• Gain first-hand insight on security good practices in a SAP HANA context through experience sharing by PwC experts
• Learn about the security skills, processes & controls required to continue safeguarding your sensitive data in a SAP HANA context
Date & time: 18 May 2016, 10:30h – 16:00h, PwC Brussels
Increasing quality & profitability with SAP GRC Access Control
• Live demo & good practice sharing
• Gain insights from an SAP GRC AC client use case
• Obtaining first-hand views on SAP GRC’s roadmap for the future
• Explore how to generate value-add from your SAP GRC system by quantifying potential risk violations using data analytics techniques using PwC process mining expertise combined with SAP Access Violation Management technology
For more information on the subject, please contact ...
Wim Rymen, Director, +32 473 269
Kris Wauters, Senior manager, +32 499 558
Constance Vervalcke, Manager, +32 493 240
© 2016 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.