IA SAP Security Meeting Agenda VF 20151104 - Presentation
7/24/2019 IA SAP Security Meeting Agenda VF 20151104 - Presentation
Page 1
SAP logical separation risks and controls working session
Discussion Document
November 4, 2015
Page 2
Discussion agenda
Introductions, confirm problem statement and objectives – 15 minutes
Level set on progress to-date – 15 minutes
Discuss enterprise risk framework – 10 minutes
Level set on SAP security architecture – 10 minutes
Lessons learned from other spins and carve-outs – 30 minutes
Co-develop solution framework and options – 30 minutes
Co-develop roadmap – 10 minutes
Page 3
Background and objectives

Problem Statement
Develop a solution, in a cost effective manner and commensurate with the risk, to demonstrate that only people who are authorized to write did write, for both the MT and AP businesses.

Working Session Objectives
► Develop framework for analyzing solutions
► Develop options, both technical and non-technical
► Develop roadmap to solving the issues

Background
After careful consideration of timeline, risks, resources and other factors, the Air Products team has decided to deploy "logical separation" through security to segregate the SAP ECC system and ancillary systems to achieve Day One of the MT spin.
The IT team has encountered certain technical constraints to fully secure the environment that, if not addressed, may result in material weaknesses in the controls environment.
Page 4
Role Testing Progress to Date

Test Results (Role Tested | Results)
► Accounting: 80 (37 pass, 43 fail or warning)
► MT Technician: 105 (5? pass, 4? fail or warning)
► Buyer/Sourcing: 79 (55 pass, 24 fail or warning)
► Customer Service Rep: 52 (34 pass, 18 fail or warning)

AP Testing Approach
1. Create MT Security roles with NL changes (Plant, Co-code, etc.)
2. Role Category Owner (or designee) performs testing
3. Identify/document gaps discovered during testing
4. Review documented gaps – approve as is or recommend remediation path
5. Remediate identified issues
6. Repeat starting at Step 2
Page 5
Enterprise risk management: Risk areas
Columns: Risk area | Risk examples (high level) | Potential mitigating actions | Impact if not mitigated | Impacted organization
► Risk area: IT logical access post-separation – ► compliant on Sep 201[?] – Impacted organization: Materials Technology
► Risk area: Internal Controls over Financial Reporting (ICFR)
Note: Other separation risk areas could be identified through a targeted risk assessment exercise.
Page 6
Security in SAP: Standard vs Custom
► Both standard and custom transaction security is based on what is in the source code
► Even SAP standard is not consistent in using source code to secure data
► Most commonly used transactions have robust security
► Some less commonly used transactions have gaps

Standard transactions:
► Organizational levels are used in most transactions
► Some standard transactions lack organizational security

Custom transactions:
► Some may be copied over from standard transactions and may inherit security objects
► Others that are completely custom may not have any objects
► Security authorizations depend on the coders and what was used
► Security objects may not be easy to find, depending on layers of source code
Page 7
Technical security authorization concept

SAP Authorization Concept Environment (diagram, left to right):
Position | Composite role | Single role | Transaction | Organizational value | Activity
► Position: Project Accountant
► Composite role: Project accountant for Materials Technologies
► Single roles: Maintain project systems; Journal entry posting; Settle projects; Display accounting
► Transactions: Post journal entry; Create work breakdown structure; Reverse journal entry; Post project settlement; Display accounting document
► Organizational values: Plant; Company code; Cost center; Controlling area; Profit center
► Activities: Create; Change; Display; Delete; Reverse

Highlighted path in the diagram: single role Display accounting → transaction Display accounting document (FB03) → organizational value Profit center → activity Reverse. The authorization object behind the transaction: Accounting Document: Authorization for Company Codes (F_BKPF_BUK).
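The role-to-activity chain on this slide, and the standard-versus-custom gap from the previous one, modelled as an added Python example that is not part of the deck: F_BKPF_BUK, FB01 and FB08 are standard SAP names, while the transaction ZFB01, the role Z_MT_JE_POST and the company codes MT01/AP01 are constructed assumptions.

```python
from dataclasses import dataclass

# Values of the ACTVT (activity) field on standard SAP authorization objects.
ACTVT = {"create": "01", "change": "02", "display": "03", "delete": "06", "reverse": "85"}


@dataclass
class Authorization:
    """One authorization: an object and the allowed values per field ('*' = all)."""
    obj: str
    fields: dict


@dataclass
class SingleRole:
    name: str
    tcodes: frozenset   # transactions the role may start (S_TCODE)
    auths: tuple        # Authorization instances carried by the role


@dataclass
class Transaction:
    tcode: str
    # Authority checks coded into the program as (object, fields checked).
    # An empty tuple models a custom transaction with no authorization object.
    checks: tuple = ()


def authorized(roles, txn, ctx):
    """Start check (S_TCODE), then every object check the program performs.
    roles: single roles assigned through the user's composite role;
    ctx: field values of the attempted action, e.g. {'BUKRS': 'MT01', 'ACTVT': '01'}."""
    if not any(txn.tcode in r.tcodes for r in roles):
        return False
    auths = [a for r in roles for a in r.auths]
    for obj, fields in txn.checks:
        # A single authorization must satisfy every checked field at once.
        if not any(a.obj == obj and all(
                ctx[f] in a.fields.get(f, ()) or "*" in a.fields.get(f, ())
                for f in fields) for a in auths):
            return False
    return True


def can(roles, txn, bukrs, activity):
    return authorized(roles, txn, {"BUKRS": bukrs, "ACTVT": ACTVT[activity]})


# Standard transactions that check F_BKPF_BUK (company code + activity);
# ZFB01 is a constructed custom copy whose code performs no object check.
FB01 = Transaction("FB01", (("F_BKPF_BUK", ("BUKRS", "ACTVT")),))   # post journal entry
FB08 = Transaction("FB08", (("F_BKPF_BUK", ("BUKRS", "ACTVT")),))   # reverse journal entry
ZFB01 = Transaction("ZFB01")


def mt_journal_posting():
    """Single role 'Journal entry posting' for the MT composite role, confined to the
    constructed MT company code MT01 and to post (01) / reverse (85)."""
    return SingleRole("Z_MT_JE_POST", frozenset({"FB01", "FB08", "ZFB01"}),
                      (Authorization("F_BKPF_BUK", {"BUKRS": {"MT01"}, "ACTVT": {"01", "85"}}),))


def unsecured_tcodes(txns, org_objects=("F_BKPF_BUK",)):
    """What a custom tcode analysis has to surface: transactions whose code checks no
    org-level object, so security alone cannot separate them by company code."""
    return sorted(t.tcode for t in txns
                  if not any(obj in org_objects for obj, _ in t.checks))


def add_org_check(txn, obj="F_BKPF_BUK"):
    """The 'change coding' remediation: make the custom transaction perform the
    same org-level check as its standard counterpart."""
    return Transaction(txn.tcode, txn.checks + ((obj, ("BUKRS", "ACTVT")),))


if __name__ == "__main__":
    roles = [mt_journal_posting()]
    print(can(roles, FB01, "MT01", "create"))    # True: own company code
    print(can(roles, FB01, "AP01", "create"))    # False: AP company code is separated
    print(can(roles, FB08, "MT01", "change"))    # False: ACTVT 02 is not in the role
    print(can(roles, ZFB01, "AP01", "create"))   # True: the gap, nothing stops cross-entity posting
    print(unsecured_tcodes([FB01, FB08, ZFB01]))  # ['ZFB01']
    print(can(roles, add_org_check(ZFB01), "AP01", "create"))  # False after remediation
```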
Page 8
Testing results breakdown analysis (chart)
Already tested transactions (out of the 34 transactions):
► With SAP standard authorization control by org level: 13
► Without SAP standard authorization control by org level: 4
Out of the 355 transactions:
► With SAP standard authorization control by org level: 4
► Without SAP standard authorization control by org level: 13
► To be confirmed: 41
Page 9
Our experiences: Divestiture or Spin Complexities | Sample scope

$1?bn multinational electricity and gas utility company – separation of a state-owned utility subsidiary to another publicly listed utility company
Complexities:
► Single instance of SAP ECC in North America with 10,000 users. Profiles had open access without limitations by company code
► Separation of data and access was a key part of the carve-out
Sample scope:
► Leveraged standard SAP organizational security settings where possible
► Assisted in extensive testing to identify gaps in standard security and through custom transactions
► Removed transactions that could not be secured properly and were not essential for the business
► Changed coding when transactions were not secure but had high business impact

Automotive supplier carved-out from a Fortune 100 diversified industrial company
Complexities:
► Single instance of SAP had open access without limitations by organization structures (company codes, profit centers, plants, etc.)
► Very short window to closing the transaction
Page 10
Potential solution options (chart)
Source: EY project experience and SAP data
► Over ?0% of standard SAP transactions offer org level as authorization criteria
► Over ?0% support standard SAP authorization controls using organization levels
► Not used by MT, covered through IT TSA
► Limited access by MT, covered through Business TSA; manual process needed
► Out of scope for this discussion
► May need customized technical solutioning or workarounds
Page 11
Risk impact of security roles vs usage frequency: Examples for discussion

Mapping of roles by risk impact and frequency (chart): Risk Impact axis from Low (rating 1) to High (rating 5); Frequency axis from Low (rating 1) to High (rating 5).
Sample role transactions from AP testing log plotted on the chart: Post Entries in General Ledger; Profit Center Reporting; Change Customer Delivery; Process Sales Orders; Change Batch Info; Display Material Master; Enter Time Sheet; Display Proc. Contract; Display PM Orders; Change PM Orders; Stock Overview; Change Customer Contact Person; Exclude material.
Page 12
Potential approach to address key risks (matrix)
Axes: Risk ranking (High / Low) against Operational importance (Low / High).
Quadrant labels: Custom solutions or TSA; Minimal effort needed; Retire or find process alternative / compensating control; Monitoring; Technical solutions.
Page 13
Solution framework for discussion
Phases: Define objectives → Evaluate risks and impact → Identify solutions → Implement solutions

Procedures
Define objectives:
► Define enterprise risks and overall security separation objectives
► Define type of access required by MT and acceptable to AP
Evaluate risks and impact:
► Inventory and classify all transactions by risk and impact
► Assess output of IT testing against transaction risk classification and overall objectives
Identify solutions:
► Align with Day One operating model (role changes, process changes and TSA needs)
► Options to be evaluated for critical transactions: 1. Stay the path and absorb risks 2. Redesign new profiles 3. Leverage compensating controls 4. Deploy technical solutions (e.g., user exit) 5. Additional TSA services or legal means (NDA)
Implement solutions:
► Leverage existing IT, Internal Audit and Spin PMO procedures to develop, test, train and deploy
► Implement and test compensating controls, including security access to manage audit and ICFR risk

Tools
► EY Security Assessment Workbench (see appendix)
► Custom tcode analysis tool (see appendix)
► SAP GRC
► Day One operating model and detailed process and product flows
► Task-based role model (see appendix)
► Position-role mapping accelerator database
► Spin milestones
► EY Global Audit Methodology
Page 14
Appendix A: EY Practitioner Bios
Page 15
MICHAEL PORTER, Partner
Risk Transformation
Phone: 1 31 81 223
Email: michael.porter@ey.com

Professional Experience Summary
Michael Porter is a Partner in the Advisory Services practice of Ernst & Young LLP. Michael has over 23 years of experience which includes providing IT risk, controls and technology consulting services to large global Fortune 500 companies. His experience includes leading security and control design projects for global SAP implementations, leading the implementation of SAP GRC v10, as well as leading multiple AICPA SOC reporting engagements, financial auditing, IT auditing (including IT General Controls), and data analysis. He has served as the Midwest Region Third Party Reporting Practice Leader as well as Indiana's IT Risk and Assurance (ITRA) Leader. Michael also has extensive experience in addressing business process and IT controls, SAP security role design, system implementation testing, risk assessments and Sarbanes-Oxley controls and security.

Engagement Experience
► Extensive experience in leading internal controls design and implementation of SAP controls and security for large companies including life sciences and global Fortune 100 companies. Primary responsibilities included providing security and internal control expertise with a focus on automating internal controls during business transformations.
► Led the SAP internal controls, GRC and security team for a major
Page 16
BRIAN ZIEGLER, Senior Manager
Risk Transformation – SAP Security
Phone: 1 3 2 42
Email: brian.ziegler@ey.com

Professional Experience Summary
Brian Ziegler is a Senior Manager of the Risk Transformation practice of Ernst & Young LLP. Brian is considered by the industry to be a Subject Matter Resource in SAP Security with fifteen years of SAP experience and a strong knowledge of project management, as well as a firm foundation in operations, access controls, and process controls.

Project Management
► Liaised with two site accounting managers in major automotive manufacturing plants to resolve accounting and month end close processes
► Served as project manager for multifunctional SAP support model, helping with HR, SD, FICO, TM, PS and MM resources with responsibility for over $2 million in annualized billings
► Served for three years as on-site functional Sales and Distribution liaison

SAP Security Experience & GRC Access Controls Experience
► Assisted client with managed service transaction spin by performing logical separation of security roles, reviewing risk and assisting on appropriateness of transaction service agreement, non-disclosure agreement and overall security design
► Co-led with client HR security role remediation deployment
► Provided thought leadership around SAP role design leading practices
► Acted as functional lead of two SAP security role redesign projects
► Worked on eight full system life cycle implementations
► Developed functional design documents, technical design documents, led off-shore and on-shore teams of initial and full life cycle implementations
► Developed scalable security models that could be leveraged for cross functional implementations and designed for sustainability
► Managed productions support defects and role design changes for large scale (20,000 users) implementation
► Strong experience in a variety of functions, including Finance, Supply Chain, Human Resources, and Business Planning and Consolidations
► Evaluated sensitive and critical access issues around critical HR activities
► Helped with cross-functional issues involving security and functional issues
► Evaluated SoD rule sets for "false positives" and "false negatives", tailoring the rule set to appropriately identify and remediate or mitigate appropriate risks
► Assisted custom transaction review procedures and added custom transactions to rule sets
► Developed training materials for a large community (1000) of end users in GRC 10.0
Page 17
EDWARD CAMPBELL, Senior Manager
Risk – Internal Audit
Phone: 1 10 13 8081
Email: ed.campbell@ey.com

Professional Experience Summary
Ed Campbell is a Senior Manager in the Advisory Services practice of EY. Ed has over twelve years' experience in helping clients build success and execute against their goals, while managing risks across their business. Ed has diverse skillsets in risk management across business processes and technologies, as well as across risk categories including operational, financial, strategic and compliance risk. Ed has led technology and enterprise wide risk assessments, Cybersecurity program assessments, and is well versed in the use of data analytics to inform business and risk intelligence. Ed is responsible for overseeing large multi-national internal and external audit engagements and is experienced on Internal Controls over Financial Reporting (ICFR) requirements. Ed also has extensive experience in project management methods, Service Organization Control Reporting engagements, IT governance, and data governance.

Engagement experience
► For two multi-billion dollar Chemicals/Industrial Products companies Ed led Internal Audit transformation activities by advising on changes to IA vision, people model, delivery model and IA enabling technologies. He was responsible for developing and defining short term and long term internal audit plans, performing company-wide risk assessments and special projects. Ed has broad Internal Audit experiences in teaming with Subject Matter Resources to execute diverse risk based reviews including Sustainability Assurance, Anti-bribery/Anti-Corruption, Data Quality Assessments, IT security assessments, Attack and Penetration, Social Engineering, Cloud Computing, multi-stage system development lifecycle reviews.
► Ed has led and performed Internal and External Audit support during pre/post transaction events for large national and multi-national companies. As part of the external audit team Ed has led technology and control reviews supporting retro-active financial statement carve-out audits, as well as data analytics in support of SEC filings. Ed has also performed in this role reviews of acquisition company controls for the purposes of ICFR readiness. On multiple Internal Audit clients Ed has performed security, data, and other system reviews, as well as business process controls and project governance audits for company spin-offs and separation (future SEC registrant) transactions.
► Ed is a leader in our Financial Audit IT Integration (FAIT) competency. Ed has deep experiences in supporting our External Financial Audit team's work around technology risk and our ICFR opinion. Ed has supported the development of our FAIT transformation program and methodology. He is a quality leader supporting our Internal Quality programs, including our PCAOB inspection process. Ed has also led teams through risk and control identification, process flow documentation, and understanding the flow of information in business processes as an internal controls specialist (internal project). As part of the financial audit process, Ed has conducted hundreds of reviews of internal controls for compliance under Section 404 of the Sarbanes-Oxley Act. Federal Government projects also include performing audits using the FISCAM methodology.
► Ed has experience in the planning, execution and implementation of data analytics programs, as well as data governance and data quality assessments. For a Fortune 500 global consumer products company, Ed developed a framework for the application of data analytics in the internal audit process. For a utilities company in the water and wastewater industry, he managed a data quality assessment across six key business processes as part of a company-wide Business Transformation.
► Performed independent verification and third-party reporting procedures through Service Organization Reporting reviews for a patient Bill Review and Case Management Service Company, as well as state level Medicaid processors. Responsibilities include evaluating the design of and testing the operational effectiveness of transaction processing, application specific controls, access (physical and logical) controls, and program change controls.
Page 18
SONNY ORIGITANO, Senior Manager
Transaction Advisory Services – IT spins and divestitures
Phone: 1 312 8 2852
Email: sonny.origitano@ey.com

Professional Experience Summary
Sonny is part of the Operational Transaction Services (OTS) practice focused on due diligence, integration and separation from an IT perspective. He has more than 20 years experience identifying and delivering business value through the effective use of technology. During his career, he has worked with a number of strategic and private equity clients to conduct strategic information system planning, software selection, business process optimization, program management, application development and implementation initiatives across several industries. Implementations included e-business, enterprise resource planning (ERP), customer relationship management (CRM), web portal, custom developed applications, and data warehousing and mining solutions.
Sonny has extensive experience in pre-close and post-close integration and separation strategy and execution including; one-time cost identification; stand-alone financial and operating models and synergy identification. He has experience in several industries including consumer packaged goods (CPG), manufacturing, distribution, retail, mining and transportation and logistics. Previously, Sonny served as a Director with KPMG in their Transaction Restructuring practice focused on identifying financial and business implications based on the impact of technology as well as integrating and separating companies. He also previously served as Vice President of Advisory Services focused on aligning information technology with business initiatives and headed up the Program Management Office (PMO) for The Bradford Exchange.
He has been a contributing editor for the Merger & Acquisition Journal for leading practices titled "Don't Overlook IT When Calculating the Value-Creation Potential of a Deal", a contributor for the Forrester report "A CIO's Guide To Merger And Acquisition Planning" as well as spoken at conferences including the Executive Technology Club and Midwest Regional
Page 19
Appendix B: EY project experiences
Page 20
Day 1 ERP highlights from past transactions
Columns: Description of SpinCo | Duration | Number of Countries | SpinCo Revenue | SpinCo Day 1 ERP (Logically Separate / Clone (w/ data) / Clone (w/o data) / New) | Day 1 Support Model (TSA / SpinCo owned) | Notes
(The duration, country count, revenue and check-mark cells did not survive extraction; the description and notes columns are kept below.)
► Nutritional products – Creation of new entities and logically separated within RemainCo ERP system for Day 1. Provided 1[?] month TSA for SpinCo to implement new ERP system.
► Professional Wound Care Business ([?] Months) – Creation of new entities and logically separated within RemainCo ERP system for Day 1. Provided 1[?] month TSA for SpinCo to implement new ERP system.
► Performance Chemicals (1[?] Months) – Copy of RemainCo ERP instance with data cleansing & conversion prior to Day 1. Provided TSA support to SpinCo build/config [?] mth; [?] mth data migration/test. IT application support primarily outsourced.
► Animal health business – Multiple ERP platforms globally. Logically separated within SAP ERP platforms; cloned other financial platforms with data conversion prior to Day 1.
► Pharmaceutical business ([?] Months) – Mix of logical separation and new ERP implementation. New ERP was implemented pre Day 1 for some regions and others had IT TSA until the implementation was finalized. Two ERP systems with dedicated teams.
* Selected companies had relatively minor to moderate systems isolation issues.
Page 21
Utility company with tight regulations divests part of the business

Background
A $1?bn multinational electricity and gas utility company wanted to carve out a part of the business. EY's intimate knowledge of the client's controls environment and compliance requirements, supplemented by deep relationships, led into further assisting with a state-owned utility separation project. At the beginning of this project another vendor was selected to provide recommendations. After two months with little progress, the client opted to choose EY instead and gave six months to complete the project. The state gave the utility company a very short separation timeline.

Approach
► Helped the utility design SAP security roles in Finance, Supply Chain, and Human Resources using a logical separation
► Assisted in standing up an appropriate level of security to separate financial and employee security data while adhering to contractual terms of the logical separation

Results
► Met the State's mandate of standing up a logical separation on the spin date
► Secured separation of employee and financial data, protecting confidence in finance, human resources, and supply chain
► Provided roles and user profiles for over 2000 users using both SAP and identity management profiles for the new entity until they could be moved to a separate SAP instance
Page 22
Fortune 100 diversified industrial company carves out a product line

Background
A Fortune 100 diversified industrial company wanted to carve out one of their loss making product lines. The company had a single instance of SAP with open access without limitations by organization structures (company codes, profit centers, plants, etc.). The deal had the following complexity: very short window for closing the transaction.

Approach

Results
Page 23
Leading consumer goods company carves out a single business unit

Background
The consumer goods company was divesting a business unit running on a single global instance of SAP. The buyer was an Oracle environment with different Oracle configurations supporting their business. The goal for SAP security on day 1 was to allow the consumer goods company to continue to operate the business as usual, while allowing the divested entity to operate under the TSA. Additionally, the consumer goods company wanted to secure data from access by the divested entity.

Approach
Internal Audit and the PMO partnered to assist in identifying the impact to existing controls as a result of the divestiture across Finance, Information Technology, Human Resources and Purchasing.
It was determined that new user IDs were not required for the divested employees as SAP

Results
Page 24
Appendix C: Tools and enablers
Page 25
Security Assessment Workbench
► The diagnostics tool provides deep role design analytics through interactive dashboards to identify unnecessary SoD risks and the related root cause based on the analysis of roles, user assignments and tcode execution data.
Task based roles
Page 26
Custom Transaction Code Analyzer
The ABAP Discover Tool analyzes custom transactions for appropriate authorization objects and detects programs with missing security objects.
Page 27
Task Catalog
Columns: Task | Transaction Code | Transaction Description
Purchasing | | Create and Change Purchase
Page 28
Appendix C: Backup pages
Page 29
Our understanding of modules used by AP and MT
Columns: Module used by AP/MT | Most common org security
► Finance (FI) – mostly GL, some AP and AR, Fixed assets, Treasury | Company code
► Controlling (CO) | Controlling area, profit center, plant
► Sales and distribution – sales and billing (SD-SLS, SD-BIL) | Sales organization, plant
► Sales and distribution/logistics execution – shipping (LE-SHP) | Shipping point
► Credit and risk management (SD-BF-CM) | Credit control area
► Materials management – Purchasing (MM-P