Optimizing User Administration in SAP ISACA Geek Week - Atlanta August 13, 2014.


Optimizing User Administration in SAP

ISACA Geek Week - Atlanta

August 13, 2014


© 2014 Protiviti Inc. An Equal Opportunity Employer.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

Today's Presenters

Aric Quinones, Managing Director, ERP Solutions Practice, Protiviti

Chris Aramburu, Senior Consultant, ERP Solutions Practice, Protiviti

Connor Hammersmith, Senior Consultant, ERP Solutions Practice, Protiviti


Who We Are

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and 40 percent of FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

• 3,100 professionals

• Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific

• 70+ offices

• Our revenues: US $ 528.3 million in 2013


The Risk Universe of SAP Security

General IT Risks: Application Interface Controls; IT Infrastructure Controls; Change Management; Security Administration; Backup and Recovery

Other Project / Implementation Risks: Project Cost Identification; Transaction and Master Data Conversion; Go/No Go Decision Criteria; Testing and Training Strategy; Post Go-Live Support Requirements

SAP Security Risks: Security Standards; Segregation of Duties and Sensitive Access; Powerful Users Access Management; User and Role Provisioning Process

SAP Business Process and Transactional Data Risks: Configurable Application Controls; Detective / Monitoring Controls / Reports; Procedural Business Process Controls; SOX Controls (compliance purposes)

Continuous Monitoring Applications and Processes: Control Documentation Update, Compliance and Risk Management Optimization, and GRC Software Configuration

Also shown on the slide: Steering Committee; Board of Directors; Compliance (Regulatory Requirements); External / Internal Audit; GRC and ERM framework


What We’ll Cover

• Common Issues with User Administration in SAP
• Solutions to Common Issues with User Administration in SAP
• Recap of Session Takeaways
• Case Study
• Wrap-up


A Few Questions

• How many people use one of the major ERP systems (SAP, Oracle or MS Dynamics)?

• How many people actually use SAP?

• How many people use a GRC tool for Segregation of Duties (SoD) Analysis – such as SAP GRC, Oracle GRC, or Fastpath?

• What is an SoD Analysis?

• How many people know what a t-code is?



Common Issues with User Administration

Security Related:
• Standardized Role Architecture
• Change Management
• Development of Custom Transactions, Objects, Programs, & Tables
• Backend System Configurations

GRC Related:
• User Provisioning
• Segregation of Duties (SoD)
• Management of Temporary / Emergency Access


Standardized Role Architecture

Key Risks
• Role-level SoD issues
• Inappropriate organizational level restrictions
• Duplicative transaction assignments
• Powerful roles with unnecessary access
• Excessive number of transactions granting unintended access to end users
• Increased efforts of the Security Team for role maintenance and user provisioning

Root Causes
• Inconsistent role standards
• Lack of role governance
• Roles not managed globally
• Unintuitive role naming convention
• Lack of role documentation

Example: B. Smith, Finance Manager
• Assigned 114 active roles
• Providing access to 6,636 unique transactions (919 duplicates via multiple role assignments)
• Of the 6,636 transactions, only 6,328 are executable

Transactional History Analysis
• 115 executable transactions were executed a total of 12,946 times
• The top 25 transactions accounted for 89% of the activity


Choosing the Appropriate Role Architecture


• Derived versus Enabler

• Job Based versus Task Based

• Ensuring the Architecture is Scalable

• Aligns with SAP Resource Skillset & Compliance Culture

• Standardized Role Naming convention


Change Management

A lack of change management undermines role maintenance, which is critical to maintaining a secure SAP environment and a standardized role architecture.

Key Risk: Roles unaligned with the new and existing global business processes



Development of Custom Transactions, Objects, Programs & Tables

Key Risks
• Lack of functionality knowledge
• Circumventing security & gaining unauthorized access to sensitive data
• Bypassing organizational level security restrictions
• Excessive privileges within the scope of the specific transaction
• Unauthorized execution of programs

Root Causes
• Absence of SAP customizing governance processes
• Poor design documentation and/or lack of communication
• Custom programs coded to call powerful transactions (e.g., SE38, SA38, SM30)
• Authorization checks not coded in custom programs
• Custom programs not assigned to custom transactions


Backend System Configurations

There are several security-related backend tables and configuration settings that are critical to maintaining a controlled security environment; they are often overlooked or not maintained, which can become a significant security risk.

Examples shown on the slide:
• Organizational levels: Company Code 1000, Plant 100, Purchasing Org 1900, Purchasing Groups 1, 2 and 3
• Transactions and reports: SU24, SE54, RSPARAM, RSCSAUTH


Governance: Policies & Procedures

• A security governance policy contains standards for the SAP ECC production environments to ensure consistency and minimize significant risk to the environment. These should be designed to create standards around the following key areas:
‒ User Access Management
‒ Custom Program and Table Security Requirements
‒ Backend System Configurations
‒ Role Creation and Maintenance Standards
‒ Password Management
‒ Security Parameters


SAP solutions for Governance, Risk, and Compliance

• SAP Access Control – Manage access risk and prevent fraud
• SAP Process Control – Ensure effective controls and ongoing compliance
• SAP Risk Management – Preserve and grow value


GRC Access Control Overview

Primary GRC Risks to be discussed today:
• User Provisioning
• SoD / Sensitive Access Monitoring
• Management of Temporary / Emergency Access


User Provisioning

Key Risks
• Assignment of excessive and/or sensitive access
• Documenting appropriate approvals for compliance purposes
• Delay in provisioning or deprovisioning
• Selection of correct roles
• User access reviews

Root Causes
• The user does not know the appropriate role to select due to the current naming convention
• User provisioning is a manual process
• Approvals are documented offline or via email
• Master data has not been maintained appropriately


User Provisioning

GRC automates the SAP access request and provisioning process by providing customizable workflow options that integrate seamlessly with the SoD Risk Analysis.

Solution Enhancements
• User Provisioning:
− Integrates with SAP to prevent SoD Violations
− Customizable access request workflows
− Template based access requests
− Complete audit trail to satisfy compliance requirements
− Eliminates manual provisioning to end users
• Workflows also available for:
− User Access Reviews
− FF Log Review
− SoD Remediation
− Mitigating Control Assignment / Review
• Standardized on SAP Business Workflow Technology

Key Benefits
• Business workflow reduces manual tasks and streamlines access request processing
• Gain visibility of User Access Risks before entering a production environment
• Faster and easier for users to request the roles they need
• Leverage existing resources for workflow administration and configuration
• Utilize existing HR structure for automated and compliant position based role assignment
• Improved security and richer request context


Segregation of Duties (SoD)

Key Risks
• A user with excessive or sensitive access within the system has the ability to perform fraudulent activity
• Internal controls may be circumvented by excessive access

Root Causes
• Over the course of time a user may switch job functions
• It may be necessary for the user to have the access within SAP to perform both business functions during the transition period
• After the transition period is over the user may still retain this excessive access
• SoD violations can quickly spiral out of control because in some organizations users submit access requests by replicating a user performing the same job function


SoD / Sensitive Access Monitoring


• Products such as SAP Access Control can be used to monitor SoD Violations, as well as Sensitive Access.

• A custom “rule set” containing function conflicts (e.g., Create Vendor vs. Manual Payments), as well as sensitive transactions/objects can be tailored to your specific risk environment.

• Simulations and “what if” analyses can be run before actual security changes are made.

• Can be integrated into the user provisioning and role creation process.


Customizing Your Ruleset

It is important to customize your own ruleset by reviewing it with all of the key stakeholders:

– Risk Relevance – Inactive vs. active
– Criticality Level – Low, medium, high, or critical
– Modify Rules – There are authorizations which need to be adjusted to ensure accuracy for your organization and to remove false positives
– Review Custom Transactions and Tables – All new custom transactions and programs should be reviewed for inclusion in the ruleset

Ruleset development steps shown in the slide's process flow:

1. Define SoD Ruleset
2. Ruleset Analysis Against Leading Practices
3. Communicate Proposed Ruleset to Business Controllers
4. Incorporate Feedback from Internal Audit
5. Update SoD Ruleset with Feedback
6. Finalize SoD Ruleset
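The rule-set mechanics described on the last two slides (function conflicts such as Create Vendor vs. Manual Payments, active/inactive risk relevance, criticality levels, role-level conflicts and "what if" simulation of an access request) can be modelled in a few dozen lines. The Python below is an added illustration, not part of the Protiviti deck or of SAP Access Control; its roles, function-to-transaction mapping and rule set are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One SoD risk in the rule set: two business functions that must not meet in one user."""
    risk_id: str
    func_a: str
    func_b: str
    criticality: str     # Low, Medium, High or Critical
    active: bool = True  # risk relevance: inactive rules stay documented but are not evaluated

# Business function -> transaction codes that enable it. Constructed sample mapping;
# a real GRC rule set also carries authorization-object field values per function.
FUNCTIONS = {
    "Create Vendor":   {"XK01", "FK01"},
    "Manual Payments": {"F-53", "F110"},
    "Maintain Tables": {"SM30"},
}

# Role -> transaction codes. Constructed sample roles; Z_AP_ALL carries an intra-role conflict.
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENT_RUN":  {"F110", "F-53"},
    "Z_AP_DISPLAY":      {"FK03", "FBL1N"},
    "Z_AP_ALL":          {"FK01", "F110"},
}

# Constructed rule set: one active high-criticality risk, one risk parked as inactive.
RULESET = [
    Rule("P001", "Create Vendor", "Manual Payments", "High"),
    Rule("B010", "Create Vendor", "Maintain Tables", "Medium", active=False),
]

def functions_enabled(tcodes):
    """Business functions reachable from a set of transaction codes."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def analyze(assigned_roles, roles=ROLES, ruleset=RULESET):
    """Evaluate the active rules against a user's combined role assignments.

    Returns a sorted list of (risk_id, criticality, (roles_granting_a, roles_granting_b));
    naming the roles behind each side lets remediation remove one assignment, not the user.
    """
    per_role = {r: functions_enabled(roles[r]) for r in assigned_roles}
    all_funcs = set().union(*per_role.values())
    violations = []
    for rule in ruleset:
        if not rule.active or not {rule.func_a, rule.func_b} <= all_funcs:
            continue
        side_a = tuple(sorted(r for r, f in per_role.items() if rule.func_a in f))
        side_b = tuple(sorted(r for r, f in per_role.items() if rule.func_b in f))
        violations.append((rule.risk_id, rule.criticality, (side_a, side_b)))
    return sorted(violations)

def role_level_conflicts(roles=ROLES, ruleset=RULESET):
    """Roles that violate an active rule on their own (intra-role SoD conflicts)."""
    return sorted((r, v[0]) for r in roles for v in analyze([r], roles, ruleset))

def simulate_request(current_roles, requested_roles, roles=ROLES, ruleset=RULESET):
    """What-if analysis for an access request: risks the requested roles would newly add."""
    before = {v[0] for v in analyze(current_roles, roles, ruleset)}
    after = analyze(list(current_roles) + list(requested_roles), roles, ruleset)
    return [v for v in after if v[0] not in before]

if __name__ == "__main__":
    user = ["Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"]
    print("current violations:", analyze(user))
    print("request Z_AP_PAYMENT_RUN adds:", simulate_request(user, ["Z_AP_PAYMENT_RUN"]))
    print("intra-role conflicts:", role_level_conflicts())
```

Running the simulation before the role is actually assigned is the "what if" check the slide describes; flipping B010 to active shows how a parked risk starts producing findings without any change to the roles themselves.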


Management of Temporary / Emergency Access

Key Risks
• Superuser or privileged access should be approved and reviewed in a timely manner
• A user can perform critical actions either accidentally or maliciously to interrupt system availability

Root Causes
• Certain sensitive or critical transactions are necessary to keep the system running smoothly
• Restricting and monitoring sensitive access within the system is a top audit concern
• Log review is a very tedious and time consuming process
• Some users are assigned the profile SAP_ALL granting unrestricted access


Management of Temporary / Emergency Access

Emergency Access Management

• SAP Access Control (Firefighter) can be used to effectively handle temporary and elevated system access.

• All activity and the changes performed within Firefighter are logged for review/signoff.

• Log review can be integrated into workflow to automatically route and track Firefighter log approvals.

• Provisioning of Firefighter IDs can be integrated into Access Request (ARQ).

• Centrally managed across all systems (end-user does not need an ID in the target system, only the GRC system).


How Firefighter Works

The workflow functionality within SAP GRC can provide an automated and auditable process for:
– Requesting elevated access
– Routing the request for approval
– Automatically assigning approved access for the specified time period
– Logging and routing the activity logs to the Firefighter Controller for review

• Reduces the effort required to grant and provision emergency access to multiple systems; provides a structured, documented process around emergency access
• Enables a documented account of the controller’s review

Diagram: Firefighter is administered centrally on the GRC system, which connects to the target systems (R3, CRM, BI).


Control Optimization

• Sometimes we cannot avoid certain risks within the ERP systems we manage.

• Luckily, SAP has many configurable controls that can be enabled to help mitigate some of these risks.

• For example:

– Check for duplicate invoices

– 3-Way Match

Protiviti’s Control Library:


SAP Access Control – Sample Roadmap

Phases: Start → Quick Wins → Enhanced Functionality → Optimization

Solution Components shown on the roadmap: Technical Installation / Upgrade; Access Risk Analysis (SoD); Emergency Access; Ruleset Optimization & Reporting; Access Request Management; Business Role Management; Automated SAP Provisioning; Risk Mitigation; Integration with Non-SAP Applications; SAP PC/RM Integration; Data Migration; SAP Security Remediation; Upgrade

Process Improvement items shown on the roadmap: Solution Design; Streamlined super user process; Change Mgmnt. for users & roles; End to end Provisioning


Recap of Session Takeaways

• Common Issues with User Administration in SAP
• Solutions to Common Issues with User Administration in SAP
• Recap of Session Takeaways
• Case Study
• Wrap-up


Key Points to Take Home

Remember:

1. A standardized role architecture simplifies user administration in SAP
2. A strong change management policy is vital when maintaining good SAP Security practices
3. There are many tools available to assess the security in your SAP environment
4. Achieve buy-in & sponsorship across the organization
5. Strong Security & Governance policies are crucial to maintaining a secure ERP environment


What We’ll Cover

• Common Issues with User Administration in SAP
• Solutions to Common Issues with User Administration in SAP
• Recap of Session Takeaways
• Case Study
• Wrap-up


Results - Other Role Redesign Project Metrics

Metric                              Before Security and GRC Redesign   After Security and GRC Redesign   % Reduction
New User to be provisioned          15 days                            4 hours                           98.889%
# of transactions per role          77                                 7.3                               90.519%
Average transactions per user       2,281                              371                               83.735%
Number of detailed SoD violations   13,054,616                         3,149                             99.976%
Intra Role SoD Conflicts            94,458                             3                                 99.997%


Questions?


Thank You!

Powerful Insights. Proven Delivery.®

Chris Aramburu
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.443.8221
[email protected]

Aric Quinones
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.240.8376
[email protected]

Connor Hammersmith
3343 Peachtree Road, NE, Suite 600, Atlanta, GA 30326
Direct: +1 404.926.4315
[email protected]


Confidentiality Statement and Restriction for Use

This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties.