SAP GRC

SAP GRC Access Control HOW SAP GRC ACCESS CONTROL WILL IMPROVE YOUR BUSINESS DECISIONS 3/7/2017

Transcript of SAP GRC

KEY FACTS

Foundation: 1993 (24 years young)

Footprint: USA, Canada, Ireland, UK & India. Offices: Reston, VA; Princeton, NJ; Cupertino, CA; Chicago, IL; Houston, TX; Dublin, Ireland; London, UK; Delhi; Hyderabad; Guwahati; Lucknow

Clientele: Startups to Fortune 500

Core strength: People and process (ISO 9001:2008 and CMMi Level 3)

Ownership: Public limited. BSE|NSE: KELLTONTEC

Team size: 1200+ employees globally

The Gilded Armory: Certifications. Alliances. Recognition.

WHAT WE DO

Digital Transformation: Harness the power of digital technologies and data to create competitive advantage

Digital Connected Enterprise: Connecting the dots in your digital systems of engagement, insight, records and core IT

Enterprise Solutions: Delivering end-to-end SAP solutions as a certified SAP Gold partner

Professional Services: Promoting strategic agility with cutting-edge technology consulting and professional services

Outsourced Product Development: Ensuring high quality and high performance product development via an agile SDLC model

Speaker Bio

Feroz Mohammed is a Senior Consultant for Kellton Tech, the leading provider of Security & GRC solutions for customers running SAP. He has over 9 years of experience in Security & GRC implementation, upgrades and support. Feroz has served in multiple industries like manufacturing, oil & gas, energy, chemicals and many more.

Feroz Mohammed, Sr. SAP Security & GRC, Kellton Tech

AGENDA

1. Introduction – Kellton Tech
2. What is GRC?
3. Four Components of GRC Access Control
4. Mobile Apps
5. Customer's Success Story
6. Q&A

Governance Risk Compliance

SAP Governance, Risk and Compliance (GRC) offers solutions that enable you to make better business decisions by visualizing and predicting how risks may impact performance. You can reduce complexity and cut costs – while protecting your company's reputation and financial wellbeing – by integrating key GRC activities into your existing business processes.

Kellton Tech can help organizations identify, remediate, monitor, exploit and manage enterprise risks in addition to coordinating the utilization of people, process and technology to improve GRC effectiveness and help manage costs.

Governance Risk Compliance

In a Sarbanes-Oxley Act (SOX) regulated environment, a business needs to define its access controls based on Segregation of Duties (SoD).

Segregation of Duties: SoD is the concept of requiring more than one person to complete a task. In business, splitting a single task across more than one individual prevents fraud and error.

Example: user X can create a vendor and then pay the same vendor.

Risk: a risk arises when an employee in a company is assigned tasks that could give them an opportunity to commit fraud. Tasks are assigned to the employee in the form of roles, which are made up of actions (transaction codes, or T-codes).

SAP GRC Access Control

The four components of SAP GRC Access Control are:

1. Access Risk Analysis (ARA)
2. Emergency Access Management (EAM)
3. Business Role Management (BRM)
4. Access Request Management (ARM)

Access Risk Analysis

The Access Risk Analysis is the core module of SAP GRC and is used for

preventive and ongoing monitoring of SoD risks, critical transactions and

Mitigating Controls.

ARA Life cycle: Risk Identification

Rule Building & Validation

Analysis Remediation/

Mitigation

Continuous Compliance

1. Risk Identification

2. Rule Building & Validation

3. Analysis

4. Remediation/Mitigation

5. Continuous Compliance

Access Risk Analysis

How to eliminate the risk?

There are two approaches

1. Remediate

2. Mitigate

Continuous

Compliance
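An added example (not code from the slides, from Kellton Tech or from SAP) of how the SoD concept and the ARA life cycle above fit together in practice: a small rule set built from functions (business activities expressed as T-codes), a user-level risk analysis that reports which roles contribute each side of a conflict and whether a mitigating control covers it, a role-level check for conflicts that live inside a single role, and a simulation of an access request before it is provisioned. The function ids, risk ids, role names, users and the mitigating control id are constructed for illustration; grouping the vendor-master, invoice and payment T-codes into those functions is my assumption, not the delivered SAP rule set.

```python
"""Toy Access Risk Analysis over an SoD rule set.

Everything below is constructed for illustration: the functions, risk ids,
roles, users and mitigating control are made up, and the assignment of
T-codes to functions is an assumption, not SAP's delivered rule set.
"""

# A function is a business activity expressed as the T-codes that perform it.
FUNCTIONS = {
    "AP01": {"name": "Create/maintain vendor master", "tcodes": {"XK01", "XK02", "FK01"}},
    "AP02": {"name": "Process vendor payments", "tcodes": {"F110", "F-53"}},
    "AP03": {"name": "Enter vendor invoices", "tcodes": {"FB60", "MIRO"}},
}

# An SoD risk is a pair of functions one person should not hold together.
RISKS = {
    "P001": {"level": "High", "functions": ("AP01", "AP02"),
             "desc": "Create a fictitious vendor and pay it"},
    "P002": {"level": "Medium", "functions": ("AP03", "AP02"),
             "desc": "Enter a fictitious invoice and pay it"},
}

# Roles are bundles of T-codes; users get roles. Z_AP_ALL is a badly built role.
ROLES = {
    "Z_AP_VENDOR_MASTER": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_AP_INVOICES": {"FB60", "FB03"},
    "Z_AP_ALL": {"XK01", "F110", "FB60"},
    "Z_DISPLAY_ONLY": {"XK03", "FBL1N"},
}
USERS = {
    "X": ["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"],  # the slides' example user
    "Y": ["Z_AP_INVOICES"],
    "Z": ["Z_DISPLAY_ONLY"],
}
# Mitigating control assigned to a (user, risk) pair that cannot be remediated.
MITIGATIONS = {("X", "P001"): "MC-AP-01"}


def _roles_hitting(function_id, assigned_roles, roles):
    """Roles among `assigned_roles` that contain any T-code of the function."""
    wanted = FUNCTIONS[function_id]["tcodes"]
    return sorted(r for r in assigned_roles if roles[r] & wanted)


def find_violations(user, assigned_roles, roles=ROLES, mitigations=MITIGATIONS):
    """User-level analysis: one finding per risk whose two functions the user
    can both execute, with the roles contributing each side and the
    mitigating control, if one is assigned."""
    findings = []
    for risk_id, risk in RISKS.items():
        fa, fb = risk["functions"]
        side_a = _roles_hitting(fa, assigned_roles, roles)
        side_b = _roles_hitting(fb, assigned_roles, roles)
        if side_a and side_b:
            findings.append({
                "user": user, "risk": risk_id, "level": risk["level"],
                "roles_a": side_a, "roles_b": side_b,
                "mitigated_by": mitigations.get((user, risk_id)),
            })
    return findings


def role_level_conflicts(roles=ROLES):
    """BRM-style check: risks that are violated by a single role on its own."""
    out = {}
    for role, tcodes in roles.items():
        hits = [rid for rid, risk in RISKS.items()
                if all(tcodes & FUNCTIONS[f]["tcodes"] for f in risk["functions"])]
        if hits:
            out[role] = hits
    return out


def simulate_request(user, current_roles, requested_roles,
                     roles=ROLES, mitigations=MITIGATIONS):
    """ARM-style simulation: risks the request would add, before provisioning."""
    before = {f["risk"] for f in find_violations(user, current_roles, roles, mitigations)}
    after = find_violations(user, list(current_roles) + list(requested_roles),
                            roles, mitigations)
    return [f for f in after if f["risk"] not in before]


if __name__ == "__main__":
    for user, assigned in USERS.items():
        for f in find_violations(user, assigned):
            status = f"mitigated by {f['mitigated_by']}" if f["mitigated_by"] else "OPEN"
            print(f"{user}: {f['risk']} ({f['level']}) {f['roles_a']} x {f['roles_b']} -> {status}")
    print("roles with built-in conflicts:", role_level_conflicts())
    print("new risks if Y gets Z_AP_PAYMENTS:",
          [f["risk"] for f in simulate_request("Y", USERS["Y"], ["Z_AP_PAYMENTS"])])
    # Remediation: take the payment role away from X and the risk disappears.
    print("X after remediation:", find_violations("X", ["Z_AP_VENDOR_MASTER"]))
```

The two approaches from the slide show up at the end: removing Z_AP_PAYMENTS from user X remediates P001 outright, whereas leaving the roles in place and recording control MC-AP-01 mitigates it, and the analysis keeps reporting the conflict so that continuous compliance can check the control is still assigned.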

Emergency Access Management

• EAM enables end users to perform emergency activities outside the parameters of their standard role, but within a controlled and fully auditable environment. The application assigns a temporary Firefighter ID that grants the end user (the firefighter) broad yet regulated access, and logs every activity he/she performs using the temporary ID.

• Benefits: Resolve SoD conflicts.

A controller monitors all the activities executed by the firefighter and is also responsible for auditing the usage by reviewing and signing off on the firefighter log report.

Audit documentation is prepared immediately after the event, which eliminates the time and resources needed to prepare it and makes the process cost effective.
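An added illustration (not code from the slides, from Kellton Tech or from SAP) of the controller's side of the EAM process just described: given a log of Firefighter ID check-outs, build the list of sessions the controller should look at before signing off and a usage summary per Firefighter ID. The session records, Firefighter IDs, users, controllers, reason codes and the three-day sign-off window are constructed for the example, and the review rules are my assumptions about what a controller would check, not the format of SAP's firefighter log report.

```python
"""Controller review of Firefighter (EAM) session logs.

Added illustration; the session records, Firefighter IDs, users, controllers
and reason codes are constructed and the review rules are my assumptions about
what a controller would check, not SAP's log report format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FirefighterSession:
    ff_id: str             # temporary Firefighter ID that was checked out
    firefighter: str       # end user who used the ID
    controller: str        # owner who must review and sign off the log
    reason: str            # reason code / ticket supplied at check-out
    valid_from: datetime   # window in which the ID was assigned to the user
    valid_to: datetime
    started: datetime      # session start/end as logged by the system
    ended: datetime
    tcodes: tuple          # activities recorded during the session
    signed_off: bool = False


def review_findings(sessions, now, sla=timedelta(days=3)):
    """Return (ff_id, firefighter, controller, [issues]) for every session a
    controller should look at before signing off."""
    findings = []
    for s in sessions:
        issues = []
        if not s.reason.strip():
            issues.append("no reason code")
        if s.started < s.valid_from or s.ended > s.valid_to:
            issues.append("used outside validity window")
        if not s.tcodes:
            issues.append("no activity logged")
        if not s.signed_off and now - s.ended > sla:
            issues.append("sign-off overdue")
        if issues:
            findings.append((s.ff_id, s.firefighter, s.controller, issues))
    return findings


def usage_summary(sessions):
    """Per Firefighter ID: number of sessions and the distinct T-codes run."""
    summary = {}
    for s in sessions:
        entry = summary.setdefault(s.ff_id, {"sessions": 0, "tcodes": set()})
        entry["sessions"] += 1
        entry["tcodes"].update(s.tcodes)
    return {k: {"sessions": v["sessions"], "tcodes": sorted(v["tcodes"])}
            for k, v in summary.items()}


# Constructed sample log: three check-outs of two Firefighter IDs.
D = datetime
SESSIONS = [
    FirefighterSession("FF_AP01", "X", "C1", "INC-1001 month-end payment run fix",
                       D(2017, 3, 1), D(2017, 3, 3, 23, 59),
                       D(2017, 3, 1, 9), D(2017, 3, 1, 11), ("F110", "FBL1N"), True),
    FirefighterSession("FF_AP01", "X", "C1", "",
                       D(2017, 3, 1), D(2017, 3, 3, 23, 59),
                       D(2017, 3, 4, 8), D(2017, 3, 4, 8, 30), ("XK02",), False),
    FirefighterSession("FF_BASIS1", "W", "C2", "CHG-42 transport import",
                       D(2017, 2, 20), D(2017, 2, 28, 23, 59),
                       D(2017, 2, 21, 14), D(2017, 2, 21, 15), ("STMS", "SM37"), False),
]
NOW = D(2017, 3, 7, 8)

if __name__ == "__main__":
    for ff_id, who, ctl, issues in review_findings(SESSIONS, NOW):
        print(f"{ff_id} used by {who}, controller {ctl}: {', '.join(issues)}")
    print(usage_summary(SESSIONS))
```

The first session is clean and already signed off, so it does not appear in the review queue; the second was started after the ID's validity window ended and carries no reason code; the third has simply not been signed off within the window, which is the kind of backlog an auditor will ask about.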

Business Role Management

• Business Role Management (BRM) is the identification and mitigation of risks at an early stage, even before the creation of the roles. Risks can be identified as a conflict within a single role or a composite role.

• Benefits:

Creates single and derived roles with proactive avoidance of SoD risks.

Supports the definition and documentation of role information, authorizations and testing results.

Using the GRC simulation functionality, it allows preventative measures to be carried out far quicker than the manual alternative.

Access Request Management

• Access Request Management (ARM) is the provisioning tool that provides the company with the ability to manage SAP user access and role assignment within connected systems.

• Provisioning access to users involves the user completing the forms that request access to the backend system.

• Access requests are created in the GRC box by requestors and submitted for approval. The requestor is responsible for selecting the roles required by the user. Once submitted, the request is routed online by workflow to the relevant approvers.

Benefits:

ARM will help you stay clean and stay in control.

Significant improvements in the provisioning solution, e.g. usability, workflow, flexibility, maintenance, reduced manpower and system performance.

A number of ready-to-use, out-of-the-box workflows for ARM integration with EAM, BRM and ARA.

Using access requests you can create, change, lock and unlock users, and self-service password reset lifts another user administration burden from the support team.

GRC Access Approver for Mobile Apps

Currently SAP delivers the following Fiori applications for SAP Access Control:

Request Access

Check Request Status

Access Approver/Compliance Approver

Firefighter Usage, and many more.

Review Requests

Decide on the fly – approve requests from anywhere

Review and approve time-sensitive user and firefighter access requests

Review risks associated with a request

Take Action

Call or email users to request additional information

Add comments before approving or rejecting requests

Forward requests to people in your contact list when further information is needed

Get Clean

Stay Clean

Customer Success

PAR Pacific: GRC Implementation

Company: PAR Pacific Holding, Inc.

Headquarters: Houston, TX

Publicly traded: PARR

Industry: Oil & Gas

Products and Services: Refinery

Employees: 1500+

Web Site: http://www.parpacific.com

Objectives:

• PAR has decided to implement GRC to identify governance and security issues that need to be addressed.

• Become better informed about best practices for remediation and mitigation of access risk.

• Proactively identify risks prior to user provisioning.

Why SAP:

• Central repository for mitigation controls.

• Comprehensive documentation of role management activities for audit purposes.

Resolution:

• Expedited adoption of the SAP® Access Control application thanks to RBEI's rapid implementation methodology and value-adding best practices for security.

• Streamlined the role management process with risk-free roles and harmonized user access administration.

Future plans:

• Grow with and adapt to changes, thanks to future-proof, scalable technology.

• Improve monitoring and analysis of risks and controls with one-click access to dashboards and reports.

90% Fewer SoD violations

50% Less cycle time for access management

30% Reduction in composite and single roles

Lower cost of compliance

Kellton Tech was also involved in the S/4 HANA implementation at PAR Pacific. Please follow the link below for more details:

http://www.kelltontech.com/kellton-tech-case-study/leading-energy-provider-par-pacific-consolidates-business-systems-sap

H&E: GRC Implementation

Company: H&E Equipment Services

Headquarters: Baton Rouge, LA

Publicly traded: HEES (Nasdaq)

Industry: Construction equipment, rental and leasing service

Products and Services: Heavy equipment

Employees: 1700+

Web Site: http://www.he-equipment.com

Objectives:

• Adapt segregation-of-duties (SoD) rules to meet the company's needs.

• Standardize, automate, and accelerate all governance, risk, and compliance (GRC) processes.

• Work with Internal Audit & Business to review the default rule set.

Why SAP:

• Need more visibility into end user access.

• Flexible and scalable role management framework.

• Risk remediation & mitigation.

Resolution:

• Successfully using the access request workflow and Firefighter.

• Tailored the SoD rule set to the company's business scenarios and rationalized naming conventions.

Future plans:

• Plan to switch to S/4 HANA soon to utilize the Mobile Apps functionality.

• Encourage and empower employees with enhanced self-services.

90% Improvement in visibility of risks

20% Savings in cost through effective risk management and better resource management

10% Reduction in auditing costs

Kellton Tech has been involved with H&E's SAP ECC 6.0 implementation since the beginning. Our primary focus originally was the implementation of Sales and Distribution for their equipment sales, rental, and parts business. Kellton Tech has since expanded to become the preferred vendor for support and integration of all SAP products.

http://www.kelltontech.com/sites/default/files/inline-images/HE_Reference_2015.pdf

Questions