SAP GRC
Uploaded by: kellton-tech-solutions-ltd
Category: Technology
Transcript of SAP GRC
KEY FACTS
Foundation: 1993 (24 years young)
Footprint: USA, Canada, Ireland, UK & India. Offices in Reston, VA; Princeton, NJ; Cupertino, CA; Chicago, IL; Houston, TX; Dublin, Ireland; London, UK; Delhi; Hyderabad; Guwahati; Lucknow
Clientele: Startups to Fortune 500
Core strength: People and process (ISO 9001:2008 and CMMi Level 3)
Ownership: Public limited. BSE|NSE: KELLTONTEC
Team size: 1200+ employees globally
WHAT WE DO
Digital Transformation: Harness the power of digital technologies and data to create competitive advantage
Digital Connected Enterprise: Connecting the dots in your digital systems of engagement, insight, records and core IT
Enterprise Solutions: Delivering end-to-end SAP solutions as a certified SAP Gold partner
Professional Services: Promoting strategic agility with cutting-edge technology consulting and professional services
Outsourced Product Development: Ensuring high quality and high performance product development via an agile SDLC model
PARTIAL CUSTOMERS BY INDUSTRY (chart): Financials, Services, Energy, Utilities, Manufacturing, Retail, Others
Speaker Bio
Feroz Mohammed is a Senior Consultant for Kellton Tech, the leading provider of Security & GRC solutions for customers running SAP. He has over 9 years of experience in Security & GRC implementation, upgrades and support. Feroz has served multiple industries, including manufacturing, oil & gas, energy and chemicals.
Feroz Mohammed
Sr. SAP Security & GRC
Kellton Tech
AGENDA
1. Introduction – Kellton Tech
2. What is GRC?
3. Four Components of GRC Access Control
4. Mobile Apps
5. Customer's Success Story
6. Q&A
Governance Risk Compliance
SAP Governance, Risk and Compliance (GRC) offers solutions that enable you
to make better business decisions by visualizing and predicting how risks may
impact performance. You can reduce complexity and cut costs – while protecting
your company’s reputation and financial wellbeing by integrating key GRC
activities into your existing business processes.
Kellton Tech can help organizations identify, remediate, monitor, exploit and
manage enterprise risks in addition to coordinating the utilization of people,
process and technology to improve GRC effectiveness and help manage costs.
Governance Risk Compliance
In a Sarbanes-Oxley Act (SOX) regulated environment, a business needs to define its access controls based on Segregation of Duties (SoD).
Segregation of Duties: SoD is the concept of requiring more than one person to complete a task. Splitting a single business task between two or more individuals prevents one person from committing fraud, or making an error, without anyone else noticing.
Example: user X can create a vendor and then pay the same vendor. That combination is an SoD conflict: X could set up a fictitious vendor and pay it without anyone else being involved.
Risk: an employee is assigned tasks that together give them an opportunity to commit fraud. Tasks are assigned to employees in the form of roles, and roles are made up of actions (transaction codes, or T-codes).
SAP GRC Access Control
1. Access Risk Analysis (ARA)
2. Emergency Access Management (EAM)
3. Business Role Management (BRM)
4. Access Request Management (ARM)
Access Risk Analysis
Access Risk Analysis is the core module of SAP GRC Access Control and is used for preventive and ongoing monitoring of SoD risks, critical transactions and mitigating controls.
ARA life cycle:
1. Risk Identification
2. Rule Building & Validation
3. Analysis
4. Remediation/Mitigation
5. Continuous Compliance
Access Risk Analysis
How to eliminate the risk? There are two approaches:
1. Remediate: remove the conflicting access, by changing the role design or the user's role assignments, so that the risk no longer exists.
2. Mitigate: where the access cannot be removed (for example in a small team), keep it but assign a documented mitigating control (for example, an independent periodic review of the transactions involved) with a named control owner, and monitor it as part of continuous compliance.
Emergency Access Management
• EAM enables end users to perform emergency activities outside the parameters of their standard role, but within a controlled and fully auditable environment. The application assigns a temporary Firefighter ID that grants the end user (the Firefighter) broad yet regulated access, and logs every activity he/she performs using the temporary ID.
• Benefits: Resolve SoD conflicts, because emergency access is granted temporarily through the Firefighter ID instead of being added permanently to the user's own roles.
• A controller monitors all the activities executed by the Firefighter and is also responsible for auditing the usage by reviewing and signing off on the Firefighter log report.
• Audit documentation is prepared immediately after the event, which eliminates the time and resources needed to prepare it later and makes the process cost effective.
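The log-and-sign-off control described above, as an added example that is not part of the original presentation and not Kellton Tech's or SAP's code (it is also not the format of SAP Access Control's own Firefighter log report). It rebuilds Firefighter sessions from an activity log, produces the per-session report a controller reviews, and flags sessions that were never signed off, or were signed off by someone other than the assigned controller. The log lines, Firefighter IDs, user names, timestamps and the five-day review window are constructed for the example.

```python
"""Firefighter (EAM) log review: rebuild sessions from an activity log and
check that each session has been signed off by its assigned controller.

Added example, not code from Kellton Tech or SAP, and not the format of SAP
Access Control's own Firefighter log report. The log lines, Firefighter IDs,
user names and timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed activity log, one line per transaction run under a Firefighter ID:
# session;ffid;firefighter;controller;timestamp;tcode
FF_LOG = """\
S1001;FF_FI_01;jdoe;mcontrol;2017-03-02T09:15:00;F110
S1001;FF_FI_01;jdoe;mcontrol;2017-03-02T09:21:00;FBL1N
S1001;FF_FI_01;jdoe;mcontrol;2017-03-02T09:40:00;F-53
S1002;FF_BASIS_01;asmith;bcontrol;2017-03-03T14:02:00;SE38
S1002;FF_BASIS_01;asmith;bcontrol;2017-03-03T14:05:00;SU01
S1003;FF_FI_01;jdoe;mcontrol;2017-03-09T08:00:00;XK02
"""

# Constructed sign-off records: session -> (controller who signed, timestamp)
SIGNOFFS = {"S1001": ("mcontrol", "2017-03-03T10:00:00")}

# Constructed date on which the review is run
REVIEW_DATE = datetime(2017, 3, 10, 12, 0)


def parse_log(text):
    """Group log lines into sessions: who used which FFID, when, and what ran."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, ffid, user, controller, ts, tcode = line.split(";")
        s = sessions.setdefault(sid, {"ffid": ffid, "firefighter": user,
                                      "controller": controller,
                                      "start": ts, "end": ts, "tcodes": []})
        s["tcodes"].append(tcode)
        # ISO-8601 timestamps sort correctly as strings
        s["start"], s["end"] = min(s["start"], ts), max(s["end"], ts)
    return sessions


def log_report(sessions):
    """The per-session report a controller reviews before signing off."""
    return [f"{sid}: {s['ffid']} used by {s['firefighter']} "
            f"{s['start']} .. {s['end']}, ran {', '.join(s['tcodes'])}"
            for sid, s in sorted(sessions.items())]


def review_status(sessions, signoffs, now, sla_days=5):
    """Classify each session for the control check.

    signed-off        reviewed by the assigned controller
    wrong-controller  signed off, but not by the controller assigned to the FFID
    pending           not yet reviewed, still inside the review window
    overdue           not reviewed within sla_days of the session's end: a
                      control gap an auditor will flag
    """
    status = {}
    for sid, s in sessions.items():
        if sid in signoffs:
            who, _when = signoffs[sid]
            status[sid] = "signed-off" if who == s["controller"] else "wrong-controller"
        else:
            age = now - datetime.fromisoformat(s["end"])
            status[sid] = "overdue" if age > timedelta(days=sla_days) else "pending"
    return status


if __name__ == "__main__":
    sessions = parse_log(FF_LOG)
    for line in log_report(sessions):
        print(line)
    print(review_status(sessions, SIGNOFFS, REVIEW_DATE))
```

The point of the `overdue` state is that the log alone is not the control: a Firefighter session whose log nobody reviewed is exactly the finding an auditor raises, so the review run should report it, not just the session contents.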
Business Role Management
• Business Role Management (BRM) identifies and mitigates risks at an early stage, before the roles are even created. Risks can be identified as a conflict within a single role or within a composite role.
• Benefits:
Creates single and derived roles with proactive avoidance of SoD risks.
Supports the definition and documentation of role information, authorizations and testing results.
Using GRC simulation functionality, preventive measures can be carried out far more quickly than with the manual alternative.
Access Request Management
• Access Request Management (ARM) is the provisioning tool that gives the company the ability to manage SAP user access and role assignment in the connected systems.
• Provisioning access to users involves the user completing a form that requests access to the backend system.
• Access requests are created in the GRC system by requestors and submitted for approval. The requestor is responsible for selecting the roles required by the user. Once submitted, the request is routed online by workflow to the relevant approvers, who can review the risks associated with the request before approving it.
Access Request Management
Benefits:
ARM helps you stay clean and stay in control.
Significant improvements in the provisioning solution: usability, workflow, flexibility, maintenance, reduced manpower and system performance.
A number of ready-to-use, out-of-the-box workflows for ARM integration with EAM, BRM and ARA.
Access requests can also create, change, lock and unlock users, and self-service password reset lifts another user-administration burden from the support team.
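The rule matching, role-level check, request simulation and remediate/mitigate handling described in the Access Risk Analysis, Business Role Management and Access Request Management sections above, as an added example that is not part of the original presentation and not Kellton Tech's or SAP's code. It models a small rule set the way Access Control does (functions group T-codes, a risk is a set of functions that must not meet in one user), analyzes a single or composite role before it is assigned (BRM), analyzes a user's combined roles net of assigned mitigating controls (ARA), simulates which new risks an access request would introduce (ARM), and lists the role removals that would remediate a given risk. The transaction codes (XK01, F110, FB60, MIRO, SE38 and so on) are real SAP T-codes, but the function IDs, risk IDs, role names, user names and control IDs are constructed for the example and are not the IDs of SAP's delivered rule set.

```python
"""SoD risk analysis in the style of SAP Access Control (ARA, BRM, ARM).

Added example, not code from Kellton Tech or SAP. The rule set is constructed:
the transaction codes are real SAP T-codes, but the function IDs (VM01, AP01,
...), risk IDs (R001, C001), role, user and control names are hypothetical
and are not the IDs of SAP's delivered rule set.
"""

# Functions group the actions (T-codes) that let someone perform a business
# task. A risk is a set of functions that must not meet in one user (SoD),
# or a single critical function.
FUNCTIONS = {
    "VM01": {"XK01", "XK02", "FK01", "FK02"},  # maintain vendor master
    "AP01": {"F110", "F-53", "F-58"},          # pay vendors
    "AP02": {"FB60", "MIRO"},                  # enter vendor invoices
    "BD01": {"SE38", "SA38"},                  # run ABAP programs directly
}
RISKS = {  # risk id -> (description, functions that conflict, risk level)
    "R001": ("Create a vendor and pay the same vendor", {"VM01", "AP01"}, "High"),
    "R002": ("Enter a vendor invoice and pay it", {"AP02", "AP01"}, "High"),
    "C001": ("Execute ABAP programs directly", {"BD01"}, "Critical"),
}

# Technical roles carry T-codes; composite roles bundle single roles.
SINGLE_ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_AP_INVOICE": {"FB60", "MIRO", "FBL1N"},
    "Z_BASIS_DEV": {"SE38", "SE80"},
}
COMPOSITE_ROLES = {"Z_AP_CLERK": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE"}}

# Mitigating controls already assigned: user -> {risk id: control id}
MITIGATIONS = {"X": {"R001": "MC-AP-07"}}


def actions_of(roles):
    """Expand single and composite roles into the set of T-codes they grant."""
    acts = set()
    for role in roles:
        if role in COMPOSITE_ROLES:
            acts |= actions_of(COMPOSITE_ROLES[role])
        else:
            acts |= SINGLE_ROLES.get(role, set())
    return acts


def analyze_actions(actions):
    """Rule matching: {risk id: {function: T-codes that triggered it}}.

    A risk fires only when *every* function in it is reachable from the
    action set, so a payments clerk without vendor-master access is clean.
    """
    hits = {}
    for rid, (_desc, funcs, _level) in RISKS.items():
        matched = {f: FUNCTIONS[f] & actions for f in funcs}
        if all(matched.values()):
            hits[rid] = matched
    return hits


def analyze_role(role):
    """BRM: analyze a single or composite role before it is built or assigned."""
    return analyze_actions(actions_of([role]))


def analyze_user(user, user_roles, mitigations=MITIGATIONS):
    """ARA: split a user's risks into still-open ones and mitigated ones."""
    hits = analyze_actions(actions_of(user_roles))
    controls = mitigations.get(user, {})
    open_risks = {rid: h for rid, h in hits.items() if rid not in controls}
    mitigated = {rid: controls[rid] for rid in hits if rid in controls}
    return open_risks, mitigated


def simulate_request(user, current_roles, requested_roles, mitigations=MITIGATIONS):
    """ARM-style risk simulation of an access request before approval.

    Returns only the risks the request would *introduce*: existing risks are
    the role owner's problem, new ones are the approver's decision.
    """
    before, _ = analyze_user(user, current_roles, mitigations)
    after, _ = analyze_user(user, list(current_roles) + list(requested_roles), mitigations)
    return {rid: after[rid] for rid in after if rid not in before}


def remediation_options(user_roles, risk_id):
    """Remediate: which single role removal clears the risk for this user."""
    options = []
    for role in user_roles:
        remaining = [r for r in user_roles if r != role]
        if risk_id not in analyze_actions(actions_of(remaining)):
            options.append(role)
    return sorted(options)


if __name__ == "__main__":
    print("role Z_BASIS_DEV:", analyze_role("Z_BASIS_DEV"))
    open_risks, mitigated = analyze_user("X", ["Z_AP_CLERK", "Z_AP_PAYMENTS"])
    print("user X open:", sorted(open_risks), "mitigated:", mitigated)
    print("remediate R002 for X by removing one of:",
          remediation_options(["Z_AP_CLERK", "Z_AP_PAYMENTS"], "R002"))
    print("request for Y adds:",
          sorted(simulate_request("Y", ["Z_AP_INVOICE"], ["Z_AP_PAYMENTS"])))
```

Two things the example makes visible that the slides only state: the composite role `Z_AP_CLERK` is clean on its own (vendor maintenance plus invoice entry is not one of the constructed risks) and only becomes a conflict once the payments role is added, which is why the analysis must run at user level and at request time, not just at role build time; and a mitigating control does not make the conflict disappear from the rule match, it only moves the risk from the open list to the mitigated list, so the control itself still has to be monitored.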
GRC Access Approver for Mobile apps
Currently SAP delivers the following Fiori applications for SAP Access Control:
• Request Access
• Check Request Status
• Access Approver / Compliance Approver
• Firefighter Usage, and many more
GRC Access Approver for Mobile apps
Review Requests
• Decide on the fly: approve requests from anywhere
• Review and approve time-sensitive user and firefighter access requests
• Review risks associated with a request
Take Action
• Call or email users to request additional information
• Add comments before approving or rejecting requests
• Forward requests to people in your contact list when further information is needed
PAR Pacific: GRC Implementation
Company: PAR Pacific Holding, Inc.
Headquarters: Houston, TX
Publicly traded: PARR
Industry: Oil & Gas
Products and Services: Refinery
Employees: 1500+
Web Site: http://www.parpacific.com
Objectives:
• PAR decided to implement GRC to identify governance and security issues that need to be addressed.
• Become better informed about best practices for remediation and mitigation of access risk.
• Proactively identify risks prior to user provisioning.
Why SAP:
• Central repository for mitigating controls.
• Comprehensive documentation of role management activities for audit purposes.
Resolution:
• Expedited adoption of the SAP Access Control application thanks to RBEI's rapid implementation methodology and value-adding best practices for security.
• Streamlined the role management process with risk-free roles and harmonized user access administration.
Future plans:
• Grow with and adapt to changes, thanks to future-proof, scalable technology.
• Improve monitoring and analysis of risks and controls with one-click access to dashboards and reports.
90% fewer SoD violations
50% less cycle time for access management
30% reduction in composite and single roles
Lower cost of compliance
Kellton Tech was also involved in the S/4HANA implementation at PAR Pacific. Please follow the link below for more details:
http://www.kelltontech.com/kellton-tech-case-study/leading-energy-provider-par-pacific-consolidates-business-systems-sap
H&E: GRC Implementation
Company: H&E Equipment Services
Headquarters: Baton Rouge, LA
Publicly traded: HEES (Nasdaq)
Industry: Construction equipment rental, leasing and service
Products and Services: Heavy equipment
Employees: 1700+
Web Site: http://www.he-equipment.com
Objectives:
• Adapt segregation-of-duties (SoD) rules to meet the company's needs.
• Standardize, automate, and accelerate all governance, risk, and compliance (GRC) processes.
• Work with Internal Audit and the business to review the default rule set.
Why SAP:
• Need for more visibility into end-user access.
• Flexible and scalable role management framework.
• Risk remediation and mitigation.
Resolution:
• Successfully using the access request workflow and Firefighter.
• Tailored the SoD rule set to the company's business scenarios and rationalized naming conventions.
Future plans:
• Plan to move to S/4HANA soon to make use of the mobile apps functionality.
• Encourage and empower employees with enhanced self-services.
90% improvement in visibility of risks
20% savings in cost through effective risk management and better resource management
10% reduction in auditing costs
Kellton Tech has been involved with H&E's SAP ECC 6.0 implementation since the beginning. Our primary focus originally was the implementation of Sales and Distribution for their equipment sales, rental and parts business. Kellton Tech has since expanded to become the preferred vendor for support and integration of all SAP products.
http://www.kelltontech.com/sites/default/files/inline-images/HE_Reference_2015.pdf