Vendor Solutions and Services: Leverage your GRC assets to gain better visibility into business risks · 2015-05-08

Page 1

© 2010 Wellesley Information Services. All rights reserved.

Vendor Solutions and Services

Leverage your GRC assets to gain better visibility into business risks

Leo Castro, Novell, Inc.

Brian Parker, Deloitte & Touche LLP

Page 2

In This Session ...

We’ll cover three main topics:

1. Challenges that impact your visibility to business risk
2. Our vision of how visibility to business risk can help balance agility and security, in support of your business objectives
3. Specific examples of how the solution builds on SAP BusinessObjects capabilities

Page 3

What We’ll Cover …

1. Challenges that impact your visibility to business risk

2. Our vision of how visibility to business risk can help balance agility and security, in support of your business objectives

3. Specific examples of how we build on SAP BusinessObjects
   • Integration with SAP Process Control
   • Integration with SAP Risk Management
   • Integration with SAP Access Control

Wrap-up

Page 4

Risk and Compliance Challenges

• Many organizations are still challenged to progress along the continuum of risk and compliance maturity

Challenges:

• Excessive Cost and Burden on the Business
• Increasing Risks and Severity of Impact
• Complex Compliance Landscape

Contributing factors:

• Organizations are not leveraging risk and compliance efforts, which increases inefficiencies and testing costs
• Silo approach to risk & compliance activities
• Different results and ratings for the same environment; conflicting and contradictory results
• Solutions tend to be created at division or department level and struggle to integrate into the entire operational structure
• Struggle to scale risk and compliance solutions

Program Silos (diagram): the same stakeholder stack (Lines of Business, Functional Leads, Compliance Managers, Information Security, Legal, Audit, Service/Arch Leads, Corporate IT) is repeated separately for each compliance program (Information Security, 3rd Party, HIPAA, PCI, SOX, Privacy, …).

*Source: Deloitte

Page 5

Problem: The CIO Cannot Provide Business-Relevant Risk Data to CFO

The enterprise is set up with distributed security domains.

Issue: Volumes of disparate data make it hard to assess the risk to the enterprise.

Toni, CIO

Page 6

Wouldn’t It Be Great To Convert Raw Data Into Information That Provides Full Visibility To Business Risk?

Monitor all events in the enterprise, injecting identity into access events and correlating those to defined business processes and key risk indicators (KRIs).

Page 7

What We’ll Cover … (agenda slide, repeated from page 3)

Page 8

Visibility to Business Risk: A first step in balancing business agility and security

Visibility to Business Risk Helps Put In Place The Right Controls and Processes

More Secure
• Confidence in meeting compliance objectives

Greater Business Agility
• Move at the speed of business requirements
• Less compliance cost burden

Controls and Processes

Page 9

SAP, Novell, and Deloitte Help Customers Achieve the Right Balance of Controls and Processes

Maturity axis (left to right): Reactive, Automated Access, Continuous Monitoring, Integrated Excellence

Non Sustainable
– Triage
– Manual processes
– Limited awareness of risks and controls

Business Agility
– Optimize access policies
– Preventative controls
– Automation of policy
– Access visibility
– Enterprise roles management

Business Governance
– Map access to process compliance
– Process visibility and accountability
– Real-time event monitoring
– Inspection of IT security risks
– Integrating IT processes to business policy

Business Intelligence
– Enterprise risk-driven business decisions
– Risk mitigation and remediation
– Mapping of risks that affect business objectives
– Clear visibility to the enterprise of business/IT processes and policies

Steps between stages:
– Automate existing compliance framework
– Automate the testing controls that protect the business
– Provide clear visibility to the business

Enablers shown along the continuum:
• Fully integrated processes and policies bringing clear visibility to impact on business objectives
• Risk management, security management, process management, access management, and integrated “out-of-box” policies, processes and best practices
• Identity/security integration with access and process controls
• Automated risk mitigation; tight integration with access control and identity management
• Spreadsheets; manual documentation

Page 10

SAP, Novell, and Deloitte Mitigate Risks That Threaten Business Objectives

Cycle (diagram):
• Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
• Real-time risk response
• Allow business to determine best long-term response
• Monitor and detect risk
• Analyze risk versus thresholds
• Evaluate processes and business objectives to help prioritize risks

Page 11

Building the Crucial Bridge Between Strategic Applications

Layers (diagram): Strategic Business Applications; IT Systems; IT Infrastructure; IT Processes

Novell® Compliance Management Platform extension for SAP environments

SAP BusinessObjects: Process Control, Risk Mgmt, Access Control
SAP ERP: HCM, FIN, OPS
SAP NetWeaver

Page 12

What We’ll Cover … (agenda slide, repeated from page 3)

Page 13

Personas

• John, Controller
• Bill, Accounting Manager
• Toni, CIO
• Sandra, Security Admin
• Frank, Role Owner, SAP Biz Apps
• Linda, Risk Analyst
• Ted, CFO
• Mike, IT Admin

Page 14

Integration with SAP BusinessObjects Process Control

Sandra, Security Admin

Sandra, the IT Security Admin, puts IT computer controls in place to manage administrative access.

SAP BusinessObjects Process Control control hierarchy (diagram, top-down):
• Control Category: Information Security
• Control Sub Category: Security Configuration
• Objective: All information resources are subject to appropriate physical and logical security
• Process: Access to customer data is restricted based on where the data resides and who has access to it
• Control: Ensure that customer data is not replicated into uncontrolled environments

Page 15

Integration with SAP BusinessObjects Process Control

Mike, IT Admin

Frank, Role Owner, SAP Biz Apps
• Business Role: Role Owner
• Active Directory Role: ADDomainAdmin

CMP → SAP BusinessObjects Process Control (diagram)

Mike makes Frank an Active Directory Domain Administrator.

The Novell® Compliance Management Platform sees the event as an out-of-policy action and sends an alert to SAP GRC Process Control.

Page 16

Integration with SAP BusinessObjects Process Control

SAP BusinessObjects Process Control

Recognizing that the activity violates one of the established IT computer controls, Process Control creates a remediation event.

Event
• System: Active Directory
• User: Mike
• Description: Change in role: Frank is now an Active Directory Domain Admin.
• Approve / Reject

Notification is sent to Toni (CIO) and Sandra (Security Admin).

Page 17

Integration with SAP BusinessObjects Process Control

Access Event
• System: Active Directory
• User: Mike
• Description: Change in role: Frank is now an Active Directory Domain Admin.
• Approve / Reject

Sandra, Security Admin; Mike, IT Admin; Frank, Role Owner, SAP Biz Apps
• Business Role: Role Owner
• Active Directory Role: ADDomainAdmin

Sandra notifies Mike that he needs to remove Frank’s Active Directory privileges.

Mike needs to remove Frank’s access to Active Directory.

Page 18

What We’ll Cover … (agenda slide, repeated from page 3)

Page 19

Integration with SAP BusinessObjects Risk Management

Mike, IT Admin
• Business Role: IT Admin
• Username: miked
• System: CRM

Administrator account logins are tracked for security purposes and historical trending.

Every time an administrative account is used, SAP BusinessObjects Risk Management evaluates the login against the Key Risk Indicators (KRIs).

Novell® Compliance Management Platform (Novell Sentinel™) → SAP BusinessObjects Risk Management (diagram)

Page 20

Integration with SAP BusinessObjects Risk Management

SAP BusinessObjects Risk Management

In the past few weeks, the amount of administrative account usage has increased.

Mike, IT Admin
• Business Role: IT Admin
• CRM Role: CRMAdmin

Mike is the only person who knows the admin password. He’s questioned about the use of the Administrator Account.
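The two detection steps walked through on pages 15 to 20 (an out-of-policy role grant raised as a control violation, and administrative logins evaluated against a KRI threshold), as an added example that is not the Novell Compliance Management Platform's or SAP's code: a small Python correlation routine that injects identity into raw events and checks them against a constructed control and a constructed KRI. The account names, business roles, policy tuple, 7-day window and threshold of 10 are assumptions made up for illustration.

```python
# Added example (not Novell/SAP code): correlate identity-enriched access events
# against a constructed control and a constructed KRI. All accounts, roles,
# policy entries, windows and thresholds below are assumptions for illustration.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed identity directory: account -> (person, business role)
IDENTITY = {
    "miked": ("Mike", "IT Admin"),
    "frankr": ("Frank", "Role Owner, SAP Biz Apps"),
    "billw": ("Bill", "Sales Contractor"),
}

# Constructed control (Process Control scenario): this business role must never hold this system role
OUT_OF_POLICY = {("Role Owner, SAP Biz Apps", "Active Directory", "ADDomainAdmin")}

# Constructed KRI (Risk Management scenario): admin logins per account in a rolling window
KRI_WINDOW = timedelta(days=7)
KRI_THRESHOLD = 10

@dataclass
class RawEvent:
    ts: datetime
    system: str
    kind: str          # "role_change" or "admin_login"
    actor: str         # account performing the action
    target: str = ""   # account affected (role changes only)
    role: str = ""     # role granted (role changes only)

@dataclass
class Alert:
    control: str
    detail: str

def enrich(ev: RawEvent) -> dict:
    # Inject identity: resolve raw accounts to (person, business role)
    actor = IDENTITY.get(ev.actor, (ev.actor, "unknown"))
    target = IDENTITY.get(ev.target, (ev.target, "unknown")) if ev.target else None
    return {"event": ev, "actor": actor, "target": target}

def check_role_change(enriched: dict) -> Optional[Alert]:
    # Control check: the grantee's business role plus the granted system role is out of policy
    ev = enriched["event"]
    if ev.kind != "role_change" or enriched["target"] is None:
        return None
    person, biz_role = enriched["target"]
    if (biz_role, ev.system, ev.role) in OUT_OF_POLICY:
        return Alert("IT computer control: administrative access",
                     f"{enriched['actor'][0]} made {person} {ev.role} on {ev.system}"
                     f" while {person} holds business role '{biz_role}'")
    return None

def check_admin_login_kri(events: List[RawEvent], now: datetime) -> Optional[Alert]:
    # KRI check: count admin logins per account inside the window, compare to threshold
    recent = Counter(e.actor for e in events
                     if e.kind == "admin_login" and timedelta(0) <= now - e.ts <= KRI_WINDOW)
    for account, n in sorted(recent.items()):
        if n > KRI_THRESHOLD:
            person, _ = IDENTITY.get(account, (account, "unknown"))
            return Alert("KRI: administrative account usage",
                         f"{n} admin logins by {person} ({account}) in the last "
                         f"{KRI_WINDOW.days} days (threshold {KRI_THRESHOLD})")
    return None

def run(events: List[RawEvent], now: datetime) -> List[Alert]:
    # Evaluate each event against the control, then the KRI over the whole stream
    alerts = [a for a in (check_role_change(enrich(e)) for e in events) if a]
    kri = check_admin_login_kri(events, now)
    return alerts + ([kri] if kri else [])

# Constructed sample stream: one out-of-policy grant, 12 admin logins inside the window, one old login
NOW = datetime(2010, 6, 1)
SAMPLE = [RawEvent(NOW - timedelta(days=2), "Active Directory", "role_change",
                   "miked", "frankr", "ADDomainAdmin")]
SAMPLE += [RawEvent(NOW - timedelta(hours=6 * i), "CRM", "admin_login", "miked")
           for i in range(12)]
SAMPLE.append(RawEvent(NOW - timedelta(days=30), "CRM", "admin_login", "miked"))

if __name__ == "__main__":
    for a in run(SAMPLE, NOW):
        print(f"{a.control}: {a.detail}")
```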

Page 21

What We’ll Cover … (agenda slide, repeated from page 3)

Page 22

New Accounting Manager: Role-Based Access to SAP System

Bill, Sales Contractor
• Business Role: Sales Contractor
• CRM Role: SalesMgr1 (ViewReports)

SAP Portal

Bill: “I need to see the latest customer purchase reports.”

Bill goes into the Customer Relationship Management section of the SAP Portal to see reports on recent customer purchases.

Page 23

New Accounting Manager: Role-Based Access to SAP System

SAP Portal

Bill, Sales Contractor
• Business Role: Sales Contractor
• CRM Role: SalesMgr1 (ViewReports)

Bill: “Why don’t I have access?”

Bill clicks the link to view the reports, but finds he does not have access.

Instead of showing an “access denied” message, the Novell® Compliance Management Platform asks Bill if he would like to request access.

Page 24

New Accounting Manager: Access Request

Bill, Sales Contractor
• Business Role: Sales Contractor
• CRM Role: SalesMgr1 (ViewReports)

Bill: “I guess I will request it.”

Bill requests access by providing the necessary information in the request form, and then submits it for approval.

CMP (diagram)

Page 25

New Accounting Manager: Request Approval

John, Controller: “I don’t see issues with giving him access.”

Access Request
• System: CRM
• Requestor: Bill
• Reason for Request: Complete tasks assigned by my manager.
• Approve / Reject

The Novell® Compliance Management Platform sees Bill’s access request and sends it to SAP Access Control to check for SoD violations.

John, Bill’s boss, sees Bill’s access request and the results of the SoD check. He approves the request.

The results from the check show no SoD violations.

CMP → SAP BusinessObjects Access Control (diagram)

Page 26

New Accounting Manager: Granted Access through Bill’s Automated Role

SAP Portal

Bill, Sales Contractor
• Business Role: Sales Contractor
• CRM Access: Approved

Bill: “Wow, that was fast. I am glad that there is not a lot of red tape in this organization.”

Bill receives notification that he has been granted access to the SharePoint system.

Bill clicks the “View Historical Reports” link in the SAP portal. He finds that he is now properly provisioned to begin working with the reports in the SharePoint system.

Page 27

What We’ll Cover … (agenda slide, repeated from page 3)

Pages 28 to 30 (wrap-up)

These three slides repeat pages 8 to 10: Visibility to Business Risk, the maturity continuum of controls and processes, and Mitigate Risks That Threaten Business Objectives.

Page 31

The Integrated Offering Brings Exponential Value to You

Page 32

Key Points to Take Home

• The joint Novell – SAP solution, powered by Deloitte, helps customers to:
  – Gain better visibility into business risks and mitigate them before they impact business objectives
  – Leverage existing compliance IT infrastructure to grow as needs grow
  – Draw upon Deloitte’s leading practices to minimize startup time and maximize ROI

Page 33

Resources

• www.novell.com/cmpsap: Information on Novell’s Compliance Management Platform and the Compliance Management Platform extension for SAP environments

• http://www.novell.com/sap: General information on the SAP-Novell partnership, including the SAP BusinessObjects collaboration

• www.deloitte.com/us/riskintelligent: A rich set of white papers and additional information on enabling the risk intelligent organization

Page 34

Your Turn!

How to contact us:

Leo Castro: [email protected]

Brian Parker: [email protected]

Page 35

Disclaimer

SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This [publication or presentation] is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

* Designates Pre-existing Works owned by Deloitte Development LLC, used herein pursuant to grant of license to WIS.

Novell General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.