Texas Instruments: Making the Journey from Home-Grown SoD Compliance to SAP GRC AC 10.0 Chris Fowler Solution Architect, Texas Instruments Vicki

Similar documents
The Benefits of Advanced Behavioral Analysis Bridget Wilcox and Luke Finsaas

Application Control Effectiveness for SAP. December 2007

Continuous Monitoring: Match Your Business Needs with the Right Technique

Minimize Access Risk and Prevent Fraud With SAP Access Control

Expert Tips To Simplify And Automate Your User Access Request Process David Denson PwC

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned

Welcome to the Audit, Control & Security Stream. Sponsored by:

1. Introduction to the Automated Accounts Payable Development Process Flows of Purchase Orders, Goods Receipts and Invoice Queries...

MD348 Umoja Asset, Inventory and Equipment Master Data Maintenance. Umoja Asset, Inventory and Equipment Master Data Maintenance Version 5 1

Overview of SAP BusinessObjects Risk Management 10.0

AP Automation at Fossil. How Fossil implemented Opentext Vendor Invoice Management Wim Schalken

EMC HYBRID CLOUD FOR SAP

How Accenture is taking SAP NetWeaver Identity Management to the next level. Kristian Lehment, SAP AG Matthew Pecorelli, Accenture

An Introduction to Continuous Controls Monitoring

Lessons from McKesson s Approach to Maintaining a Mature, Cost-Effective Sarbanes-Oxley Program

Ensuring Contract Compliance through integration of Ariba Contracts and SAP ECC Michael Chavez and Sean Rhoades, Deloitte Consulting LLP

GRC TRAINING: RISK OWNERS

Extraction of SAP Data for Audit & Compliance

[ COREY PEARSON. Driving Process Efficiency through SAP Business Workflow at Stanley John Hoover, Stanley Works Rajkishore Una, GyanSys Inc.

Masterminding Data Governance

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

The Power of Risk, Compliance & Security Management in SAP S/4HANA

Infosys: Treating Governance and Compliance Strategically with SAP Access Control

ORACLE APPLICATION ACCESS CONTROLS GOVERNOR FOR PEOPLESOFT

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

Vendor Management. Minimizing Value Leakage. Deloitte Consulting LLP. November 19, 2013

IT28 GOING PAPERLESS WITH MICROSOFT DYNAMICS NAV Tom Taylor, Microsoft

GO LIVE, ON TIME, ON BUDGET

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

IDS for SAP. Application Based IDS Reporting in the ERP system SAP R/3

SAP Workflow Classics Session 803 Martin Maguth, Norikkon Torsten Schnorpfeil, Norikkon

Supply Chain Shared Services (SCSS)

City of Palo Alto (ID # 1521) Finance Committee Staff Report

Proven deployments across different Industry verticals; Being used by leading brands

Using SAP Master Data Technologies to Enable Key Business Capabilities in Johnson & Johnson Consumer

Case Study of a Segregation of Duties Project

Application Management Services (AMS)

Cracking the Code on Software License Management

Unlocking the power of SAP s governance, risk and compliance technology

GR5 Access Request. Process Diagram

Disclosure of Drug Promotion Expenses: The Importance of Master Data Management and Considerations for Choosing a Reporting Solution

Identity & Access Management Case Study & Lessons Learned. Prepared by Tariq Jan

Advisory Services Oracle Alliance Case Study

SILVERPOP Step-Up Plan

Business-Driven, Compliant Identity Management

Software Configuration Management Best Practices

Session 1604 Interactive Discussion Forum with ASUG Solution Manager SIG Leadership: Capitalizing on SAP Solution Manager for your business and IT

Using Technology to Automate Fraud Detection Within Key Business Process Areas

Enabling Data Quality

Data Consistency Management Overview January Customer

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

M-Files EAM. Agile Plant Maintenance Solutions

Service Automation to implement and operate your Cloud initiatives

Data Audit Solution. Data quality visibility in 5 days for improving corporate performance. TABLE OF CONTENTS. Purpose of this white paper

Service Portfolio Management PinkVERIFY

Multi Channel Invoice Processing the way forward

DETAILED BOOT CAMP AGENDA

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

Building flexible, easy to change and rock-solid applications with BRFplus decision services. Carsten Ziegler, James Taylor

Integrated Governance, Risk and Compliance (igrc) Approach

State of Alaska Enterprise Messaging and Directory Services Strategy Vision and Scope

Risk Management in Role-based Applications Segregation of Duties in Oracle

Optimizing the Source to Contract Process to Maximize and Lock in Savings Patrick Eckhert Cardinal Health Head of Indirect Procurement

CA Workload Automation for SAP Software

Atlanta OAUG. Internet Expenses Key to speedy processing. Chetan Manjarekar

Audit of the Enterprise Resource Planning System Implementation

Introducing webmethods OneData for Master Data Management (MDM) Software AG

Monster Energy Energizes Its ERP Testing With Panaya

SAM Benefits Overview

The Firewall Audit Checklist Six Best Practices for Simplifying Firewall Compliance and Risk Mitigation

Minder. simplifying IT. All-in-one solution to monitor Network, Server, Application & Log Data

Product Complaints Management. Infosys Handbook for Life Sciences

MECOMS Customer Care & Billing As A Service

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

MODERNIZING IT PLATFORMS SUCCESSFULLY HOW PLATFORM RENEWAL PROJECTS CREATE VALUE

Security and Your SAP System When Working with Winshuttle Products

TAKE COST CONTROL AND COMPLIANCE TO A NEW LEVEL. with ACL Travel & Entertainment Expense Fraud and Cost Control Solution

Fraud Prevention and Deterrence

Why Professional Services Firms Need an Integrated ERP Solution

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

Ali Chalak, Manager. Top 10 Audit Findings

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

Shared Services - Accounts Payable. Technology / Process Enhancements August 2014 Implementation

4/1/2009. Short-termterm

Case Study: Intercompany and Revenue Recognition process in SAP for a Professional Services Industry. Sandeep Bagchi and Rahul Raina

A shift in responsibility. More parties involved Integration with other systems. 2

Cost Justifying Mobility Management Untapped Cost Savings You Can t Ignore

SAP Change Control - One Integrated Process to Manage Software Solution Deployments SAP AG

Billing and Revenue Management - A Case for Change

Helping Enterprises Succeed: Responsible Corporate Strategy and Intelligent Business Insights

flex support Service Overview

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.

CA Nimsoft Service Desk

Four Universal Truths Jeopardizing Customer Service in Financial Institutions Changes That Will Transform Customer Service Experiences and Outcomes

Fermilab Computing Division Service Level Management Process & Procedures Document

The Benefits of Component Object- Based SCADA and Supervisory System Application Development

Summit Platform. IT and Business Challenges. SUMMUS IT Management Solutions. IT Service Management (ITSM) Datasheet. Key Benefits

Transcription:

Texas Instruments: Making the Journey from Home-Grown SoD Compliance to SAP GRC AC 10.0 Chris Fowler Solution Architect, Texas Instruments Vicki Purcell Senior Associate, PricewaterhouseCoopers

About Texas Instruments

TI s SAP Landscape Single global instance of ECC 6.04 Originally implemented R/3 4.01B in Jan 1999 Not using SAP for HR processing Approximately 12,000 users world-wide Also running single instances of: GTS 8.0 SRM 4.0 (being upgraded to 7.0) CRM 4.0 (being upgraded to 7.0) SCEM 1.1 (being upgraded to EM 7.0)

Learning Points How TI: Replaced a limited, custom SOD management solution with standardized SOD controls. Managed implementation of SOD controls and remediation in one project. Moved from job-based security roles to task-based security roles.

Challenges & Revelations Existing access request process was not adequate Need to implement a new access request tool Existing SoD tool was not adequate Need to implement a new tool to standardize SoD management Scope of violations in existing roles was too large to mitigate Need a new approach for SAP security design

Challenge #1 Existing access request process was not adequate Sensitive access approval decentralized and manual No integration of custom SoD tool with access requests Manual security provisioning after approvals All reminders and escalations generated manually No enforced SLA - requests taking 2 days to 3 months Inadequate archiving of security requests Firefighter process was ad-hoc

Revelation #1 Need to implement a new access request tool SAP GRC Access Control 10.0 ARM and EAM Access Request Management (ARM) Replace manual provisioning Emergency Access Management (EAM) Replace ad-hoc firefighter process

Challenge #2 Existing SoD tool was not adequate Custom SoD tool only did Role-to-Role analysis Rules checked for roles that should not be combined Only evaluated violations in the ECC system Only evaluated business risks Mitigating control documentation was only at individual user level Internal Audits found that this level of SoD analysis was not effective

Challenge #2 - Example Example: TI Rule #3: Returns Administration and Advanced Receiving Role A: RL143 Returns Administration - VS - Role B: RL119 Advanced Receiving Tool would only flag this role combination as an SoD violation

Revelation #2 Need to implement a new tool to standardize SoD management Evaluated several different compliance solutions Decided on SAP GRC Access Control 10.0 ARA Convert TI role to role ruleset structure to GRC s function-risk structure Create more comprehensive SoD rules SAP standard GRC rules TI unique rules PwC leading practice rules

Original Project Scope Phase 1: Implement ARA and EAM Define TI SoD ruleset and run against ECC and GTS systems Assign IT users broad, individualized firefighter ID s Complete in October, 2012 Phase 2: Implement ARM and finish EAM Define Access Request approval workflows Final definition and assignment of Firefighter users Complete in February, 2013

Challenge #3 Scope of violations in existing roles was too large to mitigate SoD analysis showed an unexpectedly high number of violations Intra-role conflicts were biggest problem User conflicts very high, especially in IT support SoD violations that had not been tracked before What now?

Revelation #3 Need a new approach for SAP Security design Clean up existing violations within roles Be sustainable over time Introduce least privilege access for all users

Security Approach Options Option 1: Remodel Split roles to single out conflicting transactions Remove authorization objects from specific roles Benefits Provides quick(er) incremental fixes Addresses easy issues Risks Create additional roles which increase maintenance costs Corrects initial issue, but could cause long-term issues Could be more costly in long term Repetitive process required to fix all issues Duplication of access and mixed design complicates provisioning

Security Approach Options Option 2: Rebuild Build all new security roles Use transaction usage history, role mapping templates, etc. Implement consistent design meeting business and regulatory needs Benefits Complete SoD remediation much sooner Long-term fix to issues Continuous compliance is possible (get clean stay clean) Reduce maintenance and compliance costs Provides sustainable provisioning design with GRC Efficient resolution of all SAP Security Assessment audit red flags Risks No immediate impact on SoD statistics Will require change in mindset of business and security team

Role Design Decision Decision Point: Keep Job-based role model or switch to task-based roles? Pain points with job-based roles: More difficult to control SoD violations Excessive duplication of transactions Roles provide excessive access to the users who only need some of the functions Broad definition of job roles permit them to grow over time Least privilege concept is more difficult to implement with job roles Conclusion: In TI s dynamic environment, designing new job-based roles would have resulted in overly broad access or in a huge number of individually tailored roles

Role Design Decision TI s decision: implement task-based role model All roles free of intra-role SoD violations Minimal duplication of tcodes across roles Roles are designed to lowest common denominator to make them reusable Easy to implement least privilege concept User SoD violations are handled with role unassignments rather than role changes Eliminate non-used tcodes from new roles

What Task-Based Roles What are task-based roles? What are task-based roles? TIER 1: GENERAL ACCESS General access is provisioned via one single role made up of tasks common to all users, such as printing, inbox, SU53, etc. Where Contract Maintenance AR Common Display Company Code: 1003 User General Process Billing FI Common Display Sales Organization: 1003 Tier 1 Vendor Master Maintenance Tier 2 Tier 4 Tier 3 TIER 2: DISPLAY ACCESS Display access is provisioned via a set of roles defined by functional area that allow display and reporting access intended to compliment the functional roles of the users TIER 3: FUNCTIONAL ACCESS Functional access is provisioned via multiple single task based roles. Role grouping of activities that are the lowest common denominator of tasks and permission components to suit the needs of the end users. These groupings usually are SOD free and part of a sub-process such as Invoice Processing or Material Master Maintenance. TIER 4: CONTROL POINTS Roles that provide additional control point access or granularity needed by Tiers 1-3 such as Company Code, Plant, etc.

Project Scope Change Where does role redesign fit in the project scope? Decided to integrate the role redesign and GRC Access Control implementation into a single project Extended Phase 2 (ARM) to complete May, 2013 Added Role Design project to execute in parallel

Metrics Increased SoD risk visibility by 700% Decreased number of transactions in roles by 50% Reduced transaction duplication in roles by 97% Eliminated 100% of manual and changed authorizations Eliminated 100% of intra-role SoD violations Reduced SoD user violations by 97%

Key Learnings This is rocket science! (you need experts to help) Ensure availability of the core team In a highly customized environment, having a Developer on the project team is key GRC doesn t end with the implementation Be prepared for the potential results - you really don t know how bad the SoD situation is You may not eliminate all SoD violations by segregation

SoD Compliance Process Compliance Effort Breakout Mitigation 10% Ruleset Customization 30% Remediation 20% Role Redesign 40%

Best Practices Do not allow business users to have direct access to tables and programs Make sure you have at least 12 months of transaction usage data Have separate transactions for display vs. update SAP Security Team should be involved at the beginning of any development project Ensure all roles are free of intra-role violations to make user remediation easier Ownership of risk and role management must belong to the business, not IT Do not underestimate business readiness requirements

Key Benefits Automation of security provisioning processes allows SAP Security Team to focus on proactive activities Greater visibility to mitigated and unmitigated SoD conflicts Provides tools to empower the business to own their risk management process Audit independence

Questions?

THANK YOU FOR PARTICIPATING Please provide feedback on this session by completing a short survey via the event mobile application. SESSION CODE: 0901 For ongoing education on this area of focus, visit www.asug.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information