SAP GRC Access Control Emergency Access Management April 2016 www.pwc.be PwC

Slide 2: PwC provides end-to-end SAP consulting services
Value through SAP strategy, design, implementation & QA. PwC SAP Consulting service areas:
• Human Capital
• Value Chain
• Technology & Security
• Enterprise Assets
• Finance & Treasury
• Governance, Risk & Compliance

Slide 3: PwC’s SAP security & GRC services
Increase quality & profitability with PwC services & SAP technology.

Slide 4: Agenda
• SAP security: what & why?
• SAP GRC Access Control overview
• Emergency Access Management deep-dive
• Live demo
• Implementation good practices
• Question & answer

Slide 5: SAP security: what & why?

Slide 6: SAP authorisations
PwC’s five guiding principles for an effective design:
• Task-based methodology
• Smart technical design
• Know your control points
• Quality technical build
• SoD free
Together these lead to effective SAP security.

Slide 7: PwC’s holistic view on SAP security
SAP GRC as an enabler for a sustainable authorisation model. Effective SAP security design rests on three pillars:
• SAP role architecture
• Security & provisioning processes
• Org structure & governance
“Get clean, stay clean”: use the right tools and processes to support your SAP authorisation concept.

Slide 8: SAP GRC Access Control overview

Slide 9: SAP GRC Access Control: four modules which enable controlled SAP authorisations
GRC access management technology:
1. Access Risk Analysis
2. Access Request Management
3. Business Role Management
4. Emergency Access Management

Slide 10: Emergency Access Management deep-dive

Slide 11: Your challenges
How to handle those midnight emergency calls... without opening security gates permanently?
• Recent audits demonstrated that your SAP users in IT and Business had access to sensitive SAP transactions or tables on a permanent basis, whilst the access was not required to support the user’s day-to-day job activities. This sensitive access was granted to these users to allow them to support the business in case of incidents and/or emergency requests, but resulted in uncontrolled usage of sensitive SAP access.
• Access to sensitive transactions is not controlled.
Your desired response: you want to address the above challenges by implementing appropriate controls on the usage of sensitive SAP access in support of incidents and emergency requests, and by installing regular risk-based SAP access reviews. SAP GRC Access Control technology has been identified as an important enabler for these controls: SAP GRC to meet IT, business and internal control requirements.

Slide 12: SAP GRC Emergency Access Management, an enabler for controlled management of elevated access!
Key functionality:
• Pre-define emergency access for approved users
• Activity monitoring for all emergency users
• Pre-assigned firefighter IDs
• Access restrictions
• Validity dates and expiry
• Field-level changes tracked in audit log
• Workflow-based log review
Key benefits:
• Enables compliance-focused emergency access for SAP
• Avoid business obstructions with faster emergency response
• Reduce audit time
• Reduce time to perform
• Workflow-based log review
• Compliant emergency access management process
Diagram elements: super user, SAP_ALL, Firecall ID SD, Firecall ID MM, Firecall ID FICO, Firecall ID ..., each Firecall ID used in a new session with its own log.

Slide 13: SAP GRC EAM key terminology
To assist you in not getting lost in translation:
• EAM: Emergency Access Management, SAP’s tool for providing elevated security authorisations through a controlled process ensuring usage is appropriate.
• SPM / Virsa FireFighter: legacy names for EAM from GRC versions 5.3 and earlier.
• Firefighter ID (also EAM ID, SPM ID, FFID, FireFight ID): a separate SAP user account, typically assigned to a specific process area. When needed, an end user logs into GRC and opens an emergency access session. At that point, a new SAP session is opened and all actions performed are logged in EAM.
• Firefighter: an end user who logs into EAM and checks out a Firefighter ID to perform emergency actions.
• Owner: responsible for approving and periodically reviewing access granted to an individual Firefighter ID. Owners are also responsible for authorising the security authorisations assigned to the Firefighter ID.
• Controller: responsible for monitoring and assessing the appropriateness of activity performed by a user using an individual Firefighter ID.

Slide 14: A typical SAP GRC EAM process flow
All actors need to take up responsibility to generate benefit!

Slide 15: Emergency Access Management live demo

Slide 16: Implementation good practices

Slide 17: Determine your SAP GRC AC business case
How to build a solid and compelling one? Benefits to build on:
• Embed ownership of user provisioning with business process owners
• Improved harmony between the goals of IT and the needs of the business
• Encourage consistent execution of business processes
• Reduce access risks and therefore avoid fraud and errors
• Simplify the access request process for business users
• Reduce time spent on user provisioning
• Get rid of recurring audit and compliance remarks
SAP’s GRC value calculator tool: http://www.pulse-iq.com/SAP/AccessControlValueCalc/dashboard.html

Slide 18: GRC implementation roadmap
Working smart towards your goals, in stages: Access Risk Analysis; Integration; Continuous Compliant Access Management.

Slide 19: EAM & ARA implementation trajectory
Keep your objectives in mind and involve the right stakeholders. Phases: Assess, Design, Construct, Implement, Operate & Review, with ongoing training & knowledge transfer. The SAP GRC EAM and SAP GRC ARA tracks run side by side:
• SAP GRC technical installation
• EAM: define emergency access management (EAM) needs
• ARA: define access risk analysis (ARA) usage needs
• Design “firefighter” accounts & access and the supporting governance structure & processes
• Define access risks to be monitored for in-scope processes
• Define ARA governance structure & processes
• Build firefighter IDs, assign their access
• Configure EAM in the SAP GRC back-end
• Set up EAM reporting
• Construct the ARA risk ruleset
• Configure ARA in the SAP GRC back-end
• Set up ARA reporting
• Perform EAM unit, integration and user acceptance testing
• Train EAM end-users
• Perform ARA unit, integration and user acceptance testing
• Train ARA end-users
• Go-live of the tested EAM solution
• Provide ad-hoc support to EAM administrators and end-users
• Go-live of the tested ARA
• Provide ad-hoc support to EAM administrators and end-users

Slide 20: Determine your EAM relevant usage
Involve the right stakeholders to identify this usage.
Appropriate usage includes:
• Emergency changes required in production
• Sensitive transactions not available via end-user security roles
• SOX-sensitive, restricted transactions
• Infrequent, sensitive tasks (opening/closing posting period)
• Cutover tasks
Inappropriate usage includes:
• Daily business tasks by support users (creating purchase orders, etc.)
• Non-sensitive tasks available via security roles
• Using EAM as a crutch to support a bad security design

Slide 21: Make smart design decisions
These will drive the actual & perceived value-add of your EAM:
01 Design Firefighter users per business process
02 Think of available notifications and workflow functionality
03 Centralised vs. decentralised approach?
04 “Pre-approved” Firefighter strategy vs. “ad hoc” approval required
05 What about ID- vs. role-based firefighting?

Slide 22: SAP GRC governance structure
Even SAP GRC needs governance to ensure its sustainability! Elements: functional use; GRC tool maintenance; GRC process flows; structure; roles & responsibilities.

Slide 23: Conclusion

Slide 24: Key takeaways
For you to consider during our SAP GRC EAM journey!
• SAP GRC EAM delivers great return on investment for your organisation from an internal control and efficiency perspective, when implemented right
• Determine a clear and realistic scope, with all the right stakeholders involved; don’t forget about your (external) auditor
• Smart design decisions are key: garbage in = garbage out
• Your SAP GRC tool also needs governance to deliver value

Question & answer

PwC’s upcoming SAP GRC & security events: http://www.pwc.be/en/events-courses.html

Date & time: 28 April 2016, 16:00h – 17:00h
Webinar: SAP HANA security - Prepare for what’s next
• Obtain a clear and detailed view on the security set-up in a SAP HANA based environment
• Watch the theory come alive through a live SAP HANA security demo
• Gain first-hand insight on security good practices in a SAP HANA context through experience sharing by PwC experts
• Learn about the security skills, processes & controls required to continue safeguarding your sensitive data in a SAP HANA context

Date & time: 18 May 2016, 10:30h – 16:00h, PwC Brussels
Increasing quality & profitability with SAP GRC Access Control
• Live demo & good practice sharing
• Gain insights from an SAP GRC AC client use case
• Obtain first-hand views on SAP GRC’s roadmap for the future
• Explore how to generate value-add from your SAP GRC system by quantifying potential risk violations using data analytics techniques, using PwC process mining expertise combined with SAP Access Violation Management technology

For more information on the subject, please contact:
Wim Rymen, Director, +32 473 269 227, wim.rymen@be.pwc.com
Kris Wauters, Senior manager, +32 499 558 949, kris.wauters@be.pwc.com
Constance Vervalcke, Manager, +32 493 240 406, constance.vervalcke@be.pwc.com

© 2016 PricewaterhouseCoopers. All rights reserved. “PricewaterhouseCoopers” refers to
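The deck describes the Controller role (slide 13) reviewing logged firefighter sessions and, on slide 20, which usage of a Firefighter ID is appropriate and which is not. The following is an added illustration, not code from the deck or from SAP GRC: a small controller-side review over a constructed session log that flags the patterns the slides call out (use by an unassigned user, use after the validity date, no reason recorded, routine daily-business transactions run under a Firefighter ID). The Firefighter IDs, users, dates and the mapping of transaction codes to "sensitive" vs. "routine" are all assumed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample master data (assumption, not from the deck): which
# Firefighter IDs exist, who may check them out, and the assignment validity.
FFID_ASSIGNMENTS = {
    "FF_MM":   {"firefighters": {"jdoe"},   "valid_to": "2016-06-30"},
    "FF_FICO": {"firefighters": {"asmith"}, "valid_to": "2016-03-31"},
}
# Assumed stand-ins for the slide 20 criteria: OB52 (open/close posting
# periods) is an infrequent sensitive task; ME21N (create purchase order)
# is daily business that belongs in a normal end-user role.
SENSITIVE_TCODES = {"OB52", "SE16", "SM30"}
ROUTINE_TCODES = {"ME21N", "VA01"}

@dataclass
class Session:
    ffid: str          # Firefighter ID that was checked out
    firefighter: str   # end user who checked it out
    started: str       # session start date (ISO format)
    reason: str        # reason / incident reference given at check-out
    tcodes: tuple      # transactions executed in the logged session

def review_session(s: Session) -> list:
    # Findings a Controller should look at for one logged session.
    findings = []
    assignment = FFID_ASSIGNMENTS.get(s.ffid)
    if assignment is None:
        return ["unknown firefighter ID"]
    if s.firefighter not in assignment["firefighters"]:
        findings.append("user not assigned to this firefighter ID")
    if date.fromisoformat(s.started) > date.fromisoformat(assignment["valid_to"]):
        findings.append("session started after assignment validity expired")
    if not s.reason.strip():
        findings.append("no reason or incident reference given")
    routine = sorted(set(s.tcodes) & ROUTINE_TCODES)
    if routine:
        findings.append("routine daily-business transactions used: " + ", ".join(routine))
    other = sorted(set(s.tcodes) - SENSITIVE_TCODES - ROUTINE_TCODES)
    if other:
        findings.append("transactions outside the expected set, review manually: " + ", ".join(other))
    return findings

# Constructed sample log of four firefighter sessions.
SAMPLE_LOG = [
    Session("FF_MM", "jdoe", "2016-04-12", "INC-1042 stuck pricing condition", ("SM30",)),
    Session("FF_MM", "jdoe", "2016-04-13", "", ("ME21N", "SM30")),
    Session("FF_FICO", "asmith", "2016-04-14", "INC-1050 reopen period", ("OB52",)),
    Session("FF_FICO", "bjones", "2016-03-02", "INC-0990 user lockout", ("SU01",)),
]

def review_log(sessions=SAMPLE_LOG) -> dict:
    # Map "ffid/firefighter/date" to its findings; an empty list means clean.
    return {f"{s.ffid}/{s.firefighter}/{s.started}": review_session(s) for s in sessions}
```

Only the first session comes back clean; the other three carry the findings a Controller would escalate to the Owner of the Firefighter ID.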