1.3. SAPience.be Tech Day 2012 Nationale-Loterij presentation - cwagdp

Uploaded by expertum-consulting-excellence, posted 24-Jan-2015

Page 1

How to implement SAP GRC Access Control 10.0 successfully

The National Lottery Belgium case

Gert De Pauw, The National Lottery

Chris Walravens, Expertum

SAPience.be Tech Day 2012

Page 2

Agenda

Key Facts about the National Lottery

Project challenges / major reasons

Key Facts about Delaware / Expertum

Project Approach / solutions

Benefits for business & IT

Success Factors

Lessons learned / pitfalls

Next steps

Page 3

The National Lottery

Law of 19 April 2002 + the management contract between the Belgian State and the National Lottery: "socially responsible and professional provider of gaming entertainment", with two essential objectives:

• channel gambling behaviour and thereby offer an alternative to private and/or illegal games

• attract the existing users of lotteries and games of chance with a modern and appealing offering, without however expanding the size of the market

Financial support for organisations and events of public interest:

• 225.3 million euro in subsidies on the themes social, sport, culture, family, science and national prestige are approved by the Council of Ministers. Since 2002 the National Lottery pays 27.44% of the overall annual subsidy amount directly to the three (Flemish, French and German-speaking) Communities.

• Social or name sponsorship of initiatives in favour of the integration and well-being of less well-off population groups (e.g. Restos du Coeur, year-end dinners, visits to events and exhibitions at reduced rates)

Slide callouts: "In a responsible manner"; "Belgium's largest patron"; "Channelling"

Actively and autonomously contributing to the prevention and treatment of gambling addiction through support for initiatives in that direction

Page 4

The National Lottery

Some key figures

Regional offices (RK) with full-time equivalents (VTE) in operations/logistics and in sales:

RK (regional office)    VTE ops/log    VTE sales
RK Brussel (Jette)             3            6
RK Antwerpen                   4            8
RK Brugge                      3            6
RK Tienen                      3            7
RK Gent                        5            7
RK Namen                       3            7
RK Mons                        4            6
RK Liège                       4            6
Total decentralised           29           53

• One of the largest retail networks in Belgium
• 5,240 points of sale: independent retailers work on commission and sell our products

Page 5

The Project Challenges

Business
• Access too broad, with impact on performance / fraud / errors
• No transparency regarding the content of authorizations

IT
• Mainly manual processes
• No prevention of access risk possible

SOD (Segregation of Duties)
• Hardly any segregation of duties enforced
• No clear responsibilities defined
• Difficult overview for Internal and External Audit

Page 6

The Project Challenges

Business
• Reduce access to a need-to-have basis
• Enhance transparency to enhance understanding
• Introduce role / risk ownership to allow a clear approval process

IT
• Automate user provisioning processes
• Enforce preventive SOD checks

Audit
• Enforce segregation of duties
• Obtain an audit trail for user provisioning processes
• Monitoring & Reporting tool for Internal and External Audit

Page 7

Delaware

History
• Founded in 1981; has been part of Bekaert, Andersen and Deloitte
• Independent partnership since 2003

Today
• 750 professionals
• Belgium, China, Singapore, France, Luxembourg, The Netherlands & US

Recipe
• Aligning business and technology
• Combining strengths, delivering solutions

Philosophy
• Entrepreneurship, Care, Respect, Team spirit, Commitment

Page 8

Expertum

History
• Founded in April 2006 by 2 ex-SAP Belux employees
• Partnerships

Today
• Team of 50+ SAP Experts and Project Managers

Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth

Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with wide industry knowledge in several domains

Page 9

The Project Approach

Transition plan
• SAP GRC Access Control 10.0
  • AMR (Analyse & Manage Risk)
  • EAM (Emergency Access Management)
  • PMU (Provision & Manage Users)
• Monitoring / Reporting
• Business Roles

Timeline (figure): milestones at 01/11/2011, 01/05/2012, 08/11/2012 and 01/05/2013; SAP GRC Access Control 10.0 first, then Monitoring / Reporting, then Business Roles (TO BE).

Page 10

The Project Approach

Diagram: the three phases of the transition and the GRC AC 10.0 modules that carry each.

Analyze & Manage Risk (AMR): customizing, master data, rule set vs used functionality
  Get Clean: minimal time to compliance

Provision & Manage Users (PMU): provisioning, approval, procedures, workflow
  Stay Clean: continuous access management

Business Role Management (BRM): "PFCG" (the existing authorization concept remains)

Emergency Access Management (EAM): fire fighters: who? Approval: who? Access: what?

Periodic Access Review and Audit: focus on remaining challenges during periodic audits
  Stay in Control: effective management oversight and audit

GRC AC 10.0 authorizations

Page 11

The Project Approach - AMR

Create understanding & ownership of the rule set

Validation workshops for the rule set:
• Business processes (department / ECC module / owners)
• Risks (classification / owners)
• Segregation of Duties conflicts
• Critical functionality
• Integration of own developed transaction codes

Input from key users was crucial

Validation of the rule set by internal audit

Page 12

The Project Approach - AMR

Results of the workshops:
• Review user lists with rule set violations
• Indicate remove / keep
• Parts of the Segregation of Duties conflicts
• Critical functionality
• Detailed testing of the rule set
• Preparation for the remediation activities

Remediation activities:
• Remove / update roles
• Assign a mitigating control (« access accepted »)
• Splitting roles postponed until the business roles setup

Page 13

The Project Approach - EAM

Workshops for identifying:
• Which Firefighter IDs are needed
• Which specific authorizations are needed per firefighter
• Which users can use which firefighter
• Who the Firefighter owners & controllers are
• What the allowed Reason Codes are

Input from key users was crucial

Page 14

The Project Approach - EAM

Diagram: the end user starts firefighter sessions (FF session 1, 2, 3) from the central GRC dashboard, each running under a firefighter user-ID (FF user-ID 1, 2, 3) on the firefighter ECC system; logging & reporting there produces one report per session (Report 1, 2, 3), which goes to the owner for approval.

Page 15

The Project Approach - PMU

Automatic workflow provisioning
• New user triggered by the HR department
• Role assignments / removals approved by role owner(s)
• Requests / approvals / changes automatically logged

Preventive risk analysis
• Role assignment requests include a risk analysis
• Risk violations approved / mitigated / rejected by risk owner(s)
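The rule-set and remediation work of the AMR slides (pages 11 and 12) and the preventive risk analysis of the PMU slide above come down to one piece of logic: map the transactions a user's roles grant onto business functions, compare the resulting set of functions against a rule set of SoD pairs and critical actions, drop the risks a risk owner has mitigated, and, for an access request, report the risks the requested role would newly introduce. The following Python is an added example written for this page, not code from the National Lottery project or from SAP GRC Access Control; the functions, risk IDs, roles and transaction codes in it are constructed (the Z-prefixed names stand in for customer-developed objects) and the risk classification is illustrative.

```python
from dataclasses import dataclass

# Business functions: named groups of actions (transaction codes). Custom
# Z-transactions are folded into the function they implement, which is what the
# "integration of own developed transaction codes" workshop item amounts to.
# All names below are constructed for this example.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02", "ZVENDOR_UPD"},
    "INVOICE_POST":    {"FB60", "MIRO"},
    "PAYMENT_RUN":     {"F110"},
    "USER_ADMIN":      {"SU01", "PFCG"},
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str            # classification agreed in the workshops: High / Medium / Low
    functions: frozenset  # two or more functions = SoD conflict; a single one = critical action


RULE_SET = [
    Risk("P001", "High",   frozenset({"VENDOR_MAINTAIN", "INVOICE_POST"})),
    Risk("P002", "High",   frozenset({"INVOICE_POST", "PAYMENT_RUN"})),
    Risk("B001", "Medium", frozenset({"USER_ADMIN"})),
]

# Technical (PFCG) roles and the transactions they grant; constructed.
ROLE_TCODES = {
    "Z_AP_CLERK":   {"FB60", "MIRO", "FB03"},
    "Z_MDM_VENDOR": {"XK01", "XK02", "ZVENDOR_UPD"},
    "Z_TREASURY":   {"F110", "FBL1N"},
    "Z_BASIS":      {"SU01", "PFCG", "SM37"},
}


@dataclass(frozen=True)
class Violation:
    risk_id: str
    level: str
    roles_by_function: tuple  # ((function, (role, ...)), ...): which roles cause each side


def functions_by_role(roles):
    """Map each business function to the roles that grant at least one of its actions."""
    granted = {}
    for role in sorted(roles):
        for fn, actions in FUNCTIONS.items():
            if actions & ROLE_TCODES[role]:
                granted.setdefault(fn, []).append(role)
    return granted


def analyze(roles, mitigated=frozenset()):
    """Run the rule set over a user's roles; skip risks the risk owner has mitigated."""
    granted = functions_by_role(roles)
    violations = []
    for risk in RULE_SET:
        if risk.risk_id in mitigated or not risk.functions <= set(granted):
            continue
        evidence = tuple((fn, tuple(granted[fn])) for fn in sorted(risk.functions))
        violations.append(Violation(risk.risk_id, risk.level, evidence))
    return violations


def simulate_request(current_roles, requested_role, mitigated=frozenset()):
    """Preventive check for an access request: the risks the requested role would introduce."""
    existing = {v.risk_id for v in analyze(current_roles, mitigated)}
    return [v for v in analyze(set(current_roles) | {requested_role}, mitigated)
            if v.risk_id not in existing]


if __name__ == "__main__":
    # Get clean: who violates today, and through which roles?
    for v in analyze({"Z_AP_CLERK", "Z_MDM_VENDOR"}):
        print(v.risk_id, v.level, dict(v.roles_by_function))
    # Stay clean: would adding Z_TREASURY to an AP clerk create a new risk?
    for v in simulate_request({"Z_AP_CLERK"}, "Z_TREASURY"):
        print("request held for risk-owner decision:", v.risk_id)
```

Run as a script, it first lists the "get clean" violations of a user holding Z_AP_CLERK and Z_MDM_VENDOR (P001, with the role behind each side of the conflict, which is exactly what the remove / keep decision in the workshops needs), and then runs the "stay clean" check: adding Z_TREASURY to an AP clerk would introduce P002, so the request is held for the risk owner instead of being provisioned. A mitigating control is modelled as the risk ID being present in `mitigated`, which is how "access accepted" removes a finding from the list without changing the authorizations. `simulate_request` deliberately returns only the newly introduced risks; a production check would typically show existing risks as well, but the approval decision hinges on what the request adds.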

Page 16

Benefits

Business
• Understanding
• Transparency
• Ownership
• Approvals with (more) knowledge

IT
• Automation
• Process is business driven
• Ownership lies with the business

Page 17

Success Factors

Key user / business involvement from the start

Technical knowledge of the software

Knowledge of user and role administration processes

Combining technical and process knowledge into optimal solution and application setup

Page 18

Lessons Learned / Pitfalls

Usually, existing authorization concepts are not fully suited to allow:
• Advanced remediation activities
• Full transparency, which is needed to fully allow ownership and understanding

Don't overestimate the possibilities:
• The Firefighter log only logs what is in the CDHDR & CDPOS tables (change documents)
• Web Dynpro screens are customizable, but only to a point
• Portal integration (UWL) is not fully possible
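The firefighter flow on pages 13 and 14 ends with a per-session report that the owner or controller approves, and the lesson learned above is that such a report only contains what lands in the CDHDR and CDPOS change-document tables. The following Python is an added example written for this page, not code from the National Lottery project or from SAP GRC Access Control. It reconciles one firefighter session with CDHDR-style change documents and with a second, assumed evidence source (STAD-style transaction-start records) so the controller sees not only the changes made under the firefighter ID but also the transactions executed in the session that left no change document at all; all session, user, object and transaction data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FFSession:
    session_id: str
    firefighter_id: str   # the shared FF user-ID that was checked out
    end_user: str         # the named person who used it
    reason_code: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class ChangeDoc:
    """Change-document header, modelled on CDHDR (USERNAME, TCODE, OBJECTCLAS, OBJECTID, UDATE+UTIME)."""
    username: str
    tcode: str
    objectclas: str
    objectid: str
    at: datetime


@dataclass(frozen=True)
class Execution:
    """Transaction start from a second evidence source (STAD-style workload record; an assumption)."""
    username: str
    tcode: str
    at: datetime


def _in_session(session, username, at):
    return username == session.firefighter_id and session.start <= at <= session.end


def session_changes(session, change_docs):
    """Change documents written under the FF ID during the session: what a CDHDR/CDPOS-based log shows."""
    return sorted((c for c in change_docs if _in_session(session, c.username, c.at)), key=lambda c: c.at)


def session_executions(session, executions):
    """Transactions started under the FF ID during the session, from the second source."""
    return sorted((e for e in executions if _in_session(session, e.username, e.at)), key=lambda e: e.at)


def blind_spots(session, executions, change_docs):
    """Transactions executed in the session that produced no change document at all."""
    logged = {c.tcode for c in session_changes(session, change_docs)}
    return sorted({e.tcode for e in session_executions(session, executions)} - logged)


def controller_report(session, executions, change_docs):
    """What the firefighter controller gets to review, with the logging gap made explicit."""
    return {
        "session": session.session_id,
        "firefighter_id": session.firefighter_id,
        "end_user": session.end_user,
        "reason_code": session.reason_code,
        "changes": [(c.at.strftime("%H:%M"), c.tcode, c.objectclas, c.objectid)
                    for c in session_changes(session, change_docs)],
        "executed_without_change_doc": blind_spots(session, executions, change_docs),
    }


# Constructed sample data ------------------------------------------------------
def _at(hour, minute):
    return datetime(2012, 11, 5, hour, minute)


SESSION = FFSession("S-0001", "FF_FI_01", "USER_A", "INCIDENT", _at(9, 0), _at(10, 0))

CHANGE_DOCS = [
    ChangeDoc("FF_FI_01", "FK02", "KRED",  "0000100042", _at(9, 12)),   # vendor master changed
    ChangeDoc("FF_FI_01", "FB02", "BELEG", "0100000123", _at(9, 31)),   # accounting document changed
    ChangeDoc("FF_FI_01", "FK02", "KRED",  "0000100077", _at(11, 15)),  # after the session: not this session's
    ChangeDoc("USER_B",   "FK02", "KRED",  "0000100099", _at(9, 20)),   # another user under their own ID
]

EXECUTIONS = [
    Execution("FF_FI_01", "FK02", _at(9, 11)),
    Execution("FF_FI_01", "FB02", _at(9, 30)),
    Execution("FF_FI_01", "SE16", _at(9, 40)),      # table browsing writes no change document
    Execution("FF_FI_01", "ZFIX_RUN", _at(9, 45)),  # custom program without change-document support (constructed)
    Execution("FF_FI_01", "SM30", _at(11, 20)),     # outside the session window
]

if __name__ == "__main__":
    import json
    print(json.dumps(controller_report(SESSION, EXECUTIONS, CHANGE_DOCS), indent=2))
```

For the constructed session the report lists the two changes (FK02 on a vendor master, FB02 on an accounting document) and flags SE16 and ZFIX_RUN as executed without any change document: a data-browser session and a custom program with no change-document support are invisible to a log built on CDHDR/CDPOS alone. The controller therefore either needs a second source for those sessions, such as the Security Audit Log, or has to accept that gap explicitly when approving.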

Page 19

The Next Steps

Business Roles
• Redesign technical roles
• Define business roles corresponding to positions
• Set up the BRM module

Automate HR trigger
• Currently user creation is triggered by a manual request
• An automated request will be implemented

Approval Delegation

Page 20

Contact Details

Gert De Pauw, Senior SAP Manager
T. +32 475 22 49 56
E. [email protected]

Chris Walravens, GRC Competence Lead
T. +32 474 47 59 83
E. [email protected]

www.expertum.net

Page 21

Thank you!