2014 10 08 expertum - sapience tech day 2014 - process automation and cost savings with sap grc...
Process Automation and Cost Savings with SAP GRC Access Control: the Tenneco case
TRANSCRIPT
Process Automation and Cost Savings with
SAP GRC Access Control
the Tenneco case
Sigrid Conix, Tenneco
Chris Walravens, Expertum
SAPience.be TECHday ‘14
Agenda
The Players
SAP GRC Access Control
HR Triggers
Role Request Process (PMU)
Periodic Review Automation
Benefits
Tenneco
Expertum
History
• Founded in April 2006 by 2 ex-SAP BeLux employees
• Partnerships
Today
• Team of 50+ SAP Experts and Project Managers
Mission
• Exceed client expectations by providing top-quality expertise
• Provide our people a safe environment for personal and professional growth
Strength
• Highly skilled & experienced SAP consultants in all SAP areas, combined with wide industry knowledge in several domains
Expertum
Knowledge Management - Product & Service Development
SAP GRC Access Control
Already Implemented…
Analyze & Manage Risk functionality (Phase 1)
• Already used to monitor 4 productive backend systems
• Worldwide systems
• Dashboards used on a daily basis
• Merged 4 rulesets into one single ruleset, while still considering the specifics of each system
Emergency Access Management
• Was already set up, but in a limited way
• Extended the implementation to full scope, meaning:
• Multiple FF-IDs per backend system
• Specific authorizations per FF-ID
HR Triggers
Automatic creation of user-IDs
• IT 0105 / 0001 is the trigger
• An ABAP on the backend system automatically creates:
• The user-ID using the correct naming convention
• The e-mail address with the correct naming
• Creation of an employee in the HRM system triggers the creation of a user-ID on SAP GRC
• From that moment on, the new user can start requesting access to other backend systems
HR Triggers
Automatic termination of user-IDs
• Delimiting IT 0105 / 0001 is the trigger
• The accesses are automatically revoked on all backend systems
HR Triggers
Position changes of employees
• Whenever an employee changes positions within HR, a role change request per system is triggered and sent to the user
• The current role assignments are automatically delimited to 30 days in the future
• The current role assignments are sent to the end user to:
• Keep / remove existing role assignments
• Add new roles for the new position
• Subsequent flow is identical to the regular PMU flow
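The three HR-triggered flows on the slides above (joiner, leaver and mover), modelled as an added Python example; this is not Tenneco's ABAP or SAP GRC code, and the naming conventions, personnel numbers, systems and role names are assumptions. The 30-day delimiting of existing assignments and the per-system change request follow the slide text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Assignment:
    system: str
    role: str
    valid_to: "date | None" = None    # None = open-ended assignment


@dataclass
class GrcUser:
    user_id: str
    email: str
    assignments: list = field(default_factory=list)


class GrcDirectory:
    def __init__(self):
        self.users = {}               # personnel number -> GrcUser

    def on_infotype_created(self, pernr, first, last):
        """Joiner: IT 0001/0105 created in HR -> user-ID and e-mail created on GRC."""
        # Hypothetical naming conventions (initial + surname, max 12 chars; first.last@domain).
        user = GrcUser((first[0] + last).upper()[:12], f"{first}.{last}@example.com".lower())
        self.users[pernr] = user
        return user

    def grant(self, pernr, system, role, valid_to=None):
        """Provisioning after an approved request (valid_to as ISO date, None = open-ended)."""
        a = Assignment(system, role, date.fromisoformat(valid_to) if valid_to else None)
        self.users[pernr].assignments.append(a)
        return a

    def on_infotype_delimited(self, pernr):
        """Leaver: IT 0001/0105 delimited -> every backend assignment revoked."""
        user = self.users[pernr]
        revoked, user.assignments = user.assignments, []
        return revoked

    def on_position_change(self, pernr, today):
        """Mover: current assignments are delimited to today + 30 days and one
        role change request per backend system goes to the user for keep/remove/add."""
        user = self.users[pernr]
        cutoff = date.fromisoformat(today) + timedelta(days=30)
        for a in user.assignments:
            if a.valid_to is None or a.valid_to > cutoff:
                a.valid_to = cutoff   # an end date that is already earlier is left alone
        return [{"system": s, "review": sorted(a.role for a in user.assignments if a.system == s)}
                for s in sorted({a.system for a in user.assignments})]
```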
Role Request Process (PMU)
Any user (worldwide) can request roles
• The end user is forced to run a risk analysis to create awareness
Supervisor approval
• Of the requester
• The risk analysis at this level is also mandatory
• The request cannot be approved with open risks
• The supervisor needs to:
• Either remove the risks, or
• Propose a mitigating control
Role Request Process (PMU)
Data owner approval
• The role owners need to give their approval as well
Plant Controller approval
• When (new) risks occur
• The Plant Controller needs to approve the risk mitigation
SBU Controller approval
• Final approval of mitigations
Role Request Process (PMU)
Mitigating control approval
• In case a new mitigating control is needed
• The request is routed towards the mitigating control administrator
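The risk gating and approval chain of the PMU slides above, as an added Python model; it is not Tenneco's configuration or SAP GRC code, and the ruleset, risk IDs, control IDs, role names and approver labels are constructed for the example. The rule it enforces is the one stated on the slides: no supervisor approval while a risk is open, and extra approvers only when a mitigation (or a new control) is involved.

```python
from dataclasses import dataclass, field

# Constructed SoD ruleset with hypothetical risk IDs: each risk is a pair of roles
# that one user must not hold together.
RULESET = {
    "P001": frozenset({"AP_VENDOR_MAINTAIN", "AP_INVOICE_POST"}),
    "P002": frozenset({"AP_PAYMENT_RUN", "FI_BANK_MASTER"}),
}
KNOWN_CONTROLS = {"MC-AP-01"}   # mitigating controls already defined (hypothetical IDs)


@dataclass
class RoleRequest:
    requester: str
    system: str
    requested: set
    existing: set = field(default_factory=set)
    mitigations: dict = field(default_factory=dict)   # risk ID -> mitigating control ID
    approvals: list = field(default_factory=list)


def risk_analysis(req):
    """Risks on the resulting access, i.e. existing plus requested roles."""
    effective = req.existing | req.requested
    return sorted(rid for rid, pair in RULESET.items() if pair <= effective)


def open_risks(req):
    """Risks that are neither removed nor covered by a proposed mitigating control."""
    return [rid for rid in risk_analysis(req) if rid not in req.mitigations]


def supervisor_approve(req, remove=(), propose=None):
    """Supervisor stage: approval is refused while any risk is open; the supervisor
    either drops roles from the request or proposes a mitigating control per risk."""
    req.requested -= set(remove)
    req.mitigations.update(propose or {})
    if open_risks(req):
        raise PermissionError(f"cannot approve with open risks: {open_risks(req)}")
    req.approvals.append("supervisor")
    return req


def approval_path(req):
    """Approval stages after the supervisor, derived from what the request contains."""
    path = ["role_owner"]                            # data/role owner always approves
    if req.mitigations:                              # (new) risks were mitigated
        path += ["plant_controller", "sbu_controller"]
    if any(c not in KNOWN_CONTROLS for c in req.mitigations.values()):
        path.append("mitigating_control_admin")     # a new control has to be created
    return path
```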
Periodic Review Automation
User Access Reviews
• Most common periodic review
• Data / role owners are requested to review the role assignments
• In case the assignment needs to be revoked, the de-provisioning is performed automatically
Periodic Review Automation
Critical Access Reviews
• This type of review is risk based
• A specific ruleset with only critical access is used
• In case risks need to be removed, root cause analysis needs to determine what roles to remove
Periodic Review Automation
Mitigating Control Re-certification
• In this review the mitigations are reviewed
• To ensure that no invalid mitigations remain in the system
Benefits
Manual user administration and role provisioning is reduced to an absolute minimum
Communication between the HR department and the Entitlement team is automated in the system
The request and approval process is highly standardized and automated
Risk awareness is created throughout the company
Thank you!
Sigrid Conix Global IT Security / Risk Management Tenneco
+32 475 89 48 77 [email protected] www.tenneco.com
Chris Walravens GRC Community Lead Expertum
+32 474 475 983 [email protected] www.expertum.net